iptables -F ------ To flush all iptables rules
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
These default policies permit outgoing traffic but drop incoming or forwarded packets.
1. Enabling Source Address Verification
Task: Prevent remote hosts from spoofing incoming packets so that they appear to have come from your local machine.
Solution: Turn on source address verification in the kernel (IP spoofing protection):
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
Or make the change persistent in /etc/sysctl.conf:
# vi /etc/sysctl.conf
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
and run sysctl to reread the configuration immediately:
# sysctl -p
Source address verification is a kernel-level feature that drops packets that appear to come from your internal network but do not. Enabling this feature should be your first network-related security task. You can set up the same effect using firewall rules as well.
1.1 Blocking Spoofed Addresses
Task: Prevent remote hosts from pretending to be local to your network.
Solution: For a single machine, to prevent remote hosts from pretending to be that machine:
# iptables -A INPUT -i external_interface -s your_IP_Address -j REJECT
If you have a Linux machine acting as a firewall for your internal network (say, 192.168.0.*) with two network interfaces, one internal and one external, and you want to prevent remote machines from spoofing internal IP addresses on the external interface, use the following:
# iptables -A INPUT -i external_interface -s 192.168.0.0/24 -j REJECT
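An added example (not from the original notes) that combines the two tasks above: it enables reverse-path filtering on all interfaces, not only the default, and installs anti-spoofing rules on the external interface for this host's own address, the internal network, and the private and loopback ranges. The interface name, public address and network are placeholders; the script prints the commands by default and only applies them when run as root with IPT=iptables SYSCTL=sysctl.

```shell
#!/bin/sh
# Added example (not part of the original notes): turn on reverse-path
# filtering and drop packets that arrive on the external interface with a
# source address that can only be local. Interface and address values are
# placeholders; replace them for your host.
set -eu

# Dry run by default: commands are printed, not executed.
# Set IPT=iptables SYSCTL=sysctl (as root) to apply them.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

EXT_IF="${EXT_IF:-eth0}"              # assumption: external interface name
MY_IP="${MY_IP:-203.0.113.10}"        # assumption: this host's public address
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # internal network used in the notes

enable_rp_filter() {
    # 'default' only applies to interfaces created later;
    # 'all' is needed for the interfaces that already exist.
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1
    $SYSCTL -w net.ipv4.conf.default.rp_filter=1
}

# Usage: antispoof_rules EXT_IF MY_IP LAN_NET
# Spoofed packets are DROPped rather than REJECTed: a reject would be sent
# to the forged source address, i.e. to the machine being impersonated.
# LAN_NET may overlap the RFC 1918 ranges; the duplicate rule is harmless.
antispoof_rules() {
    ext_if=$1; my_ip=$2; lan_net=$3
    for src in "$my_ip" "$lan_net" 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT -i "$ext_if" -s "$src" -j DROP
    done
}

enable_rp_filter
antispoof_rules "$EXT_IF" "$MY_IP" "$LAN_NET"
```

The dry-run default lets you review the generated rules before they touch a live system. Spoofed packets are dropped rather than rejected because a REJECT response would go to the forged source address, which is exactly the reflection problem discussed in the next section.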
DROP v/s REJECT
DROP simply swallows the packet, never to be seen again, and emits no response. REJECT, in contrast, responds to the packet with a message back to the sender saying that the connection was refused.
REJECT helps the sender understand why a connection fails, because of the response it sends; DROP gives no clue why the connection fails, which leaves you less to work with when troubleshooting a connection problem.
REJECT can leave you open to a denial of service (DoS) attack. If a third party compromises a system (the victim) and sends packets to your machine carrying the victim's source address, your rejections go not to the third party but to the victim, the owner of the source address. You are unintentionally flooding the victim with rejections.
So it is better to choose DROP to prevent your rules from being abused in this manner (better in a large network). If you are a home user, REJECT is better. When rejecting, you can choose the response that is sent using the --reject-with option.
2.3 Blocking all Network traffic
Problem: You want the firewall to block all network traffic.
Solution:
iptables -F
iptables -A INPUT -j REJECT
iptables -A OUTPUT -j REJECT
iptables -A FORWARD -j REJECT
2.4 Blocking Incoming Traffic
Problem: You want to block all incoming network traffic, except from your system itself, without affecting outgoing traffic.
Solution:
iptables -F INPUT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT
Alternatively, reject new TCP connections and requests to the privileged UDP ports:
# iptables -A INPUT -p tcp --syn -j REJECT
# iptables -A INPUT -p udp --dport 0:1023 -j REJECT
The first rule set takes advantage of statefulness, permitting incoming packets only if they are part of connections established from your machine. All other incoming packets are rejected.
Don't simply reject all input packets, as in this (ipchains) example:
# ipchains -F INPUT
# ipchains -A INPUT -j REJECT
as this will also block responses returning from your legitimate outgoing connections.
iptables also supports the --syn flag, which matches only TCP packets that open a new connection:
# iptables -A INPUT -p tcp --syn -j REJECT
2.5 Blocking outgoing traffic
Problem: Block all outgoing network traffic, without affecting incoming traffic if possible.
Solution:
iptables -F OUTPUT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j REJECT
Here iptables takes advantage of statefulness: it can tell the difference between outgoing traffic initiated by the local machine and outgoing traffic sent in response to established incoming connections. The latter is permitted but the former is not.
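As an added example (not part of the original notes), here are the two stateful rule sets of 2.4 and 2.5 written with the conntrack match, with RELATED accepted alongside ESTABLISHED so that ICMP errors and helper-tracked connections belonging to permitted flows are not rejected, and with an explicit --reject-with choice. As in the earlier script, the commands are printed unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example (not part of the original notes): stateful "block incoming"
# and "block outgoing" rule sets. Dry run by default; IPT=iptables applies.
set -eu

IPT="${IPT:-echo iptables}"

# Allow only replies to connections this host opened; reject all other input.
# RELATED covers ICMP errors and helper-tracked data connections (e.g. FTP)
# that belong to an allowed flow. TCP is refused with a RST so the remote
# client fails fast; everything else gets ICMP port-unreachable.
block_incoming() {
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Mirror image: allow only replies to connections others opened to this host,
# so local processes cannot initiate new outbound connections.
block_outgoing() {
    $IPT -F OUTPUT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -j REJECT
}

block_incoming
block_outgoing
```

Applying both functions at once leaves the host able to answer only what was already in the connection-tracking table, so run them one at a time and keep an existing (ESTABLISHED) SSH session open while you test.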
2.6 Blocking incoming service requests
Problem: You want to block connections to a particular network service, e.g. HTTP.
Solution:
iptables -A INPUT -p tcp --dport www -j REJECT
To block incoming HTTP traffic but permit local HTTP traffic:
iptables -A INPUT -p tcp -i lo --dport www -j ACCEPT
iptables -A INPUT -p tcp --dport www -j REJECT
2.7 Blocking Access from a remote host
Problem: You need to block incoming traffic from a particular host.
Solution:
To block all access by that host:
# iptables -A INPUT -s remote_ip_address -j REJECT
To block requests for one particular service, say the SMTP mail service:
# iptables -A INPUT -p tcp -s remote_ip_address --dport smtp -j REJECT
To admit some hosts but block all others:
# iptables -A INPUT -s ip_address_1 [-p protocol --dport service] -j ACCEPT
# iptables -A INPUT -s ip_address_2 [-p protocol --dport service] -j ACCEPT
# iptables -A INPUT -s ip_address_3 [-p protocol --dport service] -j ACCEPT
# iptables -A INPUT [-p protocol --dport service] -j REJECT
2.8 Blocking access to a remote host
Problem: You want to block outgoing traffic to a particular host.
Solution:
To block all access:
# iptables -A OUTPUT -d remote_ip_address -j REJECT
To block a particular service, such as a remote web site:
# iptables -A OUTPUT -p tcp -d remote_ip_address --dport www -j REJECT
2.9 Blocking outgoing access to all web servers on a network
Problem: You want to prevent outgoing access to a network, e.g. all web servers at yahoo.com.
Solution: Figure out how to specify the yahoo.com network, e.g. 64.58.76.0/24, and reject web access:
# iptables -A OUTPUT -p tcp -d 64.58.76.0/24 --dport www -j REJECT
You can also specify a hostname instead of an IP address in a firewall rule. If DNS reports multiple IP addresses for that hostname, a separate rule is needed for each address.
# host www.google.com ------ Lists all IP addresses of www.google.com
www.google.com has address 173.194.75.103
www.google.com has address 173.194.75.104
www.google.com has address 173.194.75.105
www.google.com has address 173.194.75.106
www.google.com has address 173.194.75.147
www.google.com has address 173.194.75.99
www.google.com has IPv6 address 2a00:1450:4013:c01::69
So, to block access to www.google.com:
# iptables -A OUTPUT -d www.google.com -j REJECT
# iptables -L OUTPUT
Security experts recommend that you use only IP addresses in your rules, not hostnames, since an attacker who poisons your DNS could circumvent rules defined for hostnames. However, hostnames are relevant only at the moment you run iptables to define a rule, as the program looks up the underlying IP addresses immediately and stores them in the rule.
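An added example (not from the original notes): a small parser that turns host(1) output into one rule per address, so that the IPv6 addresses in the listing get a matching ip6tables rule, which an iptables rule given a hostname would not produce. The sample host output is constructed from the listing above; block_host is a hypothetical wrapper that runs host at rule-creation time, which, as the paragraph above notes, is the only moment the DNS answer matters.

```shell
#!/bin/sh
# Added example (not from the original notes): expand a hostname into one rule
# per resolved address. IPv4 addresses go to iptables, IPv6 addresses to
# ip6tables. Input is the text that 'host NAME' prints.
set -eu

IPT="${IPT:-echo iptables}"       # dry run by default; IPT=iptables applies
IP6T="${IP6T:-echo ip6tables}"

# Constructed sample, a subset of the listing in the notes plus an MX record.
SAMPLE_HOST_OUTPUT='www.google.com has address 173.194.75.103
www.google.com has address 173.194.75.104
www.google.com has IPv6 address 2a00:1450:4013:c01::69
www.google.com mail is handled by 10 mx.example.invalid'

# Usage: rules_from_host_output [PORT]   (reads 'host' output on stdin)
# Emits an OUTPUT rule rejecting TCP to PORT for every address found and
# ignores any other record types (MX, aliases, ...).
rules_from_host_output() {
    port=${1:-www}
    while read -r name w1 w2 w3 w4; do
        case "$w1 $w2" in
            "has address") $IPT -A OUTPUT -p tcp -d "$w3" --dport "$port" -j REJECT ;;
            "has IPv6")    $IP6T -A OUTPUT -p tcp -d "$w4" --dport "$port" -j REJECT ;;
            *) ;;
        esac
    done
}

# Hypothetical wrapper: resolves NAME now and installs the rules.
# Requires the 'host' command and a working resolver.
block_host() {
    host "$1" | rules_from_host_output "${2:-www}"
}

printf '%s\n' "$SAMPLE_HOST_OUTPUT" | rules_from_host_output www
```

Because the address set is expanded by the script, the rule listing (iptables -L -n) shows exactly which addresses were blocked, and the rules remain valid even if the name later resolves elsewhere; re-run the script when the published addresses change.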
2.10 Blocking Remote access, but permitting local
Problem: You want only local users to access a TCP service; remote requests should be denied.
Solution: Permit connections via the loopback interface and reject all others:
# iptables -A INPUT -p tcp -i lo --dport service -j ACCEPT
# iptables -A INPUT -p tcp --dport service -j REJECT
You can also single out your local IP address specifically:
# iptables -A INPUT -p tcp ! -s your_ip_address --dport service -j REJECT
2.11 Controlling access by MAC Address
Problem: You want only a particular machine, identified by its MAC address, to access your system.
Solution:
# iptables -F INPUT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m mac --mac-source 12:34:56:89:90:ab -j ACCEPT
# iptables -A INPUT -j REJECT
This works only within your local network. If you receive a packet from a machine outside your subnet, it carries your gateway's MAC address, not that of the original source machine.
MAC addresses can be spoofed. Suppose you have a machine called MACHINE whose MAC address is trusted by your firewall. If an intruder discovers this fact and MACHINE is down, the intruder could spoof MACHINE's MAC address and your firewall would be none the wiser. On the other hand, if MACHINE is up during the spoofing, its kernel will start complaining (via syslog) about the duplicate MAC address.
2.12 Permitting SSH Access only
Problem: You want to permit incoming SSH access but no other incoming access, while allowing local connections to all services.
Solution:
# iptables -F INPUT
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -j REJECT
A common setup is to permit access to a remote machine only by SSH. If you want this access limited to certain hosts or networks, list them by IP address as follows:
# iptables -A INPUT -p tcp -s 128.220.13.4 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp -s 71.54.121.19 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp -s 152.16.91.0/24 --dport ssh -j ACCEPT
# iptables -A INPUT -j REJECT
The final REJECT rule prevents all other incoming connections. If you want to prevent only SSH connections from other sources, use this REJECT rule instead:
# iptables -A INPUT -p tcp --dport ssh -j REJECT
2.13 Prohibiting outgoing Telnet connections
Problem: You want to block all outgoing telnet connections.
Solution:
# iptables -A OUTPUT -p tcp --dport telnet -j REJECT
To block all outgoing telnet connections except from your machine to itself:
# iptables -A OUTPUT -p tcp -o lo --dport telnet -j ACCEPT
# iptables -A OUTPUT -p tcp --dport telnet -j REJECT
2.14 Protecting Dedicated server
Problem: You want to run a specific set of services on your machine, accessible to the outside world. All other services should be rejected and logged. Internally, however, local users can access all services.
Solution: Suppose your services are www, ssh and smtp:
# iptables -F INPUT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m multiport -p tcp --dport www,ssh,smtp -j ACCEPT
# iptables -A INPUT -j LOG -m limit
# iptables -A INPUT -j REJECT
Local connections from your own host arrive via the loopback interface.
2.15 Preventing pings
Problem: You don't want remote sites to receive responses when they ping you.
Solution:
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
Don't make the mistake of dropping all ICMP messages. Wrong, don't do this:
# iptables -A INPUT -p icmp -j DROP
Pings are only one type of ICMP message, and you probably don't want to block all types. List the available ICMP message types with:
# iptables -p icmp -h
2.16 Listing your firewall rules
Problem: You want to see your firewall rules.
Solution:
# iptables -L [chain]
For more detailed output, append the -v option.
If iptables takes a long time to print the rule list, try appending the -n option to disable reverse DNS lookups. Such lookups of local addresses, such as 192.168.0.2, may cause delays due to timeouts.
2.17 Deleting firewall rules
Problem: You want to delete firewall rules, individually or all at once.
Solution: To delete rules en masse, also called flushing a chain, do the following:
# iptables -F [chain]
To delete rules individually:
# iptables -D chain rule_number
Rules are numbered beginning with 1. To list the rules:
# iptables -L
Select one to delete (say, rule 4 on the INPUT chain) and type:
# iptables -D INPUT 4
If you have previously saved your rules and want your deletions to remain in effect after the next reboot, re-save the new configuration.
2.18 Inserting firewall rule
Problem: Rather than appending a rule to a chain, you want to insert or replace one elsewhere in the chain.
Solution: Instead of the -A option, use -I to insert or -R to replace. You'll need to know the numeric position, within the existing rules, of the new rule.
For instance, to insert a new rule in the fourth position in the chain:
# iptables -I chain 4 ......specification.........
To replace the second rule in a chain:
# iptables -R chain 2 ......specification......
When you insert a rule at position N in a chain, the old rule N becomes rule N+1, the old rule N+1 becomes rule N+2, and so on.
2.19 Saving a firewall configuration
Problem: You want to save your firewall configuration.
Solution: Save your settings:
# iptables-save > /etc/sysconfig/iptables
2.20 Loading a firewall configuration
Problem: You want to load your firewall rules, e.g. at boot time.
Solution: Use iptables-restore. Assuming you've saved your firewall configuration in /etc/sysconfig/iptables:
#!/bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward   # optional: only if this machine forwards packets
iptables-restore < /etc/sysconfig/iptables
To load the firewall at boot time:
# chkconfig iptables on
2.21 Building complex rule trees
Problem: You want to construct complex firewall behaviors, but you are getting lost in the complexity.
Solution:
Be modular: isolate behaviors into their own chains, then connect the chains in the desired manner:
# iptables -N CHAIN1
# iptables -N CHAIN2
# iptables -N CHAIN3
# iptables -N CHAIN4
# iptables -N CHAIN5
Add your rules to each chain, then connect the chains; for example:
# iptables -A INPUT ......specification...... -j CHAIN1
# iptables -A CHAIN1 ......specification...... -j CHAIN2
# iptables -A CHAIN2 ......specification...... -j CHAIN3
# iptables -A INPUT ......specification...... -j CHAIN4
# iptables -A INPUT ......specification...... -j CHAIN5
Connecting chains is like modular programming with subroutines. The rule:
# iptables -A CHAIN1 ......specification...... -j CHAIN2
creates a jump to CHAIN2 from this rule in CHAIN1 if the rule matches. Once CHAIN2 has been traversed (and none of its rules issued a verdict), control returns to the next rule in CHAIN1, similar to returning from a subroutine.
2.22 Logging
Problem: You want the firewall to log and drop certain packets.
Solution: Create a new rule chain that logs and drops in sequence:
# iptables -N LOG_DROP
# iptables -A LOG_DROP -j LOG --log-level warning --log-prefix "dropped" -m limit
# iptables -A LOG_DROP -j DROP
Then use it as the target in any relevant rules:
# iptables ......specification...... -j LOG_DROP
The LOG target causes the kernel to log packets that match your given specification.
The --log-level option sets the syslog level for these log messages and --log-prefix adds an identifiable string to the log entries. The further options --log-tcp-sequence, --log-tcp-options and --log-ip-options affect the information written to the log.
LOG is usually combined with the limit module (-m limit) to cap the number of redundant log entries made per time period, to avoid flooding your logs.
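An added example (not from the original notes) that puts 2.14, 2.21 and 2.22 together: the dedicated-server policy built from a PUBLIC chain holding the offered services and a LOG_DROP chain that rate-limits its log entries and carries a prefix you can grep for. SERVICES and the limit values are placeholders; the catch-all at the end drops rather than rejects, following 2.22 rather than 2.14. The commands are printed unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example (not part of the original notes): a modular INPUT policy for a
# dedicated server. Dry run by default; IPT=iptables applies it as root.
set -eu

IPT="${IPT:-echo iptables}"
SERVICES="${SERVICES:-www,ssh,smtp}"   # assumption: the publicly offered services

# Chain that logs (at most 5 entries per minute, burst of 10) and then drops.
# The prefix makes the entries easy to find: grep 'FW-DROP:' /var/log/messages
make_log_drop() {
    $IPT -N LOG_DROP
    $IPT -A LOG_DROP -m limit --limit 5/min --limit-burst 10 \
         -j LOG --log-level warning --log-prefix "FW-DROP: "
    $IPT -A LOG_DROP -j DROP
}

# Chain holding the public services. Packets that match nothing here fall off
# the end of the chain and return to the caller, like a subroutine return.
make_public_services() {
    $IPT -N PUBLIC
    $IPT -A PUBLIC -p tcp -m multiport --dports "$1" \
         -m conntrack --ctstate NEW -j ACCEPT
    # Answer ICMP other than echo-request, so path MTU discovery keeps working
    $IPT -A PUBLIC -p icmp ! --icmp-type echo-request -j ACCEPT
}

build_input() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j LOG_DROP
    $IPT -A INPUT -j PUBLIC          # returns here if no rule in PUBLIC matched
    $IPT -A INPUT -j LOG_DROP        # everything else is logged and dropped
}

make_log_drop
make_public_services "$SERVICES"
build_input
```

Running it a second time on a live system fails at the -N lines because the chains already exist; flush and delete them first (iptables -F LOG_DROP; iptables -X LOG_DROP, likewise for PUBLIC) or manage the whole ruleset with iptables-save and iptables-restore. iptables -L -n -v --line-numbers shows per-rule packet counters, which is the quickest way to confirm that traffic is reaching the chain you expect.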
2.23 Open ports 80 and 110 on a server machine
Add these rules (shown in iptables-save format) to the RH-Firewall-1-INPUT chain:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
Verify that the service is listening on the port:
# netstat -tulpn | less
Make sure iptables is allowing ports 80 and 110:
# iptables -L -n
You can use this technique to secure confidential data that can be misused if the packets are received at the wrong end.
Thanks
Silvester Norman