Friday, July 18, 2008

Basic IPv4 Firewall Using iptables

Scenario: someone wants to harden a stand-alone server using the firewall built into Linux, iptables. The server has only one NIC, so there is no forwarding to worry about; only the INPUT path matters.

Here are the steps:
1. Create a custom chain named HOME-RULES and add a rule to INPUT that jumps all incoming packets to it. On a fresh system INPUT is empty, so `-A` (append) puts the jump at the top; if INPUT already holds rules, use `iptables -I INPUT 1 -j HOME-RULES` instead so HOME-RULES is evaluated first. Remember to save the firewall configuration when you're finished.
[root@greg ~]# iptables -N HOME-RULES
[root@greg ~]# iptables -A INPUT -j HOME-RULES
[root@greg ~]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@greg ~]# less /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Sat Jul 19 07:29:26 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:HOME-RULES - [0:0]
-A INPUT -j HOME-RULES
COMMIT
# Completed on Sat Jul 19 07:29:26 2008

2. In this tutorial, I am going to show you how to populate the HOME-RULES chain by directly editing /etc/sysconfig/iptables. (Note: I assume you understand how to use vim to edit files.)
[root@greg ~]# vim /etc/sysconfig/iptables
Insert the following text below the -A INPUT line, in this order (rules are evaluated top to bottom and the first match that ACCEPTs or REJECTs wins).
-A HOME-RULES -i lo -j ACCEPT --> accepts all traffic on the loopback interface (lo)
-A HOME-RULES -p icmp -j ACCEPT --> accepts ICMP, so other hosts can ping the server
-A HOME-RULES -m state --state ESTABLISHED,RELATED -j ACCEPT --> accepts replies to connections the server already knows about (stateful filtering)
-A HOME-RULES -p tcp --dport 22 -j ACCEPT --> accepts packets destined for tcp port 22 (ssh), i.e. lets other hosts ssh to the server
-A HOME-RULES -m state --state NEW -p udp --dport 514 -j ACCEPT --> accepts new datagrams destined for udp port 514 (syslog), so the server can receive remote syslog messages
-A HOME-RULES -j LOG --> logs every packet not matched by one of the above rules; LOG is non-terminating, so the packet continues to the next rule. On a busy network add `-m limit --limit 5/min` in front of `-j LOG` to keep the kernel log from flooding.
-A HOME-RULES -j REJECT --> rejects all packets not matched by one of the above rules (the default reject-with is icmp-port-unreachable). Because REJECT is terminating, nothing falls back to INPUT's ACCEPT policy.

3. Save the new configuration.
4. Load the new rules. If you are logged in over ssh, double-check that the tcp port 22 rule is present before restarting; a typo there locks you out.
[root@greg ~]# service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]

5. You're all set. Verify with `iptables -L HOME-RULES -n -v --line-numbers` and by sshing in from another host.
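The whole procedure above can be scripted so the ruleset is generated rather than hand-edited, and checked for ordering mistakes before it ever touches the kernel. The script below is an added example, not code from the original post: it writes the HOME-RULES ruleset in iptables-save format (with the rate-limited LOG rule and an explicit reject-with), and a `check_rules` function asserts that the stateful rule precedes the ssh rule and that LOG and REJECT are the last two entries. The `SSH_PORT`/`SYSLOG_PORT` variables and the "HOME-RULES drop: " log prefix are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: generate and sanity-check the HOME-RULES ruleset from the tutorial.
# Assumed values (not from the original page): ports and log prefix.
SSH_PORT=22
SYSLOG_PORT=514
LOG_PREFIX="HOME-RULES drop: "

# Emit the ruleset in iptables-save format, suitable for /etc/sysconfig/iptables.
gen_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:HOME-RULES - [0:0]
-A INPUT -j HOME-RULES
-A HOME-RULES -i lo -j ACCEPT
-A HOME-RULES -m state --state ESTABLISHED,RELATED -j ACCEPT
-A HOME-RULES -p icmp -j ACCEPT
-A HOME-RULES -m state --state NEW -p tcp --dport $SSH_PORT -j ACCEPT
-A HOME-RULES -m state --state NEW -p udp --dport $SYSLOG_PORT -j ACCEPT
-A HOME-RULES -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "$LOG_PREFIX"
-A HOME-RULES -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Print the 1-based position, within HOME-RULES, of the first rule matching $1.
rule_line() {
  gen_rules | grep '^-A HOME-RULES' | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Ordering checks: stateful accept before the service rules, LOG second to last,
# REJECT last. Returns 0 when the ruleset is consistent, 1 otherwise.
check_rules() {
  total=$(gen_rules | grep -c '^-A HOME-RULES')
  est=$(rule_line 'ESTABLISHED,RELATED')
  ssh=$(rule_line "--dport $SSH_PORT ")
  log=$(rule_line ' -j LOG')
  rej=$(rule_line ' -j REJECT')
  [ -n "$est" ] && [ -n "$ssh" ] && [ -n "$log" ] && [ -n "$rej" ] || return 1
  [ "$rej" -eq "$total" ] || return 1          # REJECT must be the final rule
  [ "$log" -eq $((rej - 1)) ] || return 1      # LOG directly before REJECT
  [ "$est" -lt "$ssh" ] || return 1            # replies accepted before new ssh
  return 0
}

# Usage (as root), after check_rules succeeds:
#   gen_rules > /etc/sysconfig/iptables && service iptables restart
```

If you are applying this over ssh, schedule a rollback first (for example `echo "service iptables stop" | at now + 5 minutes`, then cancel the job with `atrm` once you have confirmed you can still log in). Newer iptables releases than the 1.3.5 shown on this page also accept `iptables-restore --test < file` to parse the ruleset without committing it.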
