http://en.gentoo-wiki.com/wiki/Iptables
Iptables
From Gentoo Linux Wiki
Introduction
iptables is the userspace tool for configuring the Linux kernel's netfilter packet filter. By default it allows all incoming and outgoing connections: the built-in chains have an ACCEPT policy and contain no rules.
Installation
emerge iptables
Getting Started
By default iptables permits all incoming and outgoing connections; however, some rules may already exist on your system. To see the current set of rules, type:
iptables -L -v
You should see three chains (INPUT, FORWARD and OUTPUT), each with policy ACCEPT and no rules. If you see anything else, back up your rules first by running
iptables-save > ~/rules.save
which puts the rules.save file in your home directory. Should you want to reload your old configuration, run
iptables-restore < ~/rules.save
Now that any old rules have been saved for later reference, type:
iptables -F
to flush (delete every rule in) all chains of the filter table. Note that -F removes rules only: chain policies stay as they are, and user-defined chains are removed with iptables -X.

The most basic setting to apply is the default policy. If no rule on a chain matches a packet, the chain's policy decides what happens to it. For INPUT we want this to be DROP, but before setting it you must make sure you will not cut yourself off from the Internet: with a DROP policy and no rules, ALL incoming traffic is discarded, including the replies to connections you opened yourself. To make this policy viable, the kernel must be able to keep track of active TCP connections as well as UDP and related traffic. Therefore you must enable connection tracking in the kernel (Netfilter connection tracking support, CONFIG_NF_CONNTRACK on current kernels, plus the "state" match used below):
Linux Kernel Configuration: iptables configuration
Networking support --->
    Networking options --->
After configuring your kernel, you can now type:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
This tells iptables to append a rule to the INPUT chain (-A INPUT) that accepts (-j ACCEPT) packets belonging to a connection the kernel has already seen. -m state loads the match extension (module) "state", and --state RELATED,ESTABLISHED is an argument to that extension, so -m state --state is not redundant: -m selects the module and --state defines which connection-tracking states to match. ESTABLISHED matches packets of a connection that has seen traffic in both directions; RELATED matches packets the tracker associates with an existing connection, such as ICMP error messages or FTP data connections. On current iptables the same match is spelled -m conntrack --ctstate RELATED,ESTABLISHED; -m state is kept as a compatibility alias.

Next, allow traffic on the loopback interface. Many local services talk to each other over 127.0.0.1, and a DROP policy on INPUT would break them:
iptables -A INPUT -i lo -j ACCEPT
(This rule has nothing to do with outgoing connections: the OUTPUT chain keeps its ACCEPT policy, and the replies to connections you initiate are accepted by the ESTABLISHED rule above.)

Now you are ready to secure your system. Change the default policy for INPUT to DROP:
iptables -P INPUT DROP
You should still be able to use the Internet and do all your normal tasks; it is just that no new connections can be made from the outside in. If you are doing this on a remote machine, first add a rule accepting the port you administer it over (for example iptables -A INPUT -p tcp --dport 22 -j ACCEPT for SSH): your current session will normally survive thanks to the ESTABLISHED rule, but without such a rule you will not be able to open a new one. Assuming you have no need for incoming connections you are set; if you want to do something more advanced, move on to the next section.
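The sequence above collected into one reproducible ruleset, as an added example that is not part of the original page. It prints the rules in iptables-restore format (the same format iptables-save writes) and, when run with the argument apply, loads them with a 60-second automatic rollback so a mistake on a remote host cannot lock you out. The example uses the -m conntrack --ctstate spelling of the state match, and adds two things the page's commands do not have: a drop for packets conntrack classifies as INVALID, and a rate-limited LOG rule at the end of INPUT. It assumes SSH on TCP port 22 (override with the first argument) and a single host that does no forwarding, so FORWARD is set to DROP as well; the rollback file path under /root is also an assumption.

```shell
#!/bin/sh
# Added example, not the wiki page's own commands: generate the baseline INPUT ruleset
# as an iptables-restore file and (optionally) apply it with an automatic rollback.
# Assumptions: filter table only, SSH on the port given as argument (default 22),
# no forwarding (FORWARD policy DROP), rollback file kept under /root.

# build_ruleset SSH_PORT: print the ruleset on stdout in iptables-restore format.
# iptables-restore skips lines starting with '#', so the comments can stay in.
build_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local services talk over 127.0.0.1 and a DROP policy would break them
-A INPUT -i lo -j ACCEPT
# replies to connections we opened, plus related traffic (ICMP errors, FTP data, ...)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify are never a legitimate new connection
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the one inbound service that must stay reachable (assumed: SSH)
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# log what the DROP policy is about to discard, rate limited so a scan cannot flood syslog
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT-DROP: " --log-level 4
COMMIT
EOF
}

# apply_ruleset SSH_PORT: save the live rules, load the new ones, and put the old ones
# back after 60 seconds unless the operator kills the timer. If the new rules cut your
# SSH session, the old rules return by themselves.
apply_ruleset() {
    backup="/root/iptables.rollback.$$"
    iptables-save > "$backup" || return 1
    build_ruleset "$1" | iptables-restore || return 1
    ( sleep 60 && iptables-restore < "$backup" ) &
    timer=$!
    echo "New rules loaded. Run: kill $timer  within 60 s to keep them (rollback file: $backup)"
}

# "sh script.sh" prints the ruleset; "sh script.sh apply [PORT]" loads it as root.
case "${1:-}" in
    apply) apply_ruleset "${2:-22}" ;;
    *)     build_ruleset "${1:-22}" ;;
esac
```

Review the printed ruleset before using apply; once you have confirmed that a fresh SSH login still works, kill the timer and persist the rules with iptables-save as described earlier in this section.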
Advanced
Logging
The LOG target writes to the kernel log, so to keep the messages you need a syslog daemon such as syslog-ng installed and running:
emerge syslog-ng
/etc/init.d/syslog-ng start
It is a good idea to start it by default:
rc-update add syslog-ng default
Once this is set up, you can add LOG rules to your chains:
iptables -A INPUT -j LOG
LOG is a non-terminating target: after the packet has been logged, evaluation continues with the next rule in the chain. So if you put it at the beginning of the chain you will log ALL packets; if you put it at the end and the policy is DROP, it logs exactly the packets the policy is about to drop. If your default policy is ACCEPT, you should create a chain called LOGDROP so that, instead of just dropping packets, you log and drop them. To do this, run the following commands:
iptables -N LOGDROP
creates a new chain named LOGDROP,
iptables -A LOGDROP -j LOG
logs the packets that reach the chain, and
iptables -A LOGDROP -j DROP
drops them. Now use "-j LOGDROP" instead of "-j DROP" wherever you want both, for instance when blocking specific ports. Two options are worth adding to any LOG rule: --log-prefix "LOGDROP: " (the text is your choice, up to 29 characters; it makes the lines easy to find), and a rate limit such as -m limit --limit 5/min placed before -j LOG, because an unthrottled LOG rule hit by a port scan or a flood can fill the disk with log lines.
Once all this is done, any logged packets are written to the kernel log (visible with dmesg) and, via syslog, to /var/log/messages.
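To make use of those log lines, here is an added example (not from the page) that summarises LOGDROP entries from /var/log/messages by source address, protocol and destination port, and names the source that was dropped most often. The five syslog lines in SAMPLE_LOG are constructed for the example; the field layout (IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT=) is the one the LOG target produces, and the "LOGDROP: " prefix assumes the LOGDROP chain's LOG rule was given --log-prefix "LOGDROP: ".

```shell
#!/bin/sh
# Added example, not from the wiki page: summarise iptables LOG lines as syslog stores them.
# Assumption: the LOGDROP chain logs with --log-prefix "LOGDROP: ". The sample below is
# constructed (documentation addresses 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24).
SAMPLE_LOG='Mar  3 10:15:32 gw kernel: LOGDROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:33 gw kernel: LOGDROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=51235 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:40 gw kernel: LOGDROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar  3 10:16:01 gw kernel: LOGDROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54323 PROTO=TCP SPT=51236 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:16:02 gw sshd[2211]: Accepted publickey for admin from 192.0.2.50 port 40110 ssh2
Mar  3 10:16:09 gw kernel: LOGDROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54324 PROTO=TCP SPT=51237 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# drop_summary: read syslog lines on stdin, keep only kernel lines carrying the LOGDROP
# prefix, and print "count src proto dport", most frequent first. Fields are KEY=VALUE
# tokens, so each one is split on "=" rather than relying on fixed positions.
drop_summary() {
    awk '
    /kernel: .*LOGDROP: / {
        src = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")        src   = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT")   dpt   = kv[2]
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# top_source: the single source address responsible for the most dropped packets,
# summed over all protocols and ports.
top_source() {
    drop_summary | awk '{ n[$2] += $1 } END { for (s in n) print n[s], s }' \
        | sort -rn | head -n 1 | cut -d" " -f2
}

# Stand-alone run over the constructed sample; on a real box use:
#   drop_summary < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | drop_summary
```

The first line of the summary for the sample is "2 203.0.113.5 TCP 22": the same host probing telnet, RDP and then SSH twice is the pattern you would feed into a blocklist rule, while the single UDP 5353 (mDNS) drop from a different address is harmless background noise.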
Routing
A very good guide to using your Linux box as a router can be found here: http://www.gentoo.org/doc/en/home-router-howto.xml Many of the iptables tips in this section carry over and will help you understand and modify what you do in that guide.
Command Examples
- Appends a rule to the end of the INPUT chain that accepts UDP packets addressed to port 22 (--dport matches the destination port; --sport would match the source port).
iptables -A INPUT -p udp --dport 22 -j ACCEPT
- Inserts a rule at position 2 of the INPUT chain (between the current rules 1 and 2, pushing rule 2 and everything after it down by one) that accepts TCP packets to port 22, which is the protocol SSH actually uses.
iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT
- Deletes the first rule in INPUT whose specification matches exactly, here the TCP rule inserted above. Only one rule is removed per invocation; run it again to remove further identical rules.
iptables -D INPUT -p tcp --dport 22 -j ACCEPT
- Deletes the second rule in the INPUT chain by number.
iptables -D INPUT 2
- Lists all current rules, or only those of the given chain. Add -n to skip DNS lookups and -v to show packet and byte counters and interfaces.
iptables -L [CHAIN]
- Zeros the packet and byte counters, for all chains or only the given one.
iptables -Z [CHAIN]