As an administrator in today’s world of networked computing and easy
access to the Internet, security both internally and externally must be the
first and last issue considered. Denying unauthorized access is the first step
to keeping your system secure. The mechanism to prevent access to all or some
network services on a system is called a firewall.
Every operating system allows for the implementation of a firewall
differently. Red Hat Enterprise Linux uses IPTables, a network packet-filtering
mechanism in the Linux kernel. IPTables can be used to allow or deny packets
based on numerous factors including their destination, their source, which port
they are trying to access, the user ID of the process that created the packet,
and more.
Install the iptables RPM package to use IPTables. It includes
utilities to configure which packets to filter. The IPTables configuration
consists of a series of rules. Each rule must be for a specific table, with
each table having its own set of chains. A chain is an ordered list of rules
against which every packet passing through the chain is compared. When a packet
matches a rule, the target of that rule tells the system what to do with the
packet, which can include passing it along to a different chain.
This section discusses how to write and enable IPTables rules. It also
discusses the Red Hat Enterprise Linux security levels, which are predefined
sets of IPTables rules. They can be used to quickly implement a basic firewall.
Selecting a Table and Command for IPTables
The first part of an IPTables rule is defining the table with the -t
<table> option:
iptables -t <table> ...
Choose from the following tables:
. filter: Default table used if -t <table> is not specified. Its predefined
chains are INPUT, FORWARD, and OUTPUT.
. nat: Use when a packet tries to create a new connection. Its predefined
chains are PREROUTING, OUTPUT, and POSTROUTING.
. mangle: Use for specialized packet altering such as changing the destination
of the packet. Its predefined chains are PREROUTING, OUTPUT, INPUT, FORWARD,
and POSTROUTING.
. raw: Use for exempting packets from connection tracking when the NOTRACK
target is used. Its predefined chains are PREROUTING and OUTPUT.
Each rule must contain only one of the commands listed in Table unless
otherwise specified. The command should follow the table definition:
iptables -t <table> -A <chain> <rulespec> ...
TABLE IPTables Commands
IPTables Command / Description
-A <chain> <rulespec>
    Append rule to the end of the chain.
-D <chain> <rulespec>
    Delete rule. The <rulespec> can also be the rule number, with the count
    starting at 1.
-I <chain> <rulenum> <rulespec>
    Insert a rule at a specific point in the chain.
-R <chain> <rulenum> <rulespec>
    Replace a rule at a specific point in the chain.
-L <chain>
    List all rules in the chain. The -t <table> option can be used to display
    rules for a given table.
-F <chain>
    Delete, or flush, all the rules in the chain.
-Z <chain>
    Set the packet and byte counters to zero in a specific chain, or in all
    chains if no chain is given.
-N <chain>
    Add a new chain. Name must be unique.
-X <chain>
    Delete a given chain. Before a chain can be deleted, it must not be
    referenced by any rules, and it must not contain any rules.
-P <chain> <target>
    Set the policy for a given chain: the target applied to packets that reach
    the end of the chain without matching any of its rules.
-E <old> <new>
    Rename a user-defined chain. New name must be unique.
-h
    Show a very brief description of command-line options.
TABLE IPTables Rule Parameters
Parameter / Description
-p <protocol>
    Protocol for the packets. The most common ones are tcp, udp, and icmp.
    Protocols from /etc/protocols can also be used. If all is used, all
    protocols are valid for the rule. If an exclamation point and a space are
    before the protocol name, the rule matches all protocols except the one
    listed after the exclamation point.
-s <address>
    Source of the packets. The <address> can be a network name, an IP address,
    or an IP address with a mask. If an exclamation point and a space are
    before the address, the rule matches all addresses except the one listed
    after the exclamation point.
-d <address>
    Destination of the packets. The <address> can be in the same formats as
    for the -s <address> parameter.
-j <target>
    Target of the rule, or what to do with the packets if they match the rule.
    The target can be a user-defined chain other than the one this rule is in,
    a predefined target, or an extension. The following predefined targets are
    available:
        ACCEPT: Allow the packet through.
        DROP: Drop the packet and do nothing further with it.
        QUEUE: Pass the packet to userspace.
        RETURN: Stop processing the current chain and return to the previous
        chain.
-g <chain>
    Continue processing in the given chain.
-i <name>
    Interface on which the packet was received. If an exclamation point and a
    space are before it, the rule only matches if the packet was not received
    on the given interface. If a plus mark is appended to the interface name,
    the rule is true for any interface whose name begins with that prefix. If
    the interface name is not specified, packets received on any interface
    match the rule. Only for packets entering the INPUT, FORWARD, and
    PREROUTING chains.
-o <name>
    Interface on which the packet will be sent. If an exclamation point and a
    space are before it, the rule only matches if the packet will not be sent
    on the given interface. If a plus mark is appended to the interface name,
    the rule is true for any interface whose name begins with that prefix. If
    the interface name is not specified, packets to be sent on any interface
    match the rule. Only for packets entering the FORWARD, OUTPUT, and
    POSTROUTING chains.
-f
    Rule only matches the second and further fragments of fragmented packets.
    If an exclamation point is before the -f parameter, the rule only matches
    unfragmented packets.
-c PKTS BYTES
    Used to initialize the packet and byte counters of the rule. Only for
    INSERT, APPEND, and REPLACE actions.
Selecting IPTables Options
Each rule may contain the options in Table, but they are not required.
They should be listed in the rule after the command and any rule specifications
for the command such as the following:
iptables -t <table> -A <chain> <rulespec> --line-numbers ...
TABLE IPTables Options
IPTables Option / Description
-v
    Show more details if available, such as the interface name and counters,
    when listing rules.
-n
    Do not resolve IP addresses to hostnames, port numbers to service names,
    or network addresses to network names. Can be used to speed up the output
    of commands such as listing the rules.
-x
    Provide the exact values of the packet and byte counters. Only applicable
    to the -L command.
--line-numbers
    When listing rules, display line numbers in front of each rule to show the
    position of the rule in the chain.
--modprobe=<command>
    When adding or inserting rules, use the specified command to load
    additional kernel modules.
Starting and Stopping the IPTables Service
The IPTables service is started and stopped through the iptables init script,
which has several other options as well. As root, the following <options> can
be used with the service iptables <options> command:
. start: Start the service with the rules defined in /etc/sysconfig/iptables.
. stop: Flush firewall rules, delete chains, unload kernel modules, and set the
policy back to accepting all packets.
. restart: Stop the service, then start it again.
. condrestart: Stop the service, then start it again, but only if it is
already running.
. save: Save the current rules in /etc/sysconfig/iptables.
. status: If the firewall is active, display the rules in effect.
. panic: Same as stop, but after the firewall is disabled, the policy is set to
drop all packets.
To activate the firewall at boot time, execute the following as root:
chkconfig iptables on
Saving the IPTables Rules
IPTables rules can be set on the command line by issuing the iptables
commands one by one as root. However, they are only in effect until the system
is rebooted or the table of rules is cleared. They are not saved. Executing
individual iptables commands is useful for testing the syntax of new rules or watching
how they affect packets in real-time. However, at some point, the rules need to
be saved so that they can be used on subsequent reboots. After setting up your
rules, use the following command as root to save them to
/etc/sysconfig/iptables:
service iptables save
The next time the system is rebooted and the iptables service is
started, the rules are read from the file and re-enabled.
Alternately, you can add your IPTables rules directly to the
/etc/sysconfig/iptables file.
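If you maintain /etc/sysconfig/iptables by hand, it must be in the format that the iptables init script feeds to iptables-restore: one block per table, opened by a *table line, with the chain policies and rules, and closed by COMMIT. The following is an added example, not from the original text, that writes such a file (a constructed default-deny ruleset allowing only SSH, replies to established connections, and loopback traffic, plus a masquerading nat table for the eth0 gateway case discussed later on this page) to a path of your choosing, and a small lint function that checks two things before the file replaces the live one: that every table block is closed by COMMIT, and that no INPUT ACCEPT rule is keyed on --sport alone, since the source port of an inbound packet is chosen by the remote side. The state match and the loopback rule are additions beyond the rules shown on this page.

```shell
#!/bin/sh
# Added example: stage a hand-written /etc/sysconfig/iptables and lint it
# before installing. The output path is a parameter so the file can be
# reviewed (and tested against a temporary path) before it goes live.

write_iptables_config() {
    out="$1"
    cat > "$out" <<'EOF'
# constructed sample for /etc/sysconfig/iptables: default-deny inbound, SSH only
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Returns 0 when the file passes both checks, 1 otherwise (reasons on stderr).
lint_iptables_config() {
    f="$1"
    status=0
    # Every *table header needs a matching COMMIT or iptables-restore rejects
    # the whole file and the service fails to start with no rules loaded.
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    if [ "$tables" -ne "$commits" ]; then
        echo "lint: $tables table header(s) but $commits COMMIT line(s)" >&2
        status=1
    fi
    # An INPUT ACCEPT rule that matches on --sport without --dport trusts a
    # value the sender picks; inbound service rules should match --dport.
    if grep -- '^-A INPUT ' "$f" | grep -- '--sport' | grep -v -- '--dport' \
        | grep -q -- '-j ACCEPT'; then
        echo "lint: INPUT ACCEPT rule matches on --sport only" >&2
        status=1
    fi
    return $status
}

# Usage (as root):
#   write_iptables_config /root/iptables.new \
#     && lint_iptables_config /root/iptables.new \
#     && cp /root/iptables.new /etc/sysconfig/iptables \
#     && service iptables restart
```

Keep a copy of the previous file before replacing it; `service iptables stop` followed by `service iptables start` from a bad file leaves the host with an accept-all policy, which the lint is meant to catch before that happens.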
IPTables Examples
With so many tables, chains, and targets, the possible IPTables rules
seem endless. This section gives some common examples to help you understand
how it all fits together.
. Flush rules for the INPUT, FORWARD, and OUTPUT chains:
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
. Drop all incoming and forwarding packets but allow outgoing packets
to be sent:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
. To allow incoming connections to the port used by a network service, and the
replies the service sends back:
iptables -A INPUT -p tcp --dport <port> -j ACCEPT
iptables -A OUTPUT -p tcp --sport <port> -j ACCEPT
The service port is the destination port of the incoming packet and the source
port of the reply. Matching --sport in the INPUT chain instead would accept any
packet whose sender chose that source port. For example, to allow SSH
connections:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
On an internal webserver with eth1 connected to the internal network and eth0
connected to the Internet, only accept web connections from internal clients on
port 80, assuming all internal packets are routed to eth1. Drop all packets
coming from the Internet, regardless of the port. Note that -i selects the
receiving interface and is used in INPUT, while -o selects the sending
interface and is used in OUTPUT:
iptables -A INPUT -i eth0 -j DROP
iptables -A INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -o eth1 -j ACCEPT
. Allow the server to masquerade packets from other systems using it
as a gateway:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
For this to work, IP forwarding must also be enabled in the kernel by
changing the value of net.ipv4.ip_forward to 1 in /etc/sysctl.conf by the root
user:
net.ipv4.ip_forward=1
Changes to this file do not take effect until the sysctl -p command is
executed by root.
. Using the connlimit match extension, limit the number of simultaneous SSH
connections to the server per client IP address to 3 (the rule must be added
to the INPUT chain, ahead of the rule that accepts SSH):
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
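Because the first matching rule in a chain decides a packet's fate, the order in which these examples are applied matters. The script below is an added example, not from the original text, that assembles them in a working order behind a run() wrapper: by default it only prints each iptables command (DRY_RUN=1) so the ruleset can be reviewed, and executes them as root only when DRY_RUN=0. It assumes eth0 is the Internet-facing interface and eth1 the internal one, as in the text. Two rules not shown on this page are added and marked as such: accepting loopback traffic and accepting replies to connections the host itself initiated, without which an INPUT DROP policy also blocks the host's own outbound sessions.

```shell
#!/bin/sh
# Added example: the rules from this section in a safe application order.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (root).
DRY_RUN=${DRY_RUN:-1}
SSH_PORT=22
WEB_PORT=80
EXT_IF=eth0     # assumed Internet-facing interface
INT_IF=eth1     # assumed internal-network interface

run() {
    if [ "$DRY_RUN" = 0 ]; then
        "$@"
    else
        echo "$*"
    fi
}

build_firewall() {
    # Start from a clean slate in the filter table.
    run iptables -F INPUT
    run iptables -F FORWARD
    run iptables -F OUTPUT
    # Default policies: inbound and forwarded traffic is dropped unless a
    # later rule accepts it.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    # Added beyond the page's rules: loopback, and replies to connections this
    # host opened (otherwise INPUT DROP discards them).
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inbound SSH: the service port is the destination port of the incoming
    # packet. The connlimit REJECT must come before the ACCEPT to take effect.
    run iptables -A INPUT -p tcp --syn --dport "$SSH_PORT" \
        -m connlimit --connlimit-above 3 -j REJECT
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    # Web server reachable only from the internal interface; the explicit
    # eth0 DROP is redundant with the policy but makes the intent visible.
    run iptables -A INPUT -i "$INT_IF" -p tcp --dport "$WEB_PORT" -j ACCEPT
    run iptables -A INPUT -i "$EXT_IF" -j DROP
    # Gateway role: masquerade internal clients leaving on the external
    # interface, and let their traffic and its replies be forwarded.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Forwarding is off until enabled; make it persistent in /etc/sysctl.conf.
    run sysctl -w net.ipv4.ip_forward=1
}

build_firewall
```

After a dry run reads correctly, apply with `DRY_RUN=0 sh firewall.sh` as root, confirm the result with `iptables -L -n -v --line-numbers`, and only then run `service iptables save` so the ruleset survives a reboot.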
Enabling the Default Firewall
If you just need to set which ports should accept connections and
which ports should deny requests for connections, you can enable the default
Red Hat Enterprise Linux firewall and then specify specific ports on which to
allow connections. This default firewall is a predefined set of IPTables rules.
Using this default set of rules and then adding ports on which to accept
connections instead of writing your own custom IPTables rules works best for
desktop systems that aren’t offering any server or network services and
single-purpose systems that only need to accept connections on specific ports
such as the FTP port for an FTP server. To enable the default firewall, use the
Security Level Configuration program in Red Hat
Enterprise Linux. To start the program, select Administration,
Security Level and Firewall from the System menu on the top panel on the
desktop or execute the system-config-securitylevel command. If you configured a
security level with the Setup Agent, it can be modified with this tool at any
time. To use this program, you must have the system-config-securitylevel RPM package
installed.