As an administrator in today’s world of networked computing and easy access to the Internet, security both internally and externally must be the first and last issue considered. Denying unauthorized access is the first step to keeping your system secure. The mechanism to prevent access to all or some network services on a system is called a firewall.
Every operating system allows for the implementation of a firewall differently. Red Hat Enterprise Linux uses IPTables, a network packet-filtering mechanism in the Linux kernel. IPTables can be used to allow or deny packets based on numerous factors including their destination, their source, which port they are trying to access, the user ID of the process that created the packet, and more.
Install the iptables RPM package to use IPTables. It includes the utilities to configure which packets to filter. The IPTables configuration consists of a series of rules. Each rule belongs to a specific table, and each table has its own set of chains. A chain is a list of rules against which every packet passed through the chain is compared, in order. When a packet matches a rule, the target of that rule tells the system what to do with the packet, which can include passing it along to a different chain.
This section discusses how to write and enable IPTables rules. It also discusses the Red Hat Enterprise Linux security levels, which are predefined sets of IPTables rules. They can be used to quickly implement a basic firewall.
Selecting a Table and Command for IPTables
The first part of an IPTables rule is defining the table with the -t <table> option:
iptables -t <table> ...
Choose from the following tables:
. filter: Default table used if -t <table> is not specified. Its predefined chains are INPUT, FORWARD, and OUTPUT.
. nat: Use when a packet tries to create a new connection. Its predefined chains are PREROUTING, OUTPUT, and POSTROUTING.
. mangle: Use for specialized packet altering such as changing the destination of the packet. Its predefined chains are PREROUTING, OUTPUT, INPUT, FORWARD, and POSTROUTING.
. raw: Use for exempting packets from connection tracking when the NOTRACK target is used. Its predefined chains are PREROUTING and OUTPUT.
Each rule must contain only one of the commands listed in Table unless otherwise specified. The command should follow the table definition:
iptables -t <table> -A <chain> <rulespec> ...
TABLE IPTables Commands
IPTables Command                  Description
-A <chain> <rulespec>             Append a rule to the end of the chain.
-D <chain> <rulespec>             Delete a rule. The <rulespec> can be replaced by the rule number, with the count starting at 1.
-I <chain> <rulenum> <rulespec>   Insert a rule at a specific point in the chain.
-R <chain> <rulenum> <rulespec>   Replace the rule at a specific point in the chain.
-L <chain>                        List all rules in the chain. The -t <table> option can be used to display rules for a given table.
-F <chain>                        Delete, or flush, all the rules in the chain.
-Z <chain>                        Set the packet and byte counters to zero in a specific chain, or in all chains if no chain is given.
-N <chain>                        Add a new chain. The name must be unique.
-X <chain>                        Delete a given chain. Before a chain can be deleted, it must not be referenced by any rules, and it must not contain any rules.
-P <chain> <target>               Set the policy for a given chain: the default target applied to packets that reach the end of the chain without matching any rule.
-E <old> <new>                    Rename a user-defined chain. The new name must be unique.
-h                                Show a very brief description of the command-line options.
TABLE IPTables Rule Parameters
IPTables Parameter   Description
-p <protocol>        Protocol of the packets. The most common ones are tcp, udp, and icmp. Protocols from /etc/protocols can also be used. If all is used, all protocols are valid for the rule. If an exclamation point and a space are before the protocol name, the rule matches all protocols except the one listed after the exclamation point.
-s <address>         Source of the packets. The <address> can be a network name, an IP address, or an IP address with a mask. If an exclamation point and a space are before the address, the rule matches all addresses except the one listed after the exclamation point.
-d <address>         Destination of the packets. The <address> can be in the same formats as for the -s <address> parameter.
-j <target>          Target of the rule, or what to do with the packets if they match the rule. The target can be a user-defined chain other than the one this rule is in, a predefined target, or an extension. The following predefined targets are available:
                     ACCEPT: Allow the packet through.
                     DROP: Drop the packet and do nothing further with it.
                     QUEUE: Pass the packet to userspace.
                     RETURN: Stop processing the current chain and return to the previous chain.
-g <chain>           Continue processing in the given chain. Unlike -j, a RETURN from that chain does not come back to this one but to the chain that called this one.
-i <name>            Interface on which the packet was received. If an exclamation point and a space are before it, the rule only matches if the packet was not received on the given interface. If a plus mark is appended to the interface name, the rule is true for any interface whose name begins with the given name. If the interface name is not specified, packets received on any interface match the rule. Only for packets entering the INPUT, FORWARD, and PREROUTING chains.
-o <name>            Interface on which the packet will be sent. If an exclamation point and a space are before it, the rule only matches if the packet will not be sent on the given interface. If a plus mark is appended to the interface name, the rule is true for any interface whose name begins with the given name. If the interface name is not specified, packets to be sent on any interface match the rule. Only for packets entering the FORWARD, OUTPUT, and POSTROUTING chains.
-f                   Rule only matches second and further fragments of a fragmented packet. If an exclamation point is before the -f parameter, the rule only matches unfragmented packets and first fragments.
-c PKTS BYTES        Used to initialize the packet and byte counters of the rule. Only for the insert, append, and replace commands.
Selecting IPTables Options
Each rule may contain the options in Table, but they are not required. They should be listed in the rule after the command and any rule specifications for the command such as the following:
iptables -t <table> -A <chain> <rulespec> --line-numbers ...
TABLE IPTables Options
IPTables Option        Description
-v                     Show more details if available, such as the interface names and counters when listing rules.
-n                     Do not resolve IP addresses to hostnames, port numbers to service names, or network addresses to network names. Can be used to speed up the output of commands such as listing the rules.
-x                     Provide the exact values of the packet and byte counters instead of rounded values with K, M, or G suffixes. Only applicable to the -L command.
--line-numbers         When listing rules, display the rule number in front of each rule to show its position in the chain.
--modprobe=<command>   When adding or inserting rules, use the specified command to load additional kernel modules.
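The listing options above matter most when a rule has to be located by number for -D <chain> <rulenum> or -R. The following script is an added example, not code from the book: it reads the output of iptables -L <chain> -n -v -x --line-numbers on standard input and extracts the rule number for a match, the chain policy, and rules whose counters are still zero. The listing embedded in SAMPLE_LISTING is constructed sample output, not captured from a real system, and the delete_matching_rule helper is an assumed wrapper that only works as root.

```shell
#!/bin/sh
# Added example (not from the book). Constructed sample output of
#   iptables -L INPUT -n -v -x --line-numbers
# so the parsing functions can be exercised without root or a firewall.
SAMPLE_LISTING='Chain INPUT (policy DROP 12 packets, 720 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1         340      25000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        1200     980000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3          15        900 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
4           0          0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
5          77       4620 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0'

# Rule number of the first rule whose listing line contains $1 (for example
# "dpt:22"). Rule lines are the ones whose first field is the number printed
# by --line-numbers; the "Chain" header and "num" column header are skipped.
rule_number_for() {
    awk -v pat="$1" '$1 ~ /^[0-9]+$/ && index($0, pat) > 0 { print $1; exit }'
}

# Policy of the chain, taken from the "Chain NAME (policy X ...)" header.
# User-defined chains have no policy, so "-" is printed for them.
chain_policy() {
    awk '$1 == "Chain" { if ($3 == "(policy") print $4; else print "-"; exit }'
}

# Rule numbers whose packet counter is zero: rules that have never matched
# since the counters were last reset with -Z, worth reviewing before the
# ruleset is saved with "service iptables save". Needs -x so the counter
# field is an exact number rather than a rounded value such as 980K.
unused_rules() {
    awk '$1 ~ /^[0-9]+$/ && $2 == 0 { print $1 }'
}

# Delete the first rule in chain $1 matching $2, by its number (root only).
# Assumed helper; the rule number is read from a fresh listing because
# numbers shift whenever an earlier rule is inserted or deleted.
delete_matching_rule() {
    num=$(iptables -L "$1" -n -v -x --line-numbers | rule_number_for "$2")
    [ -n "$num" ] || { echo "no rule in $1 matches '$2'" >&2; return 1; }
    iptables -D "$1" "$num"
}

# Offline demonstration against the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | rule_number_for 'dpt:22'   # rule 3
printf '%s\n' "$SAMPLE_LISTING" | chain_policy                # DROP
printf '%s\n' "$SAMPLE_LISTING" | unused_rules                # rule 4
```

Because rule numbers are recomputed from a fresh listing each time, deleting by number stays correct even after other rules have been inserted or removed since the chain was last inspected.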
Starting and Stopping the IPTables Service
The IPTables service can be started and stopped using the iptables service. The script to manage the service has many other options. As root, the following <options> can be used with the service iptables <options> command:
. start: Start service with the rules defined in /etc/sysconfig/iptables.
. stop: Flush firewall rules, delete chains, unload kernel modules, and set policy to accept all packets again.
. restart: Stop the service, then start it again.
. condrestart: Stop the service, then start it again but only if it is already running.
. save: Save current rules in /etc/sysconfig/iptables.
. status: If firewall is active, display output of rules.
. panic: Same as stop, but after the firewall is disabled, the policy is set to drop all packets.
To activate the firewall at boot time, execute the following as root:
chkconfig iptables on
Saving the IPTables Rules
IPTables rules can be set on the command line by issuing the iptables commands one by one as root. However, they are only in effect until the system is rebooted or the table of rules is cleared; they are not saved. Executing individual iptables commands is useful for testing the syntax of new rules or watching how they affect packets in real time. At some point, however, the rules need to be saved so that they can be used on subsequent reboots. After setting up your rules, use the following command as root to save them to /etc/sysconfig/iptables:
service iptables save
The next time the system is rebooted and the iptables service is started, the rules are read from the file and re-enabled.
Alternately, you can add your IPTables rules directly to the /etc/sysconfig/iptables file.
With so many tables, chains, and targets, the possible IPTables rules seem endless. This section gives some common examples to help you understand how it all fits together.
. Flush rules for the INPUT, FORWARD, and OUTPUT chains:
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
. Drop all incoming and forwarding packets but allow outgoing packets to be sent:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
. To allow incoming and outgoing connections to the port used for a network service (incoming packets are addressed to the port, so INPUT matches on the destination port, and the replies leave from it, so OUTPUT matches on the source port):
iptables -A INPUT -p tcp --dport <port> -j ACCEPT
iptables -A OUTPUT -p tcp --sport <port> -j ACCEPT
For example, to allow SSH connections:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
. On an internal webserver with eth1 connected to the internal network and eth0 connected to the Internet, only accept web connections from internal clients on port 80, assuming all internal packets are routed to eth1. Drop all packets coming from the Internet, regardless of the port. (The -i parameter is only valid for incoming packets, so the OUTPUT rule uses -o to name the interface the replies leave on.)
iptables -A INPUT -i eth0 -j DROP
iptables -A INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -o eth1 -j ACCEPT
. Allow the server to masquerade packets from other systems using it as a gateway:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
For this to work, IP forwarding must also be enabled in the kernel by changing the value of net.ipv4.ip_forward to 1 in /etc/sysctl.conf as the root user:
net.ipv4.ip_forward = 1
Changes to this file do not take effect until the sysctl -p command is executed by root.
. Using the connlimit match extension, limit the number of simultaneous SSH connections to the server per client IP address to 3:
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
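The examples above can be combined into one ruleset file instead of being typed one by one. The following script is an added example, not code from the book: build_ruleset prints the contents of /etc/sysconfig/iptables for the internal webserver and gateway scenario in the format that service iptables start reads (the same format service iptables save writes: one *table line, one :CHAIN POLICY line per chain, the rules without the iptables command name, and COMMIT). The interface names, the SSH connection limit, the loopback and ESTABLISHED,RELATED rules and the FORWARD rules are assumptions for this example; the book's rules are stateless, and without the ESTABLISHED,RELATED rule a DROP policy on INPUT also discards the replies to connections the server itself opens.

```shell
#!/bin/sh
# Added example (not from the book): generate /etc/sysconfig/iptables for
# the webserver/gateway scenario. Interface names and limits are assumptions.
WAN_IF="${WAN_IF:-eth0}"      # connected to the Internet
LAN_IF="${LAN_IF:-eth1}"      # connected to the internal network
SSH_LIMIT="${SSH_LIMIT:-3}"   # simultaneous SSH connections per client IP

# Print a complete ruleset in iptables-save format: filter table with a
# default-deny policy on INPUT and FORWARD and ACCEPT on OUTPUT, then the
# nat table masquerading traffic that leaves on the Internet-facing
# interface. Lines beginning with # are comments to iptables-restore.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections this host opened (DNS, updates).
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop everything arriving from the Internet, regardless of port.
-A INPUT -i $WAN_IF -j DROP
# Web connections only from the internal network.
-A INPUT -i $LAN_IF -p tcp --dport 80 -j ACCEPT
# SSH from the internal network, at most $SSH_LIMIT connections per client IP.
-A INPUT -i $LAN_IF -p tcp --syn --dport 22 -m connlimit --connlimit-above $SSH_LIMIT -j REJECT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
# Internal clients may go out to the Internet; only their replies come back.
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Number of rules the generated ruleset appends to chain $1.
rule_count() {
    build_ruleset | grep -c "^-A $1 "
}

# Policy the generated ruleset sets for chain $1 (first matching :CHAIN line,
# which is the filter table's because it is printed first).
chain_policy() {
    build_ruleset | awk -v c=":$1" '$1 == c { print $2; exit }'
}

# Write the ruleset where the iptables service looks for it and load it.
# Run as root; the previous file is kept as a backup so it can be restored.
install_ruleset() {
    [ -f /etc/sysconfig/iptables ] && cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
    build_ruleset > /etc/sysconfig/iptables
    service iptables restart
}

# Show the file that would be installed.
build_ruleset
```

Run the script as it stands to review the generated file; call install_ruleset as root to put it in place. The FORWARD rules and the MASQUERADE rule only carry traffic once net.ipv4.ip_forward is set to 1 as described above, and the ruleset is read again at every boot once chkconfig iptables on has been run.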
Enabling the Default Firewall
If you just need to set which ports should accept connections and which ports should deny connection requests, you can enable the default Red Hat Enterprise Linux firewall and then specify the ports on which to allow connections. This default firewall is a predefined set of IPTables rules. Using this default set of rules and then adding ports on which to accept connections, instead of writing your own custom IPTables rules, works best for desktop systems that aren't offering any server or network services and for single-purpose systems that only need to accept connections on specific ports, such as the FTP port for an FTP server. To enable the default firewall, use the Security Level Configuration program in Red Hat Enterprise Linux. To start the program, select Administration, Security Level and Firewall from the System menu on the top panel of the desktop, or execute the system-config-securitylevel command. If you configured a security level with the Setup Agent, it can be modified with this tool at any time. To use this program, you must have the system-config-securitylevel RPM package installed.