zbeng

Linux Firewall with iptables


Posted

Published on Pandora Security with permission, article author retains full copyright.

This paper will concern the software package iptables by netfilter.org.

It assumes you have installed a working iptables with the conntrack module.

"Software inside this framework enables packet filtering, network address
[and port] translation (NA[P]T) and other packet mangling. It is the
re-designed and heavily improved successor of the previous Linux 2.2.x
ipchains and Linux 2.0.x ipfwadm systems.

Main Features

* stateless packet filtering (IPv4 and IPv6)
* stateful packet filtering (IPv4)
* all kinds of network address and port translation (NAT/NAPT)
* flexible and extensible infrastructure
* multiple layers of API's for 3rd party extensions
* large number of plugins/modules kept in 'patch-o-matic' repository"

In my opinion, with the right third-party tools, iptables can provide a
stable, fast and secure open source solution for any enterprise. There
are many companies, like www.smoothwall.org, that base their services around
iptables.

This paper assumes you already have iptables installed with the right kernel
modules present. Most Linux distributions have their own packages for iptables,
and I recommend installing it that way.

To begin, the command used to configure iptables is, of course, 'iptables'.
I'm not going to cover every little detail, which can easily be found in
the man page ('man iptables'), but I will tell you that iptables is a firewall
based on rules, which can be listed with 'iptables -L'. The output might look
like this:

Chain INPUT (policy ACCEPT)
target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

As you can see, iptables is broken up into _Chains_. While you can always add more,
there are essentially three main ones that are there by default. Every incoming
packet destined for your machine starts at the INPUT chain and is compared against
each rule in that chain, starting at the top. As soon as a rule matches the packet,
iptables applies that rule's _Action_ (its target) to the packet.

To flush all the rules from your firewall and start fresh, like the example above,
type 'iptables -F'. As you can see, the default policy on the INPUT chain is set
to ACCEPT. This means that if a packet arrives that doesn't match any of the rules in
the chain, it is accepted by default. As you can guess, this isn't very
secure, so we will set the INPUT chain policy to DROP. This will drop all packets
by default.

#Clear the rules
iptables -F

#Tell the INPUT chain to drop all packets by default
iptables -P INPUT DROP

Now we obviously want to let some traffic through, but we also want strict control
over what traffic gets in. Our first two rules will block all fragmented packets
and packets in the INVALID connection-tracking state. This will protect us from
general unwanted traffic that may find its way to you. We also drop all incoming pings.

#Block all fragmented packets. These restrict some information gathering techniques
iptables -A INPUT -p all -f -j DROP

#Block packets in state INVALID. Note: must have the conntrack module for this one
iptables -A INPUT -p all -m conntrack --ctstate INVALID -j DROP

#Block all incoming icmp type echo_request
iptables -A INPUT -p icmp --icmp-type ping -j DROP

#If you use irc you can speed up ident with this command, and if you don't use irc you SHOULD
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

Now, if you are running any services, open those ports up. Try to keep TCP and UDP
separate. I have included two examples.

#Accept incoming traffic to port 22 (ssh)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#Accept all incoming UDP traffic to port 53
iptables -A INPUT -p udp --dport 53 -j ACCEPT

#You pirates will have to open your own ports a'yar!

The last step is to accept all of your other normal traffic. This step also depends on the
conntrack module for iptables. The idea here is to keep out all the traffic that doesn't
belong.

#Accept all tcp traffic in states RELATED and ESTABLISHED
#(the -j ACCEPT target is required; without it the rule only counts packets)
iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#Accept only ESTABLISHED udp traffic.
  #note: This is how I make my DSL faster because my isp has misconfigured routers
  #but it is a good idea anyway because it can prevent your machine from participating in a
  #fraggle attack.
iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT

#Accept all icmp traffic in states RELATED and ESTABLISHED
iptables -A INPUT -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

And that's it; check 'iptables -L' and make sure you entered all the commands correctly.
Most distributions have init scripts that can save your rules for you. I recommend you
use those.
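The complete ruleset from the steps above, assembled into one script. This is an added example, not code from the original post: the IPT variable, the build_rules/apply_rules/verify_rules function names and the SSH_PORT default are assumptions introduced here. build_rules only prints the rules, so the script can be dry-run with IPT=echo; apply_rules loads them in order and switches the INPUT policy to DROP only after the ACCEPT rules are in place, which differs from the post's order and avoids a moment where the chain is empty under a DROP policy. verify_rules re-checks every rule with 'iptables -C' after loading.

```shell
#!/bin/sh
# Added example (not from the original post): the post's INPUT ruleset as a
# script. IPT is an assumed variable; set IPT=echo to dry-run without root.
set -eu

IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"   # constructed default, matches the post's port 22 rule

# Print the INPUT-chain rules in evaluation order, one per line.
# Order matters: the first matching rule wins, so the DROP/REJECT rules for
# fragments, INVALID state, ping and ident come before any ACCEPT.
build_rules() {
    cat <<EOF
-A INPUT -p all -f -j DROP
-A INPUT -p all -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Number of rules the script installs; compare with 'iptables -S INPUT' afterwards.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# Flush INPUT, load every rule, and only then set the DROP policy.
apply_rules() {
    "$IPT" -F INPUT
    build_rules | while IFS= read -r rule; do
        # word-splitting $rule into arguments is intended here
        "$IPT" $rule
    done
    "$IPT" -P INPUT DROP
}

# Re-check each rule with -C (returns non-zero if iptables says one is missing).
verify_rules() {
    build_rules | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/^-A /-C /')
        "$IPT" $check || exit 1
    done
}

case "${1:-}" in
    apply)  apply_rules ;;
    verify) verify_rules ;;
    show)   build_rules ;;
esac
```

Run it as 'sh firewall.sh show' to see the rules, 'IPT=echo sh firewall.sh apply' to see exactly which iptables commands would run, and 'sh firewall.sh apply' followed by 'sh firewall.sh verify' as root to load and confirm them.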

#In Gentoo to start iptables...
/etc/init.d/iptables start

#To stop iptables...
/etc/init.d/iptables stop

#To save your rules...
/etc/init.d/iptables save

#To start iptables every time the system boots...
rc-update add iptables default

This is by no means the perfect firewall for everyone. No network is the same, and I
suggest reading 'man iptables' to see everything that iptables has to offer. The example
rule-set for iptables is meant for a generic workstation or server. Don't let this be an
end-all solution for you; read 'man iptables'.
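Once the rules are saved, the saved file (or the live output of 'iptables-save') is the thing worth checking on every boot. The audit script below is an added example, not part of the original post: audit_ruleset is an assumed function name, and the two rulesets embedded in it are constructed samples in iptables-save format (the [packets:bytes] counters are made up). It checks the three properties the post's ruleset relies on: the INPUT policy is DROP, the INVALID-state drop comes before any ACCEPT, and every ACCEPT either names a port or is limited to RELATED/ESTABLISHED.

```shell
#!/bin/sh
# Added example (not from the original post): audit a ruleset in iptables-save
# format against the properties the post's firewall depends on.
set -eu

# Constructed sample of what 'iptables-save' prints once the post's rules are loaded.
SAMPLE_GOOD='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -f -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed bad sample: policy left at ACCEPT, and an ACCEPT for all TCP
# placed before the INVALID drop.
SAMPLE_BAD='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT'

# audit_ruleset reads iptables-save output on stdin, prints one line per
# finding, and exits 1 if anything was found, 0 if the ruleset is clean.
audit_ruleset() {
    awk '
    # policy line looks like ":INPUT DROP [0:0]"
    /^:INPUT / && $2 != "DROP" { print "INPUT policy is " $2 ", expected DROP"; bad = 1 }
    /^-A INPUT / {
        rule = $0
        if (rule ~ /--ctstate INVALID -j DROP/) invalid_seen = 1
        if (rule ~ /-j ACCEPT$/) {
            # an ACCEPT evaluated before the INVALID drop lets INVALID packets through
            if (!invalid_seen) { print "ACCEPT before INVALID drop: " rule; bad = 1 }
            # an ACCEPT that names neither a port nor a conntrack state is wide open
            if (rule !~ /--dport/ && rule !~ /--ctstate (RELATED,)?ESTABLISHED/) {
                print "unrestricted ACCEPT: " rule; bad = 1
            }
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Convenience wrappers over the two constructed samples.
audit_good_sample() { printf '%s\n' "$SAMPLE_GOOD" | audit_ruleset; }
audit_bad_sample()  { printf '%s\n' "$SAMPLE_BAD"  | audit_ruleset; }

case "${1:-}" in
    live) iptables-save | audit_ruleset ;;      # audit the running firewall (root)
    demo) audit_good_sample && echo "good sample clean"; audit_bad_sample || true ;;
esac
```

Run 'sh audit.sh live' as root to audit the running firewall, or feed it the file your distribution's save script writes with 'audit_ruleset < that-file'; a non-zero exit with findings printed is the signal to fix the rules before trusting them.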
