Basic Guide on IPTables (Linux Firewall) Tips / Commands

Basic Guide on IPTables (Linux Firewall) Tips / Commands – published 2019-05-28 19:54:40

This tutorial explains how the firewall works in the Linux operating system and what IPTables is. The firewall decides the fate of every packet entering or leaving the system. IPTables is a rule-based firewall that comes pre-installed on most Linux distributions; by default it runs without any rules. IPTables was included in kernel 2.4; before that the tool was called ipchains or ipfwadm. IPTables is a front-end tool that talks to the kernel and decides which packets to filter. This guide gives you a rough idea of IPTables and its basic commands: we describe practical iptables rules that you can refer to and customize to your needs.

Different tools are used for different protocols:

  1. iptables applies to IPv4.
  2. ip6tables applies to IPv6.
  3. arptables applies to ARP.
  4. ebtables applies to Ethernet frames.

IPTables main files are:

  1. /etc/init.d/iptables – init script to start|stop|restart and save rulesets.
  2. /etc/sysconfig/iptables – where Rulesets are saved.
  3. /sbin/iptables – binary.

There are at present three tables.

  • Filter
  • NAT
  • Mangle

At present, there are four chains in total:

  1. INPUT : Default chain for packets destined to the system itself.
  2. OUTPUT : Default chain for packets generated by the system.
  3. FORWARD : Default chain for packets routed through the system to another interface.
  4. RH-Firewall-1-INPUT : A user-defined custom chain.

Note: Above main files may slightly differ in Ubuntu Linux.

How to start, stop and restart the IPTables firewall.

# /etc/init.d/iptables start
# /etc/init.d/iptables stop
# /etc/init.d/iptables restart

To start IPTables on system boot, use the following command.

# chkconfig --level 345 iptables on

Save IPTables rulesets with the command below. Whenever the system is rebooted or the IPTables service is restarted, the existing rules are flushed out or reset. The command below saves the IPTables rulesets in the /etc/sysconfig/iptables file by default, and those saved rules are applied or restored again after IPTables has been flushed.

# service iptables save

Checking the status of IPTables / the firewall. Options: “-L” (list the ruleset), “-v” (verbose) and “-n” (display addresses and ports in numeric format).

# iptables -L -n -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   396 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 5 packets, 588 bytes)
 pkts bytes target     prot opt in     out     source               destination

Display IPTables rules with numbers. The “--line-numbers” argument shows the position of each rule, which you need in order to insert or delete rules by number.

# iptables -n -L -v --line-numbers

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       51  4080 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 45 packets, 5384 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Flushing or deleting IPTables rules. The command below removes all the rules from the tables. Back up your rulesets before executing it.

# iptables -F

Before deleting or appending rules, let us first see the rules in the chains. The commands below display the rulesets in the INPUT and OUTPUT chains with rule numbers, which helps us add or delete rules.

# iptables -L INPUT -n --line-numbers

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

# iptables -L OUTPUT -n --line-numbers

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Let’s say you want to delete rule number 5 from the INPUT chain. Use the following command.

# iptables -D INPUT 5

To insert a rule into the INPUT chain at position 5, i.e. between the existing rules 4 and 5:

# iptables -I INPUT 5 -s ipaddress -j DROP
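The commands above (back up, flush, append, list with --line-numbers, insert and delete by number) fit together into a small host-firewall script. The script below is an added example and is not from the original article: it rebuilds the INPUT chain shown in the listings, and instead of hard-coding the position "5" it reads the numbered listing to find the catch-all REJECT rule and inserts a DROP for a source address just above it (a rule appended after the REJECT would never match). With DRY_RUN=1 it only prints the iptables commands, so it can be read and exercised without root. The address 203.0.113.7, the backup path and the FIREWALL_MAIN / LISTING variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article. Wraps the article's iptables
# commands in functions; DRY_RUN=1 prints the commands instead of running them.
set -eu

IPT=${IPT:-iptables}     # path to the iptables binary (assumed on $PATH)

# Execute an iptables command, or echo it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Back up the current ruleset to the file named in $1 (do this before -F,
# as the article advises). iptables-save dumps every table in restorable form.
backup_rules() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s-save > %s\n' "$IPT" "$1"
    else
        "$IPT-save" > "$1"
    fi
}

# Rebuild the INPUT chain shown in the article's listing: keep established
# and related traffic, ICMP and loopback, allow new SSH, reject the rest.
apply_baseline() {
    ipt -F INPUT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -p icmp -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
    ipt -A INPUT -j REJECT --reject-with icmp-host-prohibited
}

# Read an `iptables -L <chain> -n --line-numbers` listing on stdin and print
# the number of the first rule whose target is $1 (for example REJECT).
# Rule lines start with a number; the "Chain" and header lines do not.
rule_number_of() {
    awk -v tgt="$1" '$1 ~ /^[0-9]+$/ && $2 == tgt { print $1; exit }'
}

# Drop traffic from source $1, inserted just above the catch-all REJECT so
# it takes effect. If LISTING is set (constructed input for testing), it is
# parsed instead of querying the live INPUT chain. Without a REJECT rule the
# DROP is simply appended at the end of the chain.
block_source() {
    src=$1
    if [ -n "${LISTING:-}" ]; then
        n=$(printf '%s\n' "$LISTING" | rule_number_of REJECT)
    else
        n=$("$IPT" -L INPUT -n --line-numbers | rule_number_of REJECT)
    fi
    if [ -n "$n" ]; then
        ipt -I INPUT "$n" -s "$src" -j DROP
    else
        ipt -A INPUT -s "$src" -j DROP
    fi
}

# Remove rule number $2 from chain $1 (the article's `iptables -D INPUT 5`).
delete_rule() {
    ipt -D "$1" "$2"
}

# Example run: `DRY_RUN=1 FIREWALL_MAIN=1 sh firewall.sh` prints the commands;
# as root with FIREWALL_MAIN=1 and no DRY_RUN they are executed.
# 203.0.113.7 is a constructed sample address from the documentation range.
if [ "${FIREWALL_MAIN:-0}" = 1 ]; then
    backup_rules /root/iptables.backup
    apply_baseline
    block_source 203.0.113.7
fi
```

Reading the rule number from the live listing rather than hard-coding it keeps the insert correct after other rules have been added or removed, which is the usual way a hand-maintained chain drifts from what was documented.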

We have just tried to cover the basic usage and functions of IPTables for beginners. You may create complex rules once you have a complete understanding of TCP/IP and good knowledge of your setup.

Shorewall – A High-Level Firewall for Configuring Linux Servers

Shorewall – A High-Level Firewall for Configuring Linux Servers – published 2019-05-28 19:40:00

Setting up a firewall in Linux can be very daunting for a newbie, or for someone not very familiar with iptables. Luckily, there is a very easy-to-use solution in Shorewall.


Install Shorewall Firewall in Linux

In this multi-part tutorial, I am going to get you started with Shorewall, and walk you through some more advanced topics with this awesome firewall system.

What is Shorewall?

Shorewall is essentially a front-end to iptables, but it is a command line environment front-end that utilizes a number of text files for its configuration. While Shorewall is a robust firewall system that can be scaled over very large networks servicing numerous machines, we are going to start off with a basic two-interface configuration and nail down the basics.

A two-interface configuration consists of a machine with two Ethernet ports, one coming in, and one going out to the local network.

Installation of Shorewall in Linux

Shorewall can be installed using apt-get and yum package manager tools.

On Debian/Ubuntu/Linux Mint
$ sudo apt-get install shorewall
On RHEL/CentOS/Fedora
$ sudo yum install shorewall

After installation, we need to copy a sample configuration from the “/usr/share/doc/shorewall” directory to Shorewall’s default directory “/etc/shorewall”.

$ sudo cp /usr/share/doc/shorewall/example/two-interfaces/* /etc/shorewall

And then cd to /etc/shorewall.

$ cd /etc/shorewall

If we take a look in this directory, we see a bunch of files and the shorewall.conf file. Shorewall views the network as a group of different zones, so the first file we want to take a look at is the “/etc/shorewall/zones” file.


Zones

In here, we see that there are three zones defined by default: net, loc, and all. It is important to note that Shorewall treats the firewall machine itself as its own zone and stores it in a variable called $FW. You will see this variable throughout the rest of the configuration files.

The “/etc/shorewall/zones” file is pretty self-explanatory. You have the net zone (internet facing interface), the loc zone (LAN facing interface), and all, which is everything.


Policy

This policy file gives us the following:

  1. It allows all connection requests from the loc zone (LAN) to the net zone (Internet).
  2. Drops all connection requests (ignores) from the net zone to the firewall and the LAN.
  3. Rejects and logs all other requests.

The LOG LEVEL bit should be familiar to anyone who has administered Apache, MySQL, or any number of other FOSS programs. In this case, we are telling Shorewall to use the info level of logging.

If you wish to have your firewall available to you to administer from your LAN, you can add the following lines to your “/etc/shorewall/policy” file.

#SOURCE		DEST	POLICY		LOG		LEVEL		LIMIT:BURST
loc			$FW		ACCEPT
$FW			loc		ACCEPT

Now that our zones and policy are set, we have to configure our interfaces. You do this by editing the “/etc/shorewall/interfaces” file.


Interfaces

Here, we have set our internet-facing interface, eth0, to the net zone. On our LAN side, we have set the other interface, eth1, to the loc zone. Please adjust this file to fit your configuration properly.

The various options you can set for either of these interfaces are extensive, and are best explained in detail on the man page.

$ man shorewall-interfaces

A quick rundown of some of them:

  1. nosmurfs – filter packets with broadcast address as source.
  2. logmartians – log packets with impossible source address.
  3. routefilter – kernel route filtering for anti-spoofing.

Of course, now that our system is firewalled, we are going to need certain connections to be allowed through in order to get our work done. You define these in the rules file at “/etc/shorewall/rules“.


Rules

This file looks confusing at first, mainly because the columns overlap, but the headers are pretty self-explanatory. First, you have the ACTION column, that describes what you want to perform.

Next, you have a SOURCE header where you define the zone where the packet is originating. Then, you have your DEST, or destination, which is the zone or IP address of the destination. Let's use an example.

Suppose you want to run an SSH server behind your firewall on the machine with the IP address of 192.168.1.25. Not only are you going to have to open up a port in your firewall, but you are going to have to tell the firewall that any traffic coming on port 22 needs to get routed to the machine at 192.168.1.25.

This is known as Port Forwarding. It is a common feature on most firewall/routers. In “/etc/shorewall/rules“, you would accomplish this by adding a line like this:

SSH(DNAT)	net		loc:192.168.1.25

SSH Port Forwarding

Above, we have defined that any SSH-destined packets coming from the net zone to the firewall must be routed (DNAT) to port 22 on the machine with address 192.168.1.25.

This is called Network Address Translation or NAT. The “D” simply tells Shorewall that this is a NAT for a destination address.

In order for this to work, you have to have NAT support enabled in your kernel. If you need NAT and don’t have it, please see my tutorial on Recompiling a Debian Kernel.
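The zones, policy, interfaces and rules files edited above make up one configuration, and a zone name typed in policy or rules that was never declared in zones is the most common slip when editing them by hand. The script below is an added example, not part of the original article or of the Shorewall project: render_config writes the two-interface configuration the article builds up into a staging directory of your choice, and check_zones cross-checks every SOURCE/DEST zone in policy and rules against the zones file before anything is copied to /etc/shorewall. The interface names eth0/eth1 and the forwarding target 192.168.1.25 are the article's; the four-column interfaces layout with a BROADCAST column and the "?SECTION NEW" header (Shorewall 4.6 and later syntax) are assumptions about the Shorewall version. Shorewall's own `shorewall check` remains the authoritative validation.

```shell
#!/bin/sh
# Added example, not from the original article or from Shorewall itself.
# render_config DIR writes zones/policy/interfaces/rules into DIR;
# check_zones DIR verifies that policy and rules only use declared zones.
set -eu

render_config() {
    dir=$1
    mkdir -p "$dir"

    # Shorewall treats the firewall itself as the zone named in $FW (fw).
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE        OPTIONS     IN      OUT
fw      firewall
net     ipv4
loc     ipv4
EOF

    # Default policy from the article, plus the two lines that let the LAN
    # administer the firewall box and the firewall reach the LAN.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG     LEVEL   LIMIT:BURST
loc     net     ACCEPT
loc     $FW     ACCEPT
$FW     loc     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # eth0 faces the Internet (net), eth1 the LAN (loc). The options are the
    # anti-spoofing ones the article lists; adjust to your own interfaces.
    # Column layout with BROADCAST=detect is an assumed (classic) format.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      nosmurfs,routefilter,logmartians
loc     eth1        detect      nosmurfs,routefilter,logmartians
EOF

    # Port-forward SSH from the Internet to the internal host (DNAT).
    # "?SECTION NEW" is the section syntax of Shorewall 4.6+ (assumed);
    # older releases spell it "SECTION NEW".
    cat > "$dir/rules" <<'EOF'
#ACTION     SOURCE  DEST                PROTO   DEST    SOURCE  ORIGINAL
#                                               PORT    PORT(S) DEST
?SECTION NEW
SSH(DNAT)   net     loc:192.168.1.25
EOF
}

# Cross-check policy and rules against zones: every SOURCE/DEST zone must be
# declared, or be the special names "all" or "$FW". Host suffixes such as
# loc:192.168.1.25 are stripped before the lookup. Prints each offender and
# returns non-zero if any is found.
check_zones() {
    awk '
        function ok(z) { return (z in zones) || z == "all" || z == "$FW" }
        BEGIN { bad = 0 }
        FNR == 1 { file = FILENAME; sub(/.*\//, "", file) }
        /^[ \t]*(#|[?]|$)/ { next }           # comments, ?directives, blanks
        file == "zones" { zones[$1] = 1; next }
        {
            s = (file == "rules") ? $2 : $1   # rules: ACTION SOURCE DEST ...
            d = (file == "rules") ? $3 : $2   # policy: SOURCE DEST POLICY ...
            sub(/:.*/, "", s); sub(/:.*/, "", d)
            if (!ok(s)) { printf "%s:%d: unknown zone %s\n", file, FNR, s; bad = 1 }
            if (!ok(d)) { printf "%s:%d: unknown zone %s\n", file, FNR, d; bad = 1 }
        }
        END { exit bad }
    ' "$1/zones" "$1/policy" "$1/rules"
}

# Example run: SHOREWALL_STAGE=/tmp/shorewall-stage sh stage.sh
if [ "${SHOREWALL_STAGE:-}" ]; then
    render_config "$SHOREWALL_STAGE"
    check_zones "$SHOREWALL_STAGE" && echo "zones consistent in $SHOREWALL_STAGE"
fi
```

Rendering into a staging directory first means a typo never reaches the live firewall: run the lint, then `shorewall check`, and only then copy the files into /etc/shorewall and restart Shorewall.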

Reference Links

Shorewall Homepage

In the next article, we will walk through some more advanced topics, but there should be plenty here to get you started with for now. As always, please have a look at the man pages for a more in-depth understanding.
