If you have ever wondered how to configure and run a secure open source firewall, look no further. This book excerpt is from chapter three of Open Source Security Tools by Tony Howlett, ISBN 0321194438, copyright 2004. All rights reserved. It is reprinted with permission from Addison-Wesley Professional.
Most Linux systems on kernel 2.4 or higher will have Iptables built right in, so you donít have to install any additional programs. (If your system is earlier than kernel 2.4, it will use Ipchains or Ipfwadm. These are similar systems, but they are not reviewed in this book.) You can issue Iptables statements from the command line or via a script (see the sidebar). To double-check that Iptables is installed, type iptables - L and see if you get a response. It should list your current rule set (which is probably empty if you havenít configured a firewall yet).
If your system doesnít have Iptables or if you want to get the latest version of the code, go to www.netfilter.org and download the RPM for your operating system. You can also get it from the CD-ROM that comes with this book.
If you donít have a Webmin RPM on your installation disks, check www. webmin.com to see if there is a version of Webmin available for your operating system. Webmin is required for the Turtle Firewall, and there are specific versions for each distribution and operating system. If there isnít one for your particular operating system, then you canít use Turtle Firewall, but the list of supported systems is quite large. Click on the RPM file in X-Windows and it will install automatically.
The idea behind Iptables and Ipchains is to create pipes of input and process them according to a rule set (your firewall configuration) and then send them into pipes of output. In Iptables, these pipes are called tables; in Ipchains, they are called chains (of course!). The basic tables used in Iptables are:
The general format of an Iptables statement is
iptables command rule-specification extensions
where command, rule-specification, and extensions are one or more of the valid options. Table 3.2 lists the Iptables commands, and Table 3.3 contains the Iptables rule specifications.
Table 3.2 Iptables Commands
Appends one or more rules to the end of the statement.
-I chain rulenum
Inserts chain at the location rulenum. This is useful when you want a rule to supercede those before it.
Deletes the indicated chain.
-R chain rulenum
Replaces the rule at rulenum with the provided chain.
Lists all the rules in the current chain.
Flushes all the rules in the current chain, basically deleting your firewall configuration. This is good when beginning a configuration to make sure there are no existing rules that will conflict with your new ones.
Zeros out all packet and byte counts in the named chain.
Creates a new chain with the name of chain.
Deletes the specified chain. If no chain is specified, this deletes all chains.
-P chain policy
Sets the policy for the specified chain to policy.
Table 3.3 Iptables Rule Specifications
Specifies a certain protocol for the rule to match. Valid protocol types are icmp, tcp, udp, or all.
Specifies a certain address or network to match. Use standard slash notation to designate a range of IP addresses. A port number or range of port numbers can also be specified by putting them after an exclamation point.
This tells what to do with the packet if it matches the specifications. The valid options for target are: DROP Drops the packet without any further action. REJECT Drops the packet and sends an error packet in return. LOG Logs the packet to a file. MARK Marks the packet for further action. TOS Changes the TOS (Type of Service) bit. MIRROR Inverts the source and destination addresses and sends them back out, essentially ďbouncingĒ them back to the source. SNAT Static NAT. This option is used when doing Network Address Translation (NAT). It takes the source address and converts it into another static value, specified with the switch --to-source. DNAT Dynamic NAT. Similar to above but using a dynamic range of IP addresses. MASQ Masquerades the IP using a public IP. REDIRECT Redirects the packet.
There are other commands and options but these are the most common operations. For a full listing of commands, refer to the Iptables man page by typing man iptables at any command prompt. Creating an Iptables Firewall
The best way to learn is to do, so letís walk through a couple of commands to see how they are used in practical application. Here is an example of how to create a firewall using Iptables. You can enter these commands interactively (one at a time) to see the results right away. You can also put them all into a script and run it at boot time to bring your firewall up at boot time (see the sidebar on writing scripts). Remember to type them exactly as shown and that capitalization is important.