Installing Iptables - Security

If you have ever wondered how to configure and run a secure open source firewall, look no further. This book excerpt is from chapter three of Open Source Security Tools by Tony Howlett, ISBN 0321194438, copyright 2004. All rights reserved. It is reprinted with permission from Addison-Wesley Professional.

TABLE OF CONTENTS:

By: Addison-Wesley Prentice Hall PTR

Poor Best

Rating:

/ 10

March 30, 2005

print this article

SEARCH DEV SHED

TOOLS YOU CAN USE

Most Linux systems on kernel 2.4 or higher will have Iptables built right in, so you don’t have to install any additional programs. (If your system is earlier than kernel 2.4, it will use Ipchains or Ipfwadm. These are similar systems, but they are not reviewed in this book.) You can issue Iptables statements from the command line or via a script (see the sidebar). To double-check that Iptables is installed, type iptables - L and see if you get a response. It should list your current rule set (which is probably empty if you haven’t configured a firewall yet).

If your system doesn’t have Iptables or if you want to get the latest version of the code, go to www.netfilter.org and download the RPM for your operating system. You can also get it from the CD-ROM that comes with this book.

If you don’t have a Webmin RPM on your installation disks, check www. webmin.com to see if there is a version of Webmin available for your operating system. Webmin is required for the Turtle Firewall, and there are specific versions for each distribution and operating system. If there isn’t one for your particular operating system, then you can’t use Turtle Firewall, but the list of supported systems is quite large. Click on the RPM file in X-Windows and it will install automatically.

Using Iptables

The idea behind Iptables and Ipchains is to create pipes of input and process them according to a rule set (your firewall configuration) and then send them into pipes of output. In Iptables, these pipes are called tables; in Ipchains, they are called chains (of course!). The basic tables used in Iptables are:

Input
Forward
Prerouting
Postrouting
Output

The general format of an Iptables statement is

iptables command rule-specification extensions

where command, rule-specification, and extensions are one or more of the valid options. Table 3.2 lists the Iptables commands, and Table 3.3 contains the Iptables rule specifications.

Table 3.2 Iptables Commands

Commands	Descriptions
-A chain	Appends one or more rules to the end of the statement.
-I chain rulenum	Inserts chain at the location rulenum. This is useful when you want a rule to supercede those before it.
-D chain	Deletes the indicated chain.
-R chain rulenum	Replaces the rule at rulenum with the provided chain.
-L	Lists all the rules in the current chain.
-F	Flushes all the rules in the current chain, basically deleting your firewall configuration. This is good when beginning a configuration to make sure there are no existing rules that will conflict with your new ones.
-Z chain	Zeros out all packet and byte counts in the named chain.
-N chain	Creates a new chain with the name of chain.
-X chain	Deletes the specified chain. If no chain is specified, this deletes all chains.
-P chain policy	Sets the policy for the specified chain to policy.

Table 3.3 Iptables Rule Specifications

Rule Specifications	Descriptions
-p protocol	Specifies a certain protocol for the rule to match. Valid protocol types are icmp, tcp, udp, or all.
-s address/mask!port	Specifies a certain address or network to match. Use standard slash notation to designate a range of IP addresses. A port number or range of port numbers can also be specified by putting them after an exclamation point.
-j target	This tells what to do with the packet if it matches the specifications. The valid options for target are: DROP Drops the packet without any further action. REJECT Drops the packet and sends an error packet in return. LOG Logs the packet to a file. MARK Marks the packet for further action. TOS Changes the TOS (Type of Service) bit. MIRROR Inverts the source and destination addresses and sends them back out, essentially “bouncing” them back to the source. SNAT Static NAT. This option is used when doing Network Address Translation (NAT). It takes the source address and converts it into another static value, specified with the switch --to-source. DNAT Dynamic NAT. Similar to above but using a dynamic range of IP addresses. MASQ Masquerades the IP using a public IP. REDIRECT Redirects the packet.

There are other commands and options but these are the most common operations. For a full listing of commands, refer to the Iptables man page by typing man iptables at any command prompt.
Creating an Iptables Firewall

The best way to learn is to do, so let’s walk through a couple of commands to see how they are used in practical application. Here is an example of how to create a firewall using Iptables. You can enter these commands interactively (one at a time) to see the results right away. You can also put them all into a script and run it at boot time to bring your firewall up at boot time (see the sidebar on writing scripts). Remember to type them exactly as shown and that capitalization is important.

Next: Writing Shell Scripts >>



	>>> More Security Articles >>> More By Addison-Wesley Prentice Hall PTR

blog comments powered by Disqus

SECURITY ARTICLES

- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II
- What’s behind the curtain? Part I
- Vectors
- PKI: Looking at the Risks
- A Quick Look at Cross Site Scripting

Find More Security Articles

DevShed

Security Tutorials

Installing Iptables - Security

See Also:

Dev Shed Tutorial Topics: