Home arrow Security arrow Page 5 - Firewalls

Installing Iptables - Security

If you have ever wondered how to configure and run a secure open source firewall, look no further. This book excerpt is from chapter three of Open Source Security Tools by Tony Howlett, ISBN 0321194438, copyright 2004. All rights reserved. It is reprinted with permission from Addison-Wesley Professional.

TABLE OF CONTENTS:
  1. Firewalls
  2. Network Architecture Basics
  3. TCP/IP Networking
  4. Security Business Processes
  5. Installing Iptables
  6. Writing Shell Scripts
  7. IP Masquerading with Iptables
  8. Installing Turtle Firewall
  9. SmoothWall Hardware Requirements
  10. Creating a VPN on the SmoothWall Firewall
By: Addison-Wesley Prentice Hall PTR
Rating: starstarstarstarstar / 10
March 30, 2005

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

Most Linux systems on kernel 2.4 or higher will have Iptables built right in, so you donít have to install any additional programs. (If your system is earlier than kernel 2.4, it will use Ipchains or Ipfwadm. These are similar systems, but they are not reviewed in this book.) You can issue Iptables statements from the command line or via a script (see the sidebar). To double-check that Iptables is installed, type iptables - L and see if you get a response. It should list your current rule set (which is probably empty if you havenít configured a firewall yet).

If your system doesnít have Iptables or if you want to get the latest version of the code, go to www.netfilter.org and download the RPM for your operating system. You can also get it from the CD-ROM that comes with this book.

If you donít have a Webmin RPM on your installation disks, check www. webmin.com to see if there is a version of Webmin available for your operating system. Webmin is required for the Turtle Firewall, and there are specific versions for each distribution and operating system. If there isnít one for your particular operating system, then you canít use Turtle Firewall, but the list of supported systems is quite large. Click on the RPM file in X-Windows and it will install automatically.

Using Iptables

The idea behind Iptables and Ipchains is to create pipes of input and process them according to a rule set (your firewall configuration) and then send them into pipes of output. In Iptables, these pipes are called tables; in Ipchains, they are called chains (of course!). The basic tables used in Iptables are:

  • Input
  • Forward
  • Prerouting
  • Postrouting
  • Output

The general format of an Iptables statement is

iptables command rule-specification extensions

where command, rule-specification, and extensions are one or more of the valid options. Table 3.2 lists the Iptables commands, and Table 3.3 contains the Iptables rule specifications.

Table 3.2 Iptables Commands

Commands Descriptions
-A chainAppends one or more rules to the end of the statement.
-I chain rulenumInserts chain at the location rulenum. This is useful when you want a rule to supercede those before it.
-D chainDeletes the indicated chain.
-R chain rulenumReplaces the rule at rulenum with the provided chain.
-LLists all the rules in the current chain.
-FFlushes all the rules in the current chain, basically deleting your firewall configuration. This is good when beginning a configuration to make sure there are no existing rules that will conflict with your new ones.
-Z chainZeros out all packet and byte counts in the named chain.
-N chainCreates a new chain with the name of chain.
-X chainDeletes the specified chain. If no chain is specified, this deletes all chains.
-P chain policySets the policy for the specified chain to policy.

 

Table 3.3 Iptables Rule Specifications

Rule SpecificationsDescriptions
-p protocolSpecifies a certain protocol for the rule to match. Valid protocol types are icmp, tcp, udp, or all.
-s address/mask!portSpecifies a certain address or network to match. Use standard slash notation to designate a range of IP addresses. A port number or range of port numbers can also be specified by putting them after an exclamation point.
-j targetThis tells what to do with the packet if it matches the specifications. The valid options for target are:
DROP   Drops the packet without any further action.
REJECT  Drops the packet and sends an error packet in return.
LOG      Logs the packet to a file.
MARK    Marks the packet for further action.
TOS    Changes the TOS (Type of Service) bit.
MIRROR   Inverts the source and destination addresses and sends them back out, essentially ďbouncingĒ them back to the source.
SNAT       Static NAT. This option is used when doing Network Address Translation (NAT). It takes the source address and converts it into another static value, specified with the switch --to-source.
DNAT        Dynamic NAT. Similar to above but using a dynamic range of IP addresses.
MASQ        Masquerades the IP using a public IP.
REDIRECT   Redirects the packet.


There are other commands and options but these are the most common operations. For a full listing of commands, refer to the Iptables man page by typing man iptables at any command prompt.
Creating an Iptables Firewall

The best way to learn is to do, so letís walk through a couple of commands to see how they are used in practical application. Here is an example of how to create a firewall using Iptables. You can enter these commands interactively (one at a time) to see the results right away. You can also put them all into a script and run it at boot time to bring your firewall up at boot time (see the sidebar on writing scripts). Remember to type them exactly as shown and that capitalization is important.



 
 
>>> More Security Articles          >>> More By Addison-Wesley Prentice Hall PTR
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

SECURITY ARTICLES

- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- Whatís behind the curtain? Part II

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: