Chapter – 18 Firewalling with iptables

Objectives: At the end of this module, you would have gained fair knowledge on: •What is a Firewall •Difference between IPCHAINS & IPTABLES •Implementing a Firewall using IPTABLES

The Linux kernel contains advanced tools for packet filtering, the process of controlling network packets as they attempt to enter, move through, and exit your system. Pre-2.4 kernels contained the ability to manipulate packets using ipchains, which used lists of rules that apply to packets at each step of the filtering process. The introduction of the 2.4 kernel brought with it iptables, which is similar to ipchains but greatly expands on the scope and control available when filtering packets.

Traffic moves through a network in packets, which are collections of data in particular sizes. A file sent over a network between two computers may be comprised of many packets, each of which holds a small part of the file data. The sending computer takes the file and breaks it into packets to be sent over the network, using the rules of the particular network protocol being utilized. The other computer receives the packets and, using the method specified by the

Packet Filtering

Every packet contains information, which helps it navigate the network and move to its destination. The packet can tell computers along the way, as well as the destination machine, where it came from, where it is going, and what type of packet it is, among other things Most packets are designed to carry data, although some protocols use packets in special ways. Each packet may need be checked against many, many rules before emerging at the end of the chain. The structure and purpose of these rules may vary, but they usually seek to identify a packet coming from or going to a particular IP address or set of addresses when using a particular protocol and network service .

If the rule specifies an ACCEPT target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a DROP target, the packet is "dropped," meaning that the packet is refused access to the system and nothing is sent back to the host that sent the packet. If a rule specifies a REJECT target, the packet is dropped, but an error packet is sent to the packet's originator.

Every chain has a default policy to ACCEPT, DROP, or REJECT the packet, or possibly, QUEUE the packet to be passed to userspace. If none of the rules in the chain apply to the packet, then the packet is dealt with in accordance with the chain's default policy. The iptables command allows you to configure these rule lists, as well as set up new chains and tables to be used for your particular situation.

Differences between iptables and ipchains Ipchains and iptables appear to be quite similar. After all, both methods of packet filtering use chains of rules operating within the Linux kernel to decide not only which packets to let in or out, but also what to do with packets that match certain rules, however, iptables offer a much more extensible way of filtering packets, giving an administrator a finer grained level of control without building too much complexity into the entire system.

• Under iptables, each filtered packet is only processed using rules from one chain rather than multiple chains.

Differences between iptables and ipchains

• In other words, a FORWARD packet coming into a system using ipchains would have to go through the INPUT, FORWARD, and OUTPUT chains in order to move along to its destination. • However, iptables only sends packets to the INPUT chain if they are destined for the local system and only sends them to the OUTPUT chain if the local system generated the packets

Differences between iptables and ipchains The DENY target has been changed to DROP. In ipchains, packets that matched a rule in a chain could be directed to the DENY target, which silently dropped the packet. This target must be changed to DROP in iptables to have the same effect. Order matters when placing options in a chain rule. Previously, with ipchains, it did not matter very much, how you ordered the rule options when typing the rule. The iptables command is a bit fussier about where some options may go.

Rules that allow packets to be filtered by the kernel are put into place by running the iptables command with a number of options after it that identify the types of packets being filtered, the source or destination of those packets, and what to do with the packet if it matches the rule. The options used with a particular iptables rule must be grouped logically, based on the purpose and conditions of the overall rule, in order for the rule to be valid.

Options Used in iptables Commands

A powerful aspect of iptables is that multiple tables can be used to decide the fate of a particular packet, depending upon the type of packet being monitored and what is to be done with the packet. The default table, named filter, contains the standard built-in INPUT, OUTPUT, and FORWARD chains. This is somewhat similar to the standard chains in use with ipchains Each table contains default chains that perform necessary tasks based on the purpose of the table, but you can easily set up new chains in each of the tables

Many iptables commands take the following structure: iptables [-t <table-name>] <command> <chainname> <parameter-1> <option-1> <parameter-n> <option-n> When looking at the structure of an iptables command, it is important to remember that, unlike most other commands, the length and complexity of an iptables command can change based on its purpose One way to think about iptables commands is to recognize that some parameters and options used may create the need to use other parameters and options to further specify the previous option's request

• Type iptables -h to see a comprehensive list of iptables command structures. Commands tell iptables to perform a specific action, and only one command is allowed per iptables command string. Except for the help command, all commands are written in upper-case characters. -A — Appends the iptables rule to the end of the specified chain. This is the command used to simply add a rule when rule order in the chain does not matter. -C — Checks a particular rule before adding it to the user-specified chain. This command can help you construct complicated iptables rules by prompting you


D — Deletes a rule in a particular chain by number -E — Renames a user-defined chain. This does not affect the structure of the table at all. -F — Flushes the selected chain, which effectively deletes every rule in the the chain. If no chain is specified, this command flushes every rule from every chain. -h — Provides a list of helpful command structures, as well as a quick summary of command parameters and options. -I — Inserts a rule in a chain at a particular point. -L — Lists all of the rules in the chain specified after the command. To list all rules in all chains in the default filter table, do not specify a chain or table.

iptables -L <chain-name> -t <table-name> -N — Creates a new chain with a user-specified name. -P — Sets the default policy for a particular chain, so that when packets traverse an entire chain without matching a rule, they will be sent on to a particular target, such as ACCEPT or DROP. -R — Replaces a rule in a particular chain. You must use a rule's number after the chain's name to replace that rule. -X — Deletes a user-specified chain. Deleting a builtin chain for any table is not allowed. -Z — Zeros the byte and packet counters in all chains for a particular table.

Storing iptables Information
Rules created with the iptables command are only stored in RAM. If you were to restart your system after setting up various iptables rules, they would be lost and you would need to retype them. If you want particular rules to take effect whenever your system boots, you need to save them to the /etc/sysconfig/iptables To do this, arrange your tables, chains, and rules the way they should be the next time the system boots or iptables is restarted, and type the /sbin/service iptables save command as the root user.

This causes the iptables init script to run the /sbin/iptablessave program and write the current iptables configuration to the /etc/sysconfig/iptables file. This file should only be readable by root, so your precise packet filtering rules are not viewable by average users. The next time the system boots, the iptables init script will reapply the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command. While it is always a good idea to test a new iptables rule before committing it to the /etc/sysconfig/iptables file, it is possible to copy iptables rules into this file from another system's version of this file. This allows you to quickly distribute sets of iptables rules to many different machines at once.

Sign up to vote on this title
UsefulNot useful

Master Your Semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master Your Semester with a Special Offer from Scribd & The New York Times

Cancel anytime.