
iptables based Linux firewall primer (Learn to create an iptables based Linux firewall in 10 minutes) by: Krissy J. krissyj@robotz.com
Refer to the Linux 2.4 Packet Filtering HOWTO for a more detailed guide (dbw mod v1.1).

Introduction to Using iptables

This is my introduction to building a simple Linux iptables based firewall. You need Linux running one of the 2.4 kernels to use iptables. I will show you how to protect your personal Linux desktop computer as well as the basics behind Linux firewalling with iptables.

First, enable IP forwarding in the kernel sysctl configuration file (/etc/sysctl.conf):

net.ipv4.ip_forward = 1
iptables commands (either long or short options are allowed):

--append -A chain            Append to chain
--delete -D chain            Delete matching rule from chain
--delete -D chain rulenum    [...]
The best way to secure your firewall is to disable services that you are not planning on using. If you aren't hosting a web site, then disable port 80; if you are not using telnet, disable port 23; and so on. I usually disable Apache and Portmapper, and disable listening on any other services that aren't necessary. A true firewall wouldn't have all of these services installed or running anyway.
First thing, you need to lock down your computer to provide excellent port protection. Use the following iptables chain to get started:
/sbin/iptables -A INPUT -p tcp --syn -j DROP
The previous statement will allow you, as the user of the computer, to perform all your normal Internet activities. You will be able to browse the Web, ssh out, or chat with a colleague on ICQ. On the other hand, the outside world, when trying to connect to your Linux box via TCP/IP, will simply be ignored. This is a reasonable solution for most Linux computers.
For remote management, SSH typically operates on port 22, and thus we would need to enable connections to port 22 while keeping the rest of the connections closed. This can be done with the following iptables rules:
/sbin/iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn -j DROP
We can limit which machines can connect to port 22 by modifying the iptables rule and adding the -s option. The -s in this example specifies which source address is allowed to connect to the server.
/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.110/32 --destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn -j DROP
The addition of the -s 192.168.1.110/32 will enable only the remote machine with the IP address of 192.168.1.110 to connect to your protected host.
When you create an iptables-based firewall, the rules in a chain (for simplicity's sake, each line) are read sequentially, and the first rule that matches a packet decides what happens to it. Thus, it is possible to keep the previous configuration, in which only one machine has rights to connect via SSH, and also run a public Web server. This could be done with the following commands:
/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.110/32 --destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn -j DROP
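A small shell model of the chain just built, added here as an illustration and not part of the original article: it renders each rule as the iptables command above and walks the INPUT chain first-match, so you can see what happens when the catch-all DROP is placed before the ACCEPT rules. The second chain, the 10.0.0.5 source and the sample packets are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: a first-match model of the
# INPUT chain built above. Each rule is "<source|any> <dport|any> <syn|any>
# <target>"; only exact /32 sources are modelled, as that is all the page uses.
GOOD_CHAIN='192.168.1.110/32 22 syn ACCEPT
any 80 syn ACCEPT
any any syn DROP'

# The same rules with the catch-all DROP appended first: a common mistake,
# since iptables stops at the first rule that matches.
BAD_CHAIN='any any syn DROP
192.168.1.110/32 22 syn ACCEPT
any 80 syn ACCEPT'

# to_iptables RULE: render one model rule as the iptables command it stands for.
to_iptables() {
  set -- $1    # split the rule into its four fields
  cmd="/sbin/iptables -A INPUT -p tcp"
  [ "$3" = any ] || cmd="$cmd --syn"
  [ "$1" = any ] || cmd="$cmd -s $1"
  [ "$2" = any ] || cmd="$cmd --destination-port $2"
  echo "$cmd -j $4"
}

# walk_chain CHAIN SRC DPORT FLAG: print the target of the first matching
# rule, or POLICY when nothing matches (the page sets no policy, so that is
# the default ACCEPT; it is what lets replies to your own connections in).
walk_chain() {
  hit=$(printf '%s\n' "$1" | while read -r rsrc rport rflag target; do
    [ "$rsrc" = any ] || [ "$rsrc" = "$2/32" ] || continue
    [ "$rport" = any ] || [ "$rport" = "$3" ] || continue
    [ "$rflag" = any ] || [ "$rflag" = "$4" ] || continue
    echo "$target"; break
  done)
  echo "${hit:-POLICY}"
}

# Constructed packets: the admin host, a stranger (10.0.0.5), and a non-SYN
# reply packet for a connection this host opened itself.
printf '%s\n' "$GOOD_CHAIN" | while read -r rule; do to_iptables "$rule"; done
for pkt in "192.168.1.110 22 syn" "10.0.0.5 22 syn" "10.0.0.5 80 syn" "10.0.0.5 443 ack"; do
  printf 'packet %-22s good chain: %-7s bad chain: %s\n' "$pkt" \
    "$(walk_chain "$GOOD_CHAIN" $pkt)" "$(walk_chain "$BAD_CHAIN" $pkt)"
done
```

With the DROP rule first, even the admin host's SSH SYN is dropped, while the non-SYN reply packet passes both chains because none of the --syn rules match it.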
The kernel keeps an IP connection tracking table; you can see what is going on by typing:
cat /proc/net/ip_conntrack
Primary source of information: LinuxWorld article and Linux 2.4 Packet Filtering HOWTO.

About the author: Krissy is an enthusiastic member of a growing trend of Linux geek girls. Women's place in computer technology is not well defined and very few are exploring this realm. Krissy specializes in documentation for various Linux related projects and her contributions are highly valued. Krissy has a Linux related web site and is a member of lazygirl.net.
