IPTABLES: Linux Firewall Configuration

Written by Jordan
Objective

This guide looks at configuring the IPTABLES firewall on Linux. It is written for those already comfortable with Linux.

Introduction

IPTABLES is the Linux firewall: it tells the kernel which packets are to be dropped and which are to be allowed. Beyond simply blocking traffic, IPTABLES can also limit the rate of traffic, which helps avert DoS attacks.

Commands and Options

Let's start by looking at the basic commands and options of IPTABLES.

# iptables -L

This lists all the current rules. If you have not configured anything yet, the output will look something like the one below.

Basic chains:
Sample Runs

Now let's try out some commands using the options above and see their effect on the chains.

# iptables -i eth0 -A INPUT -p tcp --dport ftp -j DROP

Listens on interface eth0 and DROPs all INCOMING traffic on the ftp port (21).

Let's now refine this rule so that it blocks ftp traffic from 10.101.4.34 only. As this was the first rule in the INPUT chain, INPUT 1 refers to it. Because we are replacing the whole rule, we need to repeat the existing information too.

# iptables -i eth0 -R INPUT 1 -s 10.101.4.34 -p tcp --dport ftp -j DROP

Now let's block all traffic to and from google.com. A simple rule in the FORWARD chain does the job.

# iptables -A FORWARD -d www.google.com -j DROP

Let's see the state of the iptables chains after these two additions:

# iptables -L

The output shows that all FTP requests from IP 10.101.4.34 have been blocked, and all connections to google.com too.

Say you have an extra-secure network and one particular server should only be accessible from one specific computer. What we need here is a rule that blocks all requests except those from the allowed computer.

# iptables -A INPUT -p tcp ! --source 10.9.1.67 -j DROP

This command instructs the firewall to accept TCP connections only from the IP 10.9.1.67 and to drop requests from any other computer that does not satisfy this requirement.

Say someone has figured out that you are blocking their requests based on IP. They spoof their IP and now have a free hand. A better way is to accept connections only from the machine matching the MAC address of your safe PC.

# iptables -i eth1 -A INPUT -m mac ! --mac-source 11:34:DA:51:23:EE -j DROP

This command blocks connections from all computers except the one with the specified MAC address. It also only inspects traffic arriving on interface eth1.

Finally, let's look at a protocol that does not work on a specific port: ICMP. Here's how you can block all those PING requests.

# iptables -A INPUT -p icmp -j DROP

Feel free to post any questions or comments you have about this tutorial on our forum.
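The rules above each handle one case in isolation. As an added example (not part of the tutorial), the script below combines them into a default-deny INPUT chain and adds the rate limiting the introduction mentions. The ipt wrapper and the IPT_DRY_RUN switch are my own conventions for previewing rules without root; the interface, IP and MAC defaults reuse the tutorial's sample values as placeholders.

```shell
#!/bin/sh
# Added example: a default-deny INPUT chain built from the tutorial's rules.
# Set IPT_DRY_RUN=1 to print the rules instead of applying them (no root needed).

ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Arguments: LAN interface, trusted admin IP, trusted admin MAC.
# Defaults are the tutorial's sample values, used here only as placeholders.
build_input_rules() {
    iface="${1:-eth1}"
    admin_ip="${2:-10.9.1.67}"
    admin_mac="${3:-11:34:DA:51:23:EE}"

    ipt -F INPUT                       # start from an empty chain
    ipt -P INPUT DROP                  # default deny: anything not matched below is dropped
    ipt -A INPUT -i lo -j ACCEPT       # local processes may talk to each other
    # Let replies to connections this host opened come back in
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # SSH only from the trusted workstation, matched on IP and MAC together
    # (the MAC check is only meaningful for hosts on the same L2 segment)
    ipt -A INPUT -i "$iface" -p tcp --dport 22 -s "$admin_ip" \
        -m mac --mac-source "$admin_mac" -m conntrack --ctstate NEW -j ACCEPT
    # Answer pings at most once per second (burst of 5); drop the excess
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j DROP
    # Log what the DROP policy is about to discard, rate-limited so the log cannot be flooded
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
}
```

Preview the generated rules with IPT_DRY_RUN=1 before running the function as root; the LOG rule gives you a kernel-log record of rejected traffic to feed into monitoring.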