Firewall Using iptables - PowerPoint PPT Presentation

About This Presentation
Title:

Firewall Using iptables

Description:

It replaces the older IPFW (also called 'ipchains') system ... One way to allow a server behind the firewall to provide public HTTP, SSH, etc. ...

Number of Views:345
Avg rating:3.0/5.0
Slides: 11
Provided by: garybr4
Transcript and Presenter's Notes

1
Firewall Using iptables
2
iptables Firewall
  • iptables (also called netfilter) is the latest
    Linux firewall
  • It replaces the older IPFW (also called
    ipchains) system
  • iptables is configurable in a basic way from the
    GUI Firewall Configuration tool available from
    the menu choice System > Administration > Firewall

3
iptables Firewall
4
Firewall Configuration Tool Options
  • See pp. 585-586 in text
  • Trusted Services
      • Check to allow the indicated protocol
  • Other Ports
      • Add custom TCP/UDP ports
      • For example, Internet Relay Chat (IRC) would pass
        through the firewall if 194 tcp is selected
  • Trusted Interfaces
      • ethN is the NIC
      • No TCP/UDP ports are blocked from trusted
        interfaces
  • Masquerading
      • Allows other computers on the LAN with private IP
        addresses to use this computer to get to the
        Internet
      • http://tldp.org/HOWTO/IP-Masquerade-HOWTO/

5
Firewall Configuration Tool Options
  • Port Forwarding
      • Redirecting packets to non-standard port numbers
        or to another computer. One way to allow a
        server behind the firewall to provide public
        HTTP, SSH, etc.
      • http://en.wikipedia.org/wiki/Port_forwarding
      • http://portforward.com/help/portforwarding.htm
  • ICMP Filter
      • Internet Control Message Protocol, for error and
        informational messages
      • There are several ICMP types
      • http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
  • Custom Rules
      • For adding additional rules from a file
  • Toolbar Apply button
      • The options selected are translated to iptables
        commands and written to the /etc/sysconfig/iptables
        rules file.
      • Enable and Disable buttons don't work properly in
        Fedora 9

6
Rules File
  • The rules are stored in /etc/sysconfig/iptables
  • These rule records are loaded into the kernel when
    the iptables service is started
  • The records are consulted upon receipt of a
    packet, from top to bottom within a chain
  • When a packet matches the criteria on a record,
    the action (normally indicated by the -j jump
    option) for that rule is executed and the rest of
    the rules are skipped
  • See http://en.wikipedia.org/wiki/Iptables
  • http://www.eglug.org/book/export/html/303

7
Rules
  • Example
  • iptables -A INPUT -p TCP -i eth0 -s 10.25.255.255 -j ACCEPT
  • -A Append to the following chain, that is, the INPUT
    chain
  • -p Protocol, that is, protocol TCP
  • -i Interface, that is, interface eth0
  • -s Source address 10.25.255.255, that is,
    broadcast packets
  • -j Jump, followed by the disposition (ACCEPT or
    REJECT); in this case, accept the packet

8
Definitions
  • Tables: there is a separate set of rules for each table
      • Filter: the default table; firewall filtering rules
        for the chains
      • NAT: rules for address translation
      • Mangle: rules for specialized packet routing
  • Filtering Chains
      • INPUT: packets arriving for this machine
      • FORWARD: packets arriving but destined for
        another machine (routed)
      • OUTPUT: packets sent by this machine
      • User-defined: for special handling

9
Other Definitions
  • -d Destination address
  • -m state value
  • State values
      • NEW: first packet of a session (TCP SYN request)
      • ESTABLISHED: ongoing session
      • INVALID: ICMP packet that isn't a response to a
        current session
      • RELATED: ICMP error messages
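
The top-to-bottom, first-match evaluation described on slides 6, 7 and 9, modelled in a small Python script (an added example, not code from the presentation): it parses rules written in the slides' `iptables -A ...` syntax, including `-s`/`-d` addresses and `-m state --state`, and walks a constructed INPUT chain, with the chain's default policy deciding any packet no rule matched. The packets, addresses, interface names and the added REJECT rule are constructed for the demonstration; nothing is loaded into a real kernel.

```python
# Added example, not from the slides: a toy first-match evaluator for iptables rules, kernel-free.
import ipaddress

OPTS = {"-A": "chain", "-j": "target", "-p": "proto", "-i": "iface",
        "-s": "src", "-d": "dst", "--state": "state"}

def parse_rule(line):
    """Parse -A, -j, -p, -i, -s, -d and '-m state --state A,B' into a dict."""
    tok = line.replace("-m state --state", "--state").split()[1:]  # drop 'iptables'
    rule = {}
    for opt, val in zip(tok[::2], tok[1::2]):  # every remaining option takes one value
        if opt not in OPTS:
            raise ValueError(f"unsupported option {opt}")
        if opt == "--state":
            val = set(val.upper().split(","))  # e.g. {"ESTABLISHED", "RELATED"}
        rule[OPTS[opt]] = val.lower() if opt == "-p" else val
    return rule

def matches(rule, pkt):
    """Every criterion present in the rule must hold for the packet (-s/-d may be CIDR)."""
    return all(
        ipaddress.ip_address(pkt[k]) in ipaddress.ip_network(want, strict=False)
        if k in ("src", "dst") else pkt[k] in want if k == "state" else pkt[k] == want
        for k, want in rule.items() if k not in ("chain", "target")
    )

def evaluate(rules, chain, policy, pkt):
    """Consult the chain top to bottom; the first match decides, else the policy."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["target"]  # remaining rules are skipped
    return policy

# Constructed INPUT chain: the slide-7 rule, then slide-9 state matching.
RULES = [parse_rule(r) for r in (
    "iptables -A INPUT -p TCP -i eth0 -s 10.25.255.255 -j ACCEPT",
    "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A INPUT -p tcp -i eth0 -m state --state NEW -j ACCEPT",
    "iptables -A INPUT -p tcp -i eth0 -j REJECT",  # reached only if the NEW rule above did not match
)]

def demo(policy="DROP"):
    """Run constructed packets through INPUT; returns {name: disposition}."""
    base = {"proto": "tcp", "iface": "eth0", "src": "192.0.2.10", "dst": "10.25.0.7"}
    pkts = {"broadcast": dict(base, src="10.25.255.255", state="NEW"),
            "new_tcp": dict(base, state="NEW"),
            "invalid_tcp": dict(base, state="INVALID"),
            "dns_reply": dict(base, proto="udp", iface="eth1", state="ESTABLISHED"),
            "new_udp": dict(base, proto="udp", iface="eth1", state="NEW")}
    return {n: evaluate(RULES, "INPUT", policy, p) for n, p in pkts.items()}
```

Swapping the order of the last two rules would make the REJECT rule shadow the NEW rule for every eth0 TCP packet, which is the first-match pitfall slide 6 warns about.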

10
End