RHEL6–41–
IP TABLES IN LINUX-P3
From the previous post's mistakes we learned a lot, or nothing (that depends on you); let's sort those issues out in this post.

An important point to note: iptables evaluates the rules of a chain strictly in order, top to bottom, and the first rule that matches decides the packet's fate. So whenever you append (-A) a rule, think about where it lands in the chain and which line number it gets; a catch-all REJECT or DROP that sits above your ACCEPT rules silently wins.
Config file for IPTables:

[root@rhel6-server ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

This is the stock RHEL6 ruleset in iptables-save format: each :CHAIN line sets that chain's default policy (the [0:0] are packet and byte counters), and the rules run in the order written. Note that it accepts ESTABLISHED,RELATED traffic first and ends with a catch-all REJECT, so any ACCEPT appended with -A after that REJECT is never reached.
Let's start it again:

# iptables -A CHAIN selection-criteria -j TARGET

CHAIN = INPUT / OUTPUT / FORWARD
TARGET = ACCEPT / REJECT / DROP
Following are some of the selection-criteria:

-p protocol | Protocol to match in a rule: tcp, udp, icmp, or all (all matches any protocol).
--sport port[:port] | Originating (source) port in a rule. We can specify a single port or a range by separating the port numbers with a colon, as in --sport 2058:54657 to match any port between 2058 and 54657, inclusive of both. Needs -p tcp or -p udp in front of it.
--dport port[:port] | Destination port in a rule. Works just like --sport but for the destination port.
-s address[/mask] | Source address in a rule. We can give either a single IP address or a network block by adding the /mask value.
-d address[/mask] | Destination address in a rule. Works just like -s but for the destination address.
-i name | Input interface in a rule (only valid in the INPUT, FORWARD and PREROUTING chains).
-o name | Output interface in a rule (only valid in the OUTPUT, FORWARD and POSTROUTING chains).
--state state | Connection-tracking state in a rule, used as -m state --state <INVALID/NEW/ESTABLISHED/RELATED>; several states can be given as a comma-separated list.

NEW: the packet starts a new connection, or is associated with a connection which has not yet seen packets in both directions; for example, the SYN of an HTTP request.
ESTABLISHED: the packet is associated with a connection which has already seen packets in both directions, i.e. it is part of an existing connection.
RELATED: the packet starts a new connection, but one associated with an existing connection, such as an FTP data transfer or an ICMP error. FTP, for example, uses port 21 to establish the control connection but transfers data on a different port (typically port 20); that data connection is RELATED to the control connection, provided the FTP helper (nf_conntrack_ftp) is loaded.
INVALID: the packet cannot be associated with any connection in the connection-tracking table (or is malformed); it should be dropped.
Before creating any rule, let's dissect a RULE.

# iptables -I INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

-I means we are inserting the rule into the INPUT chain, at line 1 because no position was given. It is meant to match packets coming in (-i) on interface eth0 that use the TCP protocol (-p tcp), with the tcp match module loaded explicitly (-m tcp), and whose destination port is 22 (--dport 22); when a packet matches, it jumps (-j) to the ACCEPT target and is let in.

We can write the same rule as below also, because -p tcp already loads the tcp match module:

# iptables -I INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Another dissection:

# iptables -t filter -A INPUT -i eth0 -p tcp --dport 80 -j REJECT

Append a rule to the INPUT chain of the filter table (the default table, so -t filter may be omitted); the rule says: if the incoming interface is eth0, the protocol is TCP and the destination port is 80, then jump to REJECT. Watch the case and the dashes: the interface option is lowercase -i (uppercase -I is insert) and --dport takes two hyphens.

Another dissection:

# iptables -I INPUT 3 -s 192.168.1.1/24 -p tcp --dport 22 -j ACCEPT

Insert (-I) this rule into the INPUT chain at line number 3; the rule currently at line 3 and everything below it move down one line. Packets from the source (-s) network 192.168.1.1/24 which use TCP (-p tcp) and come towards port 22 (--dport 22) are jumped to ACCEPT. iptables masks the host bits, so 192.168.1.1/24 means the 192.168.1.0/24 network; writing it as 192.168.1.0/24 avoids misreading it as a single host.
Anatomy of a rule:

iptables -t <table name> <action> <chain name> [line number] <condition1> AND <condition2> AND <condition3> ... -j <target>

RULE part | Meaning
-t filter | Table name (filter is the default when -t is omitted)
-A INPUT | Action and chain: -A appends, -I inserts (at a line number, default 1), -D deletes a rule in the named chain
-i eth0 -p tcp --dport 80 | Conditions; every one of them must match, they are ANDed
-j REJECT | Jump / action (the target)
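To see how "first match wins" plays out with the criteria above, here is a small bash evaluator, added as an example and not part of the original post: it reads INPUT-chain rules in the iptables-save syntax, applies the -i, -p, --dport, -s and --state criteria the post covers to a described packet, and returns the first matching target or, failing that, the chain policy. The rulesets and packets inside it are constructed for the demonstration: the stock RHEL6 chain from the top of this post, a version of it with the SSH rule appended after the catch-all REJECT, and the INPUT chain this post builds further down.

```shell
#!/bin/bash
# Added example, not the post's own tool: a toy first-match evaluator for INPUT-chain
# rules written in the iptables-save syntax used in this post. It models only the
# criteria covered above (-i, -p, --dport, -s, -m state --state) plus the chain
# policy; the rulesets and packets below are constructed for the demonstration.

# ip_to_int 192.168.1.7 -> the address as a 32-bit integer
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET[/BITS] -> true if ADDR lies inside the block (no /BITS means /32).
# Like iptables, host bits in NET are ignored: 192.168.1.1/24 means 192.168.1.0/24.
in_cidr() {
    local addr=$1 net=${2%/*} bits=${2#*/} mask
    [ "$bits" = "$2" ] && bits=32
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$addr") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# port_in_range PORT SPEC -> true for SPEC "22" or "2058:54657" (both ends inclusive)
port_in_range() {
    local port=$1 lo=${2%%:*} hi=${2##*:}
    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]
}

# rule_matches RULE IFACE PROTO DPORT SRC STATE -> true if every criterion in RULE
# matches the packet. Criteria are ANDed, exactly as iptables does.
rule_matches() {
    local rule=$1 iface=$2 proto=$3 dport=$4 src=$5 state=$6
    set -- $rule
    while [ $# -gt 0 ]; do
        case $1 in
            -i)      [ "$2" = "$iface" ] || return 1; shift ;;
            -p)      [ "$2" = all ] || [ "$2" = "$proto" ] || return 1; shift ;;
            --dport) port_in_range "$dport" "$2" || return 1; shift ;;
            -s)      in_cidr "$src" "$2" || return 1; shift ;;
            --state) case ",$2," in *",$state,"*) ;; *) return 1 ;; esac; shift ;;
            -A|-I|-m|-j|--reject-with) shift ;;   # take an argument but are not criteria
        esac
        shift
    done
    return 0
}

# rule_target RULE -> the target named after -j
rule_target() {
    set -- $1
    while [ $# -gt 0 ] && [ "$1" != -j ]; do shift; done
    echo "$2"
}

# verdict RULES POLICY IFACE PROTO DPORT SRC STATE -> target of the first matching
# rule, or POLICY when nothing matches. Order decides: the first match wins.
verdict() {
    local rules=$1 policy=$2 rule
    shift 2
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if rule_matches "$rule" "$@"; then
            rule_target "$rule"
            return 0
        fi
    done <<EOF
$rules
EOF
    echo "$policy"
}

# INPUT chain of the stock RHEL6 /etc/sysconfig/iptables shown at the top of this post
STOCK_RULES='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Same idea, but the SSH accept was appended (-A) after the catch-all REJECT
APPENDED_LATE='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 22 -j ACCEPT'

# The INPUT chain this post builds further down (policy DROP, no ESTABLISHED,RELATED rule)
POST_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT'

# packet description: IFACE PROTO DPORT SRC STATE
echo "stock chain, SSH SYN from the LAN:      $(verdict "$STOCK_RULES" ACCEPT eth0 tcp 22 192.168.1.5 NEW)"        # ACCEPT
echo "stock chain, HTTP SYN:                  $(verdict "$STOCK_RULES" ACCEPT eth0 tcp 80 192.168.1.5 NEW)"        # REJECT
echo "SSH accept appended after the REJECT:   $(verdict "$APPENDED_LATE" ACCEPT eth0 tcp 22 192.168.1.5 NEW)"      # REJECT
echo "post's final chain, SSH SYN:            $(verdict "$POST_RULES" DROP eth0 tcp 22 192.168.1.5 NEW)"           # ACCEPT
echo "post's final chain, reply to our yum:   $(verdict "$POST_RULES" DROP eth0 tcp 43210 10.0.0.1 ESTABLISHED)"   # DROP
```

The third line of output is the ordering trap in one place: the SSH rule is perfectly good, it just sits below the REJECT and is never consulted. The last line is the other thing to take away from this post: with INPUT policy DROP and no ESTABLISHED,RELATED rule, the reply packets of a connection the server itself opened (its source port is 43210, not 22 or 80) hit the policy.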
Let's start it again.

Before going forward, please make a habit of copying the iptables file first:

# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.010718

Now we will not repeat the previous mistake: first we allow whatever we need to communicate, and only then do we drop everything else.

Make a list of the things which need to be allowed:
1. Loopback
2. Ping
3. SSH
4. HTTP

Currently I have only these 4 things to allow.
First things first:

[root@rhel6-server ~]# iptables -F    # flush every rule from every chain of the filter table
[root@rhel6-server ~]# iptables-save  # only prints the current, now empty, ruleset to stdout; it writes nothing to disk

Note that -F removes rules but leaves the chain policies alone. That is harmless here because the policies are still ACCEPT; flushing a chain whose policy is already DROP, over SSH, locks you out.
Now stop the iptables service. On RHEL6 that flushes the rules, sets every chain's policy back to ACCEPT and unloads the netfilter modules, so we have a clean slate from which to evaluate, check and rectify the rules. Be aware, though, that each iptables command we type from here on changes the live kernel ruleset immediately, whatever "service iptables status" reports; keep console access handy while building the rules.

[root@rhel6-server ~]# service iptables stop
iptables: Flushing firewall rules:                 [  OK  ]
iptables: Setting chains to policy ACCEPT: filter  [  OK  ]
iptables: Unloading modules:                       [  OK  ]
[root@rhel6-server ~]#
[root@rhel6-server ~]# service iptables status
iptables: Firewall is not running.
Let's start our configuration.

Is my server acting as a router? NO. Then we do not require any FORWARD rules, so make that chain's default policy DROP:

[root@rhel6-server ~]# iptables -P FORWARD DROP

Do we need any invalid connections? NO. Then drop them:

[root@rhel6-server ~]# iptables -A INPUT -m state --state INVALID -j DROP

Do we need localhost communication? YES. Then allow it. -I puts these rules at line 1 of their chains, ahead of the INVALID rule:

[root@rhel6-server ~]# iptables -I INPUT -i lo -j ACCEPT
[root@rhel6-server ~]# iptables -I OUTPUT -o lo -j ACCEPT

Ping (ICMP) in both directions:

[root@rhel6-server ~]# iptables -A INPUT -p icmp -j ACCEPT
[root@rhel6-server ~]# iptables -A OUTPUT -p icmp -j ACCEPT

SSH and HTTP:

[root@rhel6-server ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@rhel6-server ~]# iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
[root@rhel6-server ~]#
[root@rhel6-server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@rhel6-server ~]# iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

We know what we are sending outside, so we allow all OUTPUT connections. If we do that, the OUTPUT rules above are not required (and they would not match the server's own replies anyway: a reply from sshd leaves with source port 22, which is --sport 22, not --dport 22). Since this is a learning exercise, that is acceptable.

[root@rhel6-server ~]# iptables -P OUTPUT ACCEPT

We have already configured all INPUT rules, so let's DROP the rest of the incoming connections. This takes effect immediately; your SSH session survives only because the --dport 22 ACCEPT above matches every packet of it, whatever its state:

[root@rhel6-server ~]# iptables -P INPUT DROP

One gap remains in this INPUT chain, visible when you compare it with the stock ruleset at the top of this post: there is no ESTABLISHED,RELATED rule. Inbound packets are accepted only by destination port, so replies to connections the server itself opens (yum, DNS lookups, outbound HTTP) are dropped by the policy. Add that rule near the top of INPUT before you rely on outbound connectivity from this host.

Now this is it. Save the rules and start the iptables service. The first iptables-save only prints the ruleset to the terminal; the redirect is what writes the file (service iptables save does the same on RHEL6):

[root@rhel6-server ~]# iptables-save
[root@rhel6-server ~]# iptables-save > /etc/sysconfig/iptables
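As an added example (not the post's own script, and nothing RHEL6 ships), here is how I would turn the allow list above into a file for iptables-restore, including the ESTABLISHED,RELATED rule the chain above is missing, lint it for the classic lock-out mistakes before loading, and load it with a timed rollback so that one bad rule cannot strand you on a remote box. The file names, the 60-second rollback window and the helper names are assumptions.

```shell
#!/bin/bash
# Added example, not the post's own script: build the allow-list firewall from this
# post as an iptables-restore file, lint it for the classic lock-out mistakes, and
# load it with a timed rollback. File names, the rollback window and the helper
# names are assumptions; adjust to taste.

# build_ruleset PORT... -> iptables-restore text. Loopback, conntrack replies and
# ping are accepted, then one NEW rule per listed TCP port; INPUT and FORWARD
# default to DROP. The ESTABLISHED,RELATED line is the one the post's chain lacks.
build_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP' \
        '-A INPUT -p icmp -j ACCEPT'
    local port
    for port in "$@"; do
        printf '%s\n' "-A INPUT -m state --state NEW -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# lint_ruleset < FILE -> exit 0 if an INPUT DROP policy comes with the rules that
# keep you on the box; otherwise print each problem and exit 1
lint_ruleset() {
    local text rc=0
    text=$(cat)
    printf '%s\n' "$text" | grep -q '^:INPUT DROP' || return 0   # permissive policy: nothing to check
    printf '%s\n' "$text" | grep -q -- '--state [A-Z,]*ESTABLISHED' ||
        { echo 'INPUT DROP without an ESTABLISHED,RELATED accept: replies to outbound connections (yum, DNS) die'; rc=1; }
    printf '%s\n' "$text" | grep -q -- '-A INPUT -i lo -j ACCEPT' ||
        { echo 'no loopback accept: local services talking to 127.0.0.1 break'; rc=1; }
    printf '%s\n' "$text" | grep -q -- '--dport 22 -j ACCEPT' ||
        { echo 'no SSH accept: loading this over SSH ends the session'; rc=1; }
    return $rc
}

# safe_apply FILE -> lint FILE, save the running rules, load FILE with iptables-restore
# and schedule a restore of the saved rules; kill the sleeper once SSH still works.
safe_apply() {
    local new=$1 backup=/etc/sysconfig/iptables.$(date +%Y%m%d%H%M%S)
    lint_ruleset < "$new" || { echo "refusing to load $new"; return 1; }
    iptables-save > "$backup" || return 1
    ( sleep "${ROLLBACK_SECS:-60}" && iptables-restore < "$backup" && echo "rolled back to $backup" ) &
    echo "loading $new; rollback in ${ROLLBACK_SECS:-60}s unless you run: kill $!"
    iptables-restore < "$new"
}

# Usage: sh fw.sh              -> print and lint the ruleset for SSH and HTTP
#        sh fw.sh apply FILE   -> load FILE with rollback protection (as root on RHEL6)
case "${1:-}" in
    apply) safe_apply "$2" ;;
    *)     RULES=$(build_ruleset 22 80)
           printf '%s\n' "$RULES"
           printf '%s\n' "$RULES" | lint_ruleset && echo 'lint: ok' ;;
esac
```

Run it without arguments to print and lint the ruleset; redirect that output to a file, load it with "sh fw.sh apply FILE", and once you have confirmed from another host that SSH still works, kill the sleeper pid it printed and only then copy the file to /etc/sysconfig/iptables. Fed the INPUT chain this post ends with, the lint reports the missing ESTABLISHED,RELATED rule and refuses to load it.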
Let's verify:

[root@rhel6-server ~]# iptables -L --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    DROP       all  --  anywhere             anywhere            state INVALID
3    ACCEPT     icmp --  anywhere             anywhere
4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
5    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Rule 1 in INPUT and OUTPUT is the loopback rule, but plain -L does not show the interface column, so it looks like an accept-everything rule. Use iptables -nvL --line-numbers to see the in/out interfaces and packet counters, and to skip the DNS and /etc/services lookups that turn 22 into ssh.
All seems good, let's start the iptables service.

[root@rhel6-server ~]# service iptables start
iptables: Applying firewall rules:                 [  OK  ]

GREAT... IP TABLES SUCCESSFULLY IMPLEMENTED.
Checking IPTables validity from rhel6-client1

ICMP:

[root@rhel6-client1 ~]# ping 192.168.135.142
PING 192.168.135.142 (192.168.135.142) 56(84) bytes of data.
64 bytes from 192.168.135.142: icmp_seq=1 ttl=64 time=2.64 ms
64 bytes from 192.168.135.142: icmp_seq=2 ttl=64 time=0.414 ms
^C
--- 192.168.135.142 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1292ms
rtt min/avg/max/mdev = 0.414/1.528/2.642/1.114 ms
HTTP: PORT 80:
SSH: PORT 22:

[root@rhel6-client1 ~]# ssh 192.168.135.142
root@192.168.135.142's password:
Last login: Sat Jul  7 14:19:44 IST 2018 from 192.168.135.150 on pts/3
Last login: Sat Jul  7 14:34:19 2018 from 192.168.135.150
[root@rhel6-server ~]# hostname
rhel6-server