Basic settings of IPTables for Linux Network Management

Source: Internet
Author: User

1. Introduction

CentOS has a powerful built-in firewall, usually referred to simply as iptables, although the more correct name is iptables/netfilter. Iptables is the user-space component: as a user, you use the command line to add firewall rules to the default tables. Netfilter is the kernel module that does the actual filtering. There are many graphical front-ends that let users add or define rules, but most of them are less flexible than the command line and hide from the user what is actually happening. Here we will learn the command-line interface of iptables.

Before we officially deal with iptables, we must have a basic understanding of its operation. Iptables uses the concepts of IP address, protocol (tcp, udp, icmp), and port. We don't need to be experts in these areas (because we can find the information we need), but a general understanding of them will help.

Iptables places rules in the default chains (INPUT, OUTPUT and FORWARD). All traffic (IP packets) is checked against the relevant chain, and the rules decide how each packet is handled, for example whether it is accepted or discarded. These actions are called targets; the two most common are DROP, which discards the packet, and ACCEPT, which lets it through.

Rule chain

We can add rules to the three default rule chains of the filter table to process packets through these rule chains. They are:

INPUT: all packets destined for the host.

OUTPUT: all packets originating from the host.

FORWARD: packets whose source and destination are both other hosts, but which are routed through this host. If your host acts as a router, this chain applies.

We will spend most of our time on the INPUT chain, filtering the packets that enter our machine, that is, keeping the bad guys out.

Rules are added to each chain as an ordered list. Each packet is checked against the rules in order, from the first to the last. If the packet matches a rule, the corresponding action is executed, for example ACCEPT or DROP. Once a rule matches, the packet is handled according to that rule and is not checked against the remaining rules in the chain. If the packet passes through all the rules without matching any of them, the default action of the chain is applied. This is the so-called default policy, which can be set to ACCEPT or DROP.

Because chains have default policies, there are two basic approaches, and we must choose between them when deciding how to organize our firewall.

1. We can DROP all packets by default, and then add rules to ACCEPT packets originating from trusted IP addresses, or to open the ports of the services we provide, such as a BitTorrent client, FTP server, web server or Samba file server.

Or,

2. We can ACCEPT all packets by default, and then deliberately add rules to DROP packets from problematic IP addresses or address ranges, or to block packets entering or leaving ports that are for internal use only or that provide no service.

In general, the first approach is used for the INPUT chain, because we want to control what can reach our machine. The second approach is used for the OUTPUT chain, because most of us trust the packets leaving our own machine.

2. Start preparation

Using iptables on the command line requires root privileges, so you must become root to carry out the steps below.

Note: We will disable iptables and reset your firewall rules. If you rely on your Linux firewall as a first line of defense, take special care here.

Iptables is installed by default on all CentOS 3.x, 4.x and 5.x systems. You can check whether it is installed on your system as follows:

$ rpm -q iptables
iptables-1.3.5-1.2.1

To check whether iptables is running, we can check whether the iptables module has been loaded, and use the -L option to view the active rules:

# lsmod | grep ip_tables
ip_tables              29288  1 iptable_filter
x_tables               29192  6 ip6t_REJECT,ip6_tables,ipt_REJECT,xt_state,xt_tcpudp,ip_tables

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.20          udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

From the above we can see the default rules, including the rule that allows access to the SSH service.

If iptables is not running, you can enable it with the following tool:

# system-config-securitylevel

3. Create a simple set of rules

Note: At this point we will clear the default rule set. If you are connected to the server remotely over SSH while following along, you could lock yourself out. Before clearing the existing rules, you must change the default INPUT policy to ACCEPT; then add a rule that allows you to reach the machine yourself, so that you are not blocked.
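As an added example (not from the original article), the following POSIX shell script carries out the order the note describes: set the INPUT policy to ACCEPT first, flush, re-admit the loopback interface, established connections and SSH, and only then switch INPUT to the DROP default from section 1. The management range 192.0.2.0/24 and SSH port 22 are assumptions; set IPT=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: reset the filter table without dropping the SSH session
# that is used to administer the box. Requires root when actually applied.
IPT="${IPT:-iptables}"                  # set IPT=echo for a dry run
SSH_PORT="${SSH_PORT:-22}"              # assumption: sshd listens on 22
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"  # constructed management range

safe_reset() {
    # 1. Open the default policies first, so the flush below cannot
    #    leave the chain with DROP and no rules.
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    # 2. Clear every rule in the filter table.
    "$IPT" -F
    # 3. Re-admit ourselves before anything restrictive is in place:
    #    loopback, replies to existing connections, and new SSH from
    #    the management range only.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" \
        -m state --state NEW -j ACCEPT
    # 4. Only now apply the restrictive default for INPUT.
    "$IPT" -P INPUT DROP
}

# Print the planned commands (one per line) without touching the kernel.
dry_run() {
    ( IPT=echo; safe_reset )
}

if [ "${1:-}" = "--apply" ]; then
    safe_reset
else
    dry_run
fi
```

Run with --apply as root to change the live rule set; without it the script only prints what it would do.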
