Linux(limited)firewallIptablesBasicsNHFmirrorofhttp://www.linuxnewbie.org/nhf/intel/security/iptables_basics.htmlIptablesBasicsNHFWrittenBy:Prince_Kenshieditedbyduquoihowtouseiptablestosetupbasicfirewall

knowhowfirewalltreatspacketsleaving,entering,orpassingthroughcomputer.thereisachainforeach.Thechainsarehalfthelogicbehindiptables.packetenteringgoesthroughINPUTchain.packetcomputersendsouttonetworkgoesthroughOUTPUTchain.packetcomputerpicksupononenetworkandsendstoanothergoesthroughFORWARDchain.howiptablesworksetupcertainrulesineachofthesechainsthatdecidewhathappenstopacketsthatpassthrough.ifcomputersendsapackettowww.yahoo.comtorequestanHTMLpage,itwouldfirstpassthroughtheOUTPUTchain.Thekernelwouldlookthroughrulesinthechainandseeifanymatch.Thefirstonethatmatchesdecidestheoutcomeofthatpacket.Ifnorulesmatch,thepolicyofthewholechainwillbethefinaldecisionmaker.ThenwhateverreplyYahoo!sentbackwouldpassthroughtheINPUTchain.|s(sourceordns)toblockallpacketscomingfrom200.200.200.1�sisusedtospecifysourceIPorDNSname.torefertotrafficcomingfromthisaddress:iptables�s200.200.200.1|j(accept|deny|drop)But�sdoesn'tsaywhattodowiththepackets.�joptionwillspecifywhathappenstothepacket.ThemostcommonthreeareACCEPT,DENY,andDROP.ACCEPTisnotwhatwewant.DENYsendsamessagebackthiscomputerisn'tacceptingconnections.DROPtotallyignoresthepacket.IfsuspiciousaboutIP,DROPoverDENY:iptables�s200.200.200.1�jDROP|A(append)Butthecomputerstillwon'tunderstandsoaddthechainitgoeson.use�Aforthis.Itappendstheruletotheendofchainspecified.tokeepthecomputerfromtalkingtous,putitonINPUT:iptables�AINPUT�s200.200.200.1�jDROP|d(destination)Thissinglecommandignoreseverythingcomingfrom200.200.200.1(withexceptions,butwe'llgetintothatlater).Theorderofoptionsdon'tmatter;�jDROPcouldgobefore�s200.200.200.1.tokeepyourcomputerfromtalkingtoit,changeINPUTtoOUTPUTandchange�sto�dfordestination.||destination|port|||source|portwhatifweonlywanttoignoretelnetrequestsfromthiscomputer?port23istelnetbutyoucanjustusethewordtelnet.atleast3protocolscanbespecified:TCP,UDP,andICMP.Telnet,likemostservices,runsonTCPsowe'regoingwithit.The�poptionspecifiesprotocol.ButTCPdoesn'ttelliteverything;telnetisonlyaspecificprotocolusedonthelargerprotocolofTCP.AfterwespecifytheprotocolisTCP,wecanuse��destination�porttodenotetheportthey'retryingtocontactuson.don'tgetsourceanddestinationportsmixedup.Remember,theclientcanrunonanyport,it'stheserverthatwillruntheserviceonport23.toblockoutacertainserviceuse��destination�port.Theoppositeis��source�port.command:iptables�AINPUT�s200.200.200.1�ptcp��destination�porttelnet�jDROPtospecifyanIPrange,youcoulduse200.200.200.0/24.ThiswouldspecifyanyIPthatmatched200.200.200.*.

biggerfish|i(input)||o(output)...interfaceLet'ssayyouhaveaLANandthenyouhaveaconnectiontotheinternet.saytheLANiseth0whileinternetconnectionisppp0.NowsupposewewanttotelnettorunasaservicetocomputersontheLANbutnotoninsecureinternet.use�ifortheinputinterfaceand�ofortheoutputinterface.YoucouldalwaysblockitontheOUTPUTchain,butblockitonINPUTsothetelnetdaemonneverevenseestherequest.rule:iptables�AINPUT�ptcp��destination�porttelnet�ippp0�jDROPthisshouldcloseofftheporttoanyoneontheinternetyetkeptitopentotheLAN.otherwaystomanipulaterules|A(append)The�Aoptionappendsaruletotheendofthelist,meaninganymatchingrulebeforeitwillhavesaybeforethisonedoes.|I(insert)toputarulebeforetheendofthechain,use�Iforinsert.Thiswillputtheruleinanumericallocationinthechain.Forexample,toputitatthetopoftheINPUTchain,use"�IINPUT1"alongwiththerestofthecommand.Justchangethe1towhateverplaceyouwantittobein.|R(replace)Nowsaywewanttoreplacewhateverrulewasalreadyinthatlocation.Justuse�Rtoreplacearule.Ithasthesamesyntaxas�Iandworksthesamewayexceptitdeletestheruleatthatpositioninsteadofbumpingeverythingdown.|D(delete)finally,ifyoujustwanttodeletearule,use�D.Thisalsohasasimilarsyntaxbutyoucaneitheruseanumberfortheruleortypeoutalltheoptionsthatyouwouldifyoucreatedtherule.Thenumbermethodisusuallytheoptimalchoice.|L(list)Therearetwomoresimpleoptionstolearnthough.�Llistsalltherulessetsofarwhenyouforgetwhereyou'reat.|F(flush)�Fflushesacertainchain.(removesallrulesonthechain.)Ifyoudon'tspecifyachain,itwillbasicallyflusheverything.

advancedWeknowthesepacketsuseacertainprotocolandifthatprotocolisTCP,thenitusesacertainport.youmightbecompelledtojustcloseallportstoincomingtraffic,butafteryourcomputertalkstoanothercomputer,thatcomputermusttalkback.Ifyoucloseallincomingports,you'llrenderyourconnectionuseless.formostnon�serviceprograms,youcan'tpredictwhichporttheycommunicateon.Butthere'sstillaway.|synoptionWhenevertwocomputerstalkoverTCP,thatconnectionmustfirstbeinitialized.ThisisthejobofaSYNpacket.SYNpackettellsothercomputerit'sreadytotalk.onlythecomputerrequestingtheservicesendsaSYNpacket.SoifyouonlyblockincomingSYNpackets,itstopsothercomputersfromopeningservicesonyourcomputerbutwon'tstopyoufromcommunicatingwiththem.Itroughlymakesyourcomputerignoreanythingthatitdidn'tspeaktofirst.It'smeanbutitgetsthejobdone.theoptionforthisis��synafteryouspecifyTCPprotocol.Sotomakearulethatblocksallincomingconnectionsonlyontheinternet:iptables�AINPUT�ippp0�ptcp��syn�jDROP!(not)That'salikelyruleyou'lluseunlessawebserviceruns.toleaveoneportopen,example80(HTTP),asimplewaytodothisisanexclamationmark�itmeansnot.Forinstance,toblockallSYNpacketsonallportsexcept80,itwouldlooksomethinglikethis:iptables�AINPUT�ippp0�ptcp��syn��destination�port!80�jDROPchangingpolicyforachain|p(forwardaccept)ThechainsINPUTandOUTPUTareusuallysettoACCEPTbydefaultandFORWARDissettoDENY.tousecomputerasarouter,setFORWARDpolicytoACCEPT.Howdowedothis?usethe�Poption.Justfollowitbythechainnameandthenewpolicyandyouhaveitmade.TochangeFORWARDchaintoanACCEPTpolicy:iptables�PFORWARDACCEPTmaniptableslearnmoreoptions(orrefreshyourmemory).findmoreadvanceddocumentstolearnadvancedfeaturesofiptables.Links:IntroducingNetfilter(iptables)http://www.linuxsecurity.com/docs/colsfaq.html