Introduction
Linux holds a strong share of the server market, so packet filtering has always mattered to it: Linux kernels have had a packet filter since the 1.1 series.
Alan Cox ported BSD's ipfw to Linux in 1994, and Jos Vos's ipfwadm, extended for the 2.0 kernels, became the first widely used Linux firewall tool. BSD has a reputation for conservative development and FreeBSD still ships ipfw many years later, while Linux is now on to its second replacement (and nftables, the successor to iptables, is the third). The second generation, Rusty Russell's ipchains, arrived with Linux 2.2 in 1998; iptables, developed from 1999 as part of the netfilter project, replaced it in the 2.4 series released in January 2001.
iptables ships with virtually every Linux distribution and is a sophisticated, stateful firewall suited to workstations and servers alike. On current distributions the iptables command is usually the nftables-backed build (iptables-nft), but the syntax used below is unchanged. It is far more powerful than Windows XP's ICF and (in my opinion) more powerful than BSD / OS X's ipfw, though less user friendly than either.
Network ports used by common traffic
These are the registered defaults. A daemon can listen on any port, so confirm what is actually open (ss -lntup, or netstat -lntup on older systems) before writing rules.
- SSH - TCP 22
- SMTP - TCP 25
- DNS - UDP & TCP 53
- DHCP - UDP 67 (server) & UDP 68 (client)
- HTTP - TCP 80
- Kerberos - UDP & TCP 88
- POP3 - TCP 110
- SMB - UDP 137:138 (NetBIOS name and datagram services) & TCP 139 (NetBIOS session), TCP 445 (SMB without NetBIOS)
- IMAP - TCP 143
- LDAP - UDP & TCP 389
- HTTPS - TCP 443
- LPD - TCP 515
- AFP - TCP 548
- CUPS / IPP - TCP 631 (UDP 631 for printer browsing)
- LDAP / SSL - TCP 636
- IMAP / SSL - TCP 993
- POP3 / SSL - TCP 995
iptables command
The general syntax of the iptables command is:
iptables [-t table] [command-type] [pattern-match-options] -j [target]
The table defaults to filter, which holds the INPUT, OUTPUT and FORWARD chains and is the only table used on this page (NAT lives in the nat table). A packet traverses a chain from top to bottom and the first matching rule with a terminating target decides its fate, so rule order matters.
command-type
Can include:
- -L [chain] - List the rules in [chain], or in all chains if omitted. Add -n to skip DNS lookups, -v for packet and byte counters, and --line-numbers to see the rule numbers that -D and -I take
- -F [chain] - Flush (delete) all rules from [chain], or from every chain if omitted
- -P [chain] [policy] - Set the default policy of a built-in chain (INPUT, OUTPUT or FORWARD): the fate of a packet that matches no rule. The policy must be ACCEPT or DROP; REJECT is an extension target and cannot be a policy. FORWARD is a chain, not a policy; it carries routed traffic, which (together with IP masquerading) we will not cover
- -A [chain] - Append a rule to the end of [chain]
- -I [chain] [rulenum] - Insert a rule at position [rulenum] of [chain] (default 1, the top)
- -D [chain] [rulenum] - Delete rule [rulenum] from [chain]; the full rule specification may be given instead of the number
- -N [chain] - Create a new user-defined chain named [chain]
- -X [chain] - Delete the (empty) user-defined chain [chain]
pattern-match-options
Source, destination, port, rate
Can include:
- -p [protocol] - Where protocol is tcp, udp, icmp or all (a protocol number from /etc/protocols also works)
- -d [address / mask], -s [address / mask] - The destination / source address of the packet: a host name, a single address, or a network in address/mask or CIDR form (for example 128.250.0.0/16). Host names are resolved once, when the rule is loaded, so prefer addresses
- --dport [port], --sport [port] - The destination / source port: a number, a range written low:high, or a service name from /etc/services. Requires -p tcp or -p udp, since only those protocols have ports
- -i [interface], -o [interface] - The input / output interface the rule applies to (eth0, ppp0). -i is only valid in INPUT and FORWARD, -o only in OUTPUT and FORWARD; a trailing + matches a prefix (eth+)
- -m state --state [state_type] - Matches against the connection-tracking table. state_type can be NEW (the first packet of a connection), ESTABLISHED (part of a connection that has seen packets in both directions), RELATED (associated with an existing connection, such as an ICMP error message or an FTP data channel) or INVALID (not attributable to any connection, often malformed). Current iptables spells the same match -m conntrack --ctstate; -m state still works
- -m limit --limit [rate] - Matches at most rate packets per period (for example 5/min), allowing an initial burst of --limit-burst packets (default 5). Put it in front of a LOG rule so a port scan cannot flood the log
- --icmp-type [typename] - Specifies the ICMP type, numerically or by name (iptables -p icmp -h lists the names). Requires -p icmp
Note that most of these matches can be negated by putting ! in front of the option, for example ! -i lo or ! -s 128.250.0.0/16. The older placement after the option (-i ! lo) is deprecated and newer iptables versions warn about it.
target
iptables has a number of different actions that can be applied to packets matching a particular rule:
- DROP - silently discard the packet, sending nothing back, and stop processing the chain. The sender sees a timeout
- REJECT - discard the packet, send an ICMP "port unreachable" message back (the default; --reject-with tcp-reset sends a TCP RST instead, which is what a closed port would do) and stop processing. Only valid in INPUT, OUTPUT, FORWARD and user-defined chains called from them
- ACCEPT - let the packet through and stop processing the chain
- LOG - write the packet headers to the kernel log at the "warning" level by default (--log-level changes it, --log-prefix tags the line) and continue with the next rule. LOG is non-terminating, so it is normally placed immediately before the DROP or REJECT rule it describes, and preceded by -m limit to bound the log rate
- MASQUERADE, SNAT and DNAT - the NAT targets, which live in the nat table rather than the filter table; we will not cover them. (FORWARD is the chain for routed packets, not a target)
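The LOG target only writes lines to the kernel log; turning them into something you can act on takes a little parsing. The script below is an added example and not part of the original page: it reads syslog-style kernel log lines, keeps those carrying a LOG prefix that starts with "iptables" (an assumed prefix, set with --log-prefix on the LOG rules), and counts logged packets per source address and per protocol/destination port. The sample log lines are constructed, not captured from a real host, and the host name, addresses and ports in them are placeholders.

```sh
#!/bin/sh
# Summarise kernel LOG output from the firewall: count logged packets by source
# address and by protocol/destination port. Added example, not from the original
# page. Assumes the LOG rules were loaded with --log-prefix "iptables ..." (an
# assumed naming) so firewall lines can be told apart from other kernel messages.

# Constructed sample in the format the LOG target writes (as seen in
# /var/log/messages or journalctl -k); not captured from a real host.
SAMPLE_LOG='Mar  3 10:15:01 mail kernel: iptables INPUT reject: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 mail kernel: iptables INPUT reject: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=12346 DF PROTO=TCP SPT=51235 DPT=3389 SYN URGP=0
Mar  3 10:15:03 mail kernel: iptables INPUT reject: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=44 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=23 SYN URGP=0
Mar  3 10:15:04 mail kernel: iptables INPUT reject: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=78 TTL=52 ID=12347 PROTO=UDP SPT=5353 DPT=5353 LEN=58
Mar  3 10:15:05 mail kernel: iptables INPUT reject: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TTL=240 ID=54322 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:15:06 mail sshd[2211]: Accepted publickey for alice from 192.0.2.50 port 50022 ssh2'

# Print "SRC PROTO DPT" for every firewall log line on stdin. Packets without a
# port (ICMP) get "-" so they are still counted; unrelated lines are skipped.
extract_fields() {
    awk '/iptables .*SRC=/ {
        src = ""; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") print src, proto, dpt
    }'
}

# "count address", busiest source first; ties are ordered by address so the
# output is stable from run to run.
count_by_source() {
    extract_fields | awk '{ n[$1]++ } END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# "count PROTO/port", most-hit destination first.
count_by_port() {
    extract_fields | awk '{ k = $2 "/" $3; n[k]++ } END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# The single address worth looking at first (feed it to whois, or to a temporary DROP rule).
top_source() {
    count_by_source | head -n 1 | awk '{ print $2 }'
}

# Demo on the constructed sample. On a live host replace the printf with
#   journalctl -k | count_by_source      or      grep iptables /var/log/messages | count_by_port
printf '%s\n' "$SAMPLE_LOG" | count_by_source
printf '%s\n' "$SAMPLE_LOG" | count_by_port
```

If the LOG rule is not rate-limited, the input on a scanned host can be very large; the script is a single awk pass over a stream, so that is fine, but the rate limit on the rule is still the right fix.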
Examples
These examples are in iptables-restore format. On Fedora Core / Red Hat systems they can be pasted into /etc/sysconfig/iptables and loaded with service iptables restart; on other systems load them with iptables-restore < file. Rules are evaluated top to bottom and the first match wins, so keep the catch-all LOG and REJECT rules last, and if you load a ruleset over SSH make sure the rule admitting your own session comes before them or you will lock yourself out. Feel free to use them and edit as you see fit.
The first example below is for a web and file server connected via a single ethernet device. Inbound SSH, HTTP, HTTPS, SMB, AFP and packets belonging to established connections are allowed (SMB and AFP only from 128.250.0.0/16), while outbound connections are not restricted.
*filter
# Default policies: fail closed if the table is ever flushed or only partly loaded
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allow all loopback (lo) traffic and reject all traffic to 127/8 that doesn't arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept packets belonging to established connections (and related ones, such as ICMP errors)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Accept SSH and web server connections from anywhere
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Samba: accept connections from 128.250.0.0/16 only
-A INPUT -p udp -s 128.250.0.0/16 --dport 137:138 -j ACCEPT
-A INPUT -p tcp -s 128.250.0.0/16 --dport 139 -j ACCEPT
-A INPUT -p tcp -s 128.250.0.0/16 --dport 445 -j ACCEPT
# AFP: accept connections from 128.250.0.0/16 only (AFP runs over TCP; the UDP rule is harmless)
-A INPUT -p udp -s 128.250.0.0/16 --dport 548 -j ACCEPT
-A INPUT -p tcp -s 128.250.0.0/16 --dport 548 -j ACCEPT
# Log (rate-limited, so a port scan cannot fill the disk) and reject all other inbound traffic
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT reject: "
-A INPUT -j REJECT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables FORWARD reject: "
-A FORWARD -j REJECT
COMMIT
The second example is for an email server connected via dual ethernet devices. The server allows inbound connections for SSH, SMTP, POP3, IMAP, POP3 via SSL, IMAP via SSL and established traffic. Outbound connections are not restricted.
*filter
# Default policies: fail closed if the table is ever flushed or only partly loaded
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allow all loopback (lo) traffic
# Reject all traffic to 127/8 that doesn't arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept packets belonging to established connections (and related ones, such as ICMP errors)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept inbound SSH connections on either interface
-A INPUT -p tcp --dport 22 -j ACCEPT
# Allow inbound SMTP (25) via the first ethernet device only
# (eth0/eth1 are the names used here; newer systems use names such as enp0s3, check with ip link)
-A INPUT -p tcp --dport 25 -i eth0 -j ACCEPT
# Allow the other mail services via the second ethernet device only:
# POP3 (110), IMAP (143), POP3 over SSL (995) and IMAP over SSL (993)
-A INPUT -p tcp --dport 110 -i eth1 -j ACCEPT
-A INPUT -p tcp --dport 143 -i eth1 -j ACCEPT
-A INPUT -p tcp --dport 995 -i eth1 -j ACCEPT
-A INPUT -p tcp --dport 993 -i eth1 -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Log (rate-limited) and reject all other inbound traffic
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT reject: "
-A INPUT -j REJECT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables FORWARD reject: "
-A FORWARD -j REJECT
COMMIT
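Pasting a ruleset into /etc/sysconfig/iptables and restarting the service works until the day a typo, or a rule in the wrong order, cuts off the SSH session you are doing it from. The script below is an added example, not from the original page or the referenced course: it generates a ruleset equivalent to the first example above from a few variables, parses it with iptables-restore --test before touching the live table, and applies it behind a timed rollback so an unconfirmed load reverts on its own. Compared with the page's rules it also sets DROP policies, drops INVALID packets and rate-limits the LOG rules. The trusted subnet 128.250.0.0/16 is carried over from the examples; the state directory under /run, the rollback timeout and the sub-command names (gen, check, apply, confirm) are this script's own choices.

```sh
#!/bin/sh
# Generate, validate and apply a filter ruleset without locking yourself out of a
# remote host. Added example, not from the original page. Assumptions (not stated
# on the page): iptables-restore supports --test, you administer the host over SSH
# on a port listed in PUBLIC_TCP, and root can write under /run.
set -eu

TRUSTED_NET="${TRUSTED_NET:-128.250.0.0/16}"        # subnet allowed to reach Samba/AFP (from the page)
PUBLIC_TCP="${PUBLIC_TCP:-22 80 443}"               # TCP ports open to everyone
LAN_TCP="${LAN_TCP:-139 445 548}"                   # TCP ports open to TRUSTED_NET only
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}" # Fedora/RHEL location; adjust elsewhere
STATE_DIR="${STATE_DIR:-/run/iptables-rollback}"    # assumed writable by root
ROLLBACK_SECS="${ROLLBACK_SECS:-90}"                # how long you have to confirm

rule() { printf '%s\n' "$*"; }   # one line of iptables-restore input

# Emit the ruleset in iptables-restore format. Policies are DROP so a flushed or
# half-loaded table fails closed; the explicit final REJECT keeps the behaviour of
# the page's examples, which answer refused connections rather than dropping them.
gen_rules() {
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
    # -m state as on the page; current iptables spells the same check -m conntrack --ctstate
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m state --state INVALID -j DROP
    for p in $PUBLIC_TCP; do
        rule -A INPUT -p tcp -m state --state NEW --dport "$p" -j ACCEPT
    done
    rule -A INPUT -p udp -s "$TRUSTED_NET" --dport 137:138 -j ACCEPT
    for p in $LAN_TCP; do
        rule -A INPUT -p tcp -s "$TRUSTED_NET" -m state --state NEW --dport "$p" -j ACCEPT
    done
    # Rate-limit LOG: without -m limit a port scan can fill the disk with log lines
    rule -A INPUT -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix '"iptables INPUT reject: "'
    rule -A INPUT -j REJECT
    rule -A FORWARD -m limit --limit 5/min -j LOG --log-prefix '"iptables FORWARD reject: "'
    rule -A FORWARD -j REJECT
    rule COMMIT
}

# Parse a ruleset file with iptables-restore but commit nothing; this catches
# typos, unknown matches and missing kernel modules before the live table is touched.
validate_rules() {
    iptables-restore --test < "$1"
}

# Dead-man switch: save the live ruleset, start a watchdog that restores it after
# ROLLBACK_SECS, then load the new one. If the new rules cut your SSH session the
# watchdog puts the old ones back; if they work, run confirm to cancel it.
apply_rules() {
    validate_rules "$1"
    mkdir -p "$STATE_DIR"
    iptables-save > "$STATE_DIR/backup"
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$STATE_DIR/backup" \
        && logger -t iptables-rollback "new rules not confirmed, previous ruleset restored" ) &
    echo "$!" > "$STATE_DIR/pid"
    iptables-restore < "$1"
    echo "applied $1; run '$0 confirm' within ${ROLLBACK_SECS}s to keep it"
}

confirm_rules() {
    kill "$(cat "$STATE_DIR/pid")"
    rm -rf "$STATE_DIR"
    echo "rollback cancelled, ruleset kept"
}

case "${1:-}" in
    gen)     gen_rules ;;
    check)   gen_rules > "$RULES_FILE.new" && validate_rules "$RULES_FILE.new" && echo "ok: $RULES_FILE.new" ;;
    apply)   apply_rules "${2:-$RULES_FILE.new}" ;;
    confirm) confirm_rules ;;
    *)       echo "usage: $0 gen | check | apply [file] | confirm" >&2 ;;
esac
```

Run check first, then apply, and from a second SSH session run confirm within the timeout; if the first session hangs instead, wait for the watchdog to restore the old rules. After confirming, move the generated .new file over /etc/sysconfig/iptables (or whatever your distribution loads at boot) so the change survives a reboot.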
ref :: http://linux.unimelb.edu.au/server/course/fc3/iptables.html