Netfilter
is the host-based firewall of Linux operating systems. It is included as part of
the Linux distribution and is activated by default. This firewall is
controlled by the program called iptables. Netfilter filtering takes place at
the kernel level, before a program can even process the data from the network
packet.
Iptables config file: on RHEL / CentOS / Fedora Linux the default config file is
/etc/sysconfig/iptables. The system scripts that activate the firewall read
this file.
Understanding the firewall:
There are 4 chains in total: three built-in chains and one user-defined chain.
INPUT - The built-in chain used for packets addressed to the system. Use it to
open or close incoming ports (such as 80, 25 and 110) and IP addresses / subnets
(such as 202.54.1.20/29).
OUTPUT - The built-in chain used for packets generated by the system. Use it to
open or close outgoing ports and IP addresses / subnets.
FORWARD - The built-in chain used for packets that pass through the system from
one interface to another. Usually used when Linux is set up as a router. For
example, eth0 is connected to an ADSL/cable modem and eth1 to the local LAN;
the FORWARD chain carries traffic between the LAN and the Internet.
RH-Firewall-1-INPUT - This is a user-defined custom chain. It is used by the
INPUT, OUTPUT and FORWARD chains.
Packet matching rules
Each packet starts at the first rule in the chain.
A packet proceeds down the chain until it matches a rule.
If a match is found, control jumps to the rule's target (such as REJECT, ACCEPT
or DROP) and later rules in the chain are not consulted.
If no rule matches, the chain's default policy decides what happens to the
packet.
Target meanings
The target ACCEPT means allow the packet.
The target REJECT means drop the packet and send an error message back to the
remote host.
The target DROP means drop the packet silently, without sending an error
message to the remote or sending host.
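The chain walk just described, as an added illustration that is not code from the original post and does not touch iptables at all: a chain is constructed as one rule per line ("proto dport source target", with "any" as a wildcard and "-" meaning "no port" for ICMP), and the walk returns the target of the first matching rule or the chain policy when nothing matches. The second chain deliberately puts a broad DROP in front of a narrow ACCEPT to show that rule order decides the verdict. Addresses are the post's sample values.

```sh
#!/bin/sh
# Added illustration of first-match rule evaluation; not from the original post.
# Nothing here calls iptables; the "chain" is plain text constructed below.

# A rule field matches a packet field when it is the wildcard or equal to it.
field_matches() {
    [ "$1" = "any" ] || [ "$1" = "$2" ]
}

# walk <chain-text> <policy> <proto> <dport> <src>
# Prints the verdict: the target of the first matching rule, or the chain's
# default policy when the packet falls off the end of the chain.
walk() {
    chain=$1; policy=$2; pkt_proto=$3; pkt_port=$4; pkt_src=$5
    while read -r r_proto r_port r_src r_target; do
        [ -n "$r_proto" ] || continue          # skip blank lines
        if field_matches "$r_proto" "$pkt_proto" &&
           field_matches "$r_port"  "$pkt_port"  &&
           field_matches "$r_src"   "$pkt_src"; then
            echo "$r_target"                   # first match wins; stop here
            return 0
        fi
    done <<EOF
$chain
EOF
    echo "$policy"                             # no rule matched: policy applies
}

# Constructed INPUT chain: the admin host may ssh and nobody else; web is open
# to all; one host may ping, everyone else's echo requests are dropped.
GOOD_ORDER="tcp 22 192.168.50.5 ACCEPT
tcp 22 any DROP
tcp 80 any ACCEPT
icmp - 192.168.50.10 ACCEPT
icmp - any DROP"

# Same rules with the ICMP pair swapped: the broad DROP now sits in front of
# the narrow ACCEPT, so the ACCEPT can never be reached.
SHADOWED="tcp 22 192.168.50.5 ACCEPT
tcp 22 any DROP
tcp 80 any ACCEPT
icmp - any DROP
icmp - 192.168.50.10 ACCEPT"

verdict_good()     { walk "$GOOD_ORDER" DROP "$@"; }
verdict_shadowed() { walk "$SHADOWED"   DROP "$@"; }

echo "ssh from admin host:           $(verdict_good tcp 22 192.168.50.5)"      # ACCEPT
echo "ssh from elsewhere:            $(verdict_good tcp 22 203.0.113.7)"       # DROP
echo "dns query, no rule at all:     $(verdict_good udp 53 203.0.113.7)"       # DROP (policy)
echo "ping from 192.168.50.10:       $(verdict_good icmp - 192.168.50.10)"     # ACCEPT
echo "same ping, mis-ordered chain:  $(verdict_shadowed icmp - 192.168.50.10)" # DROP
```

The last two lines are the point: the same rules give opposite verdicts for the allowed host depending only on which of the two ICMP rules comes first. With iptables, -A appends to the end of the chain, so an ACCEPT added after a broader DROP is dead; use -I to insert it in front, or append the narrow rule first.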
/etc/sysconfig/iptables
(In the commands below, # is the root shell prompt.)
Edit /etc/sysconfig/iptables:
# vi /etc/sysconfig/iptables
Start the firewall:
# service iptables start
Restart the firewall:
# service iptables restart
Stop the firewall:
# service iptables stop
Install the iptables package if it is missing:
# yum install iptables
To see the current iptables rules:
# iptables -L
Save the running rules to /etc/sysconfig/iptables:
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:
Assume our server IP is 192.168.50.2
# For a mail (incoming and outgoing) and web server firewall
# (SMTP, POP3 and IMAP are TCP services; the UDP rules below are harmless but
# do not match real mail traffic)
iptables -A INPUT -s 0/0 -d 192.168.50.2/32 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -s 0/0 -d 192.168.50.2/32 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 0/0 -d 192.168.50.2/32 -p udp --dport 25 -j ACCEPT
iptables -A INPUT -s 0/0 -d 192.168.50.2/32 -p udp --dport 143 -j ACCEPT
iptables -A INPUT -s 0/0 -d 192.168.50.2/32 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -s 0/0 -d 192.168.50.2/32 -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -s 0/0 -d 192.168.50.2/32 -p udp --dport 110 -j ACCEPT
# For ssh and telnet permission: pick one of the three scopes below
# (a single admin host, the local subnet, or anywhere). Opening port 22
# to 0/0 makes the two narrower rules pointless.
iptables -A INPUT -s 192.168.50.5/32 -d 192.168.50.2/32 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.50.0/24 -d 192.168.50.2/32 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 0/0 -d 192.168.50.2/32 -p tcp --dport 22 -j ACCEPT
Enable printing access (CUPS, port 631) for 192.168.1.0/24. These two lines are
in the /etc/sysconfig/iptables file format, i.e. without the leading "iptables",
exactly as "service iptables save" writes them:
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
## Block access to port 80 ##
iptables -A INPUT -s 202.54.1.1 -p tcp --dport 80 -j DROP
iptables -A INPUT -s 202.54.1.2/29 -p tcp --dport 80 -j DROP
## block and drop access to port 443 (secure apache web-server)
iptables -A INPUT -s 202.54.1.1 -p tcp --dport 443 -j DROP
iptables -A INPUT -s 202.54.1.2/29 -p tcp --dport 443 -j DROP
## save newly added firewall rules ##
/sbin/service iptables save
## verify new firewall settings
/sbin/iptables -L -n -v
/sbin/iptables -L INPUT -n -v | grep 202.54.1.1
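The mail/web server rules above never set a chain policy, and with the kernel default of ACCEPT on INPUT an appended ACCEPT rule restricts nothing. As an added example (not code from the original post), the script below writes a complete rule set in the file format that "service iptables save" produces and iptables-restore reads: DROP policies first, the loopback and ESTABLISHED,RELATED rules ahead of the service rules, the post's services on 192.168.50.2, ssh limited to an admin network, and a rate-limited LOG before packets fall to the policy. ADMIN_NET, the log prefix and the multiport/limit/LOG matches are my choices for this illustration, not something the post specifies.

```sh
#!/bin/sh
# Added example, not from the original post: emit a complete rule set in the
# iptables-save / /etc/sysconfig/iptables format. SERVER_IP is the post's
# sample address; ADMIN_NET is an assumption (which hosts may reach ssh).
SERVER_IP="${SERVER_IP:-192.168.50.2}"
ADMIN_NET="${ADMIN_NET:-192.168.50.0/24}"

# Prints the rule set to stdout. Lines starting with # are ignored by
# iptables-restore, so the comments can stay in the saved file.
build_ruleset() {
    cat <<EOF
*filter
# Default policies: drop whatever no rule accepts. ACCEPT rules only restrict
# access when the policy is DROP; with the kernel default ACCEPT policy an
# appended ACCEPT rule changes nothing.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, then replies to connections already accepted or started by this
# host. This rule must precede the service rules; it is also what keeps the
# ssh session you are typing in alive once the policy is DROP.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Public services from the post: SMTP, HTTP, POP3, IMAP (all TCP).
-A INPUT -d $SERVER_IP/32 -p tcp -m state --state NEW -m multiport --dports 25,80,110,143 -j ACCEPT
# ssh only from the admin network; other sources fall through to the policy.
-A INPUT -s $ADMIN_NET -d $SERVER_IP/32 -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Answer pings; replies to our own pings are covered by ESTABLISHED above.
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Record what the policy is about to drop, rate limited so logs stay readable.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Line number (1-based) of the first output line matching a pattern; used to
# check ordering constraints before the file is installed.
rule_line() {
    build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Returns 0 when the structural checks pass: DROP policy on INPUT, the
# ESTABLISHED rule ahead of the first service rule, and COMMIT as the last line.
ruleset_ok() {
    build_ruleset | grep -q '^:INPUT DROP' || return 1
    [ "$(rule_line 'ESTABLISHED,RELATED')" -lt "$(rule_line 'multiport')" ] || return 1
    [ "$(build_ruleset | tail -n 1)" = "COMMIT" ] || return 1
}

# Typical use on the server, as root:
#   build_ruleset > /etc/sysconfig/iptables && service iptables restart
ruleset_ok && build_ruleset
```

Before installing, iptables-restore --test < file parses the rule set without committing it, and /sbin/iptables -L INPUT -n -v (from above) shows per-rule packet counters afterwards, so a rule whose counter never moves is a hint that an earlier rule is shadowing it.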
Allowing a range of ports
# Active FTP control and data ports
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
# Passive FTP ports, if the FTP server is configured to use them
# (specifying ports 50000 through 50050 in one rule)
iptables -A INPUT -p tcp --dport 50000:50050 -j ACCEPT
ICMP allow / deny
The Internet Control Message Protocol (ICMP) has many message types, identified
by a "type" field. For ping you need types 0 and 8: zero (0) is echo-reply and
eight (8) is echo-request.
Disable outgoing ICMP echo requests (the host can no longer ping out):
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
OR
iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP
Enable or allow incoming ICMP ping requests from clients:
SERVER_IP="192.168.50.2"
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s $SERVER_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow or enable outgoing ping requests:
SERVER_IP="192.168.50.2"
iptables -A OUTPUT -p icmp --icmp-type 8 -s $SERVER_IP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $SERVER_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
Or, to answer pings from one host only and drop everyone else's. The ACCEPT
must be appended before the DROP: rules are evaluated in order, and an ACCEPT
appended after a DROP that already matches the packet is never reached.
iptables -A INPUT -s 192.168.50.10 -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j DROP
# Translate local users (10.9.255.0/24) to the public address of eth1 (WAN)
iptables -t nat -A POSTROUTING -s 10.9.255.0/24 -o eth1 -j MASQUERADE
MASQUERADE alone does not make the box a router: IP forwarding must be enabled
(net.ipv4.ip_forward=1) and the FORWARD chain must accept the LAN traffic.