Any command or configuration file that is configured to block data from coming into your system or LAN is a firewall. Some of these commands and configuration files are covered in other chapters. The main Linux firewall tool is iptables. Various iptables commands can be connected in chains. Each of these commands can be used to block or allow data associated with specific protocols.
The two legacy alternatives to iptables are ipfwadm and ipchains. The ipfwadm command is associated with the Linux kernel 2.0.x and is now obsolete. The ipchains command is associated with the Linux kernel 2.2.x and is still supported in the current Linux 2.4.x kernel.
Many good firewalls are available based on ipchains. If you want to use one of them, you'll need to do the following:
1. Turn off the iptables service with the service iptables stop command.
2. Use the rmmod command to remove the ip_tables (and dependent) modules.
3. Install the ipchains-* RPM.
4. Use insmod to activate the ipchains.o module.
You can then start adding ipchains rules to /etc/sysconfig/ipchains, and activate them with the service ipchains start command. Make sure that ipchains and not iptables is activated the next time you boot Linux with the appropriate chkconfig commands.
The iptables command is based on regulating data traffic in three directions: in, out, and through. In other words, you can configure iptables to stop data from coming in from an outside network. You can configure iptables to stop data from leaving your computer. And you can configure iptables to regulate data that travels forward through your computer: that is, between a LAN and another network such as the Internet.
No magic iptables command is available that works for everyone. Most firewalls are based on a series of iptables commands that are connected as chains. Let's take a look at a fairly simple firewall, based on a high-security firewall created during the installation of Red Hat Linux. The entries shown in Figure 22.2 are from /etc/sysconfig/iptables, where Red Hat Linux saves firewall commands.
For the moment, just note that four different chains are shown in this file: INPUT, FORWARD, OUTPUT, and RH-Lokkit-0-50-INPUT. The first three chains are default chains that allow all traffic to flow through the firewall. All of the commands that follow the -A are appended to the end of the RH-Lokkit chain. In the following sections, we explain iptables commands and options in more detail.
Let's analyze the iptables command in detail. This is a rich command; entire books are available that explore the various associated options. While we describe the masquerading options later in this chapter, let's look at a few important options now. The iptables command has a very specific format:
iptables -t table option pattern -j target
The first option here is based on the -t table option. Two basic tables are available: filter and nat. The nat table supports the Network Address Translation associated with masquerading. The filter table allows you to block or allow specific types of network traffic. Because -t filter is the default, this option is usually not specified in a firewall configuration file.
Remember, there are three default chains: INPUT, OUTPUT, and FORWARD. Four main options are associated with iptables: you can list (-L), append (-A), or delete (-D) a specific rule, or flush (-F) all of the rules in a chain.
The iptables -L command lists all of the current rules on all chains. If your firewall is complex, you may want to list the rules on a specific chain. For example, the iptables -L INPUT command lists all firewall rules related to data coming into your computer. A sample list of current firewall rules is shown in Figure 22.3.
To add a new rule, you'll generally append it to the end of one of the chains. For example, the following command appends a limit of a packet every second to the ping command to data that is forwarded through your computer, thus preventing the so-called ping of death:
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
To delete an existing rule, first identify the chain and the location of the rule within the chain. For example, if you want to delete the rule related to rns3.earthlink.net in Figure 22.3, note that it's the third rule in the RH-Lokkit-0-50-INPUT chain. The appropriate command is
# iptables -D RH-Lokkit-0-50-INPUT 3
If you're a bit frustrated, you can start over. For example, if you had a series of rules in the FORWARD chain that you wanted to delete, run the following command:
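Counting rule positions by eye on a long chain is error-prone, and an off-by-one here deletes the wrong rule. The following script, added here as an example and not taken from the book, reads iptables -L output and computes the rule number for a named chain, so the number handed to iptables -D is derived from the listing instead of counted by hand. The listing embedded in it is a constructed sample modelled on Figure 22.3 (with an INPUT chain in front to show that chains are kept apart), and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the book): derive the rule number that
# `iptables -D CHAIN N` needs from an `iptables -L` listing.
# The listing below is a constructed sample modelled on Figure 22.3.

SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain RH-Lokkit-0-50-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  rns1.earthlink.net   anywhere           udp spt:domain
ACCEPT     udp  --  rns3.earthlink.net   anywhere           udp spt:domain
REJECT     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp reject-with icmp-port-unreachable'

# rule_number CHAIN PATTERN
# Reads an `iptables -L` listing on stdin and prints the 1-based position,
# within CHAIN, of the first rule whose line contains PATTERN. Prints nothing
# and returns 1 when no rule matches. The "Chain ..." and "target ..." header
# lines are not counted, which is what makes the number usable with -D.
rule_number() {
    chain="$1"; pattern="$2"
    awk -v chain="$chain" -v pat="$pattern" '
        /^Chain /  { in_chain = ($2 == chain); n = 0; next }
        /^target / { next }
        in_chain && NF > 0 {
            n++
            if (index($0, pat) > 0) { print n; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# delete_command CHAIN PATTERN
# Prints the `iptables -D` command that would remove the matching rule, so it
# can be reviewed before it is run; nothing here touches the live firewall.
delete_command() {
    n=$(rule_number "$1" "$2") || return 1
    printf 'iptables -D %s %s\n' "$1" "$n"
}

# Usage with the constructed listing (on a live system, pipe `iptables -L` in instead):
printf '%s\n' "$SAMPLE_LISTING" | delete_command RH-Lokkit-0-50-INPUT rns3.earthlink.net
```

Because the position is recomputed from the current listing, the script also stays correct after rules have been inserted ahead of the one you want to remove, which is exactly when a remembered number goes stale.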
# iptables -F FORWARD
This command can be a bit dangerous; if you ran the iptables -F command without specifying a chain, you would delete every rule in every chain. Basic iptables options are shown in Table 22.2.
Option | Function |
---|---|
-A chain rule | Appends a rule to the end of a chain |
-D chain number | Deletes the rule number from the specified chain |
-F chain | Flushes, or deletes, all rules from the specified chain |
-I chain number rule | Inserts a rule as the specified rule number in the noted chain |
-L chain | Lists the current rules in the specified chain |
-N chain | Starts a new nonstandard chain |
-X chain | Deletes a user-defined chain |
Tip: If you accidentally flush your iptables chains, the original chains should still be available in /etc/sysconfig/iptables. You can make Linux reread these rules with the service iptables reload command.
Now it's time to examine the next step in the iptables command. Previously, you've identified the action to take on a chain. Next, you need to specify a pattern to match in the chain. Patterns can match the IP address of the message sender or source, the TCP/IP port, and/or the protocol.
Take the previous command that prevents the ping of death. For some reason, say you want to regulate the ping command solely from IP address 199.88.77.66. You could do so with the following command:
# iptables -A FORWARD -s 199.88.77.66 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
Note the use of the -s option, which prepares the way for the source IP address. You could reverse the effect and regulate the ping command from every other address, by using an exclamation point:
# iptables -A FORWARD -s !199.88.77.66 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
The exclamation point ( ! ) tells iptables to treat whatever follows as an exception. In other words, this command is applied to every computer on the Internet unless it has the noted IP address.
It helps to specify a range of IP addresses such as a LAN. The following commands combine a network IP address with a subnet mask in regular and CIDR notation. (See Chapter 21 for a description of CIDR, which is short for Classless Inter-Domain Routing.)
# iptables -A FORWARD -s 199.88.77.0/255.255.255.0 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# iptables -A FORWARD -s 199.88.77.0/24 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
Some of the other switches associated with iptables are shown in Table 22.3.
Switch | Function |
---|---|
--dport port | Specifies the destination TCP/IP port number. |
--icmp-type message | Allows you to specify the type of ICMP message; echo-request corresponds to the messages sent by a ping command. |
-j action | Notes an action to be taken if the requirements of the command are satisfied; normally ACCEPT , DROP , REJECT , or LOG . |
--limit time | Sets an allowable rate for a specific message; can be in seconds, minutes, hours, or days; e.g., 2/s = 2 per second. |
-m condition | Looks at the data for a match; may be a protocol, such as tcp or udp , or a condition, such as a limit. |
-p protocol | Checks the data for a specific protocol, such as tcp or udp . |
-s ip_address | Specifies a source IP address. |
--sport port | Sets a source TCP/IP port. |
--tcp-flags fl1, | Looks for flags in a TCP packet. SYN (synchronize) packets are sent from a client and expect a reply. ACK (acknowledgment) packets acknowledge SYN requests. A FIN (finish) packet is the final one in a communication. RST (reset) packets tell a client that a request has been rejected. Example: --tcp-flags SYN,RST,ACK SYN examines the SYN, RST, and ACK flags and matches only packets in which SYN is set and RST and ACK are clear. |
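The --tcp-flags entry above, and the web server rule later in this chapter that uses --tcp-flags SYN,RST,ACK SYN, both rest on the same two-part test: the first list is the set of flags iptables examines, the second is the subset of those that must be set, and every examined flag outside the second list must be clear. The following sh model is an added example, not code from the book; it reproduces that decision so a rule can be checked against constructed packet flag sets without a live firewall. The function names are the example's own, and it models only named flags, not the ALL and NONE keywords.

```shell
#!/bin/sh
# Added example (not from the book): a model of how the --tcp-flags match
# decides, so "--tcp-flags SYN,RST,ACK SYN" can be checked against sample
# packets. Of the flags in the first list (the mask), exactly those in the
# second list (the comparison set) must be set; flags outside the mask are
# ignored.

# has_flag FLAG LIST -- true if FLAG appears in the comma-separated LIST
has_flag() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# tcp_flags_match MASK COMP PACKET_FLAGS
# MASK and COMP are the two arguments of --tcp-flags; PACKET_FLAGS is the
# comma-separated set of flags on the packet being inspected. Returns 0 when
# the rule would match, 1 when it would not.
tcp_flags_match() {
    mask="$1"; comp="$2"; pkt="$3"
    rest="$mask,"
    while [ -n "$rest" ]; do
        flag="${rest%%,*}"       # next flag named in the mask
        rest="${rest#*,}"
        [ -z "$flag" ] && continue
        if has_flag "$flag" "$comp"; then
            # examined and in the comparison set: the packet must have it set
            has_flag "$flag" "$pkt" || return 1
        else
            # examined but not in the comparison set: the packet must have it clear
            has_flag "$flag" "$pkt" && return 1
        fi
    done
    return 0
}

# describe MASK COMP PACKET_FLAGS -- prints "match" or "no match"
describe() {
    if tcp_flags_match "$1" "$2" "$3"; then echo match; else echo "no match"; fi
}

# Usage: the web server rule against three constructed packets.
describe SYN,RST,ACK SYN SYN          # a client's opening packet: match
describe SYN,RST,ACK SYN SYN,ACK      # the server's half of the handshake: no match
describe SYN,RST,ACK SYN SYN,FIN      # FIN is outside the mask and is ignored: match
```

The second case is the one the chapter's web server rule depends on: a SYN,ACK reply carries the SYN flag too, so a rule that only required SYN would also accept packets from other machines acting as servers; listing ACK in the mask is what excludes them.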
The iptables command looks at every data packet that comes in, goes out, or forwards through your computer. You can tell the command to look for a specific protocol. The most common protocol patterns are based on TCP, UDP, and ICMP. The key is the -p option, which specifies the protocol. For example, the earlier command that prevents the ping of death uses the -p icmp option, since ping is associated with ICMP. (For more information on ICMP, see Chapter 20.)
As noted in Chapter 20, over 65,000 TCP/IP ports are available. Many of these ports are dedicated to standard services. For example, the following command stops any attempt to connect from the 199.88.77.0/24 network with TCP packets to port 21, which is associated with FTP:
# iptables -A FORWARD -s 199.88.77.0/24 -p tcp --dport 21 -j REJECT
Say you've created an iptables command that looks for some pattern in the data that goes into, out of, or through your computer. If it finds a match, you need to tell iptables what to do with that packet of data.
When iptables finds a match, the -j option tells the chain to jump to one of four conclusions: ACCEPT, DROP, REJECT, or LOG. These actions are explained in Table 22.4.
Action | Explanation |
---|---|
-j ACCEPT | Allows packets that match the specified characteristics into, out of, or through your computer. |
-j DROP | Silently discards packets that match the specified characteristics, whether they are entering, leaving, or passing through your computer. |
-j REJECT | Discards packets that match the specified characteristics, whether they are entering, leaving, or passing through your computer, and sends an error message back to the computer that sent them. |
-j LOG | Logs a record of matching packets in /var/log/messages . |
Now that we've broken down the iptables command, you can create the firewall rules that you need. While tools such as redhat-config-firewall as described in Chapter 19 can help, GUI tools do not give you the degree of control that you may need. You need to know at least how to add and delete rules from a firewall chain.
As an experiment, let's start with a computer without a firewall. This assumes that you have a LAN of two or more computers. If you have firewall rules in /etc/sysconfig/iptables that you want to save, back them up. Append the rule discussed earlier on the ping of death. Revise it so it drops any ping requests from within your LAN.
The following steps assume a LAN with an address of 192.168.0.0/24; if your LAN has a different address and network mask, substitute accordingly.
1. Back up any current firewall. Copy /etc/sysconfig/iptables to a file in your home directory.
2. Flush any rules in your current firewall with the iptables -F command.
3. Append the ping of death rule as shown. This stops any pings to your computer (INPUT) from the cited network:
   # iptables -A INPUT -s 192.168.0.0/24 -p icmp --icmp-type echo-request -j DROP
4. Try the ping 127.0.0.1 command on the local computer. It should still work.
5. Go to another computer on your LAN. Try to ping the IP address of the first computer. You should see one ping message before everything stops.
6. If necessary, restore the original /etc/sysconfig/iptables file.
If you're in a mood for experiments, try these steps again, this time with a -j REJECT option at the end of the iptables command. Note the difference when you run the ping command from the other computer on your LAN.
Return to the high-security firewall described earlier, depicted in Figure 22.3. If you install a web server on your computer in the future, you'll want to revise your firewall a bit. The current firewall includes rules as follows:
Chain RH-Lokkit-0-50-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  rns1.earthlink.net   anywhere           udp spt:domain
ACCEPT     udp  --  rns3.earthlink.net   anywhere           udp spt:domain
REJECT     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp reject-with icmp-port-unreachable
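The experiment above as a script, added here as an example rather than taken from the book. It keeps the order the text insists on (back up before flushing), takes the DROP-or-REJECT choice as a parameter so the second run is the same call with a different action, and routes every firewall change through the IPTABLES and SERVICE variables, so setting both to echo gives a dry run that only prints the commands it would execute. The variable names, function names and backup file naming are the example's own assumptions; the configuration path is the Red Hat location the chapter describes.

```shell
#!/bin/sh
# Added example (not from the book): the LAN ping experiment as a script.
# IPTABLES and SERVICE default to the real binaries; IPTABLES=echo SERVICE=echo
# turns the run into a dry run that prints the commands instead of running them.
# CONFIG is Red Hat's saved-rules file as described in the chapter; BACKUP_DIR
# is where the copy is kept (both are this example's assumptions).

IPTABLES="${IPTABLES:-iptables}"
SERVICE="${SERVICE:-service}"
CONFIG="${CONFIG:-/etc/sysconfig/iptables}"
BACKUP_DIR="${BACKUP_DIR:-$HOME}"

# backup_config -- step 1: copy the saved rules aside and print the copy's path.
# Returns 1 when there is no saved configuration to back up.
backup_config() {
    [ -f "$CONFIG" ] || return 1
    dest="$BACKUP_DIR/iptables.bak.$(date +%Y%m%d%H%M%S)"
    cp "$CONFIG" "$dest" && printf '%s\n' "$dest"
}

# block_lan_ping LAN ACTION -- steps 2 and 3: flush, then append the rule.
# LAN is a network in CIDR notation; ACTION is DROP (the sender hears nothing)
# or REJECT (the sender gets an ICMP error back), the difference the text asks
# you to observe from the other machine.
block_lan_ping() {
    lan="$1"; action="${2:-DROP}"
    case "$action" in
        DROP|REJECT) ;;
        *) echo "action must be DROP or REJECT, not '$action'" >&2; return 2 ;;
    esac
    "$IPTABLES" -F &&
    "$IPTABLES" -A INPUT -s "$lan" -p icmp --icmp-type echo-request -j "$action"
}

# restore_config BACKUP -- step 6: put the saved rules back and reload them,
# using the service command the chapter names for rereading the file.
restore_config() {
    cp "$1" "$CONFIG" && "$SERVICE" iptables reload
}

# run_experiment LAN ACTION -- backup first, then change the live rules.
# A missing saved configuration is reported but is not an error: the text
# starts from a machine without a firewall.
run_experiment() {
    if backup=$(backup_config); then
        echo "saved rules backed up to $backup"
    else
        echo "no $CONFIG to back up"
    fi
    block_lan_ping "$1" "$2"
}

# Usage (dry run): IPTABLES=echo SERVICE=echo ./thisscript
# run_experiment 192.168.0.0/24 DROP
# run_experiment 192.168.0.0/24 REJECT
```

Wrapping the binary in a variable is worth the habit on any host you administer remotely: a flush that goes wrong on a machine reached over the network can cut off the session you would use to fix it, and a dry run shows the exact command sequence before it is applied.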
You need to insert an iptables rule that accepts data through TCP/IP port 80. Based on the conditions described earlier:
- We're inserting a rule in the chain named RH-Lokkit-0-50-INPUT. Make it the second rule in the chain (-I RH-Lokkit-0-50-INPUT 2).
- Since connections to a website need a reply, they require TCP packets (-p tcp).
- We know from /etc/services that connections to a website work through port 80 (-m tcp --dport 80).
- Requests to websites come from clients and should have SYN flags. They should also be checked for RST and ACK flags to make sure they're not coming from other computers acting as servers (--tcp-flags SYN,RST,ACK SYN).
- Finally, packets that meet all of these conditions should be accepted (-j ACCEPT).
Putting this all together, we end up with the following command:
# iptables -I RH-Lokkit-0-50-INPUT 2 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
Once you add the command, you can see the following result in the iptables chain:
Chain RH-Lokkit-0-50-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http flags:SYN,RST,ACK/SYN
ACCEPT     udp  --  rns1.earthlink.net   anywhere           udp spt:domain
ACCEPT     udp  --  rns3.earthlink.net   anywhere           udp spt:domain
REJECT     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp reject-with icmp-port-unreachable
If this is what you want to do, remember to save your configuration changes.
You can save configuration changes to /etc/sysconfig/iptables with the service iptables save command.
While iptables is the default firewall for Red Hat Linux 9, it is always a good idea to check the service status of your firewall. You can do so with the chkconfig command. For example, the following command shows the runlevels in which Linux starts the iptables service:
# chkconfig --list iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
If you see that the iptables service is not activated, or not at the right runlevels, you can activate it. For example, the following command activates iptables the next time you start in runlevel 2, 3, or 5:
# chkconfig --level 235 iptables on
Note: Remember, Red Hat Linux does not normally use runlevel 4. For details, see Chapter 11.