Sunday 12 June 2011

Configure firewall settings using system-config-firewall or iptables

Since advanced iptables settings (routing, NATing) are covered in the RHCE exam, I assume that this objective relates to allowing services through the firewall.
If you have been following this blog, and who hasn't?, then you'll already be somewhat familiar with the iptables command. I'll expand a little on some of the commands here, but first let's have a look at system-config-firewall.
This is the main screen:
Once you have allowed the services you want through the firewall, click Apply.
Note that this will essentially overwrite the current iptables configuration. If you are only using system-config-firewall then this is of no concern to you, so go ahead and press yes.

As with most GUI tools, it is fairly simple to use and there is not much to be said here, so let's turn our attention to iptables.

The iptables command is very powerful and can do a lot of things and thus it can be fairly complex, but my reading of this objective is that only the basics are needed, so let's get started:
iptables -F
This flushes all rules from your iptables configuration, which (as long as the chain policies are still the default ACCEPT) lets any traffic through. You can check that the chains are empty with this command:
iptables -nvL
Now, let's block all traffic:
iptables -I INPUT -j DROP
Needless to say, you should not run this command over a remote connection, as it will cut off that connection. You can use REJECT instead of DROP: the former sends a reply to the client and the latter silently discards the packet. Check the iptables manual for a longer and better explanation.

Let's allow ssh connections:
iptables -I INPUT -p tcp --dport ssh -j ACCEPT
Note that with -I iptables inserts the rule at the top of the chain; if you want to add it to the bottom of the chain, use -A instead.

Note that the above only allows ssh traffic for connections established to this server, not for connections from this server to another server. The reason for this is best explained with the output of the netstat -ant command:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 10.168.20.221:22            10.168.20.227:34492         ESTABLISHED
tcp        0      0 10.168.20.221:44334         10.168.20.225:22            ESTABLISHED
You can see that the local server (10.168.20.221) is listening on port 22 for any address, and that a connection has been established to the local server on port 22 from 10.168.20.227, port 34492. The line below shows the opposite: a connection has been established from port 44334 on the local server to 10.168.20.225 on port 22. This is essentially how network sockets work: the service listens on a pre-established port, 22 in this case, and the actual connection takes place on one of the ephemeral ports. Remember that each connection needs its own socket, so if your connection used port 22 on both ends, nobody else would be able to connect to that socket and the server could take no more connections, not very useful, right? So what can you do? Just add a rule like this:
iptables -I INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
Note that for a connection to be ESTABLISHED it needs to be initiated from the client side, so this rule should not present any risk as long as your server has not been compromised.
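To make the netstat reasoning above concrete, here is an added example (my own script, not part of the original post) that reads netstat -ant output and labels every tcp socket as listening, inbound (a remote client talking to a port this host listens on) or outbound (one of this host's ephemeral ports talking to a remote service port). The sample output is constructed from the lines quoted above; on a live host you would pipe the real netstat -ant into classify_sockets instead.

```shell
#!/bin/sh
# Added example, not from the post: classify `netstat -ant` output by
# connection direction. The sample below is constructed from the post's output.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 10.168.20.221:22            10.168.20.227:34492         ESTABLISHED
tcp        0      0 10.168.20.221:44334         10.168.20.225:22            ESTABLISHED'

# classify_sockets: reads netstat -ant output on stdin and prints one line per
# tcp socket: "listen <local>", "inbound <local> <- <foreign>" or
# "outbound <local> -> <foreign>". Listening ports are collected first and the
# ESTABLISHED sockets are classified at the end, so the order of the netstat
# lines does not matter: an established socket whose local port is one we
# LISTEN on was opened by a remote client, anything else was opened by us.
classify_sockets() {
    awk '
        # the port is the text after the last ":", which also copes with IPv6
        function port(addr,   parts, n) { n = split(addr, parts, ":"); return parts[n] }
        $1 == "tcp" && $6 == "LISTEN"      { listen[port($4)] = 1; print "listen " $4 }
        $1 == "tcp" && $6 == "ESTABLISHED" { est[++c] = $4 " " $5 }
        END {
            for (i = 1; i <= c; i++) {
                split(est[i], f, " ")
                p = port(f[1])
                if (p in listen) print "inbound " f[1] " <- " f[2]
                else             print "outbound " f[1] " -> " f[2]
            }
        }'
}

# count_direction <listen|inbound|outbound>: how many sockets of that kind the
# sample contains
count_direction() {
    printf '%s\n' "$SAMPLE_NETSTAT" | classify_sockets | grep -c "^$1 "
}

printf '%s\n' "$SAMPLE_NETSTAT" | classify_sockets
```

The outbound line is exactly the traffic the --dport ssh rule does not cover: its replies come back to the ephemeral port 44334, which is why the RELATED,ESTABLISHED rule is needed.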

A better rule would use the source port and input interface flags, --sport and -i respectively, so that only SSH connections are allowed, like this:
iptables -I INPUT -i eth0 -p tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
Remember that you need to save the rules, as otherwise they will be lost after a reboot. Here is a way of saving them not discussed before:
service iptables save
I have already provided examples of rules for web and FTP servers in previous posts. A couple more commands to finish; the first one is how to delete a rule:
iptables -D chainname rulenumber
and the second one is how to zero the packet and byte counters, which can sometimes help with troubleshooting:
iptables -Z chainname
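Because the post builds the INPUT chain with -I, the final order of the rules is the reverse of the order the commands were typed in, and the DROP rule entered first ends up at the bottom where it belongs. The following added example (my own script, not the post's or Red Hat's code) simulates that ordering without touching the live firewall: it replays the post's sequence (DROP, then the ssh ACCEPT, then the "better" RELATED,ESTABLISHED rule), shows the resulting chain as iptables -nvL would number it, deletes a rule by number, and prints the ruleset in the iptables-restore format that service iptables save writes to /etc/sysconfig/iptables. The chain is kept in a temporary file; the file name and helper function names are my own.

```shell
#!/bin/sh
# Added example, not from the post: simulate -I (insert at top) versus -A
# (append at bottom) on the INPUT chain and emit the saved-ruleset format.

CHAIN_FILE="${TMPDIR:-/tmp}/input-chain.$$"   # one rule spec per line, top to bottom
trap 'rm -f "$CHAIN_FILE" "$CHAIN_FILE.new"' EXIT

chain_flush() { : > "$CHAIN_FILE"; }           # like `iptables -F INPUT`

# chain_rule -I|-A <rule spec...>: -I puts the rule at position 1 (what
# `iptables -I INPUT` does by default), -A appends it after every existing rule
chain_rule() {
    mode=$1; shift
    case $mode in
        -I) { printf '%s\n' "$*"; cat "$CHAIN_FILE"; } > "$CHAIN_FILE.new" ;;
        -A) { cat "$CHAIN_FILE"; printf '%s\n' "$*"; } > "$CHAIN_FILE.new" ;;
        *)  echo "chain_rule: expected -I or -A" >&2; return 1 ;;
    esac
    mv "$CHAIN_FILE.new" "$CHAIN_FILE"
}

# chain_list: numbered view, like `iptables -nvL INPUT --line-numbers` without counters
chain_list() { awk '{ print NR, $0 }' "$CHAIN_FILE"; }

# chain_delete N: like `iptables -D INPUT N`
chain_delete() {
    sed "${1}d" "$CHAIN_FILE" > "$CHAIN_FILE.new" && mv "$CHAIN_FILE.new" "$CHAIN_FILE"
}

# rule_position <pattern>: 1-based position of the first rule matching pattern, 0 if none
rule_position() {
    n=$(grep -n -- "$1" "$CHAIN_FILE" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# chain_save: the chain in iptables-restore syntax, the form in which
# `service iptables save` stores it in /etc/sysconfig/iptables
chain_save() {
    printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    sed 's/^/-A INPUT /' "$CHAIN_FILE"
    printf 'COMMIT\n'
}

# build_post_ruleset: replay the post's commands in the order they were typed
build_post_ruleset() {
    chain_flush
    chain_rule -I -j DROP
    chain_rule -I -p tcp --dport 22 -j ACCEPT
    chain_rule -I -i eth0 -p tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
}

build_post_ruleset
echo "chain after the post's three -I commands (note DROP is last):"
chain_list
echo
echo "saved form:"
chain_save
```

On a real host the saved form is what iptables-restore reads back at boot, so reviewing it is a quick way to confirm the state rule precedes the DROP before you reboot or leave the console.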
