Sunday, 12 June 2011

Configure firewall settings using system-config-firewall or iptables

Since advanced iptables settings (routing, NATing) are covered in the RHCE exam, I assume that this objective relates to allowing services through the firewall.
If you have been following this blog, and who hasn't?, then you'll already be somewhat familiar with the iptables command, but I'll expand here a little bit on some of the commands, however first let's have a look at system-config-firewall.
This is the main screen:
Once you have allowed the services you want through the firewall, click Apply.
Note that this will essentially overwrite the current iptables configuration. If you are only using system-config-firewall then this is of no concern to you, so go ahead and press yes.

As with most GUI tools, it is fairly simple to use and there is not much to be said here, so let's turn our attention to iptables.

The iptables command is very powerful and can do a lot of things and thus it can be fairly complex, but my reading of this objective is that only the basics are needed, so let's get started:
iptables -F
this will clear your iptables configuration, which will allow any traffic through, you can check that the firewall rules are empty with this command:
iptables -nvL
Now, let's block all traffic:
iptables -I INPUT -j DROP
Needeless to say that you should not perform this command remotely, as it will block your remote connection. You can use REJECT instead of DROP, where the former replies to client and the latter doesn't, check the iptables manual for longer and better explanation.

Let's allow ssh connections:
iptables -I INPUT -p tcp --dport ssh  -j ACCEPT
Note, that if you use -I iptables will insert the line to the top of the chain, if you want to add it to the bottom of the chain you can use -A instead.

Note that the above will only allow ssh traffic for connections that have been established to this server and not from this server to another server. The reason for this is best explained with the ouput of the netstat -ant command:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0                    *                       LISTEN
tcp        0      0           ESTABLISHED
tcp         0 0            ESTABLISHED
You can see that the local server ( is listening to any address on port 22 and you can also see that a connection has been established to the local server on port 22 from on port 34492. The line below shows the opposite, a connection has been established from port 44334 on the local server to on port 22. This is essentially how network sockets work, the service listens on a pre-established port, 22 in this case, and the actual connection takes place in one of the ephemeral ports, remember that each connection needs a socket, so that if you connected to port 22, then nobody else would be able to connect to that socket and thus no more connections to the server, not very useful, right? So what can you do, just add a rule like this:
iptables -I INPUT -p tcp -m state --state  RELATED,ESTABLISHED -j ACCEPT
Note that in order for a connection to be established in needs to be initiated from the client and thus should not present any risks if your server has not been compromised.

A better rule would use the source port and input interfaces flag --sport and -i respectively, so that only SSH connections are allowed, like this:
iptables -I INPUT -i eth0 -p tcp --sport 22 -m state --state  RELATED,ESTABLISHED -j ACCEPT
Remember that you need to save the rules as otherwise they will be lost after a reboot, a new way of saving them not discussed before:
service iptables save 
I have already provided examples of rules for web and ftp servers in previous posts. A couple more commands to finish, the first one is how to delete rules.
iptables -D chainname rulenumber
and the second one is how to zero the counters, this can be helpful with troubleshooting sometimes:
iptables -Z chainname

No comments:

Post a Comment