Configuring Iptables and Firewall in Linux

by Jay

Terminal

1. What are Iptables or firewalls?

IP tables is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it doesn’t find one, it resorts to the default action. IP tables almost always comes pre-installed on any Linux distribution.

We can update/Reinstall the IP tables package by # yum install iptables* -y command.

2. What are the types of firewalls?

There are four types of firewalls.

(i) Packet firewalls:

● It works at Physical, Data Link and Network Layers.

● It works fast and efficiently.

● It treats each packet in isolation.

(ii) Stateful firewalls:

● It identifies a packets connection state.

● It maintains packets history in the state tables.

(iii) Application layer firewalls:

● It inspects and filter packets on OSI layer upto Application Layer.

● It identifies if protocols are being misused.

(iv) Proxies’ firewalls:

● It acts as an intermediary.

● It operates at Application Layer.

● It won’t allow direct connections..

3. What are the tables maintained by IP tables?

Normally IP tables maintain 3 tables.

(i) INPUT table:

This chain handles all packets that are addressed to your server and also to control the behavior for incoming connections. For example, if a user attempts to SSH into your PC/server, iptables will attempt to match the IP address and port to a rule in the input chain.

(ii) OUTPUT table:

This chain contains rules for traffic created by your server. This chain is used for outgoing connections. For example, if you try to ping google.com, iptables will check its output chain to see what the rules are regarding ping and google.com before making a decision to allow or deny the connection attempt.

(iii) FORWARD table:

This chain is used for incoming connections that aren’t actually being delivered locally. Think of a router – data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target. Unless you’re doing some kind of routing, NATing, or something else on your system that requires forwarding, you won’t even use this chain. This chain is used to deal with traffic destined for other servers

that are not created on your server. This chain is basically a way to configure your server to route requests to other machines.

4. What are the meanings of REJECT, DROP and ACCEPT?

REJECT:

REJECT means server receives the FTP request from the specified IP address and rejects that request and also send the acknowledgement.

DROP:

DROP means server receives the FTP requests from the specified IP address and drop the request without sending any acknowledgement.

ACCEPT:

ACCEPT means server receives the FTP requests from the specified IP address and allow that system forFTP services.

5. What is the configuration file of IP tables and what are the options available in IP tables command?

/etc/sysconfig/iptables is the configuration file of IP tables.

# iptables <options><chain> firewall-rule

(to execute the IP tables) The options are as follows.

-A —–> Add or append the rule.

-p —–> Indicates the protocol for that rule (tcp, udp, icmp, ….etc.;).

-s —–> Indicates the source of the packet (IP address, Network ID or Hostname).

-d —–>Indicates the destination of the packet.

-j —–> ‘Jump to target’ indicates the interface through which the incoming packets are coming through the INPUT , FORWARD and PREROOTING chain.

-o —–> ‘Output Interface’ indicates the interface through which the outgoing packets are sent through the INPUT, FORWARD and PREROOTING chain.

-sport or -source-port —–> Source port for -p tcp or -p udp.

-dport or -destination-port —–> Destination port for -p tcp or -p udp.

6. How to allow a ping from outside to inside and inside to outside?

# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

7. In how many ways can we protect the network?

There are 4 ways to protect the network.

(i) SELinux

(ii) IP tables

(iii) Firewalld

(iv) TCP wrappersIP tables and firewalld both are used to protect our systems services from outside. But we can use only

8. How to configure the firewalld?

(i) Install the firewalld package by

# yum install firewalld* -y

.

(ii) Check whether the firewalld package is installed or not by

# rpm -qa firewalld

(iii)Check the status of the firewalld by executing the below commands.

# systemctl status firewalld
     or 
# firewall-cmd --status

Examples of IP tables commands:

To check the IP tables status

# service iptables status

To start the IP tables

# service iptables start 

To stop the IP tables

# service iptables stop

To restart the IP tables

# service iptables restart 

To save the iptables rules permanently

# service iptables save

To enable the iptables at next boot

# chkconfig iptables on 

To disable the iptables at next boot

# chkconfig iptables off

To add the rules to the existing iptables to allow ssh

# iptables -A INPUT -I eth0 -p tcp --deport 22 -j ACCEPT

where -A —> Add or append a rule to the INPUT chain for incoming traffic.

-i eth0 —> Incoming packets through the interface eth0 will be verified against this added new rule.

-p tcp -deport 22 —> protocol is tcp and the destination port is 22.

-j ACCEPT —> Accept the packet.

To allow http traffic

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --deport 80 -j ACCEPT 

To allow https traffic

# iptables -A INPUT -s 9.9.9.9 -p tcp -m state --state NEW -m tcp --deport 443 -j ACCEPT

To allow ssh input and output on port number 22 through a device eth0

# iptables -A INPUT -i eth0 -p tcp --deport 22 -m state --state NEW, ESTABLISHED -j ACCEPT

And

# iptables -A INPUT -o eht0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

To allow SNMP traffic through port number 161

# iptables -A IN PUT -p udp -m state --state NEW -m udp --deport 161 -j ACCEPT 

To block the input traffic

# iptables -P INPUT DROP

To block the forward traffic

# iptables -P FORWARD DROP

To block the output traffic (where P is capital letter)

# iptables -p OUTPUT DROP

To block the 9.9.9.9 input traffic

# iptables -A INPUT -s 9.9.9.9 -j DROP

To see the list of the IP tables

# iptables -L

To flush the iptable rules nothing but deleting all the rules

# iptables -F

* Don’t run this command on production servers or real time environment.

To save all the existing iptables rules as backup copy in /root/iptables file)

# iptables -save > /root/iptables

To restore the IP tables from the backup file

# iptables -restore < /root/iptables

To REJECT or DROP or ACCEPT the FTP requests from the specified IP address system

# iptables -I INPUT -s <IP address> -p tcp --deport 21 -j <REJECT> or <DROP> or <ACCEPT>

To REJECT, DROP or ACCEPT the FTP requests from all the systems in that network

# iptables -I INPUT -s <IP address>/<net mask as 8/16/24> -p tcp --deport 21 -j <REJECT> or <DROP> or <ACCEPT>

To REJECT, DROP or ACCEPT all the requests from the specified system all the systems in that network

# iptables -I INPUT -s <IP address>/<net mask as 8/16/24> -p tcp -j <REJECT> or <DROP> or <ACCEPT>

To repeat a free command for every 5 seconds

# watch -d -n 5 free

* Default is for every 2 seconds. -d option highlights the change. Press Ctrl+c to quit from the above command.

To ping the IP address with audiable ping ie., it makes noises

# ping -a 192.168.10.1

To over write the trail.txt file five times default is 3 times

# shred -n 5 trail.txt

To remove a file after over writing

# shred -u 5 trail.txt

* This shed tool may not work in journaling or RAID file systems.

To know what type file is that

# file <file name>

To check the connection between the source and the destinations

# mtr <IP address>

* The above command gives the report continuously until the user press Ctrl+c.

Improvedtop command and it allows to scroll vertically or horizontally)

# htop

To capture the output of any command and stores it in a file along with the starting and ending time of the command

# logsave filelist.txt ls -l

To display all the lines in a file that start with a particular string and performance of this command is more than grep

# look "printf" avltree.c

To display the status of a file or file system like absolute path of the files, the no of blocks used by the file, the I/O block size, inode access specifier, access time, time of modification, ….etc

# stat <file name>

It is a powerful text based file manager and it is a directory browsing tool and allows to see thecontents of the archived files, …etc.;

# mc

* In RHEL – 6 we have to write the rules and regulations to allow or deny the system but, in RHEL – 7 we have enable or disable the firewalld options only.

To manage the firewalld services using graphical user mode

# firewall-config

To display all available zones

# firewall-cmd --get-zones 

to check the default zone, the default zone is public zone

# firewall-cmd --get-default-zone

To activate the work zone, nothing but changing default zone temporarily

# firewall-cmd --set-default-zone=work

To set the default zone as work permanently

# firewall-cmd –permanent –set-default-zone=work

To display which zone is an active with IP address and interface eth0

# firewall-cmd --get-activate-zones

To add the source to the public zone temporarily

# firewall-cmd --add-service=172.25.0.0/24 --zone=public

To see the default zone which is activated

# firewall-cmd --get-activate-zone

To add the IP address to public zone permanently

# firewall-cmd --permanent -add-source=172.25.0.0/24 --zone=public 

To remove the iP address from public zone temporarily

# firewall-cmd --remove -souce =172.25.0.0/24 --zone=public

To remove the iP address from public zone permanently

# firewall-cmd --permanent --remove-source=172.25.0.0/24 --zone=public

To change the interface or add interface to the public zone temporarily

# firewall-cmd --add-interface=eth1 --zone=public

To change the interface or add interface to the public zone permanently

# firewall-cmd --permanent --add-interface=eth1 --zone=public

To see the activated zones

# firewall-cmd --get-active-zones

* All rules what we have written are temporary. If the system is rebooted then all changed values are revertback to it’s previous state

* To make the changed values permanent then, add --permanent to all the commands set of firewalld.

To apply the changed rules immediately

# firewall-cmd --reload

To add the sshd service to firewall permanently

# firewall-cmd --permanent --add-service=sshd

To list all the firewall added services

# firewall-cmd --list-services

To list all the all the firewall added services with detailed information

# firewall-cmd --list-all

To remove sshd service from firewall permanently

# firewall-cmd --permanent --remove-service=sshd 

To add the port number 22 with tcp protocol to firewall permanently

# firewall-cmd --permanent --add-port=22/tcp 

To remove the port number 22 permanently

# firewall-cmd --permanent --remove-port=22/tcp

First it unload all the firewall settings and again reload the firewall settings completely

# firewall-cmd --complete-reload

TCP WRAPPERS:

* Firewalld will protect all the services.

* TCP WRAPPER will also protect the services, but it can support for only limited services. And it can protect the services which are having the libwrap.so module is loaded for that service.

* So, TCPWRAPPER does not support to protect all the services except libwrap.so module loaded.

This command is used to check the modules which are loaded for this services

# ldd

To display all the loaded modules of the specified service

# ldd <service name with full path>

To display all the loaded modules of the sshd service

# ldd /usr/sbin/sshd

To check whether libwrap.so module is loaded or not

# ldd /usr/sbin/sshd | grep -i libwrap.so

To configure the TCPWRAPPER:

(i) Open /etc/hosts.deny or /etc/hosts.allow file by

# vim /etc/hosts.deny

OR

# vim /etc/hosts.allow

* The above files are to be edited or modified to enable or disable the tcpwrapper services the users.

  • Go to last line and type as below
  • # vim /etc/hosts.deny

    To deny the specified host or hostname

    sshd : 172.25.9.11 or system9.example.com

    To deny all the clients

    sshd : ALL

    To deny all the clients except all the systems of example.com domain

    sshd : ALL EXCEPT *.eample.com

    (ii) save and exit this file.

    (iii) Open /etc/hosts.allow by

    # vim /etc/hosts.allow 
  • and go to last line and type as below.
  • to allow 2 systems only
  • sshd : 172.25.9.11 172.25.6.11 

    (iv) save and exit this file.

    * If the client system’s entry is there in both /etc/hosts.deny and /etc/hosts.allow files, then the TCPWRAPPER will look /etc/hosts.allow file first. Then it will look /etc/hosts.deny file. If there is an entry in both the files, then it will allow the system because based on the above rule first it will read /etc/hosts.allow file and allow the system. It won’t read the /etc/hosts.deny file.

    Related Posts

    Leave a Comment

    * By using this form you agree with the storage and handling of your data by this website.