Tuesday, 2 October 2012

/etc/sysconfig/iptables settings

To check whether iptables is installed:
   # rpm -q iptables

To see whether iptables is actually running (the ip_tables kernel module is loaded):
   # lsmod | grep ip_tables

To inspect the currently loaded iptables rules:
   # iptables -L

To save newly added rules:
   # /sbin/service iptables save

To enable iptables, run:
   # system-config-securitylevel

To edit the rules for iptables:
   # vi /etc/sysconfig/iptables

Example of the content of the /etc/sysconfig/iptables file (iptables-save format):

*nat
:PREROUTING ACCEPT [190:33819]
:POSTROUTING ACCEPT [1:60]
:OUTPUT ACCEPT [4:240]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed Nov 23 12:04:17 2011
# Generated by iptables-save v1.4.7 on Wed Nov 23 12:04:17 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1413536:615884533]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
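In the file above, "-A INPUT -i eth+ -j ACCEPT" accepts every packet arriving on any eth* interface, so the port 22 rule and the final REJECT below it never see that traffic. The following added example (not part of the original post) audits an iptables-save dump for such blanket interface accepts and counts the rules they shadow; the sample dump is constructed from the post's filter table.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for ACCEPT rules qualified by
# nothing but an interface, and count the rules in the chain that follow them.

# Constructed sample: the filter table shown in the post.
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print every ACCEPT rule on stdin (iptables-save format) that has no
# protocol, port, source, state or loopback match: a blanket accept.
blanket_accepts() {
    awk '$1 == "-A" && $(NF-1) == "-j" && $NF == "ACCEPT" &&
         !/ -p / && !/ -s / && !/--dport/ && !/--state/ && !/ -i lo /'
}

# Count the rules in CHAIN ($1) that follow its first blanket accept; packets
# on that interface are accepted before any of those rules is evaluated.
shadowed_rules() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            if (seen) n++
            else if ($NF == "ACCEPT" && !/ -p / && !/ -s / && !/--dport/ &&
                     !/--state/ && !/ -i lo /) seen = 1
        }
        END { print n + 0 }'
}

# Stand-alone usage: audit the sample and report per chain.
printf '%s\n' "$SAMPLE" | blanket_accepts
for chain in INPUT FORWARD; do
    printf '%s: %s rule(s) never reached for that interface\n' \
        "$chain" "$(printf '%s\n' "$SAMPLE" | shadowed_rules "$chain")"
done
```

Run it against a real dump with "iptables-save | blanket_accepts"; rules reported by shadowed_rules only take effect for traffic from interfaces not covered by the blanket accept.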


Rule Set for iptables

1. Set of rules that allow all outgoing connections but block all unwanted incoming connections:
# iptables -P INPUT ACCEPT
# iptables -F
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -L -v

Switch Definition
-P : default policy for a chain
-F : flush all existing rules
-A : append a rule to a specific chain
-i : match the interface a packet arrived on (e.g. lo for the loopback interface)
-j : jump to the target action for packets matching the rule
-m : load a match extension module (e.g. state)
-p : protocol (tcp, udp, icmp)
--dport : destination port
-L -v : list the rules, verbosely
-s : source IP address

2. Accepting everything on the external internet interface (ppp0, a dialup modem) effectively disables our firewall:
# iptables -A INPUT -i ppp0 -j ACCEPT
 
3. To allow all incoming packets from the internal LAN while still filtering incoming packets on our external internet connection:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -i eth0 -j ACCEPT


4. Accept packets from a trusted IP address (by single address, CIDR prefix, subnet mask, or address plus MAC):
# iptables -A INPUT -s [ip_address] -j ACCEPT
# iptables -A INPUT -s [ip_address]/[prefix_length] -j ACCEPT
# iptables -A INPUT -s [ip_address]/[subnet_mask] -j ACCEPT
# iptables -A INPUT -s [ip_address] -m mac --mac-source [mac_address_of_source_ip_address] -j ACCEPT
 

5. Accept tcp packets on destination port 6881 (BitTorrent)
# iptables -A INPUT -p tcp --dport 6881 -j ACCEPT
 
6. Accept tcp packets on destination port 6881-6890
# iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT
 
7. Accept tcp packets on destination port 22 (SSH)
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 
8. Accept tcp packets on destination port 22 (SSH) from private LAN
# iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
