HOWTO Setup iptables


Revision as of 15:54, 30 January 2008

Kernel Configuration

NOTE: This configuration covers basic host firewalling only; it does not do NAT or packet forwarding. If you need NAT/forwarding you will be missing a few key configuration items (at minimum the NAT and MASQUERADE target options in the same IP: Netfilter Configuration menu, plus net.ipv4.ip_forward=1 at runtime).

NOTE: As of kernel 2.6.22 you must enable the following:

Networking  --->
 Networking options  --->
  Network packet filtering framework (Netfilter)  --->
   Core Netfilter Configuration  --->
    ["enable"] Netfilter connection tracking support ---> Layer 3 Independent Connection tracking
    ["enable"] Netfilter Xtables support (required for ip_tables)
    ["enable"] "state" match support   (the rule scripts below use "-m state")
   IP: Netfilter Configuration  --->
    ["enable"] IPv4 connection tracking support (required for NAT); also required by "Layer 3 Independent Connection tracking" above, and easy to miss: without it the conntrack/state rules below will not load
    ["enable"] IP tables support (required for filtering/masq/NAT)
    ["enable"]   Packet Filtering
    ["enable"]     REJECT target support
    ["enable"]   Packet mangling   (the mangle table; not used by the filter-only scripts below, but harmless)
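As an added check (not part of the original page), the following shell script greps a kernel .config for the Kconfig symbols behind the menu entries above, so a missing option is caught before the "Module ip_tables not found" error shows up at init time. The symbol names are the 2.6.2x-era ones (CONFIG_NF_CONNTRACK for the layer-3-independent tracker, CONFIG_NF_CONNTRACK_IPV4 for the IPv4 part, and so on); verify them against your tree's Kconfig if your kernel differs. The sample .config embedded in the test is constructed.

```shell
#!/bin/sh
# Check a kernel .config for the Netfilter options the menu entries above
# correspond to.  Usage:  check_netfilter_config /usr/src/linux/.config
# For the running kernel (needs CONFIG_IKCONFIG_PROC):
#   zcat /proc/config.gz > /tmp/config && check_netfilter_config /tmp/config

# Kconfig symbols behind the required menu entries (2.6.2x naming; assumption,
# verify against your tree if a name differs).
REQUIRED_NETFILTER_SYMBOLS="
CONFIG_NETFILTER
CONFIG_NF_CONNTRACK
CONFIG_NETFILTER_XTABLES
CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_NF_CONNTRACK_IPV4
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_TARGET_REJECT
"
# The mangle table is enabled on the page but not needed by filter-only rules.
OPTIONAL_NETFILTER_SYMBOLS="CONFIG_IP_NF_MANGLE"

# Returns 0 when every required symbol is =y or =m in the given .config,
# 1 otherwise; each missing symbol is printed on its own line.
# Note that =m only means the module exists: it still has to be loaded
# (modprobe ip_tables) before iptables will talk to the kernel.
check_netfilter_config() {
    config=$1
    missing=0
    for sym in $REQUIRED_NETFILTER_SYMBOLS; do
        if ! grep -q "^${sym}=[ym]$" "$config"; then
            echo "missing: $sym"
            missing=1
        fi
    done
    for sym in $OPTIONAL_NETFILTER_SYMBOLS; do
        grep -q "^${sym}=[ym]$" "$config" || echo "optional, not set: $sym"
    done
    return $missing
}

# Run directly against a .config path; when sourced, just defines the function.
if [ -n "$1" ]; then
    check_netfilter_config "$1"
fi
```

The anchored pattern matters: `CONFIG_NF_CONNTRACK=[ym]$` must not be satisfied by `CONFIG_NF_CONNTRACK_IPV4=m`, which is exactly the "enabled the generic tracker but not the IPv4 part" mistake the page warns about.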

Iptables Installation

emerge iptables
rc-update add iptables default

A freshly installed iptables init-script usually refuses to start, because there is no saved ruleset yet:

hostname ~ # /etc/init.d/iptables start
* Not starting iptables.  First create some rules then run:
* /etc/init.d/iptables save

Or you may see this kind of error:

FATAL: Module ip_tables not found.
iptables v1.3.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

These are two different problems. The first only means nothing has been saved yet: add a rule by hand (that is, without the init-script) and then save, which is what the loopback rule below is for. The second means the running kernel has no ip_tables support at all, and no rule will load until the kernel is rebuilt with the options above (or, if ip_tables was built as a module, until it is loaded with modprobe ip_tables). The very simple command-line rule to get iptables going:

hostname ~ # /sbin/iptables -A INPUT -i lo -j ACCEPT

Scripting the Rules

Once iptables is up and running, execute the script below to implement the policies. Despite the .bak name, the file is an ordinary shell script that issues iptables commands; it is not the saved ruleset that the init-script loads:

sh /etc/iptables.bak

Example 1 - /etc/iptables.bak for a web-server that also takes vsftpd uploads and SSH connections, and is monitored by nagios:

#! /bin/sh
# /etc/iptables.bak

# Let's save typing & confusion with variables
IPTABLES=/sbin/iptables

# Flush active rules and custom chains (filter table only, since -t is not given)
$IPTABLES --flush
$IPTABLES --delete-chain

# Default policies: inbound and forwarded packets are dropped unless explicitly
# allowed; outbound traffic from this server is allowed freely.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# INBOUND POLICY
# ==============
#   (Applies to packets entering our network interface from the network,
#   and addressed to this host.)

# of course, accepting loopback is a good idea
$IPTABLES -A INPUT -i lo -j ACCEPT

# drop packets conntrack cannot associate with any connection, then accept
# replies and follow-on traffic for connections we already know about
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ftp incoming (vsftpd). Port 21 is the control channel. Port 20 is only the
# source port of active-mode data connections that the server opens itself, so
# an inbound NEW rule for it is not strictly needed; passive mode instead needs
# the ftp conntrack helper (nf_conntrack_ftp / ip_conntrack_ftp) loaded so the
# data connections arrive as RELATED.
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT

# ssh incoming, including non-standard port (if needed)
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 222 -j ACCEPT

# web serving, let's allow it!
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT

# nagios nrpe (5666); time (123); snmp (161).
# As written these are open to every source; add "-s <monitoring-host>" to
# each rule to limit them, especially the UDP ones, which have no handshake
# and can be reached with spoofed source addresses.
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 5666 -j ACCEPT
$IPTABLES -A INPUT -p udp -m state --state NEW --dport 123 -j ACCEPT
$IPTABLES -A INPUT -p udp -m state --state NEW --dport 161 -j ACCEPT


# OUTBOUND POLICY
# ===============
#   (Applies to packets sent to the network interface from local processes.)
# With the OUTPUT policy set to ACCEPT above these rules change nothing; they
# are here so the policy can later be switched to DROP without locking
# ourselves out.

# of course, accepting loopback is a good idea
$IPTABLES -A OUTPUT -o lo -j ACCEPT

$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Example 2 - /etc/iptables.bak for a web-server with both http and https, an NFS-mounted directory (this machine is an NFS client only) and inbound SMTP. Our amanda tape-server reaches in to back this machine up, and we have SSH connectivity. To complicate matters, it also runs a Sassafras keyserver and a flexlm license-server. Again, monitored by nagios:

#! /bin/sh
# /etc/iptables.bak

# Let's save typing & confusion with variables
IPTABLES=/sbin/iptables

# Flush active rules and custom chains (filter table only, since -t is not given)
$IPTABLES --flush
$IPTABLES --delete-chain

# Default policies: inbound and forwarded packets are dropped unless explicitly
# allowed; outbound traffic from this server is allowed freely.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# INBOUND POLICY
# ==============
#   (Applies to packets entering our network interface from the network,
#   and addressed to this host.)

# of course, accepting loopback is a good idea
$IPTABLES -A INPUT -i lo -j ACCEPT

# drop packets conntrack cannot associate with any connection, then accept
# replies and follow-on traffic for connections we already know about
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ftp incoming: not offered on this host, so left commented out
#$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 20 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT

# ssh incoming, including non-standard port (if needed)
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 222 -j ACCEPT

# this machine also receives mail (SMTP): it aggregates logs and hosts mailing-lists
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 25 -j ACCEPT

# web serving, let's allow it!  Both http and https ports
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT

# portmapper (111), needed even as an NFS client so the server's NFSv3
# lock/status callbacks can find our ports. Consider "-s <nfs-server>" here.
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 111 -j ACCEPT

# nagios nrpe (5666); time (123); snmp (161).
# As written these are open to every source; add "-s <monitoring-host>" to
# each rule to limit them, especially the UDP ones, which have no handshake
# and can be reached with spoofed source addresses.
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 5666 -j ACCEPT
$IPTABLES -A INPUT -p udp -m state --state NEW --dport 123 -j ACCEPT
$IPTABLES -A INPUT -p udp -m state --state NEW --dport 161 -j ACCEPT

# amanda tape-backups: the tape-server connects in to back this host up
# (amandad on 10080/udp; 10082 and 10083 tcp are the amanda index/tape ports).
# These should only ever be reachable from the tape-server ("-s <tape-server>").
$IPTABLES -A INPUT -p udp -m state --state NEW --dport 10080 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 10082 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 10083 -j ACCEPT

# flexlm (lmgrd) license-server listens here (port set in the license.dat file).
# This is lmgrd's port only: the vendor daemon picks a random port unless one
# is pinned with "port=" on its VENDOR line, which this ruleset requires.
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 7111 -j ACCEPT

# Sassafras keyserver listens here on both udp and tcp
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 19283 -j ACCEPT
$IPTABLES -A INPUT -p udp -m state --state NEW --dport 19283 -j ACCEPT


# OUTBOUND POLICY
# ===============
#   (Applies to packets sent to the network interface from local processes.)
# With the OUTPUT policy set to ACCEPT above these rules change nothing; they
# are here so the policy can later be switched to DROP without locking
# ourselves out.

# of course, accepting loopback is a good idea
$IPTABLES -A OUTPUT -o lo -j ACCEPT

$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Save the configuration so the init-script loads it at boot:

/etc/init.d/iptables save

Then back up the working configuration so you can revert quickly if you break something later:

cp /var/lib/iptables/rules-save /var/lib/iptables/rules.working

The saved file is in iptables-save format, so reverting is a single command:

iptables-restore < /var/lib/iptables/rules.working

Viewing/checking the active ruleset (-n skips reverse DNS lookups, which otherwise stall the listing when the resolver is blocked; -v shows packet counters and interfaces, which is the quickest way to see whether a rule is actually matching):

iptables -L -n -v
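Listing the live ruleset tells you what the kernel has loaded, but not what the rule script will open next time it is run. As an added example (not part of the original page), the script below reads a rule file in the style of /etc/iptables.bak, lists every active INPUT rule that accepts new connections together with its source restriction, and counts the UDP services reachable from any source: with UDP there is no handshake, so "--state NEW" does not limit who can reach a service and an unrestricted SNMP or NTP port answers spoofed sources too. The rule file it audits by default is a constructed subset of the examples above, with one rule already restricted to a hypothetical monitoring host 192.0.2.10.

```shell
#!/bin/sh
# Audit an iptables rule script such as /etc/iptables.bak.
# Usage:  sh audit-rules.sh /etc/iptables.bak   (no argument: audit the sample)

# One line per live INPUT rule that accepts a destination port:
#   "<proto>/<port> from <source>"   (commented-out rules are skipped)
audit_input_rules() {
    awk '
        /^[ \t]*#/ { next }                 # commented-out rules are not live
        /-A INPUT/ && /-j ACCEPT/ && /--dport/ {
            proto = "any"; port = "?"; src = "0.0.0.0/0 (unrestricted)"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") port  = $(i + 1)
                if ($i == "-s")      src   = $(i + 1)
            }
            printf "%s/%s from %s\n", proto, port, src
        }' "$1"
}

# UDP has no handshake, so "--state NEW" adds nothing: a UDP service open to
# 0.0.0.0/0 answers anyone, spoofed sources included.  Count those rules.
unrestricted_udp_count() {
    audit_input_rules "$1" | grep -c '^udp/.*(unrestricted)' || true
}

# Constructed sample: a subset of the rule scripts above, plus one rule that
# is already limited to a hypothetical monitoring host (192.0.2.10).
write_sample_rules() {
    cat > "$1" <<'EOF'
IPTABLES=/sbin/iptables
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p udp -m state --state NEW --dport 161 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 192.0.2.10 -m state --state NEW --dport 5666 -j ACCEPT
EOF
}

if [ -n "$1" ]; then
    rules=$1
else
    rules=$(mktemp) && write_sample_rules "$rules"
fi
audit_input_rules "$rules"
echo "unrestricted UDP services: $(unrestricted_udp_count "$rules")"
```

Run against the sample it reports tcp/22 and udp/161 as unrestricted and tcp/5666 as limited to 192.0.2.10, with one unrestricted UDP service. Run against Example 2 above it will flag 123, 161 and 10080; the fix in each case is a "-s" clause naming the only host that should reach the service.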