IPTABLES RHEL 6
Netfilter and IPTables
The Linux kernel features a powerful networking subsystem called Netfilter. The Netfilter subsystem provides stateful or stateless packet filtering as well as NAT and IP masquerading services. Netfilter can also mangle IP header information for advanced routing and connection state management. Netfilter is controlled from user space with the iptables tool.
IPTables is the successor to IPChains and uses similar concepts (chains of rules with targets).
Note:
IPTables cannot be used if IPChains is already running. If IPChains is present at boot time, the kernel issues an error and fails to start IPTables.
Firewall Configuration Tool
The Firewall Configuration Tool only configures a basic firewall. If the system needs more complex rules, refer to "IPTables" below for details on configuring specific iptables rules.
System → Administration → Firewall
system-config-firewall
IPTables Required Package
[root@server1 Desktop]# rpm -qa iptables
iptables-1.4.7-4.el6.x86_64
IPTables Service (start, stop, etc.)
/etc/rc.d/init.d/iptables {start|stop|restart|condrestart|status|panic|save}
service iptables {start|stop|restart|condrestart|status|panic|save}
chkconfig iptables on | off | --list
Note: panic flushes every rule and sets all policies to DROP, which also cuts any remote session to the host. save writes the running rules to /etc/sysconfig/iptables; stop and restart do not save unless iptables-config says so (see below).
IPTables Configuration File
[root@server1 Desktop]# rpm -qlc iptables
/etc/sysconfig/iptables-config
[root@server1 Desktop]# grep -v '#' /etc/sysconfig/iptables-config
IPTABLES_MODULES="nf_conntrack_ftp"
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
With IPTABLES_SAVE_ON_STOP and IPTABLES_SAVE_ON_RESTART set to no (the default), rules added at the command line are discarded on the next service iptables restart or reboot unless service iptables save is run first. nf_conntrack_ftp is loaded here so that FTP data connections are tracked as RELATED to their control connection.
Backup and Restore IPTables
By default, firewall rules are saved in /etc/sysconfig/iptables (IPv4) and /etc/sysconfig/ip6tables (IPv6). service iptables save writes the running rules there in iptables-save format, and the init script loads that file with iptables-restore at boot and on service iptables start.
[root@server1 ~]# ll /etc/sysconfig/iptables*
-rw-------. 1 root root 272 Sep 17 19:41 /etc/sysconfig/iptables
-rw-------. 1 root root 1756 Jul 19 21:58 /etc/sysconfig/iptables-config
-rw-------. 1 root root 1740 Jan 7 2011 /etc/sysconfig/iptables-config.old
-rw-------. 1 root root 476 Jul 20 03:03 /etc/sysconfig/iptables.old
-rw-------. 1 root root 184 Sep 17 19:41 /etc/sysconfig/iptables.save
[root@server1 ~]# cp -p /etc/sysconfig/iptables /etc/sysconfig/iptables.backup
[root@server1 ~]# iptables-restore -c /etc/sysconfig/iptables.backup
The files are mode 0600 because a rule set describes exactly how the host is exposed; cp -p keeps that mode on the backup. iptables-restore replaces the tables listed in the file with the file's contents (use -n to add to the existing rules instead of flushing them), and -c restores the saved packet and byte counters as well.
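A saved copy is also a baseline: if the running rules no longer match /etc/sysconfig/iptables, someone changed the firewall without saving (or without authorisation). The script below is an added example, not part of the original page, that compares the two after stripping the parts of iptables-save output that legitimately change (the header and trailer comments and the per-chain packet/byte counters). The two rule sets embedded in it are constructed for the example; the timestamps and the extra 4444/tcp rule in the "running" copy are assumptions, not output captured from the lab.

```shell
#!/bin/sh
# Added example, not from the original page: detect drift between the saved
# policy (/etc/sysconfig/iptables, written by "service iptables save") and the
# rules the kernel is actually running (iptables-save output).

# Constructed sample of what "service iptables save" wrote to disk.
SAVED_SAMPLE='# Generated by iptables-save v1.4.7 on Sat Sep 17 19:41:00 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
# Completed on Sat Sep 17 19:41:00 2011'

# Constructed sample of a later iptables-save: counters have moved on and
# someone has added an unsaved rule opening 4444/tcp (assumed scenario).
RUNNING_SAMPLE='# Generated by iptables-save v1.4.7 on Sun Sep 18 08:12:31 2011
*filter
:INPUT ACCEPT [48213:5120044]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39011:2873310]
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j ACCEPT
COMMIT
# Completed on Sun Sep 18 08:12:31 2011'

# Normalise iptables-save text on stdin: drop the "# Generated"/"# Completed"
# comment lines and blank lines, and strip the trailing [packets:bytes]
# counters from the policy lines, since those change on every packet.
normalize_ruleset() {
    sed -e '/^#/d' -e '/^[[:space:]]*$/d' -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# Compare two iptables-save files after normalisation. Prints a unified diff
# ("-" lines exist only in the saved file, "+" lines only in the running
# rules) and returns 1 when they differ, 0 when the policies are identical.
ruleset_drift() {
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize_ruleset < "$1" > "$a"
    normalize_ruleset < "$2" > "$b"
    diff -u "$a" "$b" && rc=0 || rc=$?
    rm -f "$a" "$b"
    return "$rc"
}

# Live check (needs root): exit status 1 means the running rules no longer
# match /etc/sysconfig/iptables, i.e. an unsaved or unauthorised change.
check_live_drift() {
    cur=$(mktemp) || return 2
    iptables-save > "$cur"
    ruleset_drift /etc/sysconfig/iptables "$cur" && rc=0 || rc=$?
    rm -f "$cur"
    return "$rc"
}

# Stand-alone demonstration on the constructed samples: sh drift.sh --demo
if [ "${1:-}" = "--demo" ]; then
    s=$(mktemp); r=$(mktemp)
    printf '%s\n' "$SAVED_SAMPLE"   > "$s"
    printf '%s\n' "$RUNNING_SAMPLE" > "$r"
    ruleset_drift "$s" "$r" || echo "drift detected (exit $?)"
    rm -f "$s" "$r"
fi
```

Run check_live_drift from cron and alert on a non-zero exit; the diff it prints names the exact rule that was added or removed. Counters are stripped deliberately: a rule set whose only difference is traffic volume is not drift.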
Understanding IPTables
IPTables has three commonly used built-in tables (a fourth, raw, exists for exempting packets from connection tracking and is not covered here):
Filter – The default table for handling network packets.
Nat – Used to alter packets that create a new connection, i.e. for Network Address Translation.
Mangle – Used for specific types of packet alteration.
Each table has a group of built-in chains, which correspond to the points at which netfilter acts on a packet. There are five predefined chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING.
Filter built-in chains
INPUT — Applies to network packets that are targeted for the host.
OUTPUT— Applies to locally-generated network packets.
FORWARD — Applies to network packets routed through the host.
Nat built-in chains
PREROUTING — Alters network packets when they arrive.
OUTPUT — Alters locally-generated network packets before they are sent out.
POSTROUTING — Alters network packets before they are sent out.
Mangle built-in chains
INPUT — Alters network packets targeted for the host.
OUTPUT — Alters locally-generated network packets before they are sent out.
FORWARD— Alters network packets routed through the host.
PREROUTING — Alters incoming network packets before they are routed.
POSTROUTING — Alters network packets before they are sent out.
Every built-in chain has a default policy that applies when no rule matches. Only a built-in target can be a policy, in practice ACCEPT or DROP; REJECT is a target extension and cannot be used as a policy, and user-defined chains have no policy at all.
IPTables rules processing flow
1. Rules in a chain are processed from top to bottom.
2. The first rule whose criteria match decides the packet: it jumps to the user-defined chain named in the target, or executes the special target (ACCEPT, DROP, REJECT and the like). Terminating targets end processing of the chain; non-terminating targets such as LOG record the packet and let processing continue with the next rule.
3. If the criteria do not match, the next rule is tried.
4. If no rule matches, the chain's policy applies. On a fresh installation the policies are ACCEPT, so an unmatched packet is allowed; once a policy is set to DROP (example 4 below) an unmatched packet is silently discarded.
Table   | Table Function              | Chain                                           | Chain Function
--------|-----------------------------|-------------------------------------------------|------------------------------------------------------------------
Filter  | Packet filtering            | INPUT                                           | Incoming to firewall. For packets addressed to the local server.
        |                             | OUTPUT                                          | Filters packets originating from the firewall.
        |                             | FORWARD                                         | Packets for another NIC on the local server, i.e. packets routed through the local server.
Nat     | Network Address Translation | PREROUTING                                      | Packets enter this chain before a routing decision is made (DNAT).
        |                             | POSTROUTING                                     | Routing decision has been made. Packets enter this chain just before being handed to the hardware (SNAT, MASQUERADE).
        |                             | OUTPUT                                          | NAT for locally generated packets on the firewall.
Mangle  | Packet header modification  | PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD | Modification of packet header fields such as the TOS/DSCP bits, TTL and the firewall mark, before or after routing.
Structure of IPTables Command Options
Syntax:
iptables -t [table] [command] [chain] [match options] -j [target]
Table-types
filter, nat, mangle (filter is assumed when -t is omitted)
Options
-A – Append a rule to the end of a chain
-I – Insert a rule in a chain at position rulenum (default 1 = first)
-R – Replace the rule at position rulenum in a chain
-L – List the rules in the selected chain (all chains of the table if none is given)
-S – Print the rules of the selected chain (or all chains) as iptables commands, the same form iptables-save uses
-D – Delete the rule at position rulenum (1 = first), or the first rule matching the given specification
-F – Flush all rules in the selected chain (all chains of the table if none is given); policies are not changed
-N – Create a new user-defined chain
-P – Set the default policy of a built-in chain (ACCEPT or DROP)
-p – protocol (tcp, udp, icmp, all)
-s – source (hostname, or IP address with an optional /mask such as /24 or /255.255.255.0). A "!" before the address inverts the match. A hostname is resolved once, when the rule is added, so prefer IP addresses.
-d – destination, same syntax as -s
--sport – source port [--sport X | --sport X:Y]; requires -p tcp or -p udp
--dport – destination port [--dport X | --dport X:Y]; requires -p tcp or -p udp
-i – input interface (eth0); valid in the INPUT, FORWARD and PREROUTING chains
-o – output interface (eth0); valid in the OUTPUT, FORWARD and POSTROUTING chains
-n – numeric output (no DNS or /etc/services lookups when listing)
--line-numbers – list rules with their rule numbers
Chain
INPUT
OUTPUT
FORWARD
PREROUTING
POSTROUTING
Target
ACCEPT – Allow the packet
DROP – Discard the packet and send no response
REJECT – Discard the packet and send an error back; the default is an ICMP port-unreachable, changeable with --reject-with (e.g. --reject-with tcp-reset for TCP)
Iptables examples
1. Listing iptables chain rules
[root@server1 Desktop]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
DROP icmp -- client1.example.com server1.example.com icmp echo-request
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Without -n, iptables -L resolves addresses through DNS and ports through /etc/services (hence "anywhere" and "domain" above), which is slow and can hang when DNS is unreachable; -n prints numbers only.
[root@server1 Desktop]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
DROP icmp -- 192.168.1.101 192.168.1.100 icmp type 8
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@server1 Desktop]# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 DROP icmp -- 192.168.1.101 192.168.1.100 icmp type 8
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[root@server1 Desktop]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
DROP icmp -- client1.example.com server1.example.com icmp echo-request
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@server1 Desktop]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@server1 Desktop]# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
2. Delete a particular rule from a chain
[root@server1 Desktop]# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:domain
2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
3 DROP icmp -- client1.example.com server1.example.com icmp echo-request
[root@server1 Desktop]# iptables -D INPUT 3
[root@server1 Desktop]# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:domain
2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
The deletion takes effect immediately but is not written to /etc/sysconfig/iptables until service iptables save is run. The remaining rules are renumbered after each deletion, so list the chain again before deleting another rule by number.
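Deleting by number is error-prone once more than one rule has to go: after "iptables -D INPUT 1" the old rule 3 has become rule 2. The script below is an added example, not part of the original page, showing two ways to plan deletions safely: by number in descending order, and by exact rule specification taken from iptables -S output (the -D command accepts the same specification that -A used). The iptables -S sample it works on is constructed from the rules shown in this page's lab, not captured output.

```shell
#!/bin/sh
# Added example, not from the original page: plan rule deletions so that the
# shifting of rule numbers after each -D does not remove the wrong rule.

# Print "iptables -D CHAIN N" commands for the given rule numbers in
# descending order, so each number still refers to the rule that was listed
# under it by "iptables -L CHAIN --line-numbers". Duplicates are dropped.
plan_deletes_by_number() {
    chain=$1; shift
    printf '%s\n' "$@" | sort -run | while read -r n; do
        printf 'iptables -D %s %s\n' "$chain" "$n"
    done
}

# Turn "iptables -S CHAIN" output on stdin into "iptables -D" commands for
# every rule whose target is $1 (e.g. REJECT). Deleting by the exact rule
# specification does not depend on position and is safe to script.
plan_deletes_by_spec() {
    target=$1
    sed -n "s/^-A \(.*-j $target.*\)$/iptables -D \1/p"
}

# Constructed sample of "iptables -S INPUT" output, built from the rules
# that appear in this page's lab (not a real capture).
SAMPLE_S='-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.1.101/32 -d 192.168.1.100/32 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -s 192.168.1.101/32 -p tcp -m tcp --dport 21 -j REJECT --reject-with icmp-port-unreachable'

# Stand-alone demonstration: sh plan.sh --demo
# Pipe either plan into "sh" as root to execute it, then run
# "service iptables save" to make the result persistent.
if [ "${1:-}" = "--demo" ]; then
    plan_deletes_by_number INPUT 1 3 4
    printf '%s\n' "$SAMPLE_S" | plan_deletes_by_spec REJECT
fi
```

On a live system replace SAMPLE_S with "iptables -S INPUT"; the generated commands are ordinary iptables invocations, so review the plan before piping it into sh.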
3. How to flush all rules in a chain or table
[root@server1 Desktop]# iptables -F
[root@server1 Desktop]# service iptables save
[root@server1 Desktop]# service iptables restart
-F with no chain flushes every chain of the filter table only; the nat and mangle tables need -t nat -F and -t mangle -F, and chain policies are left as they are. The save step overwrites /etc/sysconfig/iptables with the now empty rule set, so take a copy first if the old rules may be needed again.
[root@server1 Desktop]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
4. Block all incoming and outgoing packets on a network gateway
Changing the policies to DROP with no ACCEPT rules in place stops every packet, including the SSH session you may be typing in and, as the ping at the end shows, the host's own outbound traffic. Do this from the console, or insert the rules you need before changing the policies.
[root@server1 Desktop]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@server1 Desktop]# iptables -P INPUT DROP
[root@server1 Desktop]# iptables -P OUTPUT DROP
[root@server1 Desktop]# iptables -P FORWARD DROP
[root@server1 Desktop]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
[root@server1 Desktop]# service iptables save
[root@server1 Desktop]# service iptables restart
[root@server1 Desktop]# ping 192.168.1.101
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
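Example 4 above shows the blunt form of default-deny. The script below is an added example, not part of the original page, of the form a practitioner would actually deploy: a default-deny filter table written in the iptables-save format that /etc/sysconfig/iptables uses, a check that the rules are in an order the top-to-bottom, first-match processing described earlier will handle correctly (loopback and ESTABLISHED,RELATED before any REJECT or DROP, policies really set to DROP, COMMIT present), and a loader with a timed rollback so a mistake over SSH does not lock you out. Assumptions made for the example: 192.168.1.0/24 is the admin network, SSH is on 22/tcp, the host serves DNS on 53 like the lab's server1, and the REJECT line reproduces this page's client1 ICMP block; the rollback timer and the /tmp backup path are also choices of the example.

```shell
#!/bin/sh
# Added example, not from the original page: ordered default-deny ruleset,
# an ordering/policy check, and an apply-with-rollback loader.

# Emit the ruleset in iptables-save format. Order is the point: first match
# wins, so loopback, ESTABLISHED/RELATED and admin SSH come before anything
# that rejects; LOG is non-terminating and sits last so whatever falls
# through to the DROP policy is recorded first (rate-limited).
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.1.101/32 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DENY: "
COMMIT
EOF
}

# Check a ruleset on stdin: INPUT and FORWARD policies must be DROP, INPUT
# must accept ESTABLISHED,RELATED before its first DROP/REJECT rule, and the
# table must end with COMMIT. Prints one line per finding; exit 0 = all good.
check_ruleset() {
    awk '
    /^:INPUT /   { pol["INPUT"]   = $2 }
    /^:FORWARD / { pol["FORWARD"] = $2 }
    /^-A INPUT / {
        n++
        if ($0 ~ /ESTABLISHED,RELATED/ && !est) est = n
        if ($0 ~ /-j (DROP|REJECT)/ && !deny) deny = n
    }
    /^COMMIT$/ { commit = 1 }
    END {
        rc = 0
        if (pol["INPUT"] != "DROP")   { print "INPUT policy is " pol["INPUT"] ", expected DROP"; rc = 1 }
        if (pol["FORWARD"] != "DROP") { print "FORWARD policy is " pol["FORWARD"] ", expected DROP"; rc = 1 }
        if (!est) { print "no ESTABLISHED,RELATED accept in INPUT"; rc = 1 }
        else if (deny && deny < est) { print "deny rule #" deny " precedes ESTABLISHED,RELATED rule #" est; rc = 1 }
        if (!commit) { print "missing COMMIT"; rc = 1 }
        exit rc
    }'
}

# Load the ruleset (needs root) but schedule a restore of the current rules
# in $1 seconds (default 60). If the new rules cut your session, just wait;
# if SSH still works, kill the rollback job and save the rules.
apply_with_rollback() {
    secs=${1:-60}
    backup=$(mktemp /tmp/iptables.XXXXXX) || return 2
    iptables-save > "$backup"
    gen_ruleset | check_ruleset || { echo "ruleset failed checks, not applied" >&2; return 1; }
    ( sleep "$secs" && iptables-restore < "$backup" && echo "rolled back from $backup" ) &
    gen_ruleset | iptables-restore
    echo "applied; within ${secs}s run:  kill $!  &&  service iptables save"
}

# Stand-alone use: sh deny.sh --check   (no root)   sh deny.sh --apply 60
if [ "${1:-}" = "--apply" ]; then
    apply_with_rollback "${2:-60}"
elif [ "${1:-}" = "--check" ]; then
    gen_ruleset | check_ruleset && echo "ruleset OK"
fi
```

Only the filter table is in the file, so iptables-restore leaves nat and mangle untouched. The OUTPUT policy stays ACCEPT on purpose: example 4 shows what OUTPUT DROP does to the host's own DNS and ping, and an egress policy should be added as explicit rules once the inbound side is proven.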
5. A two-system lab
a> server1.example.com – 192.168.1.100
b> client1.example.com – 192.168.1.101
Practice 1
server1.example.com rejects ICMP echo requests (ping) coming from client1.example.com.
[root@server1 Desktop]# iptables -t filter -I INPUT -s 192.168.1.101 -d 192.168.1.100 -p icmp --icmp-type echo-request -j REJECT
[root@server1 Desktop]# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 REJECT icmp -- client1.example.com server1.example.com icmp echo-request reject-with icmp-port-unreachable
[root@server1 Desktop]# service iptables save
[root@server1 Desktop]# service iptables restart
[root@server1 Desktop]# ping -c 3 192.168.1.101
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
64 bytes from 192.168.1.101: icmp_seq=1 ttl=64 time=0.283 ms
64 bytes from 192.168.1.101: icmp_seq=2 ttl=64 time=0.166 ms
64 bytes from 192.168.1.101: icmp_seq=3 ttl=64 time=0.171 ms
[root@client1 Desktop]# ping -c 3 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
From 192.168.1.100 icmp_seq=1 Destination Port Unreachable
From 192.168.1.100 icmp_seq=2 Destination Port Unreachable
From 192.168.1.100 icmp_seq=3 Destination Port Unreachable
The "Destination Port Unreachable" replies are the REJECT target's default --reject-with icmp-port-unreachable. With -j DROP instead, client1 would get no reply at all and the pings would simply time out, which tells a scanner less but makes troubleshooting harder.
Practice 2
Now server1.example.com blocks its own ICMP echo requests to client1.example.com. These are locally generated packets, so the rule goes in the OUTPUT chain.
[root@server1 Desktop]# ping -c 3 client1.example.com
PING client1.example.com (192.168.1.101) 56(84) bytes of data.
64 bytes from client1.example.com (192.168.1.101): icmp_seq=1 ttl=64 time=0.193 ms
64 bytes from client1.example.com (192.168.1.101): icmp_seq=2 ttl=64 time=0.244 ms
64 bytes from client1.example.com (192.168.1.101): icmp_seq=3 ttl=64 time=0.218 ms
[root@server1 Desktop]# iptables -t filter -I OUTPUT -s 192.168.1.100 -d 192.168.1.101 -p icmp --icmp-type echo-request -j REJECT
[root@server1 Desktop]# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT icmp -- server1.example.com client1.example.com icmp echo-request reject-with icmp-port-unreachable
[root@server1 Desktop]# service iptables save
[root@server1 Desktop]# service iptables restart
[root@server1 Desktop]# ping -c 3 client1.example.com
PING client1.example.com (192.168.1.101) 56(84) bytes of data.
From server1.example.com (192.168.1.100) icmp_seq=1 Destination Port Unreachable
From server1.example.com (192.168.1.100) icmp_seq=1 Destination Port Unreachable
From server1.example.com (192.168.1.100) icmp_seq=1 Destination Port Unreachable
6. A three-system lab
System 1 – server1.example.com – 192.168.1.100
System 2 – client1.example.com – 192.168.1.101
System 3 – client2.example.com – 192.168.1.102
Practice 1
System 1 is configured as an FTP server (vsftpd). Block client1.example.com from reaching it with iptables. Rejecting the FTP control connection on 21/tcp is enough: without it no data connection is ever set up.
[root@server1 Desktop]# iptables -t filter -I INPUT -s client1.example.com -p tcp --dport 21 -j REJECT
[root@server1 Desktop]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- client1.example.com anywhere tcp dpt:ftp reject-with icmp-port-unreachable
[root@server1 Desktop]# service iptables save
[root@server1 Desktop]# service iptables restart
[root@client1 ~]# ftp server1.example.com
ftp: connect: Connection refused
ftp> bye
[root@client2 ~]# ftp server1.example.com
Connected to server1.example.com (192.168.1.100).
220 (vsFTPd 2.2.2)
Name (server1.example.com:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
Practice 2
System 1 (the FTP server) rejects FTP from every host except client1.example.com.
[root@server1 Desktop]# iptables -t filter -I INPUT -s ! client1.example.com -p tcp --dport 21 -j REJECT
Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).
The warning is iptables asking for the negation before the option: iptables -t filter -I INPUT ! -s client1.example.com -p tcp --dport 21 -j REJECT. Either form produces the same rule. Note also that a hostname given to -s is resolved when the rule is added (one rule per address if it resolves to several) and iptables-save records the resolved address, not the name, so a later change of client1's address is not picked up; addresses are the safer choice.
[root@server1 Desktop]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- !client1.example.com anywhere tcp dpt:ftp reject-with icmp-port-unreachable
[root@client1 ~]# ftp server1.example.com
Connected to server1.example.com (192.168.1.100).
220 (vsFTPd 2.2.2)
Name (server1.example.com:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
[root@client2 ~]# ftp server1.example.com
ftp: connect: Connection refused
ftp> bye
Practice 3
Reject both FTP (21/tcp) and SSH (22/tcp) on server1.example.com from client1.example.com with a single rule, using the port range 21:22.
[root@server1 Desktop]# iptables -t filter -I INPUT -s 192.168.1.101 -p tcp --dport 21:22 -j REJECT
A port range only covers contiguous ports; for an arbitrary list use the multiport match, e.g. -m multiport --dports 21,22,80.
[root@server1 Desktop]# service iptables save
[root@server1 Desktop]# service iptables restart
[root@client1 ~]# ssh server1.example.com
ssh: connect to host server1.example.com port 22: Connection refused
[root@client1 ~]# ftp server1.example.com
ftp: connect: Connection refused
ftp> bye
[root@client1 ~]#