Configuring Firewall Packet Filtering Using iptables

This article was tested using iptables v1.3.5 running on CentOS.

Displaying Currently Active Rules

iptables -L -v -n

The -v flag turns on verbose mode, and -n prints addresses and ports numerically instead of resolving them to hostnames.

Adding A New Rule

iptables -A INPUT -j ACCEPT -s  -m comment --comment 'Reverse proxy'

The rule above is appended to the end of the INPUT chain; when it matches (a packet coming from IP ), the packet is accepted.

Rejecting Packets Created From Inbound Connections

In the following example, all packets from inbound connections are rejected except those from 72.8.190.105 and 199.241.192.0/22:

Chain INPUT (policy ACCEPT 704K packets, 218M bytes)
 pkts bytes target     prot opt in     out     source               destination
  36M 4776M ACCEPT     all  --  *      *       72.8.190.105         0.0.0.0/0       /* Allow incoming from Reverse Proxy*/
4439K  577M ACCEPT     all  --  *      *       199.241.192.0/22     0.0.0.0/0       /* Allow incoming from Reverse Proxy */
  10M 2897M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0       state RELATED,ESTABLISHED /* Accept incoming packets from already established conn */
14586  878K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0       /* Reject everything else */ reject-with icmp-port-unreachable

Pay close attention to the second last rule:

  10M 2897M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0       state RELATED,ESTABLISHED /* Accept incoming packets from already established conn */

This rule is absolutely critical to ensure:

  1. Outgoing packets from new outbound connections are allowed (e.g. a mail client connecting to an external SMTP server).
  2. Outgoing packets from allowed inbound connections are not blocked (e.g. the web server sending its response to the reverse proxy 72.8.190.105).

Unlike most simple firewall programs, iptables observes both inbound and outbound packets. The fact that an inbound packet is allowed through does not mean the corresponding outbound packet is. Hence this rule is required.
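As an added example (not code from the original article), the script below appends the four rules of the listing above in the same order and audits an `iptables -L INPUT -v -n` listing to confirm that the RELATED,ESTABLISHED rule precedes the catch-all REJECT and that the REJECT is the final rule. The `apply` and `audit` actions assume root and an iptables binary on the host; the default action runs the audit offline against a constructed copy of the listing.

```shell
#!/bin/sh
# Added example, not from the original article. Reproduces the INPUT chain shown
# above and audits a listing for the ordering the article calls critical.

# Append the four rules in the same order as the listing (needs root and iptables).
apply_rules() {
    iptables -A INPUT -s 72.8.190.105 -j ACCEPT \
        -m comment --comment 'Allow incoming from Reverse Proxy'
    iptables -A INPUT -s 199.241.192.0/22 -j ACCEPT \
        -m comment --comment 'Allow incoming from Reverse Proxy'
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT \
        -m comment --comment 'Accept incoming packets from already established conn'
    iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable \
        -m comment --comment 'Reject everything else'
}

# Reads `iptables -L INPUT -v -n` output on stdin. Returns 0 only when an ACCEPT
# rule for RELATED,ESTABLISHED appears before a catch-all (0.0.0.0/0 -> 0.0.0.0/0)
# REJECT or DROP rule, and that catch-all is the last rule (any rule after it is dead).
audit_input() {
    awk '
        /^Chain/ || /^ *pkts +bytes/ || NF == 0 { next }
        { last = NR }
        $3 == "ACCEPT" && /RELATED,ESTABLISHED/ { state = NR }
        ($3 == "REJECT" || $3 == "DROP") && $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" { deny = NR }
        END { exit !(state && deny && state < deny && deny == last) }
    '
}

# Constructed copy of the listing from the article, used for the offline self-check.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 704K packets, 218M bytes)
 pkts bytes target     prot opt in     out     source               destination
  36M 4776M ACCEPT     all  --  *      *       72.8.190.105         0.0.0.0/0       /* Allow incoming from Reverse Proxy*/
4439K  577M ACCEPT     all  --  *      *       199.241.192.0/22     0.0.0.0/0       /* Allow incoming from Reverse Proxy */
  10M 2897M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0       state RELATED,ESTABLISHED /* Accept incoming packets from already established conn */
14586  878K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0       /* Reject everything else */ reject-with icmp-port-unreachable
EOF
}

case "${1:-}" in
    apply) apply_rules ;;
    audit) iptables -L INPUT -v -n | audit_input && echo "INPUT chain ordering OK" ;;
    *)     sample_listing | audit_input && echo "sample listing ordering OK" ;;
esac
```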

Saving Rules

Use

/sbin/service iptables save

to persist changes for the next time the server is rebooted.

Looking up Commands for Currently Configured Rules

Once you have saved your iptables settings, the commands used to reconstruct the rules can be found in the /etc/sysconfig/iptables file. In fact, you can edit this file directly (as long as you are careful) and restart iptables to apply the edited rules.

Restarting iptables

Use the command

/sbin/service iptables restart

to restart iptables.
