Linux has long had the capability for filtering packets, and it has come a long way since the early days in terms of both power and flexibility. The first generation of packet-filtering code, called ipfw (for “IP firewall”), provided basic filtering capability.
The iptables command makes changes to the Netfilter chains and rule sets. Using iptables, you can create new chains, delete chains, list the rules in a chain, flush chains (i.e., remove all rules from a chain), and set the default action for a chain. iptables also allows you to insert, append, delete, and replace rules in a chain.
Before we get started with some example rules, it’s important to set a default behavior for all the chains. To do this, use the -P (which stands for “policy”) command-line switch:
UNIX> iptables -P INPUT DROP
UNIX> iptables -P FORWARD DROP
This ensures that only those packets covered by subsequent rules that you specify will make it past your firewall. After all, with the relatively small number of services that your network will likely provide, it is far easier to explicitly specify all the types of traffic that you want to allow than it is to specify all the traffic that you don’t.
With the default policy set to DROP, you’ll specify what is actually allowed. Here’s where you’ll need to figure out what services will have to be accessible to the outside world. For the rest of these examples, assume that eth0 is the external interface on the firewall and eth1 is the internal one. The sample network will contain a web server (192.168.1.20), a mail server (192.168.1.21), and a DNS server (192.168.1.18)a fairly minimal setup for a self-managed Internet presence.
We’ll begin specifying rules momentarily, but first, remove filtering from the loopback interface:
Network Packet Filtering Security
UNIX> iptables -A INPUT -i lo -j ACCEPT
UNIX> iptables -A OUTPUT -o lo -j ACCEPT
Now, let’s construct some rules to allow this traffic through. First, make a rule to allow traffic on TCP port 80the standard port for web servers to pass to the web server unfettered by the firewall:
UNIX> iptables -A FORWARD -m state --state NEW -p tcp -d 192.168.1.20 --dport 80 -j ACCEPT
And now for the mail server, which uses TCP port 25 for SMTP:
UNIX> iptables -A FORWARD -m state --state NEW -p tcp -d 192.168.1.21 --dport 25 -j ACCEPT
You might also want to allow remote POP3, IMAP, and IMAP+SSL access:
UNIX> iptables -A FORWARD -m state --state NEW -p tcp -d 192.168.1.21 --dport 110 -j ACCEPT
UNIX> iptables -A FORWARD -m state --state NEW -p tcp -d 192.168.1.21 --dport 143 -j ACCEPT
UNIX> iptables -A FORWARD -m state --state NEW -p tcp -d 192.168.1.21 --dport 993 -j ACCEPT
Finally, allow DNS access via port 53:
UNIX> iptables -A FORWARD -m state --state NEW -p tcp -d 192.168.1.21 --dport 53 -j ACCEPT
Unlike the other services, DNS can use both TCP and UDP port 53. Using a default deny policy makes it slightly more difficult to use UDP for DNS. This is because the policy relies on the use of state-tracking rules, and since UDP is a stateless protocol, there is no way to track it. In this case, you can configure the DNS server either to use only TCP, or to use a UDP source port of 53 for any response that it sends back to clients that were using UDP to query the name server.
If the DNS server is configured to respond to clients using UDP port 53, you can allow this traffic through with the following two rules:
UNIX> iptables -A FORWARD -p udp -d 192.168.1.18 --dport 53 -j ACCEPT
UNIX> iptables -A FORWARD -p udp -s 192.168.1.18 --sport 53 -j ACCEPT
The first rule allows traffic destined for the DNS server into your network, and the second rule allows responses from the DNS server to leave the network.
Next» Securing Network With Firewall (MAC Filtering)