iptables Firewall rules

For many years, I have been using my own ipchains firewall rules, which are now quite outdated by the new iptables in kernel versions 2.4. So a couple of months ago, I finally made the conversion from ipchains to iptables.

Well, it is nice to have a firewall capability on Linux, but the problem is in writing the rules. There are a number of sites out there that explain how to write the rules, but actually doing it is another thing. I read the tutorial, and just could not "get it", and since I already had a set of working ipchains rules, I didn't want to sacrifice the time necessary to do the conversion.

Then along came Firewall Builder (fwbuilder), which is hosted on SourceForge. Using Firewall Builder and re-reading the the iptables tutorial by Oskar Andreasson, I finally "got it". The key to understanding iptables was the diagram on page 32 of the tutorial. It is was so key for me that I provide a similar diagram here somewhat simplified.

                     Network
                       |
                       v
                 ------------- 
                |   mangle    |
                |  PREROUTING |
                 ------------- 
                      |
                      v
                 ------------- 
                |     nat     |
                |  PREROUTING |
                 ------------- 
                      |
                      v
         --------------------------------- 
         |                               |
         v                               |
    -------------                        |
   |   filter    |                       |
   |   INPUT     |                       |
    -------------                        |
         |                               |
         v                               |
     local process                       |
         |                               |
         v                               v
    -------------                   ------------
   |   mangle    |                 |   filter   |
   |   OUTPUT    |                 |  FORWARD   |
    -------------                   ------------
         |                               |
         v                               |
    -------------                        |
   |    nat      |                       |
   |   OUTPUT    |                       |
    -------------                        |
         |                               |
         v                               |
    -------------                        |
   |   filter    |                       |
   |   OUTPUT    |                       |
    -------------                        |
         |                               |
         --------------------------------- 
                      |
                      v
                 ------------- 
                |     nat     |
                | POSTROUTING |
                 ------------- 
                      |
                      v
                   Network

The above diagram represents the flow of packets through the code in the kernel. Each name in lower case (mangle, nat, filter) corresponds to what is usually referred to as a table. However, I much prefer to think about it as a kernel subroutine that processes certain features of iptables rules that you define. On the iptables command, you specify which subroutine (table) you want with the -t option: e.g. iptables -t nat refers to the nat subroutine. If no -t option is specified, the rule will be processed by the filter subroutine.

The name in upper case (PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING) defines a chain. In this case, these are all predefined chains. iptables permits defining your own chains, but I never found that necessary. The default chains provide all the features I need for my site. Chains are referenced on the iptables command line by -P chain-name, e.g. -P INPUT.

Thus the iptables command:

iptables -t nat -A POSTROUTING ...
will place the rule you are defining in the POSTROUTING chain to be executed by the nat subroutine. Each subroutine handles rules slightly differently so you need to be careful about what rule you place in what chain. Firewall Builder will take care of all those little details for you, but it is still a good idea to understand the final script that Firewall Builder produces.

Another example:

iptables -A INPUT ...
places the rule in the INPUT table to be executed by the filter code (default). Looking at the diagram above, you can see exactly when the above two rules will be applied to the packet.

With the above information, and the iptables tutorial, you should be able to understand most iptables commands and what they will do.

With the help of Firewall Builder, I've developed a set of rules for my site that you might find useful if you are running a similar setup (single server, internal network, desire moderate security without being excessive, have no hackers on the inside, don't want to restrict internal users, and want minimal connectivity from the outside but good connectivity to the outside).

Assuming that you put the firewall script in your /etc/rc.d directory, it is invoked from /etc/rc.d/rc.local at boot time by adding the following statements:

echo "Firewall OFF." >/var/log/firewall

/etc/rc.d/firewall # turn on firewall
To use it, you will need to either edit the script (server.fw) by hand (any text editor) and modify the server address (200.200.200.200) to your address, and possibly the local network address (192.168.0.0) to correspond to your local network. Please note, on my site, I put the script in /etc/rc.d/firewall, but it is distributed here with the name server.fw.

If your site has been attacked at one time or another, you might want to added the IP addresses of the offending sites to firewall.block. I have modified the script to include /etc/rc.d/firewall.blocked in place of the list of blocked addresses that are produced with Firewall Builder. This is because I find it easier to simply cut and paste a new address into the firewall.bocked file rather than regenerate a new script using Firewall Builder.

To ensure that my firewall is turned on, since when testing, I often forget and leave it turned off, put the file check.firewall.hourly in your /etc/cron.hourly directory, and it will send you (root) an email message if it finds the firewall turned off.

Now that I have the firewall script working pretty much as I want, I generally edit it directly by hand rather than go back to the Firewall Builder source as it is generally much quicker.

View iptables Firewall Rules

Note, the download contains server.fw, server.xml, firewall.block, and check.firewall.hourly. Where server.fw are the rules generated by Firewall Builder (edited by me), server.xml is the Firewall Builder input file, and firewall.block is a list of a few of the sites that I have blocked.

Download iptables Firewall Rules

 

Log Analyser Program

Home: www.sibbald.com
Contact: kern at sibbald dot com
Last Update: