Security 101 : Firewalls, iptables by example



Iptables packet filtering has three elements to it:
  • Tables: We are going to use the FILTER table since it is the most used. The filter table, as its name indicates, filters traffic.
  • Chains: tables have chains attached to them. We have the INPUT chain, which deals with incoming traffic, the OUTPUT chain, which deals with outgoing traffic, and the FORWARD chain, which deals with traffic that is just "passing" through our machine.
  • Targets: when a packet matches a rule in a chain, the rule's target is applied to it. The target can be ACCEPT (accept the packet), REJECT (reject the packet and send a message back to the sender saying why it was rejected) or DROP (discard the packet without informing the sender).

The "rules" describe the "characteristics" of a packet, asking questions like: does the packet have a certain source IP address, is it destined to a certain port, ...?

Stopping traffic from a certain IP address:

"-A" : append the rule to the already existing iptables rules.
"INPUT" : we are using the INPUT chain because we are dealing with incoming traffic.
"-s ip_address" : packets that match this rule (their source IP matches the address given after -s) get dropped, as specified by the target.
"-j DROP" : the target determines the fate of the packet when the rule is matched. In our case we drop it.

Stopping traffic from a network:


Drops traffic coming from the network "10.1.12.0/24".

Deleting rules from iptables:


Deletes rule number 2 in the FORWARD chain.

Blocking a specific protocol:


Blocks/rejects ICMP packets and sends back a message to inform the source that the packets were rejected.

Blocking traffic on certain ports:


Blocks traffic to the "sshd" port (22) without informing the source.

Blocking traffic on a certain interface:


Blocks traffic coming on the "eth0" interface from the source IP address "10.1.12.32" without informing the source.

Blocking outbound traffic to a certain site:

We start by looking up the IP address of the site:


Then we use the below command to block/drop all outbound traffic to that site:


"-d" : destination.

Blocking outbound traffic to a whole network:


"-d" : destination network (10.1.12.0/24).

Blocking all traffic except HTTP packets:


"-P" : policy.

Remark:

The order of the two commands matters ("1" then "2").
If we reverse the order of the two commands, all "INPUT" traffic will be dropped.
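The "allow HTTP, then drop everything else" INPUT setup above, as an added example script (not the post's own command): it keeps the post's order (ACCEPT rule first, DROP policy second) and, as an extra caveat, accepts loopback and already-established connections before the policy flips so the remote shell running the script is not cut off. The dry-run variable IPT is an assumption of this script, not an iptables option.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the post's
# "block all INPUT except HTTP" policy in the safe order.
# Set IPT=echo to print the commands instead of applying them
# (IPT is our own dry-run switch, not an iptables feature).
IPT="${IPT:-iptables}"

http_only_input_rules() {
    # Accept loopback and replies to connections this host already has,
    # BEFORE the default policy becomes DROP; otherwise the SSH session
    # that runs this script is dropped as soon as the policy flips.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Step "1" from the post: accept new HTTP connections on TCP port 80.
    "$IPT" -A INPUT -p tcp --dport 80 -j ACCEPT
    # Step "2" from the post: anything that matched no rule above is dropped.
    "$IPT" -P INPUT DROP
}

# Self-check: in a dry run, the HTTP ACCEPT rule must be emitted before
# the DROP policy. Returns 0 when the order is right, 1 otherwise.
http_rule_precedes_drop_policy() {
    out=$(IPT=echo; http_only_input_rules)
    accept_line=$(printf '%s\n' "$out" | grep -n -- '--dport 80 -j ACCEPT' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$out" | grep -n -- '-P INPUT DROP' | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}
```

Run it as root to apply the rules, or with `IPT=echo` first to review exactly which commands will be executed and in which order.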

Persistent rules:

For the iptables rules to persist after a reboot, we need to run the command below:


It saves the configuration in the "/etc/sysconfig/iptables" file.


Listing the rules of iptables:

We use the command below to list the rules of "iptables":


We can see the chains: INPUT, FORWARD and OUTPUT.
The target in the above example is ACCEPT for the INPUT chain for all protocols.
We can also see the policy, which is ACCEPT for the INPUT chain and the OUTPUT chain, and DROP for the FORWARD chain.
We can change the policy of, for example, the INPUT chain using the command below:


Which means all the INPUT traffic will be dropped:


We see that the policy has changed to DROP in the INPUT chain.
