Many ages ago I owned and operated the site electronicliberty.com with a friend. Below is an article we wrote on IPTables that existed on that site. I thought I would open up the time capsule and share some of these oldies but goodies. It is also available on the WaybackMachine.
IPTables TutorialIPTables is a stateful firewall service that comes standard on Linux machines. It is a very useful and powerful tool that can be used for packet filtering, stateful filtering, and NAT’ing. There are many advantages to using IPtables, but it is very important to configure the service correctly or serious problems could arise.
To understand the following tutorial it should be noted that we will be running a script to execute the firewall rules in the IPTables service on RedHat version 9.0. The very first thing that we will do with this script is to clear out the default rules that are already running in IPTables. Also, for a definitive idea of what IPTables does please refer to the MAN pages that concern IPTables. To begin we will find out whether or not IPTables is currently running on your Linux box. To do this you will type the following command into the command line:
[root@e-Liberty root]# service iptables status
This should tell you whether or not IPTables is currently running. Note: that servicecommand status will on work with RedHat.
Regardless of whether or not it is running we can continue on in our venture to create new firewall rules.
Create a file in the root directory called firewall with the following command:
[root@e-Liberty root]# touch /firewall
We will use this file for editing rules and then when we are finished we can add it to the /etc/rc.d/rc.local (Adding the file here will ensure that the rules are put into place every time the computer is booted). It is always a good idea to make changes to an arbitrary file and then apply those changes after verifying its validity to allow for easier troubleshooting.
Open the file you just created with your favorite text editor. During this tutorial we will use vim. Open the file by typing the following:
[root@e-Liberty root]# vim /firewall
This should open a blank document ready for editing. Now type the following:
!/bin/sh #Remove the current rules from IPTables iptables –F #Create Policy for IPTables iptables –policy INPUT DROP iptables –policy OUTPUT DROP iptables –policy FORWARD DROP
Hit the Esc key on your keyboard and the type:
(NOTE: this is the process to save a file using vim, use this process each time you are asked to save).
Now that your script is saved you will need to make sure that it is executable, type:
[root@e-Liberty root]# chmod 700 /firewall
To see the affect that our script can have we will now stop iptables from running and ping a machine. Type:
[root@e-Liberty root]# service iptables stop
Iptables is no longer running, therefore the firewall is down and the machine is totally vulnerable to everything (assuming there aren’t any other firewalls running on the machine). Type:
[root@e-Liberty root]# ping google.com
Type Ctrl+C to stop the replied pings from Google. If you did not receive any ping replies then make sure that you have successfully stopped IPtables and that you are connected to the internet. Type:
[root@e-Liberty root]# ./firewall
This will execute the script that we wrote earlier and load the rules that we wrote into iptables. (Note: Even though we stopped Iptables, loading rules will automatically start it again). Type:
[root@e-Liberty root]# ping google.com
Type Ctrl+C to stop the host unreachable replies. Amazing! Nothing can get in or out of your computer. Congratulations you have just made your computer an impregnable fortress. Unfortunately, by creating these rules we have made it impossible to access the internet, or intranet from this machine, or any machines running behind it. Let’s analyze the rules we loaded.
[root@e-Liberty root]# iptables –policy INPUT DROP
iptables is the service we are running and is how we will start every rule concerning iptables in our script, or at the command line.
–policy is the modifier that tell iptables that we want to modify the policy or one of the chains (INPUT, OUTPUT, FORWARD)
INPUT is the chain that we are going to modify.
DROP is what we want iptables to do when the rule preceding it is matched.
To summarize, if anything tries to come INTO the computer via the network it is immediately dropped. However, because we instructed all three chains to DROP, everything going out of the computer or being forwarded to another computer is dropped as well.
Now let’s see what our rules resulted in, type:
[root@e-Liberty root]# Iptables –L –v
This will list the rules iptables has loaded and the number of packets that have matched each rule. At any time if you would like to clear the counters type:
[root@e-Liberty root]# iptables –Z
For this section it will be necessary to change the rules in the /firewall script to all accept. To do this go back into the firewall file and make sure your script looks like the following:
#!bin/sh#Remove the current rules from IPTables iptables –F #Create Policy for IPTables iptables –policy INPUT ACCEPT iptables –policy OUTPUT ACCEPT iptables –policy FORWARD ACCEPT
Doing this will allow all communications in and out of your system to work again. To be sure this works save your script and execute it at the command line. Now try to ping google.com again. This should work. If it does not work then return to your script and be sure that it is correct and that you executed the correct script at the command line. Once you are able to ping google move on to the next portion of the tutorial.
Go back into your script and add the following rule to the bottom of your script.
Iptables –A OUTPUT –p icmp –j REJECT –reject-with THIS OPERATION IS NOT PERMITTED ON THIS MACHINE
Save and execute your script and try to ping http://www.google.com once again. You should receive a message after each ping attempt that says THIS OPERATION IS NOT PERMITTED ON THIS MACHINE. What you have done is stop any ICMP packets from going out of the computer. Essentially if someone tried to ping this machine it would allow the ping to come in but not allow a ping reply. If you have access to two machines on this network, change the rule we just made to INPUT instead of OUTPUT and execute the script again. Now ping the “firewall” machine from your second machine. You should receive the same rejection banner.
Let’s analyze the rule we just created.
-A appends the new rule to the table/chain that you specify, in this case we chose OUTPUT. After the chain is specified we tell iptables to look for a specific protocol to match the rule using –p. The protocol that we want to match is ICMP. The –j option specifies a jump this means that when this rule is matched it will do whatever follows the –j option. For example, we could simply tell it to DROP the packet when the rule is matched. However in this instance we decided to be more specific and let the internal user know that the network administrator does not allow pings to go out of this machine. To specify a message, use the –reject-with option. You can type anything in the text that follows, but it is probably best not to upset anyone and remain professional.
We have now developed a firm understanding of how iptables rules are created and implemented, for this reason we should now add a rule that should always be permitted. The loopback interface should always be allowed to work because iptables will block traffic if the default policy is set to DROP (even though it doesn’t actually generate packet traffic). Because loopback is necessary for several services in Linux it is important to allow this on your computer. Type the following rule:
Iptables –A INPUT -i lo –j ACCEPT Iptables –A OUTPUT -o lo –j ACCEPT
The option -i is short for –in-interface, the -o option is short for –out-interface. The matched option ‘lo’ means the interface named loopback, which is what we want to ACCEPT. This rule means that if the default policy is set to drop our machine will still be allowed to communicate on the loopback interface. This is a good time to explain how iptables drops packets and the ‘deny by default’ mindset.
The ‘deny by default’ mindset means that you will block everything and then allow only specific operations to be permitted. This was demonstrated to you in the original script that we wrote. Everything was set to drop, and nothing could get in or out. However, any rules that you append (using -A) to a chain will be compared to each packet before the default policy is enacted. For instance, if the default policy on the OUTPUT chain is set to DROP and we try to PING, it will not work. However, if we append the rule
Iptables –A OUTPUT –p icmp –j ACCEPT
The PING will work. Iptables will try to match every rule before it executes default policy.
Lastly, we want our firewall script to execute every time we reboot the computer. Therefore we will add the firewall script to: /etc/rc.d/firewall
Now we want to make sure that only root can read, write, and execute on the firewall. At the command prompt type:
[root@e-Liberty root]# chown root.root/etc/rc.d/firewall
[root@e-Liberty root]# chmod 700 /etc/rc.d/firewall
Congratulations you have completed the Beginner tutorial on IPTables.