Sunday, September 9, 2007
Wednesday, July 18, 2007
IPTABLES
Installing and Configuring iptables
All operations described below require that you have the root password in order to su to root.
Iptables is the basic program for implementing a Linux firewall. The iptables program essentially implements a list of rules that will accept or deny network traffic called packets to or from any source that you specify. These rules can be complex and are powerful tools in securing Linux.
Installing iptables
Installing iptables is usually pretty simple since it has become a standard option in most Linux installs, especially Red Hat. There is a very good chance that iptables is already installed on your machine. An easy way to check is to open a terminal window (making sure to be logged in as root) and typing: # iptables. If iptables installed, you should get a message that looks like the following:
iptables v1.2.8: no command specified
Try 'iptables -h' or 'iptables --help' for more information If this message does not appear, then you must follow the direction below to install iptables. This document will give a quick overview of how to install iptables manually, but each distribution's package manager (apt-get for Debian, YaST2 for SuSE, and so on) should be able to install iptables for you.
Manual Instructions
Manually installing iptables, while it may be a bit more complicated, allows you to use the latest version of iptables as well as any additional options that you may wish to install. If you manually install iptables, however, you will not be able to use your distribution's packet manager to update it later. This document will simply run through the basic install steps that should work on nearly all versions of Linux. Please note that this manual installation also requires that the kernel-source package be installed. This can usually be installed through each distributions package utility, please check your distributions instructions for installing the kernel-source packages
- The first step is the get the iptables tarball containing all the needed files. To get the latest version of iptables go to netfilter.org . The download page is http://www.netfilter.org/downloads.html. The file should named iptables-1.*.*.tar.bz2 where the asterisks represent the numbers of the latest version. Save this file to a temporary directory, we will use /tmp in this example.
- Open a terminal window and change your directory to where you saved iptables by typing: # cd /tmp
- Uncompress the archive to the /usr/src directory (in order to save the source if we need it later) by typing: # tar -xvjf ./iptables-1.*.*.tar.bz2 -C /usr/src where the asterisks represent the version number of the file you downloaded.
- Change to the directory it created, typically iptables-1.*.*, by typing: # cd /usr/src/iptables-1.*.*
- First, we must type, using the kernel directories above: # /bin/sh -c make
- Finally, we must type: # /bin/sh -c make install
Iptables should now be installed. You can test the installation as described in the beginning of this section to see if it is working. If the install steps from above seemed to execute without any error and typing: # iptables -V brings up an error, it is possible that the program did not install itself to the sbin directory, so typing the following command from the iptables-1.*.* directory should fix the problem:
ComputerName:~# cp ./iptables /sbin
Using iptables
This introduction will only talk about the basics of iptables, as the rules can get quite complex. An important thing to remember that is often overlooked is that if you create a set of rules in iptables during one session and then reboot your computer, all the rules that were added will be lost. This means that if you want the rules to persist, you should put the commands to add them into a startup script. An example startup script and instructions for making your own can be found below. One of the first things you will want to do once you get iptables installed is to check what rules are already implemented. To do this, simply type into a terminal window:
ComputerName:~# iptables -L
A list of the present rules will appear on the screen under a variety of headings. There are three basic components to each rule. The first is where the rule is implemented. There are three different places during the process of sending and receiving packets that these rules can be applied. These three different places are called chains and they are:
- INPUT: The input chain applies rules to packets being received from the network.
- OUTPUT: The output chain applies rules to packets being sent from your computer.
- FORWARD: The forward chain applies rules to packets that your machine is forwarding to others on the network
Rules can also have three different effects regardless of where they are applied. These three effects are:
- ACCEPT: This option accepts a given packet and allows it to pass either in or out.
- DENY: This option does not allow a packet to pass but sends an error message back to its sender.
- DROP: This option completely ignores a packet without sending an error message to its sender.
Each chain also has a default policy (usually ACCEPT) that is applied if a specific packet does not match any rules. The final important component is the location you want to block packets from or going to. This location is usually called the source and can be written as either an IP address or a DNS name (such as www.yahoo.com). Each of these three components are used to create a rule through command line arguments. To add a rule, we use the argument -A
ComputerName:~# iptables -A INPUT -s 200.200.200.1 -j DROP
Typing # iptables -L again will now show the new rule under the INPUT chain heading and should look like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 200.200.200.1 anywhere
Removing a rule is even easier, just use the argument -D <Chain_Name> <Rule_Num> where Rule_Num starts at 1 and counts down from the top of each list of rules. To remove our rule, we simply type in (assuming that the new rule is the first in the list):
ComputerName:~# iptables -D INPUT 1
Now, typing: # iptables -L should show that the rule has been deleted. There are many other advanced options for these rules, one of the most important of which is the ability to specify what "type" of packets to block by blocking specific ports on which certain services operate. For example, we could specify that we wanted to block only telnet packets, or in other words packets going into port 23, coming into your computer from 200.200.200.1 by writing the rule:
ComputerName:~# iptables -A INPUT -s 200.200.200.1 -j DROP -p tcp --destination-port telnet
There are many other ports that can be specified and a full list of ports being used on your computer and the name or type attached to each can be found in your /etc/services file. Other common ports to block are: HTTP (port 80), FTP (port 21), and SSH (22). There are also a wide variety of other command line arguments that can be used, but these simple rules so far introduced allow for a wide variety of applications. For example, if you wanted to block all incoming telnet connections to your computer, you would simply have to write the rule:
ComputerName:~# iptables -A INPUT -j DROP -p tcp --destination-port telnet
Since there is no defined source, any telnet request to your computer will be blocked. Another useful extension of this rule is if you have two or more network connections, you can specify which of these connections you would like to apply your rule with -i command for input rules and -o command for output rules. For example, if we would like to block any incoming tcp packets on your second Ethernet connection (eth1), you would type:
ComputerName:~# iptables -A INPUT -j DROP -p tcp -i eth1
This rule is not very useful since all incoming ports are blocked, rendering our connection for the most part useless since we would not hear any tcp packet replies to our outbound requests, but we can specify ports that we want open while the rest would remain closed. We do this by implementing two rules: one that explicitly accepts packets on the port we want to open and the second which blocks all of the ports. For the web server example above, the first rule would accept tcp packets on port 80 through eth1 and the second, like the one above, would block all incoming tcp traffic. This combination of rules works because iptables implements the rules in order, so when a new incoming tcp packet bound for port 80 arrives, iptables will see the accept rule first and admit the packet before the all-encompassing deny rule takes effect. These two rules are given below:
- ComputerName:~# iptables -A INPUT -j ACCEPT -p tcp --destination-port 80 -i eth1
- ComputerName:~# iptables -A INPUT -j DROP -p tcp -i eth1
Another solution to this problem of blocking tcp packets is to block only incoming tcp transactions but allow our computer to start new transactions with other web servers or the like. Since all tcp connections must first be initialized, we can block all incoming SYN tcp packets which are the packets that take of the task of initializing the connection. By blocking these packets on the INPUT chain, we essentially tell our computer to ignore anything it did not speak to first. The option for this is --syn and the rule would look like this:
ComputerName:~# iptables -A INPUT -p tcp --syn -j DROP
While this solution above will work, a better implementation is to put the following as the first rule in your list:
ComputerName:~# iptables -A INPUT -m star --state ESTABLISHED,RELATED -S ACCEPT
Iptables can also be used to block specific, rowdy users on your network from accessing your computer. You could do this by blocking their IP, but if his or her IP ever changed they would be able to access your computer once again. A more efficient way is to block the hardware address or MAC address of their Ethernet card. This address is a set of six two-digit hexadecimal numbers separated by colons (ex: 00:0B:DB:45:56:42) and the option for specifying a MAC address --mac-source <MAC address> and could be used as follows:
ComputerName:~# iptables -A INPUT --mac-source 00:0B:DB:45:56:42 -j DROP
For more information on other command line options for iptables, please refer to the man page otherwise a good the list of tutorials and other help documents for iptables can be found at http://www.netfilter.org/documentation/index.html#FAQ.
Using an iptables startup script
For the rules you created in the previous section to persist after you reboot your computer, they must be reapplied each time the computer starts. This can be done for you be means of a startup script. This file should be placed into your /etc/init.d directory and have it run automatically on startup. You can also start service manually (assuming the service is called iptables) by typing:
ComputerName:~# /etc/init.d/iptables start
You can also restart or stop the service by replacing start in the line above with either restart or stop. Here is an example of an iptables startup script. This script is a good base to start from and you can modify it to your needs. You will need to make sure that the path to the iptables program within the script is valid. You can double-check what is the current location of your iptables install by typing: # whereis iptables into the command line. When the service is started, all the old rules are flushed and the script first blocks all SSH and telnet calls to this machine. We would recommend adding before these reject rules a set of accept rules on the SSH and telnet ports for a few selected sources that you could use to access your machine remotely in case of a problem. The script then writes a final deny rule for all ports, allowing only pings to come through. Before this rule is where you should place accept rules for all of your trusted sources or open ports for the services on you machine that you want exposed. For example, if you wanted to run a web server that you needed to access from anywhere, you could add an accept rule on port 80 for all traffic before the final deny rule to allow only web traffic into your server from the outside world. Rules for this example can be found within the example startup script. If you are on a small private network, you could also write a series of accept rules that allowed only traffic from your network's range of IP addresses into your machine and the final deny rule would stop any other traffic.
Diambil dari http://www.cae.wisc.edu/site/public/?title=liniptables
