iptables

Five predefined tables (operations) and chains.

Tables include:

  • nat
  • mangle
  • raw
  • filter
  • security

chain: a list of rules that act on a packet flowing through the system.

Chains include:

  • prerouting
  • forward
  • postrouting
  • input
  • output

We'll cover the filter and nat tables. As applied:

  • filter table, the default table
    • forward: for packets being routed through the local host
    • input: for packets destined to the local host
    • output: for locally generated packets
  • nat table, consulted when a packet that creates a new connection is encountered
    • prerouting: for altering packets as soon as they come in
    • postrouting: for altering packets as they are about to go out
    • output: for altering locally-generated packets before routing

usage

# iptables -L -v | less
# iptables -L | grep policy

Let's change the default policy for the FORWARD chain:

# iptables --policy FORWARD DROP
# iptables -L | grep policy

Block a site by IP range (Facebook as the example):

  1. Locate the IP address for FB.
  2. Locate the CIDR value or IP range for FB.
  3. Block the IP range for FB.

$ host www.facebook.com
$ whois 157.240.2.35 | grep CIDR
$ sudo su
# iptables -A OUTPUT -p tcp -d 157.240.0.0/16 -j DROP
# iptables -A INPUT -p tcp -s 157.240.0.0/16 -j DROP
# w3m facebook.com
# ping facebook.com

  1. since no table is given, this uses the default table, which is the filter table
  2. -A OUTPUT: append the rule to the OUTPUT chain
  3. -p tcp: the protocol for the rule
  4. -d IP address: destination address (for the INPUT rule the range is the source of incoming packets, so -s is used there)
  5. -j DROP: specifies the target of the rule -- what to do if the packet matches. In this case, the target is to drop the packet. Usual options include:
  • ACCEPT : allow the connection
  • DROP : drop and ignore the connection
  • REJECT : do not allow the connection and return an error to the source
  6. both rules match tcp only, so ping (ICMP) still reaches the range; w3m is the meaningful check

Allow connections only from subnet

# comment: first, set policy to drop all incoming
$ sudo iptables --policy INPUT DROP
# comment: second, set policy to drop all forwarding 
$ sudo iptables --policy FORWARD DROP
# comment: third, set policy to drop all outgoing
$ sudo iptables --policy OUTPUT DROP
# comment: review new policies for the above chains
$ sudo iptables -L | grep policy
# comment: now accept only input, forwarding, and output from the following
# network ranges:
$ sudo iptables -A INPUT -s 10.163.34.0/24 -j ACCEPT
$ sudo iptables -A FORWARD -s 10.163.34.0/24 -j ACCEPT
$ sudo iptables -A OUTPUT -s 10.163.34.0/24 -j ACCEPT
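The sequence above leaves the host with DROP policies but no loopback or return-traffic rules, so local services and replies to accepted connections stop working. As an added example (not from the original page), this script builds the same subnet-only policy as an iptables-restore ruleset with those two gaps closed; the subnet, SSH port and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): emit a default-deny filter ruleset in
# iptables-restore format. Only prints text; nothing here touches the live firewall.
# usage: gen_ruleset 10.163.34.0/24 | sudo iptables-restore --test   (dry run)

# is_cidr4 ADDR/PREFIX: succeed only for a well-formed IPv4 CIDR such as 10.163.34.0/24
is_cidr4() {
  case "$1" in */*) ;; *) return 1 ;; esac
  addr=${1%/*}; prefix=${1#*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case "$addr" in .*|*.|*..*) return 1 ;; esac
  set -- $(printf '%s' "$addr" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# gen_ruleset SUBNET [SSH_PORT]: print the ruleset. Compared with the page's command
# sequence it adds the loopback and conntrack rules a default-deny host needs.
gen_ruleset() {
  subnet=$1; ssh_port=${2:-22}
  is_cidr4 "$subnet" || { echo "gen_ruleset: bad CIDR '$subnet'" >&2; return 1; }
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback must stay open or local services (resolver caches, databases) break
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# return traffic for connections already accepted in either direction
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new inbound connections: SSH from the trusted subnet only
-A INPUT -s $subnet -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# new outbound connections: only towards the trusted subnet
-A OUTPUT -d $subnet -m conntrack --ctstate NEW -j ACCEPT
# log what is about to hit the DROP policy (rate-limited) so lockouts are diagnosable
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}
```

Review the output with `iptables-restore --test` before piping it into `iptables-restore` for real, and keep a console session open while testing a default-deny ruleset over SSH.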

Saving changes

Save changes permanently, otherwise on restart, iptables reverts to default settings:

$ sudo su
# /sbin/service iptables save

There are lots of examples on the web. Examples from:

  • http://www.tecmint.com/linux-iptables-firewall-rules-examples-commands/
  • https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/

PREROUTING

Forward all traffic to port 25 to port 2525:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-ports 2525

OUTPUT

Disable outgoing email (matching several ports at once needs the multiport module):

# iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT

firewall-cmd

firewalld is a slightly more user friendly interface to netfilter in Red Hat based distros.

Zones are an important concept in firewalld. Some predefined zones:

  • drop : strictest. All incoming network packets are dropped
  • block : also very strict
  • public : only selected incoming connections are accepted. Good zone for web server, email server, etc.
  • external : external networks (useful for NAT)
  • dmz : computers located in a DMZ
  • work : trust most computers in the network and accept some services
  • home : trust most computers in the network and accept some services
  • trusted : trust all machines in the network

Check if running:

# firewall-cmd --state

Get active zones and interfaces attached to them:

# firewall-cmd --get-zones
# firewall-cmd --get-default-zone
# firewall-cmd --get-active-zones
FedoraServer
  interfaces: enp0s3

Manage ports and services in a zone (changes made with --permanent take effect after firewall-cmd --reload):

# firewall-cmd --zone=FedoraServer --add-port=22/tcp
# firewall-cmd --zone=FedoraServer --list-ports
# firewall-cmd --zone=FedoraServer --remove-service=ssh --permanent
# firewall-cmd --zone=FedoraServer --add-service=smtp --permanent

Go into panic mode (drop all incoming/outgoing packets):

# firewall-cmd --panic-on
# firewall-cmd --panic-off

To change default zone:

# firewall-cmd --permanent --set-default-zone=public

ufw

$ host www.facebook.com
$ whois 157.240.2.35 | grep CIDR
$ sudo ufw reject out to 157.240.0.0/16
$ sudo ufw reject in to 157.240.0.0/16

linux/firewalls.txt · Last modified: 2019/01/21 11:22 by seanburns