
Linux Firewalling - Part 1

gunz

Hello,

I'm a network administrator at my school and I would like to share my experience with firewalling on Linux.
We're going to use the netfilter firewall and a tool called iptables. I think every new distro has it compiled into the kernel by default, so we don't need to know how to install it.

Don't try the examples over SSH, because you can cut yourself off!

1. Global policies
Global policies are rules that tell what to do with packets that don't match any other configured rule.
For example:
Code:
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport www -j ACCEPT
iptables -A INPUT -p tcp --dport 7171 -j ACCEPT

This tells that any other packets coming to the server, except www and 7171, will be dropped. -P is the global policy flag, INPUT is a type of chain that tells that the packet is incoming (not outgoing), and DROP drops the packets that don't match any other rule.

2. Chains
We have 3 default chains in iptables. They are INPUT, OUTPUT and FORWARD.
INPUT - incoming connections to the server (example: someone is connecting to the server)
OUTPUT - outgoing connections from the server (example: you are trying to connect to some server)
FORWARD - this chain is for routing only, we don't need it now...

3. Packet actions
There are some actions that we can do with the packets.
ACCEPT - packet will be accepted
DROP - packet will be dropped
QUEUE - send the packet to some user-space process for checking

4. Rules to specify packet

4.1 - Source address

Source address is the address the packet is coming from. The syntax of this rule is -s network/mask.
Example:
Code:
iptables -A INPUT -s 192.168.2.2 -j ACCEPT
This will allow 192.168.2.1 to access all services on your server.

Code:
iptables -A INPUT -s 192.168.2.0/24 -j ACCEPT
This will allow all IPs in the range 192.168.2.1-255 to access all services on your server.

Code:
iptables -A INPUT ! -s 10.0.0.0/24 -j DROP
This rule will block all packets coming to the server except packets from the network 10.0.0.0/24. The "!" tells us that everything except 10.0.0.0/24 will be dropped. When you use "-s 10.0.0.0/24 -j DROP" it will drop all packets from 10.0.0.0/24 and allow all others!

4.2 - Destination address
Destination address is the IP address of your server; it's useful if you have more networks. The syntax of this is "-d ip".
Example:
Code:
iptables -A INPUT -d 192.168.2.1 -j ACCEPT
This will allow all packets coming to 192.168.2.1.

Code:
iptables -A INPUT -d 192.168.2.1 -s 192.168.2.0/24 -j ACCEPT
This will allow all packets coming to 192.168.2.1 from network 192.168.2.0/255.255.255.0 (equivalent to 24).


This is all for today, people. In the next part we will learn how to specify packets by the network card they are coming in on, and we will try to create a small firewall... Stay tuned.

Yours,
Gunz.
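As an added example that is not part of gunz's post, here is the rule set the tutorial describes (default DROP on INPUT, established connections, www, 7171 and SSH) as a small sh script. It prints the commands by default (dry run) and only calls iptables when given `apply`, so it can be reviewed on the console before it is loaded; the admin network 192.168.2.0/24, the SSH restriction and the port list are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the INPUT chain the
# tutorial describes. "firewall_rules" prints the commands (dry run);
# "firewall_rules apply" executes them. Constructed assumptions: the admin
# network and the port list below.

IPT="iptables"
ADMIN_NET="192.168.2.0/24"   # constructed: only this network may reach SSH
TCP_PORTS="80 7171"          # www and the OT server port from the tutorial

# rule: print one iptables command (dry run) or execute it (apply)
rule() {
    if [ "${MODE:-dryrun}" = "apply" ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

firewall_rules() {
    MODE="${1:-dryrun}"
    rule -F INPUT                                  # start from a clean INPUT chain
    rule -A INPUT -i lo -j ACCEPT                  # loopback must always work
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m state --state INVALID -j DROP # malformed/untracked packets
    # SSH only from the admin network (-s narrows who may reach the port)
    rule -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT
    for p in $TCP_PORTS; do
        rule -A INPUT -p tcp --dport "$p" -j ACCEPT
    done
    # Set the global policy LAST: if DROP is set before the ESTABLISHED rule
    # exists, an SSH session used to load the rules is cut off.
    rule -P INPUT DROP
    rule -P OUTPUT ACCEPT
}

# count_rules: number of commands the dry run would issue
count_rules() {
    firewall_rules dryrun | wc -l | tr -d ' '
}

firewall_rules "${1:-dryrun}"
```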
@up
This is just part 1. I will explain this in the next parts.
It seems to be a nice firewall...

I couldn't get how to allow packets from/to website, otserver and SSH access.