IptablesHowTo
THIS IS NOT COMPLETE AND SHOULD BE COMPLETED BY SOMEONE WHO KNOWS MORE THAN ME! THANKS
Basic Iptables How to for Ubuntu Server Edition
Iptables is a firewall, installed by default on Ubuntu Server. On a regular Ubuntu install, iptables is installed but allows all traffic (so the firewall is ineffective / inactive).
There is a wealth of information available about iptables, but much of it is fairly complex, and if you want to do a few basic things, this How To is for you.
Basic Commands
Typing
# iptables -L
lists your current rules in iptables. If you have just set up your server, you will have no rules, and you should see
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Allowing Established Sessions
We can allow established sessions to receive traffic:
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allowing Incoming Traffic on Specific Ports
You could start by blocking traffic, but you might be working over SSH, where you would need to allow SSH before blocking everything else.
To allow incoming traffic on port 22 (traditionally used by SSH), you could tell iptables to allow all TCP traffic on port 22 of your network adapter.
# iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT
Specifically, this appends (-A) to the INPUT chain the rule that for any TCP traffic (-p tcp) arriving on interface (-i) eth0 with the destination port (--dport) for ssh, iptables should jump (-j) to, that is perform, the action ACCEPT.
Let's check the rules (only the first few lines are shown; you will see more):
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
Now, let's allow all web traffic
# iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
Checking our rules, we have
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
We have specifically allowed tcp traffic to the ssh and web ports, but as we have not blocked anything, all traffic can still come in.
Blocking Traffic
Once a decision is made about a packet, no more rules affect it. As our rules allowing ssh and web traffic come first, we can still accept the traffic we want as long as our rule to block all traffic comes after them. All we need to do is put the rule to block all traffic at the end. The -A command tells iptables to append the rule at the end, so we'll use that again.
# iptables -A INPUT -j DROP
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
DROP       all  --  anywhere             anywhere
Because we didn't specify an interface or a protocol, any traffic for any port on any interface is blocked, except for web and ssh.
Editing iptables
The only problem with our setup so far is that even the loopback interface is blocked. We could have written the drop rule for just eth0 by specifying -i eth0, but we could also add a rule for the loopback. If we append this rule, it will come too late, after all the traffic has already been dropped. We need to insert (-I) this rule as the fourth rule of the chain.
# iptables -I INPUT 4 -i lo -j ACCEPT
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
The last two lines look nearly the same, so we will list iptables in greater detail; the verbose listing adds the in/out interface columns, which show that the first of the two rules matches only lo.
# iptables -L -v
Saving iptables
If you were to reboot your machine right now, your iptables configuration would disappear. Rather than type this each time you reboot, however, you can save the configuration and have it start up automatically. To save the configuration, you can use iptables-save and iptables-restore.
Configuration on startup
Save your firewall rules to a file
# sudo iptables-save > /etc/iptables.up.rules
Then modify the /etc/network/interfaces script to apply the rules automatically (the bottom line is added):
auto eth0
iface eth0 inet dhcp
  pre-up iptables-restore < /etc/iptables.up.rules
You can also prepare a set of down rules and apply it automatically:
auto eth0
iface eth0 inet dhcp
  pre-up iptables-restore < /etc/iptables.up.rules
  post-down iptables-restore < /etc/iptables.down.rules
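The two points this How To keeps returning to are that rule order decides what a packet hits first (the "Blocking Traffic" and "Editing iptables" sections) and that a ruleset is saved and reloaded as a file (this section). The script below, an added example rather than code from the wiki page, writes the INPUT chain built above in the iptables-save format that iptables-restore reads, and checks the file for the ordering mistake described earlier (loopback ACCEPT appended after the catch-all DROP) before it would be loaded. It assumes eth0 and ports 22 and 80 as on the page; the temporary file name is a placeholder, and nothing in it calls iptables, so it runs without root.

```shell
#!/bin/sh
# Added example, not code from the Ubuntu wiki page: build the INPUT chain
# from this How To as an iptables-save style file and check the rule order
# before loading it. Nothing here calls iptables, so it runs without root;
# the file used below is a temporary placeholder, not /etc/iptables.up.rules.

# Emit the ruleset in the format iptables-save writes and iptables-restore
# reads. Rule order is the whole point: the first matching rule decides,
# so the loopback ACCEPT must precede the catch-all DROP, and the DROP
# must be the last rule in INPUT.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
-A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# The mistake the "Editing iptables" section warns about: the loopback
# rule appended (-A) after the DROP, where no packet can ever reach it.
gen_bad_rules() {
    gen_rules | awk '
        $0 == "-A INPUT -i lo -j ACCEPT" { next }
        $0 == "-A INPUT -j DROP" { print; print "-A INPUT -i lo -j ACCEPT"; next }
        { print }'
}

# Check one saved ruleset file: succeed only if the catch-all DROP is the
# last INPUT rule and the loopback ACCEPT comes somewhere before it.
check_rules() {
    awk '
        /^-A INPUT / {
            n++
            if ($0 == "-A INPUT -i lo -j ACCEPT") lo = n
            if ($0 == "-A INPUT -j DROP") drop = n
        }
        END {
            if (drop == 0 || drop != n) {
                print "FAIL: catch-all DROP is missing or not the last INPUT rule"; exit 1
            }
            if (lo == 0 || lo > drop) {
                print "FAIL: loopback ACCEPT is missing or comes after the DROP"; exit 1
            }
            print "OK: " n " INPUT rules, DROP last, loopback accepted before it"
        }' "$1"
}

# Usage: write the file, check it, and only then hand it to iptables-restore
# (the sudo line is printed, not executed, so the example stays root-free).
demo() {
    rules=$(mktemp)
    gen_rules > "$rules"
    if check_rules "$rules"; then
        echo "would now run: sudo iptables-restore < $rules"
    fi
    gen_bad_rules > "$rules"
    check_rules "$rules" || echo "refusing to load a misordered ruleset"
    rm -f "$rules"
}

demo
```

The check is deliberately narrow: it only encodes the two ordering facts this page teaches. In practice you would run it against the file you actually save with iptables-save, before the pre-up line in /etc/network/interfaces ever loads it, since a misordered file that locks out loopback or ssh is much harder to fix after a reboot than before.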
Disabling the firewall
If you need to disable the firewall temporarily, you can flush all the rules using
# sudo iptables -F
Easy configuration via GUI
A newbie can use Firestarter (a GUI), available in the repositories (Synaptic or apt-get), to configure his/her iptables rules without needing command-line knowledge. Please see the tutorial though... Configuration is easy, but may not be enough for the advanced user. However, it should be enough for most home users... The (read: my) suggested outbound configuration is "restrictive", whitelisting each connection type whenever you need it (port 80 for http, 443 for secure http -https-, 1863 for msn chat etc.) from the "policy" tab within Firestarter. You can also use it to see active connections from and to your computer... The firewall stays up once it is configured using the wizard. Dialup users will have to specify in the wizard that it should start automatically on dial-up.
Homepage for Firestarter: http://www.fs-security.com/ (again, available in the repositories, no compiling required)
Tutorial: http://www.fs-security.com/docs/tutorial.php
Personal note: Unfortunately, it does not have the option to block (or ask the user about) connections of specific applications/programs... Thus, my understanding is that once you enable port 80 (i.e. for web access), any program that uses port 80 can connect to any server and do anything it pleases...
Further Information
[http://iptables-tutorial.frozentux.net/iptables-tutorial.html Iptables Tutorial]
[http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html Iptables How To]
[http://www.netfilter.org/documentation/ Netfilter and Iptables Multilingual Documentation]
[http://easyfwgen.morizot.net/gen/ Easy Firewall Generator for IPTables]
Credits
Thanks to Rusty Russell and his How-To, as much of this is based off that.
IptablesHowTo (last edited 2008-08-06 16:25:16 by localhost)