Fedora 14: firewall (iptables)

By default the iptables firewall stores its configuration in the file /etc/sysconfig/iptables.

Use the following commands to disable the iptables firewall (show its status, save the current rules, stop it, and keep it from starting at boot):

service iptables status
service iptables save
service iptables stop
chkconfig iptables off

To see what rulesets we currently have in place, execute:

iptables -L

The output is split into three built-in chains:

  • INPUT – Holds rules for traffic directed at this server
  • FORWARD – Holds rules for traffic that will be forwarded on to an IP behind this server
  • OUTPUT – Holds rules for traffic that is going from this server out to the internet

These rules are organized into groups called chains. A chain is a set of rules that a packet is checked against sequentially. When the packet matches one of the rules, the associated action is executed and the packet is not checked against the remaining rules in the chain. So in the first listing below, rules 3 and 4 will never be reached, because the REJECT rule above them matches everything:

-- Wrong --
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  192.168.1.0          anywhere             tcp dpt:mysql /* 3 */
ACCEPT     all  --  192.168.1.1          anywhere                           /* 4 */
 
-- Correct --
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.1.0          anywhere             tcp dpt:mysql /* 3 */
ACCEPT     all  --  192.168.1.1          anywhere                           /* 4 */
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
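The ordering mistake above is easy to spot in four rules and easy to miss in forty. The following script is an added example (not part of the original note) that scans an `iptables -L INPUT` listing and reports every rule that sits behind a catch-all REJECT or DROP (protocol all, any source, any destination, no extra match). The two listings embedded in it are constructed copies of the wrong and correct chains shown above.

```shell
#!/bin/sh
# Report INPUT rules shadowed by an earlier catch-all REJECT/DROP rule.
# Rule numbers match what `iptables -L INPUT --line-numbers` would print.

# Constructed listing: the "Wrong" chain from the note (reject before the accepts).
WRONG='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  192.168.1.0          anywhere             tcp dpt:mysql
ACCEPT     all  --  192.168.1.1          anywhere'

# Constructed listing: the "Correct" chain (reject last).
CORRECT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.1.0          anywhere             tcp dpt:mysql
ACCEPT     all  --  192.168.1.1          anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited'

# shadowed_rules LISTING
# Prints, one per line, the numbers of rules that can never match because a
# catch-all REJECT/DROP precedes them. Prints nothing when the chain is sane.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        NR <= 2 || NF == 0 { next }        # skip "Chain ..." line, header, blanks
        { n++ }                            # n = rule number within the chain
        catchall { print n; next }         # anything after the catch-all is dead
        ($1 == "REJECT" || $1 == "DROP") && $2 == "all" &&
        $4 == "anywhere" && $5 == "anywhere" &&
        ($6 == "" || $6 == "reject-with") { catchall = 1 }
    '
}

# On a live Fedora box: shadowed_rules "$(iptables -L INPUT)"
echo "Wrong chain, shadowed rules:"
shadowed_rules "$WRONG"      # prints 3 and 4
echo "Correct chain, shadowed rules:"
shadowed_rules "$CORRECT"    # prints nothing
```

The heuristic only flags rules behind a REJECT/DROP with no match criteria at all; a reject that is restricted to one protocol or source is not treated as a catch-all.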

Mainly we will be dealing with traffic directed at this server, so we will be issuing rules for the INPUT chain. When a packet passes through the kernel, a TARGET is chosen based on which rule (if any) the packet matches. General targets are:

  • ACCEPT – Traffic is accepted for delivery
  • REJECT – Traffic is rejected, sending a packet back to the sending host
  • DROP – The traffic is dropped. Nothing is sent back to the sending host

Also note that nothing you change with the iptables command is saved to disk until you write the running ruleset to /etc/sysconfig/iptables (iptables-save alone only prints the rules to standard output):

iptables-save > /etc/sysconfig/iptables

On Fedora the command "service iptables save" used above does the same thing.

The following is a list of common rules:

# HTTP - Port 80
iptables -I INPUT 1 -p tcp --dport http -j ACCEPT

# HTTPS / SSL - Port 443
iptables -I INPUT 1 -p tcp --dport https -j ACCEPT

# SSH - Port 22
iptables -I INPUT 1 -p tcp --dport ssh -j ACCEPT

# FTP - Port 21 (control) and 20 (data)
iptables -I INPUT 1 -p tcp --dport ftp -j ACCEPT
iptables -I INPUT 1 -p tcp --dport ftp-data -j ACCEPT

# MySQL - Port 3306 - only from source 192.168.0.1 (appended, so it lands before a trailing REJECT only if you add it before the REJECT rule)
iptables -A INPUT -p tcp -s 192.168.0.1 --dport 3306 -j ACCEPT
# To remove this rule again, repeat it with -D instead of -A
iptables -D INPUT -p tcp -s 192.168.0.1 --dport 3306 -j ACCEPT

# Write the running rules to /etc/sysconfig/iptables so they survive a reboot
service iptables save
