Chapter 7. Firewalls
Warning
The IPChains and IP6Tables services must be stopped before the IPTables service can be used. Stop them with the following commands:
service ipchains stop
service ip6tables stop
To make IPTables start by default whenever the system is booted, change the runlevel status of the service using chkconfig:
chkconfig --level 345 iptables on
The syntax of iptables is separated into tiers. The main tier is the chain. A chain corresponds to the point in a packet's path through the kernel at which the packet is examined and manipulated. For example:
iptables -P OUTPUT ACCEPT
The -P option sets the default policy of a chain, that is, the action taken on any packet that matches none of the rules in the chain. The OUTPUT chain is traversed by packets that the firewall host itself generates (for example, a connection from the firewall to a remote website); packets from LAN clients that merely pass through the firewall on their way out traverse the FORWARD chain instead. In the example above, the policy states that all packets originating on the firewall host are allowed out. This is usually an acceptable rule for administrators because the likelihood of dangerous packets going out to an untrusted carrier network such as the Internet is small compared to that of malicious packets coming into the local network. Keep in mind, however, that an ACCEPT policy on OUTPUT does nothing to contain a host that has already been compromised; egress filtering is a separate decision. The three built-in chains of the iptables filter table (the chains that every packet arriving at, leaving, or passing through the host traverses) are INPUT, OUTPUT, and FORWARD. These chains are permanent and cannot be deleted, whereas user-defined chains can be.
Some basic rules established from the outset can serve as a foundation for building more detailed, user-defined rules. For example, you may want to allow all connections originating from the firewall host by default and then customize unique cases with their own rule sets. Accepting all OUTPUT by default is a sufficient foundation to build upon for outbound connections. It is also recommended that, by default, all incoming connections be denied by your firewall. The following command sets the INPUT policy so that every incoming packet not explicitly accepted by a rule is silently dropped:
iptables -P INPUT DROP
Note that a chain policy must be a built-in target such as ACCEPT or DROP. REJECT is an extension target that is valid only in a rule (-j REJECT), and iptables refuses it as a policy. Note also that with an INPUT policy of DROP, the replies to the firewall's own outbound connections are dropped as well unless a rule accepts them (for example, a rule matching ESTABLISHED and RELATED connections).
Additionally, it is recommended that forwarded packets (network traffic that is routed through the firewall to its destination node) be denied as well, to restrict internal clients from inadvertent exposure to the Internet (for example, if a LAN user accidentally turns on a service on some arbitrary port, your network becomes vulnerable because of that machine's service). To do this, use the following command:
iptables -P FORWARD DROP
After setting basic rules, you can create new rules for your particular network and security requirements. The following sections outline some common rules you may implement in the course of building your iptables firewall.
7.1.2.1. Saving and Restoring IPTables Rules
Firewall rules entered with the iptables command live only in kernel memory and are lost when the system reboots, at which point the chains return to their empty defaults. To save the current rules so that the iptables init script loads them again at boot, use the following command, which writes them to /etc/sysconfig/iptables:
service iptables save
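The baseline described above (accept the firewall host's own outbound traffic, drop unsolicited inbound traffic and all forwarded traffic) written out as the ruleset that `service iptables save` stores in /etc/sysconfig/iptables. This is an added example, not code from the Red Hat guide; the loopback and ESTABLISHED,RELATED rules are assumptions of a typical host that the guide's text does not include, and the `--apply` option is a convenience of this script only.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): the baseline filter-table
# policy from this section, emitted in iptables-restore format, which is
# also the format `service iptables save` writes to /etc/sysconfig/iptables.
# Run with --apply as root to load it; without arguments it only prints it.

baseline_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is local-only traffic; many local services break without this.
-A INPUT -i lo -j ACCEPT
# OUTPUT is ACCEPT, but the replies to the firewall's own connections come
# back on INPUT and would hit the DROP policy without this rule (assumed
# addition; the guide's text does not include it).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything else inbound or forwarded is dropped by the chain policies.
COMMIT
EOF
}

# Only built-in targets may be chain policies; REJECT is a rule target
# (-j REJECT) and iptables refuses it with -P.
policy_is_valid() {
    case "$1" in
        ACCEPT|DROP) return 0 ;;
        *) return 1 ;;
    esac
}

# Check, without root or a kernel, that the generated ruleset sets the
# expected policy on a chain, e.g.: ruleset_has_policy INPUT DROP
ruleset_has_policy() {
    policy_is_valid "$2" || return 1
    baseline_ruleset | grep -q "^:$1 $2 \["
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply rules" >&2; exit 1; }
    baseline_ruleset | iptables-restore   # loads the whole ruleset at once
    service iptables save                 # persists it for the next boot
else
    baseline_ruleset
fi
```

Loading with iptables-restore rather than a sequence of iptables commands avoids the window in which the policy is already DROP but the accept rules are not yet in place, which would cut off an administrator working over SSH on the firewall host.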