Iptables
From Cheatsheet
Iptables is the native firewall on Red Hat and other distros. You have to enter some commands to get it to work, because by itself it doesn't look like it's doing anything, and you won't find it in /etc/init.d/ like a good little daemon; the commands are run from
/sbin/iptables
- online iptables generator
- Good iptables overview here or Redhat or Wikipedia
The Basics
- first list what you're starting with by running:
/sbin/iptables -L
if you see something like:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
and then nothing below it, it means you don't have any rules, you need rules to start blocking stuff.
- service iptables save
- you have to save what you just did, or it will be gone on reboot
There are 4 kinds of traffic Iptables can handle, it can route:
- INPUT
- stuff coming into computer
- OUTPUT
- stuff coming out of computer
- NAT
- translate an IP address to some other address, usually for security reasons, or to share a connection
- FORWARD
- stuff going through computer to some other computer
it runs every packet through a chain, and the first rule in that chain that matches the packet decides what happens to it.
- -s is source
- -d is destination
- -j ACCEPT, DENY, or DROP tells what to do with it
- DENY sends a message back to whoever sent it telling them we're not accepting connections, DROP just ignores it and does nothing.
- -A tells what chain to put it on the end of the rule list, either the INPUT OUTPUT or FORWARD list of rules
- -I tells it to insert your rule somewhere in the list, but not necessarily at the end, you can also specify where you want it using "INPUT 2" or similar
- -p tells what protocol, so TCP, UDP, or ICMP, most of the time you want TCP
- --destination-port tells which port, so like 22 for ssh
- --source-port same thing but for the port the packet is coming from
- -i is the incoming interface, like eth0
- -o is the outgoing interface
iptables -A INPUT -s 200.200.200.5 -j DROP
so that would block (or ignore really) all the incoming stuff from that ip (200.200.200.5)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
sets a default policy of not allowing any incoming, outgoing, or forwarded traffic, this is if you want everything locked down initially, then allow each thing with an individual rule later
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
NAT's port 80 to port 8080, kinda nice
Setting up your machine as a Gateway for others inside a LAN
You have to use the MASQUERADE feature if you want the boxes inside your LAN to be on a different IP range, along with some other trickiness. This howto is for when you have one externally facing computer and you want to stick a bunch of computers behind it and let them all share the connection/talk to each other/etc. It assumes you have 2 ethernet cards, 1 facing the public, 1 facing the inside of your network. I did this on Redhat, but except for the interface configuration, it would also work on Debian variants. It assumes your external interface eth0 is set using simple DHCP and your cable modem happened to give it the IP of 10.1.10.43, adjust those settings if it gave you something different. You'll need to know your external nameserver IP's too.
we will:
- add stuff to iptables (your firewall) to route internal connections using the MASQUERADE function, which rewrites the source address of packets leaving an interface to whatever address that interface currently has, so it keeps working when DHCP changes your public IP
- configure the second interface
- set up DHCP so it will find incoming requests, give them an IP and send them on their way to the public network through eth0
| iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | lets everything that comes through eth1 (your internal network) go out through the eth0 (your public facing internet connection) |
| service iptables save | saves the change you just made |
| echo 1 > /proc/sys/net/ipv4/ip_forward | tells your kernel you really want to forward stuff, since iptables is a kernel thing |
| vi /etc/sysconfig/network | |
| FORWARD_IPV4=YES | add this line to that file, that way it will forward after you reboot |
| vi /etc/sysctl.conf | uncomment the net.ipv4.conf.default.forwarding=1 line |
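Putting the basics (default DROP policies, -A, -i/-o, -j) and the gateway MASQUERADE rule together, here is an added example of a complete stateful ruleset for the two-card gateway described above; it is not from the original page. It assumes eth0 is the public side and eth1 the 192.168.0.0/24 LAN, and it prints the rules instead of applying them unless you run it as root with IPT=/sbin/iptables. Note that the target which sends a refusal back (what the page calls DENY) is spelled REJECT in iptables.

```shell
#!/bin/sh
# Added example (not from the page). IPT defaults to "echo" so you can review the
# rules; run as root with IPT=/sbin/iptables to actually load them.
# The page's ip_forward sysctl must still be set for FORWARD to do anything.
IPT="${IPT:-echo}"
WAN=eth0                 # public interface (assumption from the page)
LAN=eth1                 # internal interface (assumption from the page)
LAN_NET=192.168.0.0/24   # range handed out by the dhcpd.conf on the page

gateway_rules() {
    # start from a clean slate
    $IPT -F
    $IPT -t nat -F
    # default policies: drop anything not explicitly allowed in or through,
    # but let the gateway itself talk out
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # local processes talking to themselves
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to connections the gateway or the LAN already opened
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # anti-spoofing: LAN addresses must never arrive on the public side
    $IPT -A INPUT -i $WAN -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $WAN -s $LAN_NET -j DROP
    # services the LAN may use on the gateway: ssh and the DHCP server
    $IPT -A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
    # new connections only from the LAN towards the internet, never the reverse
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT
    # inside machines get a polite refusal, outsiders get silence (policy DROP)
    $IPT -A INPUT -i $LAN -p tcp -j REJECT --reject-with tcp-reset
    # rewrite LAN source addresses to eth0's current address on the way out
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
}

gateway_rules
```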
Now we have to set up DHCP on eth1 so you can connect up all your computers on the inside of your gateway to access the internet
| yum install dhcp | installs the dhcp server with a sample file you have to copy to the real one for it to work |
| cd /usr/share/doc/dhcp-whateverversionyouhave/ | look at the example there called dhcpd.conf.sample, it has a basic setup that should work on the 192.168.0.x network, so your gateway on the client would be 192.168.0.1, and your clients would have an IP range of 192.168.0.128-254 |
here's what mine looked like after I edited it to tweak stuff
ddns-update-style none; # keep it simple for now
ignore client-updates; # here too
# DHCPARGS=eth1 is not dhcpd.conf syntax and makes configtest fail; on Red Hat the
# interface to listen on goes in /etc/sysconfig/dhcpd as DHCPDARGS=eth1
subnet 192.168.0.0 netmask 255.255.255.0 {
    # --- default gateway
    option routers 192.168.0.1; # local gateway
    option subnet-mask 255.255.255.0; # local subnet mask
    option nis-domain "domain.org"; # use your domain
    option domain-name "cox-sd.net"; # domain name given to client
    option domain-name-servers 209.242.10.10; # the IP of your ISP's nameservers you're using
    option time-offset -18000; # Eastern Standard Time
    range 192.168.0.128 192.168.0.254; # the range of IP's your clients will get
    default-lease-time 21600; # how long the clients will keep the same IP
    max-lease-time 43200;
    # we want the nameserver to appear at a fixed address
    # (this host block came from the sample file; it only applies to a client whose
    # MAC matches the hardware line, so it can be left out)
    host ns {
        next-server ns1.cox.net; # your ISP's nameservers
        hardware ethernet 00:09:5B:8E:05:67; # not sure really
        fixed-address 209.242.128.100; # your ISP's nameserver IP
    }
}
| cp dhcpd.conf.sample /etc/dhcpd.conf | overwrite the placeholder file in /etc/ so it will start reading your new one |
| service dhcpd configtest | test your configuration for errors before you start it up |
| service dhcpd start | watch for errors |
now you want to set up your eth1 (inside network) interface
GATEWAY=10.1.10.1
TYPE=Ethernet
DEVICE=eth1
HWADDR=00:1a:a0:37:26:e3
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.0.1
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=yes
the GATEWAY line tells it to use your eth0 gateway as the gateway, the rest is pretty straightforward (hopefully). Next you have to tell your computer to listen for the telltale DHCP request to come across the inside network. When a client computer goes looking for a DHCP address, it sends out a broadcast to anyone that'll listen, addressed to 255.255.255.255, so you have to tell your DHCP server to listen for that address on eth1.
| route add -host 255.255.255.255 dev eth1 | when a client tries to get a DHCP address it sends the request to anyone who'll listen with an address of 255.255.255.255, so this is what your server has to be told to respond on with the eth1 interface |
