1. University of Science and Technology
The Faculty of Computer and Information Technology
Postgraduate studies
Master of Information Technology
Network Administration
Firewall (iptables)
Prepared by:
Mohaned Mahmoud Ahmed
Mohamed Izzalden Mohamed
Khalid Abdelazim Ahmed
Baraa ali Abdallah
Supervisor:
Mr. Ekrma Abdelgani
2. What is a Firewall?
A firewall is hardware, software, or a combination of both that is used to prevent
unauthorized programs or Internet users from accessing a private network
and/or a single computer.
A set of related programs that protects the resources of a private network from
users from other networks.
A mechanism for filtering network packets based on information contained
within the IP header.
3. Linux Firewall Programs:
ipfwadm: Linux kernel 2.0.34
ipchains: Linux kernel 2.2
iptables: Linux kernel 2.4 and above
4. What Is iptables?
It is the firewall package available in the Linux operating system. It was previously known
as ipchains; it later gained capabilities such as NAT and routing. Some other
improvements are:
Better integration with the Linux kernel, so improved speed and reliability.
Stateful packet inspection.
Filter packets according to TCP header and MAC address.
System logging that provides the option of adjusting the level of detail of the
reporting.
Better network address translation.
Support for transparent integration with such Web proxy programs as Squid.
A rate limiting feature that helps iptables block some types of denial of service (DoS)
attacks.
6. The core of the firewall consists of four parts:
tables, chains, matches and targets.
A system administrator is able to define an iptables policy, i.e. tables of chains, which
describe how the kernel should react to different groups of packets. Rules are
used to create a chain, a collection of rules that is applied to every packet. There are
five predefined chains:
INPUT: used for packets coming into the box itself.
OUTPUT: used for locally-generated packets before routing.
FORWARD: used for packets being routed through the box.
PREROUTING: used for incoming packets before routing.
POSTROUTING: used for packets as they are about to leave iptables.
8. Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.
Post-routing chain: NATs packets when the source address of the packet needs to be changed.
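As an added example (not from the slides), the script below emits a minimal ruleset in the format that iptables-save writes and iptables-restore reads, placing each job on the chain described above. It assumes a two-interface box with eth0 outside and eth1 inside, and a constructed internal web server address 10.0.0.80.

```shell
#!/bin/sh
# Added example: generate an iptables-restore-format ruleset that shows which
# chain does what. Interface names and addresses are assumed/constructed.
LAN_IF="eth1"          # assumed inside interface
WAN_IF="eth0"          # assumed outside interface
WEB_SERVER="10.0.0.80" # constructed address of an internal web server

build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: packets addressed to the firewall box itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
# FORWARD: packets routed through the box (LAN to Internet, and DNAT'd web traffic)
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# PREROUTING: change the destination before routing (publish the web server)
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER
# POSTROUTING: change the source as packets leave (hide the LAN behind the WAN address)
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# count_rules CHAIN: number of -A rules the generated set holds for CHAIN
count_rules() {
    build_ruleset | grep -c "^-A $1 "
}

# Typical use: build_ruleset > /etc/sysconfig/iptables, then iptables-restore < that file
build_ruleset
```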
9. Installing iptables:
Most Linux distros, including Redhat / CentOS Linux, install iptables by default. You
can use the following procedure to verify whether iptables has been installed in
Redhat.
11. If the above message does not appear, then type the following command to install iptables:
To Start iptables:
You can start, stop, and restart iptables after booting by using the
commands:
[root@localhost ~]# service iptables start
[root@localhost ~]# service iptables stop
[root@localhost ~]# service iptables restart
To get iptables configured to start at boot, use the chkconfig command:
[root@localhost ~]# chkconfig iptables on
12. Determining The Status of iptables:
You can determine whether iptables is running or not via the service iptables status command:
[root@localhost ~]# service iptables status
13. Targets And Jumps:
Each firewall rule inspects each IP packet and then tries to identify it as
the target of some sort of operation. Once a target is identified, the
packet needs to jump over to it for further processing.
15. Important Iptables Command Switch
Operations:
Each line of an iptables script not only has a jump, but also a number
of command line options that are used to append rules to chains that match your
defined packet characteristics, such as the source IP address and TCP port. There
are also options that can be used to just clear a chain so you can start all over
again.
17. Example
Allow Ping from Outside to Inside:
The following rules allow outside users to be able to ping your servers.
19. Example cont.
Block Specific IP Address in IPtables Firewall
If you find an unusual or abusive activity from an IP address you can block that IP
address with the following rule:
# iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
20. Example cont.
Block Specific Port on IPtables Firewall
Sometimes you may want to block incoming or outgoing connections on a specific
port. It is a good security measure and you should really think about it when
setting up your firewall.
To block outgoing connections on a specific port use:
# iptables -A OUTPUT -p tcp --dport xxx -j DROP
To allow incoming connections use:
# iptables -A INPUT -p tcp --dport xxx -j ACCEPT
21. Example cont.
Flush IPtables Firewall Chains or Rules
If you want to flush your firewall chains, you can use:
# iptables -F
You can flush chains from a specific table with:
# iptables -t nat -F
22. Example cont.
Save IPtables Rules to a File
If you want to save your firewall rules, you can use the iptables-save command. You can use the following to
save and store your rules in a file:
# iptables-save > ~/iptables.rules
23. Example cont.
Restore IPtables Rules from a File
If you want to restore a list of iptables rules, you can use iptables-restore. The command looks like this:
# iptables-restore < ~/iptables.rules
24. Example cont.
Disable Outgoing Mails through IPTables
If your system should not be sending any emails, you can block outgoing connections on the
SMTP ports. Matching several ports in one rule needs the multiport match, for example:
# iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT
25. Prevent DoS Attack:
The following iptables rule will help you prevent a Denial of Service (DoS)
attack on your webserver.
In the above example:
-m limit: This uses the limit iptables extension.
--limit 25/minute: This allows a maximum of 25 connections per minute.
Change this value based on your specific requirement.
--limit-burst 100: This value indicates that the limit/minute will be enforced
only after the total number of connections has reached the limit-burst level.
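Added example (not part of the presentation): a small POSIX shell model of the token bucket that the limit match implements, using the 25/minute rate and burst of 100 quoted above and constructed packet arrival times. It shows the burst being spent first and the per-minute rate applying only once the burst is gone.

```shell
#!/bin/sh
# Added example: model "-m limit --limit 25/minute --limit-burst 100" as a token
# bucket. One token is worth 60000 credits, so 25/minute refills 25 credits per ms.
LIMIT_PER_MIN=25
BURST=100
TOKEN=60000                      # credits in one token (one matching packet)
CAPACITY=$((BURST * TOKEN))      # bucket starts full, i.e. the burst is available

# limit_sim "t1 t2 ..." : packet arrival times in ms; prints "matched notmatched"
limit_sim() {
    credits=$CAPACITY
    last=0
    matched=0
    unmatched=0
    for t in $1; do
        credits=$((credits + (t - last) * LIMIT_PER_MIN))  # refill since last packet
        if [ "$credits" -gt "$CAPACITY" ]; then
            credits=$CAPACITY                               # never exceed the burst
        fi
        last=$t
        if [ "$credits" -ge "$TOKEN" ]; then
            credits=$((credits - TOKEN))                    # rule matches: spend a token
            matched=$((matched + 1))
        else
            unmatched=$((unmatched + 1))                    # rule does not match
        fi
    done
    echo "$matched $unmatched"
}

# seq_times N STEP : N arrival times STEP ms apart, starting at 0 (constructed traffic)
seq_times() {
    i=0; out=""
    while [ "$i" -lt "$1" ]; do
        out="$out $((i * $2))"
        i=$((i + 1))
    done
    echo "$out"
}

# A flood of 1000 connections in one second: the first 100 (the burst) match, the rest do not
limit_sim "$(seq_times 1000 1)"    # prints "100 900"
# Normal traffic, one connection every 3 s (20/min, under the 25/min rate): all match
limit_sim "$(seq_times 100 3000)"  # prints "100 0"
```

Packets that do not match the limit rule fall through to whatever rule or default policy follows it, which is where the DROP for excess traffic belongs.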
26. Saving iptables Scripts:
The above command permanently saves the iptables configuration in the
/etc/sysconfig/iptables file. When the system reboots, the iptables-restore program
reads the configuration and makes it the active configuration.