HOWTO Setup iptables: Difference between revisions

Line 57: Line 57:


[[example_webserver_nfs_keyserver_iptable_ruleset|Example 3 - /etc/iptables.bak for a web-server with both http and https, nfs-client, amanda-tape-backup-client, SSH connectivity, a Sassafrass keyserver, a flexlm license-server, and monitoring by nagios]]
[[example_webserver_nfs_keyserver_iptable_ruleset|Example 3 - /etc/iptables.bak for a web-server with both http and https, nfs-client, amanda-tape-backup-client, SSH connectivity, a Sassafrass keyserver, a flexlm license-server, and monitoring by nagios]]
[[example_ldap_samba_iptable_ruleset|Example 4 - /etc/iptables.bak for samba-server, LDAP, amanda-tape-backup-client, SSH connectivity, and monitoring by nagios]]


==Scripting the Rules==
==Scripting the Rules==

Revision as of 17:48, 30 January 2008

Kernel Configuration

NOTE: This configuration is for basic firewalling only; we don't do NAT/packet-forwarding. So, if you're reading this and wish to use NAT/forwarding, you will be missing a few key configuration items :-O

   Typical kernel options (kernel 2.6.22 and higher) for our very-basic firewalling:

Networking  ---->
 Networking options  ---->
  Network packet filtering framework (Netfilter)--->
   Core Netfilter Configuration ---->
    ["enable"] Netfilter connection tracking support--->Layer 3 Independent Connection tracking
    ["enable"] Netfilter Xtables support (required for ip_tables)
    ["enable"] "state" match support 
   IP: Netfilter Configuration --->
    ["enable"] IPv4 connection tracking support (required for NAT) -- required by "Layer 3 Independent Connection tracking" above (caused many headaches)
    ["enable"] IP tables support (required for filtering/masq/NAT)
    ["enable"]   Packet Filtering
    ["enable"]     REJECT target support

Iptables Installation

hostname ~ # emerge iptables
hostname ~ # rc-update add iptables default

Usually, when you try to start a new installation of iptables, you get an error, sometimes like this:

 hostname ~ # /etc/init.d/iptables start
* Not starting iptables.  First create some rules then run:
* /etc/init.d/iptables save

Or, you may see this kind of error:

FATAL: Module ip_tables not found.
iptables v1.3.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Occasionally, there are complaints about "mangle"... it may be that there is some previous ruleset which included NAT/forwarding. For our application, we do not need mangling-capability!
In any of the above startup cases, we will manually start iptables (that is, not using the init-script), and give it a very-simple command-line rule, just to get iptables going:

hostname ~ # /sbin/iptables -A INPUT -i lo -j ACCEPT

This usually (should!) results in a very simple, default "all-pass" ruleset, which doesn't actually do anything except keep the init-scripts happy:

hostname ~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

We then use the init-script to save our ruleset, which will at least then allow iptables to start properly the next time with the init-scripts:

hostname ~ # /etc/init.d/iptables save
* Saving iptables state ...

Creating iptables Rulesets

To develop rulesets, a great starting-point is often to see what ports are currently in use, and reckon that these may need to be opened through our firewall in order for the server to perform its intended function. So, let's see what ports are in use, and by what programs/services:

hostname ~ # netstat -alnp


On a complex server, there can be many, many unfamiliar ports open, and some may vary with each invocation of the associated program :-( Google around, and first see if you can identify all the services. Then, see if you can nail down these services to always use a known/specific port. Some examples are provided below, which may help.
In a worst-case scenario, you may decide it's too scary to actually begin blocking ports and breaking services to users. While this is a crummy approach, it can work OK with fail2ban! So, you will gain some protection anyway, against dictionary-attacks. This basically starts with our all-pass default filter (shown above), with the fail2ban script invocation adding a few extra lines for you to perform its blocking.
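One way to turn the netstat listing described above into a first draft of a ruleset script, as an added example (not one of this page's own linked rulesets). The function names `netstat_to_rules` and `make_ruleset` and the sample listing are constructed for illustration; the script only prints iptables commands for review and never runs them.

```shell
#!/bin/sh
# Added example: turn `netstat -lnp`-style output into CANDIDATE iptables rules.
# It only prints commands for review; it never runs iptables itself.

netstat_to_rules() {
    awk '
    {
        # TCP listeners carry State=LISTEN; UDP rows have no State column,
        # so an unconnected UDP socket is recognised by its "*" foreign port.
        if ($1 ~ /^tcp6?$/ && $6 == "LISTEN")   { proto = "tcp"; prog = $7 }
        else if ($1 ~ /^udp6?$/ && $5 ~ /:\*$/) { proto = "udp"; prog = $6 }
        else next

        port = $4; sub(/.*:/, "", port)        # text after the last colon
        host = $4; sub(/:[0-9]+$/, "", host)   # bind address without the port
        # Loopback-only services are already covered by "-i lo -j ACCEPT".
        if (host == "127.0.0.1" || host == "::1") next
        if (seen[proto "/" port]++) next       # same port on tcp and tcp6
        sub(/^[0-9]+\//, "", prog)             # "2301/sshd" -> "sshd"
        printf "iptables -A INPUT -p %s --dport %s -m state --state NEW -j ACCEPT  # %s\n", proto, port, prog
    }'
}

# Wrap the candidates in a minimal INPUT-only skeleton (assumed layout):
# loopback, established traffic, the per-port rules, then REJECT the rest.
make_ruleset() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    netstat_to_rules
    echo "iptables -A INPUT -j REJECT"
}

# Constructed sample input (not captured from a real host).
SAMPLE='Proto Recv-Q Send-Q Local Address    Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*           LISTEN      2301/sshd
tcp        0      0 127.0.0.1:3306   0.0.0.0:*           LISTEN      2410/mysqld
tcp        0      0 0.0.0.0:80       0.0.0.0:*           LISTEN      2555/apache2
tcp6       0      0 :::80            :::*                LISTEN      2555/apache2
tcp        0      0 192.0.2.10:22    198.51.100.7:51514  ESTABLISHED 3100/sshd
udp        0      0 0.0.0.0:123      0.0.0.0:*                       2290/ntpd'

printf '%s\n' "$SAMPLE" | make_ruleset
```

Treat every printed line as a question rather than an answer: a service that is listening is not necessarily one that should be reachable from the network, so delete or narrow (for example with `-s`) each rule before saving the result as /etc/iptables.bak.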

Example 1 - very-basic /etc/iptables.bak to prevent breaking extensive/weird/complex services

Example 2 - /etc/iptables.bak for a web-server with vsftpd upload, also SSH connectivity, and being monitored by nagios

Example 3 - /etc/iptables.bak for a web-server with both http and https, nfs-client, amanda-tape-backup-client, SSH connectivity, a Sassafrass keyserver, a flexlm license-server, and monitoring by nagios

Example 4 - /etc/iptables.bak for samba-server, LDAP, amanda-tape-backup-client, SSH connectivity, and monitoring by nagios

Scripting the Rules

Once iptables is up-and-running, simply execute one of the scripts below to implement the policies. Or, use these scripts as a basis for your own similar-but-custom rulesets, which Google can help you with. Our standard is to save the ruleset-script as /etc/iptables.bak. So, once iptables is running (in very-basic form), invoking the ruleset-script is very simple:

hostname ~ # sh /etc/iptables.bak

Save the configuration:

hostname ~ # /etc/init.d/iptables save

And then back up your working configuration, so that if you break something later you can quickly revert:

hostname ~ # cp /var/lib/iptables/rules-save /var/lib/iptables/rules.working

Viewing/checking the active ruleset:

hostname ~ # iptables -L