How do I configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Red Hat Enterprise Linux?
Netfilter is the packet-filtering framework built into the Linux kernel, and iptables is the user-space program used to configure it. Both ship with the distribution, and on RHEL / CentOS / Fedora the firewall is activated by default. Because filtering takes place inside the kernel, a packet is accepted or dropped before any application gets a chance to process it.
Iptables Config File
The default config file for RHEL / CentOS / Fedora Linux is:
/etc/sysconfig/iptables - The init script (service iptables) activates the firewall by loading the rules stored in this file. It is in iptables-save / iptables-restore format, and "service iptables save" overwrites it with whatever rules are currently loaded, so edit either the file or the live rules, not both.
Task: Display Default Rules
Type the following command (-L lists the rules, -n skips reverse DNS lookups, --line-numbers shows the position you need for -I and -D):
# iptables --line-numbers -n -L
Sample outputs:
Chain INPUT (policy ACCEPT)
num  target               prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target               prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target               prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
8    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Task: Turn On Firewall
Type the following two commands to enable the firewall at boot and start it now:
# chkconfig iptables on
# service iptables start
To restart the firewall (this re-reads /etc/sysconfig/iptables):
# service iptables restart
To stop the firewall (this flushes all rules and resets the chain policies to ACCEPT):
# service iptables stop
Understanding Firewall
The filter table has three built-in chains; the default RHEL / CentOS / Fedora ruleset adds one user-defined chain:
1. INPUT - Built-in chain for packets addressed to this system. Use it to open or close incoming ports (such as 80, 25 and 110) and to allow or block source IP addresses / subnets (such as 202.54.1.20/29).
2. OUTPUT - Built-in chain for packets generated by this system. Use it to open or close outgoing ports and destination IP addresses / subnets.
3. FORWARD - Built-in chain for packets routed through this system to another interface, i.e. when Linux acts as a router. For example, with eth0 connected to an ADSL / cable modem and eth1 connected to the local LAN, the FORWARD chain decides which LAN traffic may reach the Internet and vice versa.
4. RH-Firewall-1-INPUT - User-defined chain created by the default ruleset. INPUT and FORWARD both jump to it (the "2 references" in the listing above), so this is where the actual filtering rules live. OUTPUT does not use it, which is why outgoing traffic is unrestricted by default.
Packet Matching Rules
1. Each packet starts at the first rule of the chain it enters.
2. The packet proceeds rule by rule until one matches.
3. If a match is found, control jumps to the rule's target: a verdict such as ACCEPT, DROP or REJECT, or a user-defined chain such as RH-Firewall-1-INPUT. If the user-defined chain finishes without reaching a verdict, evaluation resumes at the next rule of the calling chain.
4. If no rule matches, the chain's policy (the ACCEPT or DROP shown in the iptables -L header) decides the packet's fate.
Target Meanings
1. ACCEPT lets the packet through.
2. REJECT discards the packet and sends an error back to the sender (by default an ICMP port-unreachable; --reject-with selects another type, e.g. icmp-host-prohibited as in the default rules).
3. DROP discards the packet silently; the sender receives nothing and eventually times out.
4. LOG records the packet via the kernel log (/var/log/messages) but is not a verdict: evaluation continues with the next rule, so a LOG rule must be followed by a DROP or REJECT rule for the same match if the packet is to be discarded.
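The first-match rule is easy to get wrong when editing /etc/sysconfig/iptables by hand: a rule appended after a chain's unconditional REJECT or DROP is silently dead, and so is anything appended to INPUT after its jump into RH-Firewall-1-INPUT, because that chain never returns. The following script is added here as an example (it is not from the original article) and audits a ruleset in iptables-save format for such unreachable rules; the sample ruleset it checks is constructed for the demonstration.

```shell
#!/bin/bash
# audit_dead_rules: read a ruleset in /etc/sysconfig/iptables (iptables-save)
# format from stdin and report rules that can never match. A chain is evaluated
# top to bottom and stops at the first match, so once a chain contains an
# unconditional terminating rule (e.g. "-A CHAIN -j REJECT" with no match
# options), every rule appended after it is dead. An unconditional jump to a
# user chain that itself always terminates (the default
# "-A INPUT -j RH-Firewall-1-INPUT") makes the rest of the calling chain dead too.
audit_dead_rules() {
  awk '
    /^-A / {
      n++
      line[n] = $0
      chain[n] = $2
      target[n] = $4
      # "-A CHAIN -j TARGET" with nothing else, or REJECT carrying only its
      # --reject-with option, matches every packet.
      uncond[n] = ($3 == "-j" && (NF == 4 || ($4 == "REJECT" && $5 == "--reject-with")))
    }
    END {
      split("", ends); split("", term)
      # Fixed-point pass: ends[c] is the first rule index after which chain c
      # never continues; term[c] is the same but ignoring RETURN, because a
      # RETURN hands the packet back to the caller instead of deciding it.
      changed = 1
      while (changed) {
        changed = 0
        for (i = 1; i <= n; i++) {
          if (!uncond[i]) continue
          t = target[i]
          stop = (t == "ACCEPT" || t == "DROP" || t == "REJECT" || t == "RETURN" || (t in term))
          if (!stop) continue
          c = chain[i]
          if (!(c in ends) || i < ends[c]) { ends[c] = i; changed = 1 }
          if (t != "RETURN" && (!(c in term) || i < term[c])) { term[c] = i; changed = 1 }
        }
      }
      for (i = 1; i <= n; i++) {
        c = chain[i]
        if ((c in ends) && i > ends[c])
          printf "DEAD: %s\n      never reached, because rule %d (%s) terminates chain %s\n", line[i], ends[c], line[ends[c]], c
      }
    }
  '
}

# count_dead_rules: number of dead rules in the ruleset given on stdin
count_dead_rules() {
  audit_dead_rules | grep -c '^DEAD:' || true
}

# Constructed sample: the default RHEL ruleset with two common mistakes added,
# an HTTP ACCEPT appended after the REJECT and an anti-spoof LOG appended to
# INPUT after the jump into RH-Firewall-1-INPUT.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | audit_dead_rules
```

On a live system run it as `audit_dead_rules < /etc/sysconfig/iptables` or `iptables-save | audit_dead_rules`. It deliberately treats only rules with no match options as unconditional; a rule such as `-A INPUT -i eth0 -j DROP` is not flagged as a terminator because packets from other interfaces still pass it.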
/etc/sysconfig/iptables
Edit /etc/sysconfig/iptables, enter:
# vim /etc/sysconfig/iptables
You will see the default rules as follows:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Drop All Traffic By Default
Find the lines:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
Update as follows to change the default policy from ACCEPT to DROP for the INPUT and FORWARD built-in chains, so that any packet not matched by an explicit rule is discarded:
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
The final REJECT rule in RH-Firewall-1-INPUT already catches most such packets; the DROP policy is the safety net for when that rule is missing. Leave OUTPUT at ACCEPT unless you also write rules for traffic the host originates (DNS lookups, yum updates and so on), and keep the "-i lo -j ACCEPT" rule, which local services talking over 127.0.0.1 depend on once the policy is DROP. Note that a bare "iptables -F" flushes the rules but leaves the DROP policy in place and will lock out a remote SSH session; use "service iptables stop", which also resets the policies to ACCEPT, or keep a console open while testing.
Log and Drop Spoofed Source Addresses
Packets arriving on the Internet-facing interface (eth0 here) with a private, loopback, link-local, multicast or reserved source address are spoofed or misrouted and should never be processed. Two things matter when writing these rules. First, LOG does not stop a packet, so every LOG rule needs a matching DROP rule directly after it. Second, the pairs must be placed before the "-A INPUT -j RH-Firewall-1-INPUT" line, not before COMMIT: rules appended to INPUT after that jump are never reached, because RH-Firewall-1-INPUT ends with a REJECT (or DROP) that terminates every packet. Add the following lines above the jump:
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST "
-A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
-A INPUT -i eth0 -s 240.0.0.0/4 -j LOG --log-prefix "IP DROP RESERVED "
-A INPUT -i eth0 -s 240.0.0.0/4 -j DROP
-A INPUT -i eth0 -s 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK "
-A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK "
-A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 169.254.0.0/16 -j LOG --log-prefix "IP DROP LINKLOCAL "
-A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
-A INPUT -i eth0 -s 0.0.0.0/8 -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
240.0.0.0/4 covers all reserved space from 240.0.0.0 up to and including the 255.255.255.255 broadcast address, so no separate /5 or /32 entries are needed. Use these rules only on an interface that really faces the Internet: on a LAN interface the RFC 1918 rules would drop legitimate traffic, and dropping source 0.0.0.0/8 breaks DHCP clients. Consider adding "-m limit --limit 5/min" to each LOG rule so that a flood of spoofed packets cannot fill /var/log/messages.
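Once LOG rules are active, /var/log/messages fills with kernel lines such as "IP DROP SPOOF IN=eth0 OUT= ... SRC=10.1.2.3 DST=203.0.113.5 ... PROTO=TCP SPT=44321 DPT=22". The following awk-based shell function is added here as an example (not from the original article); it summarises those lines by log prefix, source, destination and protocol/port so that the noisiest spoofing source stands out. The log lines embedded in it are constructed samples in the format the LOG target emits.

```shell
#!/bin/bash
# summarize_drops: read syslog lines produced by the iptables LOG target on
# stdin and print one line per (prefix, source, destination, proto/port) with a
# hit count, most frequent first. A kernel LOG line has the shape
#   "... kernel: <prefix>IN=eth0 OUT= MAC=... SRC=a.b.c.d DST=... PROTO=TCP SPT=... DPT=..."
# so the prefix is whatever sits between "kernel: " and " IN=".
summarize_drops() {
  awk '
    /kernel: / && / IN=/ {
      prefix = $0
      sub(/.*kernel: /, "", prefix)
      sub(/ *IN=.*/, "", prefix)
      src = dst = proto = dpt = "-"
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue            # flags such as DF or SYN carry no value
        key = substr($i, 1, eq - 1)
        val = substr($i, eq + 1)
        if (key == "SRC") src = val
        else if (key == "DST") dst = val
        else if (key == "PROTO") proto = val
        else if (key == "DPT") dpt = val
      }
      hits[prefix "\t" src "\t" dst "\t" proto "/" dpt]++
    }
    END { for (k in hits) printf "%d\t%s\n", hits[k], k }
  ' | sort -rn
}

# Constructed sample log: two spoofed SYNs from the same RFC 1918 source, one
# packet aimed at the loopback range, one ordinary drop, and an unrelated sshd
# line that the function must ignore.
SAMPLE_LOG='Jun 12 10:15:01 web1 kernel: IP DROP SPOOF IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:16:3e:65:43:21:08:00 SRC=10.1.2.3 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:15:02 web1 kernel: IP DROP SPOOF IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:16:3e:65:43:21:08:00 SRC=10.1.2.3 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:15:07 web1 kernel: IP DROP LOOPBACK IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:16:3e:65:43:21:08:00 SRC=198.51.100.9 DST=127.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=51 ID=0 PROTO=UDP SPT=53 DPT=5353 LEN=8
Jun 12 10:15:09 web1 kernel: IP DROP IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:16:3e:65:43:21:08:00 SRC=192.0.2.77 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54321 PROTO=TCP SPT=60000 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:15:10 web1 sshd[2211]: Accepted publickey for admin from 192.168.1.20 port 50122 ssh2'

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On a real host feed it the kernel log, e.g. `grep 'IP DROP' /var/log/messages | summarize_drops`. The output is tab-separated so it can be piped straight into `cut` or `awk -F'\t'` for further filtering.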
Log and Drop All Traffic
Find the lines:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Update them as follows (LOG never stops a packet, so the DROP must follow it):
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
Replacing REJECT with DROP makes the host silent to port scans, but legitimate clients that hit a closed port now wait for a timeout instead of failing fast. As with the anti-spoofing rules, consider "-m limit --limit 5/min" on the LOG rule to prevent log flooding.
Open Ports
Every rule below goes into RH-Firewall-1-INPUT above its final catch-all rule (the REJECT line, or the LOG / DROP pair if you replaced it), not merely above COMMIT: rules are evaluated in order, and anything placed after a rule that matches every packet is never reached.
To open port 80 (HTTP server):
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
To open port 53 (DNS server), which needs both TCP and UDP:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -j ACCEPT
To open port 443 (HTTPS server):
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
To open port 25 (SMTP server):
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT
Only Allow SSH Traffic From 192.168.1.0/24
Replace the default rule that accepts port 22 from any source (-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT) with:
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
If the default rule is left in place the restriction has no effect, because the unrestricted rule is evaluated first and still matches.
Enable Printing Access (CUPS / IPP, port 631) For 192.168.1.0/24
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
Allow Legitimate NTP Clients (192.168.1.0/24) to Access the Server
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT
Open FTP Port 21 (FTP)
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
This opens only the control connection; FTP data connections are accepted by the ESTABLISHED,RELATED rule once the FTP connection-tracking helper is loaded (next step).
Save and close the file. For FTP the connection-tracking helper must be loaded, so edit /etc/sysconfig/iptables-config:
# vi /etc/sysconfig/iptables-config
Make sure the FTP module appears in the space-separated list of modules (on RHEL / CentOS 5 the module is ip_conntrack_ftp; on RHEL / CentOS 6 and current Fedora it is nf_conntrack_ftp):
IPTABLES_MODULES="ip_conntrack_ftp"
To restart the firewall and verify the loaded rules together with their packet counters, type:
# service iptables restart
# iptables -vnL --line-numbers
Check that the new ACCEPT rules are listed above the final REJECT / DROP rule; if they appear below it they are never evaluated.
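Putting the steps above together, the following script is added as an example (it is not part of the original article) and generates a complete /etc/sysconfig/iptables in the order the steps require: anti-spoofing LOG + DROP pairs before the jump into RH-Firewall-1-INPUT, SSH restricted to a trusted subnet, the public service ACCEPT rules above the final catch-all, and a rate-limited LOG followed by DROP at the end. The interface name, trusted subnet and port lists are assumptions passed in as arguments.

```shell
#!/bin/bash
# build_ruleset: print a complete /etc/sysconfig/iptables (iptables-restore
# format) with the rule order the firewall depends on:
#   1. anti-spoofing LOG + DROP pairs on INPUT *before* the jump into the user
#      chain (rules appended after the jump are never evaluated)
#   2. loopback, ICMP and ESTABLISHED,RELATED accepted first in the user chain
#   3. SSH only from the trusted subnet, then the public services
#   4. a final rate-limited LOG followed by DROP, after which nothing runs
# Arguments (assumed values for this example, not from the page):
#   $1  Internet-facing interface, e.g. eth0
#   $2  trusted subnet allowed to open SSH sessions, e.g. 192.168.1.0/24
#   $3  space-separated TCP ports open to everyone, e.g. "80 443"
#   $4  space-separated UDP ports open to everyone, e.g. "53"
build_ruleset() {
  ext="$1"; trusted="$2"; tcp_ports="$3"; udp_ports="$4"

  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
EOF

  # Sources that can never legitimately arrive from the Internet. LOG does not
  # stop the packet, so every LOG is followed by a DROP with the same match.
  # 240.0.0.0/4 covers all reserved space up to 255.255.255.255.
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 \
             127.0.0.0/8 0.0.0.0/8 224.0.0.0/4 240.0.0.0/4; do
    printf '%s\n' "-A INPUT -i $ext -s $net -m limit --limit 5/min -j LOG --log-prefix \"IP DROP SPOOF \""
    printf '%s\n' "-A INPUT -i $ext -s $net -j DROP"
  done

  cat <<EOF
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s $trusted -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
EOF

  for p in $tcp_ports; do
    printf '%s\n' "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $p -j ACCEPT"
  done
  for p in $udp_ports; do
    printf '%s\n' "-A RH-Firewall-1-INPUT -m udp -p udp --dport $p -j ACCEPT"
  done

  cat <<EOF
-A RH-Firewall-1-INPUT -m limit --limit 5/min -j LOG --log-prefix "IP DROP "
-A RH-Firewall-1-INPUT -j DROP
COMMIT
EOF
}

# Example: a web server reachable on 80/443, serving DNS on 53/udp, with SSH
# only from the 192.168.1.0/24 management LAN. Review the output, write it to
# /etc/sysconfig/iptables and run "service iptables restart".
build_ruleset eth0 192.168.1.0/24 "80 443" "53"
```

Before installing the generated file, check it with `iptables-restore --test` where your iptables version supports that option, and keep a console session open in case the DROP policies cut off remote access. Leave out the 0.0.0.0/8 entry on a host that obtains its address via DHCP.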
Edit /etc/sysctl.conf For DoS and SYN Protection
Edit /etc/sysctl.conf to harden the kernel's own IP stack against spoofed, source-routed and flood traffic. The "default" keys only affect interfaces created later, so set both "all" and "default" to cover the interfaces that already exist. Append or update as follows:
# log packets with impossible source addresses (martians)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# ignore source-routed packets and ICMP redirects
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# do not answer ICMP echo sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# SYN cookies keep the host accepting connections while its SYN backlog is flooded
net.ipv4.tcp_syncookies = 1
# reverse-path filter: drop packets whose source is not routable via the interface they arrived on
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
Apply the settings without rebooting and verify them:
# sysctl -p
# sysctl net.ipv4.tcp_syncookies net.ipv4.conf.all.rp_filter