Thursday, July 31, 2008

Securtiy with IPTABLES

Another way to secure your server is by using iptables, you can use iptables together with tcp_wrappers or on their own, the choice is yours, the advantage with iptables is that iptables can be used to ACCEPT, DROP or REJECT packets of Data, it can also be used to FORWARD specific Data onto different Destinations and it can be used to configure NAT (Network Address Translation) also known as Masquerading.

the usage of IPTABLES is as follows:

iptables -t type (action) (direction) (type of packet) -j (what to do)

their are two types that you can choose (the -t switch)
filter = sets a rule for filtering packets
nat= configures Network Address Translation, also known as Masquerading
the default type is filter , if you don't specify a -t type the iptables command will assume that you are trying to setup a filtering rule. so you can leave out the -t switch if you are setting up a firewall rule.
next is the (action)
you can either
-A append a rule
-D delete a rule
-L list the currently configured Rules
-F flush the rules

next you need to specify which packets are the rules applied to (direction of packet)
INPUT = all incoming packets
OUTPUT = all outgoing packets
FORWARD = all packets that are being forwarded to another computer.

next you need to specify the source or destination address of the packet
-s ipaddress
-d ipaddress

next you need to specify the protocol of the packet using the -p switch
-p tcp and then the port using the --dport switch eg
-p tcp --dport 80
and then finally what needs to be done with the packet which is the -j switch
DROP = the packet is dropped (no message is sent to the requesting host)
REJECT = the packet is rejected and an error message is sent to the requesting host
ACCEPT = the packet is Accepted
an ACCEPTED Packet can be forwarded by using the - A switch and then FORWARD
lets set up an iptable chain.
The first step is always to see what iptables are already configured . type
iptables -L
this reads the iptables from your /etc/sysconfig/iptables file (we do not edit this file directly it is best to use the iptables command with the relevant switches to configure your chains.)
iptables -L will return your rules in three different categories INPUT,FORWARD and OUTPUT
the following command will set a rule that denies all traffic from network
iptables -A INPUT -s -j REJECT
the following rule will make your server un-ping-able as it will drop all ICMP (ping) packets. Assume that your network is the (!) inverts the meaning in this case the command applies to all IP addresses except those on the network

if you need to insert the rule at line number 3 of the chain then type
iptables -I INPUT 3 -s -j REJECT

iptables -A INPUT -s ! -p icmp -j DROP
to delete any of the above commands simply retype them and change the -A to a -D eg:
iptables -D INPUT -s ! -p icmp -j DROP will remove the previous chain
you can check your progress by typing iptables -L at anytime.
Once you have added the iptable rules that you want , you need to save your configuration. This is done with the following command
/etc/init.d/iptables save
this will save your configuration into the /etc/sysconfig/iptables file
you also need to insure that iptables starts up on run levels 2,3,4 and 5 so that it is persistent after a reboot
to do this type the following
chkconfig iptables on

No comments: