How to edit iptables rules

From FedoraProject

(Difference between revisions)
Jump to: navigation, search
(Adding TUI way to editing rules of iptables.)
Line 174: Line 174:
 
There is high chance that your service is part of the list of trusted services. This is basic activation of some standards services. Select what is needed and go '''forward''' :
 
There is high chance that your service is part of the list of trusted services. This is basic activation of some standards services. Select what is needed and go '''forward''' :
 
[[File:Firewall_TUI_Trusted_services..PNG|center|700px|Editing trusted service with firewall tui interface.]]
 
[[File:Firewall_TUI_Trusted_services..PNG|center|700px|Editing trusted service with firewall tui interface.]]
 +
Now Edit other allowed ports :
 
[[File:Firewall_TUI_other_ports.PNG|center|700px|Editing Other ports on firewall configuration by TUI interface.]]
 
[[File:Firewall_TUI_other_ports.PNG|center|700px|Editing Other ports on firewall configuration by TUI interface.]]
 +
Select the trusted interfaces. These interfaces will become open face of network, all traffic will be allowed and the precedents rules will never match. So select an interface that face of a private network and never an interface that have to directly deal with internet.
 +
[[File:Firewall_TUI_trusted_interfaces.PNG|center|700px|Trusted interfaces.]]
 +
Select interfaces to be masqueraded. Masquerading is better known as '''[http://en.wikipedia.org/wiki/Network_address_translation NAT]''' (Network Address Translation), it is useful by example when your Fedora computer is used as gateway to access the internet :
 +
[[File:Firewall_TUI_masquerading.PNG|center|700px|Firewall TUI interface : masquerading.]]
 +
Port forwarding is also known as '''[http://en.wikipedia.org/wiki/Network_address_translation PAT]''' permit to reroute traffic from a port to another port
 +
[[File:Firewall_TUI_Port_Forwarding.PNG|center|700px|Firewall TUI interface : configuring Port Forwarding.]]
 +
[[File:Firewall_TUI_Port_Forwarding_Adding.PNG|center|700px|Firewall TUI : adding port forwarding rules.]]
 +
You can define ICMP behaviour of your fedora. By default, no limitations are made but you can define rules to reject ICMP traffic, define the return error to an ICMP request, etc.
 +
[[File:Firewall_TUI_ICMP_Filter.PNG|center|700px|Firewall TUI: configuring ICMP behaviour.]]
 +
Finally, you can define some custom rules. But you need to edit a file before containing your custom rules with same format than the iptables file, but without specifying the table of iptables used.
 +
[[File:Firewall_TUI_Custom_Rules.PNG|center|700px|Firewall TUI: create custom rules.]]
 +
For adding custom rules you have specify the protocol between '''ipv4''' or '''ipv6''' and on what table add the custom rules '''filter''', '''mangle''' or '''nat''' then the path to the file containing rules to add :
 +
[[File:Firewall_TUI_Custom_Rules_Adding.PNG|center|700px|Firewall TUI: adding a custom rules.]]
 +
When it's done, you can ''Close '' the interface and this bring you and first screen of firewall configuration. Select ''OK'' and you have a warning appear :
 +
[[File:Firewall_TUI_Warning.PNG|center|700px|Firewall TUI warning.]]
 +
Select ''Yes'' if the configuration that you made fit to you and exit interface, or ''No'' for came back to the firewall configuration screen.
 +
 
== GUI ==
 
== GUI ==

Revision as of 16:10, 11 December 2011

How to edit IPtables rules.

In this how to we will learn three differents way to edit IPtables rules :

  • CLI : iptables command and his config file /etc/sysconfig/iptables.
  • ncurse interface : setup or system-config-firewall-tui
  • GUI : system-config-firewall

It is not an how to about making elaborates rules with iptables, we only use iptables on a basic way.

Let's go.

Contents

my CLI way

Hot changes in iptables rules content

This method allow you to change behaviour of your iptables firewall when is running.

Stop (medium size).png
Caution
You can break up your connection with mistakes in rules.

I invite you to read the man pages about iptables for further explanation and more sophisticated rules. You must have superuser rights to launch these commands, please use sudo or su as your convenience. Example of iptables rules which allow any connections established or related, icmp requests, all local traffic and finally ssh communication :

[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

First thing to know, the rules apply in order of appearance and exit if there is a match. So, if we have a rule that reject ssh connections then after another rules allowing ssh then once the reject rule is reached, the packets exit and apply the reject rule but never reached the accept rule. So with that in mind, we can edit iptables's rules.

Append a rule

This is add a rule at the end of the specified chain of iptables :

[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Notice the last line in chain INPUT. There are now 5 rules in that chain. Let's delete the last one for recreate on the top of the same chain.

[root@server ~]# iptables -D INPUT 5
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Now, recreate it on the top :

[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Notice the number append after the name of the chain. As we say that we insert the rule at the top, we must insert it before the first. So, you want to insert this rules before the third rule you as to change this number to 3. Simple isn't it!

For the next, we replace a rules already existing. The rules about the http server is pretty wide for acceptance. Restrict a little more this rule by only allow a specific network 192.168.0.0/24 :

[root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:http
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

So, summarize, we now know how to :

  • append
iptables -A <chain>
  • insert
iptables -I <chain> <rule_position>
  • replace
iptables -R <chain> <rule_position>
  • delete
iptables -D <chain> <rule_position>

Make changes persistant

Ok, when editing iptables rules with iptables command, if we reboot the pc then we loose rules that we make. So we have to save them!

Happily, iptables comes with two useful utilities : iptables-save and iptables-restore.

  • iptables-save : print a reusable dump of current iptables rules. You have to redirect to a file like that :
[root@server ~]# iptables-save > iptables.dump 
[root@server ~]# cat iptables.dump 
# Generated by iptables-save v1.4.12 on Wed Dec  7 20:10:49 2011
*filter
:INPUT DROP [45:2307]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1571:4260654]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Dec  7 20:10:49 2011
  • iptables-restore : restore a dump of rules made by iptables-save.
[root@server ~]# iptables-restore < iptables.dump 
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now, we can imagine to automatize startup and stop of iptables based on a dump file restored and saved. This mechanism already exists, this what is going on when you start and stop the iptables service. At each stop of service, it saves the current state of iptables rules set on a file and each stop it restores this file. And this file is :

  • /etc/sysconfig/iptables
    for IPv4
  • /etc/sysconfig/ip6tables
    for IPv6

So, if you prefer, you can edit this file and restart the iptables service to commit the changes. The format is pretty the same than iptables command :

# Generated by iptables-save v1.4.12 on Wed Dec  7 20:22:39 2011
*filter <--------------------------------------------------------- Specify the table of the next rules
:INPUT DROP [157:36334] <----------------------------------------- This is the three chain belong to filter table, then the policy of the chain
:FORWARD ACCEPT [0:0] <------------------------------------------- and between brackets [<packet-counter>:<byte-counter>] numbers is for
:OUTPUT ACCEPT [48876:76493439] <--------------------------------- debug/informations purpose only. Leave them at their current value.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT <--------- A rule.
-A INPUT -p icmp -j ACCEPT <-------------------------------------- You just have to take all arguments
-A INPUT -i lo -j ACCEPT <---------------------------------------- of an iptables command.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT <---------------------------------------------------------- Needed at each end of table definition. Commit rules in that table.
# Completed on Wed Dec  7 20:22:39 2011

TUI/semi graphical

There is two ways for managing iptables rules with textual interface, by setup and system-config-firewall-tui. When in the first you need to select 'firewall configuration' and then edit rules, the second will bring directly to the edition of rules. So, with setup, select 'Firewall configuration' :

setup menu utility

On the next screen, we leave Firewall enabled or we activate it if it wasn't enabled. Then we go on Customize :

Firewall Configuration by TUI. First screen.

There is high chance that your service is part of the list of trusted services. This is basic activation of some standards services. Select what is needed and go forward :

Editing trusted service with firewall tui interface.

Now Edit other allowed ports :

Editing Other ports on firewall configuration by TUI interface.

Select the trusted interfaces. These interfaces will become open face of network, all traffic will be allowed and the precedents rules will never match. So select an interface that face of a private network and never an interface that have to directly deal with internet.

Trusted interfaces.

Select interfaces to be masqueraded. Masquerading is better known as NAT (Network Address Translation), it is useful by example when your Fedora computer is used as gateway to access the internet :

Firewall TUI interface : masquerading.

Port forwarding is also known as PAT permit to reroute traffic from a port to another port

Firewall TUI interface : configuring Port Forwarding.
Firewall TUI : adding port forwarding rules.

You can define ICMP behaviour of your fedora. By default, no limitations are made but you can define rules to reject ICMP traffic, define the return error to an ICMP request, etc.

Firewall TUI: configuring ICMP behaviour.

Finally, you can define some custom rules. But you need to edit a file before containing your custom rules with same format than the iptables file, but without specifying the table of iptables used.

Firewall TUI: create custom rules.

For adding custom rules you have specify the protocol between ipv4 or ipv6 and on what table add the custom rules filter, mangle or nat then the path to the file containing rules to add :

Firewall TUI: adding a custom rules.

When it's done, you can Close the interface and this bring you and first screen of firewall configuration. Select OK and you have a warning appear :

Firewall TUI warning.

Select Yes if the configuration that you made fit to you and exit interface, or No for came back to the firewall configuration screen.

GUI