Basics of iptables – Linux firewall

iptables, the Linux firewall, plays a very important role in securing a Linux system. System hardening or lockdown cannot be considered complete without configuring iptables. Here we discuss the basics of iptables, so beginners can use this article as an iptables guide. In this article we will walk through:

  • What is iptables
  • iptables chains
  • Chain policy defining strategy
We discussed how to set iptables rules and how to save iptables settings in this article. Let's start with the iptables basics.

What is iptables

iptables is the native Linux firewall tool (the packet filtering itself is done by the netfilter framework inside the kernel; iptables is the command that manages it) and comes pre-installed with almost all distributions. If by any chance it is not on your system, install the iptables package to get it. As a firewall, it works with rules, grouped into chains, which decide whether a packet arriving at, leaving, or passing through the Linux machine is allowed or blocked. Different chains handle different kinds of traffic, defined by the direction the packet travels, and rules are defined on each chain.
In newer versions such as RHEL 7 the firewall is still powered by iptables/netfilter; only the management part is handled by a new daemon called firewalld.
Apart from the rules you define, every chain also has a default policy. If a packet does not match any rule in the chain, iptables applies the chain's default policy to it. By default (on most distributions) the policy of every chain is ACCEPT, which means a freshly installed system allows all traffic until you add rules.

iptables chains

As we saw earlier, iptables relies on chains to determine the action to be taken on a packet, so let's understand what chains are. A chain is an ordered list of rules that a packet is checked against, top to bottom, until a rule matches; which chain a packet goes through is decided by its travel direction. The filter table (the one used unless you pass -t to select another) has three built-in chains: INPUT, OUTPUT and FORWARD.

Input chain :

This chain controls incoming packets destined for the Linux machine itself. For example, if a user tries to connect to the server via SSH (port 22), the INPUT chain is checked to see whether a rule allows that source IP and destination port. Only if a rule accepts it (or the chain's default policy is ACCEPT) does the connection reach the SSH daemon; otherwise it is blocked. Note that iptables matches on addresses, ports, protocols and interfaces, not on user names; which user is logging in is decided by sshd afterwards.

Output chain :

Yes, this chain controls packets leaving the Linux machine. If any application or user tries to connect to an outside server/IP, the OUTPUT chain decides whether that destination IP/port can be reached or not.
A point that trips up beginners: a rule by itself is not stateful. It only matches the packets it describes, so allowing an incoming SSH connection on the INPUT chain does nothing for the reply packets, which leave through the OUTPUT chain. If both policies are DROP you must either define a matching rule in the other direction for every connection that needs two-way communication, or, much better, add one rule to each chain that accepts packets in state ESTABLISHED,RELATED using the conntrack match (the kernel's connection tracking). With that in place replies to allowed connections pass automatically and you only write rules for the direction that initiates the connection.
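The two approaches side by side, as an added example that is not code from the original article. The `run` wrapper is an assumption made for this example so the script can print the iptables commands with `DRY_RUN=1` instead of applying them (applying them needs root); the port numbers are just SSH in and DNS out. Both rule sets assume the INPUT and OUTPUT policies have already been set to DROP.

```shell
#!/bin/sh
# Added example, not code from the original article: two ways of letting
# reply traffic through when the INPUT and OUTPUT policies are DROP.
# DRY_RUN=1 prints the iptables commands instead of executing them.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# Mirror rules: every flow needs one hand-written rule per direction.
mirror_rules() {
  # inbound SSH to this host, plus the mirrored rule so sshd's replies can leave
  run -A INPUT  -p tcp --dport 22 -j ACCEPT
  run -A OUTPUT -p tcp --sport 22 -j ACCEPT
  # outbound DNS from this host, plus the mirrored rule for the answers.
  # Weak spot: the INPUT rule matches ANY UDP packet whose source port is 53,
  # so a remote host can reach any local UDP port just by sending from port 53.
  run -A OUTPUT -p udp --dport 53 -j ACCEPT
  run -A INPUT  -p udp --sport 53 -j ACCEPT
}

# Connection-tracking rules: replies are accepted only for flows whose first
# packet was already allowed, so one rule per flow is enough.
conntrack_rules() {
  run -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run -A INPUT  -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  run -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
  # An unsolicited packet from source port 53 is state NEW on INPUT, matches
  # nothing above, and falls through to the DROP policy.
}

# Usage: DRY_RUN=1 sh replies.sh conntrack   (print)   sudo sh replies.sh conntrack (apply)
case "${1:-}" in
  mirror)    mirror_rules ;;
  conntrack) conntrack_rules ;;
esac
```

The conntrack version is both shorter and safer: the only packets that get in without a NEW rule are those belonging to a connection this host already agreed to.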

Forward chain :

On most systems it is not used. It comes into play only if your system acts as a pass-through, does NAT, or forwards traffic for other hosts: packets that arrive on one interface and are routed on to the next hop, rather than being delivered to a local process, traverse this chain (and only when IP forwarding is enabled in the kernel, net.ipv4.ip_forward=1).
You can view the status of all three chains with iptables -L -v -n (-v adds the packet and byte counters, -n skips reverse DNS lookups so the listing does not hang):
In that output you can see all three chains, how many packets and how much data each one has handled, and the default policy of each chain.
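As an added example that is not part of the original article, here is what such a listing looks like and a small shell helper for reading it. The SAMPLE text is constructed to resemble a typical `iptables -L -v -n` listing (it is not captured from a real host); the helper functions pull out each chain's default policy and the number of packets that fell through to it, and list the chains that are still at policy ACCEPT, which is the first thing to check on a host that is supposed to be locked down.

```shell
#!/bin/sh
# Added example, not code from the original article: reading `iptables -L -v -n`.
# SAMPLE is a constructed listing standing in for the real command's output;
# on a live box use:  iptables -L -v -n | chain_summary

# Constructed sample: INPUT and OUTPUT still have the default ACCEPT policy,
# FORWARD has been set to DROP, and INPUT carries one rule.
SAMPLE=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 1234 packets, 567K bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 ACCEPT     tcp  --  *      *       10.0.0.0/24          0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 980 packets, 120K bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
)

# chain_policy CHAIN  (listing on stdin) -> the chain's default policy.
# Header lines look like: Chain INPUT (policy ACCEPT 1234 packets, 567K bytes)
# User-defined chains show "(N references)" instead and have no policy.
chain_policy() {
  awk -v chain="$1" '$1 == "Chain" && $2 == chain && $3 == "(policy" { print $4; exit }'
}

# chain_policy_packets CHAIN -> packets that hit the default policy, i.e. the
# ones no rule matched. A rising count on a DROP chain is traffic being refused.
chain_policy_packets() {
  awk -v chain="$1" '$1 == "Chain" && $2 == chain && $3 == "(policy" { print $5; exit }'
}

# open_chains -> names of chains whose default policy is still ACCEPT.
# A hardened host normally lists neither INPUT nor FORWARD here.
open_chains() {
  awk '$1 == "Chain" && $3 == "(policy" && $4 == "ACCEPT" { print $2 }'
}

# chain_summary -> one line per chain: NAME policy=... policy_pkts=... rules=...
# Rule lines are those whose first field is the pkts counter (digits, maybe K/M/G).
chain_summary() {
  awk '
    $1 == "Chain" {
      if (name != "") print name, "policy=" pol, "policy_pkts=" pk, "rules=" n
      name = $2
      pol = ($3 == "(policy") ? $4 : "-"
      pk  = ($3 == "(policy") ? $5 : "-"
      n = 0
      next
    }
    $1 ~ /^[0-9]+[KMG]?$/ { n++ }
    END { if (name != "") print name, "policy=" pol, "policy_pkts=" pk, "rules=" n }'
}

# Demo against the constructed listing (safe to run anywhere, no root needed):
#   printf '%s\n' "$SAMPLE" | chain_summary
```

On a real host the counters keep growing, so comparing two listings a minute apart tells you which chain and rule the traffic you care about is actually hitting.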

Chain policy defining strategy


There are three actions (targets) that a rule can take, and two of them can also serve as a chain's default policy:
  1. ACCEPT : Allow the packet.
  2. REJECT : Block the packet and send an error back to the source (an ICMP port-unreachable by default, or a TCP reset with --reject-with tcp-reset), so the source knows the destination refused it. REJECT is a rule target only; it cannot be set as a chain's default policy.
  3. DROP : Block the packet silently, as if it never arrived. The source only sees a timeout and cannot tell a firewall from a dead host.
By default, all chains have the ACCEPT policy, so every connection is allowed. When configuring policies manually you have to pick one of the two strategies below:
  1. Set the default policy to DROP and explicitly add ACCEPT rules to each chain for the required IPs/subnets/ports (default deny, or allow-listing).
  2. Keep the default policy ACCEPT and explicitly add REJECT/DROP rules to each chain for the IPs/subnets/ports to be blocked (default allow, or block-listing).
Strategy 2 is easier to start with and is what you will usually find on general-purpose hosts. Strategy 1 is the standard hardening baseline for the INPUT chain of any server reachable from an untrusted network, and the only acceptable choice for a system holding sensitive data that must be locked away from the outside world. Obviously, the criticality of the environment and the number of IPs/subnets/ports to be allowed or denied decide which strategy is easier to maintain. Whichever you pick, add the ACCEPT rule for your own management access (for example SSH from the admin subnet) before switching a policy to DROP, or you will lock yourself out of a remote machine.
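Both strategies applied to the INPUT chain, as an added example that is not code from the original article. The `run` wrapper, the MGMT_NET subnet admins connect from, and the BLOCKED_NET range are assumptions made for this example (BLOCKED_NET uses the 203.0.113.0/24 documentation range); the ports are illustrative. With `DRY_RUN=1` the script prints the iptables commands instead of applying them, and the `policy_is_last` helper checks the one ordering property that matters when applying strategy 1 remotely: the policy flips to DROP only after every ACCEPT rule is in place.

```shell
#!/bin/sh
# Added example, not code from the original article: the two chain-policy
# strategies on the INPUT chain. DRY_RUN=1 prints the iptables commands instead
# of executing them (applying them needs root).

MGMT_NET="${MGMT_NET:-10.0.0.0/24}"           # assumption: subnet admins SSH from
BLOCKED_NET="${BLOCKED_NET:-203.0.113.0/24}"  # assumption: a network to refuse

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# Strategy 1: default deny. Everything not explicitly accepted is dropped.
# The chain is rebuilt while its policy is still ACCEPT and flipped to DROP
# as the very last step, so an admin running this over SSH is never cut off
# by a half-applied rule set.
default_deny_input() {
  run -P INPUT ACCEPT
  run -F INPUT
  run -A INPUT -i lo -j ACCEPT
  run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run -A INPUT -m conntrack --ctstate INVALID -j DROP
  run -A INPUT -p tcp --dport 22 -s "$MGMT_NET" -m conntrack --ctstate NEW -j ACCEPT
  run -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP:"
  run -P INPUT DROP          # last: only after all ACCEPT rules exist
  run -P FORWARD DROP        # this host is not a router
  run -P OUTPUT ACCEPT       # outbound stays default-allow (strategy 2)
}

# Strategy 2: default allow. Only the listed sources/ports are refused.
# REJECT is a rule target, not a policy: the policy stays ACCEPT and each
# unwanted thing gets its own rule. REJECT gives internal clients a clean
# error; DROP gives an outside scanner nothing to learn from.
default_allow_input() {
  run -P INPUT ACCEPT
  run -F INPUT
  run -A INPUT -s "$BLOCKED_NET" -j DROP
  run -A INPUT -p tcp --dport 3306 ! -s "$MGMT_NET" -j REJECT --reject-with tcp-reset
  run -A INPUT -p tcp --dport 6379 ! -i lo -j REJECT --reject-with tcp-reset
}

# policy_is_last  (dry-run output on stdin) -> exit 0 if no "-A INPUT" rule is
# added after the "-P INPUT DROP" line, exit 1 otherwise.
policy_is_last() {
  awk '/^iptables -P INPUT DROP/ { seen = 1 }
       /^iptables -A INPUT/ && seen { bad = 1 }
       END { exit bad ? 1 : 0 }'
}

# Usage: DRY_RUN=1 sh policy.sh deny | less     sudo sh policy.sh deny
case "${1:-}" in
  deny)  default_deny_input ;;
  allow) default_allow_input ;;
esac
```

Review the dry-run output before applying it for real, and when applying strategy 1 over SSH keep a second session open (or a scheduled `iptables -P INPUT ACCEPT` a few minutes out) until you have confirmed you can still log in.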

sangeethakumar
