Linux comes with a host based firewall called Netfilter. According to the official project site:
netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
This Linux based firewall is controlled by the program called iptables to handles filtering for IPv4, and ip6tables handles filtering for IPv6.
Type the following command as root:# iptables -L -n -v
Sample outputs:
Above output indicates that the firewall is not active. The following sample shows an active firewall:# iptables -L -n -v
Sample outputs:
Where,
# iptables -n -L -v --line-numbers
Sample outputs:
You can use line numbers to delete or insert new rules into the firewall.
# iptables -L INPUT -n -v
# iptables -L OUTPUT -n -v --line-numbers
If you are using CentOS / RHEL / Fedora Linux, enter:# service iptables stop
# service iptables start
# service iptables restart
You can use the iptables command itself to stop the firewall and delete all rules:# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
Where,
To display line number along with other information for existing rules, enter:# iptables -L INPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers | less
# iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1
You will get the list of IP. Look at the number on the left, then use number to delete it. For example delete line number 4, enter:# iptables -D INPUT 4
OR find source IP 202.54.1.1 and delete from rule:# iptables -D INPUT -s 202.54.1.1 -j DROP
Where,
To insert one or more rules in the selected chain as the given rule number use the following syntax. First find out line numbers, enter:
# iptables -L INPUT -n –line-numbers
Sample outputs:
To insert rule between 1 and 2, enter:# iptables -I INPUT 2 -s 202.54.1.2 -j DROP
To view updated rules, enter:# iptables -L INPUT -n --line-numbers
Sample outputs:
To save firewall rules under CentOS / RHEL / Fedora Linux, enter:# service iptables save
In this example, drop an IP and save firewall rules:# iptables -A INPUT -s 202.5.4.1 -j DROP
# service iptables save
For all other distros use the iptables-save command:# iptables-save > /root/my.active.firewall.rules
# cat /root/my.active.firewall.rules
To restore firewall rules form a file called /root/my.active.firewall.rules, enter:# iptables-restore < /root/my.active.firewall.rules
To restore firewall rules under CentOS / RHEL / Fedora Linux, enter:# service iptables restart
To drop all traffic:# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# iptables -L -v -n
#### you will not able to connect anywhere as all traffic is dropped ###
To drop all incoming / forwarded packets, but allow outgoing traffic, enter:# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -L -v -n
### *** now ping and wget should work *** ###
# ping nixpal.com
IP spoofing is nothing but to stop the following IPv4 address ranges for private networks on your public interfaces. Packets with non-routable source addresses should be rejected using the following syntax:# iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
To block an attackers ip address called 1.2.3.4, enter:# iptables -A INPUT -s 1.2.3.4 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -j DROP
To block all service requests on port 80, enter:# iptables -A INPUT -p tcp --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP
To block port 80 only for an ip address 1.2.3.4, enter:# iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP
To block outgoing traffic to a particular host or domain such as nixpal.com, enter:# host -t a nixpal.com
Sample outputs:
Note down its ip address and type the following to block all outgoing traffic to 5.16.13.6:# iptables -A OUTPUT -d 75.126.153.206 -j DROP
You can use a subnet as follows:# iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
# iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP
First, find out all ip address of facebook.com, enter:# host -t a www.facebook.com
Sample outputs:
Find CIDR for 69.171.228.40, enter:# whois 69.171.228.40 | grep CIDR
Sample outputs:
To prevent outgoing access to www.facebook.com, enter:# iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP
You can also use domain name, enter:# iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
# iptables -A OUTPUT -p tcp -d facebook.com -j DROP
From the iptables man page:
… specifying any name to be resolved with a remote query such as DNS (e.g., facebook.com is a really bad idea), a network IP address (with /mask), or a plain IP address …
Type the following to log and block IP spoofing on public interface called eth1# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
By default everything is logged to /var/log/messages file.# tail -f /var/log/messages
# grep --color 'IP SPOOF' /var/log/messages
The -m limit module can limit the number of log entries created per time. This is used to prevent flooding your log file. To log and drop spoofing per 5 minutes, in bursts of at most 7 entries .# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
Use the following syntax:# iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
## *only accept traffic for TCP port # 8080 from mac 00:0F:EA:91:04:07 * ##
# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
Type the following command to block ICMP ping requests:# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
Ping responses can also be limited to certain networks or hosts:# iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
The following only accepts limited type of ICMP requests:### ** assumed that default INPUT policy set to DROP ** #############
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
## ** all our server to respond to pings ** ##
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
Use the following syntax to open a range of ports:iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT
Use the following syntax to open a range of IP address:## only accept connection to tcp port 80 (Apache) if ip is between 192.168.1.100 and 192.168.1.200 ##
iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
## nat example ##
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.20-192.168.1.25
When you restart the iptables service it will drop established connections as it unload modules from the system under RHEL / Fedora / CentOS Linux. Edit, /etc/sysconfig/iptables-config and set IPTABLES_MODULES_UNLOAD as follows:
Use the crit log level to send messages to a log file instead of console:iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level crit
The following shows syntax for opening and closing common TCP and UDP ports:
You can use connlimit module to put such restrictions. To allow 3 ssh connections per client host, enter:# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
Set HTTP requests to 20:# iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
Where,
For more information about iptables, please see the manual page by typing man iptables from the command line:$ man iptables
You can see the help using the following syntax too:# iptables -h
To see help with specific commands and targets, enter:# iptables -j DROP -h
Find out if ports are open or not, enter:# netstat -tulpn
Find out if tcp port 80 open or not, enter:# netstat -tulpn | grep :80
If port 80 is not open, start the Apache, enter:# service httpd start
Make sure iptables allowing access to the port 80:# iptables -L INPUT -v -n | grep 80
Otherwise open port 80 using the iptables for all users:# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# service iptables save
Use the telnet command to see if firewall allows to connect to port 80:$ telnet nixpal.com 80
Sample outputs:
You can use nmap to probe your own server using the following syntax:$ nmap -sS -p 80 nixpal.com
Sample outputs:
I also recommend you install and use sniffer such as tcpdupm and ngrep to test your firewall settings.
This post only list basic rules for new Linux users. You can create and build more complex rules. This requires good understanding of TCP/IP, Linux kernel tuning via sysctl.conf, and good knowledge of your own setup. Stay tuned for next topics:
Article Number: 680
Posted: Fri, May 15, 2020 12:01 PM
Last Updated: Fri, May 15, 2020 12:01 PM
Online URL: http://kb.ictbanking.net/article.php?id=680