iptables 는 netfilter의 부분으로 filtering의 rule을 정하는 filter table이다.
Chain 은 A chain is a list of rules that defines the actions applied to packets. 종류는 기본 INPUT/FORWARD/OUTPUT 이고 custom chain 도 추가 가능하다.
- INPUT - All packets destined for the host computer.
- OUTPUT - All packets originating from the host computer.
- FORWARD
- All packets neither destined for nor originating from the host
computer, but passing through (routed by) the host computer. This chain
is used if you are using your computer as a router.
# iptables -L 로 rule을 볼 수 있으며, 순서대로 적용된다. 아래에서 REJECT all 이후로는 모든 packet 이 reject된다. 첫 번째 Rule이 1번.
iptables -A chain (INPUT/FORWARD/OUTPUT) -j target (ACCEPT/REJECT/DROP)
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
--dport : destination port
--sport : start port
--state
httpd server 추가하기
- REJECT 앞에 추가해야 함.
- >iptables -I INPUT 5 -p tcp -m tcp --dport 80 -j ACCEPT
- >iptables -I INPUT 6 -m tcp -p tcp --dport 443 -j ACCEPT
특정 port 열기
# iptables -I INPUT (last index -1) -m state --state NEW -m tcp -p tcp --dport 6888 -j ACCEPT
모든 port reject
>iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables 저장하기
iptables command 는 reboot하면 초기화되므로 계속 반영하려면, 저장이 필요하다.
# service iptables save
# vi /etc/sysconfig/iptables-config
iptables -P INPUT ACCEPT If
connecting remotely we must first temporarily set the default policy on
the INPUT chain to ACCEPT otherwise once we flush the current rules we
will be locked out of our server.
iptables -F We used the -F switch to flush all existing rules so we start with a clean state from which to add new rules.
iptables -A INPUT -i lo -j ACCEPT
Now it's time to start adding some rules. We use the -A switch to
append (or add) a rule to a specific chain, the INPUT chain in this
instance. Then we use the -i switch (for interface) to specify packets
matching or destined for the lo (localhost, 127.0.0.1) interface and
finally -j (jump) to the target action for packets matching the rule -
in this case ACCEPT. So this rule will allow all incoming packets
destined for the localhost interface to be accepted. This is generally
required as many software applications expect to be able to communicate
with the localhost adaptor.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This is the rule that does most of the work, and again we are adding
(-A) it to the INPUT chain. Here we're using the -m switch to load a
module (state). The state module is able to examine the state of a
packet and determine if it is NEW, ESTABLISHED or RELATED. NEW refers to
incoming packets that are new incoming connections that weren't
initiated by the host system. ESTABLISHED and RELATED refers to incoming
packets that are part of an already established connection or related
to and already established connection.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Here we add a rule allowing SSH connections over tcp port 22. This is
to prevent accidental lockouts when working on remote systems over an
SSH connection. We will explain this rule in more detail later.
iptables -P INPUT DROP
The -P switch sets the default policy on the specified chain. So now
we can set the default policy on the INPUT chain to DROP. This means
that if an incoming packet does not match one of the following rules it
will be dropped. If we were connecting remotely via SSH and had not
added the rule above, we would have just locked ourself out of the
system at this point.
iptables -P FORWARD DROP
Similarly, here we've set the default policy on the FORWARD chain to
DROP as we're not using our computer as a router so there should not be
any packets passing through our computer.
iptables -P OUTPUT ACCEPT
and finally, we've set the default policy on the OUTPUT chain to
ACCEPT as we want to allow all outgoing traffic (as we trust our users).
iptables -L -v Finally, we can list (-L) the rules we've just added to check they've been loaded correctly.
NEW -- meaning that the packet has started a new connection, or otherwise
associated with a connection which has not seen packets in both
directions, and
ESTABLISHED -- meaning that the packet is associated with a connection
which has seen packets in both directions,
RELATED -- meaning that the packet is starting a new connection, but is
associated with an existing connection, such as an FTP data transfer,
or an ICMP error.
5. IP Addresses
Opening
up a whole interface to incoming packets may not be restrictive enough
and you may want more control as to what to allow and what to reject.
Lets suppose we have a small network of computers that use the
192.168.0.x private subnet. We can open up our firewall to incoming
packets from a single trusted IP address (for example, 192.168.0.4):
# Accept packets from trusted IP addresses
iptables -A INPUT -s 192.168.0.4 -j ACCEPT # change the IP address as appropriate
Breaking
this command down, we first append (-A) a rule to the INPUT chain for
the source (-s) IP address 192.168.0.4 to ACCEPT all packets (also note
how we can use the # symbol to add comments inline to document our
script with anything after the # being ignored and treated as a
comment).
Obviously
if we want to allow incoming packets from a range of IP addresses, we
could simply add a rule for each trusted IP address and that would work
fine. But if we have a lot of them, it may be easier to add a range of
IP addresses in one go. To do this, we can use a netmask or standard
slash notation to specify a range of IP address. For example, if we
wanted to open our firewall to all incoming packets from the complete
192.168.0.x (where x=1 to 254) range, we could use either of the
following methods:
# Accept packets from trusted IP addresses
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT # using standard slash notation
iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT # using a subnet mask
Finally,
as well as filtering against a single IP address, we can also match
against the MAC address for the given device. To do this, we need to
load a module (the mac module) that allows filtering against mac
addresses. Earlier we saw another example of using modules to extend the
functionality of iptables when we used the state module to match for
ESTABLISHED and RELATED packets. Here we use the mac module to check the
mac address of the source of the packet in addition to it's IP address:
# Accept packets from trusted IP addresses
iptables -A INPUT -s 192.168.0.4 -m mac --mac-source 00:50:8D:FD:E6:32 -j ACCEPT
First we use -m mac to load the mac module and then we use --mac-source
to specify the mac address of the source IP address (192.168.0.4). You
will need to find out the mac address of each ethernet device you wish
to filter against. Running ifconfig (or iwconfig for wireless devices) as root will provide you with the mac address.
This
may be useful for preventing spoofing of the source IP address as it
will allow any packets that genuinely originate from 192.168.0.4 (having
the mac address 00:50:8D:FD:E6:32) but will block any packets that are
spoofed to have come from that address. Note, mac address filtering
won't work across the internet but it certainly works fine on a LAN.
References
http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/
http://leepfe.tistory.com/139
http://l2j.co.kr/1419
http://blog.naver.com/PostView.nhn?blogId=nawoo&logNo=80150436796
http://wiki.centos.org/HowTos/Network/IPTables (Best!!)
