Welcome!

Linux Containers Authors: Liz McMillan, Yeshim Deniz, Elizabeth White, Sematext Blog, Ian Khan

Related Topics: Linux Containers

Linux Containers: Article

10 minutes to an iptables-based Linux firewall

You can harden your Linux 2.4 machines in no time at all.

(LinuxWorld) -- As I write this column, the world suffers infestation by yet another Internet worm, and again the worms are intended to attack Microsoft-based machines. Fortunately for my company, we don't run any Microsoft-based machines, but the Nimda worm still affects us.

 

Nimda eats our bandwidth since other companies sharing our subnet are running infectious Windows 98, NT, and 2000 machines. These diseased, ill-maintained beasts from the land of insufficient light are now trying to infest our stable, secure, long running, easy-to-use, well-behaved Linux machines. (Can you tell I'm a bit irritated?)

 

This has led me to start editing some of our firewall rules, and in the process, consider that, as we have recently migrated to the 2.4 kernel, some people may be interested in how to create a Linux 2.4 kernel-based firewall quickly.

 

The following examples do not create the perfect firewall. What I describe is designed to give a system administrator a little piece of mind by fortifying a machine from obvious attacks.

 

Why 2.4/iptables?

 

The 2.2 version of the Linux kernel used the ipchains application to control the firewall. For standard firewalling, ipchains is a decent solution. We still use it on some of our machines, and there is still a positive argument for 2.2 kernel-based firewalls, because the 2.4 kernel still has some stability issues under heavy load.

 

Those heavy load issues aside, the 2.4 kernel provides a wealth of networking capabilities 2.2 lacks. These include stateful firewalling and solid quality-of-service options. One could argue that the 2.4 kernel, and its iptables firewall code, enables a person to build intricate firewalls capable of competing with the likes of CheckPoint.

 

Using iptables

 

The command to execute iptables is simple: as root type iptables. The execution of the previous command should display output similar to the following:

 

[[email protected] root]# /sbin/iptables
iptables v1.2.1: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[[email protected] root]#

 

If you would like an output of the available options when using the iptables you can pass the -h flag during program execution. The -h command will result in output similar to the following:

 

[[email protected] root]# /sbin/iptables -h
iptables v1.2.1
Usage: iptables -[ADC] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands: Either long or short options are allowed. --append -A chain Append to chain --delete -D chain Delete matching rule from chain --delete -D chain rulenum [...]

 

For this article, I am not going to go into exhaustive explanation of all the iptables options. If you want an advanced introduction, to iptables I suggest the Linux 2.4 Packet Filtering HOWTO (see resources below).

 

When developing a personal or desktop firewall I practice a very simple philosophy. If you aren't going to use it, don't open it. For example, if you are not hosting a Web site, do not open port 80. If you are not using telnet (and there is not a good reason on this Earth to use telnet), do not open port 23!

 

In an effort to follow my philosophy, the quickest way to port protection nirvana is the following iptables chain:

 

/sbin/iptables -A INPUT -p tcp --syn -j DROP

 

The previous statement will allow you to, as the user of the computer, performed all your normal Internet activities. You will be able to browse the Web, ssh out, or chat with a colleague on ICQ. On the other hand, the outside world, when trying to connect to your Linux box via TCP/IP, will simply be ignored. This is a reasonable solution for most Linux computers.

 

However, one of the benefits of Linux is its remote management capabilities. One of the more popular ways that people remotely manage Linux machines is via the SSH (see resources) suite. SSH typically operates on port 22 and thus, we would need to enable connections to port 22, while keeping the rest of the connections closed. This can be done with the following iptable chains:

 

/sbin/iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn -j DROP

 

It is probably not a good idea to let the world connect to your machine on port 22 unless you run a public server. Therefore, we can limit which machines can connect to port 22 by modifying the iptable chain, and adding the -s option. The -s in this example specifies what source address is allowed to connect to the server.

 

/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.110/32 --destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn -j DROP

 

The addition of the -s 192.168.1.110/32 will enable only the remote machine with the IP address of 192.168.1.110 to connect to your protected host.

 

When you create an iptables-based firewall, each chain (for simplicity's sake, each line) will be read sequentially. Thus, it is possible to have the previous configuration of only one machine having rights to connect via SSH, and to run a public Web server. This could be done with the following commands:

 

/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.110/32 --destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn -j DROP

 

This is just an introduction to iptables, but it does give a reasonable representation of the bare essentials for a firewall. If you are currently running Linux with kernel 2.4, it may be a good time to review what your firewall looks like. On a closing note, if you are still running kernel 2.2 and you are looking for a good firewall configuration utility, take a look at Guard Dog (see resources).

More Stories By Joshua Drake

Joshua Drake is the co-founder of Command Prompt, Inc., a PostgreSQL and Linux custom development company. He is also the current author of the Linux Networking HOWTO, Linux PPP HOWTO, and Linux Consultants HOWTO. His most demanding project at this time is a new PostgreSQL book for O'Reilly, 'Practical PostgreSQL'

Comments (3) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
Peter 10/04/04 12:38:21 PM EDT

Thank you... this is the info I have been looking for, a quick and simple way to secure a basic web server.

Jules 07/24/04 02:19:10 PM EDT

Thankyou! At last an article that shows me how to create a simple set of rules.

Pankaj Kumar 09/27/03 12:17:26 AM EDT

Good introductory article on iptables for newbies.

@ThingsExpo Stories
Video experiences should be unique and exciting! But that doesn’t mean you need to patch all the pieces yourself. Users demand rich and engaging experiences and new ways to connect with you. But creating robust video applications at scale can be complicated, time-consuming and expensive. In his session at @ThingsExpo, Zohar Babin, Vice President of Platform, Ecosystem and Community at Kaltura, will discuss how VPaaS enables you to move fast, creating scalable video experiences that reach your ...
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life sett...
One of biggest questions about Big Data is “How do we harness all that information for business use quickly and effectively?” Geographic Information Systems (GIS) or spatial technology is about more than making maps, but adding critical context and meaning to data of all types, coming from all different channels – even sensors. In his session at @ThingsExpo, William (Bill) Meehan, director of utility solutions for Esri, will take a closer look at the current state of spatial technology and ar...
The vision of a connected smart home is becoming reality with the application of integrated wireless technologies in devices and appliances. The use of standardized and TCP/IP networked wireless technologies in line-powered and battery operated sensors and controls has led to the adoption of radios in the 2.4GHz band, including Wi-Fi, BT/BLE and 802.15.4 applied ZigBee and Thread. This is driving the need for robust wireless coexistence for multiple radios to ensure throughput performance and th...
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
SYS-CON Events announced today that Bsquare has been named “Silver Sponsor” of SYS-CON's @ThingsExpo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. For more than two decades, Bsquare has helped its customers extract business value from a broad array of physical assets by making them intelligent, connecting them, and using the data they generate to optimize business processes.
In this strange new world where more and more power is drawn from business technology, companies are effectively straddling two paths on the road to innovation and transformation into digital enterprises. The first path is the heritage trail – with “legacy” technology forming the background. Here, extant technologies are transformed by core IT teams to provide more API-driven approaches. Legacy systems can restrict companies that are transitioning into digital enterprises. To truly become a lea...
Internet of @ThingsExpo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 19th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devices - comp...
What are the new priorities for the connected business? First: businesses need to think differently about the types of connections they will need to make – these span well beyond the traditional app to app into more modern forms of integration including SaaS integrations, mobile integrations, APIs, device integration and Big Data integration. It’s important these are unified together vs. doing them all piecemeal. Second, these types of connections need to be simple to design, adapt and configure...
Adobe is changing the world though digital experiences. Adobe helps customers develop and deliver high-impact experiences that differentiate brands, build loyalty, and drive revenue across every screen, including smartphones, computers, tablets and TVs. Adobe content solutions are used daily by millions of companies worldwide-from publishers and broadcasters, to enterprises, marketing agencies and household-name brands. Building on its established design leadership, Adobe enables customers not o...
SYS-CON Events announced today the Enterprise IoT Bootcamp, being held November 1-2, 2016, in conjunction with 19th Cloud Expo | @ThingsExpo at the Santa Clara Convention Center in Santa Clara, CA. Combined with real-world scenarios and use cases, the Enterprise IoT Bootcamp is not just based on presentations but with hands-on demos and detailed walkthroughs. We will introduce you to a variety of real world use cases prototyped using Arduino, Raspberry Pi, BeagleBone, Spark, and Intel Edison. Y...
Just over a week ago I received a long and loud sustained applause for a presentation I delivered at this year’s Cloud Expo in Santa Clara. I was extremely pleased with the turnout and had some very good conversations with many of the attendees. Over the next few days I had many more meaningful conversations and was not only happy with the results but also learned a few new things. Here is everything I learned in those three days distilled into three short points.
“We're a global managed hosting provider. Our core customer set is a U.S.-based customer that is looking to go global,” explained Adam Rogers, Managing Director at ANEXIA, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Why do your mobile transformations need to happen today? Mobile is the strategy that enterprise transformation centers on to drive customer engagement. In his general session at @ThingsExpo, Roger Woods, Director, Mobile Product & Strategy – Adobe Marketing Cloud, covered key IoT and mobile trends that are forcing mobile transformation, key components of a solid mobile strategy and explored how brands are effectively driving mobile change throughout the enterprise.
Ask someone to architect an Internet of Things (IoT) solution and you are guaranteed to see a reference to the cloud. This would lead you to believe that IoT requires the cloud to exist. However, there are many IoT use cases where the cloud is not feasible or desirable. In his session at @ThingsExpo, Dave McCarthy, Director of Products at Bsquare Corporation, will discuss the strategies that exist to extend intelligence directly to IoT devices and sensors, freeing them from the constraints of ...
SYS-CON Events announced today that Sheng Liang to Keynote at SYS-CON's 19th Cloud Expo, which will take place on November 1-3, 2016 at the Santa Clara Convention Center in Santa Clara, California.
Technology vendors and analysts are eager to paint a rosy picture of how wonderful IoT is and why your deployment will be great with the use of their products and services. While it is easy to showcase successful IoT solutions, identifying IoT systems that missed the mark or failed can often provide more in the way of key lessons learned. In his session at @ThingsExpo, Peter Vanderminden, Principal Industry Analyst for IoT & Digital Supply Chain to Flatiron Strategies, will focus on how IoT de...
Complete Internet of Things (IoT) embedded device security is not just about the device but involves the entire product’s identity, data and control integrity, and services traversing the cloud. A device can no longer be looked at as an island; it is a part of a system. In fact, given the cross-domain interactions enabled by IoT it could be a part of many systems. Also, depending on where the device is deployed, for example, in the office building versus a factory floor or oil field, security ha...
24Notion is full-service global creative digital marketing, technology and lifestyle agency that combines strategic ideas with customized tactical execution. With a broad understand of the art of traditional marketing, new media, communications and social influence, 24Notion uniquely understands how to connect your brand strategy with the right consumer. 24Notion ranked #12 on Corporate Social Responsibility - Book of List.
Businesses are struggling to manage the information flow and interactions between all of these new devices and things jumping on their network, and the apps and IT systems they control. The data businesses gather is only helpful if they can do something with it. In his session at @ThingsExpo, Chris Witeck, Principal Technology Strategist at Citrix, will discuss how different the impact of IoT will be for large businesses, expanding how IoT will allow large organizations to make their legacy ap...