So, you want to install a firewall on your Linux-based infrastructure, but you're hung up in the research phase. All that Web-surfing, those phone calls, the demo installations and other research is making you reach for the Pepto-Bismol. Close that medicine cabinet, at least until your next service request! In this tip, I'll describe how to install and configure a firewall on Red Hat Enterprise Linux 4 (RHEL4).
Let's start with some background information. On Linux, packet filtering is done at the kernel level: the netfilter code is compiled as kernel modules, which are loaded automatically, or automagically. The configuration itself is done with iptables, which became available as of the 2.4 kernel. In prior kernel releases, ipchains was used.
There are different modes of operation with iptables. They include:
Back to RHEL4: On the Firewall Config screen of the installation, you are asked if you want to enable a basic firewall. You are also given options to allow specific devices, incoming services and ports. Post-install, you can change these preferences by using the Security Level Configuration Tool.
To start this application, from the main menu on the panel, go to System Settings => Security Level, or do this:
[IMAGE]
This is the graphical tool. The other way of starting your services is with the iptables command. For the purposes of this tip, we will focus on the command line, though I have used the graphical utility, and I like it a lot.
The first thing you will need to do is start the iptables service. Here's the command:
You should then make sure that the ip6tables service is turned off.
To make iptables start by default whenever the system is booted, you must change the runlevel status of the service using chkconfig.
Then you should list the rules:
Delete any user defined chains and set the default policy, thusly:
Now, allow the loopback device to accept packets.
The syntax of iptables is separated into tiers. The main tier is what is called the chain, which specifies the point in the packet's path at which it is inspected and manipulated. The usage is as follows:
To allow some frames in, do this:
Why did we do this? Let's say that instead of 127.168.0.X we really had a valid address that could be reached from the internet. Rules like these are a way to keep anything from leaving or entering the firewall that isn't from or to that external IP address.
View the rules:
Netfilter (iptables) uses five default "chains", each containing rules which are applied to packets. A rule's target specifies what to do with a matching packet: ACCEPT, DROP, REJECT, LOG, SNAT, DNAT or MASQUERADE.
The syntax for iptables is as follows:
This is a sample of an initial set-up:
The summary step listed above does the following:
Note the following flags:
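As an added example (not code from the original article), here is the kind of initial set-up described above, written in the format that /sbin/iptables-save produces and /sbin/iptables-restore consumes rather than as a series of interactive iptables commands, so the whole rule set can be reviewed in one place before it is loaded. The LAN network 192.168.1.0/24 and the external interface name eth0 are assumed sample values; the chains, targets and default policies are the ones the article names.

```shell
#!/bin/sh
# Added example, not from the original article: the initial rule set in
# iptables-save/iptables-restore format.  Loading it with iptables-restore
# flushes the filter table and removes user-defined chains first, which is
# the "delete user chains, set the default policy" step from the article.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed sample LAN network
WAN_IF="${WAN_IF:-eth0}"               # assumed external interface name

# Print the rule set: INPUT and FORWARD default to DROP, OUTPUT to ACCEPT;
# the loopback device is accepted; replies to connections we started are
# accepted; packets claiming a loopback source on the external interface are
# dropped; SSH is accepted from the LAN only; ping is accepted; anything
# left over is logged (rate-limited) before the DROP policy discards it.
gen_initial_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -s 127.0.0.0/8 -j DROP
-A INPUT -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
COMMIT
EOF
}

# Number of -A rule lines in the generated set (useful when checking output).
rule_count() {
    gen_initial_rules | grep -c '^-A '
}

# Load the rules only when running as root with iptables-restore present;
# otherwise just print them so they can be reviewed.
apply_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        gen_initial_rules | iptables-restore
    else
        gen_initial_rules
    fi
}
```

Run `apply_rules` on the firewall host, or redirect `gen_initial_rules` into a file and feed it to `iptables-restore` yourself; because the whole set is applied atomically, the host is never left with a half-loaded policy between commands.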
You should know that the Linux kernel has the built-in ability to filter packets. The kernel's netfilter has three built-in tables or rules lists:
Each of these tables has a group of built-in chains (lists of rules) which correspond to the points at which netfilter acts on the packet. The chains are as follows:
Filter built-in chains:
NAT built-in chains:
Mangle built-in chains:
Rules created with the iptables command are kept only in kernel memory. If the system is restarted before the iptables rule set is saved, all rules are lost. For netfilter rules to persist across a reboot, they need to be saved. To do this, log in as root and type:
This executes the iptables initscript, which runs the /sbin/iptables-save program and writes the current iptables configuration to /etc/sysconfig/iptables. The existing /etc/sysconfig/iptables file is first saved as /etc/sysconfig/iptables.save.
On a reboot, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.
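Since the file reapplied at boot is what the host will actually run with, it is worth checking it after every save. The following is an added example (not code from the article or from Red Hat) that audits a file in the /etc/sysconfig/iptables format for the properties the article's set-up establishes: DROP default policies on INPUT and FORWARD, an ACCEPT rule for the loopback device, and a terminating COMMIT so iptables-restore will load the table. The two sample files it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: audit a saved rule set in
# iptables-save format.  Returns 0 when every check passes; otherwise prints
# one line per finding and returns 1.
check_saved_rules() {
    file="$1"
    rc=0
    for chain in INPUT FORWARD; do
        if ! grep -q "^:$chain DROP" "$file"; then
            echo "$file: chain $chain default policy is not DROP"
            rc=1
        fi
    done
    if ! grep -q -- '^-A INPUT -i lo -j ACCEPT' "$file"; then
        echo "$file: loopback device is not accepted on INPUT"
        rc=1
    fi
    if ! grep -q '^COMMIT$' "$file"; then
        echo "$file: missing COMMIT; iptables-restore would not apply the filter table"
        rc=1
    fi
    return $rc
}

# Constructed sample: what a save taken after the article's set-up looks like.
write_good_sample() {
    cat >"$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Constructed sample: a save taken before the default policy was changed,
# with no loopback rule and cut off before COMMIT.
write_weak_sample() {
    cat >"$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}
```

On the firewall itself, `check_saved_rules /etc/sysconfig/iptables` after the save step (and again after any edit to the file) confirms the rules that will come back at boot are the hardened ones and not an earlier, permissive snapshot.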
For more information, you may want to download a copy of the RHEL4 reference guide from Red Hat. You may also want to go to the Netfilter site, for a wealth of information on netfilter.