Installing, configuring firewalls, packet filtering in RHEL4

Unix-Linux migration and integration expert Ken Milberg explains how to install and configure a firewall on Red Hat Enterprise Linux 4.

Ken Milberg, Site expert

So, you want to install a firewall on your Linux-based infrastructure, but you're hung up in the research phase. All that Web-surfing, those phone calls, the demo installations and other research is making you reach for the Pepto-Bismol. Close that medicine cabinet, at least until your next service request! In this tip, I'll describe how to install and configure a firewall on Red Hat Enterprise Linux 4 (RHEL4).

Let's start with some background information. With Linux, packet filtering is done at the kernel level: the netfilter code is compiled as kernel modules, which are loaded automatically, or automagically. The configuration itself is done with iptables, which became available on Linux as of the 2.4 kernel. In prior kernel releases, ipchains was used.

There are different modes of operation with iptables. They include:

  • Displaying and flushing rules
  • Resetting and displaying statistics
  • Checking packets against chains
  • Special Display, Insert, Append, Replace and Delete Rules

Back to RHEL4: On the Firewall Config screen of the installation, you are asked if you want to enable a basic firewall. You are also given options to allow specific devices, incoming services and ports. Post-install, you can change these preferences by using the Security Level Configuration Tool.

To start this application, from the main menu on the panel, go to System Settings => Security Level, or run:

# system-config-securitylevel

This is the graphical tool. The other way of starting your services is using the iptables command. For the purposes of this tip, we will focus on the command line, though I have used the graphical utility, and I like it a lot.

Here's the iptables command with which to start your services:

# /sbin/service iptables <option>

The first thing you will need to do is start your services:

# /sbin/service iptables restart

You should then make sure that the ip6tables services are turned off.

# service ip6tables stop
# chkconfig ip6tables off

To make iptables start by default whenever the system is booted, you must change runlevel status on the service using chkconfig.

# chkconfig --level 345 iptables on

Then you should list the rules:

# iptables -nL

Delete any user-defined chains and set the default policy, thusly:

# iptables -X
# iptables -F
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP

Now, allow the loopback device to accept packets.

# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT

The syntax of iptables is separated into tiers. The main tier is what is called the chain, which specifies the state at which a packet is manipulated. The usage is as follows:

iptables -A chain -j target

To allow some frames in, do this:

# iptables -A INPUT -i eth0 -d ! 127.168.0.X -j DROP
# iptables -A OUTPUT -o eth0 -s ! 127.168.0.X -j DROP

Why did we do this? Let's say that instead of 127.168.0.X we really had a valid address which could be used somewhere on the internet. Doing this would be a way to keep anything from leaving or entering the firewall that wasn't from or to the external IP address.

View the rules:

# iptables -nL --line-numbers

Netfilter (iptables) uses five default "chains", each containing rules which are applied to packets. A rule can specify different things to do with a packet: ACCEPT, DROP, REJECT, LOG, SNAT, DNAT, MASQUERADE.

The syntax for iptables is as follows:

iptables [-t table] command [chain] [parameters] [-j target]

This is a sample of an initial set-up:

# iptables -X
# iptables -F
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -i eth0 -j ACCEPT
# iptables -A OUTPUT -o eth0 -j ACCEPT
# iptables -A INPUT -i ppp0 -d ! <external-IP> -j DROP
# iptables -A OUTPUT -o ppp0 -s ! <external-IP> -j DROP

The summary step listed above does the following:

  • Deletes all user-defined chains
  • Flushes all rules
  • Sets default policy for each chain
  • Enables all traffic over internal interfaces
  • Denies all traffic not destined for or originating from the external interface's IP address

Note the following flags:

-L: List all rules
-F: Flush all rules
-A: Append a rule
-I: Insert a rule
-P: Default action for this chain

You should know that the Linux kernel has the built-in ability to filter packets. The kernel's netfilter has three built-in tables or rules lists:

  1. filter -- This is the default table for handling network packets.
  2. nat -- This is used to alter packets that create a new connection and used for NAT.
  3. mangle -- This is used for specific types of packet alteration.

Each of these tables has a group of built-in chains (lists of rules) which correspond to actions performed on the packet by netfilter. The chains are as follows:

Filter built-in chains:

  • INPUT -- Applies to network packets that are targeted for the host.
  • OUTPUT -- Applies to locally-generated network packets.
  • FORWARD -- Applies to network packets routed through the host.

NAT built-in chains:

  • PREROUTING -- Alters network packets when they arrive.
  • OUTPUT -- Alters locally-generated network packets before they are sent out.
  • POSTROUTING -- Alters network packets before they are sent out.

Mangle built-in chains:

  • INPUT -- Alters network packets targeted for the host.
  • OUTPUT -- Alters locally-generated network packets before they are sent out.
  • FORWARD -- Alters network packets routed through the host.
  • PREROUTING -- Alters incoming network packets before they are routed.
  • POSTROUTING -- Alters network packets before they are sent out.

Rules created with the iptables command are stored in memory. If the system is restarted before saving the iptables rule set, all rules are lost. For netfilter rules to persist through system reboot, they need to be saved. To do this, log in as root and type:

# /sbin/service iptables save

What this does is execute the iptables initscript, which runs the /sbin/iptables-save program and writes the current iptables configuration to /etc/sysconfig/iptables. The existing /etc/sysconfig/iptables file is then saved as /etc/sysconfig/

On a reboot, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.
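
Because the saved file is plain text in iptables-save format, it can be checked before a reboot reapplies it. The script below is an added example, not part of the original tip or of Red Hat's tooling: it audits such a file against the baseline from the sample set-up (DROP policies, loopback ACCEPT rules). The function names and the 192.0.2.10 sample address are assumptions.

```shell
#!/bin/sh
# Added example: audit a rules file in iptables-save format (the format
# written to /etc/sysconfig/iptables) against the baseline from this tip.

# Constructed sample of the saved filter table. 192.0.2.10 is a
# documentation address standing in for the external IP (assumption).
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A INPUT -i ppp0 -d ! 192.0.2.10 -j DROP
-A OUTPUT -o ppp0 -s ! 192.0.2.10 -j DROP
COMMIT
EOF
}

# audit_rules [FILE]: print one finding per line; exit status 1 if any.
audit_rules() {
    awk '
    function finding(msg) { print "FINDING: " msg; bad++ }
    /^\*/ { table = substr($1, 2); next }      # "*filter", "*nat", ...
    table != "filter" { next }                 # only the filter table is audited
    /^:(INPUT|OUTPUT|FORWARD) / {              # ":CHAIN POLICY [pkts:bytes]"
        chain = substr($1, 2); seen[chain] = 1
        if ($2 != "DROP") finding("policy " chain " is " $2 ", expected DROP")
        next
    }
    /^-A INPUT -i lo -j ACCEPT *$/  { lo_in = 1 }
    /^-A OUTPUT -o lo -j ACCEPT *$/ { lo_out = 1 }
    # A match-less ACCEPT lets everything through despite the DROP policy.
    /^-A (INPUT|FORWARD) -j ACCEPT *$/ { finding("unconditional rule: " $0) }
    /^COMMIT *$/ { committed = 1 }
    END {
        n = split("INPUT OUTPUT FORWARD", want, " ")
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) finding("no policy line for " want[i])
        if (!lo_in || !lo_out) finding("loopback ACCEPT rules missing")
        if (!committed) finding("filter table has no COMMIT line")
        exit (bad > 0 ? 1 : 0)
    }' "$@"
}

# Stand-alone run: audit the constructed sample above.
sample_rules | audit_rules && echo "baseline OK"
```

On a RHEL4 host, run `audit_rules /etc/sysconfig/iptables` as root after `/sbin/service iptables save`.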

For more information, you may want to download a copy of the RHEL4 reference guide from Red Hat. You may also want to go to the Netfilter site, for a wealth of information on netfilter.

This was first published in February 2006
