Introduction To IPTables
Kyle Waters
Member of The Free Software and Linux Club @ USU
Firewalls
- Each service listens on a port
- Most OS installations install services which open ports
- netstat can be used to find open ports
- nmap can also be used to detect open ports
- Firewalls are used to restrict access to open ports
nmap is included in all major Linux distributions and can be found at insecure.org
netstat -lt
Linux Firewalls
- netfilter is part of the Linux kernel
- Most distributions will include the netfilter modules and iptables utilities
- Scripts
- GUIs
iptables by hand
- iptables -A OUTPUT -p tcp --dport 80 -j DROP
- -L -A -I -D for what you want to do
- Name of the chain (INPUT, OUTPUT and FORWARD for the filter table)
- Options (protocol, port, action)
- iptables-save
-L list the rules for the chain
-A add rule to the chain
-I insert rule in the chain
-D delete rule from the chain
-p tcp/udp select protocol
--dport destination port
-j ACCEPT to accept the packet
-j REJECT to reject the packet
Shorewall
- A set of scripts to help set up iptables
- rules -- main file where you set access
- zones -- configure different zones of control
- interfaces -- configure different network cards
- hosts -- place hosts in zones
GUIs
- firestarter
- Firewall Builder
- dwall
- NetfilterOne
- KMyFirewall
- NuFW
Policies
- Block everything you don't use
- Restrict by IP if possible
- Rate limiting
- Security by obscurity
- Update
- Firewalling outbound connections
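The following script is an added example, not part of the original slides, that puts the "iptables by hand" options and the policy list above into one small host firewall: a default DROP policy (block everything you don't use), SSH restricted to an administrative network and rate limited, a public web port, one outbound restriction, and iptables-save for persistence. The administrative network 192.168.1.0/24, the choice of ports, the rate limits, and the `--apply` flag are all assumptions made for illustration; run it without arguments to print the commands it would issue.

```shell
#!/bin/sh
# Added example (not from the original slides). Prints the iptables commands
# it would run unless invoked with --apply, which requires root.

# Assumed values for illustration: adjust for your own network.
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # hosts allowed to reach SSH (constructed value)

# apply_rules CMD: build the ruleset by passing each rule to CMD
# (CMD is "iptables" for real use, "echo iptables" for a dry run).
apply_rules() {
    ipt="$1"

    # Start from an empty filter table so repeated runs don't stack rules.
    $ipt -F INPUT
    $ipt -F OUTPUT
    $ipt -F FORWARD

    # Policy "block everything you don't use": anything not matched below is dropped.
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    # Loopback traffic and replies to connections this host started.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Policy "restrict by IP" plus "rate limiting": SSH only from ADMIN_NET,
    # and no more than 4 new connections per minute (burst of 8).
    $ipt -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" \
        -m limit --limit 4/min --limit-burst 8 -j ACCEPT
    # Any other SSH attempt (wrong source, or over the rate) is rejected.
    $ipt -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset

    # Public web service stays reachable from everywhere.
    $ipt -A INPUT -p tcp --dport 80 -j ACCEPT

    # Policy "firewalling outbound connections": this host is not a mail
    # server, so outbound SMTP is refused (limits abuse if the host is compromised).
    $ipt -A OUTPUT -p tcp --dport 25 -j REJECT
}

# preview_rules: dry run, prints the commands instead of executing them.
preview_rules() {
    apply_rules "echo iptables"
}

# rule_count: number of rules (-A lines) the ruleset contains, from the preview.
rule_count() {
    preview_rules | grep -c -- ' -A '
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules iptables
    # Persist the running rules; the file location is distribution specific
    # (assumed path shown), so adjust it for your system.
    iptables-save > /etc/iptables/rules.v4
else
    preview_rules
fi
```

The order matters: the rate-limited ACCEPT for SSH must come before the REJECT on the same port, since iptables stops at the first matching rule in the chain; use `iptables -L INPUT -n --line-numbers` to confirm the order after applying.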