You're reading from Linux Networking Cookbook Over 40 recipes to help you set up and configure Linux networks

Product type Paperback

Published in Jun 2016

Publisher

ISBN-13 9781785287916

Length 152 pages

Edition 1st Edition

Tools

Ubuntu Server

Concepts

Networking

Authors (2):

Gregory Boyce

Agnello Dsouza

View More author details

Table of Contents (14) Chapters

Preface

1. Configuring a Router

2. Configuring DNS FREE CHAPTER

3. Configuring IPv6

4. Remote Access

5. Web Servers

6. Directory Services

7. Setting up File Storage

8. Setting up E-mail

9. Configuring XMPP

10. Monitoring Your Network

11. Mapping Your Network

12. Watching Your Network

Index

Setting up a firewall with IPtables

We touched upon iptables a little while discussing NAT, but now we're going to go a bit deeper into configuring a secure firewall for your network.

How to do it…

A properly configured firewall should be configured in a default deny configuration with specific allows (Whitelist) for what you want to accept:

# iptables -A INPUT -i lo -j ACCEPT 
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -P INPUT DROP 
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A FORWARD -i eth0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth2 \
-j MASQUERADE
# iptables -A FORWARD -i eth2 -o eth0 -m \
state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -j ACCEPT

How it works…

We start off by setting an ACCEPT policy on traffic destined to the local system on the localhost adapter (-i lo). A lot of software expects to be able to communicate over the localhost adapter, so we want to make sure we don't inadvertently filter it.

Next, we set an ACCEPT policy for any packet that matches a state (-m state) of ESTABLISHED, RELATED. This command accepts packets which are a part of, or related to, an established connection. ESTABLISHED should be pretty straightforward. RELATED packets are special cases that the connection tracking module needs to have a prior knowledge of. An example of this is the FTP protocol operating in active mode. The FTP client in active mode connects to the server on port 21. Data transfers however, operate on a second connection originating from the ftp server from port 20. During the operation of the connection, the port 21 packets are ESTABLISHED, while the port 20 packets are RELATED.

The third command accepts any TCP connection (-p tcp) destined for port 22 (--dport 22) that is destined for your system. This rule allows you to SSH into the machine.

Next, we will define the default policies. By default, we drop packets on the INPUT and FORWARD chains and accept packets on the OUTPUT chain.

The last three lines you'll recognize from the NAT section, which tells the firewall to allow any packets starting on the internal network and heading out to the Internet.

Additional ACCEPT rules based upon destination ports can be opened as needed as INPUT lines, like the port 22 one.

The rest of the chapter is locked

You're reading from Linux Networking Cookbook Over 40 recipes to help you set up and configure Linux networks

Table of Contents (14) Chapters

Setting up a firewall with IPtables

How to do it…

How it works…

Unlock this book and the full library FREE for 7 days

Authors (2)

Personalised recommendations for you