IPtables Intro
From SysadminWiki
iptables is a much more sophisticated, and therefore more complicated, system for controlling packet traffic on your system than TCP Wrappers. It is a packet-based firewall and it operates at kernel level rather than at the TCP (application) level. It is stateful, which means it can make decisions based on previously received packets (for example, accept a reply only if it belongs to a connection that was already allowed).
The firewall rules are organised in chains, which are grouped into tables. There are 3 tables: filter, nat and mangle. nat and mangle are for routing and manipulating packets and we will not consider them here.
The filter table contains 3 predefined chains: INPUT for packets coming in, OUTPUT for packets going out and FORWARD for packets to be forwarded; user-defined chains can be created as well. It is important to remember that the rules in a chain (as the name might indicate :) are evaluated in order: the first matching rule decides the fate of the packet and the remaining rules in the chain are never consulted.
Each rule can perform one of four actions, called targets: ACCEPT (accept the packet), REJECT (reject it and send an answer back), DROP (reject it without any answer) and RETURN (jump to another chain in the table).
The difference between REJECT and DROP is that with DROP it looks as if there is no host at that address or as if there are network problems: the machine contacting you receives no answer and has to wait for its own timeout, which is much slower. DROP is therefore a very good protection against ssh password scanning because it delays the scan (even if the scanner has a timeout of its own, waiting for it will always be slower than receiving a rejection - machines are no different from humans :), but it must be used with care.
iptables uses DNS to resolve host or domain names given in rules, at the moment the rule is loaded. It is highly recommended that you use IP addresses with netmasks or bitmasks (whichever you prefer) instead, so that a rule does not depend on a DNS lookup succeeding when it is loaded.
The way to implement the "deny everything not explicitly allowed" policy, both in OUTPUT and in INPUT, starts with:
  # Chain policies accept only built-in targets such as ACCEPT or DROP;
  # REJECT is an extension target and is not valid as a policy
  # ("iptables: Bad policy name"). Set the policies only after the ACCEPT
  # rules you rely on are in place, or a remote session is cut off.
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
These two commands set what are called "chain policies": the default behaviour of the chain when no rule matches. On top of the policies a more complicated set of rules can be built. Let's say, for example, that you want to configure your Worker Nodes to drop incoming ssh connections if they don't come from your domain, and to allow outgoing connections only to your Computing Element.
  iptables -A INPUT --protocol tcp --destination-port ssh --jump DROP --source ! <domain>/<netmask>
  iptables -A OUTPUT --protocol tcp --source-port ssh --jump ACCEPT --destination <your-CE-IP-address>
A ! inverts the selection: it is a negative selector. Leave a blank space after it, otherwise the shell treats it as a history-expansion character.
If you are not sure of what you are doing, don't play with iptables on a machine that you cannot physically access, especially if you are trying the examples in this introductory guide.
Remember to save your configuration, otherwise at the first reboot you lose everything you have so patiently put together. To save the rules (on Red Hat style systems, where they are written to /etc/sysconfig/iptables):
  /sbin/service iptables save
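The whole procedure above (default-deny policies, the ssh and Computing Element rules, and the save step) put together as a script, in an order that cannot lock you out of a remote machine. This is an added example and not code from the wiki; the admin network 192.0.2.0/24, the Computing Element address 198.51.100.10 and the function names are assumptions (documentation-only addresses), to be replaced with your own values. It also adds the two things a default-deny ruleset needs in practice and that the text only hints at: accepting loopback traffic, and using the stateful part of iptables so that replies to allowed connections get through without a rule per service.

```shell
#!/bin/sh
# Added example (not from the wiki page): the page's "deny everything not
# explicitly allowed" ruleset, built in a lock-out-safe order and saved.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # assumption: network allowed to ssh in
CE_ADDR="${CE_ADDR:-198.51.100.10}"      # assumption: Computing Element address
IPTABLES="${IPTABLES:-/sbin/iptables}"

# With DRY_RUN set, print each command instead of executing it, so the
# ruleset can be reviewed on a machine without root before it is applied.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_firewall() {
    # 1. Start from a known state: accept everything while the chains are
    #    rebuilt, so an error half-way through cannot leave the box unreachable.
    run "$IPTABLES" -P INPUT ACCEPT
    run "$IPTABLES" -P OUTPUT ACCEPT
    run "$IPTABLES" -F INPUT
    run "$IPTABLES" -F OUTPUT

    # 2. Loopback is used by local services; never filter it.
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

    # 3. Stateful part: packets belonging to a connection that was already
    #    allowed are accepted without a per-service rule.
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. New ssh connections: only from the admin network. The explicit DROP
    #    is redundant once the policy is DROP, but it documents the intent in
    #    "iptables -L" and sidesteps the "!" quoting issue entirely.
    run "$IPTABLES" -A INPUT -p tcp --dport ssh -s "$ADMIN_NET" -m state --state NEW -j ACCEPT
    run "$IPTABLES" -A INPUT -p tcp --dport ssh -j DROP

    # 5. New outgoing connections: only to the Computing Element.
    run "$IPTABLES" -A OUTPUT -m state --state NEW -d "$CE_ADDR" -j ACCEPT

    # 6. Only now flip the policies: anything not matched above is silently
    #    dropped. REJECT cannot be a policy, it can only be an explicit rule.
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P OUTPUT DROP

    # 7. Persist across reboots (Red Hat style init script).
    run /sbin/service iptables save
}

# Print the ruleset without touching the kernel (subshell keeps DRY_RUN local).
preview() {
    ( DRY_RUN=1; build_firewall )
}

# Number of rules appended with -A; a quick sanity check on the ruleset.
count_appended() {
    preview | grep -c ' -A '
}

# Succeeds only if both DROP policies come after the last appended rule,
# i.e. the script cannot cut off the session that is running it.
policy_after_rules() {
    preview | awk '
        / -A /            { last_add = NR }
        / -P [A-Z]+ DROP/ { if (!first_drop) first_drop = NR }
        END { if (last_add > 0 && first_drop > last_add) exit 0; exit 1 }'
}

case "${1:-preview}" in
    apply)   build_firewall ;;   # needs root
    preview) preview ;;
esac
```

Run it without arguments to see the commands it would issue, and with `apply` as root to install and save them. With the OUTPUT policy at DROP, anything not destined for the Computing Element (DNS lookups, package updates) is blocked as well, which is one more reason to write rules with IP addresses rather than names.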
For more information see this HOWTO (http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables).
