OPS235 Lab 6 - Fedora17

1,126 bytes added, 19:41, 13 March 2011
Investigation 8: How do I view and configure the IPTABLES firewall? -- Basic Function/Configuration
'''FORWARD''' – LINUX PCs are often used as routers or gateways for other PCs. This means that data may have to be passed through this LINUX box, but the data is not intended for the LINUX PC nor is it being sent by the LINUX PC. Even though the data will go into this PC and it will exit this PC, the INPUT and OUTPUT chains do not apply here. Because the PC is acting as a router it does not actually send or receive data, it FORWARDS data from one machine to another. When this happens, the data is checked against the FORWARD chain to see if it is allowed through. If it is, the router will forward the data to its destination. If not, the packet is dropped.}}
{{Admon/important | Note! Non-Persistent Changes to your Host System | Complete this lab on your host system (f13host).
It should be noted that all of the commands that we do here with iptables will not be persistent unless you have saved your configuration. That means if you re-boot, the default iptables configuration will be loaded.}}
# As root on the fedora host enter the following commands at the prompt:
#* <code>iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</code>
{{Admon/note| Interpreting iptables commands |This command can be read like this: insert a rule into the iptables OUTPUT chain that will match any TCP packet with any source address, to any destination address, with a destination port of 80. Any packet that matches will be dropped. Let's break down the command to see how it works.
The '''-I''' switch tells iptables to INSERT this rule into the OUTPUT chain. This means it will be the first rule in the chain. If we used a -A switch it would have appended the rule and it would be the last rule of the chain. If you are writing complex iptables rules where multiple matches can occur, it is important that the rules go in the right order. Most people simply write scripts to ensure this. If you follow the chain name with a number, the new rule will be inserted at that position in the chain (for example, <code>-I OUTPUT 3</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary: the old rule #3 will become the new rule #4, for example).
The '''-p tcp''' switch tells iptables to only match TCP packets. Alternately, the protocol could be set to udp, icmp, or all.
The '''-s0/0''' switch specifies the source IP address. 0/0 means a source address of “anywhere.” This has been used in the lab because your IP address is dynamically assigned and will change. You can change this value to the IP address that has been specifically assigned to your PC if you want. (Since the rule will, by default, match any source address, this switch may be left out.)
The '''-d0/0''' switch specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of the web server that is being accessed. (Since the rule will, by default, match any destination address, this switch may be left out.)
The switch '''--dport 80''' tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on the source port using the <code>--sport</code> switch.
'''-j''' means jump to a particular target. Basic targets are ACCEPT, DROP, REJECT, and LOG. There are others, and you also have the ability to create your own; the available targets depend on which table contains the chain.
'''DROP''' means drop the packet – make it disappear – and do not continue processing rules. '''REJECT''' is similar, but causes an error packet to be sent back to the source host. '''ACCEPT''' causes the packet to be processed. '''LOG''' causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one of these that does not stop rule-checking in the chain, so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it.
}}
# Make a backup of the file <code>/etc/sysconfig/iptables</code>
# Examine the file to see how rules are added.
# Issue the command <code>service iptables save</code> to save the rules you added with the iptables command, above.
# Verify that the file <code>/etc/sysconfig/iptables</code> was updated with your 2 new rules created above.
{{Admon/important | Careful! | Remember that mistakes in iptables can have a significant impact on your system. Make sure you are '''appending the rules to the INPUT chain'''}}
# Restart your iptables service and test your configuration.
# Write a short bash script to add a rule allowing the fedora1 and fedora3 VMs to connect to <code>ssh</code> on the fedora host.
# Answer the investigation in your logbook.
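The script asked for in the last step, together with the rule-ordering point from the note above (LOG before DROP, and why explicit positions matter with -I), as an added example that is not the lab's own code. The VM addresses and the log prefix are assumptions, since the lab does not give the IPs of fedora1 and fedora3.

```shell
#!/bin/bash
# Added example, not the lab's own script. Generates the iptables commands
# discussed on this page; prints them unless RUN_RULES=1 is set and the
# script runs as root, so it can be reviewed without touching the firewall.

# Assumed addresses: the lab does not state the IPs of fedora1 and fedora3.
VM_HOSTS="192.168.122.11 192.168.122.13"

# One INPUT rule allowing ssh (tcp/22) from a single source address.
# Appended (-A) so it lands after any existing INPUT rules, as the lab asks.
ssh_allow_rule() {
    printf 'iptables -A INPUT -p tcp -s %s --dport 22 -j ACCEPT\n' "$1"
}

# The lab's outbound web block, with a LOG rule in front of it. LOG is the
# target that does not stop rule checking, so the packet is logged and then
# hits DROP. Explicit positions (1 and 2) fix the order; two plain -I calls
# would each land at position 1 and reverse it.
web_block_rules() {
    printf 'iptables -I OUTPUT 1 -p tcp --dport 80 -j LOG --log-prefix "web-block: "\n'
    printf 'iptables -I OUTPUT 2 -p tcp --dport 80 -j DROP\n'
}

# Every command the script would run, one per line.
all_rules() {
    local h
    for h in $VM_HOSTS; do
        ssh_allow_rule "$h"
    done
    web_block_rules
    # Persist to /etc/sysconfig/iptables; otherwise a reboot discards them.
    printf 'service iptables save\n'
}

# Number of generated commands, used as a quick sanity check.
rule_count() {
    all_rules | wc -l | tr -d ' '
}

main() {
    if [ "${RUN_RULES:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        all_rules | while IFS= read -r cmd; do eval "$cmd"; done
    else
        echo "# Dry run (set RUN_RULES=1 and run as root to apply):"
        all_rules
    fi
}

main "$@"
```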
== New Configuration ==