1,234
edits
Changes
→PART 2: IPTABLES
* Use yum to uninstall firewalld and install iptables-services
* Use systemctl to start the iptables service and configure it to be started on boot.
* Run <code>iptables -L</code>. We will be learning how to read that mess in the next section.
IPtables is a complex system, and there's a lot of material this week to cover it. Keep in mind as you're going through the lab that you're trying to learn three things:
::# Since the '''RELATED,ESTABLISHED''' rule already exists, we are only concerned about <u>'''controlling'''</u> the '''incoming traffic on the server''', which in our example, the '''chain is: INPUT''', the '''protocol is: tcp''', and the '''destination is: port 80'''.
:* 'Most other services work in a similar way as discussed above. == Adding a rule == '''<source>iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</source>''' Can be read like this: ''Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.'' '''Let's break down the <u>command displayed above</u> to see how it works:''' {|cellpadding="15" width="60%"|- valign="top"| | <span style="font-family:courier; font-weight:bold">-I</span>| | tells iptables to INSERT this line into the OUTPUT policy. This means it will be the first line in the policy. If we used a <span style="font-family:courier; font-weight:bold">-A</span> switch it would have appended the line and it would be the last line of the policy. If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, <code>-I 3 OUTPUT</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example)|- valign="top"|width="75" | '''-p tcp'''| | tells iptables to only match TCP packets. Alternately, the protocol could be set to '''udp''', '''icmp''', or '''all'''|- valign="top"| |'''-s0/0'''| |specifies the source IP address. 0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC|- valign="top"| |'''-d0/0'''| |specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed|- valign="top"| |'''--dport 80'''| |tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the <code>--sport</code> switch|- valign="top"| |'''-j'''| |means when condition is met, then jump to a particular target – Basic targets are '''ACCEPT''', '''DROP''', '''REJECT''', and '''LOG'''. The available targets depend on which table contains the chain|- valign="top"| |'''DROP''' | |means drop the packet – make it disappear - and do not continue processing rules. '''REJECT''' is similar, but causes an error packet to be sent back to the source host. '''ACCEPT''' causes the packet to be processed. '''LOG''' causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one that does not stop rule-checking in the chain - so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it|}