
Running Linux, 5th Edition - Matthias Kalle Dalheimer [468]

RFC document that specifies the protocol used by the service. Usually you don't need to know much more about a service than which protocols and ports it uses, and that is generally easy to find in the RFC.

IP Filter Management and Script Files

Filtering rules are stored and used by the kernel in much the same way as routing entries: when the system reboots, IP filtering rules must be reconfigured. To ensure that a firewall configuration is reinstated when a reboot occurs, you should place the appropriate iptables commands in a script file that is automatically executed at system boot time. Bundled with the iptables software package are two programs called iptables-save and iptables-restore that respectively save the current netfilter configuration to a file and restore it from that file. These tools greatly simplify the task of managing firewall configuration.

Each Linux distribution takes a slightly different approach to managing firewall configuration:

Red Hat (versions 7.0 and later)

First configure your IP filtering rules using the appropriate iptables commands. Then, execute the following command:

/sbin/service iptables save

This causes the filtering rules to be saved to /etc/sysconfig/iptables, which is automatically read at boot time.

Debian

In order to set up iptables rules you either need to write a /etc/init.d script manually or use one of the many packages available that generate firewall rules for you.

SUSE Linux

For a simple, albeit not as flexible, configuration, run yast2 and select the firewall configuration module Security & Users → Firewall. Otherwise:

Edit /etc/sysconfig/SUSEfirewall2. This file is thoroughly documented.

If necessary, define custom filter rules in /etc/sysconfig/scripts/SUSEfirewall2-custom. This requires deeper knowledge about how firewalls work on Linux.

Start the firewall by invoking /sbin/SUSEfirewall2 start.

Sample netfilter Configurations

In this section we provide some simple but useful IP filtering configurations. The aim here is not to provide you with a set of solutions that you accept uncritically. Instead, we introduce you to what a useful set of IP filtering rules looks like and provide you with a skeleton on which you can base your own configurations.

Simple IP filtering example

Here we demonstrate the basic use of IP filtering, which is similar to our use of TCP wrappers described earlier in the chapter. We want to screen out packets from all hosts on the Internet, except for packets destined for the finger daemon from a small set of hosts. Although TCP wrappers can be used to perform the same function, IP filtering can screen many different types of packets (for example, ICMP "ping" packets), and is often necessary to protect services that aren't managed by TCP wrappers.

Unlike TCP wrappers, iptables rules cannot use hostnames to identify the origin or destination of a packet; you must use IP addresses when specifying rules. This is a good idea anyway, since reverse hostname lookup is not a completely secure way to identify a packet (it is possible to spoof DNS, making it appear as though an IP address has a different hostname). In Examples 26-1 and 26-2, we use IP addresses instead of hostnames, which can be obtained using a tool such as host.

Example 26-1. Simple iptables example

# Load the connection tracking modules if they're not compiled into the
# kernel.
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Set default policy on the INPUT chain to DROP.
iptables -P INPUT DROP

# ACCEPT packets belonging to an existing connection.
# '-A INPUT' is used to append to the INPUT chain.
# '-m state' uses the stateful inspection module.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ACCEPT all packets that have come from the loopback interface, that
# is, from the local host. '-i lo' identifies the loopback interface.
iptables -A INPUT -i lo -j ACCEPT

# ACCEPT new incoming connections, and packets belonging to existing
# connections, to port 22 (ssh).
iptables -A INPUT
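The section above makes two points that fit together: rules vanish at reboot, so they belong in a file loaded by iptables-restore, and a default-DROP INPUT chain should admit finger only from a short list of trusted addresses. The following script is an added example, not code from the book: it emits the Example 26-1 policy (default DROP, loopback, ESTABLISHED/RELATED, ssh, finger from listed hosts) in the iptables-save file format that /etc/sysconfig/iptables and iptables-restore use, so the whole table is replaced atomically instead of being rebuilt one command at a time. The client addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders from the documentation range, and the rules file path /etc/iptables.rules is an assumption.

```shell
#!/bin/sh
# Added example (not from Running Linux): build an iptables-restore ruleset
# for the Example 26-1 policy and load it as one transaction.

# Constructed sample values: trusted finger clients (TEST-NET-1 addresses)
# and the ssh port. Override via the environment.
FINGER_CLIENTS="${FINGER_CLIENTS:-192.0.2.10 192.0.2.11}"
SSH_PORT="${SSH_PORT:-22}"

# Print the ruleset in iptables-save format. Chain policy lines come first,
# then rules in the order the kernel evaluates them, then COMMIT.
firewall_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # default policy: drop what no rule accepts
    printf '%s\n' ':FORWARD DROP [0:0]'    # this host is not a router
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT"
    # finger (tcp/79) is accepted only from the listed clients; any other
    # source falls through to the INPUT DROP policy.
    for host in $FINGER_CLIENTS; do
        printf '%s\n' "-A INPUT -p tcp -s $host --dport 79 -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of finger rules emitted. Every one of them carries a -s restriction,
# so this equals the number of trusted clients, never "finger from anywhere".
finger_rule_count() {
    firewall_rules | grep -c -- '--dport 79 '
}

# Write the ruleset where the boot script expects it and load it atomically.
# iptables-restore replaces the table in one step, so there is no window
# with a half-applied ruleset. Must run as root.
apply_rules() {
    RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"   # assumed path
    firewall_rules > "$RULES_FILE"
    iptables-restore < "$RULES_FILE"
}

# To activate, run as root:  apply_rules
# To inspect without touching the kernel:  firewall_rules
```

Calling firewall_rules on its own is a harmless dry run you can diff against the output of iptables-save on the live system; apply_rules is the part that belongs in the boot-time script described above.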
