These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/IPTables Firewall Scripts


NOTE: This applies to both IP Tables and IP Chains!

Because IP Tables rules live only in the Linux kernel's memory and are never written to disk by the kernel itself, they are lost on reboot or power failure. Thus, for firewall settings to stick, place them in a bootup script and have that script run during boot.

If you will recall, you can add new scripts to boot up in one of a few places:

  • Under Red Hat (and other RPM-based distros)
    Place extra commands into /etc/rc.d/rc.local, or into one of the specific run-levels inside of rc.d.
  • Under Debian (and other similar distros)
    Place scripts into /etc/init.d and then symlink them into /etc/rcS.d

Remember, these scripts are shell scripts, and need to start out with a first line specifying the shell to use when interpreting them (the #!/bin/sh line).

Abstracting the Firewall tools

One of the most common methods used when writing a firewall script is to first abstract out everything that will be repeated over and over again. This cuts back on the amount of typing that must be done, and makes later modifications to the script trivial.

 IPT=/sbin/iptables
 # iptables has no DENY target and no -l flag (both are ipchains); use DROP,
 # and add a separate LOG rule in front of the DROP if logging is wanted
 $IPT -I OUTPUT  1 -s 1.2.3.4 -j LOG
 $IPT -I OUTPUT  2 -s 1.2.3.4 -j DROP
 $IPT -I INPUT   1 -s 1.2.3.4 -j DROP
 $IPT -I FORWARD 1 -s 1.2.3.4 -j DROP

You can set as many variables as these scripts need. For example, if you plan on having many rules for the same host (say, crackorz.net), you could define it as a variable:

 IPT=/sbin/iptables
 CRKZ=crackorz.net
 # $CRKZ must be expanded with the dollar sign; DENY is the ipchains name, iptables uses DROP.
 # A hostname is resolved once, when the rule is loaded, not on every packet.
 $IPT -I INPUT   -s $CRKZ -i eth+ -j DROP
 # "Everything to our mail host except SMTP": iptables has no bare "! smtp",
 # so match the protocol and negate the port instead
 $IPT -I OUTPUT  -s $CRKZ -d mail.geekcomix.com -p tcp ! --dport 25 -j DROP
 $IPT -I FORWARD -s $CRKZ -j REJECT
 # We have a honey pot here! :-)
 # REDIRECT is a nat-table target, only valid in PREROUTING (or OUTPUT), not in filter INPUT
 $IPT -t nat -I PREROUTING -s $CRKZ ! -i eth3 -j REDIRECT

We might also wish to put an interface name into a variable, since it may change in the future:

 EXTIF=eth0
 $IPT -A INPUT -i $EXTIF -s evilguys.org -j DROP
 $IPT -A FORWARD -i $EXTIF -s evilguys.org -j DROP
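Putting the pieces above together, here is a minimal /etc/init.d-style firewall script. It is an added example, not code from the original notes: the shebang line, the abstracted variables (IPT, EXTIF, BADNET), the start/stop dispatch and the interface name eth0 and network 192.0.2.0/24 are all assumptions constructed for this example. Setting IPT=echo prints the rules instead of loading them, which is how the script can be checked without root and without touching the running kernel.

```sh
#!/bin/sh
# Added example, not from the original notes: a minimal /etc/init.d-style
# firewall script. Everything that repeats is abstracted into variables at
# the top, so the iptables path, the outside interface or a blocked network
# is a one-line change. Assumed values (constructed for this example):
# eth0 is the outside interface and 192.0.2.0/24 is the network we block.

IPT=${IPT:-/sbin/iptables}   # set IPT=echo to print the rules instead of loading them
EXTIF=eth0                   # outside interface
BADNET=192.0.2.0/24          # constructed example of a network we refuse traffic from

fw_flush() {
    # Reset policies to ACCEPT and empty every chain so "stop" leaves a clean slate
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X
}

fw_start() {
    fw_flush
    # The policy is what the kernel applies when a packet reaches the end of a
    # chain without matching any rule; default-deny for INPUT and FORWARD.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    # Loopback and replies to connections we started are always fine
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables has no DENY target and no -l flag (those are ipchains):
    # logging is a separate LOG rule placed in front of the DROP rule.
    $IPT -A INPUT   -i $EXTIF -s $BADNET -j LOG --log-prefix "fw-badnet: "
    $IPT -A INPUT   -i $EXTIF -s $BADNET -j DROP
    $IPT -A FORWARD -i $EXTIF -s $BADNET -j DROP
}

fw_stop() {
    fw_flush
}

# Dispatch on the argument the init system passes; with no argument the
# script only defines the functions (so it can be sourced or dry-run).
case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    "")      ;;
    *)       echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```

Install it as /etc/init.d/firewall and hook it into boot the way the distro notes above describe; `IPT=echo sh /etc/init.d/firewall start` shows exactly which rules would be loaded, in order, before you commit them to the kernel.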

Recall that if a packet does not match a rule, the kernel tests the subsequent rules until a match is found or the end of the chain is reached. If the end is reached, the chain's policy is applied; this may result in the packet being dropped or rejected.

Thus, for our internal network, it may be more important to block packets with incorrect source addresses. On a large network, there is the chance that these are from someone operating from an internal system trying to crack someone else on the Internet. As a good net citizen we will be very careful about this. This is known as egress filtering, and is explained more thoroughly on page 81 of the book. If we set our internal interface to $INTIF and the internal network to $INTNET, we could get something like the following for our rules:

 # anything arriving on $INTIF with a different source address does not match
 # here and falls through to the remaining rules and, finally, the chain policy
 $IPT -A INPUT -i $INTIF -s $INTNET -j ACCEPT
 $IPT -A FORWARD -i $INTIF -s $INTNET -j ACCEPT

Thus, packets coming in on the internal interface must have an internal source address, and packets destined for the internal interface must have a destination address that is internal, or they will not proceed.
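The two ACCEPT rules above only let the good packets through; whether a spoofed packet is actually stopped depends on what follows them in the chain. The script below is an added example, not from the original notes, that makes the "or they will not proceed" part explicit with a catch-all LOG and DROP per direction, and adds the outbound check the text describes. The interface eth1, the network 10.0.0.0/24 and the function name egress_rules are constructed assumptions; IPT=echo prints the rules instead of loading them.

```sh
#!/bin/sh
# Added example, not from the original notes: egress filtering on the inside
# interface, written so the "or they will not proceed" part is explicit
# rather than left to the chain policy. Assumed values (constructed):
# eth1 is the inside interface and 10.0.0.0/24 is the internal network.

IPT=${IPT:-/sbin/iptables}   # IPT=echo prints the rules instead of loading them
INTIF=eth1
INTNET=10.0.0.0/24

egress_rules() {
    # Rules are appended in order, so the ACCEPT for legitimate internal
    # sources must come before the catch-all DROP for the same interface.
    $IPT -A INPUT   -i $INTIF -s $INTNET -j ACCEPT
    $IPT -A FORWARD -i $INTIF -s $INTNET -j ACCEPT
    # Anything else arriving on $INTIF carries a forged or misconfigured
    # source address: log it (so the offending internal host can be found)
    # and drop it, instead of letting it fall through to whatever the policy is.
    $IPT -A INPUT   -i $INTIF -j LOG --log-prefix "egress-spoof: "
    $IPT -A INPUT   -i $INTIF -j DROP
    $IPT -A FORWARD -i $INTIF -j LOG --log-prefix "egress-spoof: "
    $IPT -A FORWARD -i $INTIF -j DROP
    # The other direction: packets forwarded out of the inside interface
    # must be addressed to the internal network.
    $IPT -A FORWARD -o $INTIF -d $INTNET -j ACCEPT
    $IPT -A FORWARD -o $INTIF -j DROP
}

# Apply when run as "sh egress.sh apply"; with no argument only the function is defined
if [ "${1:-}" = "apply" ]; then
    egress_rules
fi
```

The LOG lines are what turn a silent drop into something you can act on: a burst of "egress-spoof:" entries in the kernel log points at the internal machine (or misconfiguration) that is sending packets with addresses it does not own.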



Last edited June 21, 2003 5:28 am
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.