Re: IPTABLES

From: Enrique Perez-Terron (enrio_at_online.no)
Date: 11/27/05


Date: Sun, 27 Nov 2005 19:57:26 +0100

On Mon, 14 Nov 2005 16:44:27 +0100, Charly <NOSPAMMMMM@SPM.spc> wrote:

> Hi, I am a newbie but I need to know something I think is quite complex.
> I need to setup the firewall IPTABLES on CentOS (Redhat).
> I wanted to know:
> 1) can I setup it from the conf file ? I see on the newsgroup that normally
> people use the command bar by typing the commands, but I would prefer to do
> it on the configuration file.

If CentOS is similar to Redhat, then there is a tool,

   /usr/bin/system-config-securitylevel

you should use to set up a first approximation to what you want.

No, and yes, there is (not) a config file. Confused?

You set up the firewall using command line commands. (Write them
into a script.) Then you save the state of the firewall to a file,
which is used to restore the state on each reboot. This file is
kind-of a config file. But read on.

If CentOS still is similar to Redhat/Fedora, saving the state of the
firewall is done with the command

   service iptables save

The tool mentioned above will do this for you, but you need to do this
again manually after you tweak the firewall manually. You do not need to
issue any commands to restore the saved state on boot.

When the computer boots, the init program will run the equivalent of

   service iptables start

The "service" command in turn does "bash /etc/rc.d/init.d/iptables
start" or "... save". If you read the bash script, you will find
that the state file is /etc/sysconfig/iptables. This is a text file
and you can inspect it. It is not quite the same format as the
corresponding command line commands, but not very different either.
You will also find that there is another config file,
/etc/sysconfig/iptables-config, but this contains very little
information. You can learn from it that if you tweak the firewall
and then restart iptables (or reboot) without saving, you lose the
tweaks. This is a good idea, for when you tweak the firewall, it
takes effect immediately, and there is no need to restart. Use save
when you are satisfied, restart if you regret and want to start
over from the last (presumably good) saved config.

The saving of state is done with a program called /sbin/iptables-save,
the converse is, you guessed it, /sbin/iptables-restore.

> 2) I have 2 ethernet: on eth1 I have the wan, on eth0 the lan. I wanted to
> allow to access FROM the LAN only to a computer with MAC ADDRESS xxxxxx. Could

Every rope has two ends and either end is "the end" of it. Almost
nobody seems to be capable of expressing directions unambiguously.
It may be quite likely that you mean one way, but it is not
impossible that you mean the opposite.

May I presume that, you mean you want to give *your permission*
to this MAC-address-equipped computer, to access the linux box,
which of course has an entirely different MAC address; and you
want the permission to be applicable only if the access is
routed directly through the LAN? (As if this MAC-address-xxxxx
computer has another wan access and could access your Linux
box looping back through the internet and the first wan?)

Or should I presume that the computer you are configuring happens
to be the one having mac address xxxxxx on its lan interface,
and you want to allow anything on the lan to access the computer
you are configuring, but only anything on the lan, nothing on the
wan?

Look at your grammar, that is the source of the ambiguity. You use
the word "to" a couple of places, but it is not clear if "to" gives
the direction of the permission assignment or the direction of the
access. I'm not a native English speaker, but to me "wanted to
allow to access to" does not parse. Try "wanted to allow access to X"
or "wanted to allow Y to access X".

You also have the word "from", but you attach it to the lan,
not to a device where the access would really originate. Since
both the accessor and the accessed are on the lan, it does not help
much. Access from the lan to... To what? Access from anything on
the lan to the computer with this mac address? But does it make
sense? How will you control that using iptables on a linux box
sitting... Where? Is the linux box somehow intermediate here?
Or is the linux box the same as the one with the mac address?
In the latter case, why do you use the word "a"? "the" would
be more appropriate. Since we have been talking about iptables
all the time, the computer running iptables has been part of the
equation all the time. Then "a computer" is another computer.

Or will you only allow the linux box to access the owner of mac
address xxxxxx (and disallow everything else)? But that would
be access from the linux box to the mac-xxxxxx box, not "from the
lan"?

You use the word "only". Do you mean "from the lan only",
or "only to a computer with mac address xxxxxx"? A comma before
or after "only", even if a bit artificial, would help grouping
the words one way or the other.

This rant only to remind you that the iptables command language
allows you to formulate rules relative to the mac address of either
end of an exchange, and depending on circumstances, both things
may make sense. People tend to formulate the rules relative to the
interface (eth0, eth1, ppp0, etc) rather than the mac address of
the local interfaces, but if you move the NICs around, (like I did
when I got worried about the airflow around a video card that was
always very hot), then the cards may change interface name. Still,
if they are different models, you may tend to stick the same cables
in the same card as before.... You get the picture?

> you write me kindly the command I have to put in the conf file ? Or better
> if you could post a small example... would be great !!!

Start here:

   http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html

and continue here:

   http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-9.html

Notice that some of the commands in the latter are actually the same as in the
former, just that the former says "if OK, accept, otherwise drop," the latter
says "if not OK, drop, otherwise accept."

If you use system-config-securitylevel, you will have implemented the advice
on these two pages.

Once this is in order, you can turn to the start of the document and get a
broader understanding.

-Enrique
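The reply above says that /etc/sysconfig/iptables is "not quite the same format as the corresponding command line commands, but not very different either", and that rules can be written relative to a MAC address. The following is an added example, not code from the thread, CentOS or the iptables project: a small hypothetical Python helper that reads a constructed iptables-save style file (the table blocks, the `:CHAIN POLICY [counters]` lines and the `-A` rules) and emits the iptables commands that would rebuild the same state, lists the default policies, and reports which rules match on a sender's MAC. The sample ruleset, interface names and the MAC address are all made up for the example.

```python
#!/usr/bin/env python3
"""Read an iptables-save style state file (the format CentOS/Red Hat keeps in
/etc/sysconfig/iptables) and produce the equivalent iptables command lines.

Hypothetical helper written for this page; it is not part of iptables,
CentOS or the quoted mailing-list thread.
"""
import re

# Constructed sample of what `service iptables save` might write.  eth0 is the
# LAN and eth1 the WAN as in the question; the MAC address is a placeholder.
SAMPLE_STATE_FILE = """\
# Generated by iptables-save (constructed sample, not a real dump)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed (constructed sample)
"""

MAC_SOURCE = re.compile(r"--mac-source\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")


def parse_state_file(text):
    """Yield (table, kind, payload) for each chain declaration and rule.

    kind is "chain" with payload (name, policy) or "rule" with the rule text
    exactly as iptables-save wrote it.  Raises ValueError on a malformed file.
    """
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("*"):
            table = line[1:]              # "*filter" opens a table block
        elif line == "COMMIT":
            if table is None:
                raise ValueError("COMMIT outside of a table block")
            table = None                  # block closed
        elif table is None:
            raise ValueError(f"line outside of a table block: {line!r}")
        elif line.startswith(":"):
            # ":NAME POLICY [packets:bytes]"; policy is "-" for user chains
            name, policy, _counters = line[1:].split()
            yield table, "chain", (name, policy)
        else:
            yield table, "rule", line
    if table is not None:
        raise ValueError(f"table {table!r} has no COMMIT")


def state_file_to_commands(text):
    """Return the iptables command lines that rebuild the saved state."""
    commands = []
    for table, kind, payload in parse_state_file(text):
        if kind == "chain":
            name, policy = payload
            if policy == "-":
                commands.append(f"iptables -t {table} -N {name}")
            else:
                commands.append(f"iptables -t {table} -P {name} {policy}")
        else:
            commands.append(f"iptables -t {table} {payload}")
    return commands


def chain_policies(text, table="filter"):
    """Default policies of the built-in chains in one table."""
    policies = {}
    for tbl, kind, payload in parse_state_file(text):
        if kind == "chain" and tbl == table and payload[1] != "-":
            policies[payload[0]] = payload[1]
    return policies


def mac_source_rules(text):
    """(table, chain, mac) for every rule that matches on the sender's MAC."""
    found = []
    for table, kind, payload in parse_state_file(text):
        if kind != "rule":
            continue
        match = MAC_SOURCE.search(payload)
        if match:
            chain = payload.split()[1]    # "-A CHAIN ..." -> CHAIN
            found.append((table, chain, match.group(1).lower()))
    return found


if __name__ == "__main__":
    for cmd in state_file_to_commands(SAMPLE_STATE_FILE):
        print(cmd)
    print(chain_policies(SAMPLE_STATE_FILE))
    print(mac_source_rules(SAMPLE_STATE_FILE))
```

Two points the output makes visible: the state file is just the `-A ...` arguments with the table factored out into `*filter` / `COMMIT` blocks, so reading it is no harder than reading the script that built it; and `--mac-source` matches the Ethernet source of the arriving frame, so it only has meaning for incoming traffic (INPUT, FORWARD, PREROUTING), which is one side of the ambiguity discussed above. A MAC address is an identifier the sending host sets for itself, not a credential, so such a rule narrows exposure on the LAN but does not authenticate the peer.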
