Basic Firewall Policies - Red Hat ENTERPRISE LINUX 4 - SECURITY GUIDE Manual

Hide thumbs Also See for ENTERPRISE LINUX 4 - SECURITY GUIDE:

Manual (410 pages)

System administration manual (400 pages)

Administration manual (200 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

page of 136

/ 136
Contents
Table of Contents
Bookmarks

Table of Contents

service ip6tables stop

chkconfig ip6tables off

To make iptables start by default whenever the system is booted, you must change runlevel status

on the service using chkconfig.

chkconfig --level 345 iptables on

The syntax of iptables is separated into tiers. The main tier is the chain. A chain specifies the state

at which a packet is manipulated. The usage is as follows:

iptables -A chain -j target

The -A option appends a rule at the end of an existing ruleset. The chain is the name of the chain

for a rule. The three built-in chains of iptables (that is, the chains that affect every packet which

traverses a network) are INPUT, OUTPUT, and FORWARD. These chains are permanent and

cannot be deleted. The -j target option specifies the location in the iptables ruleset where this

particular rule should jump. Some built in targets are ACCEPT, DROP, and REJECT.

New chains (also called user-defined chains) can be created by using the -N option. Creating a new

chain is useful for customizing granular or elaborate rules.

7.2.1. Basic Firewall Policies

Establishing basic firewall policies creates a foundation for building more detailed, user-defined rules.

iptables uses policies (-P) to create default rules. Security-minded administrators usually elect to

drop all packets as a policy and only allow specific packets on a case-by-case basis. The following

rules block all incoming and outgoing packets on a network gateway:

iptables -P INPUT DROP

iptables -P OUTPUT DROP

Additionally, it is recommended that any forwarded packets — network traffic that is to be routed from

the firewall to its destination node — be denied as well, to restrict internal clients from inadvertent

exposure to the Internet. To do this, use the following rule:

iptables -P FORWARD DROP

After setting the policy chains, you can create new rules for your particular network and security

requirements. The following sections outline some rules you may implement in the course of building

your iptables firewall.

Basic Firewall Policies

Table of Contents

Basic Firewall Policies - Red Hat ENTERPRISE LINUX 4 - SECURITY GUIDE Manual

7.2.1. Basic Firewall Policies

Related Manuals for Red Hat ENTERPRISE LINUX 4 - SECURITY GUIDE

Related Content for Red Hat ENTERPRISE LINUX 4 - SECURITY GUIDE

Table of Contents