Common Iptables Filtering - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual
Hide thumbs
Also See for ENTERPRISE LINUX 5 - DEPLOYMENT:
- Manual (402 pages) ,
- Configuration (86 pages) ,
- Overview (68 pages)
Table of Contents
Advertisement
Common IPTables Filtering
Each iptables chain is comprised of a default policy, and zero or more rules which work in concert
with the default policy to define the overall ruleset for the firewall.
The default policy for a chain can be either DROP or ACCEPT. Security-minded administrators
typically implement a default policy of DROP, and only allow specific packets on a case-by-case basis.
For example, the following policies block all incoming and outgoing packets on a network gateway:
[root@myServer ~ ] # iptables -P INPUT DROP
[root@myServer ~ ] # iptables -P OUTPUT DROP
It is also recommended that any forwarded packets — network traffic that is to be routed from the
firewall to its destination node — be denied as well, to restrict internal clients from inadvertent
exposure to the Internet. To do this, use the following rule:
[root@myServer ~ ] # iptables -P FORWARD DROP
When you have established the default policies for each chain, you can create and save further rules
for your particular network and security requirements.
The following sections describe how to save iptables rules and outline some of the rules you might
implement in the course of building your iptables firewall.
43.8.3.3. Saving and Restoring IPTables Rules
Changes to iptables are transitory; if the system is rebooted or if the iptables service is restarted,
the rules are automatically flushed and reset. To save the rules so that they are loaded when the
iptables service is started, use the following command:
[root@myServer ~ ] # service iptables save
The rules are stored in the file /etc/sysconfig/iptables and are applied whenever the service is
started or the machine is rebooted.
43.8.4. Common IPTables Filtering
Preventing remote attackers from accessing a LAN is one of the most important aspects of network
security. The integrity of a LAN should be protected from malicious remote users through the use of
stringent firewall rules.
However, with a default policy set to block all incoming, outgoing, and forwarded packets, it is
impossible for the firewall/gateway and internal LAN users to communicate with each other or with
external resources.
To allow users to perform network-related functions and to use networking applications, administrators
must open certain ports for communication.
For example, to allow access to port 80 on the firewall, append the following rule:
703
Advertisement
Table of Contents
