A system is only as strong as its weakest point of entry. If someone sets up a server with 12345 as the root password, the system is as good as compromised under an hour. It does not matter if the system runs malware detection scripts or alerting applications that warn of a breach. It is always recommended to seal all unwanted doors (ports) on your server. Setting up a strong firewall has an additional benefit, if you block outgoing email ports, even if your system is compromised, it will not churn out spam like it would on a system with no firewall
The first of the three part series on Firewalls will give you an introduction on iptables
Firewall on the Linux platform is achieved through the iptables - a command line utility available on all Linux distributions. iptables is very useful to add enhanced networking security to your server. Behind the scenes, iptables interacts with the kernel’s networking stack (Netfilter) to carry out packet filtering. iptables can manage NAT (network address translation) as well as packet filtering (blocking/allowing traffic)
IPTABLES operates by using levels of organization - tables, chains and rules. There are five tables
As the default iptable, the chains in this table determine if a packet should reach its destination or not. A packet hitting this filter, goes through one of the following chains - input, output or forward.
Input Chain contain the rules for packets entering your system with your server as the destination
Output Chain contains the rules for packets exiting your system with an external destination
Finally, the forward chain is used for packets where your server is neither the source nor the destination. Typical scenarios when the forward chain is used is when the system acts as a router for traffic
To view all the rules in the filter table,
# iptables -t filter --list
The next table is the Network Address Translation table. The chains on this table are primarily for routing. To use the chains in this table, you must enable IP Forwarding.
# cat /proc/sys/net/ipv4/ip_forward
Should return a value of 1. If it returns 0, edit /etc/sysctl.conf with a text editor. Find the parameter net.ipv4.ip_forward and change it to 1. Restart the network by
# systemctl restart networking # Ubuntu/Debian
# systemctl restart network # CentOS/Fedora/RHEL
The chains in this table are
Prerouting chain, which is used mostly for Destination NAT, i.e. change the destination of a packet entering the system to a different address
Postrouting chain, which is mostly used for Source NAT, changing the source information of a packet leaving the system to a different address
Finally, there is the Output chain which is primarily only for packets that are generated by local applications. In many cases, packets passing through the output chain also pass through the Postrouting chain.
To list all NAT rules enter the command
# iptables -t nat --list
This is one of the less common tables that is used and is primarily ised to modify specific headers for IP packets such as the Type of Service (TOS), Time-to-Live (TTL) and MARK.
Adjusting the TTL controls the number of hops the packet can sustain. Adjusting the TOS could be used to setup up policies on the network on how it is routed. This is widely not implemented and should not be adjusted for packets going out to the internet.
The chains available on this table are PREROUTING, OUTPUT, FORWARD, INPUT and POSTROUTING
To view the mangle table list
# iptables -t mangle --list
The Raw table is used for marking packets to opt out of connection tracking. Iptables is stateful, i.e it processes data packets as a series of related data rather than discreet. This connection tracking happens at the very instance a packet hits the network interface. Therefore even if the protocol is stateless (such as UDP), iptables can relate packets as part of the same connection. You could setup a rule handle packets based on the connection states (NEW, ESTABLISHED, RELATED or INVALID). Chains that can be managed on this table are PREROUTING and OUTPUT.
Raw table rules provide a very specific functionality to mark packets to opt-out of connection tracking. Listing the raw table is done via the command
# iptables -t raw --list
The Security table is related to SELINUX and is used to set internal SELinux security context marks on packets at a per-packet or per-connection basis. Seeting the security context marks define how the SELinux system handles the packet and can be used for implementing Mandatory Access Control. To display the contents of this table
# iptables -t security --list
Still to Come
In our next article we will talk about setting up common rules, allowing incoming connections, stopping outgoing connections and in general using iptables to improve server security