Ivy Consultants Inc.

Consulting Services for Security, Networking, Wi-Fi and Windows Server

In this lesson, you will learn about Linux firewalls. We will focus on iptables which is one of the most widely used firewall utilities in Linux. Firewalls are critical for network security, acting as gatekeepers to control incoming and outgoing network traffic based on predetermined security rules.

By the end of this lesson, you’ll understand how to list existing firewall rules, create new rules, and delete existing ones. We’ll also touch briefly on other common firewall utilities in Linux, such as firewalld and ufw, to give you a broader perspective.

The Role of Firewalls in Linux

Firewalls in Linux are essential for protecting your system from unauthorized access and controlling the flow of network traffic. They enable you to define rules that specify which traffic should be allowed or blocked. This functionality is vital for servers and systems exposed to the internet, as it helps prevent unauthorized access and mitigate various network threats.

Common Linux Firewall Utilities

  1. iptables: This is the most traditional and flexible tool for managing network packet filtering rules in Linux. It works by inspecting, modifying, redirecting, or dropping packets based on the rules defined by the user.
  2. firewalld: A more recent addition to Linux firewalls, firewalld is the default on many distributions like Fedora and CentOS. It provides a dynamic firewall management tool with support for network/firewall zones.
  3. ufw (Uncomplicated Firewall): As the name suggests, ufw is designed to be an easy-to-use interface for iptables, making the process of configuring a firewall more accessible.

Focusing on iptables

iptables is a user-space utility program that allows you to configure the Linux kernel’s firewall. It uses a set of tables which contain chains, and each chain contains a list of rules. These rules dictate how to process packets.

iptables Chains

At the heart of iptables functionality is the concept of chains, which are essentially sets of rules used to determine what to do with network packets.

Chains are collections of rules that iptables processes sequentially. Each rule within a chain has a criterion and an action (also known as a ‘target’). When a packet matches the criteria of a rule, the specified action is taken. If a packet doesn’t match, iptables moves to the next rule in the chain.

iptables primarily deals with three built-in chains:

  1. INPUT Chain: This chain is used to control the behavior of incoming packets destined for the host itself. For example, if you want to block or allow traffic coming to your server (like SSH or web traffic), you would use rules in the INPUT chain.
  2. FORWARD Chain: The FORWARD chain is used for packets that are not destined for the host itself but are being routed through the host. This is common in scenarios where your Linux machine acts as a router or a gateway for other networks.
  3. OUTPUT Chain: This chain is for managing outgoing packets originating from the host. If you need to control what type of traffic is allowed to leave your server, you would place rules in the OUTPUT chain.

Managing iptables rules

Listing Existing iptables Rules

To view the existing iptables rules, you use the -L (list) and -v (verbose) options:

sudo iptables -L -v

Pass the two options separately: -L takes an optional chain name, so a combined -Lv is read as a request to list a chain called "v" and fails.

The -v option is important when you want to see the interface that each rule applies to.

This command displays all the current rules, chain by chain, in a table format.

Creating a Firewall Rule with iptables

To create a new rule, you specify the table (the filter table is used when no -t option is given), the chain, the criteria a packet must match, and the action to take when it matches. For example, to allow SSH traffic (typically on port 22), you would use:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Saving iptables Rules

If you’re using a distribution that doesn’t have iptables-persistent or a similar tool, you can save your rules with iptables-save, which dumps the current configuration to a file, and write a script that uses iptables-restore to load the rules again each time the system boots.

To have the script we are about to write run automatically, we need to make sure the ifupdown package is installed on our system:

sudo apt install ifupdown

Installing this package ensures that a script placed in the /etc/network/if-pre-up.d/ directory is executed automatically when the network interface is brought up at boot.

Creating the backup file

Now run the following commands to save our newly created iptables rules to a file, then move that file into the /etc/iptables directory. If the /etc/iptables directory does not exist, create it first with the mkdir command.

# Create the rules file
sudo iptables-save > rules.v4

# Move the file to the iptables directory
sudo mv rules.v4 /etc/iptables/rules.v4

The process of creating a backup file will need to be completed each time we update the firewall rules.

Create a Script to Load Rules on Boot:

Create a script in /etc/network/if-pre-up.d/ to load the rules when the network interface comes up:

sudo nano /etc/network/if-pre-up.d/iptables

Add the following lines to the script:

#!/bin/sh

/sbin/iptables-restore < /etc/iptables/rules.v4

Make the script executable:

sudo chmod +x /etc/network/if-pre-up.d/iptables

Now we can safely reboot our server, and when we run sudo iptables -L we should see our rule for port 22 still listed in the INPUT chain.
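As an added example (not part of the original lesson), the following POSIX shell script builds a rules.v4 file in the iptables-save format used above and sanity-checks a saved file before it is handed to iptables-restore at boot. The loopback and conntrack rules, and the check function itself, are this example's additions; the page only shows the port-22 rule, and note that with the default ACCEPT policies that rule documents SSH access but does not yet block anything.

```shell
#!/bin/sh
# Added example, not the lesson's own code. Assumes the filter table only
# and the port-22 ACCEPT rule from the lesson; the lo and conntrack rules
# are additions that keep a host reachable once policies are tightened.

# Emit a ruleset to stdout in iptables-save format. Policies stay ACCEPT,
# as on a fresh install, so the port-22 rule is explicit but not restrictive.
generate_ruleset() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Check a saved rules file before rebooting with it. Returns 0 when the
# file holds a complete filter table and still carries the SSH rule,
# 1 otherwise (with the reason on stderr).
check_ruleset() {
  file=$1
  [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
  grep -q '^\*filter$' "$file" || { echo "no *filter table" >&2; return 1; }
  grep -q '^COMMIT$' "$file" || { echo "no COMMIT line" >&2; return 1; }
  grep -q -- '--dport 22 -j ACCEPT' "$file" \
    || { echo "port 22 rule missing; SSH may be cut off" >&2; return 1; }
  # A DROP policy on INPUT without a state rule drops every reply packet.
  if grep -q '^:INPUT DROP' "$file" && ! grep -q 'ESTABLISHED' "$file"; then
    echo "INPUT policy DROP without an ESTABLISHED rule" >&2
    return 1
  fi
  return 0
}

# Usage (as root): generate_ruleset > /etc/iptables/rules.v4 &&
#                  check_ruleset /etc/iptables/rules.v4
```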