Linux System Administration

0 of 85 lessons complete (0%)

TCP/IP Firewall and IP Masquerade

iptables and firewalld

You don’t have access to this lesson

Please register or sign in to access the course content.

Choosing Between iptables and firewalld:

  • If you’re just starting out or want a simpler approach, firewalld might be a better choice. It’s like having a smart guard who understands zones and services.
  • If you want more control and are comfortable with detailed rules, iptables might be a better fit. It’s like being a bouncer with a detailed list of who’s allowed in.

Remember, both tools do the same job, but they do it in different ways. It’s like choosing between a smart guard and a bouncer based on what works best for you.

So, depending on your needs and preferences, you can pick the tool that makes more sense for you. Keep in mind that learning both can be beneficial, as you might encounter different systems that use either iptables or firewalld.

Firewall entries using using ‘iptables’

In Linux, firewall configurations are typically managed using tools like iptables, nftables, or firewalld. Below are different types of firewall rules or entries that you can configure, along with their meanings:

1. Input Rule

  • Purpose: Controls the incoming traffic to the system.
  • Example: iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  • Explanation: This rule allows incoming traffic on port 22 (SSH).
    • iptables: This is a command-line utility for configuring the Linux kernel’s netfilter firewall. It allows you to manage and configure the rules that control the incoming and outgoing network traffic on the system.
    • -A INPUT: The -A flag stands for “append,” which means the rule is being added to the end of the existing rules in the INPUT chain. The INPUT chain handles incoming network traffic to the system.
    • -p tcp: The -p flag specifies the protocol. In this case, it’s tcp, which is the protocol used by many common network services, including SSH.
    • –dport 22: The --dport option specifies the destination port. Here, 22 refers to the port number used by the SSH service. This means the rule applies to traffic that is destined for port 22 (SSH).
    • -j ACCEPT: The -j flag stands for “jump,” which determines what action to take when the rule matches. ACCEPT means that the firewall will allow the traffic that matches this rule to pass through.

2. Output Rule

  • Purpose: Controls the outgoing traffic from the system.
  • Example:iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
  • Explanation: This rule allows outgoing traffic on port 80 (HTTP).
    • iptables: This is the command-line utility for configuring the firewall rules in Linux.
    • -A OUTPUT: The -A flag stands for “append,” which means the rule is being added to the end of the existing rules in the OUTPUT chain. The OUTPUT chain handles outgoing traffic from the system.
    • -p tcp: The -p flag specifies the protocol. In this case, it’s tcp, which is the protocol used by many internet services, including HTTP.
    • –dport 80: The --dport option specifies the destination port. Here, 80 is the port used for HTTP traffic. This means the rule applies to outgoing traffic that is destined for port 80.
    • -j ACCEPT: The -j flag stands for “jump,” which determines the action to take when the rule matches. ACCEPT means that the firewall will allow the traffic that matches this rule to pass through.

3. Forward Rule

  • Purpose: Controls traffic that is routed through the system (e.g., when the system is acting as a gateway).
  • Example: iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
  • Explanation: This rule allows forwarding of packets destined for port 80.

4. Drop Rule

  • Purpose: Drops the traffic, meaning it will be silently discarded without informing the sender.
  • Example: iptables -A INPUT -p tcp --dport 23 -j DROP
  • Explanation: This rule drops incoming traffic on port 23 (Telnet).

5. Reject Rule

  • Purpose: Rejects the traffic and sends an ICMP message back to the sender, informing them that the packet was rejected.
  • Example: iptables -A INPUT -p tcp --dport 23 -j REJECT
  • Explanation: This rule rejects incoming traffic on port 23 (Telnet) and informs the sender.

6. Allow Rule

  • Purpose: Explicitly allows traffic to pass through the firewall.
  • Example: iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  • Explanation: This rule allows incoming traffic on port 443 (HTTPS).

7. Log Rule

  • Purpose: Logs the traffic matching the rule to the system logs for monitoring or debugging purposes.
  • Example: iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "FTP traffic: "
  • Explanation: This rule logs incoming traffic on port 21 (FTP) with a custom prefix.
    • iptables: This is the command-line utility for managing firewall rules in Linux.
    • -A INPUT: The -A flag stands for “append,” which means the rule is being added to the end of the existing rules in the INPUT chain. The INPUT chain handles incoming network traffic to the system.
    • -p tcp: The -p flag specifies the protocol. In this case, it’s tcp, which is the protocol used by FTP.
    • –dport 21: The --dport option specifies the destination port. Here, 21 refers to the port number used by FTP. This means the rule applies to traffic that is destined for port 21.
    • -j LOG: The -j flag stands for “jump,” which determines the action to take when the rule matches. LOG means that instead of blocking or allowing the traffic, the rule will log information about it.
    • –log-prefix “FTP traffic: “: This option adds a custom prefix to the log entries generated by this rule. In this case, the prefix will be "FTP traffic: ". This makes it easier to identify log entries related to this rule in your system logs.

8. Masquerade Rule

  • Purpose: Enables NAT (Network Address Translation) for outgoing traffic. Commonly used in scenarios where the system is acting as a gateway.
  • Example: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  • Explanation: This rule enables NAT for outgoing traffic on interface eth0.
    • iptables: This is the command-line utility for managing firewall and routing rules on a Linux system.
    • -t nat: This option specifies the table in which the rule is added. The nat (Network Address Translation) table is used for altering packets that create a new connection, typically for tasks like IP masquerading or port forwarding.
    • -A POSTROUTING: The -A flag stands for “append,” which means the rule is being added to the end of the existing rules in the POSTROUTING chain. The POSTROUTING chain is used to alter packets as they are about to leave the system (i.e., after routing decisions have been made).
    • -o eth0: The -o flag specifies the outgoing network interface. Here, eth0 is the network interface, which typically refers to the first Ethernet interface on the system. This means the rule applies to traffic that is being sent out through the eth0 interface.
    • -j MASQUERADE: The -j flag stands for “jump,” which determines what action to take when the rule matches. MASQUERADE is a form of Source NAT (SNAT) that dynamically hides the private IP addresses of machines in a local network behind the public IP address of the eth0 interface. This is commonly used in scenarios where the public IP address of the outgoing interface may change (e.g., when using DHCP).

9. SNAT (Source Network Address Translation) Rule

  • Purpose: Changes the source address of packets leaving the system.
  • Example: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.100
  • Explanation: This rule changes the source IP address to 192.168.1.100 for outgoing traffic on eth0.
    • iptables: This is the command-line utility for managing firewall rules and network traffic in Linux.
    • -t nat: This specifies that the rule is being added to the nat (Network Address Translation) table, which is used for altering packets that create a new connection, such as when performing NAT.
    • -A POSTROUTING: The -A flag stands for “append,” meaning the rule is being added to the end of the existing rules in the POSTROUTING chain. The POSTROUTING chain modifies packets as they are about to leave the system (after routing decisions have been made).
    • -o eth0: The -o flag specifies the outgoing network interface. Here, eth0 refers to the Ethernet interface through which the traffic will leave the system. The rule applies to traffic leaving through this interface.
    • -j SNAT: The -j flag stands for “jump,” which determines the action to take when the rule matches. SNAT stands for Source Network Address Translation, which changes the source IP address of the packets.
    • –to-source 192.168.1.100: This option specifies the IP address to which the source IP of the outgoing packets should be changed. In this case, the source IP address of the packets leaving through eth0 will be replaced with 192.168.1.100.

10. DNAT (Destination Network Address Translation) Rule

  • Purpose: Changes the destination address of packets entering the system.
  • Example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.200:80
  • Explanation: This rule redirects incoming traffic on port 80 to another internal IP address 192.168.1.200.
    • iptables: This is the command-line utility for configuring firewall rules in Linux.
    • -t nat: This option specifies the table where the rule is added. The nat (Network Address Translation) table is used for altering packets that create a new connection, such as in port forwarding or IP redirection.
    • -A PREROUTING: The -A flag stands for “append,” meaning the rule is added to the end of the existing rules in the PREROUTING chain. The PREROUTING chain is used to alter packets as they arrive at the network interface, before any routing decisions are made. This chain is often used to modify the destination address or port of incoming packets.
    • -p tcp: The -p flag specifies the protocol. In this case, it’s tcp, which is the protocol used for HTTP traffic.
    • –dport 80: The --dport option specifies the destination port of the incoming traffic. Here, 80 is the port number used for HTTP, so this rule will apply to traffic destined for port 80.
    • -j DNAT: The -j flag stands for “jump,” which determines the action to take when the rule matches. DNAT stands for Destination Network Address Translation, which changes the destination IP address of the packets.
    • –to-destination 192.168.1.200:80: This option specifies the new destination IP address and port. In this case, incoming traffic on port 80 will be redirected to 192.168.1.200 on port 80.

11. Port Forwarding Rule

  • Purpose: Forwards traffic from one port to another port.
  • Example: iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80
  • Explanation: This rule forwards incoming traffic on port 8080 to port 80.
    • iptables: This is the command-line utility for managing firewall rules and network traffic on a Linux system.
    • -t nat: This option specifies that the rule is being added to the nat (Network Address Translation) table. The nat table is used for altering packets that create a new connection, such as in port redirection or IP address translation.
    • -A PREROUTING: The -A flag stands for “append,” which means the rule is being added to the end of the existing rules in the PREROUTING chain. The PREROUTING chain is used to alter packets as they arrive at the network interface, before any routing decisions are made. This is typically where DNAT (Destination NAT) rules are applied.
    • -p tcp: The -p flag specifies the protocol. In this case, it’s tcp, which is the protocol used by many internet services, including HTTP.
    • –dport 8080: The --dport option specifies the destination port. Here, 8080 refers to the port on which incoming traffic is being received. This rule will apply to traffic destined for port 8080.
    • -j REDIRECT: The -j flag stands for “jump,” which determines the action to take when the rule matches. REDIRECT is used to redirect the traffic to a different port on the same machine.
    • –to-port 80: This option specifies the port to which the traffic should be redirected. In this case, traffic destined for port 8080 will be redirected to port 80.

12. Rate Limiting Rule

  • Purpose: Limits the rate of incoming traffic to prevent abuse or DoS attacks.
  • Example: iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min -j ACCEPT
  • Explanation: This rule limits incoming SSH connections to 3 per minute.
    • iptables: This is the command-line utility for configuring firewall rules on a Linux system.
    • -A INPUT: The -A flag stands for “append,” which means the rule is added to the end of the existing rules in the INPUT chain. The INPUT chain handles incoming network traffic to the system.
    • -p tcp: The -p flag specifies the protocol. In this case, it’s tcp, which is the protocol used for SSH connections.
    • –dport 22: The --dport option specifies the destination port. Here, 22 is the port number used for SSH. This rule will apply to traffic destined for port 22.
    • -m limit: The -m flag loads the limit module, which is used to limit the rate of packets.
    • –limit 3/min: This option specifies the rate limit. In this case, it allows a maximum of 3 connections per minute. Any connections beyond this limit within a minute will be dropped.
    • -j ACCEPT: The -j flag stands for “jump,” which determines the action to take when the rule matches. ACCEPT means that the traffic matching the rule will be allowed.

13. Stateful Rule

  • Purpose: Allows traffic based on the connection state (e.g., established or related).
  • Example: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  • Explanation: This rule allows incoming traffic for established or related connections.
    • iptables: This is the command-line utility for managing firewall rules on a Linux system.
    • -A INPUT: The -A flag stands for “append,” meaning the rule is added to the end of the existing rules in the INPUT chain. The INPUT chain handles incoming traffic.
    • -m state: The -m flag loads the state module, which allows rules to match based on the connection state of the packet.
    • –state ESTABLISHED,RELATED: This option specifies the connection states that the rule should match:
      • ESTABLISHED: This matches packets that are part of an existing connection that has already been established. For example, after you make a request to a website, the returning packets from the server are part of an established connection.
      • RELATED: This matches packets that are related to an existing connection but are not part of the connection itself. For example, if you establish a connection to an FTP server, the data connection that follows (for file transfer) would be considered related.
    • -j ACCEPT: The -j flag stands for “jump,” which determines the action to take when the rule matches. ACCEPT means that the traffic matching this rule will be allowed through the firewall.

14. ICMP Rule

  • Purpose: Controls ICMP (ping) traffic.
  • Example: iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  • Explanation: This rule allows ICMP echo requests (ping) to the system.
    • iptables: This is the command-line utility for managing firewall rules on a Linux system.
    • -A INPUT: The -A flag stands for “append,” meaning the rule is added to the end of the existing rules in the INPUT chain. The INPUT chain handles incoming network traffic.
    • -p icmp: The -p flag specifies the protocol. In this case, it’s icmp (Internet Control Message Protocol), which is used for network diagnostic operations like ping.
    • –icmp-type echo-request: This option specifies the type of ICMP packet. In this case, echo-request refers to a ping request, which is used to check the availability of a host on the network.
    • -j ACCEPT: The -j flag stands for “jump,” which determines the action to take when the rule matches. ACCEPT means that the traffic matching this rule will be allowed through the firewall.

15. Custom Chain Rule

  • Purpose: Allows the creation of custom chains for specific traffic handling.
  • Example: iptables -N MYCHAIN iptables -A MYCHAIN -p tcp --dport 22 -j ACCEPT iptables -A INPUT -j MYCHAIN
  • Explanation: This creates a custom chain called MYCHAIN that handles SSH traffic.

16. Flush Rules

  • Purpose: Removes all existing firewall rules.
  • Example:iptables -F
  • Explanation: This command flushes all current firewall rules, resetting the firewall.

17. Save/Restore Rules

  • Purpose: Saves or restores firewall configurations.
  • Example: iptables-save > /etc/iptables/rules.v4
  • iptables-restore < /etc/iptables/rules.v4
  • Explanation: These commands save the current firewall rules to a file and restore them from a file.
    • Save the Current Rules:
    • iptables-save > /etc/iptables/rules.v4
    • This command saves the current iptables configuration to a file (/etc/iptables/rules.v4). The iptables-save utility outputs the current rules in a format that can be read by iptables-restore, and the > operator redirects this output to the specified file.

These are some of the fundamental firewall entries you can configure in Linux. Each rule type serves a different purpose, from controlling traffic to logging and translating network addresses.

Firewall entries using ‘firewalld’

Below are various types of firewall entries using the firewalld tool in Linux, along with their meanings. These entries use the firewall-cmd command-line utility, which is the interface for managing firewall rules with firewalld.

1. Add Service

  • Purpose: Allows a predefined service in a particular zone.
  • Example: firewall-cmd --zone=public --add-service=http firewall-cmd --zone=public --add-service=http --permanent
  • Explanation: This rule allows HTTP traffic in the public zone. The --permanent option ensures the rule persists after a reboot.

2. Add Port

  • Purpose: Allows traffic on a specific port.
  • Example: firewall-cmd --zone=public --add-port=8080/tcp firewall-cmd --zone=public --add-port=8080/tcp --permanent
  • Explanation: This rule allows traffic on port 8080 for the TCP protocol in the public zone.

3. Allow ICMP Type

  • Purpose: Allows specific ICMP traffic, such as ping requests.
  • Example: firewall-cmd --zone=public --add-icmp-block=echo-request firewall-cmd --zone=public --add-icmp-block=echo-request --permanent
  • Explanation: This rule blocks ICMP echo requests (ping) in the public zone.

4. Add Forwarding Rule

  • Purpose: Forwards traffic from one interface to another.
  • Example: firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
  • Explanation: This rule forwards traffic from port 80 to port 8080 for TCP traffic.

5. Block a Service

  • Purpose: Blocks a predefined service in a specific zone.
  • Example: firewall-cmd --zone=public --add-service=http --remove firewall-cmd --zone=public --add-service=http --remove --permanent
  • Explanation: This rule removes the HTTP service from the public zone.

6. Add Masquerading (NAT)

  • Purpose: Enables Network Address Translation (NAT) for outgoing traffic.
  • Example: firewall-cmd --zone=public --add-masquerade firewall-cmd --zone=public --add-masquerade --permanent
  • Explanation: This rule enables masquerading (NAT) for traffic leaving the public zone, typically used when the system acts as a gateway.

7. Add Source IP

  • Purpose: Adds a source IP or network to a zone.
  • Example: firewall-cmd --zone=home --add-source=192.168.1.0/24 firewall-cmd --zone=home --add-source=192.168.1.0/24 --permanent
  • Explanation: This rule associates the 192.168.1.0/24 network with the home zone.

8. Add Rich Rule

  • Purpose: Adds a more complex rule with specific conditions.
  • Example: firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept' firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept' --permanent
  • Explanation: This rule allows SSH traffic from the IP address 192.168.1.100 in the public zone.

9. Block IP Address

  • Purpose: Blocks traffic from a specific IP address.
  • Example: firewall-cmd --add-rich-rule='rule family="ipv4" source address="203.0.113.1" drop' firewall-cmd --add-rich-rule='rule family="ipv4" source address="203.0.113.1" drop' --permanent
  • Explanation: This rule drops all traffic from the IP address 203.0.113.1.

10. Enable Logging for Dropped Packets

  • Purpose: Logs dropped packets for auditing or debugging purposes.
  • Example: firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" drop log prefix="Dropped: "' firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" drop log prefix="Dropped: "' --permanent
  • Explanation: This rule drops and logs traffic from 192.168.1.100 with the log prefix “Dropped: “.

11. Set Default Zone

  • Purpose: Sets the default zone for firewall rules.
  • Example: firewall-cmd --set-default-zone=work
  • Explanation: This command sets the work zone as the default zone for firewall rules.

12. Remove Port

  • Purpose: Removes an allowed port from a zone.
  • Example: firewall-cmd --zone=public --remove-port=8080/tcp firewall-cmd --zone=public --remove-port=8080/tcp --permanent
  • Explanation: This command removes the rule allowing traffic on port 8080 for TCP in the public zone.

13. Query Rules

  • Purpose: Lists or checks current firewall rules.
  • Example: firewall-cmd --zone=public --list-all
  • Explanation: This command lists all the active rules in the public zone.

14. Reload Configuration

  • Purpose: Reloads the firewall configuration to apply changes.
  • Example: firewall-cmd --reload
  • Explanation: This command reloads the firewalld configuration, applying any changes made.

15. Enable/Disable Firewalld

  • Purpose: Enables or disables the firewall service.
  • Example: systemctl enable firewalld systemctl disable firewalld
  • Explanation: These commands enable or disable the firewalld service at system startup.

16. Add Interface to Zone

  • Purpose: Associates a network interface with a specific zone.
  • Example: firewall-cmd --zone=home --add-interface=eth0 firewall-cmd --zone=home --add-interface=eth0 --permanent
  • Explanation: This rule adds the eth0 interface to the home zone.

17. Remove Masquerading (NAT)

  • Purpose: Disables Network Address Translation (NAT) for outgoing traffic.
  • Example: firewall-cmd --zone=public --remove-masquerade firewall-cmd --zone=public --remove-masquerade --permanent
  • Explanation: This command disables masquerading (NAT) for traffic leaving the public zone.

18. Reload Firewalld Configuration

  • Purpose: Reloads all firewall rules and settings.
  • Example: firewall-cmd --reload
  • Explanation: This command reloads the firewalld configuration, applying any changes.

19. Flush All Rules

  • Purpose: Removes all rules from the firewall.
  • Example: firewall-cmd --complete-reload
  • Explanation: This command reloads the entire firewalld service, effectively flushing all existing rules.

20. Persistent Rules (Firewalld)

  • Purpose: Configures rules that persist after a reboot.
  • Example: firewall-cmd --add-service=http --permanent firewall-cmd --reload
  • Explanation: This command permanently allows HTTP traffic and reloads the firewall configuration.

These commands allow you to manage your firewall rules using the firewalld tool in Linux, providing a higher-level and more flexible approach than the iptables tool.