BCE-C712 Linux System Administration


TCP/IP Firewall and IP Masquerade

iptables and firewalld

iptables:

Imagine iptables as a powerful toolbox. In this toolbox, you have tools to control how data moves in and out of your computer. You can decide which types of data are allowed and which are not.

Example 1 – Imagine a Bouncer:

  • You’re hosting a party, and there’s a bouncer at the door. The bouncer decides who can come in based on a set of rules. In iptables, you’re the bouncer, and you set rules to decide which data (or guests) can come into your computer.
  • If you want to allow guests from a specific address (let’s say your friend’s house), you tell the bouncer to let them in.
  • Command: iptables -A INPUT -s friend_ip_address -j ACCEPT
  • If someone is causing trouble, you tell the bouncer to keep them out.
  • Command: iptables -A INPUT -s troublemaker_ip_address -j DROP

firewalld:

Imagine firewalld as a Smart Guard. This guard doesn’t just stop people from entering; it also understands different areas where people can go.

Example 2 – Zones and Services:

  • Your computer has different areas like ‘Home’ and ‘Work’. In firewalld, these are called zones. You set rules for each zone.
  • You also have certain services you want to allow. For example, you want to allow web browsing (HTTP). In firewalld, this is called a service.
  • You put rules in place like this:
    • Allow web browsing in the ‘Home’ zone: firewall-cmd --zone=home --add-service=http
    • Allow file sharing in the ‘Work’ zone: firewall-cmd --zone=work --add-service=samba

Choosing Between iptables and firewalld:

  • If you’re just starting out or want a simpler approach, firewalld might be a better choice. It’s like having a smart guard who understands zones and services.
  • If you want more control and are comfortable with detailed rules, iptables might be a better fit. It’s like being a bouncer with a detailed list of who’s allowed in.

Remember, both tools do the same job, but they do it in different ways. It’s like choosing between a smart guard and a bouncer based on what works best for you.

So, depending on your needs and preferences, you can pick the tool that makes more sense for you. Keep in mind that learning both can be beneficial, as you might encounter different systems that use either iptables or firewalld.

Firewall entries using ‘iptables’

In Linux, firewall configurations are typically managed using tools like iptables, nftables, or firewalld. Below are different types of firewall rules or entries that you can configure, along with their meanings:

1. Input Rule

  • Purpose: Controls the incoming traffic to the system.
  • Example: iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  • Explanation: This rule allows incoming traffic on port 22 (SSH).

2. Output Rule

  • Purpose: Controls the outgoing traffic from the system.
  • Example: iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
  • Explanation: This rule allows outgoing traffic on port 80 (HTTP).

3. Forward Rule

  • Purpose: Controls traffic that is routed through the system (e.g., when the system is acting as a gateway).
  • Example: iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
  • Explanation: This rule allows forwarding of packets destined for port 80. The FORWARD chain only sees traffic if the kernel is routing, i.e. IP forwarding is switched on (net.ipv4.ip_forward=1); otherwise packets for other hosts are simply discarded before any rule applies.

4. Drop Rule

  • Purpose: Drops the traffic, meaning it will be silently discarded without informing the sender.
  • Example: iptables -A INPUT -p tcp --dport 23 -j DROP
  • Explanation: This rule drops incoming traffic on port 23 (Telnet).

5. Reject Rule

  • Purpose: Rejects the traffic and sends an ICMP message back to the sender, informing them that the packet was rejected.
  • Example: iptables -A INPUT -p tcp --dport 23 -j REJECT
  • Explanation: This rule rejects incoming traffic on port 23 (Telnet) and informs the sender.

6. Allow Rule

  • Purpose: Explicitly allows traffic to pass through the firewall.
  • Example: iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  • Explanation: This rule allows incoming traffic on port 443 (HTTPS).

7. Log Rule

  • Purpose: Logs the traffic matching the rule to the system logs for monitoring or debugging purposes.
  • Example: iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "FTP traffic: "
  • Explanation: This rule logs incoming traffic on port 21 (FTP) with a custom prefix.
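A LOG rule writes one kernel-log line per matching packet, made of KEY=VALUE fields (IN, OUT, SRC, DST, PROTO, SPT, DPT, ...) after the prefix given with --log-prefix. The following added script is not part of the course; it shows how to turn those lines into a per-source summary, which is what you would actually look at when monitoring. The function name summarize_fw_log and the sample log lines (documentation-range addresses, constructed for this demo) are assumptions.

```shell
#!/bin/sh
# Added example, not from the course: summarise what an iptables LOG rule wrote
# to the kernel log. summarize_fw_log keeps only the lines that carry the given
# --log-prefix text and counts them per source address and destination port,
# busiest first.

summarize_fw_log() {
    prefix="$1"
    awk -v pfx="$prefix" '
        index($0, pfx) == 0 { next }          # line was not written by our LOG rule
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {        # fields are KEY=VALUE, pick the two we need
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") hits[src " " dpt]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Constructed sample lines in the format the kernel emits for a LOG rule
# (addresses are from the documentation ranges, not real hosts).
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 gw kernel: FTP traffic: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51515 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: FTP traffic: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=51516 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:05 gw kernel: FTP traffic: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=3 DF PROTO=TCP SPT=40000 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:06 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4 DF PROTO=TCP SPT=51517 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:09 gw kernel: FTP traffic: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=5 DF PROTO=TCP SPT=51518 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
}

# Demo run on the constructed sample; on a real host feed it the kernel log:
#   journalctl -k --no-pager | summarize_fw_log "FTP traffic: "
sample_log | summarize_fw_log "FTP traffic: "
```

The prefix is what separates the output of one LOG rule from another, which is why every LOG rule should get a distinct --log-prefix; without it all firewall lines look alike in the journal.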

8. Masquerade Rule

  • Purpose: Enables NAT (Network Address Translation) for outgoing traffic. Commonly used in scenarios where the system is acting as a gateway.
  • Example: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  • Explanation: This rule enables NAT for outgoing traffic on interface eth0.

9. SNAT (Source Network Address Translation) Rule

  • Purpose: Changes the source address of packets leaving the system.
  • Example: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.100
  • Explanation: This rule changes the source IP address to 192.168.1.100 for outgoing traffic on eth0. SNAT is the right choice when the outgoing address is fixed; MASQUERADE (above) looks up the interface's current address for every connection and is meant for interfaces with a dynamic address.

10. DNAT (Destination Network Address Translation) Rule

  • Purpose: Changes the destination address of packets entering the system.
  • Example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.200:80
  • Explanation: This rule redirects incoming traffic on port 80 to another internal IP address 192.168.1.200.

11. Port Forwarding Rule

  • Purpose: Forwards traffic from one port to another port.
  • Example: iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80
  • Explanation: This rule sends incoming traffic for port 8080 to port 80 on the same host (REDIRECT is a DNAT to the local machine).

12. Rate Limiting Rule

  • Purpose: Limits the rate of incoming traffic to prevent abuse or DoS attacks.
  • Example: iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min -j ACCEPT
  • Explanation: This rule accepts SSH packets at no more than 3 per minute, after an initial burst of 5 (the default --limit-burst). Packets over the limit are not dropped by this rule; they fall through to the next rule or to the chain's default policy, so a following DROP rule (or a DROP policy on INPUT) is needed for the limit to have any effect. To count new connections rather than every packet, also match -m conntrack --ctstate NEW.

13. Stateful Rule

  • Purpose: Allows traffic based on the connection state (e.g., established or related).
  • Example: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  • Explanation: This rule allows incoming traffic that belongs to established or related connections. -m state is the older form; -m conntrack --ctstate ESTABLISHED,RELATED does the same with the current match module.

14. ICMP Rule

  • Purpose: Controls ICMP (ping) traffic.
  • Example: iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  • Explanation: This rule allows ICMP echo requests (ping) to the system.

15. Custom Chain Rule

  • Purpose: Allows the creation of custom chains for specific traffic handling.
  • Example:
    • iptables -N MYCHAIN
    • iptables -A MYCHAIN -p tcp --dport 22 -j ACCEPT
    • iptables -A INPUT -j MYCHAIN
  • Explanation: This creates a custom chain called MYCHAIN that handles SSH traffic.

16. Flush Rules

  • Purpose: Removes all existing firewall rules.
  • Example: iptables -F
  • Explanation: This command flushes all rules in the filter table (the other tables need their own flush, e.g. iptables -t nat -F). Chain default policies are not reset, so if the INPUT policy is DROP, flushing over a remote SSH session locks you out; set the policies to ACCEPT first or run it from the console.

17. Save/Restore Rules

  • Purpose: Saves or restores firewall configurations.
  • Example:
    • iptables-save > /etc/iptables/rules.v4
    • iptables-restore < /etc/iptables/rules.v4
  • Explanation: These commands save the current firewall rules to a file and restore them from a file.

These are some of the fundamental firewall entries you can configure in Linux. Each rule type serves a different purpose, from controlling traffic to logging and translating network addresses.
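The entries above are listed one at a time, but on a real gateway they only work in combination and in the right order. The following added script is not part of the course; it generates a complete iptables-restore file for a small gateway that puts the rule types together: default-DROP policies, a stateful rule first, a rate limit followed by the DROP that makes it effective, a custom log-then-drop chain, DNAT for an internal web server and MASQUERADE for the LAN. The interface names eth0 (WAN) and eth1 (LAN) and the 192.168.1.200 web host are assumptions for the demo; pass your own as arguments.

```shell
#!/bin/sh
# Added example, not from the course: generate an iptables-restore ruleset for
# a small Linux gateway. Run it from the console (INPUT policy is DROP), check
# it with `iptables-restore --test`, then load it.

gen_ruleset() {
    wan="$1"   # internet-facing interface (assumed: eth0)
    lan="$2"   # internal interface (assumed: eth1)
    web="$3"   # internal host published on the gateway's TCP port 80 (assumed: 192.168.1.200)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# loopback and replies to connections we already know about come first
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping, rate limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# SSH: unlimited from the LAN; from the WAN at most 3 new connections a minute.
# The LOGDROP line right after the limited ACCEPT is what makes the limit bite.
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $wan -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A INPUT -i $wan -p tcp --dport 22 -m conntrack --ctstate NEW -j LOGDROP
# anything else addressed to the gateway itself is logged and dropped
-A INPUT -j LOGDROP
# routed traffic: LAN out to the internet, replies back, DNATed web traffic in
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -d $web -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOGDROP
# custom chain: log (limited so the journal cannot be flooded), then drop
-A LOGDROP -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: " --log-level 4
-A LOGDROP -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# publish the internal web server on the WAN address, port 80
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web:80
# hide LAN addresses behind whatever address the WAN interface has
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Number of rule lines (-A ...) in the generated file, for a quick sanity check.
count_rules() {
    gen_ruleset "$@" | grep -c '^-A '
}

gen_ruleset "${1:-eth0}" "${2:-eth1}" "${3:-192.168.1.200}"
```

Typical use: sysctl -w net.ipv4.ip_forward=1, then sh gateway-rules.sh eth0 eth1 192.168.1.200 > /etc/iptables/rules.v4, followed by iptables-restore --test < /etc/iptables/rules.v4 and, if that passes, iptables-restore < /etc/iptables/rules.v4. Note that the DNAT rule alone is not enough to publish the web server: the matching FORWARD ACCEPT is what lets the translated packet through, and the ESTABLISHED,RELATED rule lets the replies back.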

Firewall entries using ‘firewalld’

Below are various types of firewall entries using the firewalld tool in Linux, along with their meanings. These entries use the firewall-cmd command-line utility, which is the interface for managing firewall rules with firewalld.

1. Add Service

  • Purpose: Allows a predefined service in a particular zone.
  • Example:
    • firewall-cmd --zone=public --add-service=http
    • firewall-cmd --zone=public --add-service=http --permanent
  • Explanation: This rule allows HTTP traffic in the public zone. The first command changes the running firewall only; the --permanent one saves the change so it survives a reboot, but it is not applied to the running firewall until firewall-cmd --reload, which is why the two are used together.

2. Add Port

  • Purpose: Allows traffic on a specific port.
  • Example:
    • firewall-cmd --zone=public --add-port=8080/tcp
    • firewall-cmd --zone=public --add-port=8080/tcp --permanent
  • Explanation: This rule allows traffic on port 8080 for the TCP protocol in the public zone.

3. Block ICMP Type

  • Purpose: Blocks a specific ICMP type, such as ping (echo-request), in a zone; --remove-icmp-block lifts the block again.
  • Example:
    • firewall-cmd --zone=public --add-icmp-block=echo-request
    • firewall-cmd --zone=public --add-icmp-block=echo-request --permanent
  • Explanation: This rule blocks ICMP echo requests (ping) in the public zone.

4. Add Forwarding Rule

  • Purpose: Forwards traffic arriving on one port to another port, optionally on another host (add toaddr=).
  • Example:
    • firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080
    • firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
  • Explanation: This rule forwards TCP traffic arriving on port 80 to port 8080 on the same host.

5. Block a Service

  • Purpose: Removes a previously allowed predefined service from a specific zone, so the zone's default handling applies to it again.
  • Example:
    • firewall-cmd --zone=public --remove-service=http
    • firewall-cmd --zone=public --remove-service=http --permanent
  • Explanation: This rule removes the HTTP service from the public zone.

6. Add Masquerading (NAT)

  • Purpose: Enables Network Address Translation (NAT) for outgoing traffic.
  • Example:
    • firewall-cmd --zone=public --add-masquerade
    • firewall-cmd --zone=public --add-masquerade --permanent
  • Explanation: This rule enables masquerading (NAT) for traffic leaving the public zone, typically used when the system acts as a gateway.

7. Add Source IP

  • Purpose: Adds a source IP or network to a zone.
  • Example:
    • firewall-cmd --zone=home --add-source=192.168.1.0/24
    • firewall-cmd --zone=home --add-source=192.168.1.0/24 --permanent
  • Explanation: This rule associates the 192.168.1.0/24 network with the home zone.

8. Add Rich Rule

  • Purpose: Adds a more complex rule with specific conditions.
  • Example:
    • firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept'
    • firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept' --permanent
  • Explanation: This rule allows SSH traffic from the IP address 192.168.1.100 in the public zone.

9. Block IP Address

  • Purpose: Blocks traffic from a specific IP address.
  • Example:
    • firewall-cmd --add-rich-rule='rule family="ipv4" source address="203.0.113.1" drop'
    • firewall-cmd --add-rich-rule='rule family="ipv4" source address="203.0.113.1" drop' --permanent
  • Explanation: This rule drops all traffic from the IP address 203.0.113.1.

10. Enable Logging for Dropped Packets

  • Purpose: Logs dropped packets for auditing or debugging purposes.
  • Example:
    • firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" log prefix="Dropped: " drop'
    • firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" log prefix="Dropped: " drop' --permanent
  • Explanation: This rule logs and then drops traffic from 192.168.1.100, tagging the log entries with the prefix "Dropped: ". In the rich rule language the log element comes before the action; adding limit value="5/m" after the prefix keeps a flood of packets from filling the log.

11. Set Default Zone

  • Purpose: Sets the default zone for firewall rules.
  • Example: firewall-cmd --set-default-zone=work
  • Explanation: This command sets the work zone as the default zone for firewall rules.

12. Remove Port

  • Purpose: Removes an allowed port from a zone.
  • Example:
    • firewall-cmd --zone=public --remove-port=8080/tcp
    • firewall-cmd --zone=public --remove-port=8080/tcp --permanent
  • Explanation: This command removes the rule allowing traffic on port 8080 for TCP in the public zone.

13. Query Rules

  • Purpose: Lists or checks current firewall rules.
  • Example: firewall-cmd --zone=public --list-all
  • Explanation: This command lists all the active rules in the public zone.

14. Reload Configuration

  • Purpose: Reloads the firewall configuration to apply changes.
  • Example: firewall-cmd --reload
  • Explanation: This command reloads the firewalld configuration, applying any changes made.

15. Enable/Disable Firewalld

  • Purpose: Enables or disables the firewall service.
  • Example:
    • systemctl enable firewalld
    • systemctl disable firewalld
  • Explanation: These commands enable or disable the firewalld service at system startup.

16. Add Interface to Zone

  • Purpose: Associates a network interface with a specific zone.
  • Example:
    • firewall-cmd --zone=home --add-interface=eth0
    • firewall-cmd --zone=home --add-interface=eth0 --permanent
  • Explanation: This rule adds the eth0 interface to the home zone.

17. Remove Masquerading (NAT)

  • Purpose: Disables Network Address Translation (NAT) for outgoing traffic.
  • Example:
    • firewall-cmd --zone=public --remove-masquerade
    • firewall-cmd --zone=public --remove-masquerade --permanent
  • Explanation: This command disables masquerading (NAT) for traffic leaving the public zone.

18. Reload Firewalld Configuration

  • Purpose: Reloads all firewall rules and settings.
  • Example: firewall-cmd --reload
  • Explanation: This command reloads the firewalld configuration, applying any changes.

19. Complete Reload

  • Purpose: Rebuilds the whole firewall from the permanent configuration.
  • Example: firewall-cmd --complete-reload
  • Explanation: This command reloads firewalld completely, including the netfilter kernel modules. All runtime-only changes and connection-tracking state are discarded, so active connections may be cut; the permanent rules are applied again, so the system is not left without a firewall.

20. Persistent Rules (Firewalld)

  • Purpose: Configures rules that persist after a reboot.
  • Example:
    • firewall-cmd --add-service=http --permanent
    • firewall-cmd --reload
  • Explanation: The first command saves the HTTP allowance to the permanent configuration of the default zone; the --reload is what makes it active now, since a --permanent change on its own does not touch the running firewall.

These commands allow you to manage your firewall rules using the firewalld tool in Linux, providing a higher-level and more flexible approach than the iptables tool.
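The runtime/permanent split that runs through the list above is the usual source of firewalld surprises: a change made without --permanent disappears at the next --reload or reboot, and a change made only with --permanent is not active until --reload. The following added script is not part of the course; it wraps firewall-cmd so that a change is applied both ways, and it checks a zone for services present in one configuration but not the other. The function names fw, fw_both and fw_zone_drift and the FIREWALL_CMD variable are assumptions of this script; FIREWALL_CMD defaults to firewall-cmd and can be pointed at a stub (e.g. echo) to dry-run on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not from the course: keep firewalld's runtime and permanent
# configurations in step and detect when they have drifted apart.

# All firewall-cmd calls go through here so the command can be swapped for a
# stub when testing (FIREWALL_CMD is an assumption of this script).
fw() {
    ${FIREWALL_CMD:-firewall-cmd} "$@"
}

# Apply one change to the running firewall and to the saved configuration,
# e.g. fw_both --zone=public --add-service=http
fw_both() {
    fw "$@" && fw --permanent "$@"
}

# Compare the services a zone allows now against those saved on disk.
# Returns 0 when they agree, 1 (after printing the differences) when they drift.
fw_zone_drift() {
    zone="$1"
    runtime=$(fw --zone="$zone" --list-services)
    permanent=$(fw --permanent --zone="$zone" --list-services)
    drift=0
    for s in $runtime; do
        case " $permanent " in
            *" $s "*) ;;
            *) echo "runtime-only (lost at next --reload): $s"; drift=1 ;;
        esac
    done
    for s in $permanent; do
        case " $runtime " in
            *" $s "*) ;;
            *) echo "permanent-only (inactive until --reload): $s"; drift=1 ;;
        esac
    done
    [ "$drift" -eq 0 ] && echo "zone $zone: runtime and permanent agree"
    return "$drift"
}

# Usage:  sh fw-sync.sh allow <zone> <service>
#         sh fw-sync.sh check <zone>
case "${1:-}" in
    allow) fw_both --zone="$2" --add-service="$3" ;;
    check) fw_zone_drift "$2" ;;
esac
```

Running the check before a planned --reload tells you which runtime-only allowances are about to vanish, and running it after shows whether a saved change was actually activated. The same comparison works for ports (--list-ports) and rich rules (--list-rich-rules) by changing the listing option.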