Firewalls

iptables

Important: This section is a brief introduction to setting up customized security beyond what is possible with the GUI tools provided by Red Hat. It’s not meant to be comprehensive, as everyone’s needs are different, and it would be impossible to cater to them all. However, hopefully it will give you a taste of the tools available.

Blocking and allowing traffic based on direction (i.e. incoming or outgoing) and port number gives some degree of control over network traffic, but there are situations when we need finer control. For example, we may want to run a Web server that can be accessed only from machines within our department, and not from machines elsewhere. Or we may want to prevent users on certain machines from being able to FTP files from our machine while allowing others to do so.

The firewalling code in Red Hat Linux 9 is perfectly able to cope with these situations, and far more complex ones, but we have to roll up our sleeves and configure it from the command line. This is where the iptables command comes in. It is used to manipulate the kernel’s packet filtering tables, so we can fine-tune the firewall settings to our environment.

Let’s see how to implement a concrete example. Imagine our Red Hat machine has two network interfaces: eth0 has the IP address 192.168.1.1 and eth1 has the IP address 192.168.10.1. Both interfaces have netmasks of 255.255.255.0. We’re running a Web server listening on port 80, and an FTP server that uses ports 20 and 21. We need to allow machines with IP addresses starting with 192.168.10 access to the Web server, but nobody else. We also need to allow all machines in the 192.168.1.0 network access to the FTP server, except 192.168.1.57. How do we configure this?

The first thing to do is look at the existing firewall configuration. Log on to the machine and switch to the root user. Run the following command to get a verbose listing of the current firewall rules:

    # iptables -L -v

Rules are grouped together into chains. There are three default chains:

    INPUT, which handles incoming network packets destined for processes on the local machine
    OUTPUT, which handles outgoing network packets produced by the local machine
    FORWARD, which handles packets that arrive on one interface and leave on another (i.e. the local machine is forwarding them)

There may be other user-defined chains too.

To set up our machine to meet the above specification, we’ll clear out (or flush) the existing rules with the following command:

    # iptables -F

Note: We can use this command to delete the named user-defined chain:

    # iptables -X name

We’re going to be dealing only with packets coming into our machine in this example, so we’ll be configuring rules in the INPUT chain. Our first step is to configure the default behavior, or policy, for the INPUT chain so that if it receives a packet that doesn’t match any rules, it drops (discards) it. This is the most security-conscious approach, as it means that everything is blocked unless we explicitly allow it. The command to set
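The scenario above (Web server reachable only from 192.168.10.x, FTP reachable from 192.168.1.0/24 except 192.168.1.57, everything else dropped by the INPUT policy) written out as a complete rule set. This is an added example, not text or code from the book: it keeps the rules in a small table, generates the corresponding iptables commands from it, and runs a tiny first-match simulator over the same table so the ordering can be checked before anything touches a live firewall. It assumes the Web server is reached through eth1 and the FTP server through eth0 (matching the addresses given in the text), and it adds a connection-tracking rule (-m state) that the text does not mention, so that replies to the machine’s own outbound traffic survive the DROP policy.

```shell
#!/bin/sh
# Added example (not from the book): INPUT-chain rules for the two-interface
# scenario, generated from a table and checked with a first-match simulator.
# Assumptions: Web server behind eth1 (192.168.10.1), FTP server behind
# eth0 (192.168.1.1); both networks are /24 as the text states.

# Rule table in the order it is appended to INPUT.  iptables stops at the
# first matching rule, so the DROP for 192.168.1.57 must come BEFORE the
# ACCEPT for the whole 192.168.1.0/24 network.
# Columns: in-interface  source  protocol  dport  target   ("*" = any)
rule_table() {
    cat <<'EOF'
lo    *                *    *   ACCEPT
eth1  192.168.10.0/24  tcp  80  ACCEPT
eth0  192.168.1.57     *    *   DROP
eth0  192.168.1.0/24   tcp  21  ACCEPT
eth0  192.168.1.0/24   tcp  20  ACCEPT
EOF
}

# Print the iptables commands for the table.  To apply them, run as root:
#   sh firewall.sh | sh
emit_commands() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    # Not in the table (the simulator ignores state): without this rule the
    # DROP policy also discards replies to connections this machine opens.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    rule_table | while read -r iface src proto dport target; do
        cmd="iptables -A INPUT -i $iface"
        [ "$src" = "*" ]   || cmd="$cmd -s $src"
        [ "$proto" = "*" ] || cmd="$cmd -p $proto"
        [ "$dport" = "*" ] || cmd="$cmd --dport $dport"
        echo "$cmd -j $target"
    done
}

# Dotted-quad address to a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds if address $1 lies in $2, given as a.b.c.d or a.b.c.d/len.
in_net() {
    addr=$1; net=${2%/*}
    case $2 in */*) len=${2#*/} ;; *) len=32 ;; esac
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# verdict <iface> <src> <proto> <dport>: target of the first matching rule,
# or the chain policy (DROP) when nothing matches.
verdict() {
    p_if=$1; p_src=$2; p_proto=$3; p_port=$4
    result=$(rule_table | while read -r iface src proto dport target; do
        [ "$iface" = "$p_if" ] || continue
        [ "$src" = "*" ]   || in_net "$p_src" "$src" || continue
        [ "$proto" = "*" ] || [ "$proto" = "$p_proto" ] || continue
        [ "$dport" = "*" ] || [ "$dport" = "$p_port" ] || continue
        echo "$target"; exit 0   # leaves only the loop's subshell
    done || true)
    echo "${result:-DROP}"
}

# Show the generated commands and a few constructed sample packets.
emit_commands
for pkt in "eth1 192.168.10.22 tcp 80" "eth0 192.168.1.57 tcp 21" \
           "eth0 192.168.1.58 tcp 21" "eth0 192.168.1.22 tcp 80"; do
    echo "$pkt -> $(verdict $pkt)"
done
```

The simulator is deliberately stateless and only models interface, source, protocol and destination port, which is enough to confirm the two things that matter here: that the host exception is ordered before the network ACCEPT, and that a Web request arriving on eth0 from the 192.168.1.0 network falls through to the DROP policy. The data connection of an active-mode FTP transfer is opened by the server from port 20, so on the server side its inbound packets are replies; they are accepted by the ESTABLISHED,RELATED rule rather than by the port-20 line, which is kept only because the text lists both ports.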