Chapter 7. Firewalls


69


Warning


The IPChains and IP6Tables services must be turned off to use the IPTables service with the following


commands:


service ipchains off


service ip6tables off


To make IPTables start by default whenever the system is booted, you must change runlevel status on


the service using


chkconfig


.


chkconfig   level 345 ip6tables on


The syntax of


iptables


is separated into tiers. The main tier is the chain. A chain specifies the state


at which a packet will be manipulated. For example:


iptables  P OUTPUT ACCEPT


The


OUTPUT


chain specifies any packets that originate from inside a LAN and travels outside (for


example, to a remote website). In the example above, the rule states that all packets coming from


the inside to the outside of the local network is allowed to pass through the firewall. This is usually


an acceptable rule for administrators because the likelihood of dangerous packets going out into an


untrusted carrier network such as the Internet is small compared to malicious packets going into the


local network. The three built in chains of


iptables


(that is, the chains that affect every packet which


traverses a network) are INPUT, OUTPUT, and FORWARD. These chains are permanent and cannot


be deleted, whereas user defined chains can be.


Some basic rules established from the outset can aid as a foundation for building more detailed, user 


defined rules. For example, you may want to allow all connections originating from the inside by


default and then customize unique cases with their own rule sets. Accepting all


OUTPUT


by default is


a sufficient foundation to build upon regarding outbound connections. It is also recommended that,


by default, all incoming connections be denied by your firewall. The following rule will block all


incoming connections:


iptables  P INPUT REJECT


Additionally, it is recommended that any forwarded packets   network traffic that is to be routed from


the firewall to its destination node   be denied as well, to restrict internal clients from inadvertent


exposure to the Internet (for example, if a LAN user accidentally turns on a service on some arbitrary


port, then your network becomes vulnerable because of that machine's service). To do this, use the


following rule:


iptables  P FORWARD REJECT


After setting basic rules, you can now create new rules for your particular network and security re 


quirements. The following sections will outline some common rules you may implement in the course


of building your


iptables


firewall.


7.1.2.1. Saving and Restoring IPTables Rules


Firewall rules are only valid for the time the computer is on. If you reboot your system, the rules will


be automatically flushed and reset. To save your rules so that they will load later, use the following


command:


service iptables save








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      web hosting comparison

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved