Iptables Basic Guide

People always complain about how hard iptables are to understand and configure. I’m not saying it’s an easy process but once you get the hang of it, it should seem a little less difficult. Iptables is a user space tool which is used to create rules for packet filtering and NAT modules. Basically, iptables creates the firewall for your Internet connection in Linux. If you are new to Linux but will use it on a regular basis, then you must learn how to use iptables as your whole system security is based on it.

Kernel support check

Before you configure iptables, you first have to check if your system has been configured properly. First of all, you must check if the kernel was compiled with iptables support. This can be done with the ‘grep’ command on the kernel config file. The command:

# cat /boot/config-your.kernel.version.here | grep -i "CONFIG_IP_NF"

should print some lines ending with ‘=y’ or ‘=m’. Also, “CONFIG_IP_NF_IPTABLES” line must end with ‘=m’ (that means iptables was compiled as a module).

Iptables check/installing

You must check if you have iptables installed by executing the command:

# rpm -qa | grep iptables

This should print iptables-your.installed.version and eventually iptables-devel-your.installed.version (this is optional).

If you don’t have it on your system, you can easily install it either by downloading the latest rpm package from iptables homepage and executing the command:

# rpm -Uvh iptables-downloaded.version.rpm

Or by using yum:

# yum install iptables

Where are the main iptables files stored?

/etc/init.d/iptables is the INIT script which is used to start, stop the service and/or to save the rulesets.

/etc/sysconfig/iptables this is the file that holds the saved rulesets.

/sbin/iptables and this is the iptables binary.

Before you actually start configuring the rules, let’s take a look at the current configuration:

# iptables -L

By default, there are only three chains which hold exclusive rules: INPUT, OUTPUT and FORWARD. The INPUT chain contains rules for traffic incoming to your server, OUTPUT contains the rules for traffic outgoing from your server to the Internet and FORWARD contains the rules for traffic that will be forwarded to other computers behind yours (if your server is a firewall for a LAN).

Iptables are mostly configured to deal with traffic incoming from the Internet to the Linux server, so the INPUT chain is used. When traffic passes through your Linux kernel, a TARGET is determined based on whether the packet matches a rule in the rulesets or not. The most commonly used targets are:

ACCEPT: traffic is allowed to pass through to its destination;
REJECT: traffic is blocked from reaching its destination and a packet is sent back to the sending host with a quick explanation;
DROP: traffic is blocked with no explanation sent back whatsoever.

Configuring iptables rulesets

Before the actual configuration, I insist on giving you a few tips I’ve learned the hard way so you don’t have to. You must keep in mind that the order in which you add rules is everything. For example, if you make the mistake of adding the first rule to deny everything, then, no matter what you set to allow after, it will still be denied.

The second thing you must keep in mind is that the rulesets are in memory and are not saved on disk automatically, so if you reboot your computer without first running the INIT script (or iptables-save) to save them, everything you’ve worked for will be gone.

Another important thing that applies if you work on your server from a remote PC, through ssh: it’s important not to block yourself out so make this your first rule:

# iptables -A INPUT -s 213.10.10.13 -d 192.168.1.1 -p tcp --dport 22 -j ACCEPT

Explanation:

-A: appends the rule to the INPUT chain;
-s: source IP, in this case, the IP you are ssh’ing from;
-d: destination IP, in this case, the server IP;
-p: communication protocol;
--dport: destination port, in our case it’s the SSHd port;
-j: stands for ‘Jump’. If everything matches, the packet is accepted.

Next, let’s set some basic rules for general traffic. One of iptables’ features is the ability to determine the state a packet is in. These are the packet states on a new connection:

NEW: 1st server sends 2nd a SYN packet that it wants to create a new connection.
RELATED: 2nd server receives the SYN packet and sends to 1st server a SYN-ACK packet which signals that everything is all right.
ESTABLISHED: 1st server receives the SYN-ACK packet and sends 2nd server an ACK packet which is the final acknowledgment; the connection finishes establishing and traffic starts between the two servers.

In order for your server to be able to establish TCP connections with other servers, iptables must be configured with the following rules:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Custom rules

To block IPs:

# iptables -A INPUT -s 192.168.1.13 -j DROP
This rule blocks any incoming traffic from 192.168.1.13.

# iptables -A INPUT -d 192.168.1.15 -j REJECT
This rule blocks any incoming traffic for LAN computer with IP 192.168.1.15 (behind your server).

To allow IPs:

# iptables -A INPUT -s 213.10.10.13 -d 192.168.1.4 -p tcp --dport 21 -j ACCEPT
This rule accepts incoming traffic from the source IP to the destination IP, which is an FTP server.

After you’ve configured all the rules for every port on your local or network service you want to allow (or block) traffic to or from, it’s time to block the rest:

# iptables -A INPUT -j REJECT
# iptables -A FORWARD -j REJECT

These block rules MUST be added last.

To delete a rule, simply write it again but replace the ‘-A’ before the chain with ‘-D’ (Delete).
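As an added example (not part of the original guide), the script below writes the whole ruleset from this section in the order it must be loaded, using the same format /etc/sysconfig/iptables holds, and checks that no rule was appended after a chain’s catch-all REJECT. The admin and server addresses are the guide’s sample values and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the original guide: emit this guide's ruleset in
# the order it must be loaded, in the format /etc/sysconfig/iptables uses,
# so it can be reviewed (or fed to iptables-restore) instead of typed live.
# Addresses and interface are the guide's sample values; override via env.
ADMIN_IP="${ADMIN_IP:-213.10.10.13}"   # host you ssh in from
SERVER_IP="${SERVER_IP:-192.168.1.1}"  # this server's address
WAN_IF="${WAN_IF:-eth0}"

# build_ruleset [extra rule]... -> prints the complete filter table
build_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # 1. Admin ssh first, so a later mistake cannot lock you out.
    printf '%s\n' "-A INPUT -s $ADMIN_IP -d $SERVER_IP -p tcp --dport 22 -j ACCEPT"
    # 2. Traffic belonging to connections that were already allowed.
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
                  "-A FORWARD -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT" \
                  '-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # 3. Per-service rules supplied by the caller (e.g. the FTP rule above).
    for rule in "$@"; do printf '%s\n' "$rule"; done
    # 4. Catch-all blocks last; nothing appended after them is ever reached.
    printf '%s\n' '-A INPUT -j REJECT' '-A FORWARD -j REJECT' 'COMMIT'
}

# check_order < ruleset -> fails if any rule follows a chain's catch-all
# REJECT/DROP, which is the ordering mistake the guide warns about.
check_order() {
    awk 'BEGIN { bad = 0 }
         /^-A / { if ($2 in closed) { print "unreachable: " $0; bad = 1 }
                  if ($0 ~ /^-A [A-Za-z0-9_-]+ -j (REJECT|DROP)$/) closed[$2] = 1 }
         END { exit bad }'
}
```

Run `build_ruleset > /tmp/rules && check_order < /tmp/rules` and, once happy, load the file with `iptables-restore < /tmp/rules` as root and save it with the INIT script.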

Saving rulesets

To save your iptables configuration, simply execute the command:

# /etc/init.d/iptables save

To stop iptables and flush all rules: (careful, use the save INIT script before stopping iptables and flushing rules)

# /etc/init.d/iptables stop

To start iptables again and load the rulesets from /etc/sysconfig/iptables:

# /etc/init.d/iptables start

The End

From : Softpedia


Configuring the Ethernet Interface from The Command Line

Perhaps the most important thing in today’s desktop computer is the network connection. Setting your network connection involves mainly setting the interface you use for connecting to the network. When it comes to setting a network interface, the ifconfig command is the godfather of all the commands.

For most popular distros, you have graphical tools for setting the Ethernet interface, even at the installation stage. There are many various tools for configuring the interface in the desktop environment, but I think that being able to configure it from a command line is an important and very simple task.

To start with, we should check what we are working with. This is done by entering the command “ifconfig -a” in the command line. The “-a” argument is useful for displaying the status of all the interfaces, even for those that are down. Now, you should be able to see your interface there. If there is a standard network card, it will have the name eth0. If you have more than one Ethernet card, there will be more eth adapters. The first one is eth0, the second is eth1 and so on. Some people think that, in case of more than one network interface, the network card that is integrated on the motherboard will be eth0. This is not true at all. In case of a point-to-point connection, you’ll see ppp0.

After locating the adapter you want to configure, you’ll use the ifconfig command to assign TCP/IP configuration values to the network interface. Normally, we’ll need to assign two or three values: the IP address, the network mask and sometimes the broadcast address.

We’ll assume we need to set an IP address of 10.10.10.8 with the subnet 255.255.255.0 to the eth0 network adapter. (Network mask and subnet mask are the same thing, and you might find other similar terms that refer to them.) This is done by entering this command:

ifconfig eth0 10.10.10.8 netmask 255.255.255.0

Defining the broadcast address is important too, because the ifconfig command sometimes sets a very weird broadcast address. In our case, the command will be:

ifconfig eth0 10.10.10.8 netmask 255.255.255.0 broadcast 10.10.10.255

Now, there are two simple ways to see if you managed to configure your Ethernet interface. One is to execute ifconfig in a terminal (and you’ll see all the interfaces that are up), and the other is to execute ifconfig followed by the name of the interface you want to check. In our case, “ifconfig eth0” will show the configuration of eth0.

Your configuration of eth0 will be reset if you reboot. Normally, you will not want to execute this command every time you boot your Linux computer. In most Linux distributions, there is a script in /etc called rc.local that is executed last, so that it will not get overwritten by other scripts. Adding your ifconfig command here will set up your interface every time the system boots.

You can use the ifconfig command to shut down an interface or to activate it. To do this, you use the command this way:
ifconfig eth0 down
ifconfig eth0 up

If you want to go online, the ifconfig command is not enough. You’ll still have to configure the gateway that the system should use. This is done using the “route” command. Assuming that the gateway we want to use is 10.10.10.1, the command for using this address as the default gateway is:
route add default gw 10.10.10.1

Adding this line in the rc.local script is also recommended if you want to have your Internet connection set up on your machine. You can verify that the correct route was added with the “route” command.
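As an added example (not from the original article), the functions below compute the broadcast address from an IP and netmask, refuse a non-contiguous netmask, and print the two lines this article recommends adding to rc.local. The interface, addresses and gateway are the article’s sample values passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original article: derive the broadcast address
# so it is set explicitly instead of relying on ifconfig's guess, and emit
# the ifconfig + route lines for rc.local. Uses only POSIX sh arithmetic.

# broadcast_of IP NETMASK -> prints the directed broadcast address
broadcast_of() {
    oldifs="$IFS"; IFS=.
    set -- $1 $2            # $1..$4 = IP octets, $5..$8 = mask octets
    IFS="$oldifs"
    # broadcast = ip OR (NOT mask), computed per octet
    printf '%d.%d.%d.%d\n' \
        $(( $1 | (255 - $5) )) $(( $2 | (255 - $6) )) \
        $(( $3 | (255 - $7) )) $(( $4 | (255 - $8) ))
}

# valid_mask NETMASK -> succeeds only for a contiguous mask (e.g. 255.255.240.0)
valid_mask() {
    oldifs="$IFS"; IFS=.
    set -- $1
    IFS="$oldifs"
    m=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    inv=$(( (~m) & 4294967295 ))          # host bits of the mask
    # The host bits of a contiguous mask form 2^k - 1, so inv & (inv+1) == 0.
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# rc_local_lines IFACE IP NETMASK GATEWAY -> lines to append to /etc/rc.local
rc_local_lines() {
    valid_mask "$3" || return 1
    bc="$(broadcast_of "$2" "$3")"
    printf '%s\n' "ifconfig $1 $2 netmask $3 broadcast $bc" \
                  "route add default gw $4"
}
```

For the article’s values, `rc_local_lines eth0 10.10.10.8 255.255.255.0 10.10.10.1` prints the ifconfig line with broadcast 10.10.10.255 followed by the route line.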

This ‘How-to’ only demonstrates a hypothetical situation of setting up a network interface and an Internet connection. The settings here should be adapted to fit your situation, and if you understand how the commands explained here work, you won’t have a problem configuring your network. Most probably you’ll be using graphical software from your Linux distribution, but knowing this stuff might come in handy sometimes, and it is really helpful for debugging.

From : Softpedia

Sharing Folders over a Network Using SAMBA

This is a guide written for Fedora Linux, but it MIGHT be useful for other RPM based distributions as well. If you follow this guide successfully, you will be able to drag and drop files from and to Linux shared folders and access any file or folder on the Linux server.

SAMBA is a suite of applications for unix-like operating systems that provide seamless integration between UNIX and Windows machines. It can be configured to register itself with the master browser on the network in order to be listed among the hosts in WIN9x/NT’s “Network Neighborhood”.

Before we proceed, you must ensure that SAMBA is installed on your server. The command:

# rpm -qa | grep samba

should print “samba, samba-common, samba-client and system-config-samba”. If there isn’t any response to that command, simply run as root:

# yum install samba

Firewall and SELinux Settings

Your system security has to be configured in order for SAMBA to work properly. Go to a root terminal and type:

# system-config-securitylevel

From the Firewall Options tab, check the box near Samba to make it a trusted service. Next, go to SELinux tab, look for Samba in the SELinux Policy drop-down list and check all the boxes for Samba. Press OK to close the window. Finally, open /etc/sysconfig/iptables in a text editor and add the following lines just before the -j REJECT line:

-A RH-Firewall-1-INPUT -p udp -m udp -s 10.10.0.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 10.10.0.0/24 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.10.0.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.10.0.0/24 --dport 445 -j ACCEPT

Save the file and then, open a root terminal and type:

# /etc/init.d/iptables restart

Those iptables config lines are compatible with the Fedora Core firewall. If you use another distribution, simply edit them accordingly, in order to match your distribution’s firewall configuration.
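As an added example (not from the original guide), this script inserts the four Samba rules above into an iptables save file immediately before its first -j REJECT line, so they are evaluated before the catch-all block. The chain name, subnet and ports are the guide’s; the file path is an argument (normally /etc/sysconfig/iptables) and the script is safe to re-run.

```shell
#!/bin/sh
# Added example, not from the original guide: place the Samba ACCEPT rules
# into an existing iptables-save file (normally /etc/sysconfig/iptables)
# just before the chain's -j REJECT line, without editing it by hand.
# Chain, subnet and ports follow the guide; override LAN via the environment.
LAN="${LAN:-10.10.0.0/24}"

samba_rules() {
    printf '%s\n' \
      "-A RH-Firewall-1-INPUT -p udp -m udp -s $LAN --dport 137 -j ACCEPT" \
      "-A RH-Firewall-1-INPUT -p udp -m udp -s $LAN --dport 138 -j ACCEPT" \
      "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s $LAN --dport 139 -j ACCEPT" \
      "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s $LAN --dport 445 -j ACCEPT"
}

# insert_before_reject FILE: rewrites FILE with the Samba rules ahead of the
# first "-j REJECT" line. Returns 1 if there is no REJECT line to anchor on;
# does nothing if the rules are already present, so re-running is harmless.
insert_before_reject() {
    f="$1"
    grep -q -- "--dport 445 -j ACCEPT" "$f" && return 0   # already inserted
    grep -q -- "-j REJECT" "$f" || return 1               # nothing to anchor on
    samba_rules > "$f.samba"
    awk -v rules="$f.samba" '
        !done && /-j REJECT/ { while ((getline l < rules) > 0) print l; done = 1 }
        { print }' "$f" > "$f.new" && mv "$f.new" "$f"
    rm -f "$f.samba"
}
```

After `insert_before_reject /etc/sysconfig/iptables` as root, restart the firewall with the INIT script as described above.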

Enabling SAMBA Services

By default, the SMB daemon is not started at boot time, so you’ll have to do it yourself. Open a terminal and, as root, type the commands:

# chkconfig smb on
# /etc/init.d/smb restart

Create Linux Users and Directories

For the SAMBA server to function correctly, you must add users to both the Linux server and the SAMBA server. To add users to the Linux server, open a terminal and, as root, type the command:

# system-config-users

Here, add all the users you want to access the SAMBA shares, as well as their passwords and share directories.

SAMBA Server Configuration

In this section, you will configure SAMBA server to allow certain users to access the server from LAN PCs. From a root terminal, type:

# system-config-samba

This step will alter the SAMBA configuration file (/etc/samba/smb.conf) so it’s a good idea to back it up in case you encounter troubles.

Go to Preferences > Server Settings. Be sure to include the same workgroup name used by Windows PCs. In the same window, go to Security tab. Settings in this tab are, by default, the appropriate ones so you won’t have to change anything. Just be sure the authentication mode is set to User. Click OK to close it.

Next, go to Preferences > Samba Users. In this window you must add at least one user who will have access to the SAMBA Server. Click on Add User, choose the user created a few steps back, write its Windows username, set a password and click OK.

If you only want to set a Public Shared Folder, first go to Preferences > Server Settings > Security and choose “Share” for the “Authentication Mode”. Then, add a new share for the directory /tmp, write in the Share Name and Description something like “Public Folder”, check both “Writable” and “Visible” boxes and from the “Access” tab, select “Allow access to everyone”. This way, anyone accessing the server share will be able to read and write to the public folder (/tmp on the Linux server) without being asked for any username or password, allowing users to easily exchange files.

Adding a shared folder: here, you have to set a shared folder for every user created a few steps back. It’s recommended you use each user’s home directory in order to avoid any permission errors. For instance, if you created the user “tom”, you should create a share with the directory “/home/tom”. Next, fill in the share name and description and, optionally, check the Writable and Visible boxes. Further on, go to the Access tab and select the user created earlier. So again, if you selected “/home/tom” as the shared directory, you must select the user “tom” from this list. Repeat this step for every user, so that each one gets a share.

Restart SAMBA

For the settings to apply, the SAMBA server has to be restarted. In order to do this, open a root terminal window and execute the following command:

# /etc/init.d/smb restart

If no errors were present and the restart was successful, it’s time to connect to the SAMBA Server.

Access the SAMBA Shares from Linux PCs

Open a Konqueror window and type in the address bar:

smb://10.10.0.11

This is an example IP; you will have to enter your server IP there, but keep the syntax. The shared folders for each user will appear. When you try to enter a shared directory, a login window will pop up, asking for username and password. To access the shared folder, you will have to enter the login information you used when creating the samba user. From there on, everything is pretty straightforward.


From : Softpedia