Managing iptables and Your Rules in Font

Create DataMatrix in Font Managing iptables and Your Rules

Many distributions come with tools to help you create your firewall. Gnome Lokkit on Red Hat or Debian and third-party tools such as Firestarter,12 MonMotha,13 and GuardDog14 are all examples of these. These tools allow you to input configuration settings and variables, and they output iptables rules. I will not cover any of these tools because they are dangerous and encourage poor security. Gnome Lokkit is a good example of this. Its default policy is to ACCEPT traffic by default and not by exception. This violates what I think is good firewall design and leaves your system exposed whilst giving you the impression it is secure because you have used Red Hat s recommended tool. Additionally, these tools often set extra configuration and firewall settings without consulting you. This assumption that this default configuration will suit your host and environment is a dangerous risk. It is a much better approach to configure your own rules and have a full understanding of how the various rules interact than to assume that a third-party tool

12. http://firestarter.sourceforge.net/ 13. http://monmotha.mplug.org/firewall/index.php 14. http://www.simonzone.com/software/guarddog/

will provide a suitable configuration. This chapter should have shown you that the configuration of host firewalls with iptables is easy to master and that you do not require a third-party tool to achieve secure and hardened firewalls.

Even if I do not recommend using a tool to construct iptables firewalls, a large number of rules and settings are still involved in the average iptables firewall. These can become cumbersome to manage and maintain and can be time consuming to reenter if you accidentally flush your rules or if you need to duplicate firewall settings on multiple hosts. The iptables package comes with some tools to assist in the process of managing your rules. These are iptables-save and iptables-restore. The iptables-save command saves the iptables rules currently in memory to STDOUT or to a file. The iptables-restore command allows you to restore rules from a file or STDIN. Start by saving some of your rules using iptables-save. The iptables-save command without options outputs all current rules to STDOUT. You can see a sample of the output from the command in Listing 2-72. Listing 2-72. Sample iptables-save Output kitten# iptables-save *filter :INPUT ACCEPT [2:184] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [9:904] :BAD_FLAGS - [0:0] ... ... -A INPUT -i lo -j ACCEPT -A ICMP_OUT -o eth0 -p icmp -j LOG --log-prefix "IPT: ICMP_OUT " -A ICMP_OUT -o eth0 -p icmp -j DROP COMMIT The format of the file is not critical, as I recommend you do not change your rules and configuration in the outputted file but rather use iptables to edit your rules as it was designed to do. But to give you some brief information on the structure of the file, you can see that the start of each table described in the iptables-save output is prefixed by the asterisk symbol (*) and the end of the iptables-save output is indicated by the line COMMIT. The iptables-save command had two flags; the first flag -t allows you to specify only those rules from a particular table. To save only the filter table rules, enter the following: kitten# iptables-save -t filter If you omit the -t flag, the table selection defaults to the filter table. The second flag, -c, saves your rules together with the values of the packet and byte counters for each chain and rule. The best approach to storing your iptables configuration is to redirect the output of the iptables-save command to a file, as shown in Listing 2-73.

Listing 2-73. Redirecting the iptables-save Output kitten# iptables-save > kitten-iptables-rules-20040803 Once you have your saved rules and configuration, you can restore them using the iptables-restore command. Listing 2-74 shows the restoration of the rules you saved in Listing 2-74. Listing 2-74. Restoring iptables Rules kitten# iptables-restore < kitten-iptables-rules-20040803 In Listing 2-74 your existing rules will be flushed from the system and replaced with the rules contained in the kitten-iptables-rules-20040803 file. The iptables-restore has two flags; the first -c restores the values of your byte and packet counters (if they were saved with your rules using the iptables-save -c command). The second flag, -n, restores your rules without flushing the existing rules from your system. This adds any restored rules to your current rules.