Tags
Firewall, Firewalld, IP tables, Linux, Linux Firewall, netfilter, Networking, SE Linux
A firewall is a program running on a gateway, bridge or PC/laptop/smartphone that is capable of filtering incoming, outgoing, and forwarded network packets. A firewall is essentially a tool that lets you restrict your or your network’s access to the Internet, and someone else’s access from the Internet to your network.
Linux comes with a host based firewall called Netfilter. According to the official project site:
netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
This Linux-based firewall is controlled by the program called iptables, which handles filtering for IPv4, while ip6tables handles filtering for IPv6.
IP Tables is a lower-level firewall implementation available on Linux systems.
Most distros have other firewall options as well. For example:
RHEL/CentOS has Firewalld. Firewalld is an easier way to use and implement IP Tables, but some programs are not compatible with it and require direct interaction with IP Tables.
SELinux (Security Enhanced Linux): here is more info if you are curious about this topic:
IP Tables provides the basic low-level routing system for how Linux deals with IP traffic/packets.
It contains several important tables:
1) NAT – Network Address Translation
Network address translation (NAT) is a methodology of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) packet headers while they are in transit across a traffic routing device
This is the basic method through which several VMs running on the same hardware server (hypervisor) can get unique IP/MAC addresses etc. Virtualization programs like VMware ESXi/KVM modify the IP packets received by the hypervisor’s NIC and map them to the appropriate IP addresses of the VMs the program is managing.
In the cloud computing world, we also use NAT to provide outbound Internet access to VMs running in a private subnet.
2) MANGLE – for modifying packets
3) Filter – decides which packets get processed
IP Tables deals with tables.
Tables have chains.
A chain is a sequential list of rules.
A rule defines a particular kind of packet and what happens to it.
Filter Table: Default Chains
INPUT
OUTPUT
FORWARD
Each rule has two parts:
1) Specification of the type of packet – the criteria for matching
2) Routing policy (target) – ACCEPT, DROP, REJECT etc.
Iptables Config File
The default config files for RHEL / CentOS / Fedora Linux are:
- /etc/sysconfig/iptables – The system scripts activate the firewall by reading this file.
Turn On Firewall
Use the following commands to enable the service at boot and to control it:
chkconfig iptables on # starts the service on boot
service iptables start # start the firewall
service iptables restart # restart the firewall
service iptables stop # stop the firewall
Understanding Firewall
The filter table has three default chains:
- INPUT – This chain is used for packets addressed to the system. Use it to open or close incoming ports (such as 80, 25, and 110) and IP addresses/subnets (such as 202.54.1.20/29).
- OUTPUT – This chain is used for packets generated by the system. Use it to open or close outgoing ports and IP addresses/subnets.
- FORWARD – This chain is used for packets that are sent on through another interface. It is usually used when you set up Linux as a router. For example, eth0 is connected to an ADSL/cable modem and eth1 is connected to the local LAN. Use the FORWARD chain to pass traffic between the LAN and the Internet.
Packet Matching Rules
- Each packet starts at the first rule in the chain.
- A packet proceeds down the chain until it matches a rule; if no rule matches, the chain’s default policy applies.
- If a match is found, control jumps to the specified target (such as REJECT, ACCEPT, DROP).
Target Meanings
- The target ACCEPT means allow the packet.
- The target REJECT means drop the packet and send an error message back to the sending host.
- The target DROP means drop the packet silently, without sending an error message to the sending host.
Iptables Options and Match Criteria
| Option | Meaning |
|---|---|
| -t <table> | If you don’t specify a table, the filter table is assumed. The built-in tables are filter, nat and mangle. |
| -j <target> | Jump to the specified target (or user-defined chain) when the packet matches the current rule. |
| -A <chain> | Append the rule to the end of a chain. |
| -F | Flush: deletes all the rules in the selected table. |
| -p <protocol-type> | Match protocol. Types include icmp, tcp, udp, and all. |
| -s <ip-address> | Match source IP address (a single address or a subnet). |
| -d <ip-address> | Match destination IP address (a single address or a subnet). |
| -i <interface-name> | Match the “input” interface on which the packet enters. |
| -o <interface-name> | Match the “output” interface through which the packet exits. |
Examples to Understand How To Write a Firewall Rule
- Rule to accept TCP packets arriving on interface eth0 from any address to my machine (192.168.1.1):
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p tcp -j ACCEPT
0/0 – means any IP address
- Rules to allow SSH connections from a network (the first admits new and established connections coming in, the second lets the replies out):
iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/25 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
- Rule to rate-limit connection attempts, for example restricting ICMP echo requests to no more than one per second. The rule below limits new TCP connections to five per second, which allows the system to filter the kind of traffic that characterizes a DoS attack:
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
--syn – used to identify a new TCP connection (a packet with only the SYN flag set)
Note that a limit match with an ACCEPT target only admits packets under the limit; packets above it fall through to the following rules, so they are only discarded if a later rule or the chain’s default policy drops them.
A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example a botnet) flooding the targeted system with traffic.
- Rules to forward packets (HTTP/HTTPS from the Internet on eth0 to the internal host 192.168.1.2 on eth1, and the replies back out):
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.2 -o eth1 -p tcp --sport 1024:65535 -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.2 -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
- Rule to block an IP address range (append order matters: a DROP rule appended after an ACCEPT that already matches the same traffic will never be reached):
iptables -A INPUT -s 192.168.1.0/24 -j DROP
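The rules above are individual commands; in practice they are kept together in the file that /etc/sysconfig/iptables holds, in iptables-restore format. The following script is an added example, not code from the original post: it renders a complete filter and nat ruleset (DROP policies, established-first ordering, a SYN_FLOOD chain that actually drops the excess, LAN-only SSH, router forwarding and outbound NAT) so it can be reviewed before loading. All addresses and interface roles are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: render a reviewable ruleset in
# iptables-restore format (what /etc/sysconfig/iptables holds and what
# "service iptables start" loads). All addresses are constructed for the example.
LAN_NET="192.168.1.0/25"      # LAN behind eth1; also the only subnet allowed ssh
HOST_IP="192.168.1.1"         # this machine's address on eth1
BLOCKED_NET="10.0.0.0/24"     # range dropped outright (constructed)

# Print the complete filter and nat tables to stdout.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_FLOOD - [0:0]
# Loopback and established flows first, so later rules only see new traffic.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Blocked range precedes every ACCEPT so no later allow rule can admit it.
-A INPUT -s ${BLOCKED_NET} -j DROP
# New TCP connections pass through SYN_FLOOD: within 5/s they RETURN to INPUT,
# anything over the limit is dropped here instead of falling through.
-A INPUT -p tcp --syn -j SYN_FLOOD
-A SYN_FLOOD -m limit --limit 5/s --limit-burst 10 -j RETURN
-A SYN_FLOOD -j DROP
# ssh only from the LAN and only to this host's own address.
-A INPUT -i eth1 -p tcp -s ${LAN_NET} -d ${HOST_IP} --dport 22 -m state --state NEW -j ACCEPT
# Router role: LAN may open connections out via eth0; only replies come back in.
-A FORWARD -i eth1 -o eth0 -s ${LAN_NET} -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Outbound NAT: LAN sources leaving eth0 are rewritten to eth0's own address.
-A POSTROUTING -s ${LAN_NET} -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Write the ruleset to a file and return the number of -A rule lines it holds,
# a quick sanity check before copying it over /etc/sysconfig/iptables.
write_ruleset() {
    gen_ruleset > "$1"
    grep -c '^-A' "$1"
}
```

After review, the file is loaded as root with `iptables-restore < file`; the rule count returned by write_ruleset should match what `iptables -S` shows afterwards.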
There are many blogs available online about iptables rules. The following is one of the references:
– http://www.linuxhowtos.org/Security/iptables.htm