Iptables: Creating just the required rules from scratch

firewall

It is a challenging task to create the perfect iptables rules allowing only the required traffic.

*** VERY IMPORTANT* ** 

Before making any changes in the iptables ensure that you have console access to the host so that you will not get locked out.

In this exercise we are going to use a CentOS 7 system. Since firewalld is the firewall that comes by default, it will be good to uninstall firewalld to avoid any confusion. The focus of this tutorial will be to guide how to view logs and make adjustments in firewall accordingly.

[root@host1 ~]# yum remove firewalld -y

Now install iptables:
[root@host1 ~]# yum install iptables iptables-services -y

Start IPTABLES service in the server host
[root@host1 ~]# systemctl start iptables

List all entries in an Iptables
[root@host1 ~]# iptables -L

Flush all iptables rules
[root@host1 ~]# iptables -F

====== ===== =====

Now let us start the actual lab

Resetting all chains to DROP all traffic:

  • iptables -P OUTPUT DROP
  • iptables -P INPUT DROP
  • iptables -P FORWARD DROP

Enable logging:

  • iptables -N LOGGING
  • iptables -A INPUT -j LOGGING
  • iptables -A OUTPUT -j LOGGING
  • iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix “IPTables-Dropped: ” --log-level 4
  • iptables -A LOGGING -j DROP

Save all entries:

  • service iptables save
  • You may get blocked from SSH since there are no rules allowing SSH connections now. You will require console access now

Explanation:

  1. iptables -N LOGGING: This creates a new chain called LOGGING
  2. iptables -A <INPUT,OUTPUT> -j LOGGING: All the remaining incoming packets will jump to the LOGGING chain
  3. line No 4: This will write packets dropped to the default syslog, which is /var/log/messages
  4. iptables -A LOGGING -j DROP: Drop all the packets that came to the LOGGING chain

The logs:

The above commands will enable logging, and traffic blocked by iptables will be logged in /var/log/messages with lines starting with IPTables-Dropped.

Example:
Apr 18 07:35:02 host1 kernel: IPTables-Dropped:IN=ens33 OUT= MAC=00:0c:29:6f:51:93:00:26:82:93:e9:4e:08:00 SRC=192.168.1.7 DST=192.168.1.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=32353 DF PROTO=TCP SPT=53352 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

Adding rules:

Let us add rules to allow SSH to the host.

Let us check the present rules and the sequence numbers associated with them:

[root@host1 ~]# iptables -L --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 LOGGING all — anywhere anywhere

Chain FORWARD (policy DROP)
num target prot opt source destination

Chain OUTPUT (policy DROP)
num target prot opt source destination
1 LOGGING all — anywhere anywhere

Chain LOGGING (2 references)
num target prot opt source destination
1 LOG all — anywhere anywhere limit: avg 2/min burst 5 LOG level warning prefix “IPTables-Dropped:”

=======

We need to insert rules so that they get added before the logging entries.

[root@host1 ~]#iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
[root@host1 ~]#iptables -I OUTPUT 1 -p tcp --sport 22 -j ACCEPT

[root@host1 ~]# service iptables save

Be the first to comment on "Iptables: Creating just the required rules from scratch"

Leave a comment