Just somewhere to keep my notes while I'm playing.

Friday, June 28, 2013

iptables - the Linux firewall

I needed to test how a package would behave if a certain server was not available. I decided that the easiest way to do this was to use a firewall. As I haven't done much with firewalls previously, I thought I should write it up.

To see what you have configured, use:
[root@ebl-oel57vm1 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  144.20.15.203        0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@ebl-oel57vm1 ~]#

[root@ebl-oel57vm1 ~]# iptables -A INPUT -s 138.1.187.71 -j DROP
[root@ebl-oel57vm1 ~]# ping 138.1.187.71 | head -3
^C
[root@ebl-oel57vm1 ~]#
This tells me that I have 3 different "chains" configured (a chain is an ordered list of rules), but only the INPUT chain has anything in it. It tells me that I will not accept requests from 144.20.15.203.

This wasn't exactly what I wanted: I wanted to stop my server contacting this IP address, so I needed to do the following:

[root@ebl-oel57vm1 ~]# ## Revert back to the start
[root@ebl-oel57vm1 ~]# iptables -F INPUT
[root@ebl-oel57vm1 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@ebl-oel57vm1 ~]# ## Define an outbound firewall rule
[root@ebl-oel57vm1 ~]# iptables -A OUTPUT -d 138.1.187.71  -j REJECT
[root@ebl-oel57vm1 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            138.1.187.71        reject-with icmp-port-unreachable
[root@ebl-oel57vm1 ~]#

[root@ebl-oel57vm1 ~]# ping 138.1.187.71 | head -3
PING 138.1.187.71 (138.1.187.71) 56(84) bytes of data.
From 10.79.243.156 icmp_seq=1 Destination Port Unreachable
From 10.79.243.156 icmp_seq=1 Destination Port Unreachable
[root@ebl-oel57vm1 ~]#
Notice how when I blocked the IP address on the inbound side my requests out didn't receive a reply, whilst when I blocked on the outbound side I got the message that the port was unreachable. The difference comes from the target used: DROP discards the packet silently, so the sender just times out, while REJECT sends back an ICMP error (icmp-port-unreachable by default, as the listing above shows).

Pings
To stop your server responding to a ping:
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
To stop your server from pinging another server:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

Editing IPTables
iptables-save > myfile
edit myfile
iptables-restore < myfile
rm myfile
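The save/edit/restore workflow above is usually done by hand, but the same check can be scripted against the saved file. The following is an added example (not from the original post) that works on a constructed iptables-save dump modelled on the rules shown here: it reports which target (DROP or REJECT) a chain applies to a given address, and strips the rules for an address from the dump as a non-interactive version of the "edit myfile" step. The dump contents, the function names and the /tmp path are assumptions for the example.

```shell
#!/bin/sh
# Constructed iptables-save dump modelled on the post's rules (sample data, not
# taken from a real host): an inbound DROP, an inbound ICMP echo-request DROP,
# and the outbound REJECT of 138.1.187.71 that produced the ICMP replies above.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 144.20.15.203/32 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A OUTPUT -d 138.1.187.71/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# block_target CHAIN IP: print the target (DROP, REJECT, ...) of the first rule
# in CHAIN matching IP as source (INPUT) or destination (OUTPUT), else "none".
# iptables-save writes a bare address as a /32, so both spellings are accepted.
block_target() {
    case $1 in INPUT) flag=-s ;; OUTPUT) flag=-d ;; *) flag= ;; esac
    found=$(printf '%s\n' "$SAMPLE_DUMP" | awk -v chain="$1" -v flag="$flag" -v ip="$2" '
        $1 == "-A" && $2 == chain {
            for (i = 3; i < NF; i++)
                if ($i == flag && ($(i+1) == ip || $(i+1) == ip "/32"))
                    for (j = i; j < NF; j++) if ($j == "-j") { print $(j+1); exit }
        }')
    echo "${found:-none}"
}

# strip_ip_rules IP: emit the dump with every rule that names IP removed. This is
# the scripted form of the "edit myfile" step; the table header, chain policies
# and COMMIT line are kept intact so iptables-restore will still accept the file.
strip_ip_rules() {
    printf '%s\n' "$SAMPLE_DUMP" | awk -v ip="$1" '
        { keep = 1
          for (i = 1; i < NF; i++)
              if (($i == "-s" || $i == "-d") && ($(i+1) == ip || $(i+1) == ip "/32")) keep = 0
          if (keep) print }'
}

# Demonstration. On a real host, run "iptables-restore --test < myfile" on the
# edited file before "iptables-restore < myfile" so a typo cannot wipe the ruleset.
echo "INPUT  144.20.15.203 -> $(block_target INPUT 144.20.15.203)"   # DROP: silent, ping times out
echo "OUTPUT 138.1.187.71  -> $(block_target OUTPUT 138.1.187.71)"   # REJECT: ICMP error comes back
echo "OUTPUT 144.20.15.203 -> $(block_target OUTPUT 144.20.15.203)"  # none
strip_ip_rules 138.1.187.71 > /tmp/myfile.$$ && cat /tmp/myfile.$$ && rm -f /tmp/myfile.$$
```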