1. What are IP tables or firewalls?
iptables is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list that matches it. If it doesn't find one, it falls back to the chain's default policy. iptables almost always comes pre-installed on any Linux distribution.
We can update or reinstall the iptables package with the command:
# yum install iptables* -y
2. What are the types of firewalls?
There are four types of firewalls.
(i) Packet firewalls:
It works at the Physical, Data Link and Network layers.
It works fast and efficiently.
It treats each packet in isolation.
(ii) Stateful firewalls:
It identifies a packet's connection state.
It maintains the packet history in state tables.
(iii) Application layer firewalls:
It inspects and filters packets at the OSI layers up to the Application layer.
It identifies whether protocols are being misused.
(iv) Proxy firewalls:
It acts as an intermediary.
It operates at the Application layer.
It does not allow direct connections.
3. What are the tables maintained by IP tables?
Normally iptables maintains 3 tables (these are the INPUT, OUTPUT and FORWARD chains of the default filter table).
(i) INPUT table:
This chain handles all packets that are addressed to your server and controls the behaviour for incoming connections. For example, if a user attempts to SSH into your PC/server, iptables will attempt to match the IP address and port to a rule in the INPUT chain.
(ii) OUTPUT table:
This chain contains the rules for traffic created by your server, i.e. outgoing connections. For example, if you try to ping google.com, iptables will check its OUTPUT chain to see what the rules are regarding ping and google.com before deciding to allow or deny the connection attempt.
(iii) FORWARD table:
This chain is used for incoming connections that aren't actually being delivered locally. Think of a router: data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target. Unless you're doing some kind of routing, NATing, or something else on your system that requires forwarding, you won't even use this chain. It deals with traffic destined for other servers, i.e. connections that were not created on your server, and is basically a way to configure your server to route requests to other machines.
4. What are the meanings of REJECT, DROP and ACCEPT?
REJECT:
The server receives the FTP request from the specified IP address, rejects that request and also sends an acknowledgement (an error reply) back to the sender.
DROP:
The server receives the FTP request from the specified IP address and drops the request without sending any acknowledgement.
ACCEPT:
The server receives the FTP request from the specified IP address and allows that system to use the FTP service.
5. What is the configuration file of IP tables and what are the options available in the IP tables command?
/etc/sysconfig/iptables is the configuration file of iptables.
# iptables <firewall-rule> (to execute an iptables rule)
The options are as follows.
-A -----> Add or append the rule to a chain.
-p -----> Indicates the protocol for that rule (tcp, udp, icmp, etc.).
-s -----> Indicates the source of the packet (IP address, network ID or hostname).
-d -----> Indicates the destination of the packet.
-j -----> 'Jump to target': the action taken when the packet matches the rule (ACCEPT, DROP or REJECT).
-i -----> 'Input interface': the interface through which the incoming packets arrive; valid in the INPUT, FORWARD and PREROUTING chains.
-o -----> 'Output interface': the interface through which the outgoing packets are sent; valid in the FORWARD, OUTPUT and POSTROUTING chains.
--sport or --source-port -----> Source port for -p tcp or -p udp.
--dport or --destination-port -----> Destination port for -p tcp or -p udp.
6. How to allow a ping from outside to inside and from inside to outside?
Outside to inside (the request comes in, the reply goes out):
# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
Inside to outside (the request goes out, the reply comes in):
# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
7. In how many ways can we protect the network?
There are 4 ways to protect the network.
(i) SELinux
(ii) IP tables
(iii) Firewalld
(iv) TCP wrappers
iptables and firewalld are both used to protect our system's services from outside, but we can use only one of them at a time.
8. How to configure firewalld?
(i) Install the firewalld package with the command:
# yum install firewalld* -y
(ii) Check whether the firewalld package is installed or not with the command:
# rpm -qa firewalld
(iii) Check the status of firewalld by executing one of the commands below.
# systemctl status firewalld
# firewall-cmd --state
Examples of IP tables commands:
# service iptables status (to check the iptables status)
# service iptables start (to start iptables)
# service iptables stop (to stop iptables)
# service iptables restart (to restart iptables)
# service iptables save (to save the iptables rules permanently)
# chkconfig iptables on (to enable iptables at next boot)
# chkconfig iptables off (to disable iptables at next boot)
# iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT (to add a rule to the existing iptables rules to allow ssh)
where
-A ---> Add or append a rule to the INPUT chain for incoming traffic.
-i eth0 ---> Incoming packets through the interface eth0 will be verified against this newly added rule.
-p tcp --dport 22 ---> the protocol is tcp and the destination port is 22.
-j ACCEPT ---> Accept the packet.
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT (to allow http traffic)
# iptables -A INPUT -s 9.9.9.9 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT (to allow https traffic from 9.9.9.9)
# iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT and
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
(to allow ssh input and output on port number 22 through the device eth0; -o is only valid in the OUTPUT, FORWARD and POSTROUTING chains, so the reply rule goes in OUTPUT)
# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT (to allow SNMP traffic through port number 161)
# iptables -P INPUT DROP (to block the input traffic)
# iptables -P FORWARD DROP (to block the forward traffic)
# iptables -P OUTPUT DROP (to block the output traffic)
(where P is a capital letter; -P sets the default policy of the chain, which applies to every packet that matches no rule)
# iptables -A INPUT -s 9.9.9.9 -j DROP (to block the input traffic from 9.9.9.9)
# iptables -L (to list the iptables rules)
# iptables -F (to flush the iptables rules, i.e. delete all the rules)
* Don't run this command on production servers or in a real-time environment.
# iptables-save > /root/iptables (to save all the existing iptables rules as a backup copy in the file /root/iptables)
# iptables -F (to delete all iptables rules)
# iptables-restore < /root/iptables (to restore the iptables rules from the backup file)
# iptables -I INPUT -s <ip-address> -p tcp --dport 21 -j <REJECT|DROP|ACCEPT>
(to REJECT, DROP or ACCEPT the FTP requests from the specified IP address; <ip-address> and the target are placeholders to fill in. -I inserts the rule at the top of the chain, so it is evaluated before the rules appended with -A.)
# iptables -I INPUT -s <network>/<prefix> -p tcp --dport 21 -j <REJECT|DROP|ACCEPT>
(to REJECT, DROP or ACCEPT the FTP requests from all the systems in that network)
# iptables -I INPUT -s <network>/<prefix> -p tcp -j <REJECT|DROP|ACCEPT>
(to REJECT, DROP or ACCEPT all the tcp requests from the specified system or from all the systems in that network)
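To make the ordering behind these commands concrete, here is a small model of how iptables walks a chain (first matching rule decides, the -P policy applies when nothing matches, -A appends while -I inserts at the top). It is an added example written for this page, not iptables code; it parses only the subset of options used in the commands above (-s, -p, --dport, -m state --state, -j) and takes a packet as a constructed dict.

```python
import ipaddress

class Rule:
    # One rule: the -s / -p / --dport / --state matches plus the -j target.
    def __init__(self, spec):
        self.src = self.proto = self.dport = self.target = None
        self.states = set()
        toks = spec.split()
        for opt, val in zip(toks[::2], toks[1::2]):   # options come in pairs
            if opt == "-s":
                self.src = ipaddress.ip_network(val, strict=False)
            elif opt == "-p":
                self.proto = val
            elif opt == "--dport":
                self.dport = int(val)
            elif opt == "--state":
                self.states = set(val.split(","))
            elif opt == "-j":
                self.target = val
            # "-m state" / "-m tcp" only load match modules: nothing to record

    def matches(self, pkt):
        if self.src and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return not self.states or pkt["state"] in self.states

class Chain:
    # A chain: default policy (iptables -P) plus an ordered rule list.
    def __init__(self, policy="ACCEPT"):
        self.policy, self.rules = policy, []
    def append(self, spec):            # iptables -A: rule goes to the end
        self.rules.append(Rule(spec))
    def insert(self, spec):            # iptables -I: rule goes to the top
        self.rules.insert(0, Rule(spec))
    def verdict(self, pkt):
        for rule in self.rules:        # first matching rule decides
            if rule.matches(pkt):
                return rule.target
        return self.policy             # nothing matched: default policy applies

def build_input_chain():
    # The page's INPUT rules, appended in order, under "iptables -P INPUT DROP".
    inp = Chain(policy="DROP")
    inp.append("-p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT")
    inp.append("-s 9.9.9.9 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT")
    inp.append("-m state --state ESTABLISHED,RELATED -j ACCEPT")
    return inp
```

With the DROP policy, a new connection to port 443 from any host other than 9.9.9.9 is dropped, and inserting "-s 9.9.9.9 -j DROP" with -I overrides the appended ACCEPT for that host because it is evaluated first.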
# watch -d -n 5 free (to repeat the free command every 5 seconds)
* The default is every 2 seconds. The -d option highlights the changes. Press Ctrl+c to quit the above command.
# ping -a 192.168.10.1 (to ping the IP address with an audible ping, i.e. it makes a noise on each reply)
# shred -n 5 trail.txt (to overwrite the trail.txt file five times; the default is 3 times)
# shred -n 5 -u trail.txt (to remove the file after overwriting it)
* The shred tool may not work on journaling or RAID file systems.
# file <filename> (to find out what type of file it is)
# mtr <host> (to check the connection between the source and the destination)
* The above command gives the report continuously until the user presses Ctrl+c.
# htop (an improved top command; it allows scrolling vertically and horizontally)
# logsave filelist.txt ls -l (to capture the output of any command and store it in a file along with the start and end time of the command)
# look "printf" avltree.c (to display all the lines in a file that start with a particular string; it performs faster than grep for this task)
# stat <file> (to display the status of a file or file system: the absolute path of the file, the number of blocks used by the file, the I/O block size, the inode, the access permissions, the access time, the modification time, etc.)
# mc (a powerful text-based file manager and directory browsing tool; it also allows you to see the contents of archived files, etc.)
* In RHEL 6 we have to write the rules to allow or deny systems, but in RHEL 7 we only have to enable or disable the firewalld options.
# firewall-config (to manage the firewalld services using the graphical user interface)
# firewall-cmd --get-zones (to display all available zones)
# firewall-cmd --get-default-zone (to check the default zone; the default zone is the public zone)
# firewall-cmd --set-default-zone=work (to activate the work zone, i.e. change the default zone temporarily)
# firewall-cmd --permanent --set-default-zone=work (to set the default zone to work permanently)
# firewall-cmd --get-active-zones (to display which zones are active, along with their source IP addresses and interfaces such as eth0)
# firewall-cmd --add-source=172.25.0.0/24 --zone=public (to add the source network to the public zone temporarily)
# firewall-cmd --get-active-zones (to see the zones which are currently active)
# firewall-cmd --permanent --add-source=172.25.0.0/24 --zone=public (to add the IP range to the public zone permanently)
# firewall-cmd --remove-source=172.25.0.0/24 --zone=public (to remove the IP range from the public zone temporarily)
# firewall-cmd --permanent --remove-source=172.25.0.0/24 --zone=public (to remove the IP range from the public zone permanently)
# firewall-cmd --add-interface=eth1 --zone=public (to change the interface or add the interface to the public zone temporarily)
# firewall-cmd --permanent --add-interface=eth1 --zone=public (to change the interface or add the interface to the public zone permanently)
# firewall-cmd --get-active-zones (to see the active zones)
* All the rules we have written are temporary. If the system is rebooted then all changed values revert back to their previous state.
* To make the changed values permanent, add --permanent to all the firewall-cmd commands.
# firewall-cmd --reload (to reload the permanent configuration so that the changed rules apply immediately)
# firewall-cmd --permanent --add-service=ssh (to add the ssh service to the firewall permanently; the firewalld service is named ssh, not sshd)
# firewall-cmd --list-services (to list all the services added to the firewall)
# firewall-cmd --list-all (to list all the services added to the firewall, with detailed information)
# firewall-cmd --permanent --remove-service=ssh (to remove the ssh service from the firewall permanently)
# firewall-cmd --permanent --add-port=22/tcp (to add port number 22 with the tcp protocol to the firewall permanently)
# firewall-cmd --permanent --remove-port=22/tcp (to remove port number 22 permanently)
# firewall-cmd --complete-reload (first unloads all the firewall settings and then reloads them completely)
TCP WRAPPERS:
* Firewalld will protect all the services.
* TCP wrappers will also protect services, but only a limited set of them: it can protect only those services that have the libwrap.so module loaded.
* So, TCP wrappers cannot protect any service unless the libwrap.so module is loaded for it.
# ldd <binary> (to display all the shared libraries (modules) loaded for the specified service)
# ldd /usr/sbin/sshd (to display all the loaded modules of the sshd service)
# ldd /usr/sbin/sshd | grep -i libwrap.so (to check whether the libwrap.so module is loaded or not)
To configure TCP wrappers:
(i) Open the /etc/hosts.deny or /etc/hosts.allow file with # vim /etc/hosts.deny or # vim /etc/hosts.allow.
* The above files are edited or modified to enable or disable the TCP-wrapped services for particular clients.
# vim /etc/hosts.deny (go to the last line and type as below)
sshd : 172.25.9.11 (to deny the specified host by IP address)
sshd : system9.example.com (to deny the specified host by hostname)
sshd : ALL (to deny all the clients)
sshd : ALL EXCEPT .example.com (to deny all the clients except the systems of the example.com domain; a leading dot matches every host in that domain)
(ii) Save and exit this file.
(iii) Open /etc/hosts.allow with # vim /etc/hosts.allow, go to the last line and type as below.
sshd : 172.25.9.11 172.25.6.11 (to allow 2 systems only)
(iv) Save and exit this file.
* If the client system's entry is present in both /etc/hosts.deny and /etc/hosts.allow, then TCP wrappers will look at the /etc/hosts.allow file first and only then at the /etc/hosts.deny file. If there is an entry in both files, it will allow the system because, based on the above order, it reads /etc/hosts.allow first, allows the system and never reads the /etc/hosts.deny file. A client listed in neither file is allowed, so a deny-by-default setup needs an explicit "ALL" entry in /etc/hosts.deny.
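The decision order just described (hosts.allow first, then hosts.deny, otherwise allow), modelled as an added example that is not part of the original post or of tcp_wrappers itself. The file contents are constructed from the entries above, and the matcher covers only the pattern forms used on this page (ALL, an IP address, a network/prefix, a full hostname, a .domain suffix and "ALL EXCEPT ...").

```python
import ipaddress

# Constructed hosts.allow / hosts.deny contents taken from the entries above.
HOSTS_ALLOW = ["sshd : 172.25.9.11 172.25.6.11"]
HOSTS_DENY = ["sshd : ALL EXCEPT .example.com"]

def _pattern_matches(pattern, client_ip, client_host):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # .example.com: every host in that domain
        return client_host.endswith(pattern)
    if pattern[0].isdigit():               # an address or a network/prefix
        if "/" in pattern:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        return client_ip == pattern
    return client_host == pattern          # a full hostname

def _list_matches(client_list, client_ip, client_host):
    # "list_1 EXCEPT list_2" matches when list_1 matches and list_2 does not.
    if " EXCEPT " in client_list:
        left, right = client_list.split(" EXCEPT ", 1)
        return (_list_matches(left, client_ip, client_host)
                and not _list_matches(right, client_ip, client_host))
    return any(_pattern_matches(p, client_ip, client_host)
               for p in client_list.replace(",", " ").split())

def _file_matches(lines, daemon, client_ip, client_host):
    for line in lines:
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line or ":" not in line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        if daemons == "ALL" or daemon in daemons.replace(",", " ").split():
            if _list_matches(clients, client_ip, client_host):
                return True
    return False

def access_allowed(daemon, client_ip, client_host="", allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Decision order of tcp_wrappers: hosts.allow first, then hosts.deny, else allow."""
    if _file_matches(allow, daemon, client_ip, client_host):
        return True      # matched in hosts.allow: hosts.deny is never consulted
    if _file_matches(deny, daemon, client_ip, client_host):
        return False
    return True          # listed in neither file: access is granted
```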