Writing rules for firewall is became nightmare( but it’s good) for me when I am setting up server for my application. After bagging my head two days I found how to program a firewall and how it works. Here is the stuff for you.
First of all before diving into actual content I hope that everyone knows what is firewall and why we use it. It is recommended to know prior to read this post if you don’t know.
Netfilter is a host based firewall for linux systems. It controls by a program called IPtables and it is activated by default. It works at kernel level, before a program can even process the data from the network packet.
Iptables are located at /etc/sysconfig/iptables.
How to Turn on Firewall:
chkconfig iptables on service iptables start # restart the firewall service iptables restart # stop the firewall service iptables stop
Understanding Firewall :
There are total 4 chains:
INPUT – The default chain is used for packets addressed to the system. Use this to open or close incoming ports (such as 80,25, and 110 etc) and ip addresses / subnet (such as 220.127.116.11/29).
OUTPUT – The default chain is used when packets are generating from the system. Use this open or close outgoing ports and ip addresses / subnets.
FORWARD – The default chains is used when packets send through another interface. Usually used when you setup Linux as router. For example, eth0 connected to ADSL/Cable modem and eth1 is connected to local LAN. Use FORWARD chain to send and receive traffic from LAN to the Internet.
RH-Firewall-1-INPUT – This is a user-defined custom chain. It is used by the INPUT, OUTPUT and FORWARD chains.
How rules works :
Each packet starts at the first rule in the chain .
A packet proceeds until it matches a rule.
If a match found, then control will jump to the specified target (such as REJECT, ACCEPT, DROP).
The target ACCEPT means allow packet.
The target REJECT means to drop the packet and send an error message to remote host.
The target DROP means drop the packet and do not send an error message to remote host or sending host.
When you open firewall you will find something like below:
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 18.104.22.168 -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT
If you want to drop all traffic, update the rules like below and restart the firewall. If you write firewall rules correctly the firewall will restart successfully otherwise it won’t.
:INPUT DROP [0:0] :FORWARD DROP [0:0]
Here is some rules to open ports . Add below rules before commit line.
To open HTTP port
A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
To open HTTPS port
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
To open SMTP port :
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT
To open FTP port:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 21 -j ACCEPT
Explanation for above rules:
-A = To append a rule for firewall
RH-Firewall-1-INPUT = one of the chains in filter Iptable
-p = To specify the protocol
–dport = To specify destination port
-j = Jump if rule matches with the IPpacket
ACCEPT = It allows the packet through the firewall.
For detail explanation check man pages of IPtables in any linux distribution. Last but not least checkout http://ping.eu this website to check whether port has been opened or not.
I hope you enjoy this post. Any queries or suggestions would be welcome.