Topic: IPTABLES / FIREWALL / NAT

In this section we will be covering some basic and semi-advanced IPTABLES configurations. Editing /etc/sysconfig/iptables by hand is not the approach recommended by Netfilter.org or Red Hat. You should be warned that a simple typo or incorrect rule ordering can leave your computer(s) wide open to the rest of the world: iptables evaluates each chain top to bottom and the first matching ACCEPT or DROP is final, so a DROP placed after a broad ACCEPT never fires, and a file that fails to load leaves the default ACCEPT policies in place. Xinn.org offers no warranties, explicit or implied, and takes no responsibility for any misconfigurations. To the best of our knowledge these files are accurate and should work for most setups; they are offered as is, use caution.



NAT'ing using IPTABLES

STEP 1: Configure your Linux box to be a firewall for other PCs as well as itself.


# /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
# Comments are kept on their own lines: iptables-restore skips a line that
# starts with #, but a comment at the end of a rule line is handed to the
# rule parser and makes the whole file fail to load.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# eth1 is the public/Internet-facing NIC. All other NICs trying to reach the
# Internet will NAT out of that NIC; in our example eth0 is the only other NIC
# in this PC and is the connection to the firewall for the other PCs.
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
# Replies to connections this box or the LAN started
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# The only new connection accepted from the Internet: SSH to this box
-A RH-Firewall-1-INPUT -i eth1 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Everything else arriving on the public NIC is silently dropped
-A RH-Firewall-1-INPUT -i eth1 -j DROP
# The LAN side and loopback are trusted
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
COMMIT

STEP 2: Turning on IP forwarding

Now that the firewall and routing/NAT'ing are configured, we need to enable IP forwarding in the kernel; until it is on, the box will not route packets between eth0 and eth1 at all, whatever the iptables rules say.

Edit /etc/sysctl.conf and change the following FROM A ZERO TO A ONE:

net.ipv4.ip_forward = 0     <--- Change to 1 and then save the file

Now restart the network service (the Red Hat network init script applies /etc/sysctl.conf when it starts) and then the iptables service:

service network restart
service iptables restart

To confirm the setting took effect, cat /proc/sys/net/ipv4/ip_forward should print 1; sysctl -p applies the file immediately if you would rather not restart networking.

If all goes well you should not have any reported failures. A failure from the iptables service means iptables-restore rejected a line of the file; read the error rather than assuming you are protected, because a rule set that did not load leaves the default ACCEPT policies in place. That's all there is to it. This is a very basic firewall: it allows SSH connections to be made to the outside interface, and allows all traffic from the inside (eth0) to the outside if that is the destination. All other new traffic to eth1 is dropped, meaning no response is sent, the packets are simply ignored. Two things to keep in mind: rules are evaluated top to bottom and the first matching ACCEPT or DROP is final, so anything you add to RH-Firewall-1-INPUT after the "-i eth0 -j ACCEPT" line will never see LAN traffic; and because INPUT and FORWARD keep a default policy of ACCEPT, a packet arriving on an interface the chain does not name (a ppp0 or VPN interface added later, for instance) falls off the end of the chain and is accepted, so either add every interface to the chain or change those policies to DROP. Below is a recommended firewall setup if you have Windows machines behind this firewall.



Recommended Firewall with Windows users behind it

This firewall is meant to contain the spread of the worms and viruses that infect many Windows machines, using what are known as egress filters: rules on traffic leaving your network, not just entering it. In the configuration below we block spoofed packets from the Internet to the inside (an ingress filter: packets arriving on the public NIC with a private source address), and we block our PCs from reaching the outside should they become infected with a virus that 1) has its own SMTP engine, 2) scans for other PCs on the Internet to infect via SMB, or 3) contacts public TFTP servers to download further payload. Those are three of the latest trends in recent viruses: self-contained SMTP engines, SMB scanning, and using TFTP to fetch the rest of the payload. These rules are by no means complete; you should block everything you can, not only incoming, but outgoing if possible.

NOTE: We are blocking SMB to the public Internet. If someone has a Windows file share publicly accessible from the Internet, users behind this firewall will no longer be able to reach that share; the same goes for public TFTP servers. If you have SMTP servers on your private LAN, you will need to make an exception for them, and they should really be statically NAT'd; MASQUERADE in this example is not configured to do any static NAT, so chances are your SMTP servers don't receive much mail in this configuration, though they could send if an exception rule were made. Also note that the anti-spoofing rules assume eth1 carries a public address: if eth1 itself sits behind a home router on a 192.168.x.x or 10.x.x.x network, the matching rule will drop your own gateway's traffic and has to be removed.

						
# /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
# Comments are kept on their own lines; iptables-restore does not strip a
# comment from the end of a rule line.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# eth1 is the public/Internet-facing NIC. All other NICs trying to reach the
# Internet will NAT out of that NIC; in our example eth0 is the only other NIC
# in this PC and is the connection to the firewall for the other PCs.
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# Egress filters for the LAN. These MUST come before the jump to
# RH-Firewall-1-INPUT: that chain accepts everything from eth0, so a DROP
# appended to FORWARD after the jump would never be reached.
# Drop packets with a destination of port 25, our PCs are not SMTP servers.
# (--dport needs a real protocol; "-p all --dport 25" is rejected by iptables,
# and SMTP runs over TCP.)
-A FORWARD -i eth0 -p tcp --dport 25 -j DROP
# Drop packets for TFTP
-A FORWARD -i eth0 -p udp --dport 69 -j DROP
# Drop packets that try to spread via SMB / MS-RPC
# (multiport writes a port range with a colon, 137:139, not a dash)
-A FORWARD -i eth0 -p tcp -m multiport --dports 135,137:139,445,593 -j DROP
-A FORWARD -i eth0 -p udp -m multiport --dports 135,137:139,445,593 -j DROP
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
# Drop spoofed packets first: RFC 1918 and loopback sources should never be
# coming in on our public interface. They sit ahead of the ACCEPT rules so a
# spoofed source cannot ride in on the SSH exception or a conntrack entry.
-A RH-Firewall-1-INPUT -i eth1 -s 10.0.0.0/8 -j DROP
-A RH-Firewall-1-INPUT -i eth1 -s 172.16.0.0/12 -j DROP
-A RH-Firewall-1-INPUT -i eth1 -s 192.168.0.0/16 -j DROP
-A RH-Firewall-1-INPUT -i eth1 -s 127.0.0.0/8 -j DROP
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Everything else arriving on eth1 is dropped; this also catches any spoofed
# (incoming) packet the rules above did not list.
-A RH-Firewall-1-INPUT -i eth1 -j DROP
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
COMMIT