Originally Published: Wednesday, 13 June 2001 Author: David LeCount
Published to: enchance_articles_security/Advanced Security Articles Page: 1/3

Linux.com Security: Firewalls; IPtables and Rules

Linux.com contributor David LeCount recently got jiggy with IPtables and router rules. Check out this fine article if you want to take the first steps towards securing your Linux box on the network.

Blocking an IP Address   Page 1 of 3  >>

I'm sure many of you have been wondering how to use IPtables to set up a basic firewall. I was wondering the same thing for a long time until I recently figured it out. I'll try to explain the basics to at least get you started.

First you need to know how the firewall treats packets leaving, entering, or passing through your computer. Basically there is a chain for each of these paths. Any packet entering your computer goes through the INPUT chain. Any packet that your computer sends out to the network goes through the OUTPUT chain. Any packet that your computer picks up on one network and sends to another goes through the FORWARD chain. The chains are half of the logic behind IPtables themselves.

The way that IPtables work is that you set up certain rules in each of these chains that control what happens to packets of data that pass through them. For instance, if your computer were to send out a packet to www.yahoo.com in order to request an HTML page, the packet would first pass through the OUTPUT chain. The kernel would look through the rules in the chain and see if any of them match. The first one that matches will decide the outcome of that packet. If none of the rules match, then the policy of the whole chain will be the final decision maker. Then whatever reply Yahoo! sends back will pass through the INPUT chain. It's no more complicated than that.

Blocking an IP Address

Now that we have the basics out of the way, we can start working on putting all this to practical use. There are a lot of different letters to memorize when using IPtables and you'll probably have to peek at the man page often to remind yourself of a certain one. Now let's start with manipulation of certain IP addresses. Suppose you wanted to block all packets coming from 200.200.200.1. First of all, -s is used to specify a source IP or DNS name. So from that, to refer to traffic coming from this address, we'd use this: iptables -s 200.200.200.1.

But that doesn't tell the kernel what to do with the packets. The -j option is used to specify what happens to the packet. The most common three options are ACCEPT, DENY, and DROP. Now you can probably figure out what ACCEPT does and it's not what we want. DENY sends a message back that this computer isn't accepting connections. DROP just totally ignores the packet. If we're really suspicious about this certain IP address, we'd probably prefer DROP over DENY. So here is the command with the result: iptables -s 200.200.200.1 -j DROP

But the computer still won't understand this. There's one more thing we need to add and that's to specify what chain it goes on. You use the -A option for this. It just appends the rule to the end of whichever chain you specify. Since we want to keep the computer from talking to us, we'd put it on INPUT. So here's the entire command:

iptables -A INPUT -s 200.200.200.1 -j DROP

This single command would instruct the machine to ignore everything coming from 200.200.200.1 (with exceptions, but we'll get into that later). The order of the options doesn't matter; the -j DROP could go before -s 200.200.200.1. I just like to put the outcome part at the end of the command. Ok, we're now capable of ignoring a certain computer on a network. If you wanted to keep your computer from talking to it, you'd simply change INPUT to OUTPUT and change the -s to -d for destination. Now that's not too hard, is it?
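Because -A appends to the end of the chain and the first matching rule decides, the DROP rule above only takes effect if no earlier INPUT rule matches the packet first. The script below is an added example, not part of the original article: it replays the first-match-then-policy logic over rules written in the format that iptables -S prints. The function name, the two sample rule sets and the reduced matching (only -s and -j are interpreted) are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the article): report which rule decides a packet's fate.
# Reads a chain in `iptables -S <chain>` format on stdin and applies the
# first-match logic described above, falling back to the chain policy.
# Assumptions: only -s and -j are interpreted, a rule without -s matches every
# packet, and sources are compared as single hosts (a /32 suffix is stripped).

first_match_verdict() (          # body runs in a subshell: no variables leak
    src=$1 policy=UNKNOWN
    set -f                       # no filename expansion while word-splitting
    while read -r line; do
        set -- $line             # split the rule into words
        case "$1" in
            -P) policy=$3; continue ;;   # "-P INPUT ACCEPT": chain policy
            -A) ;;                       # "-A INPUT ...": an appended rule
            *)  continue ;;
        esac
        [ $# -ge 2 ] || continue
        shift 2                  # drop "-A <chain>"
        rule_src="" target=""
        while [ $# -gt 0 ]; do
            case "$1" in
                -s) rule_src=${2%/32} ;;
                -j) target=$2 ;;
            esac
            shift
        done
        [ -n "$target" ] || continue
        if [ -z "$rule_src" ] || [ "$rule_src" = "$src" ]; then
            echo "$target"       # first matching rule decides
            exit 0
        fi
    done
    echo "$policy"               # no rule matched: the policy decides
)

# Constructed sample: the DROP rule is the only rule, policy is ACCEPT.
EFFECTIVE='-P INPUT ACCEPT
-A INPUT -s 200.200.200.1/32 -j DROP'

# Constructed sample: an earlier catch-all ACCEPT shadows the appended DROP.
SHADOWED='-P INPUT DROP
-A INPUT -j ACCEPT
-A INPUT -s 200.200.200.1/32 -j DROP'

printf '%s\n' "$EFFECTIVE" | first_match_verdict 200.200.200.1   # blocked host
printf '%s\n' "$EFFECTIVE" | first_match_verdict 10.0.0.5        # policy applies
printf '%s\n' "$SHADOWED"  | first_match_verdict 200.200.200.1   # shadowed rule
```

On a live system the same function can read the output of iptables -S INPUT (run as root) to check whether an appended block rule is actually reachable.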




