The LINUX.COM Article Archive
Originally Published: Wednesday, 13 June 2001 | Author: David LeCount
Published to: enchance_articles_security/Advanced Security Articles | Page: 3/3
Linux.com Security: Firewalls; IPtables and Rules
Linux.com contributor David LeCount recently got jiggy with IPtables and router rules. Check out this fine article if you want to take the first steps towards securing your Linux box on the network.
SYN Packets

Let's get a bit more advanced. We know that these packets use a certain protocol, and if that protocol is TCP, then it also uses a certain port. Now you might be compelled to just close all your ports to incoming traffic, but remember, after your computer talks to another computer, that computer must talk back. If you close all of your incoming ports, you'll essentially render your connection useless. And for most non-service programs, you can't predict which port they're going to be communicating on. But there's still a way. Whenever two computers are talking over a TCP connection, that connection must first be initialized. This is the job of a SYN packet. A SYN packet simply tells the other computer that it's ready to talk. Only the computer requesting the service sends a SYN packet. So if you block only incoming SYN packets, it stops other computers from opening services on your computer but doesn't stop you from communicating with them. It makes your computer ignore anything that it didn't speak to first. It's mean, but it gets the job done. The option for this is --syn, given after you've specified the TCP protocol. So to make a rule that would block all incoming connections on only the Internet interface:
That's a rule you'll likely be using unless you have a web service running. If you want to leave one port open, for example 80 (HTTP), there's a simple way to do this too. As with many programming languages, an exclamation mark means "not". For instance, if you wanted to block all SYN packets on all ports except 80, the command would look like this:
It's somewhat complicated, but it's not so hard to comprehend.

Chain Policy

There's one last thing I'd like to cover, and that's changing the policy for a chain. The chains INPUT and OUTPUT are usually set to ACCEPT by default and FORWARD is set to DENY. If you want to use this computer as a router, you would probably want to set the FORWARD policy to ACCEPT. How do we do this, you ask? It's really very simple: all you have to do is use the -P option. Just follow it with the chain name and the new policy and you have it made. To change the FORWARD chain to an ACCEPT policy, we'd do this:
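The three commands described in the SYN Packets and Chain Policy sections above, as an added example that is not part of the original article. It assumes eth0 is the Internet-facing interface and TCP port 80 is the one port to leave open; both are placeholders you would change for your own machine. The negation is written in the modern form `! --dport 80` (older iptables releases wrote `--dport ! 80` and current ones warn about that spelling), and the policy target is spelled DROP, which is what iptables calls what the article refers to as DENY (the ipchains name). The script only prints the commands unless it is run as root with APPLY=1, and after applying it lists the INPUT chain with rule numbers so you can confirm the DROP landed where you expected.

```sh
#!/bin/sh
# Added example: builds the iptables commands discussed above.
# Assumed placeholders: eth0 = Internet-facing interface, 80 = port to keep open.
# Nothing touches the kernel unless APPLY=1 and the script runs as root.

# Rule 1: drop every incoming TCP connection attempt on the given interface.
# --syn matches packets with SYN set and ACK/RST/FIN clear, i.e. only the
# first packet of a new connection; replies to connections this host opened
# (which carry ACK) are not matched, so outbound use keeps working.
syn_block_rule() {
    printf 'iptables -A INPUT -i %s -p tcp --syn -j DROP' "${1:-eth0}"
}

# Rule 2: same, but leave one TCP port reachable. "!" negates the --dport
# match, so this reads: drop incoming SYNs whose destination port is NOT $2.
syn_block_except_rule() {
    printf 'iptables -A INPUT -i %s -p tcp --syn ! --dport %s -j DROP' \
        "${1:-eth0}" "${2:-80}"
}

# Rule 3: set a chain's default policy with -P. iptables policies are
# ACCEPT or DROP (the article's DENY is the older ipchains name for DROP).
policy_rule() {
    printf 'iptables -P %s %s' "${1:-FORWARD}" "${2:-ACCEPT}"
}

# Emit the rule set for interface $1; if a port $2 is given, use the
# "everything except that port" form. Only one of the two SYN rules is
# emitted: iptables walks a chain top to bottom and stops at the first
# match, so a blanket DROP appended first would make a later exception dead.
ruleset() {
    if [ -n "$2" ]; then
        syn_block_except_rule "$1" "$2"
    else
        syn_block_rule "$1"
    fi
    echo
    policy_rule FORWARD ACCEPT
    echo
}

if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    # Execute each emitted command, stopping on the first failure.
    ruleset "${WAN_IF:-eth0}" "${OPEN_PORT:-}" | sh -e
    # Check: show the INPUT chain with rule numbers and no DNS lookups.
    iptables -L INPUT -n --line-numbers
else
    echo "# dry run: commands that would be executed"
    ruleset "${WAN_IF:-eth0}" "${OPEN_PORT:-}"
fi
```

Run it plainly to see the commands; run `APPLY=1 OPEN_PORT=80 sh firewall.sh` as root to apply them and print the resulting INPUT chain. Note that this matches TCP only, exactly as the article says: UDP and ICMP arriving on eth0 are untouched by these rules.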
Nothing to it, huh? In this article we have really just covered the basics of IPtables. The information here should help you set up a limited firewall but there's still a lot more that I couldn't talk about. You can look at the man page "man iptables" to learn more of the options (or refresh your memory when you forget). You can find more advanced documents if you want to learn some of the more advanced features of IPtables. At the time of this writing, IPtables documents are somewhat rare because the technology is new but they should be springing up soon. Good luck.