tonywhitmore.co.uk  


Netfilter Iptables

Preparation

  1. Download the iptables source code from www.iptables.org.
    • Visit www.iptables.org and click on the "Downloads" link.
    • Click on the link for the source code of the latest version of iptables. You will need the source code in .tar.bz2 format.
      • At the time of writing the latest version of iptables was version 1.2.7a, so the file downloaded was iptables-1.2.7a.tar.bz2.
    • You will be asked where you wish to save the file. Choose a safe place and make a note of it.
    • The download is about 116 KB and will take a few seconds over a modem, and a lot less over a broadband connection.
    • If you are using a download accelerator program, it will save the file to your default download directory.
    • Burn the file iptables-1.2.7a.tar.bz2 to a CD. This page assumes that the subdirectory /apps is used for the .tar.bz2 file. The CD-ROM can be a multi-session disk.
      • Use your CD burning software to create an ISO9660 disc image with the file iptables-1.2.7a.tar.bz2 in the /apps directory.
      • Burn the CD and verify the data stored on it.


Booting

  1. Boot your Core Linux PC.
  2. Login as root. You will need to enter the password at the prompt.
    • Wait for the following text to appear:
      localhost login:
    • Type root and press Enter.
    • The screen will display this message:
      Password:
    • Enter the password for root that you set earlier.
    • You will be shown a prompt that looks like this:
      [~]#


Extract the source

  1. Place the CD-R in the CD-ROM drive. Mount the CD-ROM drive under /mnt/cdrom.
    • At the prompt enter:
      mount /dev/hdb /mnt/cdrom
    • You will see the following line appear:
      mount: block device /dev/hdb is write-protected, mounting read-only
  2. Change to the /apps directory on the CD-R.
    • At the prompt enter:
      cd /mnt/cdrom/apps
    • The prompt will change to:
      [/mnt/cdrom/apps]#
  3. Copy the iptables-1.2.7a.tar.bz2 file to the directory /usr/src.
    • At the prompt enter:
      cp iptables-1.2.7a.tar.bz2 /usr/src
    • The system will not display a message if everything is OK.
  4. Change to the /usr/src directory and extract the source from the .tar.bz2 file.
    • At the prompt enter:
      cd /usr/src
    • The prompt will change to:
      [/usr/src]#
    • At the prompt enter:
      bunzip2 iptables-1.2.7a.tar.bz2
    • The system will not display a message if everything is OK.
    • bunzip2 replaces iptables-1.2.7a.tar.bz2 with the uncompressed archive iptables-1.2.7a.tar. At the prompt enter:
      tar -xvf iptables-1.2.7a.tar
    • A long stream of file and directory names should scroll up the screen for a few seconds as the archive is unpacked.


Configure and compile

  1. Change to the /usr/src/iptables-1.2.7a directory.
    • At the prompt enter:
      cd iptables-1.2.7a
    • The prompt will change to:
      [/usr/src/iptables-1.2.7a]#
  2. Run the make program as shown below:
    make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man KERNEL_DIR=/usr/src/linux
    • At the prompt enter:
      make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man KERNEL_DIR=/usr/src/linux
    • A long stream of compiler output should scroll up the screen for about two minutes.
    • The program finishes with the line:
      rm libiptc/libiptc.o libiptc/libip4tc.o libipulog/libipulog.o libipq/libipq.o
  3. Run the make program as shown below:
    make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man KERNEL_DIR=/usr/src/linux install
    • At the prompt enter:
      make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man KERNEL_DIR=/usr/src/linux install
    • A long stream of processes should scroll up the screen for about thirty seconds.
    • The program finishes with the line:
      cp extensions/libip6t_MARK.so /usr/lib/iptables/libip6t_MARK.so


Initial Testing

  1. Ping the IP address 127.0.0.1. Your pings should be returned.
    • At the prompt enter:
      ping -c 1 127.0.0.1
    • The system will display a message similar to the following:
      PING 127.0.0.1 (127.0.0.1): 56 data bytes
      64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms
  2. Add the following rule using the iptables command:
    iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
    • At the prompt enter:
      iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
    • The system will not display a message if everything is OK.
  3. Ping the IP address 127.0.0.1. Your pings should not be returned.
    • At the prompt enter:
      ping -c 1 127.0.0.1
    • The system will display a message similar to the following:
      PING 127.0.0.1 (127.0.0.1): 56 data bytes

      --- 127.0.0.1 ping statistics ---
      1 packets transmitted, 0 packets received, 100% packet loss


Setting up iptables

Automating iptables

  1. Create a file called /etc/firewall listing all your iptables rules.
    • At the prompt enter:
      nano /etc/firewall
    • The screen will show a blank document with information about the file at the top and bottom of the screen.
    • Add your firewall rules to the file, adding comments to suit. For the DENY rule tested earlier:
      #!/bin/bash
      # Deny ping through loopback interface
      iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
    • Save the file and exit the text editor.
      • Press Ctrl+x on the keyboard.
      • The contents of the white line at the bottom of the screen will change to read:
        Save modified buffer (ANSWERING "No" WILL DESTROY CHANGES) ?
      • Type y.
      • The contents of the white line at the bottom of the screen will change to read:
        File Name to write: /etc/firewall
      • Press Enter.
      • You will be returned to the system prompt.
  2. Change the properties of the file /etc/firewall to make it executable.
    • At the prompt enter:
      chmod 0755 /etc/firewall
    • The system will not display a message if everything is OK.
  3. Append the following line to the /etc/rc.d/rc.mu script:
    /etc/firewall
    You can also add comments and echoes for your own information.
    • At the prompt enter:
      nano /etc/rc.d/rc.mu
    • The screen will show the contents of /etc/rc.d/rc.mu with information about the file at the top and bottom of the screen.
    • Add the following text to the end of the file:
      # Start iptables rules
      /etc/firewall
      echo Firewall rules applied
    • Reboot the system and check that your firewall rules are implemented.
      • At the system prompt enter:
        shutdown -r now
      • Wait for the system to reboot.
      • As the system reboots, watch for any error messages.
      • To test the DENY rule entered above, once the system has rebooted, try to ping 127.0.0.1 using the command ping -c 1 127.0.0.1. The system should display the same message as before.
        PING 127.0.0.1 (127.0.0.1): 56 data bytes

        --- 127.0.0.1 ping statistics ---
        1 packets transmitted, 0 packets received, 100% packet loss
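The script below is an added example of a fuller /etc/firewall in the same role as the one-rule file above; it is not the page's own script. It assumes (not stated on the page) that eth0 is the outward-facing interface and SSH on 22/tcp is the only inbound service; with no argument it only prints the rules for review, and "apply" loads them, so the rc.mu line becomes /etc/firewall apply.

```shell
#!/bin/sh
# Added example: a fuller /etc/firewall in the same role as the page's one-rule script.
# Assumptions (not from the page): eth0 is the outward-facing interface and SSH on
# 22/tcp is the only inbound service. With no argument the script only prints the
# rules; "apply" loads them, so the rc.mu line becomes: /etc/firewall apply

IPT=${IPT:-iptables}
EXT_IF=${EXT_IF:-eth0}

# Run a rule, or just print it when DRY_RUN=1 so the set can be reviewed before a reboot.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

firewall_rules() {
    # Flush INPUT first: re-running the script must not stack duplicate rules.
    run -F INPUT
    # Default-deny inbound; anything not accepted below falls through to DROP.
    run -P INPUT DROP
    # Local services need loopback (this replaces the test rule that dropped ICMP on 127.0.0.1).
    run -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened itself.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The single exposed service (assumption: SSH on the external interface).
    run -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Log what the policy is about to drop, rate-limited so a flood cannot fill the disk.
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

# Number of iptables commands the script would issue; lets the file be checked without root.
rule_count() {
    ( DRY_RUN=1; firewall_rules ) | grep -c "^$IPT "
}

case "${1:-show}" in
    apply) firewall_rules ;;
    show)  DRY_RUN=1 firewall_rules ;;
    *)     echo "usage: $0 [apply|show]" >&2; exit 2 ;;
esac
```

After a reboot, iptables -L INPUT -n -v shows the packet counters per rule, which is a quicker check than the ping test that the rules were loaded in the intended order.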


Creative Commons License
The text of this page is licensed under a Creative Commons License.

