From dc79fd5e5ced0ffaeba1f807ad2c226ee40a4e36 Mon Sep 17 00:00:00 2001 From: Stephan Mueller Date: Sun, 27 Jan 2019 13:42:39 +0100 Subject: [PATCH] Convert and polish old wiki iptables article --- modules/ROOT/nav.adoc | 30 +- modules/ROOT/pages/edit-iptables-rules.adoc | 510 -------------------- modules/ROOT/pages/iptables/cli.adoc | 251 ++++++++++ modules/ROOT/pages/iptables/gui.adoc | 85 ++++ modules/ROOT/pages/iptables/overview.adoc | 11 + modules/ROOT/pages/iptables/tui.adoc | 98 ++++ 6 files changed, 471 insertions(+), 514 deletions(-) delete mode 100644 modules/ROOT/pages/edit-iptables-rules.adoc create mode 100644 modules/ROOT/pages/iptables/cli.adoc create mode 100644 modules/ROOT/pages/iptables/gui.adoc create mode 100644 modules/ROOT/pages/iptables/overview.adoc create mode 100644 modules/ROOT/pages/iptables/tui.adoc diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc index 14d46ed..a108a3c 100644 --- a/modules/ROOT/nav.adoc +++ b/modules/ROOT/nav.adoc 
@@ -51,9 +51,32 @@ * xref:upgrading.adoc[Upgrading to a new release] ** xref:dnf-system-upgrade.adoc[Upgrading Fedora using the DNF system upgrade] - - - +* xref:using-aide.adoc[Checking integrity with AIDE] +* xref:anaconda/anaconda.adoc[Anaconda] +** xref:anaconda/anaconda_distros.adoc[Anaconda-based Distributions] +** xref:anaconda/anaconda_updates.adoc[Anaconda Updates] +** xref:anaconda/anaconda_logging.adoc[Anaconda Logging] +** xref:anaconda/anaconda_product_image.adoc[Anaconda Product Image] +* xref:getting-started-with-apache-http-server.adoc[Getting started with Apache HTTP Server] +* xref:finding-and-installing-linux-applications.adoc[Finding and installing Linux applications] +* xref:installing-chromium-or-google-chrome-browsers.adoc[Installing Chromium or Google Chrome browsers] +* xref:switching-desktop-environments.adoc[Switching desktop environments] +* xref:fedora-and-red-hat-enterprise-linux.adoc[Difference between Fedora and Red Hat Enterprise Linux] +* xref:dnf.adoc[Using the DNF software package manager] +* xref:dnf-system-upgrade.adoc[Upgrading Fedora using the DNF system upgrade] +* xref:securing-the-system-by-keeping-it-up-to-date.adoc[Securing the system by keeping it up-to-date] +* xref:upgrading.adoc[Upgrading to a new release of Fedora] +* xref:firewalld.adoc[Controlling network traffic with firewalld] +* xref:iptables/overview.adoc[How to edit iptables rules] +** xref:iptables/cli.adoc[Command Line Interface] +** xref:iptables/tui.adoc[Text-based Interface] +** xref:iptables/gui.adoc[Graphical User Interface] +* xref:using-adobe-flash.adoc[Using Adobe Flash] +* xref:adding-new-fonts-fedora.adoc[Adding new fonts in Fedora] +* xref:create-gpg-keys.adoc[Creating GPG Keys] +* xref:bootloading-with-grub2.adoc[Bootloading with GRUB2] +* xref:creating-and-using-a-live-installation-image.adoc[Creating and using a live installation image] +* xref:installing-java.adoc[Installing Java] * xref:kernel/overview.adoc[Kernel] ** 
xref:kernel/troubleshooting.adoc[Troubleshooting] ** xref:kernel/build-custom-kernel.adoc[Building a Custom Kernel] @@ -72,7 +95,6 @@ //FIXME * xref:debug-systemd-problems.adoc[How to debug systemd problems] //FIXME * xref:debug-wayland-problems.adoc[How to debug Wayland problems] - note: maintained on wiki, does not fit quick-docs IMHO //FIXME * xref:fedora-life-cycle.adoc[Fedora Release Life Cycle] - note: maintained on wiki, does not fit quick-docs IMHO -//FIXME * xref:edit-iptables-rules.adoc[How to edit iptables rules] //FIXME * xref:enable-touchpad-click.adoc[How to enable touchpad click] //FIXME * xref:mirroring.adoc[Mirroring] //FIXME * xref:openh264.adoc[OpenH264] diff --git a/modules/ROOT/pages/edit-iptables-rules.adoc b/modules/ROOT/pages/edit-iptables-rules.adoc deleted file mode 100644 index 60d63a6..0000000 --- a/modules/ROOT/pages/edit-iptables-rules.adoc +++ /dev/null 
@@ -1,510 +0,0 @@ -= How to edit iptables rules - -''' - -[IMPORTANT] -====== - -This page was automatically converted from https://fedoraproject.org/wiki/How_to_edit_iptables_rules - -It is probably - -* Badly formatted -* Missing graphics and tables that do not convert well from mediawiki -* Out-of-date -* In need of other love - - -Pull requests accepted at https://pagure.io/fedora-docs/quick-docs - -Once you've fixed this page, remove this notice, and update -[filename]`modules/ROOT/nav.adoc`. - -Once the document is live, go to the original wiki page and replace its text -with the following macro: - -.... -{{#fedoradocs: https://docs.fedoraproject.org/whatever-the-of-this-new-page}} -.... - -====== - -''' - -include::{partialsdir}/unreviewed-message.adoc[] - -In this how-to, we will illustrate three ways to edit iptables Rules : - -* *CLI :* iptables command line interface and system configuration file -/etc/sysconfig/iptables. -* *TUI (text-based) interface :* setup or system-config-firewall-tui -* *GUI :* system-config-firewall - -NOTE: This how-to illustrates editing existing iptables Rules, not the -initial creation of Rules chains. - -__TOC__ - -[[cli-command-line-interface]] -== CLI (command line interface) - -[[hot-changes-to-iptables-rules]] -=== Hot changes to iptables Rules - -The following procedures allow changes in the behaviour of the firewall -while it is running. - -Read the man pages for iptables (man iptables) for further explanations -and more sophisticated Rules examples. - -[[listing-rules]] -==== Listing Rules - -Current running iptables Rules can be viewed with the command - -.... -iptables -L -.... - -. - -Example of iptables Rules allowing any connections already established -or related, icmp requests, all local traffic, and ssh communication: - -.... 
-[root@server ~]# iptables -L -Chain INPUT (policy DROP) -target prot opt source destination -ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED -ACCEPT icmp -- anywhere anywhere -ACCEPT all -- anywhere anywhere -ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh - -Chain FORWARD (policy ACCEPT) -target prot opt source destination - -Chain OUTPUT (policy ACCEPT) -target prot opt source destination -.... - -Note that Rules are applied in order of appearance, and the inspection -ends immediately when there is a match. Therefore, for example, if a -Rule rejecting ssh connections is created, and afterward another Rule is -specified allowing ssh, the Rule to reject is applied and the later Rule -to accept the ssh connection is not. - -[[appending-rules]] -==== Appending Rules - -The following adds a Rule at the end of the specified chain of iptables: - -.... -[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT -[root@server ~]# iptables -L -Chain INPUT (policy DROP) -target prot opt source destination -ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED -ACCEPT icmp -- anywhere anywhere -ACCEPT all -- anywhere anywhere -ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh -ACCEPT tcp -- anywhere anywhere tcp dpt:http - -Chain FORWARD (policy ACCEPT) -target prot opt source destination - -Chain OUTPUT (policy ACCEPT) -target prot opt source destination -.... - -Notice the last line in chain INPUT. There are now five Rules in that -chain. - -[[deleting-rules]] -==== Deleting Rules - -To delete a Rule, you must know its position in the chain. The following -example deletes an existing Rule created earlier that is currently in -the fifth position: - -.... 
-[root@server ~]# iptables -D INPUT 5 -[root@server ~]# iptables -L -Chain INPUT (policy DROP) -target prot opt source destination -ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED -ACCEPT icmp -- anywhere anywhere -ACCEPT all -- anywhere anywhere -ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh - -Chain FORWARD (policy ACCEPT) -target prot opt source destination - -Chain OUTPUT (policy ACCEPT) -target prot opt source destination -.... - -[[inserting-rules]] -==== Inserting Rules - -Create a Rule at the top (first) position: - -.... -[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT -[root@server ~]# iptables -L -Chain INPUT (policy DROP) -target prot opt source destination -ACCEPT tcp -- anywhere anywhere tcp dpt:http -ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED -ACCEPT icmp -- anywhere anywhere -ACCEPT all -- anywhere anywhere -ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh - -Chain FORWARD (policy ACCEPT) -target prot opt source destination - -Chain OUTPUT (policy ACCEPT) -target prot opt source destination -.... - -The number given after the chain name indicates the position *before* an -existing Rule. So, for example, if you want to insert a Rule *before* -the third rule you specify the number 3. Afterward, the existing Rule -will then be in the fourth position in the chain. - -[[replacing-rules]] -==== Replacing Rules - -Rules may be specified to replace existing Rules in the chain. - -In the example shown previously, the first Rule given allows connections -to the http port (port 80) from anywhere. The following replaces this -Rule, restricting connections to the standard http port (port 80) only -from the network address range 192.168.0.0/24: - -.... 
-[root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT -[root@server ~]# iptables -L -Chain INPUT (policy DROP) -target prot opt source destination -ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:http -ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED -ACCEPT icmp -- anywhere anywhere -ACCEPT all -- anywhere anywhere -ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh - -Chain FORWARD (policy ACCEPT) -target prot opt source destination - -Chain OUTPUT (policy ACCEPT) -target prot opt source destination -.... - -[[flushing-rules]] -==== Flushing Rules - -To flush or clear iptables Rules, use the *--flush*, *-F* option : - -.... -iptables -F -.... - -Specifying a ** is optional; without a chain specification, all chains -are flushed. - -Example to flush Rules in the *OUTPUT* chain : - -.... -[root@server ~]# iptables -F OUTPUT -.... - -[[making-changes-persistent]] -=== Making changes persistent - -The iptables Rules changes using CLI commands will be lost upon system -reboot. However, iptables comes with two useful utilities: -*iptables-save* and *iptables-restore*. - -* *iptables-save* prints a dump of current iptables rules to *stdout*. -These may be redirected to a file: - -.... -[root@server ~]# iptables-save > iptables.dump -[root@server ~]# cat iptables.dump -# Generated by iptables-save v1.4.12 on Wed Dec 7 20:10:49 2011 -*filter -:INPUT DROP [45:2307] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [1571:4260654] --A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT --A INPUT -p icmp -j ACCEPT --A INPUT -i lo -j ACCEPT --A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -COMMIT -# Completed on Wed Dec 7 20:10:49 2011 -.... - -* iptables-restore : restore a dump of rules made by iptables-save. - -.... 
-[root@server ~]# iptables-restore < iptables.dump -[root@server ~]# iptables -L -Chain INPUT (policy DROP) -target prot opt source destination -ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED -ACCEPT icmp -- anywhere anywhere -ACCEPT all -- anywhere anywhere -ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh - -Chain FORWARD (policy ACCEPT) -target prot opt source destination - -Chain OUTPUT (policy ACCEPT) -target prot opt source destination -.... - -In the default configuration, stopping or restarting the iptables -service will discard the running configuration. This behavior can be -changed by setting IPTABLES_SAVE_ON_STOP="yes" or -IPTABLES_SAVE_ON_RESTART="yes" in /etc/sysconfig/iptables-config. If -these values are set, the affected files are: - -* .... -/etc/sysconfig/iptables -.... -+ -for IPv4 -* .... -/etc/sysconfig/ip6tables -.... -+ -for IPv6 - -If preferred, these files may be edited directly, and iptables service -restarted to commit the changes. The format is similar to that of the -iptables CLI commands: - -.... -# Generated by iptables-save v1.4.12 on Wed Dec 7 20:22:39 2011 -*filter <--------------------------------------------------------- Specify the table of the next rules -:INPUT DROP [157:36334] <----------------------------------------- This is the three chain belong to filter table, then the policy of the chain -:FORWARD ACCEPT [0:0] <------------------------------------------- and between brackets [:] numbers is for -:OUTPUT ACCEPT [48876:76493439] <--------------------------------- debug/informations purpose only. Leave them at their current value. --A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT <--------- A rule. --A INPUT -p icmp -j ACCEPT <-------------------------------------- You just have to take all arguments --A INPUT -i lo -j ACCEPT <---------------------------------------- of an iptables command. 
--A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -COMMIT <---------------------------------------------------------- Needed at each end of table definition. Commit rules in that table. -# Completed on Wed Dec 7 20:22:39 2011 -.... - -If needed, to reset packet and byte counters, use *-Z*, *--zero* : - -.... -iptables -Z -.... - -It is possible to reset only reset a single rule counter. It can be -useful, if you want to know how many packets were captured for a -specific rule. - -[[tui-text-based-user-interface]] -== TUI (text-based user interface) - -There is two ways to managing iptables rules with a text-based user -interface, either using *setup* or *system-config-firewall-tui*. Using -*system-config-firewall-tui* takes you directly to editing the rules. -Using *setup* you need to select *firewall configuration* and then you -can edit rules. Starting with *setup* looks like this: - -image:Firewall-tui.PNG[setup menu -utility,title="setup menu utility",width=700] - -On the next screen, which is where you start with -*system-config-firewall-tui*, make sure that "Firewall" is enabled, or -you cannot edit the settings. Then select *Customize* : - -image:First_menu_firewall_tui.PNG[Firewall Configuration by TUI. First -screen.,title="Firewall Configuration by TUI. First screen.",width=700] - -There is good chance that a service you want to modify is part of the -list of standard "Trusted" services. 
Select the services you want to -trust (ports to open) and press *Forward* (which means 'next', it is not -port forwarding): - -image:Firewall_TUI_Trusted_services.PNG[Editing trusted service with -firewall tui -interface.,title="Editing trusted service with firewall tui interface.",width=700] - -The Other Ports menu lets you open additional ports not in the list of -standard Trusted Services, or to edit an existing list of additional -ports : - -image:Firewall_TUI_other_ports.PNG[Editing Other ports on firewall -configuration by TUI -interface.,title="Editing Other ports on firewall configuration by TUI interface.",width=700] - -To add other ports, specify one port or a port range, and choose between -*tcp* or *udp* for the protocol. The port range format is _beginningPort -- endingPort_. - -image:Firewall_TUI_adding_other_ports.PNG[Adding other ports on firewall -configuration by TUI -interface.,title="Adding other ports on firewall configuration by TUI interface.",width=700] - -The trusted interfaces menu allows you to trust all traffic on a network -interface. All traffic will be allowed and the port filtering rules will -never match. You should only select an interface that faces a private -network, never an interface that directly faces the Internet. - -image:Firewall_TUI_trusted_interfaces.PNG[Trusted -interfaces.,title="Trusted interfaces.",width=700] - -The Masquerading menu lets you select an interface to be masqueraded. 
-Masquerading is better known as -*http://en.wikipedia.org/wiki/Network_address_translation[NAT]* (Network -Address Translation), and it is useful for example when your computer is -used as gateway to access the internet: - -image:Firewall_TUI_masquerading.PNG[Firewall TUI interface : -masquerading.,title="Firewall TUI interface : masquerading.",width=700] - -Port forwarding, also known as -*http://en.wikipedia.org/wiki/Network_address_translation#Port_address_translation[PAT]*, -permits traffic from one port to be rerouted to another port. - -image:Firewall_TUI_Port_Forwarding.PNG[Firewall TUI interface : -configuring Port -Forwarding.,title="Firewall TUI interface : configuring Port Forwarding.",width=700] - -For example: - -image:Firewall_TUI_Port_Forwarding_Adding.PNG[Firewall TUI : adding port -forwarding -rules.,title="Firewall TUI : adding port forwarding rules.",width=700] - -The ICMP Filter menu lets you reject various types of ICMP packets. By -default, no limitations are made, but you can define rules to reject -ICMP traffic, define the return error to an ICMP request, etc. - -image:Firewall_TUI_ICMP_Filter.PNG[Firewall TUI: configuring ICMP -behaviour.,title="Firewall TUI: configuring ICMP behaviour.",width=700] - -Finally, you can add custom firewall rules. These must be prepared ahead -of time in files that use the same format as the iptables file. - -image:Firewall_TUI_Custom_Rules.PNG[Firewall TUI: create custom -rules.,title="Firewall TUI: create custom rules.",width=700] - -For adding custom rules you have specify the protocol between *ipv4* or -*ipv6* and on what table add the custom rules *filter*, *mangle* or -*nat* then the path to the file containing rules to add : - -image:Firewall_TUI_Custom_Rules_Adding.PNG[Firewall TUI: adding a custom -rules.,title="Firewall TUI: adding a custom rules.",width=700] - -When you have completed all menus, *Close* the interface, which brings -you back to the first screen of firewall configuration. 
Select *OK* and -a warning message appear : - -image:Firewall_TUI_Warning.PNG[Firewall TUI -warning.,title="Firewall TUI warning.",width=700] - -Select *Yes* if the configuration you made fits to you and exit -interface, or *No* to go back to the firewall configuration screen. - -[[gui]] -== GUI - -[[red-hat-gui-configuration-tool]] -=== Red Hat GUI configuration tool - -GUI interface allow you exactly the same thing that TUI interface, but -it is more friendly usable. - -First time you start GUI, you have a welcome message that warning you -that if you have existing manual rules then this rules will be -overwritten. image:Firewall_GUI_First_Time_Startup.PNG[First time -startup message,title="fig:First time startup message"] - -Before all, you need to *Enable* your firewall to use Firewall -Configuration utility. - -image:FireWwall_GUI_startup.PNG[Firewall Gui startup -screen,title="Firewall Gui startup screen"] - -Then utility warn you that you don't have any existing configuration and -want you execute the wizard. 
Click on *Start wizard*: - -image:No_configuration.PNG[No firewall -configuration,title="No firewall configuration"] - -Click on forward : - -image:Firewall_Wizard.PNG[Firewall Wizard : welcome -screen,title="Firewall Wizard : welcome screen"] - -_System with network access_ enable Firewall and _System without network -access_ disable Firewall, so select _System with network access_ : - -image:Firewall_Wizard_2.PNG[Firewall Wizard : network -access?,title="Firewall Wizard : network access?"] - -Beginner allow you to modify only _Trusted Services_, it's fine if you -use only known services like ftp, dns, http, etc but don't allow you to -configure customs ports range, select _Expert_ to have full featured -Firewall Configuration utility, you can change this option later in the -*Options* menu Main windows, in *User Skill Level* : - -image:Firewall_Wizard_3.PNG[Firewall Wizard : -skill?,title="Firewall Wizard : skill?"] - -*Server* template enable only ssh port on firewall configuration -_Desktop_ template enable additional ports for _IPsec_, _Multicast DNS_, -_Network Printing Client_ and _SSH_. For convenience select Desktop, and -*OK* : - -image:Firewall_Wizard_4.PNG[Firewall Wizard : configuration -base?,title="Firewall Wizard : configuration base?"] - -As described earlier _Desktop_ template enable 4 services _IPsec_, -_mDNS_, _IPP_ and _SSH_. If you have services listed in *Trusted -Services* section that you want to enabled, you just have to click on -it, that's all. It is possible to change template by using the *Options* -menu, in *Load Default Configuration*. - -image:Firewall_Wizard_5.PNG[Firewall Main interface : -enabled,title="Firewall Main interface : enabled"] - -*Other Ports* allow you to edit custom rules if your service port wasn't -in *Trusted service*. To begin, just click on *Add* button. Then either -you choose in services list the right service or you tick *User Defined* -and fill requested information about *Port / Port Range* and *Protocol*. 
- -image:Firewall_GUI_other_ports.PNG[Firewall GUI : edit other ports -rules.,title="Firewall GUI : edit other ports rules."] - -*Trusted Interfaces*, *Masquerading*, *Port Forwarding*, *ICMP Filter* -and _Custom Rules_' have exactly the same effect than in TUI interface. - -When configuration fits to you, just click on the *Apply* button. - -[[others-gui]] -=== Others GUI - -There are others GUI available to configure iptables rules. - -* http://www.fwbuilder.org/_fwbuilder[http://www.fwbuilder.org/ -fwbuilder] : very complete gui tools to configure iptables. -* http://shorewall.net/_Shorewall[http://shorewall.net/ Shorewall] : -another very complete gui like fwbuilder. -* http://www.turtlefirewall.com/_Turtle_firewall_project[http://www.turtlefirewall.com/ -Turtle firewall project] : web interface and integrated to webmin. Fits -to basic usage of Iptables, can not handle all iptables options like -fwbuilder -* http://users.telenet.be/stes/ipmenu.html_IPmenu[http://users.telenet.be/stes/ipmenu.html -IPmenu] : console based interface that allow you all iptables -functionalities. -''' - -See a typo, something missing or out of date, or anything else which can be -improved? Edit this document at https://pagure.io/fedora-docs/quick-docs. diff --git a/modules/ROOT/pages/iptables/cli.adoc b/modules/ROOT/pages/iptables/cli.adoc new file mode 100644 index 0000000..1199d7b --- /dev/null +++ b/modules/ROOT/pages/iptables/cli.adoc 
@@ -0,0 +1,251 @@ +== Command Line Interface + +=== Changes to iptables Rules + +The following procedures allow for changes in the behaviour of the firewall +while it is running. It is important to understand that every change +is applied immediately. + +Read the man pages (`man iptables`) for further explanations +and more sophisticated examples. + + +==== Listing Rules + +Currently running iptables rules can be viewed with the command: + +.... +# iptables -L +.... + + +The following example shows four rules. These rules permit +established or related connections, any ICMP traffic, any local traffic as +well as incoming connections on port 22. Please note that the output has +no indication that the third rule applies only to local traffic. Therefore +you might want to add the `-v` option. This will reveal that the rule only +applies to traffic on the loopback interface. + +.... +[root@server ~]# iptables -L +Chain INPUT (policy DROP) +target prot opt source destination +ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED +ACCEPT icmp -- anywhere anywhere +ACCEPT all -- anywhere anywhere +ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh + +Chain FORWARD (policy ACCEPT) +target prot opt source destination + +Chain OUTPUT (policy ACCEPT) +target prot opt source destination +.... + +Also remember that rules are applied in order of appearance and that after the +first match, no further rules are considered (there are exceptions, please refer +to the man pages for details). For example, in case there is a rule rejecting +ssh connections and subsequently a second rule permitting ssh connections, the +first rule would be applied to incoming ssh connections while the latter would +never be evaluated. + +==== Appending Rules + +The following adds a rule at the end of the specified chain of iptables: + +.... 
+[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT +[root@server ~]# iptables -L +Chain INPUT (policy DROP) +target prot opt source destination +ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED +ACCEPT icmp -- anywhere anywhere +ACCEPT all -- anywhere anywhere +ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh +ACCEPT tcp -- anywhere anywhere tcp dpt:http + +Chain FORWARD (policy ACCEPT) +target prot opt source destination + +Chain OUTPUT (policy ACCEPT) +target prot opt source destination +.... + +Notice the last line in the INPUT chain. There are now five rules. + +==== Deleting Rules + +To delete a rule you need to know its position in the chain. The following will +delete the rule from the previous example. To do so, the rule in the fifth +position has to be deleted: + +.... +[root@server ~]# iptables -D INPUT 5 +[root@server ~]# iptables -L +Chain INPUT (policy DROP) +target prot opt source destination +ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED +ACCEPT icmp -- anywhere anywhere +ACCEPT all -- anywhere anywhere +ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh + +Chain FORWARD (policy ACCEPT) +target prot opt source destination + +Chain OUTPUT (policy ACCEPT) +target prot opt source destination +.... + +==== Inserting Rules + +You can also insert rules at a specific position. To insert a rule at the top +(i.e. first) position, use: + +.... +[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT +[root@server ~]# iptables -L +Chain INPUT (policy DROP) +target prot opt source destination +ACCEPT tcp -- anywhere anywhere tcp dpt:http +ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED +ACCEPT icmp -- anywhere anywhere +ACCEPT all -- anywhere anywhere +ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh + +Chain FORWARD (policy ACCEPT) +target prot opt source destination + +Chain OUTPUT (policy ACCEPT) +target prot opt source destination +.... 
+ +The number given after the chain name indicates the position of your new rule +*after* the insertion. So, for example, if you want to insert a rule at the +third position, you specify the number 3. Afterwards your new rule is at +position 3, while the old rule from position 3 is now shifted to position 4. + +==== Replacing Rules + +Rules may be specified to replace existing rules in the chain. + +In the previous example, the first rule grants access to tcp port 80 from +any source. To restrict the access to sources within a local net, the following +command replaces the first rule: + +.... +[root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT +[root@server ~]# iptables -L +Chain INPUT (policy DROP) +target prot opt source destination +ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:http +ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED +ACCEPT icmp -- anywhere anywhere +ACCEPT all -- anywhere anywhere +ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh + +Chain FORWARD (policy ACCEPT) +target prot opt source destination + +Chain OUTPUT (policy ACCEPT) +target prot opt source destination +.... + +==== Flushing Rules + +To flush or clear all iptables rules, use the `--flush`, `-F` option: + +.... +# iptables -F +.... + +Specifying a chain is optional. Without a given chain, all chains +are flushed. Remember that the new rule set is immediately active. +Depending on the default policies, you might loose access to a remote machine +by flushing the rules. + +To flush all rules in the OUTPUT chain use: + +.... +# iptables -F OUTPUT +.... + +=== Making changes persistent + +All changes to iptables rules using the CLI commands will be lost upon system +reboot. However, `iptables` comes with two useful utilities: +`iptables-save` and `iptables-restore`. + +`iptables-save` prints a dump of current rule set to *stdout*. This may be + redirected to a file: + +.... 
+[root@server ~]# iptables-save > iptables.dump +[root@server ~]# cat iptables.dump +# Generated by iptables-save v1.4.12 on Wed Dec 7 20:10:49 2011 +*filter +:INPUT DROP [45:2307] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [1571:4260654] +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT +COMMIT +# Completed on Wed Dec 7 20:10:49 2011 +.... + +Use `iptables-restore` to restore a dump of rules made by `iptables-save`. + +.... +[root@server ~]# iptables-restore < iptables.dump +[root@server ~]# iptables -L +Chain INPUT (policy DROP) +target prot opt source destination +ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED +ACCEPT icmp -- anywhere anywhere +ACCEPT all -- anywhere anywhere +ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh + +Chain FORWARD (policy ACCEPT) +target prot opt source destination + +Chain OUTPUT (policy ACCEPT) +target prot opt source destination +.... + +In the default configuration, stopping or restarting the iptables +service will discard the running configuration. This behavior can be +changed by setting `IPTABLES_SAVE_ON_STOP="yes"` or +`IPTABLES_SAVE_ON_RESTART="yes"` in `/etc/sysconfig/iptables-config`. If +these values are set, the configuration will be automatically dumped to +`/etc/sysconfig/iptables` and `/etc/sysconfig/ip6tables` for IPv4 and IPv6 +respectively. + +If you prefer, you may edit these files directly. Restart the iptables +service or restore the rules to apply your changes. The rules are in the same +format as you would specify them on the command line: + +.... 
+# Generated by iptables-save v1.4.12 on Wed Dec 7 20:22:39 2011 +*filter +:INPUT DROP [157:36334] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [48876:76493439] +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT +COMMIT +# Completed on Wed Dec 7 20:22:39 2011 +.... + +The numbers in brackets are counters and usually you don't have to mangle them. +If needed, you can reset packet and byte counters using the `-Z` or `--zero` +option: + +.... +# iptables -Z +.... + +It is possible to reset only a single rule counter. This might become handy + if you want to know how many packets were captured for a specific rule. \ No newline at end of file diff --git a/modules/ROOT/pages/iptables/gui.adoc b/modules/ROOT/pages/iptables/gui.adoc new file mode 100644 index 0000000..6d3a693 --- /dev/null +++ b/modules/ROOT/pages/iptables/gui.adoc 
@@ -0,0 +1,85 @@ +== Graphical User Interface + +There are several graphical user interfaces available to configure iptables. + +* link:http://www.fwbuilder.org/_fwbuilder[fwbuilder]: Very complete GUI tools + to configure iptables. +* link:http://shorewall.net/_Shorewall[Shorewall]: Another very complete GUI +like fwbuilder. +* link:http://www.turtlefirewall.com/_Turtle_firewall_project[Turtle firewall +project]: Web interface and integrated to webmin. But it can not handle all +iptables options. +* link:http://users.telenet.be/stes/ipmenu.html_IPmenu[IPmenu] :A console based +interface that covers all iptables functionality. + +The following section describes yet another frontend: `system-config-firewall`. + +=== system-config-firewall + +The GUI interface is similar to the text based interface just more friendly. + +The first time you start the GUI you will receive a warning. The program will +*not* load your custom configuration. So any preexisting rules will be +overwritten. + +image:Firewall_GUI_First_Time_Startup.PNG[First time +startup message,title="fig:First time startup message"] + +Before you start, you have to enable your firewall to activate the +configuration utility. + +image:FireWwall_GUI_startup.PNG[Firewall Gui startup +screen,title="Firewall Gui startup screen"] + +The initial configuration is empty and will not allow any network traffic. + +image:No_configuration.PNG[No firewall +configuration,title="No firewall configuration"] + +You can ignore the warning and start the wizard. Click _forward_: + +image:Firewall_Wizard.PNG[Firewall Wizard : welcome +screen,title="Firewall Wizard : welcome screen"] + +Choose _System with network access_ to enable the firewall. The other option +_System without network access_ would disable the firewall and don't allow +access to any network. + +image:Firewall_Wizard_2.PNG[Firewall Wizard : network +access?,title="Firewall Wizard : network access?"] + +Next, you have to choose your skill level. 
The *Beginner* options only +allows the configuration of _trusted services_. This option is fine if you only +want to use services like _ftp_, _dns_, _http_, etc. It does not allow you to +configure customs port ranges. If you select *Expert*, you will have access to +firewall options. You can change the skill level later via _Options_ in the +main window. + +image:Firewall_Wizard_3.PNG[Firewall Wizard : +skill?,title="Firewall Wizard : skill?"] + +You can choose from a set of default configurations to start with. The *Server* +template will only enable SSH on the firewall. The _desktop template_ enables +additional ports (_IPsec_, _multicast DNS_, _Network Printing Client_ and +_SSH_). For convenience select *Desktop* and continue: + +image:Firewall_Wizard_4.PNG[Firewall Wizard : configuration +base?,title="Firewall Wizard : configuration base?"] + +To enable additional _trusted services_ just choose the services from the list. + +image:Firewall_Wizard_5.PNG[Firewall Main interface : +enabled,title="Firewall Main interface : enabled"] + +You can add custom rules after choosing *Other ports* from the side bar. Click +the *Add* button and either choose form services list on the right or tick +*User Defined* and fill in the requested information. + +image:Firewall_GUI_other_ports.PNG[Firewall GUI : edit other ports +rules.,title="Firewall GUI : edit other ports rules."] + +The other options in the sidebar *Trusted Interfaces*, *Masquerading*, *Port +Forwarding* and so on work exactly as in the text based interface. + +When you finished the configuration, click *Apply* to save and activate the +firewall. \ No newline at end of file diff --git a/modules/ROOT/pages/iptables/overview.adoc b/modules/ROOT/pages/iptables/overview.adoc new file mode 100644 index 0000000..0455329 --- /dev/null +++ b/modules/ROOT/pages/iptables/overview.adoc 
@@ -0,0 +1,11 @@ += How to edit iptables rules + +In this how-to, we will illustrate three ways of editing iptables rules, via: + +* xref:iptables/cli.adoc[Command line interface] (CLI) `iptables` and system configuration file +`/etc/sysconfig/iptables`. +* xref:iptables/tui.adoc[Text-based interfaces] (TUI) `setup` or `system-config-firewall-tui` +* xref:iptables/gui.adoc[Graphical user interface](GUI) `system-config-firewall` + +NOTE: This how-to illustrates editing existing iptables rules, not the +initial creation of rules chains. \ No newline at end of file diff --git a/modules/ROOT/pages/iptables/tui.adoc b/modules/ROOT/pages/iptables/tui.adoc new file mode 100644 index 0000000..0df9ccf --- /dev/null +++ b/modules/ROOT/pages/iptables/tui.adoc 
@@ -0,0 +1,98 @@ +== Text-based User Interface + +There are two ways to manage iptables rules using a text-based user +interface. These are `setup` and `system-config-firewall-tui`. If you start +`setup`, you will see something similar to the following: + +image:Firewall-tui.PNG[setup menu +utility,title="setup menu utility",width=700] + +If you select "Firewall configuration" you will see the screen below. You could +also invoke `system-config-firewall-tui`. This will take you directly to the +same screen. Make sure that "Firewall" is enabled, otherwise you cannot edit its +rule set. Continue by selecting "Customize": + +image:First_menu_firewall_tui.PNG[Firewall Configuration by TUI. First +screen.,title="Firewall Configuration by TUI. First screen.",width=700] + +There is a good chance, that a service you want to modify is part of the +list of standard "trusted services". Select the services you want to +trust (i.e. open their ports) and press "Forward". (This has to be read as +"next", it has nothing to do with port forwarding): + +image:Firewall_TUI_Trusted_services.PNG[Editing trusted service with +firewall tui +interface.,title="Editing trusted service with firewall tui interface.",width=700] + +The "Other ports" menu lets you open additional ports which are not in the list +of standard trusted services: + +image:Firewall_TUI_other_ports.PNG[Editing Other ports on firewall +configuration by TUI +interface.,title="Editing Other ports on firewall configuration by TUI interface.",width=700] + +To add other ports, specify one port or a port range. Choose between +_tcp_ and _udp_ for the protocol. The port range format is: _beginningPort +- endingPort_. + +The "Trusted interfaces" menu allows you to trust all traffic on a network +interface. All traffic will be allowed and the port filtering rules will +never apply. You should only select interfaces which face private +networks. 
Never trust an interface that deals with traffic from networks which +are not under your full control. + +image:Firewall_TUI_trusted_interfaces.PNG[Trusted +interfaces.,title="Trusted interfaces.",width=700] + +The masquerading menu lets you select an interface to be masqueraded. +Masquerading is better known as +*http://en.wikipedia.org/wiki/Network_address_translation[NAT]* (Network +Address Translation). It is useful, to setup your computer as a gateway +between different networks: + +image:Firewall_TUI_masquerading.PNG[Firewall TUI interface : +masquerading.,title="Firewall TUI interface : masquerading.",width=700] + +Port forwarding, also known as +*http://en.wikipedia.org/wiki/Network_address_translation#Port_address_translation[PAT]* +(Port Address Translation), permits traffic from one port to be "rerouted" to +another port. + +image:Firewall_TUI_Port_Forwarding.PNG[Firewall TUI interface : +configuring Port +Forwarding.,title="Firewall TUI interface : configuring Port Forwarding.",width=700] + +You have to specify source and destination, as well as the interface and protocol +accordingly: + +image:Firewall_TUI_Port_Forwarding_Adding.PNG[Firewall TUI : adding port +forwarding +rules.,title="Firewall TUI : adding port forwarding rules.",width=700] + +The ICMP Filter menu lets you reject various types of ICMP packets. By +default, no limitations are made. You may define rules to reject +ICMP traffic, define the return type to ICMP request, etc. + +image:Firewall_TUI_ICMP_Filter.PNG[Firewall TUI: configuring ICMP +behaviour.,title="Firewall TUI: configuring ICMP behaviour.",width=700] + +Finally, you can add custom firewall rules. These must be prepared ahead +of time in files that use the same format for the command line interface. + +image:Firewall_TUI_Custom_Rules.PNG[Firewall TUI: create custom +rules.,title="Firewall TUI: create custom rules.",width=700] + +For adding custom rules you have specify the protocol (i.e. 
_ipv4_ or +_ipv6_) and the table you want your rules add to (_filter_, _mangle_, _nat_,...) +and - of course - the file containing your rules: + +image:Firewall_TUI_Custom_Rules_Adding.PNG[Firewall TUI: adding a custom +rules.,title="Firewall TUI: adding a custom rules.",width=700] + +When you have completed all menus, choose "Close" to resume to the first screen. +Select "OK" and confirm your changes by choosing "Yes". If you choose "No" you +will get back the configuration screen with no changes applied to your +firewall. + +image:Firewall_TUI_Warning.PNG[Firewall TUI +warning.,title="Firewall TUI warning.",width=700] \ No newline at end of file
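Review bot: the closing paragraph of the cli.adoc hunk says it is possible to reset a single rule's counter but never shows how; since `-Z` takes an optional chain and rule number (`-Z [chain [rulenum]]`), add a listing such as `# iptables -Z INPUT 4` right after that sentence, and mention that `iptables -L -v -n --line-numbers` is how the reader finds the rule number. Two smaller points in the same region: "usually you don't have to mangle them" is confusing next to the `mangle` table and should read "modify them", and the sample `iptables-save` output still uses the legacy `-m state --state` match; it still works, but `-m conntrack --ctstate RELATED,ESTABLISHED` is the form current iptables documentation recommends and is worth a one-line remark so readers do not copy the old spelling into new rules. The file also lacks a trailing newline.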
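Review bot: the four `link:` macros at the top of the gui.adoc hunk carry wiki-conversion residue in their URLs: `http://www.fwbuilder.org/_fwbuilder`, `http://shorewall.net/_Shorewall`, `http://www.turtlefirewall.com/_Turtle_firewall_project` and `http://users.telenet.be/stes/ipmenu.html_IPmenu` all have the old link label glued onto the path with an underscore, so every one of them is a dead link; strip the `_label` suffix so each URL ends at `/` or `.html` and keep the label inside the brackets. Shorewall is a configuration-file front end rather than a GUI, so "Another very complete GUI like fwbuilder" overstates it. The sentence "The program will *not* load your custom configuration. So any preexisting rules will be overwritten." is the most security-relevant line on the page and should be a `WARNING:` admonition (the overview page already uses the `NOTE:` form) rather than a plain paragraph. Wording: "Very complete GUI tools" for a single tool, "The *Beginner* options only allows", "customs port ranges", "choose form services list", "When you finished" (have finished), and the image name `FireWwall_GUI_startup.PNG` looks like a typo worth checking against the actual asset. No trailing newline at EOF.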
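Review bot: the overview hunk introduces `system-config-firewall`, `system-config-firewall-tui` and `/etc/sysconfig/iptables` without saying that they only apply when the legacy `iptables` service (package `iptables-services`) is in use; on a default Fedora install `firewalld` owns the firewall and conflicts with `system-config-firewall`, so a reader following this page as written on a current system either gets an error or ends up with two tools rewriting the same rule set. Add a sentence before the list stating that scope and pointing to the firewalld documentation. Smaller fixes: "Graphical user interface](GUI)" needs a space before "(GUI)", the link text "Text-based interfaces" should match the singular "Text-based User Interface" title used in tui.adoc, and "rules chains" in the NOTE should be "rule chains". No trailing newline at EOF.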
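Review bot: the tui.adoc hunk never warns that enabling "Firewall" in `system-config-firewall-tui` and confirming with "Yes" replaces whatever is currently in the rule set, although the sibling gui.adoc page says so explicitly for the same program ("The program will *not* load your custom configuration. So any preexisting rules will be overwritten."); repeat that caveat in the "Make sure that "Firewall" is enabled" paragraph, because a reader of only the TUI page is the one most likely to have a hand-written `/etc/sysconfig/iptables` to lose. "Port forwarding, also known as PAT" is also inaccurate: PAT describes many-to-one source translation, which is what the masquerading menu configures, whereas the port-forwarding menu sets up destination NAT (DNAT); write "port forwarding (DNAT)" and drop the PAT link. The custom-rules paragraph should name the format it means, i.e. "the same format as `iptables-save` output, described on the command line page", instead of "the same format for the command line interface". Typos: "you have specify" (have to specify), "your rules add to" (added to), "resume to the first screen" (return to), "adding a custom rules". No trailing newline at EOF.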