24.3 About Packet-filtering Firewalls

24.3.1 Controlling the Firewall Service
24.3.2 Listing Firewall Rules
24.3.3 Inserting and Replacing Rules in a Chain
24.3.4 Deleting Rules in a Chain
24.3.5 Saving Rules
Note

The iptables and system-config-firewall packages provide the components of the packet-filtering firewall and the accompanying utilities.

A packet filtering firewall filters incoming and outgoing network packets based on the packet header information. You can create packet filter rules that determine whether packets are accepted or rejected. For example, if you create a rule to block a port, any request is made to that port that is blocked by the firewall, and the request is ignored. Any service that is listening on a blocked port is effectively disabled.

The Oracle Linux kernel uses the Netfilter feature to provide packet filtering functionality for IPv4 and IPv6 packets respectively.

Netfilter consists of two components:

To implement a simple, general-purpose firewall, you can use the Firewall Configuration GUI (system-config-firewall) to create basic Netfilter rules.

Figure 24.1 shows the Firewall Configuration GUI.

Figure 24.1 Firewall Configuration

The figure shows the Firewall Configuration GUI.


To create a more complex firewall configuration, use the iptables and ip6tables utilities to configure the packet filtering rules.

Netfilter records the packet filtering rules in the /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files, which netfilter reads when it is initialized.

The netfilter tables include:

Filter

The default table, which is mainly used to drop or accept packets based on their content.

Mangle

This table is used to alter certain fields in a packet.

NAT

The Network Address Translation table is used to route packets that create new connections.

The kernel uses the rules stored in these tables to make decisions about network packet filtering. Each rule consists of one or more criteria and a single action. If a criterion in a rule matches the information in a network packet header, the kernel applies the action to the packet. Examples of actions include:

ACCEPT

Continue processing the packet.

DROP

End the packet’s life without notice.

REJECT

As DROP, and additionally notify the sending system that the packet was blocked.

Rules are stored in chains, where each chain is composed of a default policy plus zero or more rules. The kernel applies each rule in a chain to a packet until a match is found. If there is no matching rule, the kernel applies the chain’s default action (policy) to the packet.

Each netfilter table has several predefined chains. The filter table contains the following chains:

FORWARD

Packets that are not addressed to the local system pass through this chain.

INPUT

Inbound packets to the local system pass through this chain.

OUTPUT

Locally created packets pass through this chain.

The chains are permanent and you cannot delete them. However, you can create additional chains in the filter table.

For more information, see the iptables(8) and ip6tables(8) manual pages.

24.3.1 Controlling the Firewall Service

To start the firewall service (iptables) and configure it to start when the system boots, enter the following commands:

# service iptables start
# chkconfig iptables on

To save any changes that you have made to the firewall rules to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, so that the service loads them when it next starts:

# service iptables save

To restart the service so that it re-reads its rules from /etc/sysconfig/iptables and /etc/sysconfig/ip6tables:

# service iptables restart

To stop the service:

# service iptables stop

24.3.2 Listing Firewall Rules

Use the iptables -L command to list firewall rules for the chains of the filter table. The following example shows the default rules for a newly installed system:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source       destination         
ACCEPT     all  --  anywhere     anywhere        state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere     anywhere            
ACCEPT     all  --  anywhere     anywhere            
ACCEPT     tcp  --  anywhere     anywhere        state NEW tcp dpt:ssh 
ACCEPT     udp  --  anywhere     anywhere        state NEW udp dpt:ipp 
ACCEPT     udp  --  anywhere     224.0.0.251     state NEW udp dpt:mdns 
ACCEPT     tcp  --  anywhere     anywhere        state NEW tcp dpt:ipp 
ACCEPT     udp  --  anywhere     anywhere        state NEW udp dpt:ipp 
REJECT     all  --  anywhere     anywhere        reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source       destination         
REJECT     all  --  anywhere     anywhere        reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source       destination

In this example, the default policy for each chain is ACCEPT. A more secure system could have a default policy of DROP, and the additional rules would only allow specific packets on a case-by-case basis.

If you want to modify the chains, specify the --line-numbers option to see how the rules are numbered.

# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source           destination         
1    ACCEPT     all  --  anywhere         anywhere        state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  anywhere         anywhere            
3    ACCEPT     all  --  anywhere         anywhere            
4    ACCEPT     tcp  --  anywhere         anywhere        state NEW tcp dpt:ssh 
5    ACCEPT     udp  --  anywhere         anywhere        state NEW udp dpt:ipp 
6    ACCEPT     udp  --  anywhere         224.0.0.251     state NEW udp dpt:mdns 
7    ACCEPT     tcp  --  anywhere         anywhere        state NEW tcp dpt:ipp 
8    ACCEPT     udp  --  anywhere         anywhere        state NEW udp dpt:ipp 
9    REJECT     all  --  anywhere         anywhere        reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source           destination         
1    REJECT     all  --  anywhere         anywhere        reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source           destination

24.3.3 Inserting and Replacing Rules in a Chain

Use the iptables -I command to insert a rule in a chain. For example, the following command inserts a rule in the INPUT chain to allow access by TCP on port 80:

# iptables -I INPUT 4 -p tcp -m tcp --dport 80 -j ACCEPT
# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source           destination         
1    ACCEPT     all  --  anywhere         anywhere        state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  anywhere         anywhere            
3    ACCEPT     all  --  anywhere         anywhere            
4    ACCEPT     tcp  --  anywhere         anywhere        tcp dpt:http 
5    ACCEPT     tcp  --  anywhere         anywhere        state NEW tcp dpt:ssh 
6    ACCEPT     udp  --  anywhere         anywhere        state NEW udp dpt:ipp 
7    ACCEPT     udp  --  anywhere         224.0.0.251     state NEW udp dpt:mdns 
8    ACCEPT     tcp  --  anywhere         anywhere        state NEW tcp dpt:ipp 
9    ACCEPT     udp  --  anywhere         anywhere        state NEW udp dpt:ipp 
10   REJECT     all  --  anywhere         anywhere        reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source           destination         
1    REJECT     all  --  anywhere         anywhere        reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source           destination

The output from iptables -L shows that the new entry has been inserted as rule 4, and the old rules 4 through 9 are pushed down to positions 5 through 10. The TCP destination port of 80 is represented as http, which corresponds to the following definition in the /etc/services file (the HTTP daemon listens for client requests on port 80):

http            80/tcp          www www-http    # WorldWideWeb HTTP

To replace the rule in a chain, use the iptables -R command. For example, the following command replaces rule 4 in the INPUT chain to allow access by TCP on port 443:

# iptables -I INPUT 4 -p tcp -m tcp --dport 443 -j ACCEPT
# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  anywhere             anywhere            
3    ACCEPT     all  --  anywhere             anywhere            
4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
...

The TCP destination port of 443 is represented as https, which corresponds to the following definition in the /etc/services file for secure HTTP on port 443:

https           443/tcp                         # http protocol over TLS/SSL

24.3.4 Deleting Rules in a Chain

Use the iptables -D command to delete a rule in a chain. For example, the following command deletes rule 4 from the INPUT chain:

# iptables -D INPUT 4

To delete all rules in a chain, enter:

# iptables -F chain

To delete all rules in all chains, enter:

# iptables -F

24.3.5 Saving Rules

To save your changes to the firewall rules so that they are loaded when the iptables service next starts, use the following command:

# service iptables save

The command saves the rules to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables.