Diff: HowFirewallingWorks

Differences between current version and revision by previous author of HowFirewallingWorks.


Newer page: version 11 Last edited on Friday, April 22, 2005 11:56:33 am by JohnMcPherson
Older page: version 10 Last edited on Friday, September 20, 2002 7:29:42 pm by PerryLorier
@@ -47,10 +47,11 @@
 !What are tables? 
 A table is a collection of chains that perform a related task such as filtering, address rewriting (nat) or modifying packet charactoristics (mangle). You cannot create your own tables without modifying the kernel. 
  
 The kernel starts out with three chains in the "filter" (main) table: INPUT, FORWARD and OUTPUT. 
- _ _ _  
- Incoming / \ Outgoing 
+<verbatim>  
+ _ _ _  
+ Incoming / \ Outgoing 
  -->[[Routing ]--->|FORWARD|-------> 
  [[Decision] \_ _ _/ ^ 
  | | 
  v _ _ 
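Review bot: the `<verbatim>` opened at `+<verbatim>` in this hunk is only closed in the following hunk, so the two hunks have to be applied together or the chain diagram and all of the text after it is rendered as one verbatim block. Inside the diagram, the context lines `-->[[Routing ]--->|FORWARD|------->` and `[[Decision] \_ _ _/ ^` still carry the doubled `[[` that was presumably there to stop the wiki from turning `[Routing]` into a link; now that the block is verbatim, confirm that the extra bracket does not show up literally and push the box out of alignment. While this section is being edited, `charactoristics` in the context line should read `characteristics`.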
@@ -59,8 +60,9 @@
  |INPUT| \_ _ / 
  \_ _/ ^ 
  | | 
  ----> Local Process ---- 
+</verbatim>  
  
 The three circles represent the three chains. When a packet reaches a circle in the diagram, that chain is examined to decide the fate of the packet. If the chain says to DROP the packet, it is killed there, but if the chain says to ACCEPT the packet, it continues traversing the diagram. The chain can say other things too like "LOG" (log this packet to syslog and continue processing), or jump to a user specified chain, or return from a user specified chain. 
  
 # When a packet comes in to the computer (normally from an ethernet card) the kernel first looks at the __destination__ of the packet: this is called __`routing'__. 
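Review bot: with `+</verbatim>` landing here the diagram is properly closed, but the trailing context line `this is called __`routing'__` mixes a backtick with an apostrophe (TeX-style quoting) inside the bold markers; plain matching quotes, `__"routing"__`, would render cleanly on the wiki.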
@@ -85,21 +87,46 @@
 Once a rule matches, you then have to jump somewhere else. If not, control will just pass to the next rule. 
  
 Some good places to jump: 
  
-; -j ACCEPT : Automatically accept this packet and stop traversing any chains for it  
-; -j DROP : Automatically drop this packet  
-; -J REJECT : Send back a message saying that this packet was not allowed 
+~ -j ACCEPT:  
+ Automatically accept this packet and stop traversing any chains for it  
+~ -j DROP:  
+ Automatically drop this packet  
+~ -j REJECT:  
+ Send back a message saying that this packet was not allowed 
  
+!!!Examples  
 !The world's simplest firewall and what it does 
+<verbatim>  
+# Create a new chain which blocks new connections on the ppp0 interface,  
+# except if coming from inside.  
+iptables -N block  
+iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT  
+iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT  
+iptables -A block -j DROP  
  
- ## Create chain which blocks new connections on the ppp0 interface, except if coming from inside.  
- iptables -N block  
- iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT  
- iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT  
- iptables -A block -j DROP  
-  
- # # Jump to that chain from INPUT and FORWARD chains.  
- iptables -A INPUT -j block  
- iptables -A FORWARD -j block 
+# Jump to that chain from INPUT and FORWARD chains.  
+iptables -A INPUT -j block  
+iptables -A FORWARD -j block  
+</verbatim>  
  
 When a packet comes into the machine, it will either go to INPUT or FORWARD depending on where the destination is (See above.) Then, when any other rules in the chain have completed, we will jump to the 'block' chain, executing all the rules up until we either ACCEPT or DROP the packet. 
+  
+!Restrict incoming [SSH] traffic  
+<verbatim>  
+# set up a new chain for ssh traffic  
+iptables -N ssh_syn  
+# filter the start of incoming ssh connections (includes forwarded!)  
+iptables -A INPUT -p tcp --syn --dport 22 -j ssh_syn  
+# allow these packets from local addresses  
+iptables -A ssh_syn -s 10.0.0.0/8 -j ACCEPT  
+iptables -A ssh_syn -s 192.168.0.0/16 -j ACCEPT  
+# university of waikato  
+iptables -A ssh_syn -s 130.217.0.0/16 -j ACCEPT  
+# hoiho.wlug.org.nz  
+iptables -A ssh_syn -s 203.97.10.50/32 -j ACCEPT  
+# default is to deny incoming ssh connections  
+iptables -A ssh_syn -j LOG  
+# the LOG target returns, so now either drop or reject these packets  
+iptables -A ssh_syn -j DROP  
+</verbatim>
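Review bot: the comment `# filter the start of incoming ssh connections (includes forwarded!)` above `iptables -A INPUT -p tcp --syn --dport 22 -j ssh_syn` is wrong: a rule on INPUT only sees packets addressed to the local host, and forwarded packets traverse FORWARD instead (as the diagram and text earlier in this page explain), so either add a matching `iptables -A FORWARD -p tcp --syn --dport 22 -j ssh_syn` or drop the parenthetical. The unconditional `iptables -A ssh_syn -j LOG` before the DROP also lets any remote host fill syslog with one line per SYN; rate-limit it with `-m limit --limit 3/min -j LOG` or similar. Minor: `-i ! ppp0` in the first example works on the iptables of this era, but the negation belongs before the option (`! -i ppp0`) in later releases, which warn about the intrapositioned form. Good catch on the `-J REJECT` to `-j REJECT` fix in the definition list.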