In the previous article, the Linux distributions available at the METU Computer Center were examined in detail. Shortly after that study, however, the distributors announced new releases (Slackware 9.0, Mandrake 9.1 and RedHat 9.0) that gave Linux a new face. We will continue to examine the new features of these releases in later issues of CISN.
This article addresses a technical issue: an extremely useful tool that users most frequently turn to when they want to protect their systems against network attacks. Such protection is usually provided by software known as a firewall, and operating systems now ship with built-in solutions for this purpose.
The Linux operating system provides a firewalling solution at the kernel level. For this, support must either be compiled into the kernel or provided as modules. Linux performs packet filtering with ipfwadm on 2.0.x kernels, with ipchains on 2.2.x kernels and with iptables on 2.4.x kernels. The required options should be selected while configuring the kernel, or the corresponding modules should be added to the kernel later.
Recent Linux systems use kernel 2.4 or above. For this reason, this article concentrates on the iptables program.
In the kernel configuration, the modules needed for firewalling are selected under the following path: Networking options -> IP: Netfilter Configuration -> IP tables support (required for filtering/masq/NAT)
Using Linux operating system as a standard security firewall:
If the support is not built into the kernel, the following commands load the required modules (this is the most frequently used method);
The Linux firewall has three main chains: INPUT, FORWARD and OUTPUT. You must first specify the default policy of these chains. With the default policy set to DROP, the firewall discards every packet, and only the packets that are explicitly allowed are ACCEPTed. Before specifying the default policies, you should define the exact location of the iptables program:
Then the default settings of the three main chains will be specified:
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
After that, you should add the rules that accept the packets you want. For example, to accept the packets coming from and going to the IP address 220.127.116.11, the following commands should be entered;
$IPTABLES -A INPUT -s 220.127.116.11 -j ACCEPT
$IPTABLES -A OUTPUT -d 220.127.116.11 -j ACCEPT
In the same way, you can specify either a single IP address or a whole block of addresses (network address/netmask):
$IPTABLES -A INPUT -s 126.96.36.199/255.255.202.0 -j ACCEPT
$IPTABLES -A OUTPUT -d 188.8.131.52/255.255.202.0 -j ACCEPT
You can also restrict packets according to their protocol (tcp, udp, icmp etc.) and their port number. For this filtering to work properly, you must know the protocols and port numbers of the services involved. For information about the standard services, refer to the /etc/services file on the Linux system, an excerpt of which is shown below:
# 21 is registered to ftp, but also used by fsp
ftp 21/tcp
fsp 21/udp fspd
ssh 22/tcp # SSH Remote Login
ssh 22/udp # SSH Remote Login
# 24 - private mail system
smtp 25/tcp mail
smtp 25/udp mail
For example, web servers provide their service with tcp packets on port 80. The following rules make the web server accessible from everywhere:
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 80 -j ACCEPT
Similarly, DNS servers use both tcp and udp packets on port 53. For example, if you want the DNS server to be accessible only from the IP addresses allocated to METU (the 144.122 block), the following rules must be specified:
$IPTABLES -A INPUT -p tcp -s 144.122.0.0/255.255.0.0 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 144.122.0.0/255.255.0.0 --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d 144.122.0.0/255.255.0.0 --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d 144.122.0.0/255.255.0.0 --sport 53 -j ACCEPT
Various kernel options let you use further iptables features, such as more advanced filtering and logging of matched packets.
Creating Virtual Networks with Iptables program:
According to the international standards, the following IP blocks are reserved for private (virtual) networks;
In Internet cafes and computer centers, in places where there are not enough IP addresses, or because of security measures that must be taken, Internet access is provided over a private network, sharing one connection among several computers. To do this, an ethernet card (or a modem) carrying the real IP address is installed in the computer that will provide the Internet access, and a second ethernet card is installed to connect the internal private network. To use the operating system as an IP MASQUERADE gateway, the required module is loaded into the kernel with the /sbin/insmod iptable_nat command.
For example, let's assume that the real connection is on the first ethernet card (eth0), the private network is on the second ethernet card (eth1) and a private network of 10 computers is created. Then the following settings should be made;
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
$IPTABLES -t nat -F
# $DISAG holds the name of the card with the real IP address (eth0 in this example)
$IPTABLES -t nat -A POSTROUTING -o $DISAG -j MASQUERADE
Then, on the computers in the private network, the IP address should be set as 10.x.x.x, the subnet mask as 255.0.0.0 and the gateway as 10.0.0.1. Once these settings are completed, the Internet is accessible from the private network.
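The filtering rules (the web server and DNS examples above) and the masquerading setup, collected into shell functions as an added example that is not part of the original article. It assumes the names IPTABLES, EXT_IF, INT_IF, LAN_NET, IP_FORWARD and APPLY_FIREWALL, adds a check that rejects non-contiguous netmasks such as 255.255.202.0 before they reach iptables, and adds the FORWARD rules that masquerading needs when the FORWARD chain's default policy is DROP.

```shell
#!/bin/sh
# Added example, not from the original article: the filtering and masquerading
# steps above as shell functions with a netmask sanity check. IPTABLES, EXT_IF,
# INT_IF, LAN_NET, IP_FORWARD and APPLY_FIREWALL are assumed names.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXT_IF=${EXT_IF:-eth0}      # card with the real IP (eth0 in the article)
INT_IF=${INT_IF:-eth1}      # card facing the private 10.x.x.x network
LAN_NET=10.0.0.0/255.0.0.0
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}

# Dotted-quad netmask -> 32-bit integer; fails unless it is four octets 0-255.
mask_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    v=0
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
        v=$(( v * 256 + o ))
    done
    echo $v
}

# A real netmask is 1 bits followed by 0 bits; 255.255.202.0 is rejected.
valid_mask() {
    m=$(mask_to_int "$1") || return 1
    x=$(( ((4294967295 - m) + 1) & 4294967295 ))
    [ $(( x & (x - 1) )) -eq 0 ]
}

# Open one service to one source block: allow_service tcp 53 144.122.0.0 255.255.0.0
allow_service() {
    valid_mask "$4" || { echo "rejecting bad netmask $4" >&2; return 1; }
    $IPTABLES -A INPUT  -p "$1" -s "$3/$4" --dport "$2" -j ACCEPT
    $IPTABLES -A OUTPUT -p "$1" -d "$3/$4" --sport "$2" -j ACCEPT
}

# Masquerade the private network behind EXT_IF. FORWARD defaults to DROP,
# so the forwarded traffic must also be accepted explicitly.
enable_masquerade() {
    echo 1 > "$IP_FORWARD"
    $IPTABLES -t nat -F
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$LAN_NET" -j ACCEPT
}

if [ "${APPLY_FIREWALL:-no}" = yes ]; then   # run as root with APPLY_FIREWALL=yes
    allow_service tcp 53 144.122.0.0 255.255.0.0 && enable_masquerade
fi
```

Running the script with IPTABLES=echo prints the rules it would add instead of applying them, which is a convenient way to review a rule set before loading it on the firewall.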
To download the iptables program and to get more information about the subject, please visit http://www.netfilter.org
Have fun with the reliable and secure computing of the Linux operating system...
Selçuk Han AYDIN