Using iptables (netfilter) to Protect a Red Hat 7.x Workstation
This page contains information about Red Hat networking security options.
Red Hat 8 version
Instructions for setting up iptables on a Red Hat Linux 8.0 workstation are located at http://www.cites.illinois.edu/wsg/talks/iptables/iptables-rh8.html.
Red Hat 7 version
The slideshow that accompanies this page is located at http://www.cites.illinois.edu/wsg/talks/iptables/iptables.html.
This page contains simple configuration and init files, as well as instructions on how to install them on a Red Hat 7.1 system.
The following instructions only apply to Red Hat 7.1 installations. You may be able to adapt the scripts to work under other Linux distributions, but this has not been tested, and many of the following instructions will not be applicable to other distributions.
Note that I don't use the standard Red Hat method of implementing iptables. I personally think that iptables-restore, which is used in Red Hat's init script, is broken, and I'd much rather run an init script that calls a script to activate the desired rulesets.
Note amended 9 Jan 2003:
I have tested this procedure successfully under Red Hat 7.2 and 7.3.
Outline of procedure
- Determine if the iptables kernel module is installed on your system.
- Determine if the iptables user-space package is installed on your system.
- Create the iptables configuration and system initialization scripts.
- If ipchains is running:
- Set all ipchains chains to "accept."
- Stop ipchains module.
- Disable automatic startup of ipchains at boot.
- Start iptables.
- Confirm that iptables works as expected.
- Set the system up to start iptables at boot.
Detailed procedure
- Determine if the iptables kernel module is installed on your system. Run the following command:
      /sbin/modinfo ip_tables
  If an error message is returned, e.g., "modinfo: ip_tables: no module by that name found," then support for iptables has not been compiled into your kernel. One of the many resources that describes how to do so can be found at http://www.unixreview.com/articles/2001/0103/0103c/0103c.htm.
- Determine if the iptables user-space package is installed on your system. Run the following command:
      /bin/rpm -q iptables
  If the message "package iptables is not installed" appears, you will need to install the iptables package, which can be found on your favorite Red Hat Linux mirror site or on the first installation CD-ROM under (CD mount point)/RedHat/RPMS/. Once you have the package, you can install it with the rpm command, e.g.,
      /bin/rpm -ivh iptables-1.2.1a-1.rpm
  Once you have both the iptables kernel module and the iptables user-space package installed, you can continue with the installation.
- Create the iptables configuration script, and create a system initialization script to start/stop the iptables configuration.
  You will need to create a configuration script. The configuration script simply runs a sequence of iptables commands in order to create the needed packet-filtering chains.
  A simple, not-too-fancy iptables configuration script. (Note: last revised 12 Feb 2002)
  You should also create a system initialization script that runs at system boot. The initialization script calls the configuration script, and can also include an option to "stop" iptables by setting all chains to "accept," i.e., open up all access.
- If ipchains is running:
  - Check to see if ipchains is running with the following command:
        /sbin/lsmod | grep ipchains
    If the above command does not return output, then ipchains is not active; skip to step #5. If ipchains is running, the following steps will disable it.
  - Set all ipchains chains to "accept," i.e., deactivate ipchains. Run the following command:
        /etc/rc.d/init.d/ipchains stop
    This should allow through all inbound/outbound packets.
  - Stop the ipchains module. Run the following command:
        /sbin/rmmod ipchains
    This removes the ipchains module from the running kernel.
  - Disable automatic startup of ipchains at boot. Run the following command:
        /sbin/chkconfig --del ipchains
    This removes the symlinks in the appropriate system runlevels that point to the ipchains initialization script (and so prevents ipchains from being loaded at system boot).
- Start iptables (run the initialization script).
  - Make sure that the configuration script is owned and executable by root, e.g., assuming that the configuration script is named "iptables.rules":
        chown root iptables.rules
        chmod 700 iptables.rules
  - Put the configuration script somewhere you can find it. (The sample system initialization script expects the configuration script to be located in /etc/iptables.rules by default.) E.g., assuming that you had temporarily stored the new configuration script in /tmp/iptables.rules:
        cd /etc
        cp /tmp/iptables.rules .
  - Make sure that the system initialization script is owned and executable by root, e.g., assuming that the system initialization script is named "iptables":
        chown root iptables
        chmod 700 iptables
  - Replace the existing Red Hat-provided iptables script (if it exists), e.g., assuming that you had temporarily stored the new script in /tmp/iptables:
        cd /etc/rc.d/init.d
        mv iptables iptables.orig
        cp /tmp/iptables .
  - Run the system initialization script (assuming you named it "iptables"):
        /etc/rc.d/init.d/iptables start
  - Debug your scripts until you cease to get errors.
- Confirm that iptables works as expected. The following command lists the current iptables packet-filtering chains and their rules:
      /sbin/iptables -L
  However, for peace of mind, it's a good idea to check the machine with a port scanner, such as nmap.
- Set the system up to start iptables at boot. Once you are confident that your iptables setup runs correctly, create symlinks to the system initialization script from the appropriate runlevels:
      /sbin/chkconfig --add iptables
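The page's own configuration and initialization scripts were provided as separate downloads and are not reproduced here. The following is an added example, written for this page and not the author's script, of the approach the procedure describes: an init script that applies a workstation ruleset by running iptables commands directly (no iptables-restore) and that "stops" by setting every chain back to ACCEPT. For self-containment it folds the ruleset into the init script as the load_rules function, rather than calling a separate /etc/iptables.rules file as the page's layout does; the specific rules (default-deny inbound, allow loopback and established connections, reject identd, rate-limited logging) and the DRY_RUN switch are assumptions of this example. It also carries the "# chkconfig:" header that chkconfig --add reads to create the runlevel symlinks.

```shell
#!/bin/sh
# Example init script for /etc/rc.d/init.d/iptables (added example, not the page's own).
# The header below is what "chkconfig --add iptables" reads to place the runlevel symlinks:
# chkconfig: 2345 08 92
# description: Loads a simple workstation packet-filtering ruleset with iptables.
#
# Set DRY_RUN=1 to print the iptables commands instead of executing them,
# which lets the ruleset be reviewed (or tested) without root or a netfilter kernel.

IPTABLES=/sbin/iptables
DRY_RUN="${DRY_RUN:-}"

# Run one iptables command, or print it when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# "stop": set every built-in chain's policy to ACCEPT and remove all rules,
# i.e. open up all access, as the page describes for the init script's stop option.
open_all() {
    for chain in INPUT OUTPUT FORWARD; do
        ipt -P "$chain" ACCEPT
    done
    ipt -F   # flush all rules
    ipt -X   # delete any user-defined chains
}

# "start": the workstation ruleset (assumed example rules).
load_rules() {
    open_all                  # begin from a known, empty state
    ipt -P INPUT DROP         # default deny unsolicited inbound traffic
    ipt -P FORWARD DROP       # a workstation does not route packets
    ipt -P OUTPUT ACCEPT      # allow all outbound traffic
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host initiated (needs the conntrack/state modules).
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Reject identd probes with a reset so remote mail/IRC servers do not wait for a timeout.
    ipt -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # Log (rate-limited) everything else before it falls through to the DROP policy.
    ipt -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "IPT-DROP: "
}

case "${1:-}" in
    start|restart) load_rules ;;
    stop)          open_all ;;
    status)        "$IPTABLES" -L -n -v ;;
    "")            : ;;   # no argument: only define the functions (e.g. when sourced)
    *)             echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Run it as /etc/rc.d/init.d/iptables start, or preview the exact commands it would issue with DRY_RUN=1 /etc/rc.d/init.d/iptables start before trusting it on a live machine. Because load_rules first calls open_all, a restart never layers a second copy of the rules on top of the first, which is the usual failure when a ruleset script is run twice.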
References
- The Netfilter Project
- James C. Stevens' page
- The first of two articles about iptables in Unix Review
Last updated 9 January 2003 by m-woo@uiuc.edu
CITES Workstation Services Group http://www.cites.illinois.edu/wsg/
