Using Iptables
From:     http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html






Using Linux iptables or ipchains to set up an internet gateway / firewall / router for home or office

Methods of connecting your private network to the internet:

This tutorial will cover using a Linux computer as a gateway router between a private network and the internet. Any internet connection, whether it be a dial-up PPP, DSL, cable modem or a T1 line, can be used. In the case of most dial-up PPP connections and some cable modem connections, only a single IP address is issued, allowing only one computer to connect to the internet at a time. Using Linux and iptables / ipchains one can configure a gateway which will allow all computers on a private network to connect to the internet via the gateway and one single external IP address, using a technology called "Network Address Translation" (NAT) or masquerading along with a private subnet (private local area network). Iptables/ipchains can also be configured so that the Linux computer acts as a firewall, providing protection to the internal network. Setting up a Linux system as a NAT gateway router requires the following steps:
  1. Determine a network topology - what IP addresses shall we use?
  2. Configure a Linux "gateway" system with two network ports, one for the external network and, one for the internal local NAT network
  3. Enable NAT using firewall rules
  4. Turn on the forwarding of network traffic through the gateway
  5. Configure systems on the internal network to use the gateway
  6. Add security firewall rules
Network Address Translation (NAT) and Network Topologies:
Network Address Translation (NAT) allows a user on a computer on a private network to point their web browser at a site on the internet via a gateway computer connecting the local LAN to the internet. The request is recognized to be beyond the local network, so it is routed to the Linux gateway using the private network address. The request for the web page is sent to the web site using the external internet IP address of the gateway. The reply is returned to the gateway, which then translates the IP address back to that of the computer on the private network which made the request. This is often called IP masquerading. The Linux OS interface which enables one to configure the kernel for masquerading is either iptables (Linux kernel 2.4) or ipchains (Linux kernel 2.2).

The gateway Linux computer will need two IP addresses and network connections, one to the private internal network and another to the external public internet. The computers (any OS) on the interior Local Area Network (LAN) will have a locally configured IP address. Use the IP address range reserved for local LAN use. Typically the external IP address is assigned to you by your Internet Service Provider (ISP).

A note on private network IP addresses: A set of IP addresses has been reserved by IANA for private networks. They range from 192.168.0.1 to 192.168.254.254 for a typical small business or home network and are often referred to as private network addresses. This is defined by RFC 1918 (IPv4) and by RFC 4193 (IPv6). Most private networks conform to this scheme.
Block                     Range                          CIDR Notation    Default Subnet Mask   Number of hosts
24 bit block in class A   10.0.0.0 - 10.255.255.255      10.0.0.0/8       255.0.0.0             16,777,216
20 bit block in class B   172.16.0.0 - 172.31.255.255    172.16.0.0/12    255.240.0.0           1,048,576
16 bit block in class C   192.168.0.0 - 192.168.255.255  192.168.0.0/16   255.255.0.0           65,536
The actual number of hosts will be fewer than listed because addresses on each subnet will be reserved as a broadcast address, etc. While Classless Inter-Domain Routing (CIDR) is used to define network blocks, the notion of a class helps categorize network blocks. For a description of class A, B, and C networks see the YoLinux Networking Tutorial class description. The private networks may be subdivided into various subnets as desired. Examples:
Range                          CIDR Notation      Default Subnet Mask   Number of hosts
10.2.3.0 - 10.2.4.255          10.2.3.0/23        255.255.254.0         512
172.16.0.0 - 172.17.255.255    172.16.0.0/15      255.254.0.0           132608
192.168.5.128 - 192.168.5.255  192.168.5.128/25   255.255.255.128       128
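As an added example (not part of the original tutorial), the following POSIX shell functions expand any CIDR block into the range, mask and address count shown in the tables above, and warn when the given address is not the first address of its block:

```shell
#!/bin/sh
# Added example, not from the YoLinux tutorial: expand "address/prefix" into
# first address, last address, dotted-decimal mask and address count.
# Uses only POSIX sh arithmetic (needs a shell with 64-bit integers).

ip_to_int() {
    # "a.b.c.d" -> unsigned 32-bit integer
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    # integer -> "a.b.c.d"
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

cidr_info() {
    # $1 = "address/prefix". Prints: first last mask count
    # Returns 1 on a malformed prefix. Warns on stderr when the address is
    # not the first address of the block (the block is then normalized).
    addr=${1%/*}
    prefix=${1#*/}
    case $prefix in
        ''|*[!0-9]*) echo "cidr_info: bad prefix in $1" >&2; return 1 ;;
    esac
    if [ "$prefix" -gt 32 ]; then
        echo "cidr_info: prefix /$prefix exceeds 32 in $1" >&2
        return 1
    fi
    count=$(( 1 << (32 - prefix) ))
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    given=$(ip_to_int "$addr")
    first=$(( given & mask ))
    last=$(( first + count - 1 ))
    if [ "$given" -ne "$first" ]; then
        echo "cidr_info: $addr is not on a /$prefix boundary; block starts at $(int_to_ip "$first")" >&2
    fi
    echo "$(int_to_ip "$first") $(int_to_ip "$last") $(int_to_ip "$mask") $count"
}

# Reproduce the RFC 1918 blocks and the subnet examples from the tables above
for block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
             10.2.3.0/23 172.16.0.0/15 192.168.5.128/25; do
    printf '%-18s %s\n' "$block" "$(cidr_info "$block")"
done
```

Run as-is it reproduces the tables and shows two things they do not: 10.2.3.0 is not on a /23 boundary (that block actually spans 10.2.2.0 to 10.2.3.255), and a /15 holds 2^17 = 131072 addresses.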
Your choice of network addresses for your local LAN will typically conform to a class "C" address block while your external IP address for the gateway computer will be that assigned by your ISP or corporate network administrator.

Firewall versions vs Linux kernel versions:

First we must determine what firewall mechanisms are available to us to perform the Network Address Translation and then turn it on if necessary. Note: References to ipfwadm and ipchains refer to older deprecated software.
Firewall Command   Linux Kernel Version   Red Hat Version
firewall-cmd       3.6.10+                RHEL 7, CentOS 7, Fedora 18+
iptables           2.4.x, 2.6.x, +        7.1 - 9.0, RHEL 5/6, CentOS 5/6, Fedora 1-17
ipchains           2.2.x                  6.x, 7.0
ipfwadm            2.0.x                  5.x
Note: the default Linux 2.4 kernel may use ipchains or iptables but not both. Iptables is the preferred firewall as it supports "state" and can recognize if a network connection has already been "ESTABLISHED" or if the connection is related to a previous connection (required for ftp, which makes multiple connections on different ports). Ipchains can not. Ipchains rules take precedence over iptables rules. During system boot, the kernel attempts to activate ipchains, then attempts to activate iptables. If ipchains rules have been activated, the kernel will not start iptables.

The Linux kernel 2.4 will not support ipchains unless that option is configured (during install or later). If during install you select "Disable Firewall - no protection" then ipchains will not be available and you must rely upon iptables for a manual firewall configuration (iptables only; ipchains will be unavailable). Check the ipchains boot configuration with: chkconfig --list | grep ipchains

The default Red Hat Linux 2.4 kernel is compiled to support both iptables and ipchains. Kernel support for ipchains is available during a kernel configuration and compilation. During make xconfig or make menuconfig turn on the feature: "IP: Netfilter Configuration" + "ipchains (2.2-style) support". Check your installation by using the command: rpm -q iptables ipchains These packages must be installed. The commands iptables and ipchains are the command interfaces to configure kernel firewall rules. The default Red Hat kernel 2.4 supports iptables and ipchains (but not both at the same time).

[Potential Pitfall]: When performing an upgrade instead of a new install, the upgrade software will not install iptables as it did not exist on the system previously. It will perform an upgrade to a newer version of ipchains. If you wish to use iptables, you must manually install the iptables RPM, i.e.: rpm -ivh iptables-XXX.i386.rpm

[Potential Pitfall]: The Linux operating system kernel may load or not load what you had expected. Use the command lsmod to see if ip_tables or ip_chains were loaded.

Switching a running system from ipchains to iptables: (Red Hat - Linux kernel 2.4 specific)
Sequence   Command                    Description
1          chkconfig --del ipchains   Remove ipchains from system boot/initialization process
2          chkconfig --add iptables   Add iptables to system boot/initialization process
3          ipchains -F                Flush ipchains rules
4          service ipchains stop      Stop ipchains. Also: /etc/init.d/ipchains stop
5          rmmod ipchains             Unload ipchains kernel module. The iptables kernel module can not be loaded if the ipchains module is loaded
6          service iptables start     Load iptables kernel module. Also: /etc/init.d/iptables start
Example 1: Linux connected via PPP (serial)

This example uses a Linux computer connected to the internet using a dial-up line and modem (PPP). The Linux gateway is connected to the internal network using an Ethernet card. The internal network consists of Windows PCs. The Linux box must be configured for the private internal network and PPP for the dial-up connection. See the PPP tutorial to configure the dial-up connection. Use the ifconfig command to configure the private network, i.e. (as root) configure the network interface to the LAN using either the ip or ifconfig commands.

Note: The modem connection is typically assigned an IP address dynamically by DHCP from the ISP. This is often configured during install or can be configured using the Gnome tool neat (or the admin tool Linuxconf or netcfg for older Red Hat systems). System changes made with the ifconfig or route commands are NOT permanent and are lost upon system reboot. Permanent settings are held in configuration scripts executed during system boot (i.e. /etc/sysconfig/...). See the YoLinux Networking tutorial for more information on assigning network addresses.

Example /etc/sysconfig/network-scripts/ifcfg-eth1:
    BOOTPROTO="static"
    IPADDR="192.168.10.101"
    NETMASK="255.255.255.0"
    DEVICE="eth1"
    ONBOOT="yes"

Pick up config file changes: systemctl restart NetworkManager

Run one of the following scripts on the Linux gateway computer:

iptables:
    #!/bin/sh
    iptables --flush               # Flush all the rules in the filter table (the default table)
    iptables --table nat --flush   # Flush all the rules in the nat table
    # Set up IP FORWARDing and Masquerading
    iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
    iptables --append FORWARD --in-interface eth0 -j ACCEPT   # Assuming one NIC to local LAN
    echo 1 > /proc/sys/net/ipv4/ip_forward                    # Enables packet forwarding by kernel
ipchains:
    #!/bin/sh
    ipchains -F forward                              # Flush all previous rules and settings
    ipchains -P forward DENY                         # Default set to deny packet forwarding
    ipchains -A forward -s 192.168.10.0/24 -j MASQ   # Use IP address of gateway for private network
    ipchains -A forward -i ppp0 -j MASQ              # Sets up external internet connection
    echo 1 > /proc/sys/net/ipv4/ip_forward           # Enables packet forwarding by kernel
A PPP connection as described by the YoLinux PPP tutorial will create the PPP network connection as the default route.

Example 2: Linux connected via an Ethernet connection (via DSL, Cable, T1)

High speed connections to the internet result in an Ethernet connection to the gateway. Thus the gateway is required to possess two Ethernet Network Interface Cards (NICs), one for the connection to the private internal network and another to the public internet. The Ethernet cards are named eth and are numbered uniquely from 0 upward. Configure the network interface using either the ip or ifconfig commands. Also see notes on adding a second NIC.

This is often configured during install or can be configured using the Gnome tool neat (or the admin tool Linuxconf or netcfg for older Red Hat systems). System changes made with the ifconfig or route commands are NOT permanent and are lost upon system reboot. Permanent settings are held in configuration scripts executed during system boot (i.e. /etc/sysconfig/...). See the YoLinux Networking tutorial for more information on assigning network addresses.

Example /etc/sysconfig/network-scripts/ifcfg-eth1:
    BOOTPROTO="static"
    IPADDR="192.168.10.101"
    NETMASK="255.255.255.0"
    DEVICE="eth1"
    ONBOOT="yes"

Pick up config file changes: systemctl restart NetworkManager

Run the appropriate script on the Linux computer where eth0 is connected to the internet and eth1 is connected to a private LAN. Select one of the options depending on the generation of Linux you are using: firewall-cmd, iptables or ipchains.

firewall-cmd:
Firewalld is preferred for CentOS7/RHEL7/Fedora 18+ and requires the use of NetworkManager. If not using NetworkManager, use iptables.

Enable and start the firewall daemon:
    sudo systemctl enable firewalld
    sudo systemctl start firewalld

Use the preconfigured "default" zone for the public external internet connection: public
The default zone can be determined with the command: firewall-cmd --get-default-zone
Use the preconfigured zone for the private internal network connection: internal

The firewalld configuration is in /etc/firewalld/firewalld.conf with zones defined in the directory /etc/firewalld/zones/. All network interfaces by default are assigned to the "default" zone. Assign a network interface to the private LAN by adding a "ZONE" assignment to the existing interface configuration. Pick up changes: (choose one)

Show zones: firewall-cmd --list-all-zones
    # Set up IP FORWARDing and Masquerading
    firewall-cmd --permanent --zone=public --add-masquerade
    firewall-cmd --permanent --zone=internal --add-source=192.168.10.0/24
    # or use a "direct" iptables configuration:
    # firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 192.168.10.0/24
    # Add services offered by the gateway. eg if the gateway is acting as a DHCP server and web server:
    firewall-cmd --permanent --zone=internal --add-service=dhcp
    firewall-cmd --permanent --zone=internal --add-service=http
    firewall-cmd --reload
    echo 1 > /proc/sys/net/ipv4/ip_forward   # Enables packet forwarding by kernel
The command line argument "--permanent" is optional.

iptables (Linux kernel 2.4.x+):
    # Delete and flush. Default table is "filter". Others like "nat" must be explicitly stated.
    iptables --flush               # Flush all the rules in the filter table
    iptables --table nat --flush   # Flush all the rules in the nat table
    # Set up IP FORWARDing and Masquerading
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    iptables --append FORWARD --in-interface eth1 -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward   # Enables packet forwarding by kernel

ipchains (Linux kernel 2.2.x):
    #!/bin/sh
    ipchains -F forward                              # Flush rules
    ipchains -P forward DENY                         # Default set to deny packet forwarding
    ipchains -A forward -s 192.168.10.0/24 -j MASQ   # Use IP address of gateway for private network
    ipchains -A forward -i eth1 -j MASQ              # Sets up external internet connection
    echo 1 > /proc/sys/net/ipv4/ip_forward           # Enables packet forwarding by kernel

Configure route for the gateway system:
Create a route for your local LAN to the outside world:
    route add -net 192.168.10.0 netmask 255.255.255.0 gw XXX.XXX.XXX.XXX dev eth0
Where XXX.XXX.XXX.XXX is the internet gateway defined by your ISP. This route may be assigned via DHCP if the system is configured. For more information on routing see the YoLinux networking tutorial.

Hardware:

Note: While this configuration requires that the Linux gateway computer have two network cards, if you only have one PCI slot available you may use a card such as the Intel Pro 100 or Pro 1000 Dual Port which has two Ethernet connections which reside on a single card. (This is what I use.) Yolinux Hardware tutorial: More on Network interface cards
Intel Dual Pro network card: the Intel PCI Dual Pro 100 or Pro 1000 NIC card supports two physical Ethernet connections (eth0, eth1) on one card.
  • Compliant Standards: IEEE 802.3-LAN, IEEE 802.3U-LAN, Plug and Play
  • Connectivity Technology: Cable - 10Base-T, 100Base-TX
  • Data Link Protocol: Ethernet, Fast Ethernet
  • Processor: 82550 - Intel

Configuring PCs on the office network:
All PCs on the private office network should set their "gateway" to be the local private network IP address of the Linux gateway computer. The DNS resolution should be set to that of the ISP on the internet.

Windows '95 Configuration:
Linux computers:
Where the NAT gateway Linux router has the IP address 192.168.10.101. This can also be set by the GUI tool /usr/bin/netcfg or the console tool /usr/sbin/netconfig, which can permanently set the values in /etc/sysconfig/network-scripts/ifcfg-eth0
  • DNS: Configure file /etc/resolv.conf to set the DNS resolvers and default domain. Example:
        search internal.megacorp.com
        nameserver 172.31.0.2
        nameserver 172.31.0.3
    See the Network configuration files portion of the Networking tutorial.
  • Simple firewall for the desktop Linux system: (not required, just added security protection)
        iptables -P INPUT DROP
        iptables -P FORWARD DROP
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A OUTPUT -o lo -j ACCEPT
    Allow network connections which have already been established (started by the host) and those related to your connection. (FTP requires this as it may use various ports in support of the file transfer.) Allow network input/output from self (lo).

Iptables options: (Linux kernel 2.4/2.6 firewall)

General /sbin/iptables format to add rules:
    iptables [-t|--table table] -command [chain] [-i interface] [-p protocol] [-s address [port[:port]]] [-d address [port[:port]]] -j policy

Six pre-defined "chain" rules are available:

iptables options:

Table (-t, --table)   Description
filter                Default table. This is used if not specified
nat                   Network address translation
mangle                Used for Quality Of Service (QOS) and preferential treatment
raw                   Enables optimization. i.e. ignore firewall state matching for port 80 for enhanced speed due to less processing. Requires kernel patch

Command (use one)     Description
-A --append           Append rule to chain
-D --delete           Delete rule from chain
-I --insert           Insert rule at beginning or at specified sequence number in chain.
-R --replace          Replace rule
-F --flush            Flush all rules
-Z --zero             Zero byte counters in all chains
-L --list             List all rules. Add option --line-numbers for rule number.
-N --new-chain        Create new chain
-X --delete-chain     Delete user defined chain
-P --policy           Set default policy for a chain
-E --rename-chain     Rename a chain

Command Option                  Description
-s --source                     Source address of packet
-d --destination                Destination address of packet
-i --in-interface               Interface packet is arriving from
-o --out-interface              Interface packet is going to
-p --protocol                   Protocol:
                                  tcp: --sport port[:port], --dport port[:port], --syn
                                  udp
                                  icmp
                                  mac
                                  ...
-j --jump                       Target to send packet to
-f --fragment                   Fragment matching
-c --set-counters               Set packet/byte counter
-m tcp --match tcp              --source-port port[:port] (port # or range #:#)
                                --destination-port port[:port]
                                --tcp-flags
-m state --match state --state  ESTABLISHED
                                RELATED
                                NEW
                                INVALID (Push content, not expected to receive this packet)

Defined Policies   Description
ACCEPT             Let packet through
DROP               Deny packet with no reply
REJECT             Deny packet and notify sender
RETURN             Handled by default targets
MARK               Used for error response. Use with option --reject-with type
MASQUERADE         Used with nat table and DHCP.
LOG                Log to file and specify message:
                     --log-level #
                     --log-prefix "prefix"
                     --log-tcp-sequence
                     --log-tcp-options
                     --log-ip-options
ULOG               Log to file and specify userspace logging messages
SNAT               Valid in PREROUTING chain. Used by nat.
REDIRECT           Used with nat table. Output.
DNAT               Valid in POSTROUTING chain. Output.
QUEUE              Pass packet to userspace.

For the full info see the man page for iptables.

Ipchains options: (Linux kernel 2.2 firewall)

General /sbin/ipchains format to add rules:
    ipchains -A|I [chain] [-i interface] [-p protocol] [-y] [-s address [port[:port]]] [-d address [port[:port]]] -j policy [-l]

ipchains options:

Command   Description
-A        Add rule to chain
-D        Delete rule from chain
-I        Insert rule
-R        Replace rule
-F        Flush all rules
-L        List all rules
-N        Create new chain
-X        Delete user defined chain
-P        Set default target

Command Option   Description
-s               Source address of packet
-d               Destination address of packet
-i               Interface packet is arriving from
-p               Protocol
-j               Target to send packet to
-y               For -p tcp. Packet is SYN packet.
--icmp-type      For -p icmp.
-l               Log the packet to syslog: /var/log/messages. Available in default Red Hat 6.0+ kernel

System targets (policy)   Description
ACCEPT                    Let packet through
DENY                      Deny packet
REJECT                    Deny packet and notify sender
MASQ                      Forward chain masquerade
REDIRECT                  Send to different port
RETURN                    Handled by default targets

Four chain rule types are available:
  • IP input chain
  • IP output chain
  • IP forwarding chain
  • User defined chains (just give it a new name instead of the built-in names: input, output or forward)

For the full info see the man page for ipchains. To add firewall rules read the links provided below.

Adding more security rules to your gateway:

iptables:

Deny a specific host:
    iptables -I INPUT -s XXX.XXX.XXX.XXX -j DROP

Block ports by adding the following firewall rules:
    # Allow loopback access. This rule must come before the rules denying port access!!
    iptables -A INPUT -i lo -p all -j ACCEPT    # Rule for your computer to be able to access itself via the loopback
    iptables -A OUTPUT -o lo -p all -j ACCEPT

    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP        # Block NFS
    iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP        # Block NFS
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP   # Block X-Windows
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP        # Block X-Windows font server
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP         # Block printer port
    iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP         # Block printer port
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP         # Block Sun rpc/NFS
    iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP         # Block Sun rpc/NFS
    iptables -A INPUT -p all -s localhost -i eth0 -j DROP              # Deny packets which claim to be from your loopback interface

These rules may be executed on their own to protect your system while attached to the internet or they may be appended to the end of the iptables gateway NAT scripts above.
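Putting the NAT rules from Example 2 together with the security rules above, as an added example that is not part of the original tutorial: an iptables gateway script with default-deny policies, stateful matching, anti-spoofing on the internet interface and logging of what is dropped. It assumes eth0 faces the internet and eth1 faces the 192.168.10.0/24 LAN (as in Example 2); the DRY_RUN mode that prints rules instead of applying them is my addition so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the YoLinux tutorial: a default-deny iptables NAT
# gateway. Assumes eth0 = internet side, eth1 = private LAN 192.168.10.0/24.
# Invoke as "./gateway.sh apply" (as root) to load the rules; any other
# invocation only prints them (DRY_RUN=1) for review.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    # Apply one iptables rule, or print it when DRY_RUN=1.
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

gateway_rules() {
    # Start clean; the nat table must be flushed explicitly.
    ipt -F
    ipt -t nat -F
    # Drop everything by default, then grant what is needed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback must be accepted before any deny rule.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing: nothing arriving from the internet may claim a private
    # (RFC 1918) or loopback source address. Log, then drop.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        ipt -A INPUT -i "$WAN_IF" -s "$net" -j LOG --log-prefix "SPOOF_DROP: "
        ipt -A INPUT -i "$WAN_IF" -s "$net" -j DROP
        ipt -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done

    # Stateful: accept replies to connections the gateway or the LAN started.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may ssh to the gateway and open new connections to the internet.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # NAT: rewrite the LAN source address to the gateway's external address.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Log whatever still falls through to the DROP policies (see "Debugging and logging").
    ipt -A INPUT -j LOG --log-prefix "INPUT_DROP: "
    ipt -A FORWARD -j LOG --log-prefix "FORWARD_DROP: "
}

kernel_settings() {
    # Forwarding plus the two /proc protections covered later on this page:
    # SYN cookies and reverse-path (source address) verification on the
    # internet interface. Printed instead of written when DRY_RUN=1.
    for f in ip_forward tcp_syncookies "conf/$WAN_IF/rp_filter"; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "echo 1 > /proc/sys/net/ipv4/$f"
        else
            echo 1 > "/proc/sys/net/ipv4/$f"
        fi
    done
}

case "${1:-}" in
    apply) DRY_RUN=0 ;;
esac
gateway_rules
kernel_settings
```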
Debugging and logging:
    iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
    iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "

Add this to the end of your rules and you should be able to monitor dropped connections in /var/log/messages. I do NOT log in this method due to the outrageous volume of messages it generates. Use this for debugging or short term monitoring of the network.

Another approach to firewalls is to drop everything and then grant access to each port you may need.
    iptables -F
    iptables -A INPUT -i lo -p all -j ACCEPT    # Allow self access by loopback interface
    iptables -A OUTPUT -o lo -p all -j ACCEPT
    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT   # Accept established connections
    iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT   # Open ftp port
    iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
    iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT   # Open secure shell port
    iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT   # Open HTTP port
    iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --syn -s 192.168.10.0/24 --destination-port 139 -j ACCEPT   # Accept local Samba connection
    iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT
    iptables -P INPUT DROP   # Drop all other connection attempts. Only connections defined above are allowed.

ipchains:

This script configures firewall rules for a Linux computer with two Ethernet ports. One port connects the computer to the internet with an external address of XXX.XXX.XXX.XXX. The other Ethernet port connects the computer to an internal network of 192.168.10.0 to 192.168.10.255. This script is more complex but preferred to the previous scripts because of the extra security that the extra firewall rules offer.
The script does work with a system running portsentry. For more on portsentry see the YoLinux Internet Security: portsentry Tutorial.

Internet external network interface: eth0
Internal private network interface: eth1
Local loopback virtual interface: lo

Gateway script for ipchains firewall and NAT:
    #!/bin/sh

    # Flush Rules
    ipchains -F forward
    ipchains -F output
    ipchains -F input

    # Set default to deny all
    ipchains -P input DENY
    ipchains -P output DENY
    ipchains -P forward DENY

    # Add Rules

    # Accept packets from itself (localhost) (s)ource to itself (d)estination
    # Keeps system logging, X-Windows or any socket based service working.
    ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo
    ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo

    # Deny and log (option -l) spoofed packets from external network (eth0) which mimic internal IP addresses
    ipchains -A input -j REJECT -p all -s 192.168.10.0/24 -i eth0 -l

    # Accept requests/responses from/to your own firewall machine
    ipchains -A input -j ACCEPT -p all -d XXX.XXX.XXX.XXX -i eth0
    ipchains -A output -j ACCEPT -p all -s XXX.XXX.XXX.XXX -i eth0

    # Allow outgoing packets source (s) to destination (d)
    ipchains -A input -j ACCEPT -p all -s 192.168.10.0/24 -i eth1
    ipchains -A output -j ACCEPT -p all -s 192.168.10.0/24 -i eth1

    # Deny and log (option -l) outside packets from internet which claim to be from your loopback interface
    ipchains -A input -j REJECT -p all -s localhost -i eth0 -l

    ipchains -A forward -s 192.168.10.0/24 -j MASQ
    ipchains -A forward -i eth1 -j MASQ

    # Enable packet forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

Notes: For this example it was assumed that your private network is from 192.168.10.0 to 192.168.10.255. The -d 0.0.0.0/0 refers to all or any destination address of packet.
(The destination in this case is irrelevant and the -d statement may be omitted.) localhost refers to your loopback interface on 127.0.0.1.

Red Hat will configure firewall rules as an option during installation. Example of the security configuration: /etc/sysconfig/ipchains
This is the configuration file for the script /etc/rc.d/init.d/ipchains (which calls /sbin/ipchains-restore) which may be invoked during system boot.
    # Firewall configuration written by lokkit
    # Manual customization of this file is not recommended.
    # Note: ifup-post will punch the current nameservers through the
    # firewall; such entries will *not* be listed here.
    :input ACCEPT
    :forward ACCEPT
    :output ACCEPT
    -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT                 # Allow WWW http access to web server
    -A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT                 # Allow SSH (Secure Shell) access
    -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT   # Allow DHCP/BOOTPC
    -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT
    -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
    -A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT                      # eth1 internal network access OK. External eth0 goes through firewall rules
    -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT             # This shuts off telnet, FTP, bind...! Use for a workstation only
    -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
    -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT                # Workstation only, or explicitly open ports as above with 80, 22
    -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT                  # Block NFS
    -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT          # Block remote X-Window connections
    -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT               # Block remote font server connections

Note: Once ipchains have been invoked for kernel 2.4, one may NOT use iptables. You may use one or the other but not both.
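The LOG rules in the "Debugging and logging" section above produce kernel messages in /var/log/messages. As an added example (not from the original tutorial), this script summarizes those entries by prefix, source address and destination port and flags sources that probed several ports; the log lines are constructed samples using the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24.

```shell
#!/bin/sh
# Added example, not from the YoLinux tutorial: summarize iptables LOG
# entries ("INPUT_DROP: ", "OUTPUT_DROP: ", ...) from /var/log/messages.
# SAMPLE_LOG is constructed test data in klogd/syslog format.

SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:15:22 gateway kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4212 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:23 gateway kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4213 DF PROTO=TCP SPT=40124 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:24 gateway sshd[1182]: Accepted publickey for user1 from 192.168.10.5 port 51022 ssh2
Mar  3 10:15:25 gateway kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4214 DF PROTO=TCP SPT=40125 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:26 gateway kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4215 DF PROTO=TCP SPT=40126 DPT=2049 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:16:01 gateway kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=901 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:16:30 gateway kernel: SPOOF_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.5 DST=198.51.100.2 LEN=64 TOS=0x00 PREC=0x00 TTL=61 ID=77 PROTO=UDP SPT=5353 DPT=53 LEN=44
Mar  3 10:17:02 gateway kernel: OUTPUT_DROP: IN= OUT=eth0 SRC=198.51.100.2 DST=203.0.113.200 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=3021 SEQ=1
EOF
)

summarize_drops() {
    # stdin: syslog lines. stdout: "<prefix> <src> <proto>/<dport> <count>",
    # most frequent first. Fields are located by name, not position, so a
    # "[uptime]" stamp after "kernel:" does not matter.
    awk '
        /kernel: .*_DROP: / {
            prefix = ""; src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /_DROP:$/)       prefix = $i
                else if ($i ~ /^SRC=/)    src = substr($i, 5)
                else if ($i ~ /^PROTO=/)  proto = substr($i, 7)
                else if ($i ~ /^DPT=/)    dpt = substr($i, 5)
            }
            count[prefix " " src " " proto "/" dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k4,4nr -k2,2
}

scan_candidates() {
    # stdin: syslog lines. Prints "<src> <distinct ports>" for every source
    # whose dropped packets hit at least $1 (default 3) distinct destination
    # ports, a simple port-scan indicator.
    min=${1:-3}
    awk -v min="$min" '
        /kernel: .*_DROP: / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
    ' | sort
}

echo "== dropped packets by prefix, source and port =="
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
echo "== sources probing 3 or more ports =="
printf '%s\n' "$SAMPLE_LOG" | scan_candidates 3
```

On a real gateway feed the functions with summarize_drops < /var/log/messages, or journalctl -k | summarize_drops on a systemd host.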
Save/restore an iptables/ipchains configuration:

IpTables: (see the iptables-save man page)
    /sbin/iptables-save > /etc/sysconfig/iptables.rules
    /sbin/iptables-restore < /etc/sysconfig/iptables.rules

IpChains:
    /sbin/ipchains-save > /etc/sysconfig/ipchains.rules
    /sbin/ipchains-restore < /etc/sysconfig/ipchains.rules

The system init script looks for the file name /etc/sysconfig/ipchains instead of /etc/sysconfig/ipchains.rules. This will make the rules accessible to the init script which will invoke the rules upon system boot. See the YoLinux Init process tutorial for more information on init scripts and system boot procedures. Also see: how to turn off ICMP and look invisible to ping.

Linux IP Forwarding:

Choose one of the following to allow the Linux kernel to forward IP packets:
  1. Immediately allow the forwarding of packets. The configuration is not preserved on reboot but sets a flag in the kernel itself.
         echo 1 > /proc/sys/net/ipv4/ip_forward
  2. Another method is to alter the Linux kernel config file /etc/sysctl.conf. Set the following value:
         net.ipv4.ip_forward = 1
     This will configure the system to allow forwarding of packets upon system boot. It is stored in this configuration file and thus read and set upon system boot. If set to "0" then there will be no forwarding of packets.
  3. An alternate method is to alter the network script /etc/sysconfig/network:
         FORWARD_IPV4=true
     Change the default "false" to "true".

All the above methods will result in a proc file value of "1" to allow TCP packet forwarding. Options 2 and 3 set boot configurations in a configuration file and will not take effect until system boot or until this command is issued: sysctl -p

Test the current setting of the kernel: cat /proc/sys/net/ipv4/ip_forward
Note: The /proc directory is NOT on your hard drive but is present in the running kernel.

CIDR Notation:

The notation "/24" refers to the use of the first 24 bits of a 32-bit IP address. This is the equivalent of using the bitmask 255.255.255.0.
To put it another way, it specifies a range of IP addresses: 0 to 255 for the last octet while the first three remain constant. Example: 192.168.103.0/24 refers to the IP address range 192.168.103.0 to 192.168.103.255. The notation "/32" refers to a single IP address as it implies that all 32 bits of the IP address are significant.

proc file settings:

Additional security rules for gateway protection: The gateway is the system exposed to the internet and thus is the first line of defense against hackers. Here are some extra security tips.

Turning on Linux kernel support for spoof and DOS (Denial Of Service) protection:
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Must first be compiled into the kernel. (Included in the Redhat default kernel.) By default the Redhat install has this disabled (set to 0). This helps to prevent against the common 'syn flood attack'. A connecting computer (peer) may not receive reliable error messages from an overloaded server with syncookies enabled. For more on SYN cookies see: CERT Advisory CA-96.21

Turn on Source Address Verification: (Off by default on Red Hat install - set to 0)
    echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
OR
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
State the interface appropriate for your installation. The first example prevents spoofing attacks against your external networks only. IP spoofing is a technique where a host sends out packets which claim to be from another host. It is also used to hide the identity of the attacker.

The TCP man page (Linux Programmer's Manual) and /usr/src/linux/proc.txt (Kernel 2.4) cover the /proc/sys/net/ipv4/* file descriptions. Also see: local file:/usr/src/linux/Documentation/proc.txt and the proc man page.

Configuration Tools:

GUI tools and scripts exist to help you with the configuration of ipchains. See:
  • Firestarter - Configuration of firewall and real-time hit monitor for the Gnome desktop.
    Configures ipchains (kernel 2.2) and iptables (kernel 2.4)
  • Firewall Builder - iptables, ipfilter and OpenBSD PF. (GTK--)
  • Included with Red Hat 7.x is the Gnome GUI tool gnome-lokkit. (ipchains)

Tools for iptables configuration:
  • Webmin - Linux web admin tool
  • Shorewall
  • NARC: Netfilter Automatic Rule Configurator

SSH Tunneling Through The Gateway:

One can give access and expose a system on the local LAN to the outside network via the gateway router. For example one can use SSH to allow web traffic to the gateway to be passed on to an internal web server. Run the following command on the NAT'ed web server on the local LAN to generate a connection between the web server and the gateway which will forward all web traffic received on the gateway on port 8080 and re-route it to port 80 on the internal web server.
    ssh -nNT -R 8080:localhost:80 user1@gateway.megacorp.com
or using port 80 for all web traffic:
    ssh -nNT -R 80:localhost:80 user1@gateway.megacorp.com
Note that sshd on the gateway binds a remote-forwarded port to its loopback interface unless its GatewayPorts setting permits binding to other addresses, so check that setting if outside hosts cannot reach the forwarded port.

Links and information:

firewalld:
  • Fedora Firewalld home page
  • RHEL7 firewalls
  • RHEL7 firewalld getting started
iptables:
  • IpTables.org - Netfilter/Iptables home page
  • Linux iptables syntax - by Shane Chen
  • ipmenu - Console based application for viewing and editing iptables and chains.
  • Bastille Linux - Security hardening system (script)
  • IPTables Firewall Script - Bob Sully
ipchains:
  • Man page for ipchains
  • Man page for ifconfig
  • Ipchains HOWTO - LDP - Paul Russell
  • Linux Firewall Script - ipchains and ipfwadm scripts and configuration. (It's the fanciest I've seen.) - by Craig Zeller
  • linas.org: Linux NAT, Load Balancing, and High Availability
  • Config /etc/rc.d/init.d/firewall script file - Web Server
  • Config /etc/rc.d/init.d/firewall script file - Mail Server
Relevant networking links:
  • Traffic shaping - bandwidth allocation using tc - by Shane Chen
  • tc examples
  • PPP Dialing your ISP - TUTORIAL
  • Man page for resolv.conf
  • Man page for pppd
  • Man page for chat
  • Connecting to an ISP
  • Networking overview HOWTO - LDP
  • Modem HOWTO - LDP
  • Smoothwall.org - Web managed OS for Firewall, VPN, Dialup, Intrusion detection, DMZ, dynamic DNS, DHCP, port forwarding, ...
  • DSLreports.com: Reviews of DSL providers, bandwidth speed measurement, Tools, Info
Linux Based Routers:
  • Leaf - Linux Embedded Application firewall
  • Eigerstein
SOCKS Proxy Servers: I can no longer find the NEC reference implementation but here are some other SOCKS proxy server options for Linux:
  • sSOCKS5
  • Polipo - SOCKS 5, web caching, IPV6 support
  • DeleGate - proprietary software

One may also configure ssh to provide SOCKS5 proxy capability:
    ssh -f -N -D 0.0.0.0:1080 localhost
Where:
  • -D: port forwarding on port 1080. The IP address 0.0.0.0 specifies the socket option INADDR_ANY which means that it is listening for connections from any IP address.
  • -N: stays idle and does not allow for the execution of commands on localhost
  • -f: Run in the background as a daemon
Iptables can be used to further restrict IP sources accessing port 1080 and add further security constraints.