WARNING: The commands in this post could break the communications from or to your iptbales device and network(s). For this reason, don't use them in a production system or if you are remotely connected.
First a backup
Before we start to play with some commands, is important to create a backup of our rules. We can use iptables-persistent package to create a backup of the current rules. Once installed write the following command:
Iptables use this file to reconfigure the seated rules on reboots.
To recover the previously configured rules from /etc/iptables/rulesv4 run the following command:
There is another useful command to use when we start to create rules in our Linux box:
This command flushes the rules configurated, but don't change the chains' policies.
Allow all vs deny all
When we configure a firewall it is possible to have 2 different approaches:
- allow all the connections and deny some of them.
- deny all connections and allows someones.
Choose some of this approaches depends on the necessities that you or your organization require.
Lest take the approaches to deny all. To make this we have to change our Chins' policies to Drop.
Be careful with these commands, if you are connected remotely using ssh, for example, you will lose the communication because all of them are not allowed after run these commands.
Excellent now nothing can go out, come in or pass throw our computer. Now our computer is totally secure... and useless, for this reason, let's configure some rules to connect to it remotely.
I mentioned in the last post, I'm using ssh to connect remotely to my raspberry pi and manage it. To allow this connection I need to know the protocol used by ssh and the port where the ssh service listens. in this case, ssh has a TCP/22 port in my raspberry pi.
As we can see, external communication comes IN to the TCP/22 port in our Rasberry, for this reason, we are going to create a rule to exempt the DROP general policy in our INPUT chain. To do this, let's create a rule.
Wait!! Don't run anything yet.
The basic of our rule is this:
we can see two of the three parts that compose a rule, the first part is the name of the chain where we are going to Append the rule.
-A INPUT (-A can be changed for --append)
The last part is what we are going to do with the rule. in this case, accept
-j ACCEPT (-j for jump, in following examples we are going to understand why jump)
The second and most important part of our rule is not present in this example but it is the "why" the exception
If we run this command at is, this going to allow all the coming in communications to the computer, overwriting the default Policy DROP.
OK, lest doing something with this, let's include what we know about our service ssh
We are including the protocol TCP and the destination port:22. I don't see a problem with the protocol, but Why a dport or destination port?
When we try to connect from our computer to our raspberry, the raspberry has open the port 22. When we start the communication from our computer the destination of this communication is the raspberry and its port 22.
Great now we can configure this rule in our raspberry but...wait. This configuration allows a connection to the port 22 from any of the nets connected to the raspberry. and we just want to connect to port 22 from our LAN... we can specify from which interface we allow the connection
Now it looks better. Let's run our command, try it and... it fails. Why? Because we configured the general Policy for our OUTPUT chain with DROP, for this reason, the communication answers from the raspberry never go out. To fix this lets create a new rule
These rules have two important changes:
the option to declare the port changed to "sport" or "source port". This is because the responses come from port 22 in the Rasberry Pi to our remote computer.
The other change is the option to declare the interface. It change to "o" (output) is because when we want to specify an interface we have to indicate if it is an interface to receive or to send a communication.
Now you are able to connect using ssh to your raspberry, and is a good moment to create a backup of our rules.
No comments:
Post a Comment