
IPTABLES /HOWTO

This iptables howto is an iptables howto (shocking!) and has some extras, such as a short floppy-firewall and LRP howto with some ipchains scripts for a floppy firewall.

This howto is meant for those who want to configure their Linux iptables firewall properly, and also for those who want to do this with Linux floppy-disk routers/firewalls.

I wrote this because I can't stand all these automatic configuration tools with their incomprehensible 'magic'. There is no magic to firewalls: they are best if you understand them exactly. Therefore this document is a success if it teaches you how it all works. But if you just feel like ripping a good script fast to use: please go ahead. If you find mistakes: please let me know, at hanscees(at)hanscees.com.

What is iptables:


Iptables is the part of Linux, as of kernel 2.4, that does stateful firewalling. This means it can protect your network to some extent. It is thus a firewall.

Why iptables?


Back to contents | Why iptables | What can a firewall protect you from and what not section | Introduction to iptables; the syntax | a basic firewall | Improvement1: nat | Improvement 2: stop and log some worms and hackers | The works: scripts with all tricks in them | advanced stuff: trouble shooting , DOS-prevention and mangling and so on | monitor whats going on | prevent a dos attack | nat and re-direction better explained | sourcerouting | qos: guarantee bandwith with quality of service. | Links to other sources and help | sidedish: how to patch and compile a kernell. | What is floppy firewall, lrp? | why floppies | | Ipchains firewall scripts for floppy | Iptables firewall scripts for floppy

why iptables

Why iptables can be answered like this:

- I have worked with a $5000 Cisco PIX firewall and realized that a 50-cent floppy with kernel 2.4 could do the same (and more, probably not faster though :-) [a PIX firewall can do more traffic per second I think, although I have never seen statistics on it]).

II. What can a firewall protect you from and what not section


Understanding how you can be attacked is important when using firewalls. Therefore it is important that you understand what iptables can do, but more importantly what it cannot do.

It can:

  • Protect you from scans that could otherwise crash computers or reveal information about your computer network
  • Protect your network from people trying to invade your computers and hack into them
  • Protect you to some extent against worms trying to make contact with the internet
  • Protect you to some extent from DoS attacks

It cannot:

  • Protect you from viruses
  • Protect services you run (like ftp or www servers) from exploits or buffer overflows
  • Protect you from stupid mistakes if you do not test and scrutinize your firewall rules well enough
  • Protect you from holes you make in your firewalls
  • Protect you after vulnerabilities are found that you do not patch
  • Do intrusion detection. You might just need it. Use snort (www.snort.org). See also www.trinux.org.

It (iptables) can also:

  • Do load balancing of web servers and the like, in the sense that it can spread traffic aimed at one IP over a network of servers
  • Do port forwarding and nat

You will be safest if you:

  • Have only workstations that you shield with nat, without any port forwarding (combined with virus scanning on the inside computers). Nat makes it almost impossible to connect to inside computers from the outside (not if they use icq for instance, and connection hijacking can still be done, as well as using trojan horses and so on), and the Linux kernel reassembles fragments at the firewall if you use nat.

You will be at some risk if you:

  • Run servers.

However,

no nuts, no glory!

    Iptables howto

    1. Intro



    Using iptables is actually easy compared to ipchains. If you are new to ipchains, iptables and firewalling, you might want to check out some iptables basics here. Iptables and ipchains are rule languages through which you tell the Linux kernel what traffic to allow, what to block, and what to log.

    It works something like this:
    iptables -A INPUT -i eth0 -p tcp -d 192.168.0.2 -j ACCEPT
    This means that iptables should add (-A) a rule to the INPUT chain of rules that accepts traffic on the eth0 interface [your internet connection, usually] which consists of tcp traffic (so not ping or udp) and is aimed at the IP address 192.168.0.2. Note that chain names are case-sensitive: the built-in chains are INPUT, OUTPUT and FORWARD (and PREROUTING and POSTROUTING in the nat table), and a lowercase "input" is refused as an unknown chain.

    Since we are using this code to make a firewall, it is usually the case that you have a network behind the firewall to protect from the internet. Iptables has made this easier than ipchains. In ipchains all traffic through the firewall to the internal net had to get through the input and output chains. This was a drag. Iptables is better: all traffic from the internet to the internal network and back goes through the FORWARD chain, and only traffic from and to the firewall itself goes through the INPUT and OUTPUT chains.
    This means fewer rules and thus better security (you can make fewer mistakes :-))

    For instance, if you have a firewall that should only forward traffic, and you adjust it locally from the console, your INPUT and OUTPUT chains can be like this:

    iptables -A INPUT -j REJECT
    iptables -A OUTPUT -j DROP

    If you want to be able to test from your firewall, so that you can ping outside and so on, add this rule. It must come before the REJECT rule, because rules are matched in order (-I inserts it at the top), and the OUTPUT chain must let your own traffic out as well:
    iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    This invokes the stateful firewalling and tells the kernel to let through all traffic that is an answer to your internally generated traffic.

    OK. So far a little introduction. Now lets get to work. First you must decide what you want the firewall to do.

    Option basic: Protect your intranet from hackers on the internet



    Protect your intranet from hackers. You have this weird feeling that others should not be using your computers to stash their data and nuke www.greenpeace.org and so on. How to proceed?

    A basic iptables firewall script for this use is given by the writers of iptables themselves, in Rusty's Really Quick Guide To Packet Filtering:
    =========================firewall example 1===========
    ## Insert connection-tracking modules (not needed if built into kernel)
    ## [needed so that ftp and tcp work].
     insmod ip_conntrack
     insmod ip_conntrack_ftp

    ## Create chain which blocks new connections, except if coming from inside.
    iptables -N block
    iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    ## you should change ppp0 into eth0 if you do not use a modem but a nic instead
    ## (newer iptables versions write the negation as "! -i ppp0")
    iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
    iptables -A block -j DROP

    ## Jump to that chain from INPUT and FORWARD chains.
    iptables -A INPUT -j block
    iptables -A FORWARD -j block

    ==================================end firewall example 1==========
    And that is it! This example makes sure that the only traffic that can get into the firewall, via the INPUT chain, is an answer to what the firewall asked from the internet. So you can ping the internet, but they cannot ping you if you do not start it. You can look up URLs from your firewall, but no unsolicited traffic can get in.
    The intranet you are protecting can also get to the internet, but the internet cannot make unsolicited connections to your intranet. This goes via the FORWARD chain.

    Note that this script is actually very smart. First, it uses the same rules for the INPUT and FORWARD chains: by jumping to a home-made chain (-j block) the chain is used twice. Further, it uses the fact that the ppp0 device (the modem device) is the only device that goes to the internet. It blocks traffic coming in on this device, and thus from the internet, by saying that NEW traffic into this interface is not allowed. You need to know that for iptables you can say -i ppp0, but also -o ppp0. In the first case ppp0 is the interface where traffic comes inbound to the firewall (INPUT or FORWARD), in the second the interface where traffic goes out.

    So if your outside interface is a modem (ppp0) and the interface from your firewall to the intranet is eth1, a packet going from the internet to your intranet and back will pass:
    a. -i ppp0
    b. -o eth1
    c. -i eth1
    d. -o ppp0

    However, this example is not as safe as it can be, and if you do not have your own IP address block it will not even work. And that is what firewalling is about. After all, a few more lines can get you a lot more safety. To improve this script we are going to add two things: nat and trojan horse catchers. As a third we can add logging, so you can see if people are trying to break in.

    Improvement 1. adding nat



    If you only have one IP address and more computers to surf with, you need nat. Even if you only have one computer, it is more secure to work from behind nat.

    I do not know why, but you can achieve network address translation in three ways with iptables. However, the bottom line is this: inside the firewall you use private address ranges. You cannot use those on the internet: no router will forward the packets. These are 192.168.x.x, 10.x.x.x and 172.16.x.x.
    Network address translation (nat) amounts to this principle: all network traffic coming from computers inside your firewall, and thus with private-range source addresses, is changed so that the IP address (or a range of IP addresses) of the outside network card of your firewall becomes the source address. Judging from the source address, all packets you send arrive at the ISP as coming from your firewall.

    And why is nat more secure? Well, it makes it impossible for an attacker to make a connection to your inside computers, most of the time.
    Not all of the time. No! It does not help you if you use icq for instance, or any program that keeps a line open from the inside to the outside for traffic coming in. If you open a door from the inside, people can get in.
    It also does not work if you re-route ports from your firewall to the inside, of course. And last but not least, people can still hijack your connection, spoof a site, make you give your credit card number when you should not, and so on. It will not help you against DoS attacks and viruses either. Just so you have some perspective. It will protect you from port scans and the like, and from some, but not all, trojan horses.


    Also, if you install ssh/telnet on your firewall and it gets broken into, or your firewall is broken into you can still be attacked directly.

    OK, but how do we do nat then?

    Simply by:

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    Notice that this says that your eth0 is the outside and that traffic to the outside will be masqueraded.

    Add this together with your other rules and you get

    =========================firewall example 2: masquerading ===========
    ## Insert connection-tracking modules (not needed if built into kernel).
     insmod ip_conntrack
     insmod ip_conntrack_ftp

    ## Create chain which blocks new connections, except if coming from inside.
    iptables -N block
    iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    ## you should change ppp0 into eth0 if you do not use a modem but a nic instead;
    ## use the same outside interface here and in the MASQUERADE rule below
    iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
    iptables -A block -j DROP

    ## Jump to that chain from INPUT and FORWARD chains.
    iptables -A INPUT -j block
    iptables -A FORWARD -j block

    ## Masquerade everything leaving on the outside interface
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    ==============================end example two=========


    Just for the record: yes you can do this with snat (source nat) also.

    Step two: catching trojan horses and scanners and so on in the act




    A second improvement that you can easily add is to search for ports that are used by well-known worms, trojans and protocols you do not want, and then block and log these ports. You will still need anti-virus software to get these off your computers, but blocking these ports can help.

    You can do a couple of things. First of all, if you use the --state option for blocking unsolicited incoming connections, iptables will block incoming SYN packets, and thus tcp connections, and udp traffic. But it will not block outgoing spyware, or show you incoming traffic like scans and the lot. What you can add is this:

    1. rules to block and log outgoing traffic.
    2. rules to log and possibly block incoming traffic.

    First, rules for outgoing traffic. You can look up
    http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html
    and block all ports you can find :-)
    Or just pick out a few villains and block them.

    You can simply do something like this for one range of ports you want to log (--dport only works together with -p tcp or -p udp, so add a udp rule too if you want both):

    iptables -A INPUT -p tcp --dport 136:139 -j LOG --log-prefix ' ##m$oftfilesharing## '

    If you are smart you may use the multiport match to list up to 15 ports:

    iptables -A INPUT -p tcp -m multiport --destination-port 445,111,137,138,139 -j LOG --log-prefix "unwantedports input block"

    If you want to do this for the inside network you should do the same for -A FORWARD.

    You could also block these ports if you wanted, but in theory at least this is not necessary, because the --state rules should do that. You can check that of course by putting these logging rules after the normal rules and seeing if traffic hits these logging rules.
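    To see whether traffic actually hits such logging rules you have to read the kernel log. Here is an added example (my own, not part of the original howto) that summarises LOG lines per protocol, destination port and source address. The sample log lines are constructed in the format the kernel writes for -j LOG, using the prefixes from the rules above; the addresses in them are made up.

```shell
#!/bin/sh
# Added example, not from the howto: summarise which sources hit the LOG
# rules. Constructed sample lines in the kernel's -j LOG format; the
# prefix before IN= is the --log-prefix of the rule that matched.
SAMPLE_LOG='Jan 10 12:00:01 fw kernel: ##m$oftfilesharing## IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2345 DF PROTO=TCP SPT=3421 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 12:00:03 fw kernel: ##m$oftfilesharing## IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=3422 DPT=445 SYN URGP=0
Jan 10 12:00:09 fw kernel: unwantedports input block IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.55 DST=198.51.100.2 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 10 12:01:10 fw kernel: ##m$oftfilesharing## IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=3423 DPT=139 SYN URGP=0'

# Read log lines on stdin; print "hits PROTO DPT SRC", busiest first.
# Only lines that carry a SRC= field are considered, so ordinary kernel
# messages in the same file are skipped.
fw_log_summary() {
    awk '
        /kernel: / && /SRC=/ {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "" && dpt != "") hits[proto " " dpt " " src]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Number of distinct source addresses that hit a given destination port.
# usage: ... | fw_log_sources_for_port PORT
fw_log_sources_for_port() {
    fw_log_summary | awk -v port="$1" '$3 == port { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
```

    On a real firewall you would feed it the log instead of the sample, for instance with grep 'IN=' /var/log/messages | fw_log_summary; a source that shows up with many hits on port 139 or 445 is the kind of thing the logging rules are meant to make visible.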

    If you block these ports going to the outside anyway, do this by adding these rules:

    iptables -A FORWARD -p tcp -o ppp0 -m multiport --destination-port 136,137,138,139,111,445,12345,12346 -j DROP

    iptables -A FORWARD -p udp -o ppp0 -m multiport --destination-port 136,137,138,139,111,445,12345,12346 -j DROP

    If you have a nic to the internet you should use eth0 and not ppp0.

    You can add up to 15 ports per rule; beyond that you have to add more rules. I would advise blocking some ports as laid out below.
    #first log if you want
    iptables -A FORWARD -p tcp -m multiport --destination-port 1723,1745,2049,5631,5632,12345,12346,20034,5742,30303,40421,445 -j LOG
    iptables -A FORWARD -p udp -m multiport --destination-port 635,sunrpc,1713,1745,2049,5631,5632,31337 -j LOG
    #then blocking. first tcp then udp
    iptables -A FORWARD -p tcp -m multiport --destination-port 1723,1745,2049,5631,5632,12345,12346,20034,5742,30303,40421,445 -j DROP
    iptables -A FORWARD -p udp -m multiport --destination-port 635,sunrpc,1713,1745,2049,5631,5632,31337 -j DROP

    Mind you, these are just examples!!!! Please find your own ports to exclude. It would be proper to find an updated list of the latest and most used ports to block. However, blocking msoft filesharing and nfs is the least you should do.

    The works: some example scripts with most tricks explained below
    The works script with nat and outside interface eth1

    =========================firewall example 3: the works ===========
    This script is now here

    ==============================end the works=========
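    The howto's own "works" script is not reproduced on this page. As an added example of my own (not the author's script), here are the pieces explained so far assembled into one script: the block chain from example 1, masquerading from example 2, and the logging and dropping of unwanted outbound ports from step two, with a helper that splits a long port list into groups of 15 because that is all one multiport rule takes. The interface name, the LAN range and the port lists are assumptions; a dry-run mode prints the rules instead of loading them so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the howto's own "works" script. Interface, LAN range
# and port lists are assumptions; adapt them to your setup.
EXT_IF=${EXT_IF:-eth0}              # interface towards the internet
LAN=${LAN:-192.168.0.0/24}          # private range behind the firewall
LOG_PREFIX="unwanted-out: "         # shows up in the kernel log lines

# With FW_DRYRUN=1 the rules are printed instead of loaded, so the script can
# be reviewed on a machine without root, or even without iptables.
ipt() {
    if [ "${FW_DRYRUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# One multiport rule for a comma-separated group of at most 15 ports.
# usage: emit_group CHAIN PROTO TARGET PORTLIST
emit_group() {
    if [ "$3" = LOG ]; then
        ipt -A "$1" -p "$2" -o "$EXT_IF" -m multiport --dport "$4" -j LOG --log-prefix "$LOG_PREFIX"
    else
        ipt -A "$1" -p "$2" -o "$EXT_IF" -m multiport --dport "$4" -j "$3"
    fi
}

# multiport takes at most 15 ports per rule, so split a longer list into
# groups of 15, and refuse anything that is not a port number in 1..65535.
# usage: multiport_rules CHAIN PROTO TARGET port [port ...]
multiport_rules() {
    chain=$1; proto=$2; target=$3; shift 3
    group=""; n=0
    for p in "$@"; do
        case $p in
            ""|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "bad port: $p" >&2; return 1
        fi
        group="${group:+$group,}$p"; n=$((n + 1))
        if [ "$n" -eq 15 ]; then
            emit_group "$chain" "$proto" "$target" "$group"
            group=""; n=0
        fi
    done
    if [ -n "$group" ]; then emit_group "$chain" "$proto" "$target" "$group"; fi
}

# Ports the howto singles out (worms, NetBIOS, NFS); examples only. The tcp
# list has 17 entries on purpose, so that it is split into two rules.
UNWANTED_TCP="135 136 137 138 139 445 111 2049 1723 1745 5631 5632 12345 12346 20034 30303 31337"
UNWANTED_UDP="135 136 137 138 139 445 111 2049 31337"

load_firewall() {
    # ftp connection tracking, if it is a module (skipped in dry-run mode)
    [ "${FW_DRYRUN:-0}" = 1 ] || modprobe ip_conntrack_ftp 2>/dev/null || true
    ipt -F; ipt -X; ipt -t nat -F

    # The "block" chain from example 1: answers in, new connections only from inside.
    ipt -N block
    ipt -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A block -m state --state NEW ! -i "$EXT_IF" -j ACCEPT
    ipt -A block -j DROP

    # Improvement 2: log, then drop, unwanted ports leaving towards the internet.
    multiport_rules FORWARD tcp LOG  $UNWANTED_TCP
    multiport_rules FORWARD tcp DROP $UNWANTED_TCP
    multiport_rules FORWARD udp LOG  $UNWANTED_UDP
    multiport_rules FORWARD udp DROP $UNWANTED_UDP

    ipt -A INPUT -j block
    ipt -A FORWARD -j block

    # Improvement 1: masquerade the LAN behind the external address.
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$EXT_IF" -j MASQUERADE
}

# "sh script.sh show" prints the rules; "sh script.sh load" loads them (as root).
case "${1:-}" in
    show) FW_DRYRUN=1; load_firewall ;;
    load) load_firewall ;;
esac
```

    The order inside FORWARD matters: the port drops come before the jump to block so that they also catch traffic from inside, which block would otherwise let through as NEW from a non-external interface. Running it with show first and reading the printed rules is the cheapest test there is.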

    Advanced stuff




    There are more advanced things you can do.

    Beyond the (parts of) scripts we generated above I will give some other stuff you can add to those.

    1. monitor what is going on for trouble shooting.

    To see what is going on in your chains you can do
    iptables -L and iptables -t nat -L
    Also iptables -vnL and iptables -t nat -vnL: -v adds packet and byte counters per rule, so you can see where packets are going, and -n keeps it from resolving addresses to names.

    2. Another trick is to do limiting.
    For instance by doing

     iptables -A INPUT -m limit --limit 1/second -j LOG

    In this case you aren't logging only traffic that comes in faster than 1/second; you're logging all traffic, but not logging more than once a second (other log entries would be dropped). The traffic is allowed to pass, just not all the loggings.
    You can also take actions upon packet floods, but you might want to test first to make sure you do not block fans of your www-site that just visit a lot!

    By limiting new inbound TCP packets you can prevent a Denial of Service attack. This is accomplished with the following rules:
    # Create syn-flood chain for detecting Denial of Service attacks
    iptables -t nat -N syn-flood
    # In the syn-flood chain, limit to 12 connections per second (burst to 24)
    iptables -t nat -A syn-flood -m limit --limit 12/s --limit-burst 24 -j RETURN
    iptables -t nat -A syn-flood -j DROP
    # Check for DoS attack
    iptables -t nat -A PREROUTING -i $EXT_IFACE -d $IP -p tcp --syn -j syn-flood
    These rules limit new inbound TCP connections (packets with the SYN bit set) to 12 per second once a burst of 24 has been seen: the limit match is a token bucket that starts with 24 tokens and refills at 12 per second, so the first 24 SYNs of a burst pass and after that only 12 per second do.
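    The limit match is easier to understand with numbers. The following added example (my own, not from the howto) simulates the token bucket behind --limit and --limit-burst in plain sh and awk, for the logging rule above as well as the syn-flood chain: each packet arrival is a timestamp in seconds, the bucket starts full, a matching packet spends one token, and tokens refill at the limit rate up to the burst size. The arrival pattern is constructed, and the model is a simplification of the kernel's credit counting.

```shell
#!/bin/sh
# Added example, not from the howto: simulate "-m limit --limit RATE
# --limit-burst BURST" on a list of packet arrival times (seconds).
# Prints "matched notmatched"; in the syn-flood chain "matched" packets
# hit RETURN and pass, the rest fall through to DROP.
# usage: simulate_limit RATE BURST t1 t2 t3 ...
simulate_limit() {
    rate=$1; burst=$2; shift 2
    printf '%s\n' "$@" | awk -v rate="$rate" -v burst="$burst" '
        BEGIN { tokens = burst; last = 0; pass = 0; drop = 0 }
        {
            t = $1 + 0
            # refill since the previous packet, capped at the burst size
            tokens += (t - last) * rate
            if (tokens > burst) tokens = burst
            last = t
            if (tokens >= 1) { tokens -= 1; pass++ } else { drop++ }
        }
        END { print pass, drop }'
}

# Constructed flood: 40 SYNs in the same instant, then 13 more one second
# later, run through the howto's numbers (12/s, burst 24).
burst_then_trickle() {
    set --
    i=0; while [ "$i" -lt 40 ]; do set -- "$@" 0; i=$((i + 1)); done
    i=0; while [ "$i" -lt 13 ]; do set -- "$@" 1; i=$((i + 1)); done
    simulate_limit 12 24 "$@"
}

# The 1/second LOG rule: five packets within one second, only the first is logged.
one_per_second_log() {
    simulate_limit 1 1 0 0.1 0.2 0.3 0.4
}

burst_then_trickle
one_per_second_log
```

    With the howto's numbers burst_then_trickle reports 36 matched and 17 dropped: the first 24 SYNs of the flood pass, the next 16 are dropped, and a second later 12 tokens have been refilled so 12 of the 13 late arrivals pass. This is also why a legitimate site with many visitors needs testing before such a rule goes live, as the text warns.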

    3. To block certain ports you can block in the PREROUTING chain, which comes before all other chains. For instance iptables -t nat -A PREROUTING -j DROP will make your security great :-) It will block everything and you will end up without a connection.

    Nat and redirection



    We covered nat a bit when setting up a firewall script in the beginning.
    If you want to redirect a destination port to your local squid port you can do:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    If you want to redirect to a remote squid box you can do the following (squid-box, local-network and iptables-box stand for the address of your squid machine, your LAN range and the address of the firewall itself):
    iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
    iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
    iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
    The first one sends the packets to squid-box from iptables-box. The second makes sure that the reply gets sent back through iptables-box, instead of directly to the client (this is very important!). The last one makes sure the iptables-box will forward the appropriate packets to squid-box. It may not be needed. YMMV. Note that we specified '-i eth0' and then '-o eth0', which stands for input interface eth0 and output interface eth0. If your packets are entering and leaving on different interfaces, you will need to adjust the commands accordingly.

  • 12.- advanced routing with iptables: source routing on specific ports


    To do this, advanced routing needs to be enabled in your kernel. Thanks to Ronald Verlaan for the beef of this part! See also the advanced routing howto at http://lartc.org/HOWTO//cvs/2.4routing/2.4routing-howto.html

    First, for starters: here is the chain picture:

     --->PRE------>[ROUTE]------>FWD---------->POST------>
         Conntrack    |          Filter         ^        NAT (Src)
         Mangle       |                         |        Conntrack
         NAT (Dst)    |                      [ROUTE]
         (QDisc)      v                         |
                      IN Filter                OUT Conntrack
                      |  Conntrack              ^   Mangle
                      |                         |   NAT (Dst)
                      v                         |   Filter

    What you can do with the mangle table in iptables is to look at where your packet is coming from in addition to what port it is using (80 or 25 and so on) and decide on that basis where you want the packet to be routed. So you can give some email, http or ssh traffic a different default gateway from other email, http or ssh traffic, depending on where it came from. Notice that you cannot do this with normal routing, or with source/destination nat. With normal routing you cannot split on the basis of where traffic comes from. You also cannot split on the basis of service, although destination nat can do this to some degree.
    This is for instance useful when you have two routes to the internet and you want some traffic to go over one, and other traffic over the other connection. You could also split up routes between services, for instance between http and email.
    So for instance you want to reroute all port 80 (http) traffic from your internal network going to the internet to your server, which is a proxy. But not for a specific range of servers: your intranet servers that are in your dmz. How do you do that?

    1. iptables -t mangle -A OUTPUT -p tcp --dport 80 -d ! 197.157.136.240/28 -s 197.157.136.242/32 -j MARK --set-mark 1
    Here you mangle traffic going out the OUTPUT chain of your firewall to be marked "1", with destination port 80 (http), but not to your dmz (197.157.136.240/28), coming from your internal network 197.157.136.242/32. Note that OUTPUT only sees packets the firewall generates itself; for traffic forwarded from the LAN the same rule goes in the PREROUTING chain of the mangle table.
    Notice that the mangle table only exists in the PREROUTING and OUTPUT chains (in the 2.4 kernels of the time; from kernel 2.4.18 on it has all five chains). You cannot mangle at other places like INPUT, FORWARD and so on.

    2. To make packets that are marked with "1" get another route we will: A. make a new routing table 100; B. call that table marky with an alias; C. send traffic with mark 1 to route table marky; D. give route table marky a default route different from the normal default route.

    First we call table 100 marky by alias (note the >>: a single > would overwrite rt_tables and lose the standard tables):
    echo 100 marky >> /etc/iproute2/rt_tables
    Second we send all marked traffic to that table:
    ip rule add fwmark 1 table marky
    Third we add a default gateway to route table marky:
    ip route add default via 210.99.155.97 dev eth2 table marky

    See the advanced routing howto for the syntax here, or man ip.
    That is it!
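    The steps above as one script, added here as an example of my own (not part of the howto): the mark rule, the rt_tables alias and the ip rule and route commands in one idempotent function. The alias is only appended if it is not in rt_tables yet, so running the script twice does not duplicate it, and a dry-run mode prints the commands instead of running them. The table number, alias, gateway, device and addresses are the ones from the text above; the rt_tables path is the usual one.

```shell
#!/bin/sh
# Added example, not from the howto: policy routing for marked packets.
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

# With ROUTE_DRYRUN=1 the ip/iptables commands are printed instead of run.
run() { if [ "${ROUTE_DRYRUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Step 1 of the text: mark port-80 traffic from SRC that is not going to DMZ.
# usage: mark_http_not_dmz DMZ_RANGE SRC_RANGE MARK
mark_http_not_dmz() {
    run iptables -t mangle -A OUTPUT -p tcp --dport 80 ! -d "$1" -s "$2" -j MARK --set-mark "$3"
}

# Steps A-D: register the table alias once, then rule and default route.
# usage: add_mark_route MARK TABLE_NUMBER ALIAS GATEWAY DEVICE
add_mark_route() {
    mark=$1; num=$2; alias=$3; gw=$4; dev=$5
    # A+B: append "NUM ALIAS" only if that line is not there already
    # (">>" appends; a plain ">" would wipe the standard tables)
    if ! grep -Eq "^[[:space:]]*$num[[:space:]]+$alias([[:space:]]|\$)" "$RT_TABLES" 2>/dev/null; then
        printf '%s %s\n' "$num" "$alias" >> "$RT_TABLES"
    fi
    # C: marked packets are looked up in that table
    run ip rule add fwmark "$mark" table "$alias"
    # D: the table's own default route
    run ip route add default via "$gw" dev "$dev" table "$alias"
}

# How many times ALIAS is registered in rt_tables (should be exactly 1).
alias_count() { grep -Ec "[[:space:]]$1([[:space:]]|\$)" "$RT_TABLES"; }

# Values from the text; run as root to apply, or with ROUTE_DRYRUN=1 to review.
mark_http_not_dmz 197.157.136.240/28 197.157.136.242/32 1
add_mark_route 1 100 marky 210.99.155.97 eth2
```

    Checking with alias_count marky after a second run is the quick way to confirm the idempotence; ip rule show and ip route show table marky confirm the live state on the router.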

  • 13.- quality of service: guarantee bandtwith on your connection


    If you have an ADSL line or something like that, where your uploads and downloads can clutter up the line, Linux with kernel 2.4 can help out.

    Kernel 2.4 has the ability for advanced routing, see http://lartc.org/

    I have succeeded using the wondershaper traffic-control script from that site at: http://lartc.org/wondershaper/

    Edit the script, run it from your /etc/rc.d/rc.local script and your line will be much smoother. You can:

    - make sure some protocols have low priority (kazaa, destination port 1214) so your brother downloading mp3's does not halt your browsing.

    - make sure your downloading does not DOS your www-site

    and so on.

    You can check with

    ip address show

    if it worked. The eth1 device (your external device) should show qdisc cbq.

  • things I do not even understand or haven't tried out.

    Using the experimental netfilter psd patch, iptables can detect and block inbound port scans with the following rule:
    # DROP inbound port scans
    iptables -t nat -A PREROUTING -i $EXT_IFACE -d $IP -m psd -j DROP
    Using the experimental netfilter iplimit patch, iptables can limit the number of connections received from a particular IP address with the following rule:
    # DROP packets from hosts with more than 16 active connections
    iptables -t nat -A PREROUTING -i $EXT_IFACE -p tcp --syn -d $IP -m iplimit --iplimit-above 16 -j DROP
    One of the most powerful netfilter patches allows you to match packets based on their content. The experimental string-matching patch allows you to filter out packets that match a certain string. This is helpful to filter out the CodeRed or Nimda viruses before they hit your Web server. Keep in mind that the match looks at individual packets, not at the reassembled TCP stream, so it is a cheap extra and not a substitute for patching the web server.
    The following rules achieve this:
    # DROP HTTP packets related to CodeRed and Nimda viruses silently
    iptables -t filter -A INPUT -i $EXT_IFACE -p tcp -d $IP --dport http -m string --string "/default.ida?" -j DROP
    iptables -t filter -A INPUT -i $EXT_IFACE -p tcp -d $IP --dport http -m string --string ".exe?/c+dir" -j DROP
    iptables -t filter -A INPUT -i $EXT_IFACE -p tcp -d $IP --dport http -m string --string ".exe?/c+tftp" -j DROP

    - iptables script for floppy fw 194 with kernel 2.4. A script with the internet nic at eth0 and the internal interface at eth1. The internal lan is masqueraded, and the firewall has a static ip. In other words: the internet is at eth0. You have a static ip that connects you to the internet. Your internal network is at 192.168.0.0/24 on eth1.

    Links to pages about iptables that helped me



    Linux Kernel 2.4 Firewalling Matures: netfilter
    By Dave Wreski
    http://www.linuxsecurity.com/feature_stories/netfilter-print.html

    The Netfilter Project: Packet Mangling for Linux 2.4
    http://netfilter.samba.org/

    IPTables Tutorial
    http://www.boingworld.com/workshops/linux/iptables-tutorial/

    Iptables FAQ
    http://netfilter.samba.org/documentation/FAQ/netfilter-faq.html

    Advanced routing howto
    http://lartc.org/HOWTO//cvs/2.4routing/2.4routing-howto.html

    14. Sidedish: how to patch and compile a kernel.

    OK, for many things here you need to add things to the kernel. I have seen horrible guides pages and pages long. Let's do it the quick way:
    Make sure you have the kernel sources installed because you need them to compile from. Compiling is making binaries from source. You also need the kernel tools to compile a kernel. You can get the latest sources by doing:
    1. cd /usr/src
    2. Download the latest stable source, i.e. do: ftp ftp.kernel.org; cd to /pub/linux/kernel..; bin; mget patch-2.4.[567].gz; patch -p0 < patch-2.4.5, then patch -p0 again for each following patch. You can also skip the patching and just get the latest full source of the kernel you want and make the link linux point to that dir.
    3. cd linux; make mrproper; make menuconfig. Here you have to make sure you include the iptables things, and you might want the advanced routing stuff and the tos things put in as well. Make sure you switch experimental features on at the beginning or you will never see some of the options. Save the config you made to, for instance, /etc/kernel.
    4. make dep clean bzImage modules modules_install, and wait a while for the compiling to finish.
    5. cd arch; cd i386; cd boot; cp bzImage /boot/bootvmlinuz2.4.14 (or another number).
    6. Edit the lilo config, usually at /etc/lilo.conf, and run it: lilo. That's it.
    7. If it does not boot, the image can be too large, or there are other stupid mistakes :-)

    2. What is floppy firewall, lrp?



    Floppy firewall and lrp are linux boot-floppies (yes, just 1.4 meg) which you can use to make a firewall from a computer. With a computer without even a harddisk, you can make a firewall (and a lot more). This howto explains how you can do that with iptables.

    Floppyfirewall is a floppy-based linux firewall found at http://www.zelow.no/floppyfw/
    Another linux-based floppy project is the linux router project, or lrp, at http://lrp.steinkuehler.net and http://leaf.sourceforge.net/. If you are into bsd, try netbsd floppy firewall.

    Floppyfw differs somewhat from lrp in that it is easier to use if you have the right network cards (mostly 3coms), easier to adjust (from windows, that is) and also simpler to get modules into (drivers and packages). Lrp is more mature and has more features, packages and scrutiny as well, I think. However, if you just need a firewall I slightly prefer floppyfw because you can simply drop in your firewall rules and it works. Lrp has the tendency to involve so much scripting that getting some special rules into it can be a pain in the ass. First having to disable a lot of stuff like dhcp, dns and so on never made me very happy. However, if you do need it, it rocks!

    Second, why focus on floppyfw and lrp floppies?



    - First, you can use this howto with any normal distribution. You just have to check where the binaries are and adjust this if appropriate.

    - I focus on floppies because they are so cool and minimalistic. I really think that firewalls should be minimal. The less the better. Also to see that power does not mean spending a lot of money, but being smart. If your boss thinks he needs something expensive, let him pay you more :-)
    - Floppies are easier to troubleshoot. Even booting a full linux distro gets you bored after a while.

    Ipchains firewall scripts for floppyfw.



    A bit out of focus for this howto, but I really need to publish them somewhere.

    If you pick up a floppy firewall with a kernel older than 2.4 you can use these scripts. I have tested them to work!

    A. Script for a floppyfw router with subnetworks with real internet ip's on both sides (no nat or masquerading) and some servers on the internal lan that need to be accessed from the internet. Of course the internet interface is eth0 (0 stands for 0utside, didn't you know?) and the 1nside interface is eth1. To use it you must adjust the ip's and network to what you are using. This script has been used commercially, so you can bet it works. Here it is.

    B. Script usable for an mxstream adsl connection in the Netherlands, where the outside interface is ppp0, eth0 is the interface where the adsl/ethernet-modem is, and eth1 holds the internal network. The ppp0 device gets a static ip address.
    Here it is. The config file is here. Anyone using a modem with ppp and a static ip address can use this too: just call your inside nic eth1 and the outside interface ppp0, and ignore eth0. Needless to say, you must get your floppy usable for adsl in the Netherlands at www.lintegrate.nl.



    Iptables firewall scripts for floppyfw.

    You can probably use the works script: The works: scripts with all tricks in them