Taste of Training Webinar Series
Hardening access to network services with iptables
Rob Locke
Curriculum Manager - Linux
August 27, 2013
ROBERT LOCKE
2
Hardening access to network services with iptables
● Review how to establish a stateful host firewall
● Learn iptables rule-management practices for using iptables remotely
● Discover how to troubleshoot iptables problems
iptables as a filter
● The filter table contains 3 predefined chains: INPUT, FORWARD, and OUTPUT
● A chain is an ordered list of rules
● A rule is a set of matching criteria and a target: ACCEPT, DROP, REJECT ...
Demo
iptables matching criteria
● -i, -o : interfaces (in, out)
● -s, -d : IP addresses (source, destination)
● -p : protocol (e.g. tcp, udp, icmp)
● -m : match extensions (e.g. tcp, udp, state)
● --sport, --dport : port (coupled with -m tcp or -m udp)
● --state : coupled with -m state for stateful packet inspection
Demo
iptables persistence
● service iptables save
● /etc/sysconfig/iptables
● Process:
  ● iptables command ; service iptables save
  ● Edit /etc/sysconfig/iptables ; service iptables restart
Demo
iptables rule management practices
● Use a script:
  ● iptables -F
  ● iptables commands
  ● service iptables save
● Worried about getting locked out while working remotely?
  ● iptables-save > /tmp/saveme-iptables
  ● at now + 30 min, running:
    ● iptables-restore /tmp/saveme-iptables
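An added example (not from the slides) that ties the "use a script" practice and the timed-rollback safety net together, and uses the LOG target covered later: gen_ruleset emits a stateful host-firewall ruleset in /etc/sysconfig/iptables format, and apply_ruleset loads it only after scheduling a restore of the current rules. It assumes a RHEL 6-style host with the iptables service, the at daemon and root for apply_ruleset; the file names, port list and log prefix are illustrative choices.

```shell
# Added example, not from the slides. Builds a stateful filter-table
# ruleset and applies it with the 30-minute rollback from the slide.
# Assumes RHEL 6-style iptables service, atd running, root to apply.

# Emit a ruleset: accept loopback and established traffic, accept NEW
# TCP connections to the given ports, log and then reject the rest.
# Usage: gen_ruleset 22 80
gen_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    echo '-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT'
    for port in "$@"; do
        echo "-A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT"
    done
    # LOG does not exit the chain, so the REJECT below still applies;
    # rate-limit it so a port scan cannot flood /var/log/messages.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "'
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# Number of ACCEPT rules in the generated ruleset (sanity check).
count_accepts() { gen_ruleset "$@" | grep -c -- '-j ACCEPT'; }

# Apply a ruleset file the safe way over SSH: save the live rules,
# schedule their restore in 30 minutes, then load the new rules.
# Prints the at job id so the rollback can be cancelled with atrm once
# the new rules have been verified from a second session.
apply_ruleset() {
    rules="$1"
    backup=/tmp/saveme-iptables
    iptables-save > "$backup" || return 1
    # at prints "job N at <time>" on stderr; keep the job number.
    job=$(echo "iptables-restore < $backup" | at now + 30 min 2>&1 \
          | awk '/^job/ {print $2}')
    iptables-restore < "$rules" || return 1
    echo "new rules loaded; rollback is at job $job (atrm $job keeps them)"
}

# Example (needs root):
#   gen_ruleset 22 80 > /tmp/new.rules && apply_ruleset /tmp/new.rules
#   verify access from a second session, then: atrm <job>; service iptables save
```

If the new rules cut the session off, the scheduled iptables-restore puts the saved rules back within 30 minutes; only after confirming access should the at job be removed and the rules persisted with service iptables save.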
Demo
Troubleshoot missing iptables module
● Target: LOG
  ● Sends data to /var/log/messages
  ● Does not exit the chain
● Netfilter modules
  ● /lib/modules/$(uname -r)/kernel/net/netfilter
  ● /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
  ● /etc/sysconfig/iptables-config
Demo
Hardening access to network services with iptables
● Review how to establish a stateful host firewall
● Learn iptables rule-management practices for using iptables remotely
● Discover how to troubleshoot iptables problems
Questions?
Spare Demo(s)
For more information
Red Hat Server Hardening (RH413)
www.redhat.com/training/courses/rh413/