
Packet filtering with iptables

As the last line of defense against an attack from the network, the UNIX workstation can run a host-based firewall, such as iptables. iptables is a packet filter that works from rules controlling packets as they arrive at the workstation (input), leave it (output), or are forwarded between its interfaces.

A packet filter such as iptables will examine the header of packets as they pass through and process the packet in one of three ways, as follows:

  • Deny the packet: Discard the packet with no trace of having received it.
  • Accept the packet: Let the packet go through.
  • Reject the packet: Similar to deny, but the sender is notified that the packet was rejected.

Although iptables is a fully functional firewall, its use is discussed here as a host-based or personal firewall. The typical iptables configuration for a UNIX workstation is as follows:

  • Allow all network-bound traffic to leave the workstation. Generally, outbound traffic does not pose a threat to the workstation itself. It may be advisable to limit outbound traffic to prevent the spread of viruses and worms. Unfortunately, these often function similarly to how a user might (sending e-mail, for example) and are, therefore, difficult to block on the outbound path.
  • Block all incoming traffic that is not specifically allowed. With only a few exceptions, the world (everyone coming in from the network) does not have a need to reach ports on the workstation.
  • Explicitly open individual ports (services) that are needed from the network. On a UNIX workstation, this is usually just ssh (port 22) for remote access, but even that may not be needed. Other typical services that might be allowed are usually on dedicated servers, such as HTTP Web service (port 80), FTP file transfer (port 21), and SMTP e-mail (port 25).

The second configuration item in the preceding list ("block all incoming traffic") is the key defense-in-depth backup to other security preparations taken on the UNIX workstations. Unneeded services should not be running, but if they are, they can still be blocked from use by the network with iptables. Unneeded software should not be available on the workstation, but if it is found and launched as a service by an attacker, it can still be blocked by iptables.
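The three-item workstation policy above can be written down as an iptables-restore ruleset. The shell function below is an added example, not from the original text: it assumes the conntrack match is available (it is in any current iptables) and only generates the ruleset, so it can be reviewed before being loaded with `iptables-restore` as root.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a workstation:
# default-deny inbound, allow all outbound, open only the TCP ports given as arguments.
# Usage: workstation_rules 22 > rules.v4 ; later, as root: iptables-restore < rules.v4
workstation_rules() {
    printf '%s\n' '*filter'
    # Default policies: drop inbound and forwarded packets unless a rule accepts them
    # (the silent "deny" outcome); let everything the workstation originates leave.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic never leaves the host and must keep working.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the workstation itself opened (outbound-first traffic).
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Explicitly opened services: one ACCEPT per requested port, numeric ports only.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) printf 'invalid port: %s\n' "$port" >&2; return 1 ;;
        esac
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Anything else inbound is refused with an ICMP error (the "reject" outcome);
    # the DROP policy above still applies if this rule is ever flushed.
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' 'COMMIT'
}

# The usual workstation case from the text: only ssh (port 22) reachable from the network.
workstation_rules 22
```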
