Very rarely do I have to modify Linux netfilter firewall rules directly using iptables. I generally use Debian based distributions such as Ubuntu, which come preinstalled with UFW as an abstraction layer over iptables, but there are occasions where it does come up. This post covers one of those cases: a Raritan console device required its firewall to be enabled, with both IPv4 and IPv6 rules, to ensure access is restricted to a limited set of prefixes / IP addresses.

If you have enabled IPv6 in your enterprise, firstly well done, as making any progress with this protocol can be a hard slog. Having it in operation does provide one benefit here: it can reduce the risk of a firewall change locking you out. For example, you can lock down IPv4 via the firewall first, while still reaching the device over IPv6, and only lock down IPv6 once you are certain the IPv4 controls are implemented correctly.

The methodology required to implement firewall rules with netfilter using iptables is fairly straightforward.

First the IPv4 ruleset:

iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 8.8.8.8 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 8.8.8.8 --dport 443 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -L -v

Each line performs the following function.

The first line starts you off on a clean slate by setting the INPUT chain policy to allow all traffic, so that the flush which follows cannot lock you out. The second line flushes any existing rules. The third line installs a rule that lets established and related flows pass through the firewall unhindered. The fourth and fifth lines allow access from the permitted source to the SSH and HTTPS ports, 22 and 443 respectively. You may of course need further rules for additional prefixes / IP addresses and for whichever other services are being exposed. We then change the default policy of the INPUT and FORWARD chains to DROP all other traffic, while all traffic originating from the device itself is allowed out via the OUTPUT chain. Finally we finish with a verbose listing of the rules now in place. On a Raritan console switch the rules are saved with a designated command that persists both the IPv4 and IPv6 rulesets together. If you are performing the changes on a server, you will need to persist each protocol's ruleset separately.

The methodology is the same for IPv6:

ip6tables -P INPUT ACCEPT
ip6tables -F
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p tcp -s 2001:4860:4860::8888 --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp -s 2001:4860:4860::8888 --dport 443 -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -L -v
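The two rulesets above differ only in the binary, the source addresses and the ICMPv6 rule, so they can be generated from one function. The script below is an added example, not the post's own or Raritan's code: it prints the commands by default (useful for rehearsing on a VM) and only runs them when RUN=1. The source addresses are the post's placeholders, and the loopback rule is an addition not present in the post, included because local services on a server need it.

```shell
#!/bin/sh
# Build the IPv4 and IPv6 INPUT lockdown described in the post.
# Dry run by default: commands are printed, not executed. RUN=1 applies them (as root).

# Permitted TCP sources per address family and the ports exposed to them.
# These are the placeholder addresses from the post; replace with your own prefixes.
ALLOW_V4="8.8.8.8"
ALLOW_V6="2001:4860:4860::8888"
PORTS="22 443"

# Print one firewall command, or execute it when RUN=1.
fw() {
    if [ "${RUN:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Emit the full ruleset for one address family: "4" or "6".
lockdown() {
    fam=$1
    if [ "$fam" = "6" ]; then cmd=ip6tables; srcs=$ALLOW_V6; else cmd=iptables; srcs=$ALLOW_V4; fi
    fw "$cmd" -P INPUT ACCEPT            # open policy first so the flush cannot lock us out
    fw "$cmd" -F
    fw "$cmd" -A INPUT -i lo -j ACCEPT   # loopback: not in the post, needed by local services
    fw "$cmd" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    if [ "$fam" = "6" ]; then
        fw "$cmd" -A INPUT -p ipv6-icmp -j ACCEPT   # neighbour discovery breaks without this
    fi
    for s in $srcs; do
        for p in $PORTS; do
            fw "$cmd" -A INPUT -p tcp -s "$s" --dport "$p" -j ACCEPT
        done
    done
    fw "$cmd" -P INPUT DROP              # default deny only after the allow rules exist
    fw "$cmd" -P FORWARD DROP
    fw "$cmd" -P OUTPUT ACCEPT
    fw "$cmd" -L -v                      # show what is now in place
}

# Dry run of both families; RUN=1 sh lockdown.sh applies them for real.
lockdown 4
lockdown 6
```

Lock down IPv4 first and confirm you can still reach the device over IPv6 before running the IPv6 half for real.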

The secret to getting changes like this right is, wherever possible, to practise the commands in advance on a local device and confirm they behave as you expect. A virtual machine makes a great test bed for becoming comfortable with the process before touching production.

https://linux.die.net/man/8/iptables

https://wiki.archlinux.org/index.php/iptables

Updating Netfilter Firewall Rules