Taste of Training Webinar Series
Hardening access to network
services with iptables
Rob Locke
Curriculum Manager - Linux
August 27, 2013
Taste of Training Webinar Series
Hardening access to network
services with iptables
Rob Locke
Curriculum Manager - Linux
August 27, 2013
ROBERT LOCKE
2
Hardening access to network services with iptables
●
Review how to establish a stateful host firewall
●
Learn iptables rule-management practices for using
iptables remotely
●
Discover how to troubleshoot iptables problems
ROBERT LOCKE
3
iptables as a filter
●
Table filter contains 3 predefined chains: INPUT,
FORWARD, and OUTPUT
●
A chain is a list of rules
●
A rule is a set of matching criteria and a target:
ACCEPT, DROP, REJECT ...
ROBERT LOCKE
4
Demo
ROBERT LOCKE
5
iptables matching criteria
●
-i , -o : interfaces
●
-s, -d : IP addresses
●
-p : protocol (i.e. tcp, udp, icmp)
●
-m : match extensions (i.e. tcp, udp, state)
●
--sport, --dport : port (coupled with -m)
●
--state : coupled with -m state for stateful packet
inspection
ROBERT LOCKE
6
Demo
ROBERT LOCKE
7
iptables persistence
●
service iptables save
●
/etc/sysconfig/iptables
●
Process:
●
iptables command ; service iptables save
●
Edit /etc/sysconfig/iptables ; service
iptables restart
ROBERT LOCKE
8
Demo
ROBERT LOCKE
9
Hardening access to network services with iptables
●
Review how to establish a stateful host firewall
●
Learn iptables rule-management practices for using
iptables remotely
●
Discover how to troubleshoot iptables problems
ROBERT LOCKE
10
iptables rule management practices
●
Use a script:
●
iptables -F
●
iptables commands
●
service iptables save
●
Remote getting locked out?
●
iptables-save > /tmp/saveme-iptables
●
at now + 30 min
●
iptables-restore /tmp/saveme-iptables
ROBERT LOCKE
11
Demo
ROBERT LOCKE
12
Hardening access to network services with iptables
●
Review how to establish a stateful host firewall
●
Learn iptables rule-management practices for using
iptables remotely
●
Discover how to troubleshoot iptables problems
ROBERT LOCKE
13
Troubleshoot missing iptables module
●
Target: LOG
●
Sends data to /var/log/messages
●
Does not exit chain
●
Netfilter modules
●
/lib/modules/$(uname -r)/kernel/net/netfilter
●
/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
●
/etc/sysconfig/iptables-config
ROBERT LOCKE
14
Demo
ROBERT LOCKE
15
Hardening access to network services with iptables
●
Review how to establish a stateful host firewall
●
Learn iptables rule-management practices for using
iptables remotely
●
Discover how to troubleshoot iptables problems
Questions?
ROBERT LOCKE
17
Spare Demo(s)
For more information
Red Hat Server Hardening (RH413)
www.redhat.com/training/courses/rh413/