Understanding Iptables

My first hack with debian was smooth except for the firewall issues. RHEL/Fedora/CentOS stores its firewall policies in /etc/sysconfig/iptables, in Debian, you have to write down the chains and run it. Writing the chain rules is basically the same for both distros since it is iptables, however it is not pretty obvious for a newbie. So my problem was, I cannot ping a domainname but can ping an IP address instantly. I misinterpreted the root cause of the problem as a dns problem, so I disabled ipv6.. still a no go. Later I found out it was one of the rules in my iptables policies.

So here is the iptables firewall shell script that resolved the issue…

1. vi firewall.sh

iptables -F
iptables -N FIREWALL
iptables -F FIREWALL
iptables -A INPUT -j FIREWALL
iptables -A FORWARD -j FIREWALL
iptables -A FIREWALL -i lo -j ACCEPT
 
iptables -A FIREWALL -p icmp --icmp-type any -j ACCEPT
 
#iptables -A FIREWALL -p 50 -j ACCEPT
#iptables -A FIREWALL -p 51 -j ACCEPT
 
#iptables -A FIREWALL -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
#iptables -A FIREWALL -p udp -m udp --dport 631 -j ACCEPT
 
iptables -A FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
 
iptables -A FIREWALL -p tcp -m tcp --dport 22 --syn -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --sport 80 -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --sport 3306 -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --sport 5432 -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --syn -j REJECT
iptables -A FIREWALL -p udp -m udp -j REJECT
iptables-save > /etc/firewall-rules
iptables-restore < /etc/firewall-rules

1. Run sh -v firewall_setup.sh

Here’s a brief explanation of the iptables flag taken from man.

-F, –flush [chain]
Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

-N, –new-chain chain
Create a new user-defined chain by the given name. There must be no target of that name already.

-A, –append chain rule-specification
Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

-j, –jump target
This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below).

So I checked out my CentOS4 box and found out that I four (4) lines which I don’t understand. See commented lines above. Here’s an explanation of them..

Port 50 is Remote Mail Checking Protocol
Killing this may stop you checking if you have new mail on your provider’s POP server. Haven’t confirmed this…

Port 51 is IMP Logical Address Maintenance. Dunno what this is for..

Port 5353
This port is used for the Apple Bonjour network discovery protocol, as you can read here: http://www.apple.com/support/downloads/bonjourforwindows_readme.html

Port 631 IPP (Internet Printing Protocol). Enable this if you want to print from Linux.