From Gentoo Wiki
Jump to: navigation, search
External resources

iptables[1] is a program used to configure and manage the kernels netfilter modules.



First off, you will need to configure your kernel with netfilter support. If you want to be able to add rules based on IP filtering like black listing IP addresses based on a live feed [1], do not forget to add IPSet support to your kernel and merge net-firewall/ipset package.


You need to activate the following kernel options:

Kernel configuration

[*] Networking support  --->
    Networking options  --->
        [*] TCP/IP networking
        [*]   IP: multicasting
        [*]   IP: advanced router
        [*]   IP: ARP daemon support
        [*]   IP: TCP syncookie support
        <M>   IP: AH transformation
        <M>   IP: ESP transformation
        <M>   IP: IPComp transformation
        <M>   IP: IPsec transport mode
        <M>   IP: IPsec tunnel mode
        <M>   IP: IPsec BEET mode
        <*>   Large Receive Offload (ipv4/tcp)
        <*>   INET: socket monitoring interface
        <M>     UDP: socket monitoring interface
        [ ]   TCP: advanced congestion control  --->
        <M>   The IPv6 protocol  --->
        [*] Network packet filtering framework (Netfilter)  --->
            [*]   Advanced netfilter configuration
            Core Netfilter Configuration  --->
                <M>   "addrtype" address type match support
                <M>   "comment" match support
                <M>   "hl" hoplimit/TTL match support
                <M>   "limit" match support
                <M>   "multiport" Multiple port match support
                <M>   "recent" match support

One can setup IPv6 support category to <M> to be safe and enable almost all Netfilter sub category as the following. Or else, enable only what you need and leave the other modules unset. You certainly would want almost all IP virtual server support core components (scheduler are certainly optional), IP: Netfilter Configuration support, IPv6: Netfilter Configuration for IPv6 support, IP set support for IP filtering based on IP, MAC, ports and then pick up what you need in Core Netfilter Configuration with at least: Netfilter: NFQEUE, LOG; Connection tracking: flow, mark, events, netlink; Netfilter Xtables: NFQEUE, LOG, conn{bytes,mark,state}, state helper with Xtables match: conn{bytes,mark,state}... you get the idea.

Kernel configuration

[*] Networking support  --->
    Networking options  --->
        [*] Network packet filtering framework (Netfilter)  --->
            --- Network packet filtering framework (Netfilter)
            [ ]   Network packet filtering debugging
            [*]   Advanced netfilter configuration
            [*]     Bridged IP/ARP packets filtering
                    Core Netfilter Configuration  --->
            <M>   IP set support  --->
            <M>   IP virtual server support  --->
                  IP: Netfilter Configuration  --->
                  IPv6: Netfilter Configuration  --->
                  DECnet: Netfilter Configuration  --->
            <M>   Ethernet Bridge tables (ebtables) support  --->


Install net-firewall/iptables:

→ Information about USE flags
USE flag Default Recommended Description
ipv6 Yes Adds support for IP version 6
netlink No Build against libnfnetlink which enables the nfnl_osf util
static-libs No No Build static libraries
root # emerge --ask iptables


First Run

For some services such as sshguard & fail2ban you need a running firewall. We will save a blank firewall rule set and start the firewall.

ip v4

root # rc-service iptables save
root # rc-service iptables start

to start upon reboot

root # rc-update add iptables default

ip v6

root # rc-service ip6tables save
root # rc-service ip6tables start

to start upon reboot

root # rc-update add ip6tables default

General Rules

To create firewall rules, we are going to use ipt=$(type -p iptables) or ipt=$(type -p ip6tables). For IPv6 support to write down a few rules that will be loaded using "$ipt-restore" <"$rules". (rules file are usally saved to /var/lib/"${ipt##*/}"/rules-save so that whenever your machine is powered on, the rules set will be loaded automatically with /etc/init.d/"${ipt##*/}".

Lets begin with a little example:

root # "$ipt" -P INPUT DROP

If you're looking into the perfect firewall, the previous command will set up the policy for INPUT chain and will satisfy the more paranoid. However, the previous will drop every packet that will be sent to the local host. And usually nobody wants that to be a default policy.

That example shows how we will be generating firewall rules.

Stateless firewall

Traditional firewall uses stateless firewall rules like:

root # "$ipt" -A INPUT --dport 80 -j ACCEPT

That simply opens a local port, to accept HTTP requests (`--dport' switch means destination port, and HTTP servers listen on port 80).

Stateful firewall

In a stateful firewall approach, the previous example will be handled like:

root #
"$ipt" -P INPUT                                                                                       DROP
"$ipt" -A INPUT -i eth0 -p tcp --dport 80 --syn -m conntrack --ctstate --state NEW                 -j ACCEPT
"$ipt" -A INPUT                                 -m conntrack --ctstate --state ESTABLISHED,RELATED -j ACCEPT

First, we will drop everything like a hot potato, then accept only incoming traffic depending on the state of the state of the packets (stated NEW here), and then establish the connection. Even better, we could place the last line before the second to avoid going into complicated filtering chain for already related and established connections.

This is how a stateful firewall operates to avoid opening unneeded holes and accept in/outbound packets based on the state of the packets.

Generating firewall rules

This section will try to build up a script that will generate a set of rules with internal and external interfaces.

IconClipboardTask.png This article has some todo items:
  • finish this section: generating firewall rules with scripts

Show firewall Rules & Status

ip v4

root # iptables -L -n

ip v6

root # ip6tables -L -n


An example of rules setup is shown in the forum discussion.[2].