Keeping remote attackers out of a LAN is an important aspect of
network security, if not the most
important. The integrity of a LAN should be protected from
malicious remote users through the use of stringent firewall rules.
However, with a default policy set to block all incoming, outgoing,
and forwarded packets, it is impossible for the firewall/gateway
and internal LAN users to communicate with each other or with
external resources. To allow users to perform network-related
functions and use networking applications, administrators must open
certain ports for communication.
For example, to allow access to port 80 on
the firewall, append the following rule:
iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
This allows regular Web browsing from websites that communicate
via port 80. To allow access to secure websites (such as
https://www.example.com/), you must open port 443, as well.
iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
When creating an iptables ruleset, it
is critical to remember that order is important. For example, if
one chain that specifies that any packets from the local
192.168.100.0/24 subnet be dropped, and then another chain is
appended (-A) to allow packets from
192.168.100.13 (which is within the dropped restricted subnet),
then the appended rule is ignored. You must set a rule to allow
192.168.100.13 first, and then set a drop rule on the subnet.
To arbitrarily insert a rule in an existing chain of rules, use
-I, followed by the chain in
which to insert the rule, and a rule number (1,2,3,...,n) for where
the rule should reside. For example:
iptables -I INPUT 1 -i lo -p all -j ACCEPT
The rule is inserted as the first rule in the INPUT chain to
allow local loopback device traffic.
There may be times when you require remote access to the LAN
from outside the LAN. Secure services such as SSH, can be used for
encrypted remote connection to LAN services. For administrators
with PPP-based resources (such as modem banks or bulk ISP
accounts), dial-up access can be used to circumvent firewall
barriers securely, as modem connections are typically behind a
firewall/gateway because they are direct connections. However, for
remote users with broadband connections, special cases can be made.
You can configure iptables to accept
connections from remote SSH clients. For example, to allow remote
SSH access, the following rules may be used:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p udp --sport 22 -j ACCEPT
There are other services for which you may need to define rules.
Refer to the Red Hat Enterprise Linux
Reference Guide for comprehensive information on iptables and its various options.
These rules allow incoming and outbound access for an individual
system, such as a single PC directly connected to the Internet or a
firewall/gateway. However, they do not allow nodes behind the
firewall/gateway to access these services. To allow LAN access to
these services, you can use NAT with iptables filtering rules.