1
00:00:00,000 --> 00:00:11,240
In this lesson, you will learn about iptables firewalls. So iptables is a classic tool

2
00:00:11,240 --> 00:00:17,680
for managing advanced firewalls. The fun thing is that at some point iptables got deprecated,

3
00:00:17,680 --> 00:00:24,440
but there's a lot of people that like it. So now it's living a revival. So iptables

4
00:00:24,440 --> 00:00:30,000
has been rebranded and you can use it to write firewall rules that are compatible with the

5
00:00:30,000 --> 00:00:35,639
current syntax. Why would you want to do that? Because it offers advanced features for configuring

6
00:00:35,639 --> 00:00:42,040
very specific firewall rules. So if you are a powerful firewall user, iptables is a very

7
00:00:42,040 --> 00:00:48,799
nice utility. In modern Red Hat, nft is provided as a standard solution to manage advanced

8
00:00:48,799 --> 00:00:54,560
firewalling. And as I just mentioned, the iptables tool has been reworked to generate nftables

9
00:00:54,560 --> 00:01:00,880
firewall rules. And what is the reason behind that? Well, nftables is quite complex,

10
00:01:00,880 --> 00:01:07,160
and the rules are not as easily written as iptables rules. So that is why you might want to

11
00:01:07,160 --> 00:01:14,080
use iptables instead of nftables. Now when you work with iptables, you should understand the

12
00:01:14,080 --> 00:01:22,919
command anatomy. So how does it work? Well, iptables first has either a -A or a -I.

13
00:01:22,919 --> 00:01:32,120
-A is for append and -I is for insert. -A appends to the end of the chain. Now the

14
00:01:32,120 --> 00:01:39,120
fact is that in an iptables firewall, the position of your rules does matter. Because if you first

15
00:01:39,120 --> 00:01:46,360
are going to allow all SSH traffic, and then you are going to deny all SSH traffic for a specific

16
00:01:46,360 --> 00:01:53,120
host, well, that's not going to work. Because the allow rule matches the incoming traffic also for

17
00:01:53,120 --> 00:01:59,800
the denied host before you meet the deny rule. And that is why generically, you want more specific

18
00:01:59,800 --> 00:02:08,600
exceptions first and the generic rules to the end. The next component is -i or -o ifname. So

19
00:02:08,759 --> 00:02:14,880
that is the input or output interface name, which is optional, by the way. If you don't specify an

20
00:02:14,880 --> 00:02:20,880
interface name, it just applies to all interfaces. Now we have -s or -d for source or

21
00:02:20,880 --> 00:02:29,279
destination followed by an IP address with a CIDR subnet mask. Next, you get -p udp or -p tcp,

22
00:02:29,479 --> 00:02:37,119
which is always followed by a --dport or a --sport for the destination

23
00:02:37,119 --> 00:02:45,039
port or the source port. And the final component is -j. -j is specifying what exactly you

24
00:02:45,039 --> 00:02:51,559
want to do. And your options are LOG and ACCEPT and REJECT and DROP. Well, LOG is writing to the

25
00:02:51,559 --> 00:02:59,240
logs, ACCEPT is obviously accepting it, REJECT will reject while sending an error message so that the

26
00:02:59,240 --> 00:03:05,639
initiator of the traffic can know what was going wrong, and DROP will silently drop it. Let me

27
00:03:05,639 --> 00:03:12,440
demonstrate. So I'm going to do this on my CentOS 10 host. And in order to do so, I need systemctl

28
00:03:12,440 --> 00:03:25,240
disable --now firewalld. And then I'm going to use iptables -L, which is listing.

29
00:03:25,399 --> 00:03:30,880
And I can see that I have an INPUT chain and a FORWARD chain and an OUTPUT chain. And the policy is

30
00:03:30,880 --> 00:03:38,160
set to ACCEPT. So INPUT is for incoming packets, OUTPUT is for outgoing packets, and FORWARD is a

31
00:03:38,160 --> 00:03:44,880
chain that I'm going to ignore here. The policy is set to ACCEPT. If you want a decent firewall that is

32
00:03:44,880 --> 00:03:52,039
really holding off everything, then it's a good idea to set the policy first. So -P OUTPUT, which must be

33
00:03:52,039 --> 00:04:00,399
in uppercase, by the way, DROP. And I'm also going to set the policy on INPUT to DROP. And now let's

34
00:04:00,399 --> 00:04:07,520
try to ping google.com. And what do we get? We get a name or service not known. A name or service not

35
00:04:07,520 --> 00:04:12,639
known, that's a DNS message. And that is right, because the very first thing that is happening,

36
00:04:12,880 --> 00:04:19,679
where you are pinging google.com, you need to connect to DNS to find the IP address, and DNS cannot be

37
00:04:19,679 --> 00:04:26,399
reached. So we need to make sure that this is going to happen. And how do we do that? Well, by using

38
00:04:26,399 --> 00:04:35,119
iptables -A OUTPUT. So I'm working on the OUTPUT chain. -p for protocol, icmp, for the

39
00:04:35,119 --> 00:04:41,600
Internet Control Message Protocol. That's a protocol that is used by the ping command. And -j

40
00:04:41,640 --> 00:04:49,440
ACCEPT. So I want to accept outgoing ping. Now, this is not going to be any better, because we still

41
00:04:49,440 --> 00:04:58,000
have two problems. And problem number one is that I do accept ping now, but I still cannot reach out to

42
00:04:58,040 --> 00:05:05,200
DNS. Second problem is the return traffic. I'll show you in a bit. But first, iptables -A

43
00:05:05,519 --> 00:05:16,279
OUTPUT -p tcp --dport 53 -j ACCEPT. Port 53, that's your DNS port. And

44
00:05:16,279 --> 00:05:22,799
that is now accepted. In case you are not too sure about the port, well, remember /etc/services, you can

45
00:05:22,799 --> 00:05:31,440
find it in /etc/services. I'm going to do almost exactly the same, but this time, -p udp, also

46
00:05:31,440 --> 00:05:39,079
ACCEPT. And that is because DNS traffic can go over TCP, as well as over UDP. Now, what do you think?

47
00:05:39,079 --> 00:05:46,399
Are we all right at this moment? Well, when we ping google.com, we still don't get anything. So that doesn't

48
00:05:46,399 --> 00:05:54,399
work. And that is because of the return packets. Look, iptables -L is showing that we now have some

49
00:05:54,399 --> 00:06:01,600
traffic that we allow in the OUTPUT chain, but nothing is allowed back. And to take care of that, I'm using

50
00:06:01,600 --> 00:06:11,079
iptables -A INPUT -m state. This -m command is to call a kernel module. And we are calling the

51
00:06:11,079 --> 00:06:19,600
state kernel module, which is tracking packet state. And I'm going to look for --state ESTABLISHED or

52
00:06:19,640 --> 00:06:28,880
RELATED, -j ACCEPT. And what does that mean? That means that we are going to accept incoming traffic only

53
00:06:28,920 --> 00:06:37,480
if it's an answer to a state that was already existing. So only if it's an answer to authorized outgoing traffic. And

54
00:06:37,480 --> 00:06:44,640
you can see that that is now listed in the firewall rules. And we can try to ping google.com again. And now it

55
00:06:44,640 --> 00:06:54,399
works. Now let's do one more thing, Ctrl-C first to interrupt the ping. I'm going to use iptables -A

56
00:06:54,399 --> 00:07:09,640
OUTPUT. There we go. And -t, -p tcp. And --dport 80,443. And oh boy, what do we see,

57
00:07:09,679 --> 00:07:18,119
it doesn't work with a comma-separated list. Okay, then we need to do it one by one. So port 80 as well as port 443.

58
00:07:18,799 --> 00:07:27,160
Because you probably want to allow some web traffic to go out as well. And at this point, we have a pretty decent

59
00:07:27,160 --> 00:07:37,640
iptables firewall configuration. Now, I am going to reboot this system to get rid of all the iptables configuration. I

60
00:07:37,640 --> 00:07:42,160
don't want to make it persistent. I just wanted to explain how it works.

