Part of the Post Set Up Firewall Using Iptables On Ubuntu Part 2 :
Implementing a Drop Rule
We now have four separate rules that explicitly accept packets based on certain criteria. However, our firewall currently is not blocking anything.
If a packet enters the INPUT chain and doesn't match one of the four rules that we made, it is handed to the chain's default policy, which is to accept the packet anyway. We need to change this.
There are two different ways that we can do this, with some pretty important differences.
The first way we could do this is to modify the default policy of our INPUT chain. We can do this by typing:
· sudo iptables -P INPUT DROP
This will catch any packets that fall through our INPUT chain and drop them. This is what we call a default drop policy. One implication of this design is that the policy survives a flush: iptables -F removes the rules but leaves the policy in place, so if the rules are flushed, every packet, including your own SSH traffic, is dropped.
This may be more secure, but it can also have serious consequences if you don't have another way of accessing your server. With DigitalOcean, you can log in through our web console to regain access if this happens. The web console acts as a virtual local connection, so iptables rules will not affect it.
You may prefer that your server drop all connections in the event that the rules are dumped, since this prevents it from being left wide open. It also means that you can append new rules to the bottom of the chain with -A at any time, while packets that match nothing keep being dropped.
The alternative approach is to keep the default policy for the chain as accept and add a rule that drops every remaining packet to the bottom of the chain itself.
If you changed the default policy for the INPUT chain above, you can set it back to follow along by typing:
· sudo iptables -P INPUT ACCEPT
Now, you can add a rule to the bottom of the chain that will drop any remaining packets:
· sudo iptables -A INPUT -j DROP
The result under normal operating conditions is exactly the same as a default drop policy. This rule works by matching every remaining packet that reaches it. This prevents a packet from ever dropping all of the way through the chain to reach the default policy.
Basically, this is used to keep the default policy to accept traffic. That way, if there are any problems and the rules are flushed, you will still be able to access the machine over the network. This is a way of implementing a default action without altering the policy that will be applied to an empty chain.
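The two approaches above differ only in where the "drop everything else" decision lives. The script below is an added example, not code from the original tutorial: it writes the INPUT ruleset from this series in iptables-restore format in either variant, and applies it with a timer that reopens INPUT if the new rules cut off your session, which is the usual safeguard when you cannot rely on a console. Assumptions: the four accept rules are the ones shown in the listing on this page (loopback, RELATED/ESTABLISHED, ssh, http), the loopback interface is lo, and the file paths under /run and the 60 second delay are arbitrary.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Builds the INPUT ruleset in
# iptables-restore format in both variants the text describes and applies it
# with an automatic rollback. Assumed: the four accept rules from the listing
# on this page, the loopback interface "lo", and the /run paths and delay.

# build_ruleset MODE
#   policy -> default policy DROP, no catch-all rule   (first approach)
#   rule   -> default policy ACCEPT, "-A INPUT -j DROP" last (second approach)
build_ruleset() {
    case $1 in
        policy) input_policy=DROP ;;
        rule)   input_policy=ACCEPT ;;
        *)      echo "usage: build_ruleset policy|rule" >&2; return 2 ;;
    esac
    printf '%s\n' '*filter' \
        ":INPUT $input_policy [0:0]" \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp --dport 22 -j ACCEPT' \
        '-A INPUT -p tcp --dport 80 -j ACCEPT'
    if [ "$1" = rule ]; then
        printf '%s\n' '-A INPUT -j DROP'
    fi
    printf '%s\n' 'COMMIT'
}

# apply_with_rollback MODE [SECONDS]
# Arms a timer that sets the INPUT policy back to ACCEPT and flushes the
# chain, then loads the ruleset atomically with iptables-restore. If the new
# rules lock you out, wait for the timer. If a fresh SSH session still works,
# run confirm_rules to disarm it. Needs root; not exercised by the tests.
apply_with_rollback() {
    candidate=/run/iptables-candidate.rules        # assumed path
    build_ruleset "$1" > "$candidate" || return 2
    ( sleep "${2:-60}"; iptables -P INPUT ACCEPT; iptables -F INPUT ) &
    echo $! > /run/iptables-rollback.pid           # assumed path
    iptables-restore < "$candidate"
}

# confirm_rules: cancel the pending rollback once you have verified access.
confirm_rules() {
    kill "$(cat /run/iptables-rollback.pid)" && rm -f /run/iptables-rollback.pid
}
```

Loading the whole table with iptables-restore replaces it in one step, so there is never a moment where the policy is DROP and the accept rules are not yet present, which is the window a rule-by-rule sequence of iptables -P and iptables -A commands leaves open.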
Of course, this also means that any additional rule that you wish to add to the end of the chain must be placed before the drop rule. You can do this either by temporarily removing the drop rule:
· sudo iptables -D INPUT -j DROP
· sudo iptables -A INPUT new_rule_here
· sudo iptables -A INPUT -j DROP
Or, you can insert a rule at a specific position in the chain (before the drop) by giving its line number; the rule currently at that number and everything below it move down one place. With four accept rules followed by the drop rule at position 5, inserting at 5 puts the new rule directly above the drop. To insert a rule at line number 4, you could type:
· sudo iptables -I INPUT 4 new_rule_here
If you are having trouble knowing which line number each rule is, you can tell iptables to number the rules by typing:
· sudo iptables -L --line-numbers
Output:
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
3 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
4 ACCEPT tcp -- anywhere anywhere tcp dpt:http
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
This can be helpful to make sure you are adding your rule at the appropriate position. Note that the listing above was taken with the default drop policy (the first approach): the chain header reads policy DROP and there is no trailing rule. With the second approach the header reads policy ACCEPT and a fifth rule, DROP all from anywhere to anywhere, closes the chain, so that is the line number to insert at.
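Counting line numbers by eye works for a five-rule chain but not for a long one, and deleting and re-adding the drop rule leaves a window where the chain accepts everything. The following is an added example, not code from the original tutorial: it reads the numbered listing that iptables -L INPUT --line-numbers prints, finds the catch-all DROP rule, and inserts a new rule at that number so the drop is pushed down one place and never removed. Assumptions: the listing is of the INPUT chain only and without -v (which adds columns), and the sample listing in the test is constructed from the one shown on this page with the trailing DROP rule added.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Locates the catch-all DROP
# in "iptables -L INPUT --line-numbers" output and inserts a rule above it.
# Assumed: listing of the INPUT chain only, produced without -v.

# drop_rule_position: reads a numbered INPUT listing on stdin and prints the
# line number of the first rule whose target is DROP and that carries no
# match conditions (six columns: num target prot opt source destination).
# A DROP for a specific port has extra columns and is skipped. Prints nothing
# and returns 1 if the chain has no catch-all DROP.
drop_rule_position() {
    awk '
        NR > 2 && $2 == "DROP" && NF == 6 { print $1; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# insert_cmd POS RULE...: prints the iptables command that would insert RULE
# at position POS (kept separate from the live call so it can be checked
# without root).
insert_cmd() {
    pos=$1
    shift
    printf 'iptables -I INPUT %s %s\n' "$pos" "$*"
}

# insert_before_drop RULE...: live version. Inserts at the DROP's own line
# number, which pushes the DROP down; if there is no catch-all DROP yet the
# rule is simply appended. Needs root; not exercised by the tests.
insert_before_drop() {
    if pos=$(iptables -L INPUT --line-numbers -n | drop_rule_position); then
        iptables -I INPUT "$pos" "$@"
    else
        iptables -A INPUT "$@"
    fi
}

# Typical call, for example to open HTTPS after the fact:
#   insert_before_drop -p tcp --dport 443 -j ACCEPT
```

The -n flag on the live listing keeps iptables from resolving addresses and port names, which avoids DNS delays and keeps the column count stable; the parser does not depend on whether "anywhere" or "0.0.0.0/0" is printed.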
Listing and Deleting Iptables Rules
If you want to learn the details about listing and deleting iptables rules, check out this tutorial: How To List and Delete Iptables Firewall Rules.
Saving your Iptables Configuration
By default, the rules that you add to iptables are ephemeral. This means that when you restart your server, your iptables rules will be gone.
This is actually a feature for some users because it gives them an avenue to get back in if they have accidentally locked themselves out of the server. However, most users will want a way to automatically save the rules they have created and to load them when the server starts.
There are a few ways to do this, but the easiest is the iptables-persistent package. You can install it from Ubuntu's default repositories:
· sudo apt-get update
· sudo apt-get install iptables-persistent
During the installation, you will be asked if you would like to save your current rules so that they are loaded automatically. If you are happy with your current configuration (and you have tested your ability to open a new, independent SSH connection with the rules in place), you can choose to save your current rules.
It will also ask you if you want to save the IPv6 rules that you have configured. These are configured through a separate utility called ip6tables which controls the flow of IPv6 packets in almost the same way.
Once the installation is complete, you will have a new service, iptables-persistent (named netfilter-persistent on Ubuntu 16.04 and later, where iptables-persistent is a plugin for it), that is configured to run at boot. This service loads the rules saved in /etc/iptables/rules.v4 (and /etc/iptables/rules.v6 for ip6tables) and applies them when the server is started.
Saving Updates
If you ever update your firewall and want to preserve the changes, you must save your iptables rules again. Otherwise the running rules and the saved file silently diverge, and the next reboot restores the old set.
Save your firewall rules with this command:
· sudo invoke-rc.d iptables-persistent save
On Ubuntu 16.04 and later the service is called netfilter-persistent, so use this instead:
· sudo netfilter-persistent save
Either command writes the output of iptables-save to /etc/iptables/rules.v4 (and of ip6tables-save to /etc/iptables/rules.v6).
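Because a rule added with iptables -A is live immediately but disappears at the next reboot unless it was saved, it is worth having a check that compares what the kernel is running with what is on disk. The script below is an added example, not part of the original tutorial or of iptables-persistent: it normalizes two iptables-save dumps by removing the timestamp comments and the packet/byte counters, which legitimately differ between dumps of the same ruleset, and reports whether the rules themselves match. Assumptions: the saved file is /etc/iptables/rules.v4, which is where iptables-persistent writes IPv4 rules, and the two dumps used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial or iptables-persistent.
# Detects drift between the running IPv4 ruleset and the persisted file.
# Assumed: the saved file is /etc/iptables/rules.v4.

# normalize_dump: reads iptables-save output on stdin and strips the parts
# that differ between two dumps of the same ruleset: the "# Generated by" /
# "# Completed on" comment lines and the "[packets:bytes]" counters that
# follow each chain policy line.
normalize_dump() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# rules_match FILE_A FILE_B: returns 0 when both dumps describe the same
# rules, 1 when they differ (the diff is printed for the operator).
rules_match() {
    na=$(mktemp) || return 2
    nb=$(mktemp) || { rm -f "$na"; return 2; }
    normalize_dump < "$1" > "$na"
    normalize_dump < "$2" > "$nb"
    diff "$na" "$nb"
    rc=$?
    rm -f "$na" "$nb"
    return "$rc"
}

# check_persisted [SAVED_FILE]: compare the live ruleset with the saved one.
# Needs root to run iptables-save; not exercised by the tests.
check_persisted() {
    saved=${1:-/etc/iptables/rules.v4}
    live=$(mktemp) || return 2
    if ! iptables-save > "$live"; then
        rm -f "$live"
        return 2
    fi
    if rules_match "$live" "$saved"; then
        echo "running IPv4 rules match $saved"
        rc=0
    else
        echo "running IPv4 rules differ from $saved; run: netfilter-persistent save" >&2
        rc=1
    fi
    rm -f "$live"
    return "$rc"
}
```

Run check_persisted from cron or before a planned reboot; a non-zero exit means a change was applied but never saved, and the diff shows which rule would be lost. The same check works for IPv6 by passing /etc/iptables/rules.v6 and swapping iptables-save for ip6tables-save.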
Thanks for reading Set Up Firewall Using Iptables On Ubuntu Part 3 (Finished). Please share...!