The 5 parameters that allow_standard_protocol takes are, in order of appearance:
The port. This parameter is the only mandatory parameter.
The protocol (tcp, udp or all)
The source IP address or network (default: 0/0)
The destination IP address or network (default: 0/0)
The chain this rule should be in (default: INPUT)
In addition, the environment variable CURRENT_PREFERRED_TARGET allows you to set the jump target, whatever positional parameters you pass. By default, the jump target is ACCEPT.
Suppose you wanted to allow MySQL connections to the node.
Suppose you do not really care about the source or destination IP address or network. The call to allow_standard_protocol() would look as follows:
allow_standard_protocol "3306" "tcp"
Now suppose you do in fact care about the source or destination IP address or network. Suppose you want to allow network 192.168.1.0/24, and only to IP address 10.0.0.10, which is the IP address the MySQL server is listening on. The call to allow_standard_protocol() would look as follows:
allow_standard_protocol "3306" "tcp" "192.168.1.0/24" "10.0.0.10"
In addition, you could blacklist one of the IP addresses in network 192.168.1.0/24, such as 192.168.1.10, by adding the following line before the one above (iptables matches rules in order, so the DROP rule has to precede the ACCEPT rule):
CURRENT_PREFERRED_TARGET=DROP allow_standard_protocol \
"3306" "tcp" "192.168.1.10" "10.0.0.10"
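The following is an added dry-run reconstruction of allow_standard_protocol, not the library's own code: it applies the defaults listed above and CURRENT_PREFERRED_TARGET, and prints the iptables command instead of running it. The IPTABLES variable name and the default protocol of tcp (the page states none) are assumptions.

```shell
#!/bin/sh
# Added illustration, not the library's own code: a dry-run version of
# allow_standard_protocol that prints the iptables command it would run.
# Parameters, in the page's order: port (mandatory), protocol (tcp, udp or all;
# the default of tcp is an assumption, the page states none), source (0/0),
# destination (0/0) and chain (INPUT). CURRENT_PREFERRED_TARGET overrides the
# jump target, which is ACCEPT by default. IPTABLES is an assumed variable name.
IPTABLES="${IPTABLES:-iptables}"

allow_standard_protocol() {
    port="$1"
    proto="${2:-tcp}"
    src="${3:-0/0}"
    dst="${4:-0/0}"
    chain="${5:-INPUT}"
    target="${CURRENT_PREFERRED_TARGET:-ACCEPT}"

    if [ -z "$port" ]; then
        echo "allow_standard_protocol: the port is mandatory" >&2
        return 1
    fi
    case "$proto" in
        tcp|udp|all) ;;
        *)  echo "allow_standard_protocol: unknown protocol '$proto'" >&2
            return 1 ;;
    esac
    if [ "$proto" = all ]; then
        # "all" carries no port match in iptables, so only addresses are used
        echo "$IPTABLES -A $chain -p all -s $src -d $dst -j $target"
    else
        # match the destination port and, as in the page's listing,
        # only NEW,ESTABLISHED connections
        echo "$IPTABLES -A $chain -p $proto --dport $port -s $src -d $dst" \
             "-m state --state NEW,ESTABLISHED -j $target"
    fi
}

# The page's three calls as a dry run; the DROP call runs in a subshell so the
# variable does not leak into later calls (some shells keep such prefixes).
allow_standard_protocol "3306" "tcp"
allow_standard_protocol "3306" "tcp" "192.168.1.0/24" "10.0.0.10"
( CURRENT_PREFERRED_TARGET=DROP
  allow_standard_protocol "3306" "tcp" "192.168.1.10" "10.0.0.10" )
```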
The myhosts_chain() function uses the command getent hosts to obtain a list of hosts. To use myhosts_chain(), your name service switch therefore needs to be properly configured, including /etc/hosts. Because getent honours that configuration, the list can also come from NIS(+) or LDAP, which allows you to administer your list of hosts centrally and reuse it in iptables.
At the end of the myhosts chain, a rule is appended to reject all other traffic.
Suppose you administer a list of hosts through LDAP, and the system has been configured (through /etc/nsswitch.conf) to obtain hosts from LDAP as well (besides files and dns, for example).
The command getent hosts will return all entries from /etc/hosts and LDAP, and the myhosts_chain() function populates the myhosts chain with the IP addresses of the hosts you know and care about.
Now suppose that you want your webserver to only be available for hosts you know. You would use a set of lines similar to:
export CURRENT_PREFERRED_TARGET=myhosts
allow_http
allow_https
unset CURRENT_PREFERRED_TARGET
The result will be similar to:
# iptables -L -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
target prot opt in out source destination
ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
whitelist all -- * * 0.0.0.0/0 0.0.0.0/0
blacklist all -- * * 0.0.0.0/0 0.0.0.0/0
tcpflags all -- * * 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 \
tcp dpt:22 state NEW,ESTABLISHED
myhosts all -- * * 0.0.0.0/0 0.0.0.0/0 \
tcp dpt:80 state NEW,ESTABLISHED
myhosts all -- * * 0.0.0.0/0 0.0.0.0/0 \
tcp dpt:443 state NEW,ESTABLISHED
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 \
tcp state RELATED,ESTABLISHED
ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 \
udp state RELATED,ESTABLISHED
ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain myhosts (2 references)
target prot opt in out source destination
ACCEPT all -- * * myhost1 0.0.0.0/0
ACCEPT all -- * * myhost2 0.0.0.0/0
REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
(more output abbreviated)
The mysubnets_chain() function uses the command getent networks to obtain a list of networks. To use mysubnets_chain(), your name service switch therefore needs to be properly configured, including /etc/networks. Because getent honours that configuration, the list can also come from NIS(+) or LDAP, which allows you to administer your list of networks centrally and reuse it in iptables.
At the end of the mysubnets chain, a rule is appended to reject all other traffic.
Suppose you administer a list of networks through LDAP, and the system has been configured (through /etc/nsswitch.conf) to obtain networks from LDAP as well (besides just files, for example).
The command getent networks will return all entries from /etc/networks and LDAP, and the mysubnets_chain() function populates the mysubnets chain with the addresses of the networks you know and care about.
Now suppose that you want your webserver to only be available for networks you know. You would use a set of lines similar to:
export CURRENT_PREFERRED_TARGET=mysubnets
allow_http
allow_https
unset CURRENT_PREFERRED_TARGET
The result will be similar to:
# iptables -L -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
target prot opt in out source destination
ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
whitelist all -- * * 0.0.0.0/0 0.0.0.0/0
blacklist all -- * * 0.0.0.0/0 0.0.0.0/0
tcpflags all -- * * 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 \
tcp dpt:22 state NEW,ESTABLISHED
mysubnets all -- * * 0.0.0.0/0 0.0.0.0/0 \
tcp dpt:80 state NEW,ESTABLISHED
mysubnets all -- * * 0.0.0.0/0 0.0.0.0/0 \
tcp dpt:443 state NEW,ESTABLISHED
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 \
tcp state RELATED,ESTABLISHED
ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 \
udp state RELATED,ESTABLISHED
ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain mysubnets (2 references)
target prot opt in out source destination
ACCEPT all -- * * mynetwork1 0.0.0.0/0
ACCEPT all -- * * mynetwork2 0.0.0.0/0
REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
(more output abbreviated)
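As an added example (not the library's own code), the function below reproduces as a dry run what myhosts_chain() and mysubnets_chain() described above do with getent output: it reads getent-style lines on stdin instead of calling getent, prints the iptables commands instead of executing them, and ends the chain with the REJECT rule. It assumes that IPv6 entries have to be skipped (iptables is IPv4 only) and that a network number without a prefix length gets one derived from its trailing zero octets, since a bare address would otherwise match a single host.

```shell
#!/bin/sh
# Added illustration, not the library's own code: a dry-run version of what
# myhosts_chain() / mysubnets_chain() do with "getent hosts" / "getent networks"
# output. Lines arrive on stdin so the function can run on constructed input;
# the iptables commands are printed, not executed.
# Assumptions: iptables is IPv4 only, so IPv6 entries are dropped; a network
# number without a prefix length gets one derived from its trailing zero
# octets (192.168.1.0 -> /24), because a bare address would match one host.
build_chain_from_getent() {
    db="$1"     # "hosts" (address name...) or "networks" (name address...)
    chain="$2"  # user-defined chain to fill, e.g. myhosts or mysubnets
    echo "iptables -N $chain"
    awk -v db="$db" -v chain="$chain" '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        { addr = (db == "hosts") ? $1 : $2 }   # address column per database
        addr == "" || addr ~ /:/ { next }      # malformed line or IPv6 entry
        db == "networks" && addr !~ /\// {     # derive a prefix length
            n = split(addr, o, ".")
            for (i = n + 1; i <= 4; i++) o[i] = 0   # pad short forms ("10", "192.168.1")
            bits = 32
            for (i = 4; i >= 1 && o[i] == 0; i--) bits -= 8
            addr = o[1] "." o[2] "." o[3] "." o[4] "/" bits
        }
        !seen[addr]++ { printf "iptables -A %s -s %s -j ACCEPT\n", chain, addr }
        END { printf "iptables -A %s -j REJECT\n", chain }   # reject everything else
    '
}

# Constructed sample input (not real hosts): what "getent hosts" might print.
sample_hosts='127.0.0.1       localhost
::1             localhost ip6-localhost
10.0.0.10       db1.example.internal db1
10.0.0.10       db1-alias'

# Usage: the real functions would pipe getent in, e.g.
#   getent hosts | build_chain_from_getent hosts myhosts
printf '%s\n' "$sample_hosts" | build_chain_from_getent hosts myhosts
```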