Transcript from the "Firewall configurations: iptables" Lesson
>> Jem Young: Let's talk about more server security. So we learned a bit that a firewall stops you from connecting a port. It only leaves open the ports you want. But an iptable, an iptable is a network. It's an interface into the network layer of Linux kernel. Their pretty gnarly.
[00:00:18] They're not fun to work with but we're gonna learn what iptables are briefly and then we're gonna learn a better way to do it. Then we're gonna learn an even better way to do it. By better I mean, easier. The best way to do things. So what an iptable is just a list of rules to follow for any connections coming into your server.
[00:00:38] So if I want to add a new server or I want to add a new rule, I say append the rules to the input. So any connections coming in, what's the protocol? TCP, it could be ICMP too. But for now TCP. The port, 22. And then we're gonna say, for all connections that match this, we're gonna let it in.
[00:00:59] Yeah, it's not pretty, right? It's kind of annoying. Is there a better way to do this, yes. You should know what an iptable is, yes. So we are gonna over some quick configuration tables for iptables. Now mind you, these are just theoretical exercises, don't actually do this. Cuz if you mess with iptables, things will go bad for you very very quickly.
[00:01:20] Jim, I can't log into my server. Nobody has asked that yet. But if you do this, you can lock yourself out very easily, and I'll show you the better way of doing it. So, knowing what we do, so we know there's an input, there's an accept, there's protocols and there's ports.
[00:01:34] Kind of straight forward. So can we create an iptable rule to block all outgoing HTTP connections? Mm-hm.
>> Jem Young: iptables that's a output, so everything going out. The protocal, port is 80, hP is always 80 for the most part. And we're just gonna say REJECT. Everybody with me so far?
[00:01:59] You don't have to memorize this nomenclature, but this is for the future so that if you ever see it, or if someone says iptable rules, you understand what they're talking about. Now if you're thinking why REJECT? Cuz there's drop as well. One, you're pretty smart if you know that drop and REJECT, there's two ways two kinds deny a request going out or coming in.
[00:02:17] You can REJECT, you can drop. Drop means, if I try to connect it just won't connect. It won't tell me why. It just, it will pretend like the port's not there. So my rookie mistake is always saying, like, drop, but that's not useful at all. Let's say you close a port and you try to connect to it later, and you're trying to connect and it's just not doing anything.
[00:02:36] How are you going to debug that? Cuz you're just dropping the connection. And 71 rejects. We wanna actually say, no, you're not allowed in, and that's just more helpful for debugging. If you look in the speaker comment, add to the link to really smart person and they said, they explained everything drop and reject and why you wanna do that.
[00:02:54] But I just wanna save you all some trouble. Don't drop things, reject them. If you're thinking server security, if I just drop them, people will know I'm there. Well they're gonna know you're there anyways. So it's really not much help to drop things. All right, a lot of iptables.
[00:03:12] I know it's tedious. These are the basics though. Till we create an iptable, we would only allow icmp connections on port 892 from the IP address 192.0.0.1. That's all so ugly. Yes, we can though. We can do it. IT tables. The inputs. So all incoming connections, -s saying from this IP address -p, the protocol, icmp dport, 892.
[00:03:41] And we're just gonna say accept that. And if you go back you say, this looks weird, then you see this. The more you do it, the more the rules just makes sense in your head. They're easy to reason about, and even iptables, as kind of ugly as they are, they make sense.
[00:03:56] They follow the same pattern all the time.