The idea is simple: limit the number and the destinations of the requests the Pi can make, accept data only from trusted sources, and never let the Pi act as a server that accepts inbound connections.
Because the dashboard application running on the Pi needs access to several systems, the obvious approach is to block all non-essential network traffic by allowing only requests and their responses between the Pi and a listed set of systems.
iptables ships with most Linux distributions, so it is likely to be installed already; otherwise install it through your distribution's package manager.
To get a quick flavour of what iptables is capable of, try this command, which should yield results like the following:
A Bit of Background
From the output listed above, you can see there are three different types of chain:
INPUT chain: controls incoming connections, i.e. packets addressed to the Pi itself. A good use case would be managing
FORWARD chain: handles packets that arrive at this machine but are not delivered locally. This is the router case: iptables passes the packets on towards their destination. A Pi that does not route can safely drop everything here.
OUTPUT chain: controls outgoing connections. Before any packet leaves, for example when you run ping, iptables checks it against the OUTPUT chain and decides whether to let it through or turn it down.
Policy and Connection-Specific
For each chain, rules exist on two levels: policy and connection-specific. The policy is the default for the whole chain, applied to every packet that no rule matches. Connection-specific rules are checked first, so they act as exceptions to the policy, or can be used on their own while the policy stays at ACCEPT.
A rule sends a matching packet to a target; the three to choose from here are:
ACCEPT lets the packet through.
DROP discards the packet silently, as if nothing had arrived. The sender gets no answer and has to wait for a timeout, which is useful for hiding the server from anything that tries to connect to it (it slows scanners down, although it does not make the host invisible).
REJECT also discards the packet but sends an error back (an ICMP error by default, or a TCP reset if configured), so the sender learns immediately that the server's firewall has actively blocked the connection.
Command to Shut Down All Connections
With these definitions in place, the purpose of the following commands should be self-explanatory:
This was the first step of my network configuration, which I later found should in fact be the last step of what I am trying to achieve. The reason is simple: I need to set up the connection exceptions before shutting everything out with the almighty policy rules.
Command to Make Exceptions
Of the iptables command switches listed here, I will only show one example of how to create a connection exception:
A few bits of the command are worth explaining:
-I inserts the rule at the top of the chain, or at a given position: -I INPUT 5 makes it the fifth rule. -A appends the rule to the end of the chain. Rules are matched in order and the first match wins, so the position matters whenever rules overlap.
-s is the source specification and -d the destination. Use them in the right chain: -s in INPUT for where data may come from, -d in OUTPUT for where requests may go.
example.com can be given either as a hostname or as an IP address. iptables is clever enough to resolve a hostname when the command is executed, but that is all it does: it installs one rule per address the name resolved to at that moment, the rules hold IP addresses rather than the name, and they are not updated if the name later points elsewhere. A hostname is convenient when writing the rule, but list the installed rules afterwards to see which addresses you actually got, and remember that the lookup needs DNS to be reachable, so hostname rules must be added before the policy shuts outbound traffic down.
Debugging and Tracing
Being able to tell whether the rules work is important, and an easy option for debugging is a plain ping of the target.
A happy connection reports each reply packet received from the target.
When the outbound policy is set to -P OUTPUT DROP, you will see:
With the inbound policy set to -P INPUT DROP, you should expect a similar failure after a short delay: the request leaves, but the reply is dropped, so ping times out while waiting for data.
Enterprise systems are rarely as simple as the example: a single request can bounce through several domains (aliases, load balancers, proxies) before it reaches the real server and the data comes back.
A more thorough way to find out where a request actually goes is dig.
An example of the information dig example.com returns is:
The interesting parts are not the (manually anonymised) times but the ANSWER SECTION and the SERVER line. The ANSWER SECTION lists the chain of names (CNAME records) and the final IP addresses (A records) your request is sent to; SERVER is the DNS resolver that answered, which must itself stay reachable on port 53 for any later lookup to work. Bear in mind that dig shows where the name resolves, not every hop the packets take.
When setting up the exception rules, you will need to whitelist these addresses (or the hostnames that resolve to them, and the resolver) so that the information can reach wherever it needs to go.
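To show what the ANSWER SECTION and SERVER line actually give you, here is an added example (not from the original post) that parses a dig answer with awk and sed and turns its A records into the OUTPUT exceptions the whitelist needs. The dig output it reads is constructed, with addresses from the RFC 5737 documentation ranges rather than a real lookup, and the rules are only printed, never applied:

```shell
#!/bin/sh
# Pull the addresses to whitelist out of a dig answer (added example, not from the post).
# Only the A records in the ANSWER SECTION carry addresses an iptables -d/-s rule can use;
# CNAME records just point at the next name in the chain. The sample below is constructed,
# with addresses from the RFC 5737 documentation ranges, not a real lookup.
set -eu

# Print the IPv4 address of every A record in the ANSWER SECTION (dig output on stdin).
answer_ips() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0 }
        in_answer && $3 == "IN" && $4 == "A" { print $5 }'
}

# Print the CNAME chain (owner -> target) to see how many names the request passes through.
answer_cnames() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0 }
        in_answer && $3 == "IN" && $4 == "CNAME" { print $1 " -> " $5 }'
}

# Print the resolver that answered (the ;; SERVER: line); it must stay reachable on port 53.
answer_server() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# Turn the A records into the OUTPUT exceptions the whitelist needs (printed, not applied).
rules_from_answer() {
    answer_ips | while read -r ip; do
        echo "iptables -A OUTPUT -d $ip -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Constructed sample in dig's output format: one CNAME hop, two A records, one resolver.
SAMPLE_DIG='; <<>> DiG 9.10.3 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            300     IN      CNAME   edge.example.net.
edge.example.net.       60      IN      A       192.0.2.10
edge.example.net.       60      IN      A       198.51.100.7

;; Query time: 21 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
;; WHEN: Sat Jan 01 00:00:00 UTC 2000
;; MSG SIZE  rcvd: 102'

printf '%s\n' "$SAMPLE_DIG" | answer_cnames
printf '%s\n' "$SAMPLE_DIG" | answer_ips
printf '%s\n' "$SAMPLE_DIG" | answer_server
printf '%s\n' "$SAMPLE_DIG" | rules_from_answer
```

Running it prints the CNAME hop, the two addresses, the resolver and the two rules. Pipe a real `dig` into the same functions to get the list for your own systems, and rerun it whenever the remote side changes: a name can gain or lose addresses, and a rule written from an old answer silently stops matching.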
I am so glad you are thinking about this, because it has caused me an unspeakable amount of pain.
Despite having got the rules working, funnily enough, the application (which runs locally on 127.0.0.1) just couldn't give me anything. By that I mean no network requests in the debug console, nor did the website load. I think I should have figured it out a bit earlier given how obvious it is, but just to give you a hint: yes, my localhost is still blocked!
By doing this, you will be able to take back control and launch the application locally. Another way to do this is via the loopback interface, but I couldn't get it working the way people suggested, so I am just listing it for argument's sake.
Yes, as you have probably figured, it is easier to put the commands together in a script, not only for reusability's sake but also to streamline the process. So here you go:
And yes, you are more than right: not only do you need a script to configure things, you also need one to revert them when things go south.
Persist the Changes
The rules live in the kernel only: the changes last until the rule set is flushed or the Pi is rebooted. To avoid being locked out and sent back to square one, here is what you can do to save the rules and restore them when needed.
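Putting the pieces of this post together: the exceptions for the listed systems, the loopback rules for the dashboard on 127.0.0.1, the DROP policies applied last, a revert path, and persistence with iptables-save and iptables-restore. This is an added example script, not the post's own; the hosts in ALLOWED_HOSTS, the SSH_FROM admin address and the RULES_FILE path are placeholder assumptions you replace with your own. It defaults to a dry run that only prints the iptables commands, so the rule set can be reviewed (or tested) without root:

```shell
#!/bin/sh
# pi-firewall.sh: lock a Raspberry Pi down to a fixed set of hosts with iptables.
# Added example for this post, not the author's script. ALLOWED_HOSTS, SSH_FROM and
# RULES_FILE below are placeholders (assumptions); set them for your own systems.
#
#   DRY_RUN=1 ./pi-firewall.sh lockdown        # print the commands only (the default)
#   sudo DRY_RUN=0 ./pi-firewall.sh lockdown   # apply them
#   sudo DRY_RUN=0 ./pi-firewall.sh reset      # revert to accept-everything
#   sudo DRY_RUN=0 ./pi-firewall.sh save       # persist; load again with restore
set -eu

DRY_RUN="${DRY_RUN:-1}"
ALLOWED_HOSTS="${ALLOWED_HOSTS:-dashboard-api.example.com 192.0.2.10}"  # hostnames or IPv4 literals
SSH_FROM="${SSH_FROM:-}"                             # admin host allowed to ssh in; empty = none
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"   # the file iptables-persistent loads at boot

# Run iptables, or echo the command when DRY_RUN=1 so the rule set can be reviewed first.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Resolve a hostname to all of its current IPv4 addresses. iptables resolves a hostname
# only once, when the rule is inserted; doing it here makes the resulting IPs visible.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Allow new outbound connections to one host (an IPv4 literal or a hostname).
allow_host() {
    case "$1" in
        *[!0-9.]*) addrs="$(resolve_v4 "$1")" ;;   # not just digits and dots: resolve it
        *)         addrs="$1" ;;
    esac
    [ -n "$addrs" ] || echo "warning: $1 did not resolve, no rule added" >&2
    for ip in $addrs; do
        ipt -A OUTPUT -d "$ip" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Allow DNS to the resolvers in /etc/resolv.conf; without this nothing resolves once
# OUTPUT is DROP. IPv6 resolvers are skipped: they belong to ip6tables.
allow_dns() {
    [ -r /etc/resolv.conf ] || return 0
    for ns in $(awk '/^nameserver/ { print $2 }' /etc/resolv.conf); do
        case "$ns" in *:*) continue ;; esac
        ipt -A OUTPUT -d "$ns" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
        ipt -A OUTPUT -d "$ns" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Revert: open policies, then flush the filter table. Also the first step of lockdown,
# so re-running the script works even when the Pi is already locked down.
reset() {
    ipt -P INPUT   ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT  ACCEPT
    ipt -F
}

lockdown() {
    reset
    ipt -A INPUT  -i lo -j ACCEPT   # loopback: the dashboard on 127.0.0.1 needs this
    ipt -A OUTPUT -o lo -j ACCEPT
    # Inbound only ever carries replies to connections the Pi opened: it is not a server.
    ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    [ -z "$SSH_FROM" ] || ipt -A INPUT -s "$SSH_FROM" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    allow_dns
    for host in $ALLOWED_HOSTS; do allow_host "$host"; done
    # Policies go last: the exceptions must exist before the door is shut, and the
    # hostname lookups above need outbound DNS to still be open.
    ipt -P INPUT   DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT  DROP
}

# Rules live only in the kernel; save them to a file and load that file after a reboot.
save() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables-save > $RULES_FILE"; else iptables-save > "$RULES_FILE"; fi
}
restore() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables-restore < $RULES_FILE"; else iptables-restore < "$RULES_FILE"; fi
}

case "${1:-}" in
    lockdown) lockdown ;;
    reset)    reset ;;
    save)     save ;;
    restore)  restore ;;
    "")       ;;   # no subcommand: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 lockdown|reset|save|restore" >&2; exit 2 ;;
esac
```

The only general inbound rule is conntrack's ESTABLISHED,RELATED, so replies to connections the Pi opened get in and nothing else, which is what "not acting as a server" looks like as a rule. If you apply this over ssh, set SSH_FROM to your own address first or you will be cut off, and keep the reset subcommand at hand. The saved file is loaded at boot by the iptables-persistent package on Debian-based systems such as Raspbian, or you can call restore from your own boot script.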
Here are some more topics I'd like to cover over time as I gain more experience in this area.
- Block/Allow Traffic by Port
- iptables for IPv6
http://www.cyberciti.biz/faq/linux-iptables-multiport-range/
https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables
http://serverfault.com/questions/218707/iptables-rules-to-allow-http-traffic-to-one-domain-only