Linux Firewall Administration | Imran Afzal | Skillshare

Linux Firewall Administration

Imran Afzal, Systems Manager / Instructor

6 Lessons (1h 17m)
  • 1. Introduction to Firewall
  • 2. Firewall (firewalld)
  • 3. Firewall (firewalld – Practical Examples)
  • 4. Firewall (iptables – tables, chains and targets)
  • 5. Linux Firewall (iptables – practical examples)
  • 6. Firewall (firewalld GUI)


About This Class

Learn everything about Linux firewall including iptables and firewalld

Meet Your Teacher

Imran Afzal

Systems Manager / Instructor




Hello, I'm Imran Afzal and here is my education and experience:

About Me:

Imran Afzal

Bachelors in Computer Information Systems (Baruch College, City University of New York)

Master of Business Administration (New York Institute of Technology)

- Over 20 Years of IT Infrastructure experience
- 7 years of training experience in Linux, VMWare, Windows and many other IT technologies
- 5 years of IT Infrastructure management experience

- Linux Systems Management (New York University, NY)
- UNIX Operating Systems
- Linux System Administration and System Internals




1. Introduction to Firewall

Hello and welcome to the lecture, Introduction to Firewall. When you need to secure your system, the firewall should be the number one thing discussed. So let's start with what exactly a firewall is. A firewall is what it reads as: it is like a wall that prevents the spread of fire. Anything you put up that does not let the fire in is a firewall; that is how it got its name. When data moves in and out of a server, its packet information is tested against the firewall rules, and those firewall rules reside on the firewall. The packet is tested against the rules to see whether it should be allowed or not. In my words, the way I want to describe it is that a firewall is like a watchman, a bouncer or a shield that has a set of rules given to it, and based on those rules it decides who can enter and who can leave. There are two types of firewalls in IT. The first one is the software firewall, which is the firewall that runs on an operating system. You have a firewall that runs on Linux, you probably have a firewall that runs on Windows or any other operating system; it is a small piece of software called the firewall. The other type is the hardware firewall. That firewall is a dedicated appliance, a piece of hardware with, of course, the firewall software running on it. That type of appliance is more often found on the network side, and the network team are the ones who maintain that type of firewall. But anyway, our focus is the software side of the firewall, which runs on the operating system. All right, so let me put it in a picture so it will be easier to understand. We have a server A. It's that simple. It wants to go to server B. When it goes to server B, it sends some kind of protocol or connection request, and in this case, let's say
server A wants to connect to server B through SSH on port 22. When there is a firewall in the middle, it will check its rules: "Let me check the rule to see if server A is allowed to come in on port 22." If the rule says yes, this server can come in, then server B says, "Okay, I have made that clear," and the connection is established. Another example: server A wants to go to server B and connect to it through FTP, and FTP, as we all know, runs on port 21. Before the connection to server B is established, it goes to the firewall, and the firewall rules on server B say that server A is not allowed to come in using the protocol or service FTP. Then what happens is server B says, "Sorry, dude, I cannot let you come in, because my firewall rules say you are not allowed to enter my operating system through the FTP service." Now, you may see this firewall sitting in the middle and you are probably thinking that is where it sits. But in reality, this firewall is sitting on server A, and another firewall is also sitting on server B. Both servers A and B have firewalls. So server A, which wants to connect to server B, could also have a rule governing whether this service is even allowed to leave server A or not. And when the request gets to server B, server B has its own firewall, which would say, "Even though it came in, let me see if this service is allowed to be accepted on my server." So that's how the firewall works.

2. Firewall (firewalld)

Okay, so now it's time to work on the firewall, specifically the tool firewalld. firewalld works the same way as iptables, but of course it has its own commands. The command starts with firewall-cmd. Make sure the first part of the command does not have a "d" in it; it is just firewall-cmd. It has a few predefined service rules that are very easy to turn on and off. Those services, such as NFS, NTP
and so on, are already there in XML format. All you have to do is add those services to the firewalld table and the rules. We'll cover that in a later lecture, of course, and I'll show you exactly how the XML file works. firewalld also has the following: tables, chains, rules and targets. You already know tables, chains, rules and targets: the table is the one that has all the information about chains, rules and targets; chains are the ones that have the outgoing, incoming or forward traffic information; and the rules are associated with those chains, like "if incoming traffic matches or does not match this rule, then what to do". Then comes the target. The target would be either drop, reject or accept the traffic. So again, as I said, it works similarly to iptables, and if you need to refresh all these different table, chain, rule and target terms, you could go back to the iptables lecture to find more information about them. Okay, so you can run one or the other, meaning either iptables or firewalld. It is not recommended to run both at the same time. Make sure iptables is stopped, disabled and masked before you start firewalld. And of course, to stop it, as usual, systemctl stop iptables, then systemctl disable so it won't start at boot, and mask it so you won't start it accidentally and no other program starts it. Then, after it is stopped, you need to check whether the firewalld service that you are trying to start has its package, or the required package, installed on your system. But as I said, if you're using CentOS 7, Red Hat 7 or Fedora 7 and above, by default it will have firewalld installed. By the way, I just checked: in the third line you see "firewalId"; that's just a typo, an "I" instead of an "l". Anyway, it's just an honest mistake. Then, to check if the package is installed, you'll run rpm -qa and grep for firewalld.
If you don't find it, then you'll run the yum command to install firewalld. Once it is installed, you'll start firewalld using the command systemctl start firewalld. The next command would be systemctl enable firewalld. You cannot run all of that in one command; I just put it on one line to save some space. Then, to check the rules of firewalld, what's inside and what is defined, you'll run firewall-cmd --list-all. It will tell you what services are enabled, what rules are in place and what type of chains are in place. To get the list of all the services firewalld is aware of (those are the services I talked about in the previous slide, the services predefined by firewalld that are already in XML format, which you could simply add and remove in one single command), you run the command firewall-cmd --get-services. To make firewalld reload the configuration you edited, meaning if you added a rule in firewalld, you will always have to run the command firewall-cmd --reload, so your firewalld process would know about the new rule or new information that you added to the table. All right, so now I'm going to go into the Linux machine and we'll try all of that. So first things first: make sure iptables is not running, systemctl status iptables, and you'll see it is running, it is active right now, so you would have to stop it. Press the up arrow key and replace status with stop. It has stopped. Now disable it so it does not start at boot time, and then mask it so you, or any program, can't start it by mistake. You could check the status again, and you will see right now it is masked and inactive. Perfect. Now it's time to check if we have the firewalld package installed, so rpm -qa and grep for firewalld. Okay, it does have it; this is the package we're concerned about.
Make sure this package is there, and if there are more firewalld packages on the system, such as the firewalld-filesystem package, you could also install those, but most likely they will get installed along with it if you just type yum install firewalld. Okay, so now it is installed. The next step is to start firewalld: systemctl start firewalld. As you see, it is masked, which means it is not allowed to start by mistake or by any other program. So we have to unmask it: systemctl unmask firewalld. All right, it is unmasked now. You could go ahead and start it. It has started. Perfect. Now go ahead and enable it so it starts at boot time. Okay, now go ahead and check the status. It is running; the current status is active. Nice. Clear the screen. Now I am going to check what's inside my firewall rules, what comes out of the box, and for that I will do firewall-cmd --list-all. You'll see this is the table, it's the public zone, it's active and it has the services by default: ssh and dhcpv6-client. These two services are already enabled; those are the firewalld services that are enabled every time I start up, and by default SSH is allowed to come in. You could define ports here, and any specific rules that you have you could put in as rich rules, which we'll cover in a later lecture. If you want to add something, you could run the command firewall-cmd followed by the correct syntax to add a service or port. To get the listing of all the services that firewalld is aware of, you'll type firewall-cmd --get-services. Okay, so this is the list of services I was talking to you about earlier. These are the predefined services, all separated by a space and written in alphabetical order, a, b, c. If you're looking for, let's say, ssh, you look in the s section and you see ssh here, and some smtp services here. If you're looking for ftp, you go into the f section, this is f, and you see ftp. So all these services are predefined in there.
That doesn't mean they are already part of the firewall rules, or that it will allow all these services by default. It's not that. It's telling firewalld, "Hey, you have the service. All you have to do is run a command telling me which service you want to enable, and I'll go to its configuration file, find out which port it runs on, and enable it for you." I'll cover that XML file in the later lectures. So for now, just make sure you're starting firewalld, it's up and running, and it has the two predefined services listed as shown here.

3. Firewall (firewalld – Practical Examples)

Let's get into some practical examples on firewalld. firewalld has multiple zones. To get a list of all zones, you have to run the command firewall-cmd --get-zones. So let's go into the Linux machine and run it here, and we'll see how many zones there are and the listing of zones. Type firewall-cmd --get-zones and you will see it gives you the list of zones: block, dmz, drop, external, home, internal, public, trusted, work. You could use any zone that is required by your company or your policies. Most of the time, what I've seen is that public is the zone that is used. So our focus in this lecture will remain on public. That's how you get the listing of zones. To get a list of active zones, to see which of all those zones is the active one, you'll run the command firewall-cmd --get-active-zones. This lists the zone that is active, active in the sense that this is where the firewall is getting all its rules and configuration from, and it is public. The interface that is attached to the zone is our default interface; you might have a different one if you're using a different type of Linux, physical or virtual. The next thing we'll talk about is how to get the firewall rules for the public zone.
So now we know that public is the zone that is active. Now, how do you get a list of that zone's rules? You could run the command firewall-cmd --zone=public --list-all. But if you noticed, when you ran the command --get-active-zones, it only gave us the public zone. So when you only have one zone active, you really don't have to specify the zone name, but just to practice: if, let's suppose, you had multiple zones, then you would have to specify the one called public. In that case we'll do firewall-cmd --zone=public --list-all. This is the zone which, by default, out of the box, if you are running firewalld for the first time, is what you're going to see. The main thing you'll see is that the zone is public, it's active, and the default services that you get are ssh and dhcpv6-client. These are the services that are enabled by default. Again, what I meant was, if your public zone is already active and it's the only one, you don't have to specify the zone; you could simply run the command without specifying the zone and get the same result. So all services are predefined by firewalld, as explained previously, and you have a list of all those services. Now the question is: I do have the list of all the services, and I could go in and enable or disable any of them. But what if I want to add a third-party service? Well, take an example: let's say you installed the SAP application on your Linux server and you want to allow that application to be turned on and off. Then you have to go into /usr/lib/firewalld/services. All those services that are predefined are in that directory, and all you have to do is simply copy any .xml file and change the service and its port number. Now, when you open that XML file, this is how it's going to look.
By the way, this is a smaller version. There are many XML files in that directory that have a longer description. The shorter description is what I am showing you. When you cat that file, any of the files in that directory that end with .xml, you'll see the version on the first line, and on the second you'll see the service and the entire information about the service: what type of service it is, which you'll see is ssh; the description you want to put in, what exactly this service will do; and of course the port information, the protocol and port, which in this one is tcp and port number 22. This is how it looks, but in the next slide we are going to make a customized service, which I just mentioned, sap.xml, and I will show you how you could make firewalld aware of it. So let's go to the next slide and see: if you wanted to add a service, let's say http, to your firewall, for that you have to run the command firewall-cmd --add-service=http. Right now, before you run this command, you'll see there is no http service in the services. So if you have Firefox, you could open it up and try to access your http service, and you will see that it will not be accessible. But of course, in order to check that, you first need to make sure your httpd service is running. So let's see: systemctl status httpd. Okay, it says it is masked and inactive, so we have to activate it in order to test our firewall rules when we add them. What we will do is first I will unmask it, then I will start the service. The service has started; let's check the status. It is active now. I will go ahead and open my browser to make sure I can access my Apache server using the http protocol or service. So the IP address of my machine, the Linux machine that I'm using, is 192.168.1.62. When I reload, you will see it is saying "problem loading page" and it is spinning. It means the connection
will say that it's timed out. As you see, it's taking too long. This is the message you'll get. So in order to get to your server through that http service, you have to enable it. Let's go to our firewalld and add that. Clear the screen: firewall-cmd --add-service=http, http being the service you want to add. Okay, that service is added, and when you do --list-all again, you will see in the services section there's this last service that has been added. Now let's go ahead and verify by going to our Firefox machine and refreshing the screen, and you get the splash page, meaning we could get to our splash page and it works perfectly fine. Good. Now, one more thing: if you want to remove that, you could simply hit the up arrow key, go back to the same command and type remove, and it will remove it. You could check whether it's gone or not by looking at your --list-all, and you'll see it is gone now. So that's what removing the service is about. Then, to reload the firewall configuration, meaning, let's say, if you added some service and now you just want to clear the entire firewalld configuration, whatever you added, for that you have to type firewall-cmd --reload. Before I do that, I'll show you: first we add the http service, it is added, and now if you do --list-all you'll see it is there. But when you go in and reload, and check the firewall, you'll see that the http service, everything you added, is gone. So it's kind of a way for firewalld to flush whatever temporary rules are in there. So if you want to add any rule permanently, you have to specify --permanent at the end. To add or remove a service permanently, you'll run the command firewall-cmd --add-service=<service> --permanent, and that will add it permanently to that zone, which is public. And of course, to remove it permanently, you'll run the same command with --remove-service and the --permanent option.
Now let's talk about the third-party application we talked about in the last slide. What if there are services you want to add that didn't come predefined, as a default service, in firewalld? What we have to do, the first thing, is go into the directory /usr/lib/firewalld/services. You could simply copy any .xml file to a file named after the new service and change the service and port number inside the file. Then you have to restart firewalld, and then simply get the listing of the services to confirm, to verify, that the service is there. If it's there, it's working, and then you could run the firewalld command to add that service. So we'll go through that exercise now. As I said, we'll use the service SAP as an example, and SAP, I believe, runs on port 32. I'll go into /usr/lib/firewalld/services. By the way, if you're doing this for the first time, I recommend you take a snapshot of your virtual machine in case things go wrong. Okay, now in this services directory there are a bunch of services. If you run ls -l, you'll see all those services that you get when you run the command firewall-cmd --get-services. All these services that you see are what firewalld is pulling from these files. Now, again, we want to add SAP. I'm going to go ahead and take any file; in this case I'm going to copy the ssh.xml file to sap.xml. Okay, verify it's there with ls -l: it's there, all the way at the end. Now I will go ahead and modify that file, vi sap.xml, and you see it has that version and service. The short description is SSH; I'll remove it and change it to SAP.
Okay, now for the description I removed everything that is listed for the SSH service description, and I will put in the third-party description, whatever this service will do: "This is a third-party application service." Okay, good. Now the protocol is tcp, or whatever you want to specify, and you could choose port 32. Of course you need to know these things: whether it's TCP or UDP, what the port number is, what the service is. Now you could go ahead and save that file. You could verify with cat sap.xml, and you see it is there with all the settings that you have specified. Now, if you want to see that SAP in your listing, meaning when you run the --get-services command you want to see it there, then you would have to restart firewalld: systemctl restart firewalld. It is restarted. Now, when you run --get-services, you should be able to see your SAP service. What I will do is firewall-cmd --get-services, and I'll simply pipe it to grep sap, and there you go. It's highlighted for us, so it's easier to know where exactly it ended up. So now this SAP service is in there. Nice. Now we could go ahead and add it as a service to the firewall configuration. To add it, simply firewall-cmd --add-service= followed by the name of the service you added, and then you do --list-all and you will see it added that SAP service. Now, if you try to add any other service that does not have a .xml file there, it will simply fail; it's not going to work. For example, if I'm trying to add a service called imran, it says invalid service imran, because it went into the /usr/lib/firewalld/services directory, looked for the imran.xml file, and it doesn't exist. That's why it's not able to add it. So that's a good feature of firewalld, where you can simply add or remove only services that are defined in that directory. All right, moving on.
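The custom-service step above (copy an existing .xml, change the short name, description and port, then add it by name) is worth seeing as code, because the file name is the service name and --add-service simply looks for <name>.xml. The following is an added example, not code from the course or from firewalld itself: it writes service definitions in the same shape as the stock files, lists them the way --get-services does, and resolves a name the way --add-service does, failing for a name with no file (the "imran" case). It assumes a temporary directory in place of the real services directory, so it runs without root and touches nothing on the system; on a real host, firewalld also reads /etc/firewalld/services, which is where a custom definition survives package upgrades.

```python
"""Added example: create and resolve firewalld-style service definitions.

Assumption: a temporary directory stands in for /usr/lib/firewalld/services.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Stand-in for /usr/lib/firewalld/services (assumption: never the real path).
SERVICE_DIR = os.path.join(tempfile.mkdtemp(prefix="fwd-"), "services")

# The file name is the service name, so restrict it to safe characters.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def write_service_xml(name, short, description, ports, directory=SERVICE_DIR):
    """Write <directory>/<name>.xml in the shape of the stock firewalld files.

    ports is a list of (port, protocol) pairs, e.g. [(22, "tcp")].
    Returns the path of the file written.
    """
    if not _NAME_RE.match(name):
        raise ValueError(f"unsafe service name: {name!r}")
    for port, proto in ports:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"protocol must be tcp or udp, got {proto!r}")
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port!r}")

    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for port, proto in ports:
        ET.SubElement(root, "port", protocol=proto, port=str(port))

    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, f"{name}.xml")
    ET.ElementTree(root).write(path, encoding="utf-8", xml_declaration=True)
    return path


def load_service(name, directory=SERVICE_DIR):
    """Resolve a service name the way --add-service does: <name>.xml must exist.

    A name with no matching file (the lecture's "imran") is rejected, mirroring
    the INVALID_SERVICE error firewall-cmd prints.
    """
    path = os.path.join(directory, f"{name}.xml")
    if not _NAME_RE.match(name) or not os.path.isfile(path):
        raise LookupError(f"Error: INVALID_SERVICE: {name}")
    root = ET.parse(path).getroot()
    if root.tag != "service":
        raise ValueError(f"{path}: root element is <{root.tag}>, not <service>")
    return {
        "short": root.findtext("short"),
        "description": root.findtext("description"),
        "ports": [(int(p.get("port")), p.get("protocol")) for p in root.findall("port")],
    }


def list_services(directory=SERVICE_DIR):
    """What --get-services shows: every <name>.xml in the directory, sorted."""
    if not os.path.isdir(directory):
        return []
    return sorted(f[:-4] for f in os.listdir(directory) if f.endswith(".xml"))


if __name__ == "__main__":
    # Constructed sample data: a stock-style ssh entry and the lecture's sap entry.
    write_service_xml("ssh", "SSH", "Secure Shell", [(22, "tcp")])
    write_service_xml("sap", "SAP", "This is a third-party application service", [(32, "tcp")])
    print(list_services())               # ['sap', 'ssh']
    print(load_service("sap")["ports"])  # [(32, 'tcp')]
    try:
        load_service("imran")
    except LookupError as err:
        print(err)                       # Error: INVALID_SERVICE: imran
```

The name check matters more than it looks: because the lookup is a file path built from user input, a name such as ../something would otherwise escape the services directory, and a port outside 1-65535 or a protocol other than tcp/udp would produce a file that firewalld rejects only at reload time.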
By the way, let me remove the service, so this way I have everything cleaned up. Or I could just simply do a reload, if I have not added it permanently. Success. Let's verify it's gone. It's gone. Good. Moving on. Now, what if you want to add a port to your firewalld configuration? Simply run the command firewall-cmd --add-port=1110/tcp. I picked 1110 as a random port; you pick whichever port you want to open and the protocol, and hit enter. Verify that, and you will see it is going to show up under ports: 1110/tcp is added. Now again, if you do not specify --permanent, then it will go away the moment you do firewall-cmd --reload. Okay, so that's how you add a port. And of course, to remove a port you would do --remove-port. So let's go ahead and remove the port I added: I will do --remove-port=1110/tcp. It is gone. Let's verify it, and it's no longer there. Beautiful. Okay, now to reject incoming traffic from an IP address. Again, this is kind of a scenario where you have someone coming into your machine from an IP address, and you don't like that person or you don't like the machine; whatever the reason, you just want to block any traffic coming in from that IP address. So you'll run this as a rule. It's a little long rule, but it is added in the rich rules space, all the way at the bottom. Let's go into the rules: you see, when you run firewall-cmd --list-all, you see rich rules all the way at the bottom. This is where you have to add this rule. So I'm going to make this smaller so I could grab this up and read the whole command, and I'll just make this bigger as well so I'm able to type everything on one line. So firewall-cmd --add-rich-rule: you are adding a rich rule, and that rich rule says rule family="ipv4", and then which IP address are you trying to block?
It is a source, and the address of that source equals, in quotes, 192.168.0.25. Then what you want to do, remember the target thing we talked about: you want to reject, and close the quote. It has been successful. Let's verify it is there, and you will see this rule is added as a rich rule, all the way at the bottom, which will reject all incoming traffic if it matches this IP address. Now, to block and unblock ICMP traffic: what if you do not want people to ping you? You could simply run this command. So let me go back in and remove that rich rule I added; instead of add, I will do remove. Or I could have just done firewall-cmd --reload. Anyway, it's gone. Let's verify. Yep, it's gone. Now I want to block all incoming traffic, I mean all incoming ping traffic, not all traffic: firewall-cmd --add-icmp-block-inversion. As you know, ping comes over the protocol ICMP; --add-icmp-block-inversion, and it is added. Let's verify, and you will see icmp-block-inversion is set to yes. Now if I go into any other machine, let's say I go into my Windows machine with a DOS prompt open, and I try to ping my Linux machine where I have enabled this rule, 192.168.1.62, the IP of my machine, you'll see it says host unreachable. Now if I go ahead and remove that rule, meaning instead of add I just do remove, and now if I try to ping it, I should be able to ping. That's how you block or unblock ICMP traffic. Now, just remove it. Next, to block outgoing traffic to a specific website or IP address. As an example, I'm going to use that example again: what if you want to block all the traffic that goes outside to Facebook? You just don't want your kids, or whoever you're dealing with, you just don't want the person to go out to the Facebook page, or any page for that matter. For that you have to find out what the IP address of the page is.
To find that, you have to run the command host -t a followed by the URL, and it will find that IP address. I have already found that IP address, and the IP address is 31.13.71.36. To block that outgoing traffic, this is the command you will run. So let's run that command. I have this Linux machine right here, and again, to find the name of the host, to find the IP address of www.facebook.com, you'll see the IP address is already there. Confirmed. Now I need to block that in the firewall. But before I block it, let me ping that IP address just to make sure that I can go out. Yes, I can go out, I get a response. Now I'm going to go ahead and block that: firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -d 31.13.71.36 -j DROP. Remember, OUTPUT is outgoing traffic; this is to stop traffic going to that address, 31.13.71.36 is the IP, and what you want to do is the target, which is DROP. It is successful. Now you could go ahead and ping that IP address, and you will see it tells you the operation is not permitted, because you're not allowed to go outside. Now if I go ahead and reload my entire firewalld, and ping it, I still cannot ping. Let me see what's inside my --list-all; the rule is not there, but I cannot ping. I guess I have to restart my service here, so that would be systemctl restart firewalld. Restarted. Let's try ping again, and now I'm able to ping it. Maybe it was cached; we had to restart the entire firewalld. But that's OK. So now this is how you could block outgoing and incoming traffic. These are a few of the commands we have covered, and they are pretty much very close to the commands we ran in iptables. Hopefully this entire firewalld lecture, which was a little long, actually served its purpose, and you are able to understand how firewalld works.
4. Firewall (iptables – tables, chains and targets)

Hello again, and welcome to the lecture on firewalls, and more specifically iptables. There are two tools to manage the firewall in most of the Linux distributions. One is iptables, and that is mostly used in all the Linux distributions. The other one is firewalld, which was introduced not long ago in the newer versions of Red Hat, CentOS and Fedora, and maybe some other Linux distributions as well. But, as I said, still the most used firewall tool is iptables, which is used in all of the Linux distributions. Now, you could run one or the other, so you cannot run both tools at the same time. In this lecture we will work with iptables to manage the firewall. It doesn't mean I will not cover firewalld; I will cover firewalld in the later lectures. Before working with iptables, make sure firewalld is not running and it is disabled. To stop the service, you have to do systemctl stop firewalld, or the service command if you're using an older version of Red Hat, Linux or CentOS. But of course, if you're using the older versions, most likely you don't have firewalld in it anyway. To disable it, you run systemctl disable firewalld, and to mask it, you run systemctl mask firewalld. You will need to mask it so other programs cannot run it, or you don't start that service by accident; that's why you mask a service. Now check if you have the iptables services package installed, because before you start the service, whatever it is, it says, "Hey, what service are you trying to start?" So you need to make sure you have the service installed, and to check if that service has the package installed, you do rpm -qa and grep for iptables-services. If it's not there, you will use the yum utility to install iptables-services.
Once you have it installed, you'll start that service with systemctl start iptables and then enable it. To check the iptables rules, you'll do iptables -L, and to flush the iptables, you do iptables -F. Meaning, if you want to start clean, from scratch, and you don't want the predefined rules in iptables, you do iptables -F to flush it. Now let me go into my Linux machine right here and we'll try all the things that we have covered. So first things first: we need to start iptables. But do we really have iptables? First check: rpm -qa | grep iptables-services. No, we don't. But of course, before we install it, let me first stop firewalld. To check if firewalld is running, because our focus is only iptables, you do systemctl status firewalld. Yes, you see, it is active and running. So let me go ahead and stop that service first, before I even work on iptables. It is stopped. Now go ahead and disable it, so it won't start at reboot. Okay, now go ahead and mask it, so you don't start it by accident. Now go ahead and check the status. You will see: loaded, masked, and current status inactive, dead. Beautiful. Okay, we are following our instructions along, and now our next step is to install iptables. Remember, we checked, it is not installed. So the command is yum install iptables-services. Now, if you want to install it, make sure your machine can go out to the internet and reach the repos that have the iptables-services package. It found it, and it tells you the size. Now go ahead, yes. I'm sure you're familiar with the yum utility. Now you could go ahead and install it. Once it is installed, you will see the complete message, "Installed". It is there. Now go ahead and start the service: systemctl start iptables. It has started, and I'll go ahead and enable it. It is enabled.
Now check the status to make sure it is up without any error messages. Yes, you see it is in active status with a process ID. Awesome. The next step is to look at what is inside iptables out of the box, which you do with iptables -L (uppercase L). By default it has a few rules already in place: accept SSH, accept ICMP, and a final REJECT with icmp-host-prohibited, among others. We want to start from scratch, so flush everything with iptables -F. It is flushed; let's verify everything is gone by listing again. You will see three different chains: one says Chain INPUT, the next says Chain FORWARD and the third says Chain OUTPUT. Now what is a chain, what is this whole thing, and what does each column mean? That is what I am going to cover next. The function of the iptables tool is packet filtering, and the packet-filtering mechanism is organized into three kinds of structure: tables, which I just showed you, chains, and targets. Let's get into the details. A table is something that allows you to process packets in specific ways. There are four main types of table: filter, mangle, nat and raw (on SELinux systems there is also a fifth, security). I have bolded and underlined filter because our primary focus here is the filter table, which is the default table when you do not name one and the one most commonly used on Linux. Each table has chains attached to it. These chains allow you to inspect traffic at various points. There are three built-in chains in the filter table. INPUT holds the rules for incoming traffic addressed to this host. FORWARD is for traffic passing through this host from one device to another, as on a router, which is rarely used on an ordinary server. OUTPUT is for outgoing traffic. So focus on these two, INPUT and OUTPUT, meaning incoming and outgoing traffic.
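The switch-over procedure above (stop, disable and mask firewalld, install iptables-services, start and enable iptables) as one script. This is an added example, not the course's own material; it assumes a RHEL/CentOS 7 style host with systemd and yum, and the package name iptables-services from the lecture. With DRY_RUN=1 (the default when run with no argument) it only prints the plan, so it can be reviewed before running it as root with the argument apply. classify_state is a small helper for the check a practitioner wants afterwards: exactly one of the two firewall services may be active.

```shell
#!/bin/sh
# Added example, not the lecture's own script: switch a RHEL/CentOS 7 host from
# firewalld to iptables-services in the order the lecture describes.
# Assumptions: systemd, yum, and the package name iptables-services.
# DRY_RUN=1 prints each command instead of executing it.
set -u

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# firewalld and iptables-services both try to own the netfilter rule set, so
# firewalld is stopped, disabled (no start at boot) and masked (no start by
# another unit or by accident) before iptables is touched.
disable_firewalld() {
  run systemctl stop firewalld
  run systemctl disable firewalld
  run systemctl mask firewalld
}

# Install the package only if rpm does not already report it.
install_iptables_services() {
  if command -v rpm >/dev/null 2>&1 && rpm -q iptables-services >/dev/null 2>&1; then
    printf '%s\n' "iptables-services is already installed"
  else
    run yum -y install iptables-services
  fi
}

enable_iptables() {
  run systemctl start iptables
  run systemctl enable iptables
}

switch_to_iptables() {
  disable_firewalld
  install_iptables_services
  enable_iptables
}

# Given the "systemctl is-active" result for firewalld and for iptables, say
# whether the host is in a sane state: exactly one manager may be active.
classify_state() {
  fwd="$1"; ipt="$2"
  if [ "$fwd" = "active" ] && [ "$ipt" = "active" ]; then
    echo conflict      # both running: each will rewrite the other's rules
  elif [ "$fwd" = "active" ] || [ "$ipt" = "active" ]; then
    echo ok
  else
    echo unmanaged     # no firewall service running at all
  fi
}

# Live check on a real host (needs systemctl); a missing unit counts as inactive.
check_host() {
  classify_state "$(systemctl is-active firewalld 2>/dev/null || true)" \
                 "$(systemctl is-active iptables 2>/dev/null || true)"
}

case "${1:-}" in
  apply) DRY_RUN=0; switch_to_iptables ;;
  check) check_host ;;
  *)     DRY_RUN=1; switch_to_iptables ;;   # default: show the plan only
esac
```

Run it once with no argument to see the plan, then sh switch.sh check after sh switch.sh apply; a result of conflict means a firewalld unit is still active and its reload will wipe whatever iptables rules you add.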
Now, each of these three chains has rules associated with it. Chains allow you to filter traffic by adding rules to them. An example of a rule is: if the traffic is coming from this IP address, then apply this target. So I have a table, the table has chains, these three chains are there, and each chain has rules defined. Now what happens when a rule is matched, say the IP address I defined comes in? What do you want done with that packet? That is where you define the target. There are three basic targets. The first is ACCEPT, which of course accepts the connection if the rule matches. The second is REJECT, meaning do not accept it, but do send a response back, an ICMP error (port unreachable by default) or a TCP reset, so the sender learns that the request was refused. The third is DROP, which is the harsh one: the packet is silently discarded, no reply at all, so the sender is not told why. These three are the simple targets. So again, to recap: iptables has tables; a table has chains, INPUT, FORWARD and OUTPUT; rules are defined in those chains; and each rule has a target, ACCEPT, REJECT or DROP. If you are still having a problem understanding it, let me draw it out for you. The table looks like this (of course it does not look exactly like this, I am just putting it graphically). This is the table. The table has chains, and the three chains are INPUT, FORWARD and OUTPUT. All of these chains have rules associated with them, meaning: if the IP address is this, or the port is this, and so on, then what do you want to do? Accept it, drop it, or reject it. Whatever the target is, you define it at the target level. Now run iptables -L to actually see the table, and you see the table as I showed you a few minutes ago.
As you see, there are three chains: Chain INPUT, Chain FORWARD and Chain OUTPUT. This whole block is called a chain, and the first column under each chain heading is the target. I am sure by now you are an expert on these terms. Now let's get into a little more detail at the rule level. The prot field is the protocol, such as tcp, udp, icmp, or all for any protocol; it is shown right under the heading. Next is opt, the fragment-matching option, which is rarely used. Then source, meaning which IP the traffic is coming from, and destination, where it is going. So when you see a rule underneath these headings you can easily translate it: this protocol, coming from this source, going to this destination, and the target is DROP. And it applies to incoming traffic because it sits under Chain INPUT. So anyway guys, that is this whole lecture. I explained how you download and install iptables, how you run it, and what the iptables -L output looks like. You need to understand this before you do any administration on iptables, which we will cover in the next lecture with practical commands, so stay tuned.

5. Linux Firewall (iptables – practical examples): Hello again. This is where we are going to do some practical work, some real-life examples; this is where we get our hands dirty. First: what if you want to drop all traffic coming from a specific IP address? Using iptables it is very easy. You just specify a rule to drop that traffic, and the command is iptables -A, where -A means append: it adds the rule at the bottom of the chain.
If there are more rules, it is added after them. INPUT is the chain, meaning you are dealing with incoming traffic; that is why you put INPUT. Lowercase -s means source, the IP the traffic is coming from, and -j (jump) is the target you want for the packet if the rule matches, which here is DROP. It is just that simple. So I am going to bring up my Linux machine and add that rule. Before I add the rule, I make sure my iptables rule set is clean and empty. Yes, it is empty; if it were not, you would flush it. Okay, it is flushed and clean; let me clear the screen. Now let's add the rule: iptables -A INPUT -s 192.168.1.25 -j DROP. As an example, let's say someone from a marketing company keeps calling me or sending messages to my server and I am tired of the marketing calls, so I drop his traffic by specifying his IP address. Hit Enter, then verify with iptables -L. You will see the rule under the INPUT chain, because we used INPUT in our command; the target we defined is DROP; the protocol is all, no options are used; the source is the IP address we specified; and the destination is anywhere, meaning anything that arrives at this host, wherever the firewall is sitting. So that is how a rule looks. Again, this rule is under the filter table, in the INPUT chain, with its associated target, and if a packet matches this rule it kicks off that target. So now any traffic coming from this IP: boom, it is gone. The next one is: what if you want to drop all incoming traffic from a range of IPs?
Say the marketing guy finds out I have blocked his IP address, goes to his colleague and says, hey, send the message from your computer, because your computer is not blocked. Then I start getting email from the other guy at the same company. So what I do is block the entire range of IPs from that network, by specifying the subnet, the network range, which is /24. Let me go back into my Linux machine and run the same command, replacing the address with 192.168.1.0/24. When you run iptables -L you will see that I now have two rules in there. Now the entire marketing company, whoever tries to contact me or send me an email, cannot, because I have a firewall rule in place and no incoming traffic matching that address range can reach me. It drops the connection right away without sending any rejection message. Awesome. The next thing is listing all rules in a table by line number. As you noticed, we added two rules. We can list those rules and see which line number each is associated with. I go back and run iptables -L --line-numbers, and you will see the two rules we added, each with a number. See, right here it added a num column. Why did I show you that column? Because if you want to delete a rule, you do not have to specify the entire rule; all you specify is the number. This is how you delete a specific rule by line number. Let's say I want to delete rule number one: iptables -D, where -D is for delete, and then which chain.
Am I going to the FORWARD chain or the OUTPUT chain? No, these rules are defined under the INPUT chain, so I go to the INPUT chain: I am telling iptables to go to the INPUT chain and delete rule number one, iptables -D INPUT 1. Done. Now let me confirm, and you will see the first rule, the one without the /24, my older rule, is no longer there. That is how you get rid of a rule in a chain. Next is flushing the entire chain, which we already covered; it is always handy if you do not want to deal with a bunch of rules: simply flush. Okay. Next: blocking a specific protocol with REJECT. What if you do not want people to ping you? As you know, when you connect from one server to another you try to ping to see whether the server is up or not. Ping is actually the ICMP protocol. You want to reject all pings coming in, from whatever source: just don't ping me, don't bother me. So let's try that. I do iptables -A again, to append or add, then INPUT. Why am I putting it in the INPUT chain? Because when someone pings you, that is incoming traffic. Then -p; what is -p for? -p is for protocol. If you want to know more options for iptables you can of course run man iptables. Then, what is the protocol? icmp. Now what do you want to do with that protocol when someone comes in with it? You want to reject it: -j REJECT, meaning you do not want them to come in, but you send them a message saying so and do not allow them in. All right, I have added that. Let's make sure our rule is added with iptables -L. Yes, our rule is right here; you see that long line, that is the rule.
Now, what is the IP address of my machine? Let's check with hostname -I: it is 192.168.1.162. This is the IP address; the other address shown belongs to the virtual bridge adapter, so don't focus on that one. Now, if I want to ping this Linux machine from my Windows machine, can I do that? Let me see: ping 192.168.1.162. No, I cannot; I see the message coming back saying Destination port unreachable, and that message is coming from my Linux machine, which has the firewall running, because REJECT answers with an ICMP error (port unreachable by default). Nice. Now, what if I want to block a specific protocol without the rejection message? Meaning: just drop it, do not even send a message. I do the same thing but with DROP. Let me go back to my Linux machine, and before I do that, first flush everything. Everything is flushed; let's verify. Yes, nothing is in there. Now iptables -A INPUT, because it is incoming traffic, -p, what protocol? icmp. What do you want to do when it matches? Simply tell it to drop: -j DROP. Now let's verify. Yes, it is there; as you can see, it says icmp, coming from anywhere, going to anywhere, I don't care, just simply drop it. So let's go to our DOS prompt and try to ping it again. Now when you ping it, as you see, you are not getting Destination port unreachable; it just says Request timed out, and that Request timed out message is Windows' own message. It is not coming from the server, not coming from the Linux machine, because DROP sends nothing back. That is how you stop ICMP, or any service or protocol you want to drop. Let's go ahead and flush that rule so it is all clear. Yes, it is all clear; now let's try to ping. There you go, I am able to ping it, I am getting a response. Nice, everything is working the way I wanted it to work. Okay, now moving on: what if you want to block a specific port, for example HTTP?
For port 80, the command is iptables -A, of course still INPUT, because it is incoming, then -p for the protocol, tcp, and to specify a port you use --dport with the port number, 80. What do you want to do with it? Drop it. So let's go to the Linux machine again. But before I do that, how will we know whether it is actually working or not? So let me start my Apache server here: systemctl restart httpd (or start, it does not matter). It is started; now check the status. Okay, the status is up and active. How do we know it is working? We simply go to our Firefox and put in the IP address 192.168.1.162; that is the IP, right? And there you go: this is the default Apache test page, so I can get to it. That is perfectly fine. Now what if I want to block that port so no one can get to my HTTP server? Again, I always start fresh: flush the table, verify the table, nothing in there. Now add the rule: iptables -A INPUT -p tcp --dport 80 -j DROP. What do you want to do with it? Simply drop. Now when I go back to that website and refresh my browser, you see in the top left-hand corner it is loading, meaning it is trying to get to it, but it can't, and eventually it gives the message The connection has timed out. If we had used REJECT instead, the browser would have failed immediately with a message saying it was unable to connect, because the host answers with an ICMP error (or a TCP reset, if you use --reject-with tcp-reset). But since we used DROP, it says the connection has timed out. That is how you block a port. Now if you flush all the rules, verify everything is gone, go back to the browser and hit reload, the test page is back. That is how you block a port. Okay, moving on to a few more practical examples. What if you want to block connections to a network interface?
If you have two or three network interfaces on your Linux machine and each interface has a different IP assigned, and you want to block traffic coming into a specific network interface, you can do that as well: iptables -A, to append, INPUT, then -i for interface followed by the interface name, the -s source, and -j DROP. It is just that simple; the only thing I added is -i for the interface. I will not run that command; I am sure you can run it and see how it works, so I leave that to you. The next one is a good one: what if you want to drop traffic going out? Let's say you are running Linux at home, your children love Linux, and they use the Linux GUI and web browser all the time and go to facebook.com. Facebook is fine, but you are tired of seeing your children on Facebook every day and every hour, and as a punishment you want to ground them and not let them go to Facebook for a day or two, however many days you decide. You can do that with an iptables rule. But before you do that, you need to know the IP address of Facebook, because you cannot put www.facebook.com in the rule; you need the IP address. To find it you run host -t A www.facebook.com, which looks up the A record and gives you the IP address. Once you know the IP address, you run iptables -A to append. Notice I am using a different chain this time, OUTPUT, because now the traffic is going out of our server. And instead of -s I use -d, because we are matching the destination now: the IP address of the destination. Once that rule matches, what do you want to do? Drop it. Nice. Okay, let's try that. So we have our Linux machine right here.
Let's check that the Linux machine's iptables is clean. It is. So I want to block the traffic. To do that I first type host -t A www.facebook.com and it gives me the IP address. If you notice, I already have that IP address in my notes; I looked it up earlier just to make sure I have the correct one. Okay, good. Before I block it, let me ping 31.13.71.36, and you will see I get a response back. That is the one I want to block. To do that: iptables -A OUTPUT -d with that IP address, and what do you want to do with that destination? Simply drop it. Let's verify the rule is in there, and notice the rule came in under the OUTPUT chain, at the bottom. It did not go into the INPUT chain, because that is for incoming; now we are dealing with outgoing, so the rule is defined right here. Now ping that IP address and you will see it says Operation not permitted, because the kernel refused to send the packet. That is how you stop traffic to a specific IP address or port. Bear in mind that a large site resolves to many addresses that change over time, so blocking one IP is only a demonstration. Let's flush it and make sure we are back to a clean table. Okay. Next is blocking all outgoing traffic to a network range: the same way I did it for incoming, you specify /24, and the rest of the command syntax stays the same. Our next one is blocking all incoming traffic except SSH. Okay, this is a nice one. What if you want to block everything except SSH? Before you do that: if you run the second command first, iptables -P INPUT DROP, it drops everything right away and your session is gone before you ever get to the second command. That is why I am telling you to always run the first command, which adds the exception rule, and only then drop everything. So again, the sequence matters in a table.
Rules are evaluated in order, from one rule to the next, so make sure you allow port 22 before you block anything. Let's go into the Linux machine and add it: iptables -A INPUT -p tcp --dport 22 -j ACCEPT, with -p for the protocol tcp, --dport 22 for the port, and ACCEPT because we want to accept it. Now run iptables -L and you see the policy right here is ACCEPT, and it is accepting TCP traffic coming from anywhere, going to anywhere, for the service ssh (iptables -L without -n prints the service name from /etc/services instead of the port number). Now add the other rule: iptables -P INPUT DROP. When you run iptables -L now, notice that the chain header itself changed: that last command set the chain's default policy. It says any incoming traffic that matches no rule is dropped; you see policy DROP there, where before the policies were all ACCEPT. Now the default for any incoming traffic is DROP, except for the exception right here that accepts all SSH connections. Now remember this: as soon as you flush, it flushes this rule, but it does not reset the chain policy. If I run iptables -F I will lose my PuTTY connection (you see I am logged in through PuTTY), because the exception rule is flushed but the INPUT policy DROP stays in effect. The safe way back to the default behaviour is to set the policy first, iptables -P INPUT ACCEPT, and only then flush. Alternatively, restart the service, systemctl restart iptables, which reloads whatever is saved in /etc/sysconfig/iptables. It has restarted; when you run iptables -L you see the saved default rules again, so let's flush it once more and list, and now the policy is ACCEPT, ACCEPT, ACCEPT by default and there are no rules in place. Okay, next: after making all these changes, save the iptables rules. Again, make sure firewalld is not running. Yes, we made sure.
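The practical rules from this lecture (drop a source host or range, drop on one interface, drop a port, reject ping, drop an outbound destination, and the default-deny-except-SSH sequence) as shell functions, with the ordering lesson built in. This is an added example, not the course's own material. It assumes the filter table (the default), and the lecture's sample values 192.168.1.25, 192.168.1.0/24, 31.13.71.36 and port 80 are used purely as placeholders. DRY_RUN=1 prints each iptables command instead of running it, so you can review the order before running the functions as root. Two exceptions not in the lecture are included because a real server needs them: loopback, and replies to connections the host itself opened.

```shell
#!/bin/sh
# Added example, not the lecture's own script: the lecture's iptables rules as
# functions, with "allow SSH before the DROP policy" enforced by construction.
# Assumes the filter table; addresses and ports are placeholders from the lecture.
# DRY_RUN=1 prints each command instead of executing it.
set -u

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Default-deny INPUT without locking yourself out. Rules are matched top to
# bottom and the chain policy applies only when nothing matched, so every
# exception is appended before the policy is flipped to DROP. Loopback and
# ESTABLISHED,RELATED are added as well: without them DNS answers, yum
# downloads and the SSH session's own return traffic would also be dropped.
lockdown_input() {
  run iptables -F INPUT
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  run iptables -P INPUT DROP
}

# The lecture's one-liners. $1 is a host (192.168.1.25) or a range (192.168.1.0/24).
drop_source()       { run iptables -A INPUT -s "$1" -j DROP; }
drop_on_interface() { run iptables -A INPUT -i "$1" -s "$2" -j DROP; }    # e.g. eth0 192.168.1.25
drop_port()         { run iptables -A INPUT -p tcp --dport "$1" -j DROP; } # e.g. 80
drop_outbound_to()  { run iptables -A OUTPUT -d "$1" -j DROP; }            # e.g. 31.13.71.36

# Refuse pings with an ICMP error instead of silently dropping. Matching only
# echo-request is tighter than the lecture's plain "-p icmp": ICMP error
# messages such as fragmentation-needed keep flowing, which path MTU discovery
# depends on.
reject_ping()       { run iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT; }

# -I puts a rule at position 1 so it wins over everything appended earlier,
# e.g. to let one admin host in ahead of a broad drop_source range.
allow_ssh_from_first() { run iptables -I INPUT 1 -p tcp -s "$1" --dport 22 -j ACCEPT; }

# Undo a lockdown safely: set the policy back to ACCEPT *before* flushing.
# Flushing first would remove the SSH exception while DROP is still the policy.
reset_to_accept() {
  run iptables -P INPUT ACCEPT
  run iptables -P OUTPUT ACCEPT
  run iptables -F
}

# Show a plan: DRY_RUN=1 sh rules.sh   (nothing runs without DRY_RUN=1 or a root caller)
if [ "${DRY_RUN:-0}" = "1" ]; then
  lockdown_input
  drop_source 192.168.1.0/24
  drop_port 80
  reject_ping
fi
```

When applying for real, keep a second shell open with reset_to_accept ready, or schedule it (for example with at or a sleep in the background) so a mistake undoes itself if the session is lost.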
And how do you save the rules? You run iptables-save. Any changes you make, any rules you add, are lost when the system reboots or the service restarts, so before you rely on them, make those rules permanent. Let me show you how save works, but for that I need to add a rule first. I pick the first rule we did, iptables -A INPUT -s 192.168.1.25 -j DROP, dropping connections from that IP address. It is there; run iptables -L and you see the rule. Now you do not want that rule to go away when the system reboots or the service restarts, so you run iptables-save. Notice what it prints: # Generated by iptables-save, then *filter for the table, :INPUT ACCEPT, :FORWARD ACCEPT and :OUTPUT ACCEPT for the chain policies, and then the rule I just added. That is the saved format. Note that iptables-save itself only prints to standard output. The file the iptables service loads at start is /etc/sysconfig/iptables, so to persist the rules you redirect the output there, iptables-save > /etc/sysconfig/iptables, or run service iptables save, which writes the same file. You can restore a saved rule set with iptables-restore, which reads the file on standard input: iptables-restore < /etc/sysconfig/iptables. Service messages go to /var/log/messages; matched packets are logged only if you add a rule with the LOG target. One more important reminder: iptables reads the rules in sequence. If a DROP rule that matches everything comes first, it drops all traffic without ever reaching the next rule, so an exception below it never applies. Make sure your exception, the ACCEPT, is on the first line. So how do you add a rule at the top? Instead of -A, which appends, use -I (uppercase i): iptables -I INPUT with the rule you want always puts that rule at the top, before all the existing rules (iptables -I INPUT 3 would insert it as rule number 3 instead).
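A lockout check to run before persisting, plus the save and restore steps, as an added example that is not the course's own material. It assumes the RHEL/CentOS 7 layout described above, where the iptables unit loads /etc/sysconfig/iptables; the two dumps embedded in the script are constructed samples in iptables-save format, not output captured from a real host. The audit parses an iptables-save dump and refuses the combination the lecture warns about: INPUT policy DROP with no ACCEPT for TCP port 22. Only the filter table's INPUT chain is inspected, because the nat and mangle tables have INPUT chains of their own.

```shell
#!/bin/sh
# Added example, not the lecture's own script: audit an iptables-save dump for
# an SSH lockout, then persist it the way iptables-services loads it.
# Assumes /etc/sysconfig/iptables as the file the iptables unit reads at start.
set -u

RULES_FILE=/etc/sysconfig/iptables

# Reads an iptables-save dump on stdin. Exit 0 when the filter table's INPUT
# chain is safe to persist (policy ACCEPT, or policy DROP together with an
# explicit ACCEPT for tcp dport 22), 1 on a lockout, 2 when the dump has no
# filter INPUT chain at all.
audit_input_chain() {
  awk '
    /^\*/ { table = $1; next }                          # "*filter", "*nat", ...
    table == "*filter" && $1 == ":INPUT" { policy = $2 }  # ":INPUT DROP [0:0]"
    table == "*filter" && $1 == "-A" && $2 == "INPUT" &&
      /-p tcp/ && /--dport 22($| )/ && /-j ACCEPT/ { ssh_ok = 1 }
    END {
      if (policy == "") { print "no filter INPUT chain found"; exit 2 }
      if (policy == "DROP" && !ssh_ok) {
        print "LOCKOUT: INPUT policy DROP without an SSH ACCEPT rule"; exit 1
      }
      print "ok: INPUT policy " policy (ssh_ok ? " with SSH exception" : "")
      exit 0
    }'
}

# Persist the live rules only if the audit passes. iptables-save prints to
# stdout; redirecting it into RULES_FILE is what "service iptables save" does
# and what "systemctl restart iptables" loads back.
save_rules() {
  iptables-save | audit_input_chain || return 1
  iptables-save > "$RULES_FILE"
}

# Reload the saved rule set by hand (the service does this at start).
restore_rules() { iptables-restore < "$RULES_FILE"; }

# Audit a dump held in a string and print the exit code, for scripting.
audit_dump() {
  rc=0
  printf '%s\n' "$1" | audit_input_chain >/dev/null || rc=$?
  echo "$rc"
}

# Constructed samples (not captured from a host) for trying the audit offline.
SAFE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j DROP
COMMIT'

LOCKOUT_DUMP='*nat
:INPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.25/32 -j DROP
COMMIT'
```

Try it offline with printf '%s\n' "$LOCKOUT_DUMP" | audit_input_chain; on a live host, save_rules is the only entry point you need, and it returns non-zero instead of writing a rule set that would shut you out at the next reboot.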
So keep that in mind and do not lock yourself out. Always take a snapshot, always do a backup, and in the worst case make sure you have access to the console so you can undo any changes you have made. I hope this iptables lecture and all the commands we covered serve their purpose. If you have any questions, or if you want to add a rule that I did not cover, you can go online and search for the rule you are looking for, and trust me, you will find tons of articles and commands that will help you add those rules to your iptables. Good luck.

6. Firewall (firewalld GUI): Managing firewalld through the GUI. Did you know you can actually manage firewalld through a GUI, as long as you have the GNOME desktop installed on your Linux distribution? In this section I am primarily focused on CentOS, specifically CentOS 7.5 or 7.6, around those versions. If you have that installed and are using it to follow this lecture, you can do the management of firewalld through the GUI; you do not have to run the commands or remember the commands. But of course, as I always say, as a system administrator you should really know all the commands needed in Linux to manage the firewall or iptables. I am going through this lecture just as an add-on, in case someone is really interested in finding out how firewalld works in a GUI environment. In the GUI, you go to the console, then Applications, then Sundry, followed by the Firewall option. So let me go straight to my console and show you how the firewalld GUI works. I want to keep this lecture really short; this is just a quick overview of firewalld management through the GUI. I have my GUI right here; this is my Linux CentOS GUI, you can see it says CentOS. To manage my firewall, I go to Applications, Sundry, Firewall.
Again, you just have to make sure firewalld is running, and by now you should know how to check firewalld: if it is not running, you run the systemctl command to restart firewalld, and only then will the window you see here, Firewall Configuration, show up; otherwise it will not load. So let's suppose you do have firewalld running and you open Firewall. On the left side you see the zones. Remember we talked about zones: the one we deal with, the one that is enabled, is the public zone. There are other zones as well, home, internal and so on, but they are not active; only public is, and that is why it is in bold. In this public zone we have all the services that are predefined by firewalld, and they are listed here. If you want to enable a service, let's say FTP, all you really have to do is tick it, and as soon as you click, the bottom of the window says Changes applied. Nice. So let's confirm on our Linux machine by running firewall-cmd --list-all, to make sure I just enabled FTP through the GUI: there it is, it shows up. It is just a matter of a simple click. If you want to disable it or remove it, you simply untick it; it says Changes applied, run the command again and FTP is gone. Any service you want to enable: here is the list of all the services, and ticking or unticking works the same way. If you want to open a port, say you want port 32, you go to the Ports tab, click Add, type 32, hit Enter and it is added, Changes applied. When you list again, you also see the port added right there. It is just that simple, and you remove it the same way. One thing to watch in this window: the Configuration drop-down at the top defaults to Runtime, so these changes are lost when firewalld reloads or the system reboots unless you switch it to Permanent before making them (or run firewall-cmd --runtime-to-permanent afterwards). Next is the Protocols tab.
Here you can allow any protocols you want. Then there are Source Ports; Masquerading, which is source NAT for a host acting as a router (I am not too familiar with it and do not use it that often); Port Forwarding; ICMP Filter, if you want to block ICMP ping traffic; Rich Rules, for any rules you want to define, for example if you want to block one specific IP from going out or coming in, you can specify that in Rich Rules; Interfaces, if you want to specify rules based on the interface; and Sources, where you specify which source addresses the traffic is coming from. You can specify all of those rules in here. So basically, as I said initially, I just want to keep this lecture very simple and short, because the GUI is something not everybody uses, and the GUI is not preferred in corporate environments. But if you are lucky enough to have a GUI in your corporate environment and you do want to manage firewalld through it, this is a quick overview of where you can manage your firewall.