JMU
Frame/Packet Filtering
A Very Brief Introduction


Prof. David Bernstein
James Madison University

Computer Science Department
bernstdh@jmu.edu


Packet Filter
Why Filter Packets?
Packet Filtering in Linux
Packet Filtering in Linux (cont.)

An Example

unixexamples/security/filtering.txt
#---------------------------------------------------------------
# A packet that matches no rule in a built-in chain is handled by
# that chain's policy, so make the policy DROP: anything not
# explicitly accepted by a rule below is silently discarded
#---------------------------------------------------------------
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP

#---------------------------------------------------------------
# The loopback interface should accept all traffic necessary for
# X-Windows and other socket based services. Both directions are
# needed: with the INPUT policy set to DROP, an OUTPUT rule alone
# lets a process send to 127.0.0.1 but never receive the reply
#---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#---------------------------------------------------------------
# Let this host send on its other interfaces as well. Without a
# rule here the OUTPUT policy of DROP blocks every connection the
# host itself originates, including the web browsing that the
# high-port rule at the end of this script is meant to support
#---------------------------------------------------------------
iptables -A OUTPUT -j ACCEPT

#---------------------------------------------------------------
# We’ll allow incoming icmp (ping) messages for now although we 
# might want to disable this later
#---------------------------------------------------------------
iptables -A INPUT -p icmp -j ACCEPT 

#---------------------------------------------------------------
# Allow DNS queries to a name server running on this host. TCP is
# needed as well as UDP for zone transfers and for responses too
# large to fit in a single UDP datagram
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT

#---------------------------------------------------------------
# Log and reject non-local access to MySQL (local clients were
# already accepted by the loopback rule above). LOG is a
# non-terminating target: the packet is logged and then continues
# to the next rule, so the LOG rule must come before the REJECT
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 3306 -j LOG
iptables -A INPUT -p tcp --dport 3306 -j REJECT
iptables -A INPUT -p udp --dport 3306 -j LOG
iptables -A INPUT -p udp --dport 3306 -j REJECT

#---------------------------------------------------------------
# Accept packets to low (privileged) ports only if the SYN bit is
# NOT set, i.e. only packets that belong to a connection already
# open. A lone SYN to a low port matches nothing in the chain and
# is dropped by the INPUT policy, so nobody can open a new
# connection to a service on ports 0-1023 other than DNS above
# Note: ! is used for negation
#---------------------------------------------------------------
iptables -A INPUT -p tcp ! --syn --dport :1023 -j ACCEPT

#---------------------------------------------------------------
# Open up access to high ports (necessary for web browsing, since
# replies to connections we open come back to a high port). Note
# that this also lets outsiders open NEW connections to anything
# listening above 1023; connection tracking avoids that. The
# target flag is -j; iptables options are case sensitive
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 1024: -j ACCEPT
iptables -A INPUT -p udp --dport 1024: -j ACCEPT
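The script above distinguishes new connections from existing ones by looking at the SYN flag and the port number, which is why it has to open every port above 1023 to inbound traffic. The following is an added example, not part of the original slides or course materials, that expresses the same host policy (DNS served locally, MySQL probes logged and rejected, everything else dropped) using the netfilter connection-tracking match, so that only replies to connections this host opened are accepted on high ports. It assumes the `conntrack` and `limit` match modules are available, which they are on any modern Linux kernel. Loading rules requires root; the `IPTABLES` variable and the `apply` argument are conventions of this example only, so `IPTABLES=echo sh filtering.sh apply` prints the rules without touching the kernel.

```shell
#!/bin/sh
# Added example (not from the original slides): the same host policy written
# with connection tracking instead of the SYN-flag and high-port heuristics.
# IPTABLES names the command to run; set IPTABLES=echo for a dry run that
# prints the rules instead of loading them (loading needs root).
IPTABLES="${IPTABLES:-iptables}"

# Every rule goes through run(), so a dry run and a real run differ only in
# the value of IPTABLES.
run() { "$IPTABLES" "$@"; }

stateful_rules() {
    # Flush both built-in chains first so re-running the script does not
    # append a second copy of every rule.
    run -F INPUT
    run -F OUTPUT
    run -P INPUT DROP
    run -P OUTPUT DROP

    # Loopback in both directions (the slide's script opened only OUTPUT).
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT

    # Packets that conntrack cannot associate with any connection state
    # (bad sequence numbers, stray ACKs, ...) are dropped early.
    run -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Packets belonging to a connection already in the conntrack table, plus
    # RELATED traffic such as ICMP errors and FTP data channels.  This is
    # what replaces "! --syn --dport :1023" and "--dport 1024:" above.
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Connections this host originates (web browsing, DNS lookups, ...).
    run -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT

    # Echo requests only; replies to our own pings are ESTABLISHED above.
    run -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # New connections are accepted only for the services this host runs.
    run -A INPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    run -A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # MySQL: log (rate-limited so a port scanner cannot flood syslog), then
    # reject with a TCP reset.  LOG is non-terminating, so order matters.
    run -A INPUT -p tcp --dport 3306 -m limit --limit 5/min \
        -j LOG --log-prefix "mysql-probe: "
    run -A INPUT -p tcp --dport 3306 -j REJECT --reject-with tcp-reset

    # Everything else falls through to the DROP policy.
}

# List the loaded rules with per-rule packet counters: the first thing to
# look at when a rule set does not behave as expected.
show_rules() {
    run -L INPUT -n -v --line-numbers
    run -L OUTPUT -n -v --line-numbers
}

# Load the rules only when asked explicitly:  sh filtering.sh apply
# With no argument the file just defines the functions above.
if [ "${1:-}" = "apply" ]; then
    stateful_rules
    show_rules
fi
```

After applying, the counters from `show_rules` tell you which rule a given packet hit; a probe to port 22 from outside should increment nothing but the INPUT policy's drop counter, while a MySQL probe increments the LOG and REJECT rules in that order.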
        
TCP Wrapper