Iptables
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-iptables.html
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#Masquerading_.28Many_to_One_NAT.29
Features:
· Firewall for Linux
· Interface to Netfilter, which is loaded by the kernel
· Operates primarily at layers 3 and 4 of the OSI model
· Modular
· Provides Network Address Translation ( NAT)
· iptables can also match on other layers, e.g. MAC addresses (layer 2)
What is iptables:
Tables
· filter -- The default table for handling network packets
· nat -- Used to alter packets that create a new connection and used for Network Address Translation
· mangle -- Used for specific types of packet alteration, e.g. changing the TCP quality-of-service bits before routing occurs.
Note: Each table has a group of built-in chains, which correspond to the actions performed on the packet by 'netfilter'
Chains
· INPUT -- Applies to network packets that are targeted for the host
· OUTPUT -- Applies to locally-generated network packets
· FORWARD -- Applies to network packets routed through the host
· PREROUTING -- Alters network packets when they arrive
· POSTROUTING -- Alters network packets before they are sent out
Chains in the tables
· filter, packet filtering: INPUT, OUTPUT, FORWARD
· nat, Network Address Translation: PREROUTING, POSTROUTING, OUTPUT
· mangle, TCP header modification: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
Understanding iptables
IPTABLES RULES PROCESSING FLOW
· Rules are processed from top to bottom.
· Once a rule's criteria match, no further rules are processed: the packet jumps to the chain named in the target, or the special target value (ACCEPT, DROP, REJECT) is applied.
· If the criteria do not match, processing moves on to the next rule.
· At the end of the list the chain's default policy applies; that policy is ACCEPT by default, so a packet that matches no rule is passed.
Target Values
Following are the possible special values that you can specify in the target.
· ACCEPT – Firewall will accept the packet. Default value.
· DROP – Firewall will drop the packet. No message would be sent back to packet sender.
· REJECT – Firewall will reject the packet. A Courtesy message would be sent back to packet sender.
Key points to remember
· filter is the default table.
· Tables contain chains.
· Chains are groups of rules.
· Rules have three special target values: ACCEPT, REJECT, DROP.
· Rules in a chain are processed from top to bottom.
· Once a rule's criteria match, the packet goes to the rule's target and no further rules in the chain are processed.
· At the end of the list the default policy applies, which is ACCEPT unless changed.
Rules and Target:
· A rule contains criteria and a target.
· If the criteria match, the packet goes to the chain named in the target, or the special target value is applied.
· If the criteria do not match, processing moves to the next rule.
· Regardless of destination, when a packet matches a particular rule in one of the tables, a 'target' or action is applied to it.
· Every chain has a default policy of ACCEPT, DROP, REJECT, or QUEUE. If none of the rules in the chain apply to the packet, the packet is dealt with in accordance with the default policy.
· Using 'iptables', each filtered packet is processed using rules from only one chain rather than multiple chains.
· Network interfaces must be associated with the correct chains in firewall rules.
· Incoming interfaces (-i option) can only be used in INPUT or FORWARD chains.
· Similarly, outgoing interfaces (-o option) can only be used in FORWARD or OUTPUT chains.
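To see the top-to-bottom, first-match flow on a concrete chain, here is an added toy evaluator (not iptables, and not part of the original notes) that walks a chain written in iptables -S syntax and prints the target of the first matching rule, or the chain policy when nothing matches. The ruleset is constructed from the INPUT chain these notes end up with, and the evaluator only understands -i, -p, --dport/--dports and --state.

```shell
#!/bin/sh
# Toy first-match evaluator for one chain in `iptables -S` syntax. Not iptables:
# it only understands -i, -p, --dport(s) and --state, enough to show processing order.
# Constructed ruleset: the INPUT chain as the notes' `iptables -S` output lists it.
RULES='-P INPUT DROP
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m multiport --dports 22,25,80,443 -j ACCEPT'

in_list() { case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac; }   # is $1 in csv list $2?

# rule_target RULE-TOKENS...: prints the -j target if every criterion matches the packet
# described by IN, PROTO, DPORT, STATE; otherwise returns 1.
rule_target() {
  target=
  while [ $# -gt 0 ]; do
    case $1 in
      -i)               [ "$2" = "$IN" ]    || return 1; shift ;;
      -p)               [ "$2" = "$PROTO" ] || return 1; shift ;;
      --dport|--dports) in_list "$DPORT" "$2" || return 1; shift ;;
      --state)          in_list "$STATE" "$2" || return 1; shift ;;
      -m)               shift ;;            # extension name; its options follow
      -j)               target=$2; shift ;;
      *)                return 1 ;;         # unsupported criterion: treat as no match
    esac
    shift
  done
  [ -n "$target" ] && printf '%s\n' "$target"
}

# verdict CHAIN IN PROTO DPORT STATE: walks the chain top to bottom and prints the
# target of the first matching rule, or the chain policy when no rule matches.
verdict() {
  chain=$1 IN=$2 PROTO=$3 DPORT=$4 STATE=$5
  printf '%s\n' "$RULES" | {
    policy=ACCEPT                                  # iptables' built-in default
    while read -r line; do
      set -- $line                                 # split the rule into tokens
      case "$1 $2" in
        "-P $chain") policy=$3 ;;
        "-A $chain") shift 2; if t=$(rule_target "$@"); then printf '%s\n' "$t"; exit 0; fi ;;
      esac
    done
    printf '%s\n' "$policy"
  }
}
```

Running verdict INPUT lo tcp 25 NEW against this chain yields DROP, which shows that a DROP policy without an explicit loopback rule cuts off local services.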
Usage/How To:
Commands/Options
-t <table>, by default the filter table is assumed. Tables include: filter, nat, mangle
-j <target>, Jump to the specified target chain when the packet matches the current rule.
-A Append rule to end of a chain
-F Flush. Deletes all the rules in the selected table
-p <protocol-type>, Match protocol. Types include, icmp, tcp, udp, and all
-s <ip-address>, Match source IP address
-d <ip-address>, Match destination IP address
-i <interface-name>, Match "input" interface on which the packet enters.
-o <interface-name>, Match "output" interface on which the packet exits
TCP/UDP/ICMP match criteria
-p tcp --sport <port>
TCP source port. Can be a single value or a range in the format: start-port-number:end-port-number
-p tcp --dport <port>
TCP destination port. Can be a single value or a range in the format: starting-port:ending-port
-p tcp --syn
Used to identify a new TCP connection request. ! --syn means, not a new connection request
-p udp --sport <port>
UDP source port. Can be a single value or a range in the format: starting-port:ending-port
-p udp --dport <port>
UDP destination port. Can be a single value or a range in the format: starting-port:ending-port
Extended match criteria
-m multiport --sports <port, port>
A variety of TCP/UDP source ports separated by commas. Unlike when -m isn't used, they do not have to be within a range.
-m multiport --dports <port, port>
A variety of TCP/UDP destination ports separated by commas. Unlike when -m isn't used, they do not have to be within a range.
-m multiport --ports <port, port>
A variety of TCP/UDP ports separated by commas. Source and destination ports are assumed to be the same and they do not have to be within a range.
-m state --state <state>
The most frequently tested states are:
ESTABLISHED: The packet is part of a connection that has seen packets in both directions
NEW: The packet is the start of a new connection
RELATED: The packet is starting a new secondary connection. This is a common feature of protocols such as FTP (the data transfer), or an ICMP error.
INVALID: The packet couldn't be identified. Could be due to insufficient system resources, or ICMP errors that don't match an existing data flow.
-A INPUT -i eth0 -p tcp -m state --state NEW --dport ssh -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport smtp -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport http -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport https -j ACCEPT
The four rules above can be combined into a single line:
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m multiport --dports ssh,smtp,http,https -j ACCEPT
Examples
NAT with Firewall Configuration:
ifconfig
eth0 Link encap:Ethernet HWaddr 00:15:5d:73:00:15
inet addr:x.x.x.x Bcast:255.255.255.255 Mask:255.255.240.0
UP BROADCAST RUNNING MULTICAST MTU:576 Metric:1
RX packets:1180753 errors:0 dropped:0 overruns:0 frame:0
TX packets:344192 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:152324146 (152.3 MB) TX bytes:92361223 (92.3 MB)
eth1 Link encap:Ethernet HWaddr 00:15:5d:75:01:15
inet addr:192.168.117.9 Bcast:192.168.117.255 Mask:255.255.255.0
inet6 addr: fe80::215:5dff:fe75:115/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17565 errors:0 dropped:423 overruns:0 frame:0
TX packets:471 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1203485 (1.2 MB) TX bytes:80713 (80.7 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:149 errors:0 dropped:0 overruns:0 frame:0
TX packets:149 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9012 (9.0 KB) TX bytes:9012 (9.0 KB)
1. NAT
a. /etc/sysctl.conf
Enable IPv4 packet forwarding by the kernel persistently by uncommenting (or adding) the following line in /etc/sysctl.conf:
net.ipv4.ip_forward=1
b. echo 1 > /proc/sys/net/ipv4/ip_forward (enables forwarding immediately, without a reboot)
c. iptables commands
iptables -t nat -F # Flush the nat table first (optional)
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables --append FORWARD --in-interface eth1 -j ACCEPT
2. Rules planned
· Change default chain policy from ACCEPT to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
· Allow new connections on the internet-facing interface (eth0) for the following protocols: ssh, smtp, http, https, dns
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m multiport --dports 22,25,80,443 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -m multiport --sports 22,25,80,443 -j ACCEPT
· Allow the firewall to access the internet
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp -m multiport --dports 80,443
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp
· Accept any LAN traffic to get in and out (eth1)
-A OUTPUT -o eth1 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
· Limit SYN segments
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
A defence against SYN flood attacks: limit acceptance of TCP segments with the SYN bit set to no more than five per second.
· Allow DNS access
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
3. Drop
If eth0 is the interface facing the internet, drop the following:
iptables -N valid-src # chain that drops packets with invalid (spoofed) source addresses
iptables -N valid-dst # chain that drops multicast destinations
iptables -A valid-src -s 10.0.0.0/8 -j DROP
iptables -A valid-src -s 172.16.0.0/12 -j DROP
iptables -A valid-src -s 192.168.0.0/16 -j DROP
iptables -A valid-src -s 224.0.0.0/4 -j DROP
iptables -A valid-src -s 240.0.0.0/5 -j DROP
iptables -A valid-src -s 127.0.0.0/8 -j DROP
iptables -A valid-src -s 0.0.0.0/8 -j DROP
iptables -A valid-src -d 255.255.255.255 -j DROP
iptables -A valid-src -s 169.254.0.0/16 -j DROP
#iptables -A valid-src -s $EXTERNAL_IP -j DROP
# Not so sure how to get the eth0 IP dynamically
iptables -A valid-dst -d 224.0.0.0/4 -j DROP
## Apply the chain.
iptables -A INPUT -i eth0 -j valid-src
iptables -A FORWARD -i eth0 -j valid-src
iptables -A OUTPUT -o eth0 -j valid-dst
iptables -A FORWARD -o eth0 -j valid-dst
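Sections 1 to 3 combined into one apply script, as an added example rather than the notes' own script: it assumes eth0 is the internet side and eth1 the LAN, places the valid-src/valid-dst checks before any ACCEPT rule, adds the loopback rule that DROP policies otherwise need, folds the 5/s SYN limit into the service rule, and includes an iface_ip4 helper (a hypothetical name) for the open question of reading the eth0 address dynamically. Setting IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: apply the notes' planned rules (sections 1-3) in a working order.
# Assumes eth0 = internet, eth1 = LAN. IPT=echo prints the commands instead (dry run).
IPT=${IPT:-iptables}
EXT=eth0
LAN=eth1
# Print an interface's IPv4 address from `ip -4 -o addr show` output fed on stdin
# (the "how to get the eth0 IP dynamically" question from the notes).
iface_ip4() {
  awk -v dev="$1" '$2 == dev && $3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}
apply_rules() {
  ext_ip=$1
  $IPT -F; $IPT -t nat -F; $IPT -X                   # start from a clean slate
  $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP
  # 1. Anti-spoofing chains (section 3) go first, before any ACCEPT rule.
  $IPT -N valid-src; $IPT -N valid-dst
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/5 \
             127.0.0.0/8 0.0.0.0/8 169.254.0.0/16; do
    $IPT -A valid-src -s "$net" -j DROP
  done
  $IPT -A valid-src -d 255.255.255.255 -j DROP
  if [ -n "$ext_ip" ]; then $IPT -A valid-src -s "$ext_ip" -j DROP; fi   # our own address, spoofed
  $IPT -A valid-dst -d 224.0.0.0/4 -j DROP
  $IPT -A INPUT -i $EXT -j valid-src
  $IPT -A FORWARD -i $EXT -j valid-src
  $IPT -A OUTPUT -o $EXT -j valid-dst
  $IPT -A FORWARD -o $EXT -j valid-dst
  # 2. Loopback: DROP policies on INPUT/OUTPUT break local services without this.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  # 3. Replies to connections already tracked, in every chain.
  for chain in INPUT OUTPUT FORWARD; do
    $IPT -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
  # 4. New inbound services on the internet side. The 5/s SYN limit is folded into this
  #    rule, so excess SYNs and SYNs to any other port fall through to the DROP policy.
  $IPT -A INPUT -i $EXT -p tcp --syn -m multiport --dports 22,25,80,443 \
       -m limit --limit 5/s -j ACCEPT
  # 5. The firewall's own outbound web and DNS traffic (section 2).
  $IPT -A OUTPUT -o $EXT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
  $IPT -A OUTPUT -o $EXT -p udp --dport 53 -j ACCEPT
  # 6. LAN side open; LAN -> internet forwarded and masqueraded (section 1, needs
  #    net.ipv4.ip_forward=1).
  $IPT -A INPUT -i $LAN -j ACCEPT
  $IPT -A OUTPUT -o $LAN -j ACCEPT
  $IPT -A FORWARD -i $LAN -o $EXT -j ACCEPT
  $IPT -t nat -A POSTROUTING -o $EXT -j MASQUERADE
}
```

Typical use is apply_rules "$(ip -4 -o addr show | iface_ip4 eth0)"; an empty address simply skips the own-address anti-spoof rule.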
4. iptables -S
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m multiport --dports 22,25,80,443 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A OUTPUT -o eth1 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -m multiport --sports 22,25,80,443 -j ACCEPT
On CentOS/RHEL, edit /etc/sysconfig/iptables-config and make sure IPTABLES_MODULES_UNLOAD, IPTABLES_SAVE_ON_STOP, and IPTABLES_SAVE_ON_RESTART are all set to 'yes'.
5. iptables-save
Scripts for initiating Firewall
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
# #
# Define networks: NOTE!! You may want to put these "EXTERNAL" #
# definitions at the top of your script. #
# #
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
EXTERNAL_INT="eth0" # External Internet interface
EXTERNAL_IP="97.158.253.25" # Internet Interface IP address
#---------------------------------------------------------------
# Initialize our user-defined chains
#---------------------------------------------------------------
iptables -N valid-src
iptables -N valid-dst
#---------------------------------------------------------------
# Verify valid source and destination addresses for all packets
#---------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INT -j valid-src
iptables -A FORWARD -i $EXTERNAL_INT -j valid-src
iptables -A OUTPUT -o $EXTERNAL_INT -j valid-dst
iptables -A FORWARD -o $EXTERNAL_INT -j valid-dst
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
#
# Source and Destination Address Sanity Checks
# Drop packets from networks covered in RFC 1918 (private nets)
# Drop packets from external interface IP
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
iptables -A valid-src -s 10.0.0.0/8 -j DROP
iptables -A valid-src -s 172.16.0.0/12 -j DROP
iptables -A valid-src -s 192.168.0.0/16 -j DROP
iptables -A valid-src -s 224.0.0.0/4 -j DROP
iptables -A valid-src -s 240.0.0.0/5 -j DROP
iptables -A valid-src -s 127.0.0.0/8 -j DROP
iptables -A valid-src -s 0.0.0.0/8 -j DROP
iptables -A valid-src -d 255.255.255.255 -j DROP
iptables -A valid-src -s 169.254.0.0/16 -j DROP
#Most likely you will get a Dynamic IP
#iptables -A valid-src -s $EXTERNAL_IP -j DROP
iptables -A valid-dst -d 224.0.0.0/4 -j DROP
# allow all established and related
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS access to firewall
iptables -A OUTPUT -p udp -o $EXTERNAL_INT --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i $EXTERNAL_INT --sport 53 --dport 1024:65535 -j ACCEPT
# www and ssh
iptables -A INPUT -p tcp -i $EXTERNAL_INT --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i $EXTERNAL_INT --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
Saving IP Tables
apt-get install iptables-persistent
root@userver:/etc# apt-get install iptables-persistent
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
iptables-persistent
0 to upgrade, 1 to newly install, 0 to remove and 89 not to upgrade.
Need to get 8,960 B of archives.
After this operation, 58.4 kB of additional disk space will be used.
Get:1 http://au.archive.ubuntu.com/ubuntu/ precise/universe iptables-persistent all 0.5.3ubuntu2 [8,960 B]
Fetched 8,960 B in 0s (37.8 kB/s)
Preconfiguring packages ...
Selecting previously unselected package iptables-persistent.
(Reading database ... 163273 files and directories currently installed.)
Unpacking iptables-persistent (from .../iptables-persistent_0.5.3ubuntu2_all.deb) ...
Processing triggers for ureadahead ...
ureadahead will be reprofiled on next reboot
Setting up iptables-persistent (0.5.3ubuntu2) ...
* Loading iptables rules... * IPv4... * IPv6... [ OK ]
Save the rules so they are reloaded at boot:
sudo iptables-save > /etc/iptables/rules.v4