IPTABLESIPTABLES

The Linux FirewallThe Linux Firewall

Presented By Presented By

Emin Asif A SEmin Asif A S

IntroductionIntroduction

● Network security is a primary consideration in any decision to host a Network security is a primary consideration in any decision to host a website as the threats are becoming more widespread and persistent website as the threats are becoming more widespread and persistent every day.every day.

● We can convert a Linux server into:We can convert a Linux server into:

A firewall while simultaneously being our home website's mail, A firewall while simultaneously being our home website's mail, web and DNS server.web and DNS server.

A router that will use NAT and port forwarding to both protect A router that will use NAT and port forwarding to both protect your home network and have another web server on your home network your home network and have another web server on your home network while sharing the public IP address of ourfirewall.while sharing the public IP address of ourfirewall.

A

WhatWhat Is Iptables? Is Iptables?

Originally, the most popular firewall/NAT package running on Linux was Originally, the most popular firewall/NAT package running on Linux was ipchains, but it had a number of shortcomings. To rectify this, the Netfilter ipchains, but it had a number of shortcomings. To rectify this, the Netfilter organization decided to create a new product called iptables, giving it organization decided to create a new product called iptables, giving it such improvements as:such improvements as:

● Better integration with the Linux kernel.Better integration with the Linux kernel.

● Stateful packet inspection.Stateful packet inspection.

● Filtering packets.Filtering packets.

● System logging.System logging.

● Better network address translation. Better network address translation.

Considered a faster and more secure alternative to ipchains, iptables has Considered a faster and more secure alternative to ipchains, iptables has become the default firewall package installed under RedHat and Fedora become the default firewall package installed under RedHat and Fedora Linux. Linux.

Managing the iptables ServerManaging the iptables Server

Different Linux distributions use different daemon management Different Linux distributions use different daemon management systems.systems.

● The most commonly used daemon management systems are SysV The most commonly used daemon management systems are SysV and Systemd.and Systemd.

● The daemon is The daemon is iptablesiptables..

Armed with this information we can know how to: Armed with this information we can know how to:

● Start the daemons automatically on booting Start the daemons automatically on booting

● Stop, start and restart them later on during troubleshooting or when a Stop, start and restart them later on during troubleshooting or when a configuration file change needs to be applied. configuration file change needs to be applied.

Packet Processing In iptablesPacket Processing In iptablesAll packets inspected by iptables pass through a sequence of built-in tables All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing.There are three tables in total. (queues) for processing.There are three tables in total.

➢ The first is the mangle table which is responsible for the alteration of quality The first is the mangle table which is responsible for the alteration of quality of service bits in the TCP header. of service bits in the TCP header.

➢ The second table is the filter queue which is responsible for packet filtering. The second table is the filter queue which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. It has three built-in chains in which you can place your firewall policy rules. These are the:These are the:

Forward chain: Filters packets to servers protected by the firewall. Forward chain: Filters packets to servers protected by the firewall.

Input chain: Filters packets destined for the firewall. Input chain: Filters packets destined for the firewall.

Output chain: Filters packets originating from the firewall. Output chain: Filters packets originating from the firewall.

➢ The third table is the nat queue which is responsible for network address The third table is the nat queue which is responsible for network address translation. It has two built-in chains; these are: translation. It has two built-in chains; these are:

Pre-routing chain: NATs packets when the destination address of the packet Pre-routing chain: NATs packets when the destination address of the packet needs to be changed. needs to be changed.

Post-routing chain: NATs packets when the source address of the packet Post-routing chain: NATs packets when the source address of the packet needs to be changedneeds to be changed

Check if iptables installedCheck if iptables installed

● $ rpm -q iptables$ rpm -q iptables

iptables-1.4.7-5.1.el6_2.x86_64iptables-1.4.7-5.1.el6_2.x86_64● use the -L switch to inspect the currently loaded use the -L switch to inspect the currently loaded

rules: rules:

# iptables -L# iptables -L● If iptables is not running, you can enable it by If iptables is not running, you can enable it by

running:running:

# system-config-securitylevel# system-config-securitylevel

Switch OperationsSwitch Operations

-t <-table->-t <-table-> tables include: filter, nat, mangle tables include: filter, nat, mangle

-j <target>-j <target> Jump to the specified target chain when the packet matches Jump to the specified target chain when the packet matches the current rule. the current rule.

-A-A Append rule to end of a chain Append rule to end of a chain

-F-F Flush. Deletes all the rules in the selected table Flush. Deletes all the rules in the selected table

-p <protocol-type>-p <protocol-type> icmp, tcp, udp, and all icmp, tcp, udp, and all

-s <ip-address>-s <ip-address> source IP address source IP address

-d <ip-address>-d <ip-address> destination IP address destination IP address

-i <interface-name>-i <interface-name> "input" interface on which the packet enters. "input" interface on which the packet enters.

-o <interface-name>-o <interface-name> "output" interface on which the packet exits "output" interface on which the packet exits

Targets And JumpsTargets And Jumps● ACCEPTACCEPT iptables stops further processing. The packet is iptables stops further processing. The packet is handed overhanded over to to

the end application or the operating system for processing.the end application or the operating system for processing.

● DROPDROP iptables iptables stopsstops further processing. The packet is further processing. The packet is blockedblocked..

● LOGLOG The packet information is sent to the syslog daemon for logging The packet information is sent to the syslog daemon for logging iptables continues processing with the next rule in the table. iptables continues processing with the next rule in the table.

● REJECTREJECT Works like the Works like the DROPDROP target, but will also target, but will also return an error return an error messagemessage to the host sending the packet that the packet was blocked. to the host sending the packet that the packet was blocked.

● DNATDNAT Used to do Used to do destination network address translationdestination network address translation. ie. rewriting . ie. rewriting the destination IP address of the packet.the destination IP address of the packet.

● SNATSNAT Used to do Used to do source network address translationsource network address translation rewriting the source rewriting the source IP address of the packet. The source IP address is user definedIP address of the packet. The source IP address is user defined

● MASQUERADEMASQUERADE Used to do Used to do Source Network Address TranslationSource Network Address Translation. By default . By default the source IP address is the same as that used by the firewall's interface the source IP address is the same as that used by the firewall's interface

InterfacesInterfaces

#iptables -A INPUT -i #iptables -A INPUT -i lolo -j ACCEPT -j ACCEPT

/*allows localhost /*allows localhost interfaceinterface 127.0.0.1*/ 127.0.0.1*/

#iptables -A INPUT -i #iptables -A INPUT -i eth0eth0 -j ACCEPT -j ACCEPT

/*allows eth0 which is our internal LAN connection, (eth0 and eth1 are ethernet /*allows eth0 which is our internal LAN connection, (eth0 and eth1 are ethernet interfaces, they can be either internet or private network interfaces)*/interfaces, they can be either internet or private network interfaces)*/

#iptables -A INPUT -i #iptables -A INPUT -i ppp0ppp0 -j ACCEPT -j ACCEPT

/*allows ppp0 dialup modem which is our external internet connection*//*allows ppp0 dialup modem which is our external internet connection*/

Common Extended Match CriteriaCommon Extended Match Criteria-m multiport --sports <port, port>-m multiport --sports <port, port>

A variety of TCP/UDP source ports separated by commas. Unlike when A variety of TCP/UDP source ports separated by commas. Unlike when -m-m isn't used, they do not isn't used, they do not have to be within a range. have to be within a range.

-m multiport --dports <port, port>-m multiport --dports <port, port>

A variety of TCP/UDP destination ports separated by commas. Unlike when A variety of TCP/UDP destination ports separated by commas. Unlike when -m-m isn't used, they do isn't used, they do not have to be within a range. not have to be within a range.

-m multiport --ports <port, port>-m multiport --ports <port, port>

A variety of TCP/UDP ports separated by commas. Source and destination ports are assumed to be A variety of TCP/UDP ports separated by commas. Source and destination ports are assumed to be the same and they do not have to be within a range. the same and they do not have to be within a range.

-m --state <state>-m --state <state>

The most frequently tested states are: The most frequently tested states are:

ESTABLISHED:ESTABLISHED: The packet is part of a connection that has seen packets in both The packet is part of a connection that has seen packets in both directions directions

NEW:NEW: The packet is the start of a new connection The packet is the start of a new connection

RELATED:RELATED: The packet is starting a new secondary connection. This is a common The packet is starting a new secondary connection. This is a common

feature of such protocols such as an FTP data transfer, or an ICMP error.feature of such protocols such as an FTP data transfer, or an ICMP error.

Accept packets from trusted IP Accept packets from trusted IP addressesaddresses

● To allow the packets from a single IPTo allow the packets from a single IP

iptables -A INPUT -iptables -A INPUT -ss 192.168.0.4 - 192.168.0.4 -jj ACCEPT ACCEPT

[-s source -j jump to the target action (here ACCEPT) ][-s source -j jump to the target action (here ACCEPT) ]

● To allow incoming packets from a range of IP addressesTo allow incoming packets from a range of IP addresses

iptables -A INPUT -s 192.168.0.0/24 -j ACCEPTiptables -A INPUT -s 192.168.0.0/24 -j ACCEPT

or or

iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPTiptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT

Ports and ProtocolsPorts and Protocols

[ -p[ -p protocol (tcp,udp,icmp,all) ] protocol (tcp,udp,icmp,all) ]

[ -[ --dport-dport destination portdestination port ]] [--sport source port ][--sport source port ]

● Accept tcp packets on destination port 6881 (bittorrent)Accept tcp packets on destination port 6881 (bittorrent)

#iptables -A INPUT -#iptables -A INPUT -pp tcp -- tcp --dportdport 6881 -j ACCEPT 6881 -j ACCEPT

● To include a port rangeTo include a port range

Accept tcp packets on destination ports 6881-6890Accept tcp packets on destination ports 6881-6890

#iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT#iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT

Writing a Simple Rule SetWriting a Simple Rule Set

# iptables -# iptables -PP INPUT ACCEPTINPUT ACCEPT

//If connecting remotely we must first temporarily set the default //If connecting remotely we must first temporarily set the default policypolicy on the on the INPUT chain to ACCEPT,otherwise we will be locked out of our server once we INPUT chain to ACCEPT,otherwise we will be locked out of our server once we flush the current rules.flush the current rules.

# iptables -# iptables -FF

//to //to flushflush all existing rules so we start with a clean state from which to add new all existing rules so we start with a clean state from which to add new rules. rules.

# iptables -A INPUT -i # iptables -A INPUT -i lolo -j ACCEPT //to communicate with the localhost -j ACCEPT //to communicate with the localhost adaptor.adaptor.

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

//to allow only the incoming packets that are part of an already established connection or //to allow only the incoming packets that are part of an already established connection or related to and already established connection.related to and already established connection.

Writing a Simple Rule Set (Contd.)Writing a Simple Rule Set (Contd.)

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT # iptables -A INPUT -p tcp --dport 22 -j ACCEPT // to prevent accidental lockouts // to prevent accidental lockouts when working on remote systems over an SSH connection.when working on remote systems over an SSH connection.

# iptables -P INPUT DROP # iptables -P INPUT DROP //if an incoming packet does not match one of the //if an incoming packet does not match one of the following rules it will be dropped.following rules it will be dropped.

# iptables -P FORWARD DROP # iptables -P FORWARD DROP //set the default policy on the FORWARD chain to //set the default policy on the FORWARD chain to DROP as we're not using our computer as a router so there should not be any packets DROP as we're not using our computer as a router so there should not be any packets passing through our computer.passing through our computer.

# iptables -P OUTPUT ACCEPT # iptables -P OUTPUT ACCEPT //set the default policy on the OUTPUT chain to //set the default policy on the OUTPUT chain to ACCEPT as we want to allow all outgoing traffic (as we trust our users). ACCEPT as we want to allow all outgoing traffic (as we trust our users).

# iptables -L -v # iptables -L -v //we can list (-L) the rules we've just added to check they've been //we can list (-L) the rules we've just added to check they've been loaded correctly.loaded correctly.

# /sbin/service iptables save # /sbin/service iptables save //to save our rules so that next time we reboot our //to save our rules so that next time we reboot our computer our rules are automatically reloaded computer our rules are automatically reloaded

Masquerading (Many to One NAT)Masquerading (Many to One NAT)Traffic from all devices on one or more protected networks will appear as if it Traffic from all devices on one or more protected networks will appear as if it originated from a single IP address on the Internet side of the firewall.originated from a single IP address on the Internet side of the firewall.

echo 1 > /proc/sys/net/ipv4/ip_forward //to enable routing between internet echo 1 > /proc/sys/net/ipv4/ip_forward //to enable routing between internet & private network interfaces of the firewall.& private network interfaces of the firewall.

Masquerading has been achieved using the POSTROUTING chain of the nat Masquerading has been achieved using the POSTROUTING chain of the nat table, table,

#iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 -j #iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 -j MASQUERADEMASQUERADE

Use the FORWARD chain of the filter table. NEW and ESTABLISHED Use the FORWARD chain of the filter table. NEW and ESTABLISHED connections will be allowed outbound to the Internet, connections will be allowed outbound to the Internet,

#iptables -A FORWARD -t filter -o eth0 -m state --state #iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPTNEW,ESTABLISHED,RELATED -j ACCEPT

But only packets related to ESTABLISHED connections will be allowed inbound. But only packets related to ESTABLISHED connections will be allowed inbound.

#iptables -A FORWARD -t filter -i eth0 -m state --state #iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPTESTABLISHED,RELATED -j ACCEPT

This helps to protect the home network from anyone trying to initiate This helps to protect the home network from anyone trying to initiate connections from the Internetconnections from the Internet

Recovering From A Lost ScriptRecovering From A Lost Script

Sometimes the script you created to generate iptables rules may get Sometimes the script you created to generate iptables rules may get corrupted or lost, To recover:corrupted or lost, To recover:

Export the iptables-save output to a text file named firewall-configExport the iptables-save output to a text file named firewall-config

[root@bigboy tmp]# iptables-save > firewall-config [root@bigboy tmp]# iptables-save > firewall-config

[root@bigboy tmp]# cat firewall-config[root@bigboy tmp]# cat firewall-config

We can reload it into the active firewall rule set with the iptables-restore We can reload it into the active firewall rule set with the iptables-restore command.command.

[root@bigboy tmp]# iptables-restore < firewall-config[root@bigboy tmp]# iptables-restore < firewall-config

[root@bigboy tmp]# service iptables save[root@bigboy tmp]# service iptables save

TroubleshootingTroubleshooting iptablesiptables

● Checking The Firewall LogsChecking The Firewall Logs

LoLog and drop packets to the /var/log/messages file.g and drop packets to the /var/log/messages file.

iptables -A OUTPUT -j LOGiptables -A OUTPUT -j LOG

iptables -A INPUT -j LOGiptables -A INPUT -j LOG

iptables -A FORWARD -j LOGiptables -A FORWARD -j LOG

iptables -A OUTPUT -j DROPiptables -A OUTPUT -j DROP

iptables -A INPUT -j DROPiptables -A INPUT -j DROP

iptables -A FORWARD -j DROPiptables -A FORWARD -j DROP

Allowing DNS Access To Your FirewallAllowing DNS Access To Your Firewall

#iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 \#iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 \

-j ACCEPT-j ACCEPT

#iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 \#iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 \

-j ACCEPT-j ACCEPT

Allowing WWW And SSH Access To Allowing WWW And SSH Access To Your FirewallYour Firewall

● Interface eth0 is the internet interfaceInterface eth0 is the internet interface

#iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT#iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

● Allow port 80 (www) and 22 (SSH) connections to the firewallAllow port 80 (www) and 22 (SSH) connections to the firewall

#iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 #iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535

-m state --state NEW -j ACCEPT-m state --state NEW -j ACCEPT

#iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 #iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535

-m state --state NEW -j ACCEPT-m state --state NEW -j ACCEPT

Allowing Your Firewall To Access The Allowing Your Firewall To Access The InternetInternet

● Allow port 80 (www) and 443 (https) connections from the firewallAllow port 80 (www) and 443 (https) connections from the firewall

#iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED #iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp -m multiport --dports 80,443 --sport 1024:65535 -o eth0 -p tcp -m multiport --dports 80,443 --sport 1024:65535

● Allow previously established connectionsAllow previously established connections

Interface eth0 is the internet interfaceInterface eth0 is the internet interface

#iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 #iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp -p tcp

Allow Your Home Network To Access Allow Your Home Network To Access The FirewallThe Firewall

Allow all bidirectional traffic from your firewall to the protected networkAllow all bidirectional traffic from your firewall to the protected network

Interface eth1 is the private network interfaceInterface eth1 is the private network interface

#iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth1#iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth1

#iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth1#iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth1

THANK YOUTHANK YOU