Netfilter iptables -...
Netfilter
iptables
Firewall Implementation
• Routers
– ACLs
• GNU / Linux
– Ipchains
– Netfilter
• Iptables
• nftables
Firewalls history
• ipfw, BSD
• ipfwadm, Linux kernel 2.0.x
• ipchains, Linux kernel 2.2.x
• netfilter
– iptables, ip6table, arptables, …
– nftables (nft)
IPChains
ipchains: Linux IP Firewalling Chains
• Successor of ipfwadm
• Included in Linux from kernel 2.1.102 onwards
• Stable and secure
• Stateless
– Does not do stateful packet inspection
IPChains
• Rules are organised in lists (chains)
• New chains can be created
• Each chain has a default policy
– ACCEPT, REJECT, DENY
• Each rule has one of the following targets
– ACCEPT, REJECT, DENY
– MASQ
IPChains
Architecture
[Diagram: ipchains architecture. Interface (IF) -> INPUT chain -> routing (R) -> either Local Processes or the FORWARD chain -> OUTPUT chain -> interface (IF). Packets generated by Local Processes also go through the OUTPUT chain.]
IPChains
• References
– Firewall and Proxy Server HOWTO
– Linux IPCHAINS-HOWTO
– Linux IP Masquerade HOWTO
– all of them can be found at
http://www.linuxdoc.org
NetFilter
• Successor of IPChains
• Included in Linux from kernel 2.4.x onwards
– compatible with ipchains and ipfwadm
• Stateful Packet Inspection
• Tables
• Rule lists (chains)
netfilter / iptables
• netfilter is a framework, implemented as kernel modules (or built statically into the kernel).
• iptables is a user-level program that controls netfilter.
[Diagram: iptables (user space) issues Netfilter manipulations to the Linux Kernel.]
netfilter tools
• iptables
– Manage IPv4 packet filter rules
• ip6tables
– Manage IPv6 packet filter rules
• arptables
– Manage ARP packet filter rules
iptables
3/9/2017 CSC4430 - Lab on iptables
[student@vm1]$ sudo iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[student@vm1]$ _
Reading the command: -t filter names the table (filter) and -L is the command (list). The output shows the chain name (INPUT) and the one rule in the INPUT chain, followed by the other two chains (FORWARD and OUTPUT), which hold no rules.
The rule in the INPUT chain means: when a packet with ICMP payload passes through the INPUT hook, DROP that packet, no matter where it is from and where it is going.
Tables
Each function is handled by its own table.
• filter: this table is in charge of filtering packets.
• nat: this table is in charge of translating the IP addresses of packets.
• mangle: this table is in charge of changing packet content.
• …
Chains
Under each table, there is a set of chains.
Each chain can store a set of rules.
• filter: INPUT, OUTPUT, FORWARD
• nat: PREROUTING, POSTROUTING, OUTPUT
• mangle: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
Filter Table
• Chains
• Input
• Output
• Forward
• Actions
• DROP,
• ACCEPT,
• REJECT,
• LOG
Filter Table
[Diagram: filter table chains on the packet path. IF -> INPUT -> Local Processes -> OUTPUT -> IF; packets routed (R) through the box go IF -> FORWARD -> IF.]
NAT Table
Should only be used for NAT (Network Address Translation)
• Chains
• Prerouting
• Postrouting
• Output
• Targets
• DNAT (Destination NAT): change the destination address
• SNAT (Source NAT): change the source address
• MASQUERADE: like SNAT, but works with dynamic IPs
NAT Table
[Diagram: nat table chains on the packet path. D-NAT happens in PREROUTING (for packets that will be routed (R) to FORWARD or delivered locally via INPUT) and in OUTPUT (for packets from Local Processes); S-NAT happens in POSTROUTING, just before the outgoing interface (IF).]
Mangle Table
• Must not be used for filtering or NAT
• Use: manipulation of header fields
• Typical example: changing TTL and TOS
Mangle Table
This table is used for specialized packet alteration.
• Chains:
PREROUTING for altering incoming packets before routing.
OUTPUT for altering locally-generated packets before routing.
INPUT for packets coming into the box itself.
FORWARD for altering packets being routed through the box.
POSTROUTING for altering packets as they are about to go out.
Mangle Table
[Diagram: mangle table chains on the packet path. IF -> PREROUTING -> routing (R) -> either INPUT -> Local Processes -> OUTPUT, or FORWARD; both then go through POSTROUTING -> IF.]
iptables command
iptables [-t table] command [match] [target/jump]
• table: mangle, filter, nat, …
• command: append (A), delete (D), replace (R), insert (I), list (L), flush (F), policy (P), etc.
• match: which packets the rule applies to.
• target/jump: what to do with them / which chain to divert to.
Matches
-p tcp protocol = tcp
-s 192.168.10.0/24 source IP = 192.168.10.x
! -d 192.168.0.1 destination IP other than 192.168.0.1
-i eth0 input interface = eth0
-o eth1 output interface = eth1
-p tcp --sport 22:80 source port between 22 and 80
-p tcp --dport 1024: destination port from 1024 to 65535
-p tcp --tcp-flags SYN,FIN,ACK SYN
tests for syn=1, fin=0 and ack=0
-p tcp --syn tests for syn=1, rst=0 and ack=0
-p udp --dport 53 destination port 53
Matches
-p icmp --icmp-type 8
-m limit --limit 3/hour
-m mac --mac-source 00:00:00:00:00:01
-p tcp -m multiport --source-ports 22,53,80,110
-p tcp -m multiport --ports 22,53,80,110
-m owner --uid-owner 500
-m state --state RELATED,ESTABLISHED
-p tcp -m tos --tos 0x16
-m ttl --ttl-eq 60
iptables Targets
• ACCEPT – let the packet through
• DROP – drop the packet
• REJECT – deny access and send icmp-error reply
• QUEUE – pass the packet to the userspace
• RETURN – stop traversing this chain and resume the calling chain
• LOG – log the packet to the kernel log; the packet then continues down the chain
Targets examples (1)
iptables -A INPUT -p tcp -j tcp_packets
diverts processing to the tcp_packets chain
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
accepts tcp packets to port 80
iptables -A INPUT -p tcp --dport 23 -j DROP
discards tcp packets to port 23
Targets examples (2)
iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
iptables -A FORWARD -p tcp -j LOG --log-tcp-options
iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Targets examples (3)
iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1
iptables example
iptables -I INPUT -i eth1 -p tcp -s 192.168.56.1 \
--sport 1024:65535 -d 192.168.56.2 --dport 22 \
-j ACCEPT
iptables -I OUTPUT -o eth1 -p tcp ! --syn \
-s 192.168.56.2 --sport 22 -d 192.168.56.1 \
--dport 1024:65535 -j ACCEPT
NetFilter - States
• Whether a rule applies to a packet may depend on the state of the connection the packet belongs to.
• Connection states
• New: the first packet of a connection
• Established: traffic of a connection in both directions
• Related: traffic related to another, already established connection
• Invalid: traffic that is not identified or does not belong to any other state
Forwarding Packets
iptables -A FORWARD -i <internal interface> \
-o <external interface> -s 192.168.56.1/32 \
--sport 1024:65535 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i <external interface> \
-o <internal interface> -m state \
--state ESTABLISHED,RELATED -j ACCEPT
Forward also depends on /proc/sys/net/ipv4/ip_forward.
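The SSH pair on the "iptables example" slide is stateless: it has to describe both directions explicitly, including the `! --syn` reply rule. The following script is an added example, not from the slides, that rebuilds it as a stateful host firewall for the same hosts (admin host 192.168.56.1, SSH server 192.168.56.2 on eth1), ordered loopback first and ESTABLISHED,RELATED second as the optimization slide later recommends. The run helper and the DRY_RUN variable are this example's own: by default every command is only printed, and DRY_RUN=0 as root applies it.

```shell
#!/bin/sh
# Added example: stateful host firewall for an SSH server (192.168.56.2 on eth1)
# reachable only from the admin host 192.168.56.1. Addresses are the slide's;
# the run/DRY_RUN mechanism is an assumption of this example.
# Default is a dry run that prints each command; DRY_RUN=0 executes it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

host_firewall() {
    # Clean slate, default deny in both directions.
    run iptables -F INPUT
    run iptables -F OUTPUT
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP

    # 1. Loopback first: matched most often, costs one rule lookup.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT

    # 2. Anything belonging to a connection already accepted passes here, so the
    #    service rules below only have to match the first (NEW) packet and the
    #    reverse direction needs no rule of its own.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Packets conntrack cannot place in any connection (stray ACKs, bad flag
    #    combinations): log them with a prefix, then drop.
    run iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: "
    run iptables -A INPUT -m state --state INVALID -j DROP

    # 4. New SSH connections, from the admin host only.
    run iptables -A INPUT -i eth1 -p tcp -s 192.168.56.1 -d 192.168.56.2 \
        --dport 22 -m state --state NEW -j ACCEPT

    # 5. Log (rate limited) whatever is about to fall through to the DROP policy.
    run iptables -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT drop: "
}

host_firewall
```

Rule 2 is what makes the slide's second rule (the `! --syn` OUTPUT rule for SSH replies) unnecessary: replies belonging to an accepted SSH connection are ESTABLISHED and are accepted before any per-service rule is consulted.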
iptables -L -v -n
Chain INPUT (policy DROP 280 packets, 32685 bytes)
pkts bytes target prot opt in out source destination
3300 136K ACCEPT tcp -- eth1 * 192.168.56.1 192.168.56.2 tcp dpt:22
140 51297 LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
378K 46M LOG all -- eth1 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
140 10220 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
304 35676 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4435 1275K LOG all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
4717 882K LOG all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
13 624 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 192.168.56.1 tcp dpt:22 state NEW
4379 1214K ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4609 877K ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 396 ACCEPT tcp -- eth1 eth0 0.0.0.0/0 10.10.90.10 tcp dpt:22 state NEW
40 1832 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 192.168.56.10 tcp dpt:22 state NEW
Chain OUTPUT (policy DROP 7 packets, 588 bytes)
pkts bytes target prot opt in out source destination
5687 6275K ACCEPT tcp -- * eth1 192.168.56.2 192.168.56.1 tcp spt:22
102 48836 LOG all -- * eth4 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
78904 8127K LOG all -- * eth1 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
140 10220 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
LOG - Target Extension
• LOG options
--log-level
--log-prefix
--log-tcp-sequence
--log-tcp-options
--log-ip-options
• Examples
iptables -A OUTPUT -o eth0 -j LOG
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: "
iptables log output
Jun 25 09:05:11 hebe kernel: IN=eth1 OUT= MAC=00:00:92:a7:df:05:02:07:01:23:5e:29:08:00 SRC=10.90.10.112 DST=10.90.10.116 LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=7276 PROTO=TCP SPT=47785 DPT=10003 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 25 09:05:11 hebe kernel: IN=eth1 OUT= MAC=00:00:92:a7:df:05:02:07:01:23:5e:29:08:00 SRC=10.90.10.112 DST=10.90.10.116 LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=7276 PROTO=TCP SPT=47785 DPT=10003 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 25 09:05:12 hebe kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:d1:24:bb:08:00 SRC=10.90.50.251 DST=10.90.255.255 LEN=241 TOS=0x00 PREC=0x00 TTL=128 ID=547 PROTO=UDP SPT=138 DPT=138 LEN=221
Jun 25 09:05:12 hebe kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:d1:24:bb:08:00 SRC=10.90.50.251 DST=10.90.255.255 LEN=241 TOS=0x00 PREC=0x00 TTL=128 ID=547 PROTO=UDP SPT=138 DPT=138 LEN=221
Jun 25 09:05:12 hebe kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:74:0b:81:08:00 SRC=10.90.10.6 DST=10.90.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=44852 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 25 09:05:12 hebe kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:74:0b:81:08:00 SRC=10.90.10.6 DST=10.90.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=44852 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 25 09:05:15 hebe kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:60:cf:20:2d:37:08:00 SRC=10.90.10.104 DST=10.90.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=1 ID=60733 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 25 09:05:15 hebe kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:60:cf:20:2d:37:08:00 SRC=10.90.10.104 DST=10.90.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=1 ID=60733 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 25 09:05:23 hebe kernel: IN=eth1 OUT= MAC=00:00:92:a7:df:05:02:07:01:23:5e:29:08:00 SRC=10.90.10.112 DST=10.90.10.116 LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=11698 PROTO=TCP SPT=4778
log_analysis output
3 Chain: input Interface: eth0 >> 211.39.225.244 1559 => 192.168.56.2 TCP 27374
4 Chain: input Interface: eth0 >> 211.44.96.76 1659 => 192.168.56.2 TCP 27374
4 Chain: input Interface: eth0 >> 24.209.129.7 2846 => 192.168.56.2 TCP 27374
4 Chain: input Interface: eth0 >> 4.41.13.124 1537 => 192.168.56.2 TCP 27374
3 Chain: input Interface: eth0 >> 61.255.229.7 3714 => 192.168.56.2 TCP 27374
3 Chain: input Interface: eth0 >> 64.231.21.254 2361 => 192.168.56.2 TCP 27374
4 Chain: input Interface: eth0 >> 65.24.46.200 1992 => 192.168.56.2 TCP 27374
4 Chain: input Interface: eth0 >> 65.33.176.170 1328 => 192.168.56.2 TCP 27374
4 Chain: input Interface: eth0 >> 65.43.103.123 3672 => 192.168.56.2 TCP 27374
4 Chain: input Interface: eth0 >> 66.188.158.191 3064 => 192.168.56.2 TCP 27374
3 Chain: input Interface: eth0 >> 80.224.203.178 4697 => 192.168.56.2 TCP 27374
3 Chain: input Interface: eth0 >> 12.220.98.42 1380 => 192.168.56.2 TCP 27374
3 Chain: input Interface: eth0 >> 193.205.135.94 2498 => 192.168.56.2 TCP 1433
3 Chain: input Interface: eth0 >> 198.83.120.42 1711 => 192.168.56.2 TCP 1433
3 Chain: input Interface: eth0 >> 202.108.234.155 3877 => 192.168.56.2 TCP 1433
3 Chain: input Interface: eth0 >> 202.140.162.42 19914 => 192.168.56.2 TCP 1433
3 Chain: input Interface: eth0 >> 205.158.95.87 1367 => 192.168.56.2 TCP 1433
3 Chain: input Interface: eth0 >> 208.2.225.43 3818 => 192.168.56.2 TCP 1433
3 Chain: input Interface: eth0 >> 212.118.71.3 1429 => 192.168.56.2 TCP 1433
4 Chain: input Interface: eth0 >> 61.85.33.8 2113 => 192.168.56.2 TCP 27374
4 Chain: input Interface: eth0 >> 61.99.45.198 4515 => 192.168.56.2 TCP 27374
3 Chain: input Interface: eth0 >> 62.90.204.2 3798 => 192.168.56.2 TCP 1433
3 Chain: input Interface: eth0 >> 63.231.101.56 61428 => 192.168.56.2 TCP 1433
3 Chain: input Interface: eth0 >> 66.28.45.209 4268 => 192.168.56.2 TCP 1433
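The kernel LOG lines and the log_analysis summary above are two views of the same data: the raw KEY=VALUE records, and a per-source count of which ports are being probed. As an added example (not the log_analysis tool from the slides, whose source is not shown here), the script below reduces LOG lines to those counts with awk. The lines in SAMPLE_LOG are constructed to follow the LOG format shown above; they are not real traffic.

```shell
#!/bin/sh
# Added example: summarise iptables LOG output in the style of log_analysis.
# SAMPLE_LOG is constructed test input in the kernel LOG format (not real traffic);
# the "INPUT drop:" prefix is an assumed --log-prefix.
SAMPLE_LOG='Jun 25 09:05:11 hebe kernel: INPUT drop: IN=eth0 OUT= MAC=00:00:92:a7:df:05:02:07:01:23:5e:29:08:00 SRC=203.0.113.5 DST=192.168.56.2 LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=7276 PROTO=TCP SPT=1559 DPT=27374 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 25 09:05:12 hebe kernel: INPUT drop: IN=eth0 OUT= MAC=00:00:92:a7:df:05:02:07:01:23:5e:29:08:00 SRC=203.0.113.5 DST=192.168.56.2 LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=7277 PROTO=TCP SPT=1560 DPT=27374 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 25 09:05:13 hebe kernel: INPUT drop: IN=eth0 OUT= MAC=00:00:92:a7:df:05:02:07:01:23:5e:29:08:00 SRC=203.0.113.5 DST=192.168.56.2 LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=7278 PROTO=TCP SPT=1561 DPT=27374 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 25 09:05:20 hebe kernel: INPUT drop: IN=eth0 OUT= MAC=00:00:92:a7:df:05:02:07:01:23:5e:29:08:00 SRC=198.51.100.7 DST=192.168.56.2 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=551 PROTO=TCP SPT=2498 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 25 09:05:21 hebe kernel: INPUT drop: IN=eth0 OUT= MAC=00:00:92:a7:df:05:02:07:01:23:5e:29:08:00 SRC=198.51.100.7 DST=192.168.56.2 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=552 PROTO=TCP SPT=2499 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 25 09:05:25 hebe kernel: INPUT drop: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:74:0b:81:08:00 SRC=192.0.2.9 DST=192.168.56.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=44852 PROTO=UDP SPT=137 DPT=137 LEN=58'

# Reads LOG lines on stdin. Every KEY=VALUE field is split on "="; bare flag
# fields (SYN, DF) and the syslog prefix have no "=" and are skipped.
# Output: "<hits> <in-interface> <src> => <dst> <proto> <dport>", most hits first.
summarise_log() {
    awk '
    {
        in_if = src = dst = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue
            if      (kv[1] == "IN")    in_if = kv[2]
            else if (kv[1] == "SRC")   src   = kv[2]
            else if (kv[1] == "DST")   dst   = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT")   dpt   = kv[2]
        }
        if (src == "") next      # not a netfilter LOG line
        hits[in_if " " src " => " dst " " proto " " dpt]++
    }
    END { for (k in hits) print hits[k], k }' | sort -k1,1nr -k2
}

# Hits per destination port only: which services the firewall is absorbing probes for.
port_totals() {
    awk '
    {
        proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue
            if      (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT")   dpt   = kv[2]
        }
        if (dpt != "") totals[proto "/" dpt]++
    }
    END { for (k in totals) print totals[k], k }' | sort -k1,1nr -k2
}

printf '%s\n' "$SAMPLE_LOG" | summarise_log
printf '%s\n' "$SAMPLE_LOG" | port_totals
```

On a real system the input comes from wherever klogd/journald writes kernel messages, for example `journalctl -k | summarise_log`; filtering by the --log-prefix string first (`grep 'INPUT drop:'`) keeps the counts of one rule apart from those of another.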
NAT Overview
• Source NAT
– The source address of the initial packet is modified.
– Performed on the POSTROUTING Chain.
– Includes MASQUERADE functionality.
• Destination NAT
– The destination address of the initial packet is modified.
– Performed on the PREROUTING or OUTPUT chain.
filter + nat
[Diagram: packet path through the filter and nat tables.
Incoming datagram -> nat PREROUTING (DNAT) -> "Destination is local?"
Yes -> filter INPUT -> To application
No -> filter FORWARD -> nat POSTROUTING (SNAT) -> Outgoing datagram
From application -> nat OUTPUT -> filter OUTPUT -> nat POSTROUTING (SNAT) -> Outgoing datagram]
Standard SNAT Example
iptables -t nat -A POSTROUTING -o <external interface> \
-j SNAT --to-source <external address>
iptables -A FORWARD -i <internal interface> \
-o <external interface> -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o <internal interface> \
-m state --state ESTABLISHED,RELATED -j ACCEPT
DNAT - Host Forwarding
iptables -t nat -A PREROUTING -i <external interface> \
-p tcp --sport 1024:65535 -d <external address> --dport 80 \
-j DNAT --to-destination <local server>
iptables -A FORWARD -i <external interface> \
-o <internal interface> -p tcp --sport 1024:65535 \
-d <local server> --dport 80 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i <internal interface> \
-m state --state ESTABLISHED,RELATED -j ACCEPT
Advanced DNAT
Port Redirection:
iptables -t nat -A PREROUTING -i <external interface> \
-p tcp --sport 1024:65535 -d <external address> --dport 80 \
-j DNAT --to-destination <local server>:81
Server Farms:
iptables -t nat -A PREROUTING -i <external interface> \
-p tcp --sport 1024:65535 -d <external WEB address> \
--dport 80 -j DNAT \
--to-destination 192.168.56.10-192.168.56.15
Configuring NAT with iptables
• First example:
iptables -t nat -A POSTROUTING -s 10.0.1.2 -j SNAT --to-source 128.143.71.21
• Pool of IP addresses:
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 128.128.71.0-128.143.71.30
• ISP migration (-R replaces an existing rule and needs its number, 1 here):
iptables -t nat -R POSTROUTING 1 -s 10.0.1.0/24 -j SNAT --to-source 128.195.4.0-128.195.4.254
• IP masquerading:
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth1 -j MASQUERADE
• Load balancing:
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4
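The SNAT, DNAT and FORWARD fragments on the last few slides only make sense together, in a fixed order and with forwarding enabled. The following added example (not from the slides) assembles them into one gateway script. Interface roles and addresses are assumptions: eth0 is the external interface holding 203.0.113.10, eth1 faces the 192.168.56.0/24 LAN, and 192.168.56.10 is the internal web server published on port 80. The run helper and DRY_RUN are this example's own: by default it prints the commands, and DRY_RUN=0 as root applies them.

```shell
#!/bin/sh
# Added example: NAT gateway (SNAT for the LAN, DNAT for one web server).
# Interfaces and addresses are assumptions of this example; DRY_RUN=1 (default) prints.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

EXT_IF=eth0            # external interface (assumed)
EXT_ADDR=203.0.113.10  # its public address (assumed)
INT_IF=eth1            # LAN interface (assumed)
LAN=192.168.56.0/24
WEB=192.168.56.10      # internal web server published on EXT_ADDR:80 (assumed)

nat_gateway() {
    # Without forwarding enabled in the kernel the FORWARD chain is never reached.
    run sysctl -w net.ipv4.ip_forward=1

    # Default deny for routed traffic: NAT rewrites addresses, it authorises nothing.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -t nat -F

    # Source NAT: LAN hosts leave through EXT_IF with the public address.
    # POSTROUTING is the last hook, so filter FORWARD still sees the LAN addresses.
    run iptables -t nat -A POSTROUTING -s "$LAN" -o "$EXT_IF" -j SNAT --to-source "$EXT_ADDR"

    # Destination NAT: connections to EXT_ADDR:80 are rewritten in PREROUTING,
    # before routing, so FORWARD sees the internal server as the destination.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_ADDR" --dport 80 \
        -j DNAT --to-destination "$WEB"

    # Reply and related traffic in either direction, checked first for speed.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN -> Internet: any new connection from the LAN.
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -m state --state NEW -j ACCEPT
    # Internet -> web server: only what DNAT produced (match the post-DNAT destination).
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB" --dport 80 \
        -m state --state NEW -j ACCEPT
}

nat_gateway
```

The point most often got wrong is the last rule: because nat PREROUTING runs before the routing decision, the filter FORWARD chain never sees the public address; a FORWARD rule written with `-d 203.0.113.10` would match nothing and the DNAT'd connections would hit the DROP policy.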
Filter + NAT + Mangle
[Diagram: all three tables on the packet path. At each hook the chains are traversed in this order:
PREROUTING: MANGLE PREROUTING, NAT PREROUTING
INPUT: MANGLE INPUT, FILTER INPUT
FORWARD: MANGLE FORWARD, FILTER FORWARD
OUTPUT: MANGLE OUTPUT, NAT OUTPUT, FILTER OUTPUT
POSTROUTING: MANGLE POSTROUTING, NAT POSTROUTING
The routing decision (R) after PREROUTING sends a packet to INPUT (Local Processes) or FORWARD; Local Processes send via OUTPUT; both paths end in POSTROUTING and the outgoing interface (IF).]
User Defined Chains
iptables -A INPUT -i $INTERNET -d <public address> -j EXT-input
iptables -A EXT-input -p udp --sport 53 --dport 53 -j EXT-dns-server-in
iptables -A EXT-input -p tcp ! --syn --sport 53 --dport 1024:65535 -j EXT-dns-server-in
iptables -A EXT-dns-server-in -s $NAMESERVER_1 -j ACCEPT
Port knocking
iptables -A KNOCKING -m recent --rcheck --seconds 30 --name AUTH3 -j PASSED
iptables -A KNOCKING -m recent --rcheck --seconds 10 --name AUTH2 -j GATE3
iptables -A KNOCKING -m recent --rcheck --seconds 10 --name AUTH1 -j GATE2
iptables -A KNOCKING -j GATE1
Port knocking
iptables -A GATE1 -p tcp --dport 2222 -m recent --name AUTH1 --set -j DROP
iptables -A GATE1 -j DROP
Port knocking
iptables -A GATE2 -m recent --name AUTH1 --remove
iptables -A GATE2 -p tcp --dport 3333 -m recent --name AUTH2 --set -j DROP
iptables -A GATE2 -j GATE1
Port knocking
iptables -A GATE3 -m recent --name AUTH2 --remove
iptables -A GATE3 -p tcp --dport 4444 -m recent --name AUTH3 --set -j DROP
iptables -A GATE3 -j GATE1
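The four port-knocking slides show the contents of the KNOCKING, GATE1, GATE2 and GATE3 chains, but not how packets enter them or what PASSED does. The script below is an added example, not the slides' own, that completes the sequence: it creates the chains, gives PASSED the meaning "accept SSH" (the name PASSED is the slide's; its contents are an assumption), and sends new connections from INPUT into KNOCKING. Knock ports 2222, 3333 and 4444 and the 10 and 30 second windows are the slides' values. The run helper and DRY_RUN are this example's own: by default it prints the commands, and DRY_RUN=0 as root applies them.

```shell
#!/bin/sh
# Added example: complete port-knocking rule set (2222 -> 3333 -> 4444 opens SSH for 30 s).
# KNOCKING/GATE1-3 follow the slides; PASSED and the INPUT hook are assumptions.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

port_knocking() {
    for chain in KNOCKING GATE1 GATE2 GATE3 PASSED; do
        run iptables -N "$chain"
    done

    # PASSED: the source completed the sequence within the last 30 s (assumed contents).
    run iptables -A PASSED -p tcp --dport 22 -j ACCEPT

    # KNOCKING: test the most advanced stage first. --rcheck only reads the recent
    # list and never refreshes its timestamp, so every window is a hard deadline.
    run iptables -A KNOCKING -m recent --rcheck --seconds 30 --name AUTH3 -j PASSED
    run iptables -A KNOCKING -m recent --rcheck --seconds 10 --name AUTH2 -j GATE3
    run iptables -A KNOCKING -m recent --rcheck --seconds 10 --name AUTH1 -j GATE2
    run iptables -A KNOCKING -j GATE1

    # GATE1: a knock on 2222 records the source in AUTH1; every packet is dropped,
    # so from outside the knock port looks exactly like any other closed port.
    run iptables -A GATE1 -p tcp --dport 2222 -m recent --name AUTH1 --set -j DROP
    run iptables -A GATE1 -j DROP

    # GATE2: consume AUTH1, then either advance to AUTH2 or fall back to GATE1.
    # The --remove rule has no target, so processing continues with the next rule;
    # a wrong second knock therefore resets the sequence.
    run iptables -A GATE2 -m recent --name AUTH1 --remove
    run iptables -A GATE2 -p tcp --dport 3333 -m recent --name AUTH2 --set -j DROP
    run iptables -A GATE2 -j GATE1

    # GATE3: consume AUTH2, then set AUTH3 or fall back.
    run iptables -A GATE3 -m recent --name AUTH2 --remove
    run iptables -A GATE3 -p tcp --dport 4444 -m recent --name AUTH3 --set -j DROP
    run iptables -A GATE3 -j GATE1

    # INPUT: sessions already open must survive the end of the 30 s window, so
    # ESTABLISHED,RELATED is accepted first; only NEW connections to SSH or to a
    # knock port enter the state machine.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp -m multiport --dports 22,2222,3333,4444 \
        -m state --state NEW -j KNOCKING
}

port_knocking
```

With DRY_RUN=0 the current state of each list can be inspected in /proc/net/xt_recent/AUTH1 (and AUTH2, AUTH3), which is the quickest way to see why a knock sequence did or did not complete.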
Firewall Optimization
• Place loopback rules as early as possible.
• Use the state and connection-tracking modules to bypass the firewall for established connections.
• Place forwarding rules as early as possible.
• Combine rules for standard TCP client-server connections into a single rule using port lists.
• Place rules for heavy-traffic services as early as possible.
firewalld
• provides a dynamically managed firewall
• Supports zones
• Supports multiple backends.
• Provides an interface for direct addition of firewall rules.
firewall-config
• GUI tool to configure firewalld