Iptables and DMZ


Iptables - NAT/ DMZ example

Here is a basic script that acts as a very basic firewall. Note that eth0 is the internet-facing interface
and eth1 is on the local network.
Types of attacks
Whenever a server is open to the internet there is a risk of attack. These attacks can never be
prevented with 100% certainty, but they can be minimised. One of the best ways to do this is with a
firewall such as the ones shown here, which can be used to limit openings and connections. It is
important to know about these attacks so you can better protect your servers and networks against
them.
DDoS
A DDoS (distributed denial of service) attack is one where many systems are used to attack a
single target (normally a web server) with huge amounts of bandwidth. The goal of these attacks
is to take the server offline or make it unusable for genuine users. These attacks are becoming
more common and are important to guard against, since they can be simple to launch and can be
very successful if the proper measures are not taken to secure servers.
ICMP Flood
There are a few different types of ICMP attacks, which all rely on misconfigured networks and can
easily be prevented. They tend to rely on the ping command and are used to overwhelm the target.
For an attack to be successful the attacker needs to have more bandwidth than the victim. These
attacks are easy to launch but are also easy to prevent.
SYN Flood
These are attacks where TCP connections are left half-open. The attacker(s) keep opening more
and more connections without completing them, which overwhelms the server. These attacks can be
prevented with SYN cookies or by limiting the number of new connections from a single source over a
specified time frame.
#---------------------------------------------------------------
# Initialize all the chains by removing all the rules
# tied to them
#---------------------------------------------------------------
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
#---------------------------------------------------------------
# The loopback interface should accept all traffic
# Necessary for X-Windows and other socket based services
#---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#---------------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface eth0 is the internet interface
#
# Zone transfers use TCP and not UDP. Most home networks
# websites using a single DNS server won't require TCP statements
#
#---------------------------------------------------------------
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------------
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
#---------------------------------------------------------------
# Allow port 80 (www) and 443 (https) connections from the firewall
#---------------------------------------------------------------
iptables -A OUTPUT -o eth0 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 --sport 1024:65535 -j ACCEPT
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp -j ACCEPT
#---------------------------------------------------------------
# If a packet doesn't match one of the built in chains, then
# The policy should be to drop it
#---------------------------------------------------------------
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
service iptables restart
#---------------------------------------------------------------
Continuing On:
With that out of the way, the process of getting NATing to work will commence. NAT is network
address translation, which was designed to help with the problem of not enough IP addresses
worldwide. In short, it allows multiple computers to use the same public IP address.
Note: the addresses written with xx are the internet (public) addresses; the 192.168.x.x addresses are internal.
vi /etc/sysconfig/network-scripts/ifcfg-eth0
and make it look like this:
DEVICE=eth0
BOOTPROTO=none
BROADCAST=xx.xx.xx.255 # Optional Entry
HWADDR=00:50:BA:88:72:D4 # Optional Entry
IPADDR=xx.xx.xx.xx
NETMASK=255.255.255.0 # Provided by the ISP
NETWORK=xx.xx.xx.0 # Optional
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
GATEWAY=xx.xx.xx.1 # Provided by the ISP
vi /etc/sysconfig/network-scripts/ifcfg-eth1
BOOTPROTO=none
PEERDNS=yes
HWADDR=00:50:8B:CF:9C:05 # Optional
TYPE=Ethernet
IPV6INIT=no
DEVICE=eth1
NETMASK=255.255.0.0 # Specify based on your requirement
BROADCAST=""
IPADDR=192.168.2.1 # Gateway of the LAN
NETWORK=192.168.0.0 # Optional
USERCTL=no
ONBOOT=yes
Make sure there is something like this in the hosts file:
vi /etc/hosts
127.0.0.1 nat localhost.localdomain localhost
Do this:
vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=nat
GATEWAY=xx.xx.xx.1 # Internet Gateway, provided by the ISP
Check the following
vi /etc/resolv.conf
nameserver 203.145.184.13 # Primary DNS Server provided by the ISP
nameserver 202.56.250.5 # Secondary DNS Server provided by the ISP
NOTE: those nameserver addresses will be different for you.
vi /etc/sysctl.conf
Change the following value from:
net.ipv4.ip_forward = 0
TO:
net.ipv4.ip_forward = 1
Change this one too:
vi /etc/sysconfig/iptables-config
Find IPTABLES_MODULES_UNLOAD, IPTABLES_SAVE_ON_STOP and IPTABLES_SAVE_ON_RESTART
and set each of those options to yes (they default to no).
No NATing yet? Add these lines to your script right above the drop section. Cheers.

echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
And now you'll be doubling up: the LAN machines share the firewall's public address.

So what we want is the following network (the diagram is not reproduced here):

Well, what is happening? What we want is a DMZ where a web server somewhere on the Internet is
asking for some MySQL.
It would be dangerous to have that MySQL machine serving directly on the Internet, so what should
we do? Putting it behind the firewall is the solution.
OK? So the web server hits the firewall, the request is forwarded to a machine behind it,
and then the reply is allowed back out.
The FINAL script

NOTE: the parts shown in bold in the original are the ones that matter. PING packets are already dropped if they hit the
firewall, and logging is a definite. Note that port 1056 on the firewall forwards you via SSH to the MySQL
machine ;)
#---------------------------------------------------------------
# Initialize all the chains by removing all the rules
# tied to them
#---------------------------------------------------------------
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
#---------------------------------------------------------------
# The loopback interface should accept all traffic
# Necessary for X-Windows and other socket based services
#---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#---------------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface eth0 is the internet interface
#
# Zone transfers use TCP and not UDP. Most home networks
# websites using a single DNS server won't require TCP statements
#
#---------------------------------------------------------------
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------------
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
#---------------------------------------------------------------
# Allow port 80 (www) and 443 (https) connections from the firewall
#---------------------------------------------------------------
iptables -A OUTPUT -o eth0 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 3306 --sport 1024:65535 -j ACCEPT
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp -j ACCEPT
#---------------------------------------------------------------
# If a packet doesn't match one of the built in chains, then
# The policy should be to drop it
#---------------------------------------------------------------
#######################################################################
# DMZ webserver to mysql
#=====================================================================
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 142.25.97.89 --dport 80 -j DNAT --to 142.25.97.40
iptables -t nat -A POSTROUTING -d 142.25.97.40 -j MASQUERADE
#=====================================================================
#for MYSQL from DMZ to MYSQL server
#======================================================================
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 142.25.97.89 --dport 3306 -j DNAT --to 192.168.9.50
iptables -t nat -A POSTROUTING -d 192.168.9.50 -j MASQUERADE
iptables -A INPUT -p tcp -s 142.25.97.89 --sport 1024:65535 -d 142.25.97.89 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 142.25.97.89 --sport 3306 -d 142.25.97.89 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 142.25.97.89 --sport 1024:65535 -d 0/0 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 3306 -d 142.25.97.89 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
#======================================================================
#forward port 1056 to port 22 (SSH) and port 1200 to port 3306 on the MySQL server 192.168.9.50
#======================================================================
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 142.25.97.89 --dport 1056 -j DNAT --to 192.168.9.50:22
iptables -A FORWARD -p tcp -i eth0 -d 192.168.9.50 --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 142.25.97.89 --dport 1200 -j DNAT --to 192.168.9.50:3306
iptables -A FORWARD -p tcp -i eth0 -d 192.168.9.50 --dport 3306 -j ACCEPT
# Replies to forwarded connections and all LAN-originated traffic
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
#$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
# ATTACKS AND LOGGING
#$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
# Pings are not allowed anyway (there is no ICMP ACCEPT rule, so the final DROP catches them)
# Rate-limit new TCP connections from the internet: 10 per second with a burst of 20
# are let through (RETURN); anything above that is dropped.
# The syn-flood chain lives in the filter table, so it must be created there and
# jumped to; the jump is inserted at the top of INPUT so it runs before the ACCEPT rules above.
#---------------------------------------------------------------------
iptables -N syn-flood
iptables -I INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 10/s --limit-burst 20 -j RETURN
iptables -A syn-flood -j DROP
#LOGGING
#-------------------------------------------------------------------
/sbin/iptables -A INPUT -m limit --limit 15/minute -j LOG \
--log-level 7 --log-prefix "Dropped by firewall: "
/sbin/iptables -A OUTPUT -m limit --limit 15/minute -j LOG \
--log-level 7 --log-prefix "Dropped by firewall: "
#======================================================================
#DROPPS
#=====================================================================
# Drop illegal packets
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP # XMAS scan
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP # all flags set
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP # SYN+RST
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # SYN+FIN
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# iptables-save only prints the current rules to stdout (-c includes packet counters);
# the rules are persisted by IPTABLES_SAVE_ON_RESTART=yes when the service restarts below.
iptables-save
iptables-save -c
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
service iptables restart
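The LOG rules above tag every dropped packet with the prefix "Dropped by firewall: ", so the kernel log is where a SYN flood or port scan against this firewall shows up first. The following is an added example, not part of the original script, that parses such log lines (constructed samples using RFC 5737 test addresses) and counts drops per source and port, flagging sources that sent at least a threshold of bare SYNs; the 10-per-second figure matches the limit in the syn-flood chain.

```python
import re
from collections import Counter

# --log-prefix used by the LOG rules in the script above.
PREFIX = "Dropped by firewall: "
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")

# Constructed sample kernel log lines (RFC 5737 test addresses), not real traffic:
# twelve bare SYNs to the MySQL port from one host, plus two stray packets.
SAMPLE_LOG = [
    f"kernel: {PREFIX}IN=eth0 OUT= SRC=198.51.100.7 DST=142.25.97.89 LEN=60 "
    f"TOS=0x00 PREC=0x00 TTL=52 ID={1000 + i} DF PROTO=TCP SPT={40000 + i} "
    "DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0"
    for i in range(12)
] + [
    f"kernel: {PREFIX}IN=eth0 OUT= SRC=203.0.113.5 DST=142.25.97.89 LEN=76 "
    "TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=UDP SPT=123 DPT=123 LEN=56",
    f"kernel: {PREFIX}IN=eth0 OUT= SRC=203.0.113.5 DST=142.25.97.89 LEN=40 "
    "TOS=0x00 PREC=0x00 TTL=48 ID=8 PROTO=TCP SPT=443 DPT=5555 RES=0x00 ACK URGP=0",
    "kernel: eth0: link is up",  # unrelated kernel message, must be ignored
]

def parse_drop_line(line):
    """Parse one LOG line into {SRC, DST, PROTO, SPT, DPT, FLAGS}; None if not ours."""
    if PREFIX not in line:
        return None
    body = line.split(PREFIX, 1)[1]
    rec = dict(FIELD_RE.findall(body))
    # TCP flag names appear as bare words after RES=...; UDP lines have no RES= field.
    rec["FLAGS"] = set(FLAG_RE.findall(body.split("RES=")[1])) if "RES=" in body else set()
    return rec

def summarize(lines, syn_threshold=10):
    """Drops per source, per proto/port, and sources with >= syn_threshold bare SYNs.
    A dropped bare SYN (no ACK) is a refused connection attempt; many from one
    source is the trace a SYN flood or port scan leaves in the log."""
    per_src, per_port, syns = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_drop_line(line)
        if rec is None:
            continue
        per_src[rec["SRC"]] += 1
        per_port[f'{rec.get("PROTO")}/{rec.get("DPT")}'] += 1
        if "SYN" in rec["FLAGS"] and "ACK" not in rec["FLAGS"]:
            syns[rec["SRC"]] += 1
    suspects = sorted(s for s, n in syns.items() if n >= syn_threshold)
    return per_src, per_port, suspects
```

Running summarize(SAMPLE_LOG) reports 12 drops on TCP/3306 from 198.51.100.7 and lists that host as the only suspect; feed it lines read from /var/log/messages (or journalctl -k) on the firewall to get the same summary for real traffic.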
BACKUP and Restore

iptables is set to come back up after a restart.

The iptables configuration is also saved on another device as a script which can be run at any time.


CONCLUSION
Linux has produced something useful and easy to use. It is easy to configure, easy to understand,
and there is lots of documentation once you get past the extra technical jargon. Iptables is a
powerful firewall solution and can be used for a variety of things such as NATing.
