IPtables

Objectives
to learn the basics of iptables

Contents
Start and stop IPtables Checking IPtables status Input and Output chain Pre and Post routing Forward of address and port Firewall standard rules Lading/Unloading kernel driver modules Connection tracking modules

Practicals
working with iptables

Summary

What Is iptables?
Stateful packet inspection.
The firewall keeps track of each connection passing through it, This is an important feature in the support of active FTP and VoIP.

Filtering packets based on a MAC address IPv4 / IPv6

Very important in WLANs and similar enviroments.

Filtering packets based the values of the flags in the TCP header
Helpful in preventing attacks using malformed packets and in restricting access.

Network address translation and Port translating NAT/NAPT

Building DMZ and more flexible NAT enviroments to increase security.

Source and stateful routing and failover functions

Route traffic more efficiant and faster than regular IP routers.

System logging of network activities

Provides the option of adjusting the level of detail of the reporting

A rate limiting feature

Helps to block some types of denial of service (DoS) attacks.

Packet manipulation (mangling) like altering the TOS/DSCP/ECN bits of the IP header
Mark and classify packets dependent on rules. First step in QoS.

Download And Install The Iptables Package

Most Linux dialects already have iptables
Usally iptables is classified by and dependent on kernel versions: Pre 2.4 lack some modern functionality, still popular in soho routers 2.4 mainstream of iptables, most popular and well tested 2.6 latest versions

Download from:
http://www.netfilter.org/downloads.html

Documentation:
http://www.netfilter.org/documentation/index.html

Install from sources or rpm:

# rpm ivh iptables-1.2.9-1.0.i386.rpm # tar xvfz iptables-1.2.9.tar.gz ; ./configure ; make ; make install

Modules to add functionallity to IPtables:

Variour proxy modules, for example ftp and h323 Modules must be loaded into kernel # modprobe module # insmod module

Patch-o-Matic (updated and modules)

http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/

How To Start iptables

You can start, stop, and restart iptables after booting by using the commands:
Starting IP tables service iptables start Stopping IP tables service iptables stop Restaring IP tables service iptables restart Checking IP tables status (rulechains) service iptables status

To get iptables configured to start at boot, use the chkconfig command:

chkconfig iptables on

iptables itself is a command which we will see soon. To show all current rule chains:
iptables -list

To drop all current rule chains:

iptables -flush

Packet Processing In iptables

IP tables is complex for the beginner. Three builtin tables (queues) for processing:
1. MANGLE: manipulate QoS bits in TCP header 2. FILTER: packet filtering, has three builtin chains (your firewall policy rules) Forward chain: filters packets to servers protected by firewall Input chain: filters packets destinated for the firewall Output chain: filters packets orginating from the firewall 3. NAT: network adress translation, has two builtin chains Pre-routing: NAT packets when destination address need changes Post-routing: NAT packets when source address need changes

Processing For Packets Routed By The Firewall 1/2

Processing For Packets Routed By The Firewall 2/2

Targets And Jumps 1/2

ACCEPT
iptables stops further processing. The packet is handed over to the end application or the operating system for processing

DROP
iptables stops further processing. The packet is blocked.

LOG
The packet information is sent to the syslog daemon for logging. iptables continues processing with the next rule in the table. You can't log and drop at the same time ->use two rules. --log-prefix reason"

REJECT
Works like the DROP target, but will also return an error message to the host sending the packet that the packet was blocked --reject-with qualifier Qualifier is an ICMP message

Targets And Jumps 2/2

SNAT
Used to do source network address translation rewriting the source IP address of the packet The source IP address is user defined --to-source <address>[-<address>][:<port>-<port>]

DNAT
Used to do destination network address translation. ie. rewriting the destination IP address of the packet --to-destination ipaddress

MASQUERADE
Used to do Source Network Address Translation. By default the source IP address is the same as that used by the firewall's interface [--to-ports <port>[-<port>]]

Important Iptables Command Switch Operations 1/2

Important Iptables Command Switch Operations 2/2

We try to define a rule that will accept all packages on interface eth0 that uses TCP and has destination address 192.168.1.1. We first define the MATCH criterias:
Use default filter table (absense of t ) Append a rule to end of INPUT chain (-A INPUT ) Match on source address can be any 0/0 address (-s 0/0 ) Input interface used is eth0 (-i eth0 ) Match on destination address 192.168.1.1 (-d 192.168.1.1) Match Protocol TCP (-p TCP ) If all matches is fulfilled, then jump to ACCEPT chain. (-j ACCEPT )

iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT

Common TCP and UDP Match Criteria

Common ICMP (Ping) Match Criteria

Allow ping request and reply

iptables is being configured to allow the firewall to send ICMP echo-requests (pings) and in turn, accept the expected ICMP echo-replies. iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Put limit on ping to prevent flood pings

iptables -A INPUT -p icmp --icmp-type echo-request \ -m limit --limit 1/s -i eth0 -j ACCEPT

Defense for SYN flood attacks

m limit sets maximum number of SYN packets
iptables is being configured to allow the firewall to accept maxim 5 TCP/SYN packeds per second on interface eth0. iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT If more than 5 SYN packets per second, the packets are dropped. If source/destination sence dropped packets, it will resend three times If drops continue after 3 reset packets, source will reduce packet speed.

Common Extended Match Criteria 1/2

Common Extended Match Criteria 2/2

Allow both port 80 and 443 for the webserver on inside:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \ --sport 1024:65535 -m multiport --dport 80,443 -j ACCEPT

The return traffic from webbserver is allowed, but only of sessions are opened:
iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP \ -m state --state ESTABLISHED -j ACCEPT

If sessions are used, you can reduce an attack called half open
Half open is known to consume server all free sockets (tcp stack memory) and is senced as a denial of service attack, but it is not. Sessions are usally waiting 3 minutes.

Using User Defined Chains

Define fast input queue:
iptables -A INPUT -i eth0 -d 206.229.110.2 -j fast-input-queue

Define fast output queue:

iptables -A OUTPUT -o eth0 -s 206.229.110.2 -j fast-output-queue

Use defined queues and define two icmp queues:

iptables -A fast-input-queue -p icmp -j icmp-queue-in iptables -A fast-output-queue -p icmp -j icmp-queue-out

Finally we use the queues to define a two rules:

iptables -A icmp-queue-out -p icmp --icmp-type echo-request \ -m state --state NEW -j ACCEPT iptables -A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT

Saving Your iptables Scripts

RedHat based distributions:
/etc/sysconfig/iptables

Other distributions uses:

There is no specific favourite place, one is: /etc/rc.d/rc.firewall And maby this is the most common is: /etc/init.d/rc.firewall

RedHat/Fedora's iptables Rule Generator:

lokkit

There are three iptable commands:

iptables (The kernel insert rule command) iptables-save > rc.firewall.backup iptables-restore < rc.firewall.backup

In RedHat/Fedora you can also:

service iptables save

Loading Kernel Modules Needed By iptables

Loading kernel modules extends it functionallity
Generally kernel modules is like plugins, they add functionallity: /lib/modules/2.4.20-30.9/kernel/net/

Manually loading/unloading modules

modprobe <module> (search for module and dependencies) insmod <module> (force load module, dont care) rmmod <module> (remove module) lsmod (List modules loaded)

Load some common modules:

modprobe modprobe modprobe modprobe ip_conntrack ip_conntrack_ftp iptable_nat ip_nat_ftp (tracking connections) (transparent proxy for active ftp) (for all kind of NAT operations) (for ftp server behind nat)

Basic Firewall settings

Most basic firewall settings
Everything from inside is allowed to pass out Everything from outside is denied to pass in

Optionally firewalls directly offer security levels

More or less protocols are accepted, most common is SSH SMTP WWW VPN FTP DHCP SMB TELNET

Optionally firewalls directly offer security levels

Levels are usally 3: No security Medium High

No Security=Firewall is passing everything or is disables Medium=SMTP, SSH, DHCP, FTP HIGH=SSH

LOKKIT & WEBMIN configuration file

/etc/sysconfig/iptables
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [144:12748] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT -A RH-Firewall-1-INPUT -p esp -j ACCEPT -A RH-Firewall-1-INPUT -p ah -j ACCEPT -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT

Here we allow ipsec, ah and ssh from outside and everything from inside and out

Basic Operating System Defense

All firewalls must have an operating system The operating system must be hardened by removing all unessesary nitty gritty If your firewall is Unix based, you have to use this settings in /etc/sysctl.conf:
net/ipv4/conf/all/rp_filter = 1 net/ipv4/conf/all/log_martians = 1 net/ipv4/conf/all/send_redirects = 0 net/ipv4/conf/all/accept_source_route = 0 net/ipv4/conf/all/accept_redirects = 0 net/ipv4/tcp_syncookies = 1 net/ipv4/icmp_echo_ignore_broadcasts = 1 net/ipv4/ip_forward = 1

In Windows 2003 server you find the same entries in the registry. You will need to reboot your server after doing the hardening above

Basic iptables Initialization

Load modules for FTP connection tracking and NAT
Most linux based firewalls uses file /etc/rc.local or /etc/init.d/rc.firewall:
modprobe modprobe modprobe modprobe ip_conntrack ip_nat_ftp ip_conntrack_ftp iptable_nat

Initialize all the chains by removing all the rules:

Most linux based firewalls uses the same file as modules are loaded from:
iptables --flush iptables -t nat --flush iptables -t mangle --flush

All user defined chains should be deleted:

iptables --delete-chain iptables -t nat --delete-chain iptables -t mangle --delete-chain

Basic iptables ruleset

If a packet doesn't match one of the built in chains, The policy should iptables --policy INPUT DROP iptables --policy OUTPUT DROP iptables --policy FORWARD DROP be to drop it : The loopback interface should accept all traffic :
iptables -N valid-src iptables -N valid-dst

iptables -t nat --policy POSTROUTING ACCEPT iptables -t nat --policy PREROUTING ACCEPT

Initialize our user-defined chains :

valid-src, valid source valid-dst, valid destination
iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT

Verify valid source and destination addresses for all packets : iptables -A INPUT -i eth0 -j valid-src
iptables -A FORWARD -i eth0 -j valid-src iptables -A OUTPUT -o eth0 -j valid-dst iptables -A FORWARD -o eth0 -j valid-dst

Source and Destination Address Sanity Checks

The loopback interface should accept all traffic :
iptables iptables iptables iptables iptables iptables iptables iptables iptables iptables iptables -A -A -A -A -A -A -A -A -A -A -A valid-src valid-src valid-src valid-src valid-src valid-src valid-src valid-src valid-src valid-src valid-dst -s -s -s -s -s -s -s -d -s -s -d 10.0.0.0/8 -j DROP 172.16.0.0/12 -j DROP 192.168.0.0/16 -j DROP 224.0.0.0/4 -j DROP 240.0.0.0/5 -j DROP 127.0.0.0/8 -j DROP 0.0.0.0/8 -j DROP 255.255.255.255 -j DROP 169.254.0.0/16 -j DROP $EXTERNAL_IP -j DROP 224.0.0.0/4 -j DROP

Drop packets from networks covered in RFC 1918 (private nets) Drop packets from external interface IP address

Allowing fundamental services

Allowing DNS Access To Your Firewall :
iptables -A -j iptables -A -j OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 \ ACCEPT INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 \ ACCEPT

Allow previously established connections :

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \ -j ACCEPT

Allow port 80 (www) and 22 (SSH) connections to the firewall :

iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 \ -m state --state NEW -j ACCEPT iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 \ -m state --state NEW -j ACCEPT

Allowing Your Firewall To Access The Internet

Allow port 80 (www) and 443 (https) connections from the firewall :
iptables -A OUTPUT -j ACCEPT -m state \ --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \ -m multiport --dport 80,443 -m multiport --sport 1024:65535

Allow previously established connections :

iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED \ -i eth0 -p tcp

Allow Your protected Network To Access The Firewall Allow all bidirectional traffic from your firewall to the protected network :
iptables -A INPUT iptables -A OUTPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth1 -j ACCEPT -p all -d 192.168.1.0/24 -o eth1

Allow client access based MAC.

iptables -A INPUT i eth1 --mac-source 00:0B:DB:45:56:42 \ j ACCEPT

I outgoing traffic is subject for regulating, there is need to additional rules.

As exercise, allow only users in green network to access webservers Put a limit of 1000 packets per second on incoming webtraffic Lock user clients with MAC address in green network

Masquerading (Many to One NAT) Allow masquerading :

iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 \ -j MASQUERADE

Prior to masquerading, the packets are routed via the filter table's FORWARD chain :
iptables -A FORWARD -t filter -o eth0 -m state \ --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -t filter -i eth0 -m state \ --state ESTABLISHED,RELATED -j ACCEPT

Port Forwarding Type NAT port 80 forwarded to port 8080 on server 192.168.1.200 :
iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip \ --dport 80 --sport 1024:65535 -j DNAT --to 192.168.1.200:8080

After DNAT, the packets are routed via the filter table's FORWARD chain :
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.200 \ --dport 8080 --sport 1024:65535 -m state --state NEW -j ACCEPT iptables -A FORWARD -t filter -o eth0 -m state \ --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -t filter -i eth0 -m state \ --state ESTABLISHED,RELATED -j ACCE

Connections on port 80 to the target machine on the private network must be allowed.

Static NAT / Source NAT Connections originating from the Internet :

iptables -t nat -A PREROUTING -d 97.158.253.26 -i eth0 \ -j DNAT --to-destination 192.168.1.100

Connections originating from the home network servers :

iptables -t nat -A POSTROUTING -s 192.168.1.100 -o eth0 \ -j SNAT --to-source 97.158.253.26

Connections originating from the entire home network :

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 \ -j SNAT -o eth0 --to-source 97.158.253.29

For connections originating from the Internet. Notice how you use the real IP addresses here :
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.100 \ -m multiport --dport 80,443,22 \ -m state --state NEW -j ACCEPT

Static NAT / Source NAT Allow forwarding for all New and Established SNAT connections originating on the home network AND already established DNAT connections :
iptables -A FORWARD -t filter -o eth0 -m state \ --state NEW,ESTABLISHED,RELATED -j ACCEPT

Allow forwarding for all NAT connections originating on the Internet that have already passed through the NEW forwarding statements above :
iptables -A FORWARD -t filter -i eth0 -m state \ --state ESTABLISHED,RELATED -j ACCEPT

You will have to create alias IP addresses for each of these public Internet IPs for one to one NAT to work. This is the basic technology of the logical DMZ

Troubleshooting iptables LOG (/var/log/messages) Log and drop all other packets to file /var/log/messages :
iptables -A OUTPUT -j LOG iptables -A INPUT -j LOG iptables -A FORWARD -j LOG iptables -A OUTPUT -j DROP iptables -A INPUT -j DROP iptables -A FORWARD -j DROP

Firewall denies replies to DNS queries (UDP port 53) destined to server 192.168.1.102 on the home network.
Feb 23 20:33:50 bigboy kernel: IN=wlan0 OUT= MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC=192.42.93.30 DST=192.168.1.102 LEN=220 TOS=0x00 PREC=0x00 TTL=54 ID=30485 PROTO=UDP SPT=53 DPT=32820 LEN=200

Firewall denies Windows NetBIOS traffic (UDP port 138)

Feb 23 20:43:08 bigboy kernel: IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:09:6a:b5:08:00 SRC=192.168.1.100 DST=192.168.1.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221