Iptables Firewall Mastery: Configuring Rules for Enhanced Linux Security
 |
| Iptables Firewall Mastery: Configuring Rules for Enhanced Linux Security |
Iptables Firewall Mastery: Configuring Rules for Enhanced Linux Security - This chapter provides an overview of firewall rules and their configuration using iptables in Linux. Iptables is a tool that enables users to set up and manage firewall functionalities integrated into the Linux kernel.
iptables tables
The kernel contains three default tables - filter, nat, and mangle, each serving specific rule sets. The filter table manages packet filtering, the nat table handles address translation, and the mangle table is employed for special-purpose packet processing.
root@debian6~# iptables -t filter -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
The nat table is used for address translation.
root@debian6~# iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
The mangle table can be used for special-purpose processing of packets.
The series of rules in each table is called a chain. We will discuss chains and the nat table later in this chapter.
starting and stopping iptables
Demonstrating how to start and stop iptables on Linux Red Hat/Fedora/CentOS distributions using service commands. Debian and Ubuntu distributions provide the option to uninstall iptables.
[root@centos6 ~]# service iptables stop [root@centos6 ~]# service iptables start iptables: Applying firewall rules [ ok ] [root@centos6 ~]#
Debian and Ubuntu distributions do not have this script but allow for an uninstall.
root@debian6~# aptitude purge iptables
the filter table
Exploring packet filtering within the filter table. The filter table consists of three chains: INPUT (incoming packets), OUTPUT (outgoing packets), and FORWARD (routed packets).
about packet filtering
Packet filtering is a bit more than packet forwarding. While packet forwarding uses only a routing table to make decisions, packet filtering also uses a list of rules. The kernel will inspect packets and decide based on these rules what to do with each packet.
Packet filtering involves more than forwarding; it uses rules to inspect and decide the fate of each packet based on predefined criteria.
filter table
The filter table in iptables has three chains (sets of rules). The INPUT chain is used for any packet coming into the system. The OUTPUT chain is for any packet leaving the system. And the FORWARD chain is for packets that are forwarded (routed) through the system.
 |
| filter table |
The screenshot below shows how to list the filter table and all its rules.
[root@RHEL5 ~]# iptables -t filter -nL Chain INPUT (policy ACCEPT) target prot opt source destination
Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@RHEL5 ~]#
As you can see, all three chains in the filter table are set to ACCEPT everything. ACCEPT is the default behavior.
setting default rules
The default for the default rule is indeed to ACCEPT everything. This is not the most secure firewall.
Setting default rules to DROP everything, enhances security. These commands establish a strict policy to drop all packets unless explicitly allowed.
The below commands lock down a computer. Do not execute these commands inside a remote ssh shell.
root@debianpaul~# iptables -P INPUT DROP root@debianpaul~# iptables -P OUTPUT DROP root@debianpaul~# iptables -P FORWARD DROP root@debianpaul~# iptables -L Chain INPUT (policy DROP) target prot opt source destination Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination
changing policy rules
To start, let's set the default policy for all three chains to drop everything. Note that you might lose your connection when typing this over ssh ;-).
[root@RHEL5 ~]# iptables -P INPUT DROP [root@RHEL5 ~]# iptables -P FORWARD DROP [root@RHEL5 ~]# iptables -P OUTPUT DROP
Next, we allow the server to use its own loopback device (this allows the server to access its services running on localhost). We first append a rule to the INPUT chain to allow (ACCEPT) traffic from the lo (loopback) interface, and then we do the same to allow packets to leave the system through the loopback interface.
[root@RHEL5 ~]# iptables -A INPUT -i lo -j ACCEPT [root@RHEL5 ~]# iptables -A OUTPUT -o lo -j ACCEPT
Review the filter table again (omitting the -t filter because it is the default table).
[root@RHEL5 ~]# iptables -nL Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Allowing ssh over eth0
Illustrating how to permit SSH access to the system from outside by adding rules to the filter table.
This example shows how to add two rules to allow ssh access to your system from outside.
[root@RHEL5 ~]# iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT [root@RHEL5 ~]# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
The filter table will look something like this screenshot (note that -v is added for more verbose output).
[root@RHEL5 ~]# iptables -nvL Chain INPUT (policy DROP 7 packets, 609 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 3 packets, 228 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:22 [root@RHEL5 ~]#
Allowing access from a subnet
Allowing access from the 10.1.1.0/24 network through eth1. Expanding policies with additional rules.
This example shows how to allow access from any computer in the 10.1.1.0/24 network, but only through eth1. There is no port (application) limitation here.
[root@RHEL5 ~]# iptables -A INPUT -i eth1 -s 10.1.1.0/24 -p tcp -j ACCEPT [root@RHEL5 ~]# iptables -A OUTPUT -o eth1 -d 10.1.1.0/24 -p tcp -j ACCEPT
Together with the previous examples, the policy is expanding.
[root@RHEL5 ~]# iptables -nvL Chain INPUT (policy DROP 7 packets, 609 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 0 0 ACCEPT tcp -- eth1 * 10.1.1.0/24 0.0.0.0/0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 3 packets, 228 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:22 0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.1.1.0/24
iptables save
Allowing access from the 10.1.1.0/24 network through eth1. Expanding policies with additional rules.
Use iptables save to automatically implement these rules when the firewall is (re)started.
[root@RHEL5 ~]# /etc/init.d/iptables save Saving firewall rules to /etc/sysconfig/iptables: [ OK ] [root@RHEL5 ~]#
scripting example
Providing a sample script that sets up iptables rules, including default policies, loopback device allowance, SSH access, and access from specific networks.
You can write a simple script for these rules. Below is an example script that implements the firewall rules that you saw before in this chapter.
#!/bin/bash # first cleanup everything iptables -t filter -F iptables -t filter -X iptables -t nat -F iptables -t nat -X # default drop iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP # allow loopback device iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # allow ssh over eth0 from outside to system iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT # allow any traffic from 10.1.1.0/24 to system iptables -A INPUT -i eth1 -s 10.1.1.0/24 -p tcp -j ACCEPT iptables -A OUTPUT -o eth1 -d 10.1.1.0/24 -p tcp -j ACCEPT
Allowing ICMP(ping)
Addressing the 'Operation not permitted' issue when pinging other hosts by allowing ICMP traffic.
When you enable iptables, you will get an 'Operation not permitted' message when trying to ping other hosts.
[root@RHEL5 ~# ping 192.168.187.130 PING 192.168.187.130 (192.168.187.130) 56(84) bytes of data. ping: sendmsg: Operation not permitted ping: sendmsg: Operation not permitted
The screenshot below shows you how to set up iptables to allow ping from or to your machine.
[root@RHEL5 ~]# iptables -A INPUT -p icmp --icmp-type any -j ACCEPT [root@RHEL5 ~]# iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
The previous two lines do not allow other computers to route ping messages through your router, because it only handles INPUT and OUTPUT. For routing of ping, you will need to enable it on the FORWARD chain. The following command enables the routing of ICMP messages between networks.
[root@RHEL5 ~]# iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
practice: packet filtering
Presenting a set of practice tasks involving SSH and ping, defining internal and external networks, and configuring the router to allow specific traffic.
- Make sure you can ssh to your router system when iptables is active.
- Make sure you can ping your router system when iptables is active.
- Define one of your networks as 'internal' and the other as 'external'. Configure the router to allow visits to a website (HTTP) to go from the internal network to the external network (but not in the other direction).
- Make sure the internal network can ssh to the external, but not the other way around.
solution: packet filtering
Offering a possible solution script with explanations for the practice tasks, including SSH, ICMP, HTTP, and RPC rules.
A possible solution is where leftnet is the internal and rightnet is the external network.
#!/bin/bash # first cleanup everything iptables -t filter -F iptables -t filter -X iptables -t nat -F iptables -t nat -X # default drop iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP # allow loopback device iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # question 1: allow ssh over eth0 iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT # question 2: Allow icmp(ping) anywhere iptables -A INPUT -p icmp --icmp-type any -j ACCEPT iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT # question 3: allow http from internal(leftnet) to external(rightnet) iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -j ACCEPT iptables -A FORWARD -i eth2 -o eth1 -p tcp --sport 80 -j ACCEPT # question 4: allow ssh from internal(leftnet) to external(rightnet) iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT iptables -A FORWARD -i eth2 -o eth1 -p tcp --sport 22 -j ACCEPT # allow http from external(rightnet) to internal(leftnet) # iptables -A FORWARD -i eth2 -o eth1 -p tcp --dport 80 -j ACCEPT # iptables -A FORWARD -i eth1 -o eth2 -p tcp --sport 80 -j ACCEPT # allow rpcinfo over eth0 from outside to system # iptables -A INPUT -i eth2 -p tcp --dport 111 -j ACCEPT # iptables -A OUTPUT -o eth2 -p tcp --sport 111 -j ACCEPT
network address translation
Introducing network address translation (NAT), a router function that modifies source/target IP addresses in packets.
about NAT
Detailing the purpose of NAT enables connecting private networks to the internet and concealing internal details.
A NAT device is a router changing the source and/or target IP address in packets. It is typically used to connect multiple computers in a private address range with the (public) internet. A NAT can hide private addresses from the internet.
NAT was developed to mitigate the use of real IP addresses, to allow private address ranges to reach the internet and back, and to not disclose details about internal networks to the outside.
The nat table in iptables adds two new chains. PREROUTING allows the altering of packets before they reach the INPUT chain. POSTROUTING allows altering packets after they exit the OUTPUT chain.
 |
| about nat |
Use iptables -t nat -nvL to look at the NAT table. The screenshot below shows an empty NAT table.
[root@RHEL5 ~]# iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@RHEL5 ~]#
SNAT (Source NAT)
Explaining Source NAT and providing an example rule for changing source addresses in packets leaving the system.
The goal of source nat is to change the source address inside a packet before it leaves the system (e.g. to the internet). The destination will return the packet to the NAT device. This means our NAT device will need to keep a table in memory of all the packets it changed, so it can deliver the packet to the original source (e.g. in the private network).
Because SNAT is about packets leaving the system, it uses the POSTROUTING chain.
Here is an example SNAT rule. The rule says that packets coming from the 10.1.1.0/24 network and exiting via eth1 will get the source IP address set to 11.12.13.14. (Note that this is a one-line command!)
iptables -t nat -A POSTROUTING -o eth1 -s 10.1.1.0/24 -j SNAT \ --to-source 11.12.13.14
Of course, there must exist a proper iptables filter set up to allow the packet to traverse from one network to the other.
SNAT example setup
A script example showcasing a typical NAT setup for internal network access to external web servers.
This example script uses a typical nat setup. The internal (eth0) network has access via SNAT to external (eth1) webservers (port 80).
#!/bin/bash # # iptables script for simple classic nat websurfing # eth0 is internal network, eth1 is internet # echo 0 > /proc/sys/net/ipv4/ip_forward iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP iptables -A FORWARD -i eth0 -o eth1 -s 10.1.1.0/24 -p tcp \ --dport 80 -j ACCEPT iptables -A FORWARD -i eth1 -o eth0 -d 10.1.1.0/24 -p tcp \ --sport 80 -j ACCEPT iptables -t nat -A POSTROUTING -o eth1 -s 10.1.1.0/24 -j SNAT \ --to-source 11.12.13.14 echo 1 > /proc/sys/net/ipv4/ip_forward
IP masquerading
Highlighting IP masquerading, a variation of SNAT suitable for dynamic interfaces, like broadband routers.
IP masquerading is very similar to SNAT but is meant for dynamic interfaces. Typical examples are broadband 'routers/modems' connected to the internet and receiving a different IP address from the ISP, each time they are cold-booted.
The only change needed to convert the SNAT script to a masquerading is one line.
iptables -t nat -A POSTROUTING -o eth1 -s 10.1.1.0/24 -j MASQUERADE
DNAT (Destination NAT)
Introducing Destination NAT, used for redirecting packets from the internet to internal servers, illustrated with an SSH example.
DNAT is typically used to allow packets from the internet to be redirected to an internal server (in your DMZ) and in a private address range that is inaccessible directly from the internet.
This example script allows internet users to reach your internal (192.168.1.99) server via ssh (port 22).
#!/bin/bash # # iptables script for DNAT # eth0 is internal network, eth1 is internet # echo 0 > /proc/sys/net/ipv4/ip_forward iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP iptables -A FORWARD -i eth0 -o eth1 -s 10.1.1.0/24 -j ACCEPT iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 22 -j ACCEPT iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 22 \ -j DNAT --to-destination 10.1.1.99 echo 1 > /proc/sys/net/ipv4/ip_forward
Example: DNAT with Port Forwarding
DNAT (Destination NAT) can also be used to forward specific ports from the router to internal servers, allowing external access to services running on those servers.
In this example scenario, let's assume you have a web server running on an internal machine with IP address 192.168.1.100, and you want to allow external users to access this web server on port 80.
The following script demonstrates how to set up DNAT for port forwarding:
#!/bin/bash # # iptables script for DNAT with port forwarding # eth0 is internal network, eth1 is internet # echo 0 > /proc/sys/net/ipv4/ip_forward iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP iptables -A FORWARD -i eth0 -o eth1 -s 10.1.1.0/24 -j ACCEPT iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \ -j DNAT --to-destination 192.168.1.100:80 echo 1 > /proc/sys/net/ipv4/ip_forward
This script forwards incoming traffic on port 80 from the router's external interface (eth1) to the internal web server (192.168.1.100) on the same port. Now, external users can access the web server hosted internally by accessing the public IP address of the router.
Conclusion
In conclusion, this chapter has provided an extensive overview of firewall rules and their configuration using iptables in Linux. We have explored the default tables in the kernel - filter, nat, and mangle - and discussed their respective functions.
Additionally, we have covered starting and stopping iptables, setting default rules, allowing specific types of traffic, and practicing packet filtering scenarios. Furthermore, the concept of network address translation (NAT) was introduced, along with its variants such as SNAT and DNAT.
By following the examples and explanations provided in this chapter, users can gain a comprehensive understanding of iptables and effectively manage firewall functionalities within their Linux systems.
Post a Comment for "Iptables Firewall Mastery: Configuring Rules for Enhanced Linux Security"
Post a Comment