Iptables

2016-04-24

Functions of a Firewall

  • Protects the host system from unauthorized connections.
  • Rewrite packet headers to route packets between networks.
    • Enables the machine to function as a netwrok router

Advaced Firewall Functions

Firewalls may implement additional features

  • Nework Address Translation(NAT)
  • Quality of Service(QoS)

Iptables

  • Userspace interface to the Linux kernel’s Netfilter system.
  • Netfilter implements fire wall and routing capabilities within the kernel, enabling any Linux machine or device to act as a firewall and/or router.

The structure is: iptables -> Tables -> Chains -> Rules.

Netfilter Hooks

As you can see, the names of the built-in chains mirror the names of the netfilter hooks they are associated with:

  • PREROUTING: Triggered by the NF_IP_PRE_ROUTING hook.
  • INPUT: Triggered by the NF_IP_LOCAL_IN hook.
  • FORWARD: Triggered by the NF_IP_FORWARD hook.
  • OUTPUT: Triggered by the NF_IP_LOCAL_OUT hook.
  • POSTROUTING: Triggered by the NF_IP_POST_ROUTING hook.

Terms of Iptables

  • Tables(Contain Chains)
  • Chains(Contain Rules)
  • Rules(A Line of Command)

Tables

The Filter Table.

Filter is the default MAIN table, if you don’t specify a table, the filter table will be applied. Its function is to do packet filtering. The filter table is one of the most widely used tables in iptables. The filter table is used to make decisions about whether to let a packet continue to its intended destination or to deny its request. In firewall parlance, this is known as “filtering” packets. This table provides the bulk of functionality that people think of when discussing firewalls.

  • INPUT chain – Incoming to firewall. For packets coming to the local server.
  • OUTPUT chain – Outgoing from firewall. For packets generated locally and going out of the local server.
  • FORWARD chain – Packet for another NIC on the local server. For packets routed through the local server.

The NAT Table

For network address translation. The nat table is used to implement network address translation rules. As packets enter the network stack, rules in this table will determine whether and how to modify the packet’s source or destination addresses in order to impact the way that the packet and any response traffic are routed. This is often used to route packets to networks when direct access is not possible.

  • PREROUTING chain – Alters packets before routing. i.e Packet translation happens immediately after the packet comes to the system (and before routing). This helps to translate the destination ip address of the packets to something that matches the routing on the local server. This is used for DNAT (destination NAT).

  • POSTROUTING chain – Alters packets after routing. i.e Packet translation happens when the packets are leaving the system. This helps to translate the source ip address of the packets to something that might match the routing on the desintation server. This is used for SNAT (source NAT).

  • OUTPUT chain – NAT for locally generated packets on the firewall.

The Mangle Table

Iptables’s Mangle table is for specialized packet alteration. This alters QOS bits in the TCP header. Mangle table has the following built-in chains.

  • PREROUTING chain
  • OUTPUT chain
  • FORWARD chain
  • INPUT chain
  • POSTROUTING chain

The Raw Table

For connection tracking. Raw table is for configuration excemptions. Raw table has the following built-in chains.

  • PREROUTING chain
  • OUTPUT chain

The Security Table

To set SELinux security context marks on packets.

Chains

Chains are like points in the

  1. PREROUTING
    PREROUTING is applied to any incoming packet very sonn after entering the network stack. Packets will enter this chain before a routing decision is made.

  2. INPUT
    Packet is going to be locally delivered. It does not have anything to do with processes having an opened socket; local delivery is controlled by the “local-delivery” routing table: ip route show table local.

  3. FORWARD
    All packets that have been routed and were not for local delivery will traverse this chain.

  4. OUTPUT
    Going out. Packets sent from the machine itself will be visiting this chain.

  5. POSTROUTING
    Routing decision has been made. Packets enter this chain just before handing them off to the hardware.

Traversal Order

PREROUTING -> INPUT -> FORWARD -> OUTPUT
  • Incoming packets destined for the local system: PREROUTING -> INPUT
  • Incoming packets destined to another host: PREROUTING -> FORWARD -> POSTROUTING
  • Locally generated packets: OUTPUT -> POSTROUTING

Rules

Rules are user-defined commands to manuplate the network traffic.

Configuration of iptables

Various front-ends

  • firewalld(default on CentOS 7)
  • Shorewall
  • Firestarter
  • ufw(ubuntu)
  • many others

Next generation is nf-tables.

A Basic Router

Overview

  • Description of the basic router example
  • Whole iptables configuration for the basic router
  • Conditional

Network Environment

This example is designed for virtual machine, which routes traffic from the private LAN with IPv4 address range 172.16.0.1 through 172.0.255.

The WAN side of the router uses network inter face enp0s3 and connects to the VirtualBox NAT engine with a dynamic address supplied by DHCP.(think about 3 is open/outside)

The LAN side of the router uses network interface enp0s8 and has static IP address 172.16.0.1.(think about 8 is closed/inside)

Network Topology

{ Linux 172.16.0.1 } -> 
{ Router [enp0s9 LAN 172.16.0.1(as gateway)] [enp0s3 WAN public_IP] }
 -> { Internet }

iptables rules on router

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp0s3 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

-A INPUT -s 172.16.0.0/24 -i enp0s8 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j DROP

-A FORWARD -d 172.16.0.0/24 -i enp0s8 -j DROP
-A FORWARD -s 172.16.0.0/24 -i enp0s8 -j ACCEPT
-A FORWARD -d 172.16.0.0/24 -i enp0s3 -j ACCEPT
-A FORWARD -i enp0s8 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DROP
COMMIT

NAT table

*nat
-A POSTROUTING -o enp0s3 -j MASQUERADE
COMMIT

Causing all packets leaving this machine to have their source IP addresses changed to the address of enp0s3 netwrok interface.

Packet Forwarding Rule details
Consider the rule:

-A FORWARD -d 172.16.0.0/24 -i enp0s8 -j DROP

This rule DROPs packets arriving on the LAN side network interface, which have a destination somewhere on the LAN.

  • We don’t want to route packets from the LAN to the LAN onto the WAN, so we drop them instead.
  • IP uses ARP to resolve addresses within the LAN, so the route doesn’t need to do any work for the LAN side here.

Consider the rules:

-A FORWARD -s 172.16.0.0/24 -i enp0s8 -j ACCEPT
-A FORWARD -d 172.16.0.0/24 -i enp0s3 -j ACCEPT

The first rule is to forward the package from the LAN, and it source address is in the LAN.
The second rule is to forward the package which are coming from the WAN, and its destination address is in the LAN.

Beware of IP adress spoofing! Always check that packets are arriving on the correct interface before forwarding them.

Bastion Firewalls

Our simple firewall is example of a bastion firewall.

  • It restricts the types of packages permitted through the router, giving us some security for the connected LAN
  • Due to NAT, an attacker cannot simply connect directly from the WAN side into a system on the LAN side

Bastion security does NOT protect against all types of attacks! Each host on the LAN should have its own firewall.

A shorter way to config iptables as a router

To set a linux machine as a router you need the following

  1. Enable forwarding on the box with
echo 1 > /proc/sys/net/ipv4/ip_forward

vim /etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

enable the config

sysctl -p

Assuming your public interface is eth1 and local interface is eth0

  1. Set natting the natting rule with:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
  1. Accept traffic from eth0:
iptables -A INPUT -i eth0 -j ACCEPT
  1. Allow established connections from the public interface.
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
  1. Allow outgoing connections:
iptables -A OUTPUT -j ACCEPT

Commands

list filter chain

iptables -L -n 
# or
iptables -t filter -L -n

list NAT chain

iptables -t nat -L -n

Syntax of iptables

iptables -t [table] -OPTIONS[CHAIN] [matching component] [Action component]
Tables↓/Chains→ PREROUTING INPUT FORWARD OUTPUT POSTROUTING
(routing decision)
raw
(connection tracking enabled)
mangle
nat (DNAT)
(routing decision)
filter
security
nat (SNAT)

Options:
A: Append
D: Delete
I: Insert
R: Repalce
Z: Zero Counters L: List
P: Policy
R: rename
F: Flush
N: New User defined Chain
X: Delete Chain

Matching Component

  • Generic
    p - protocol
    s - source ip
    d - dest ip
    i - In interface
    o - out interface

  • Implicit
    TCP
    -sport
    -dport
    –tcp-flags

  • Explicit
    match extensions: -m
    conntrack, dscp, ecn, iprange, etc

Action
-j (for jump)

  • ACCEPT – Firewall will accept the packet.
  • DROP – Firewall will drop the packet.
  • QUEUE – Firewall will pass the packet to the userspace.
  • RETURN – Firewall will stop executing the next set of rules in the current chain for this packet. The control will be returned to the calling chain.

Command Examples

block a webside

iptables -A INPUT -s abc.com -j DROP

delete the first line in INPUT

iptables -D INPUT 1

Change default policy on FORWARD Chain to DROP

iptables -P FORWARD DROP

References