Upload
kvsrvzm
View
223
Download
0
Embed Size (px)
Citation preview
8/12/2019 UNIT V firewalls
1/19
UNIT V
IPTABLES
8/12/2019 UNIT V firewalls
2/19
1. iptables basics
What is iptables:
Iptables is in short a Linux based packet filteringfirewall.
Iptables interfaces to the Linux netfilter module to
perform filtering of network packets.This can be to deny/allow traffic filter or perform
Network Address Translation (NAT).
With careful configuration iptables can be a very cost
effective, powerful and flexible firewall or gatewaysolution.
Iptables is available from http://www.netfilter.org/orvia your Linux distribution.
http://www.netfilter.org/http://www.netfilter.org/http://www.netfilter.org/http://www.netfilter.org/8/12/2019 UNIT V firewalls
3/19
iptables terms and syntax Drop/Deny- When a packet is dropped or denied, it is simply deleted, and
no further actions are taken. No reply to tell the host it was dropped, noris the receiving host of the packet notified in any way. The packet simplydisappears.
Reject- This is basically the same as a drop or deny target or policy, exceptthat we also send a reply to the host sending the packet that was dropped.The reply may be specified, or automatically calculated to some value. (To
this date, there is unfortunately no iptables functionality to also send apacket notifying the receiving host of the rejected packet what happened(i.e., doing the reverse of the Reject target). This would be very good incertain circumstances, since the receiving host has no ability to stopDenial of Service attacks from happening.)
State - A specific state of a packet in comparison to a whole stream ofpackets. For example, if the packet is the first that the firewall sees orknows about, it is considered new (the SYN packet in a TCP connection), orif it is part of an already established connection that the firewall knowsabout, it is considered to be established. States are known through theconnection tracking system, which keeps track of all the sessions.
8/12/2019 UNIT V firewalls
4/19
Chain- A chain contains a ruleset of rules that are applied on packets thattraverses the chain. Each chain has a specific purpose (e.g., which table itis connected to, which specifies what this chain is able to do), as well as a
specific application area (e.g., only forwarded packets, or only packetsdestined for this host).
Table - Each table has a specific purpose, and in iptables there are 4tables. The raw, nat, mangle and filter tables. For example, the filter tableis specifically designed to filter packets, while the nat table is specifically
designed to NAT (Network Address Translation) packets.
Match- This word can have two different meanings when it comes to IPfiltering. The first meaning would be a single match that tells a rule thatthis header must contain this and this information. For example, the --source match tells us that the source address must be a specific network
range or host address. The second meaning is if a whole rule is a match. Ifthe packet matches the whole rule, the jump or target instructions will becarried out (e.g., the packet will be dropped.)
8/12/2019 UNIT V firewalls
5/19
Target - There is generally a target set for each rule in a ruleset. If the rulehas matched fully, the target specification tells us what to do with thepacket. For example, if we should drop or accept it, or NAT it, etc. There isalso something called a jump specification, for more information see the
jump description in this list. As a last note, there might not be a target orjump for each rule, but there may be.
Rule - A rule is a set of a match or several matches together with a singletarget in most implementations of IP filters, including the iptablesimplementation. There are some implementations which let you useseveral targets/actions per rule.
Ruleset - A ruleset is the complete set of rules that are put into a whole IPfilter implementation. In the case of iptables, this includes all of the rulesset in the filter, nat, raw and mangle tables, and in all of the subsequentchains. Most of the time, they are written down in a configuration file ofsome sort.
Jump - The jump instruction is closely related to a target. A jump
instruction is written exactly the same as a target in iptables, with theexception that instead of writing a target name, you write the name ofanother chain. If the rule matches, the packet will hence be sent to thissecond chain and be processed as usual in that chain
8/12/2019 UNIT V firewalls
6/19
Connection tracking - A firewall which implements connection tracking is
able to track connections/streams simply put. The ability to do so is often
done at the impact of lots of processor and memory usage. This is
unfortunately true in iptables as well, but much work has been done to
work on this. However, the good side is that the firewall will be much
more secure with connection tracking properly used by the implementer
of the firewall policies.
Accept - To accept a packet and to let it through the firewall rules. This is
the opposite of the drop or deny targets, as well as the reject target.
Policy - There are two kinds of policies that we speak about most of the
time when implementing a firewall.
First we have the chain policies, which tell the firewall implementation the
default behavior to take on a packet if there was no rule that matched it. This
is the main usage of the word that we will use in this book.
The second type of policy is the security policy that we may have written
documentation on, for example for the whole company or for this specific
network segment. Security policies are very good documents to have thought
through properly and to study properly before starting to actually implement
the firewall.
8/12/2019 UNIT V firewalls
7/19
Target Description Most common options
ACCEPT iptables stops furtherprocessing.
The packet is handed over to the
end application or the operatingsystem for processing
N/A
DROP iptables stops further
processing.
The packet is blocked
N/A
LOG The packet information is sent to
the syslog daemon for logging
iptables continues processing
with the next rule in the table
As you can't LOG and DROP at the
same time, it is common to have
two similar rules in sequence. The
first will LOG the packet, the
second will DROP it.
--log-prefix "string"
Tells iptables to prefix all log
messages with a user defined
string. Frequently used to tell why
the logged packet was dropped
Descriptions Of The Most Commonly Used Targets
8/12/2019 UNIT V firewalls
8/19
Target Description Most common options
DNAT Used to do Destination Network
Address Translation. i.e., rewriting
the destination IP address of the
packet
--to-destination ipaddress
Tells iptables what the destination
IP address should be
SNAT Used to do Source Network
Address Translation. i.e., rewriting
the source IP addressof the packet
The source IP address is userdefined
--to-source [-
][:-]
Specifies the source IP address and
ports to be used by SNAT.
MASQUE
RADE
Used to do Source NetworkAddress Translation. i.e., rewritingthe source IP address of the packet
By default the source IPaddress is the same as that
used by the firewall's interface
[--to-ports [-]]
Specifies the range of source ports
the original source port can be
mapped to.
8/12/2019 UNIT V firewalls
9/19
General iptables Match Criteria
iptables command
Switch
Description
-t If you don't specify a table, then the filter table is
assumed. As discussed before, the possible built-in
tables include: filter, nat, mangle
-A Append rule to end of a chain
-F Flush. Deletes all the rules in the selected table
-p Match protocol. Types include, icmp, tcp, udp, all
-s Match source IP address-d Match destination IP address
-i Match "input" interface on which the packet enters.
-o Match "output" interface on which the packet exits
8/12/2019 UNIT V firewalls
10/19
Example:
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT
In this example iptables is being configured to allow the firewall to accept TCP
packets coming in on interface eth0 from any IP address destined for the
firewall's IP address of 192.168.1.1
8/12/2019 UNIT V firewalls
11/19
Common TCP and UDP Match Criteria
switches used
with -p tcp
Description switches used
with -p udp
Description
--sport
TCP source port Can be a single
value or a range in the format:
start-port- number:end-port-
number
--sport UDP source port
Can be a single value or a
range in the format:starting- port:ending-port
--dport
TCP destination port
Can be a single value or a range
in the format:
starting- port:ending-port
--dport UDP destination port
Can be a single value or a
range in the format:
starting- port:ending-port
--syn Used to identify a new
connection request
! --syn means, not a new
connection request
8/12/2019 UNIT V firewalls
12/19
Example:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58
-o eth1 -p TCP -sport 1024:65535 -d port 80 -j ACCEPT
In this example iptables is being configured to allow the
firewall to accept TCP packets to be routed when they enter
on interface eth0 from any IP address destined for IP address
of 192.168.1.58 that is reachable via interface eth1. The
source port is in the range 1024 to 65535 and the destination
port is port 80 (www/http)
8/12/2019 UNIT V firewalls
13/19
Common ICMP (Ping) Match Criteria
Matches used with ---icmp-type Description
--icmp-type The most commonly used types are
echo-reply and echo-request
iptables -A OUTPUT -p icmp --icmp -type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp -type echo-reply -j ACCEPT
In this example iptables is being configured to allow the firewall send ICMP
echo- requests (pings) and in turn, accept the expected ICMP echo-replies.
Example:
Common Match Extensions Criteria
TCP/UDP match extensions used
with -m multiport
Description
--sport A variety of TCP/UDP source ports
separated by commas
--dport A variety of TCP/UDP destination ports
separated by commas
8/12/2019 UNIT V firewalls
14/19
Match extensions used
with -m state
Description
--state
The most frequently tested states are:
ESTABLISHED
The packet is part of a connection which has seen
packets in both directions
NEW
The packet is the start of a new connection
RELATED
The packet is starting a new secondary connection.
This is a common feature of protocols such as an
FTP data transfer, or an ICMP error.
8/12/2019 UNIT V firewalls
15/19
Example:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP
-sport 1024:65535 -m multiport -dport 80,443 -j ACCEPT
Iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP
-m state --state ESTABLISHED -j ACCEPT
This is an expansion on the previous example. Here iptables is being
configured to allow the firewall to accept TCP packets to be routed when they
enter on interface eth0 from any IP address destined for IP address of
192.168.1.58 that is reachable via interface eth1. The source port is in the
range 1024 to 65535 and the destination ports are port 80 (www/http) and
443 (https).
We are also allowing the return packets from 192.168.1.58 to be accepted
too. Instead of stating the source and destination ports, it is sufficient to
allow packets related to established connections using the -m state and --
state ESTABLISHED options.
8/12/2019 UNIT V firewalls
16/19
Using User Defined Chains
iptables can be configured to have user-defined chains. This feature is
frequently used to help streamline the processing of packets. For example,
instead of having a single chain for all protocols, it is possible to have achain that determines the protocol type for the packet and then hands off
the actual final processing to a protocol specific chain. In other words, you
can replace a long chain with a main stubby chain pointing to multiple
stubby chains thereby shortening the total length of all chains the packet
has to pass through.
Example:
iptables -A INPUT -i eth0 -d 206.229.110.2 -j fast-input-queue iptables -A OUTPUT -o
eth0 -s 206.229.110.2 -j fast-output-queue
iptables -A fast-input-queue -p icmp -j icmp-queue-in iptables -A fast-output-queue -p icmp-j icmp-queue-out
iptables -A icmp-queue-out -p icmp --icmp-type echo-request -m state --state NEW -j
ACCEPT
iptables -A icmp-queue-in -p icmp --icmp-type echo-reply
j ACCEPT
8/12/2019 UNIT V firewalls
17/19
In this example we have six queues with the following
characteristics to help assist in processing speed:
Chain DescriptionINPUT The regular built-in INPUT chain in
iptables
OUTPUT The regular built-in OUTPUT chain in
iptables
fast-input-queue Input chain dedicated to specific
protocols
fast-output-queue Output chain dedicated to specificprotocols
icmp-queue-out Output queue dedicated to ICMP
icmp-queue-in Intput queue dedicated to ICMP
8/12/2019 UNIT V firewalls
18/19
Traversing table and chains.
1. When a packet comes in (say, through the Ethernet card) the kernel first looks
at the destination of the packet: this is called `routing'.
2. If it's destined for this box, the packet passes downwards in the diagram, to
the INPUT chain. If it passes this, any processes waiting for that packet will
receive it. Incoming to a host
3. Otherwise, if the kernel does not have forwarding enabled, or it doesn't know
how to forward the packet, the packet is dropped. If forwarding is enabled,
and the packet is destined for another network interface (if you have another
one), then the packet goes rightwards on our diagram to the FORWARD
chain. If it is ACCEPTed, it will be sent out.
4. Finally, a program running on the box can send network packets. These
packets pass through the OUTPUT chain immediately: if it says ACCEPT, thenthe packet continues out to whatever interfaces it is destined for.
8/12/2019 UNIT V firewalls
19/19