UNIT V firewalls

8/12/2019 UNIT V firewalls

1/19

UNIT V

IPTABLES


2/19

1. iptables basics

What is iptables:

Iptables is in short a Linux based packet filteringfirewall.

Iptables interfaces to the Linux netfilter module to

perform filtering of network packets.This can be to deny/allow traffic filter or perform

Network Address Translation (NAT).

With careful configuration iptables can be a very cost

effective, powerful and flexible firewall or gatewaysolution.

Iptables is available from http://www.netfilter.org/orvia your Linux distribution.
http://www.netfilter.org/http://www.netfilter.org/http://www.netfilter.org/http://www.netfilter.org/


3/19

iptables terms and syntax Drop/Deny- When a packet is dropped or denied, it is simply deleted, and

no further actions are taken. No reply to tell the host it was dropped, noris the receiving host of the packet notified in any way. The packet simplydisappears.

Reject- This is basically the same as a drop or deny target or policy, exceptthat we also send a reply to the host sending the packet that was dropped.The reply may be specified, or automatically calculated to some value. (To

this date, there is unfortunately no iptables functionality to also send apacket notifying the receiving host of the rejected packet what happened(i.e., doing the reverse of the Reject target). This would be very good incertain circumstances, since the receiving host has no ability to stopDenial of Service attacks from happening.)

State - A specific state of a packet in comparison to a whole stream ofpackets. For example, if the packet is the first that the firewall sees orknows about, it is considered new (the SYN packet in a TCP connection), orif it is part of an already established connection that the firewall knowsabout, it is considered to be established. States are known through theconnection tracking system, which keeps track of all the sessions.


4/19

Chain- A chain contains a ruleset of rules that are applied on packets thattraverses the chain. Each chain has a specific purpose (e.g., which table itis connected to, which specifies what this chain is able to do), as well as a

specific application area (e.g., only forwarded packets, or only packetsdestined for this host).

Table - Each table has a specific purpose, and in iptables there are 4tables. The raw, nat, mangle and filter tables. For example, the filter tableis specifically designed to filter packets, while the nat table is specifically

designed to NAT (Network Address Translation) packets.

Match- This word can have two different meanings when it comes to IPfiltering. The first meaning would be a single match that tells a rule thatthis header must contain this and this information. For example, the --source match tells us that the source address must be a specific network

range or host address. The second meaning is if a whole rule is a match. Ifthe packet matches the whole rule, the jump or target instructions will becarried out (e.g., the packet will be dropped.)


5/19

Target - There is generally a target set for each rule in a ruleset. If the rulehas matched fully, the target specification tells us what to do with thepacket. For example, if we should drop or accept it, or NAT it, etc. There isalso something called a jump specification, for more information see the

jump description in this list. As a last note, there might not be a target orjump for each rule, but there may be.

Rule - A rule is a set of a match or several matches together with a singletarget in most implementations of IP filters, including the iptablesimplementation. There are some implementations which let you useseveral targets/actions per rule.

Ruleset - A ruleset is the complete set of rules that are put into a whole IPfilter implementation. In the case of iptables, this includes all of the rulesset in the filter, nat, raw and mangle tables, and in all of the subsequentchains. Most of the time, they are written down in a configuration file ofsome sort.

Jump - The jump instruction is closely related to a target. A jump

instruction is written exactly the same as a target in iptables, with theexception that instead of writing a target name, you write the name ofanother chain. If the rule matches, the packet will hence be sent to thissecond chain and be processed as usual in that chain


6/19

Connection tracking - A firewall which implements connection tracking is

able to track connections/streams simply put. The ability to do so is often

done at the impact of lots of processor and memory usage. This is

unfortunately true in iptables as well, but much work has been done to

work on this. However, the good side is that the firewall will be much

more secure with connection tracking properly used by the implementer

of the firewall policies.

Accept - To accept a packet and to let it through the firewall rules. This is

the opposite of the drop or deny targets, as well as the reject target.

Policy - There are two kinds of policies that we speak about most of the

time when implementing a firewall.

First we have the chain policies, which tell the firewall implementation the

default behavior to take on a packet if there was no rule that matched it. This

is the main usage of the word that we will use in this book.

The second type of policy is the security policy that we may have written

documentation on, for example for the whole company or for this specific

network segment. Security policies are very good documents to have thought

through properly and to study properly before starting to actually implement

the firewall.


7/19

Target Description Most common options

ACCEPT iptables stops furtherprocessing.

The packet is handed over to the

end application or the operatingsystem for processing

N/A

DROP iptables stops further

processing.

The packet is blocked

N/A

LOG The packet information is sent to

the syslog daemon for logging

iptables continues processing

with the next rule in the table

As you can't LOG and DROP at the

same time, it is common to have

two similar rules in sequence. The

first will LOG the packet, the

second will DROP it.

--log-prefix "string"

Tells iptables to prefix all log

messages with a user defined

string. Frequently used to tell why

the logged packet was dropped

Descriptions Of The Most Commonly Used Targets


8/19

Target Description Most common options

DNAT Used to do Destination Network

Address Translation. i.e., rewriting

the destination IP address of the

packet

--to-destination ipaddress

Tells iptables what the destination

IP address should be

SNAT Used to do Source Network

Address Translation. i.e., rewriting

the source IP addressof the packet

The source IP address is userdefined

--to-source [-

][:-]

Specifies the source IP address and

ports to be used by SNAT.

MASQUE

RADE

Used to do Source NetworkAddress Translation. i.e., rewritingthe source IP address of the packet

By default the source IPaddress is the same as that

used by the firewall's interface

[--to-ports [-]]

Specifies the range of source ports

the original source port can be

mapped to.


9/19

General iptables Match Criteria

iptables command

Switch

Description

-t If you don't specify a table, then the filter table is

assumed. As discussed before, the possible built-in

tables include: filter, nat, mangle

-A Append rule to end of a chain

-F Flush. Deletes all the rules in the selected table

-p Match protocol. Types include, icmp, tcp, udp, all

-s Match source IP address-d Match destination IP address

-i Match "input" interface on which the packet enters.

-o Match "output" interface on which the packet exits


10/19

Example:

iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT

In this example iptables is being configured to allow the firewall to accept TCP

packets coming in on interface eth0 from any IP address destined for the

firewall's IP address of 192.168.1.1


11/19

Common TCP and UDP Match Criteria

switches used

with -p tcp

Description switches used

with -p udp

Description

--sport

TCP source port Can be a single

value or a range in the format:

start-port- number:end-port-

number

--sport UDP source port

Can be a single value or a

range in the format:starting- port:ending-port

--dport

TCP destination port

Can be a single value or a range

in the format:

starting- port:ending-port

--dport UDP destination port

Can be a single value or a

range in the format:

starting- port:ending-port

--syn Used to identify a new

connection request

! --syn means, not a new

connection request


12/19

Example:

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58

-o eth1 -p TCP -sport 1024:65535 -d port 80 -j ACCEPT

In this example iptables is being configured to allow the

firewall to accept TCP packets to be routed when they enter

on interface eth0 from any IP address destined for IP address

of 192.168.1.58 that is reachable via interface eth1. The

source port is in the range 1024 to 65535 and the destination

port is port 80 (www/http)


13/19

Common ICMP (Ping) Match Criteria

Matches used with ---icmp-type Description

--icmp-type The most commonly used types are

echo-reply and echo-request

iptables -A OUTPUT -p icmp --icmp -type echo-request -j ACCEPT

iptables -A INPUT -p icmp --icmp -type echo-reply -j ACCEPT

In this example iptables is being configured to allow the firewall send ICMP

echo- requests (pings) and in turn, accept the expected ICMP echo-replies.

Example:

Common Match Extensions Criteria

TCP/UDP match extensions used

with -m multiport

Description

--sport A variety of TCP/UDP source ports

separated by commas

--dport A variety of TCP/UDP destination ports

separated by commas


14/19

Match extensions used

with -m state

Description

--state

The most frequently tested states are:

ESTABLISHED

The packet is part of a connection which has seen

packets in both directions

NEW

The packet is the start of a new connection

RELATED

The packet is starting a new secondary connection.

This is a common feature of protocols such as an

FTP data transfer, or an ICMP error.


15/19

Example:

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP

-sport 1024:65535 -m multiport -dport 80,443 -j ACCEPT

Iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP

-m state --state ESTABLISHED -j ACCEPT

This is an expansion on the previous example. Here iptables is being

configured to allow the firewall to accept TCP packets to be routed when they

enter on interface eth0 from any IP address destined for IP address of

192.168.1.58 that is reachable via interface eth1. The source port is in the

range 1024 to 65535 and the destination ports are port 80 (www/http) and

443 (https).

We are also allowing the return packets from 192.168.1.58 to be accepted

too. Instead of stating the source and destination ports, it is sufficient to

allow packets related to established connections using the -m state and --

state ESTABLISHED options.


16/19

Using User Defined Chains

iptables can be configured to have user-defined chains. This feature is

frequently used to help streamline the processing of packets. For example,

instead of having a single chain for all protocols, it is possible to have achain that determines the protocol type for the packet and then hands off

the actual final processing to a protocol specific chain. In other words, you

can replace a long chain with a main stubby chain pointing to multiple

stubby chains thereby shortening the total length of all chains the packet

has to pass through.

Example:

iptables -A INPUT -i eth0 -d 206.229.110.2 -j fast-input-queue iptables -A OUTPUT -o

eth0 -s 206.229.110.2 -j fast-output-queue

iptables -A fast-input-queue -p icmp -j icmp-queue-in iptables -A fast-output-queue -p icmp-j icmp-queue-out

iptables -A icmp-queue-out -p icmp --icmp-type echo-request -m state --state NEW -j

ACCEPT

iptables -A icmp-queue-in -p icmp --icmp-type echo-reply

j ACCEPT


17/19

In this example we have six queues with the following

characteristics to help assist in processing speed:

Chain DescriptionINPUT The regular built-in INPUT chain in

iptables

OUTPUT The regular built-in OUTPUT chain in

iptables

fast-input-queue Input chain dedicated to specific

protocols

fast-output-queue Output chain dedicated to specificprotocols

icmp-queue-out Output queue dedicated to ICMP

icmp-queue-in Intput queue dedicated to ICMP


18/19

Traversing table and chains.

1. When a packet comes in (say, through the Ethernet card) the kernel first looks

at the destination of the packet: this is called `routing'.

2. If it's destined for this box, the packet passes downwards in the diagram, to

the INPUT chain. If it passes this, any processes waiting for that packet will

receive it. Incoming to a host

3. Otherwise, if the kernel does not have forwarding enabled, or it doesn't know

how to forward the packet, the packet is dropped. If forwarding is enabled,

and the packet is destined for another network interface (if you have another

one), then the packet goes rightwards on our diagram to the FORWARD

chain. If it is ACCEPTed, it will be sent out.

4. Finally, a program running on the box can send network packets. These

packets pass through the OUTPUT chain immediately: if it says ACCEPT, thenthe packet continues out to whatever interfaces it is destined for.


19/19

Documents

UNIT V firewalls