
Linux Firewalls

IPtables
The command used to execute packet filtering and NAT tasks is iptables, and the software is commonly referred to as simply IPtables. The IPtables software can be built directly into the kernel or loaded as a kernel module, iptable_filter.o.

Packet Filtering
IPtables is essentially a framework for packet management that can check packets for particular network protocols and notify parts of the kernel listening for them.

Tables
IPtables currently supports three tables: filter, nat, and mangle. Packet filtering is implemented using the filter table, which holds rules for dropping or accepting packets. Network address translation operations such as IP masquerading are implemented using the nat table, which holds IP masquerading rules. The mangle table is used for specialized packet changes. You can list the rules you have added at any time with the -L and -n options, as shown below. The -n option says to use only numeric output for both IP addresses and ports, avoiding a DNS lookup for hostnames.

# iptables -L -n

Chains
Rules are combined into different chains. The kernel uses chains to manage packets it receives and sends out. A chain is simply a checklist of rules. These rules specify what action to take for packets containing certain headers. The rules operate with an if-then-else structure: if a packet does not match the first rule, the next rule is checked, and so on. The most important built-in chains are the INPUT, OUTPUT, and FORWARD chains in the filter table, and the PREROUTING and POSTROUTING chains in the nat table.

Matches
Every iptables rule has a set of matches along with a target that tells iptables what to do with a packet that conforms to the rule.

--source (-s)         Match on a source IP address or network
--destination (-d)    Match on a destination IP address or network
--protocol (-p)       Match on an IP protocol value
--in-interface (-i)   Input interface (e.g., eth0)
--out-interface (-o)  Output interface
--state               Match on a set of connection states
--string              Match on a sequence of application layer data bytes
--comment             Comment data with a rule within kernel memory

Targets
A target could, in turn, be another chain of rules, even a chain of user-defined rules. A packet could be passed through several chains before finally reaching a target.

Firewall and NAT Chains


The kernel uses three firewall chains: INPUT, OUTPUT, and FORWARD. When a packet is received through an interface, the INPUT chain is used to determine what to do with it. The kernel then uses its routing information to decide where to send it. If the kernel sends the packet to another host, the FORWARD chain is checked. Before the packet is actually sent, the OUTPUT chain is also checked. In addition, two NAT table chains, POSTROUTING and PREROUTING, are implemented to handle masquerading and packet address modifications.

Adding and Changing Rules


You add and modify chain rules using the iptables commands. An iptables command consists of the keyword iptables, followed by an argument denoting the command to execute.

IPtables Options

Accepting and Denying Packets: DROP and ACCEPT


There are two built-in targets, DROP and ACCEPT. Other targets can be either user-defined chains or extensions added on, such as REJECT. Two special targets are used to manage chains, RETURN and QUEUE. RETURN indicates the end of a chain and returns to the chain it started from. QUEUE is used to send packets to user space.

# iptables -A INPUT -s www.myjunk.com -j DROP
# iptables -A INPUT -j ACCEPT ! -s 192.168.0.45
# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
# iptables -A INPUT -j DROP -i eth0 -s 192.168.0.45
# iptables -A INPUT -j ACCEPT -i lo

User-Defined Chains
A common method for reducing repeated INPUT and FORWARD rules is to create a user chain. You define a user chain with the -N option.

# iptables -N incoming
# iptables -A incoming -j DROP -i eth0 -s 192.168.0.45
# iptables -A incoming -j ACCEPT -i lo
# iptables -A FORWARD -j incoming
# iptables -A INPUT -j incoming

ICMP Packets
Firewalls often block certain Internet Control Message Protocol (ICMP) messages. You need to enable some ICMP messages, however, such as those needed for ping, traceroute, and particularly destination-unreachable operations. You can enable an ICMP type of packet with the --icmp-type option, which takes as its argument a number or a name representing the message.

# iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-reply -d 10.0.0.1
# iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-request -d 10.0.0.1
# iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type destination-unreachable -d 10.0.0.1

You use the limit module to control the number of matches on the ICMP ping operation. Use -m limit to load the limit module and --limit to specify the number of allowed matches; 1/s will allow one match per second.

# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

Packet States: Connection Tracking


One of the more useful extensions is the state extension, which can easily detect tracking information for a packet. Connection tracking maintains information about a connection such as its source, destination, and port.

To use connection tracking, you specify the state module first with -m state. Then you can use the --state option.

# iptables -A INPUT -m state --state NEW -i eth0 -j DROP
# iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Network Address Translation (NAT)


NAT is the process whereby a system will change the destination or source of packets as they pass through the system. NAT is used to provide access to systems that may be connected to the Internet through only one IP address. It underlies networking features such as IP masquerading, support for multiple servers, and transparent proxying. With IP masquerading, NAT operations will change the destination and source of a packet moving through a firewall/gateway linking the Internet to computers on a local network. The gateway has a single IP address that other local computers can use through NAT operations. If you have multiple servers but only one IP address, you can use NAT to send packets to the alternate servers. You can also use NAT to have your IP address reference a particular server application such as a Web server (transparent proxy). NAT tables are not implemented for ip6tables.

Adding NAT Rules


To add rules to the nat table, you have to specify the nat table with the -t option:

# iptables -t nat

With the -L option, you can list the rules you have added to the nat table:

# iptables -t nat -L -n

Nat Targets and Chains


There are two types of NAT operations: source NAT, specified with the SNAT target, and destination NAT, specified with the DNAT target. Three chains in the nat table are used by the kernel for NAT operations: PREROUTING, POSTROUTING, and OUTPUT. PREROUTING is used for destination NAT (DNAT) rules, applied to packets that are arriving. POSTROUTING is used for source NAT (SNAT) rules, applied to packets that are leaving. OUTPUT is used for destination NAT rules for locally generated packets.

As with packet filtering, you can specify source (-s) and destination (-d) addresses, as well as the input (-i) and output (-o) devices. The -j option specifies a target such as MASQUERADE. You would implement IP masquerading by adding a MASQUERADE rule to the POSTROUTING chain:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To change the source address of a packet leaving your system, you would use a POSTROUTING rule with the SNAT target. For the SNAT target, you use the --to-source option to specify the source address:

# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.4

To change the destination address of packets arriving on your system, you would use a PREROUTING rule with the DNAT target and the --to-destination option:

# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 192.168.0.3

You can also implement port forwarding. In the next example, every TCP packet arriving on port 80 (the Web service port) is redirected to 10.0.0.3, which in this case would be a system running a Web server. The --dport match requires the protocol to be given with -p:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.3

Nat Redirection: Transparent Proxies


The nat table can be used to implement any kind of packet redirection, a process transparent to the user. With transparent proxies, packets received can be automatically redirected to a proxy server. For example, packets arriving on the Web service port, 80, can be redirected to the Squid proxy service port, usually 3128:

# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

Packet Mangling: the Mangle Table


The packet mangling table is used to actually modify packet information. Rules applied specifically to this table are often designed to control the mundane behavior of packets, like routing, connection size, and priority.

For example, the TOS target can be used directly in the mangle table to change the Type of Service field and so modify a packet's priority. A TCPMSS target could be set to control the segment size of a connection. The ECN target lets you work around ECN black holes, and the DSCP target lets you change the DSCP bits. Several extensions, such as the ROUTE extension, will change a packet, in this case rewriting its destination rather than just redirecting it.

The mangle table is indicated with the -t mangle option.

# iptables -t mangle -L

TOS - Type of Service field in the Internet Protocol Suite
TCPMSS - Maximum segment size (MSS), a parameter of the TCP protocol
ECN - Explicit Congestion Notification (ECN), an addition to IP
DSCP - Differentiated Services field marks inside a packet

IPtables Scripts
The following command will list your current rules:

# service iptables status

Use the iptables service script with the stop option to clear out any previous rules:

# service iptables stop

Then run your script, as shown here for the myfilters script:

# ./myfilters

Saving IPtables Rules


Once you are satisfied that your IPtables rules are working correctly, you can save your rules to the /etc/sysconfig/iptables file:

# service iptables save

A backup of the original is saved in /etc/sysconfig/iptables.save, in case you need to restore the older rules. The service script actually uses iptables-save with the -c option to save rules to the /etc/sysconfig/iptables file:

# iptables-save -c > /etc/sysconfig/iptables

You can also save your rules to a file of your choosing, such as /etc/iptables.rules:

# iptables-save > /etc/iptables.rules

Then, to restore the rules, use iptables-restore to read the IPtables commands from that saved file:

# iptables-restore < /etc/iptables.rules
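The -c option mentioned above writes each rule with its [packets:bytes] counters, which makes a saved dump useful for auditing as well as for restoring. The script below is an added example, not part of the original slides: it reads an iptables-save -c dump and lists rules that have never matched and the rule that matched most, so that a DROP rule nothing ever hits, or an ACCEPT rule hit far more than expected, can be reviewed before the dump is saved as the new baseline. The dump embedded in SAMPLE_DUMP is constructed for the example, not captured from a host.

```shell
#!/bin/sh
# Added example: audit the counters in an "iptables-save -c" dump.
# Each rule line has the form "[packets:bytes] -A CHAIN ...".
# SAMPLE_DUMP is a constructed sample, not output from a real system.

SAMPLE_DUMP='# Generated by iptables-save v1.8.7 (constructed sample)
*filter
:INPUT DROP [12:720]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[5000:400000] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i eth1 ! -s 192.168.0.0/24 -j DROP
[731:43860] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[0:0] -A INPUT -m state --state NEW -i eth0 -j DROP
COMMIT'

# Read a dump on stdin and print every rule whose packet counter is
# zero, one per line, with the counter prefix removed.
unused_rules() {
    awk '/^\[[0-9]+:[0-9]+\] -A / {
        split(substr($1, 2, length($1) - 2), c, ":")
        if (c[1] + 0 == 0) { $1 = ""; sub(/^ /, ""); print }
    }'
}

# Read a dump on stdin and print the rule with the highest packet
# count as "<packets> <rule>".
busiest_rule() {
    awk '/^\[[0-9]+:[0-9]+\] -A / {
        split(substr($1, 2, length($1) - 2), c, ":")
        if (c[1] + 0 > max) { max = c[1] + 0; $1 = ""; sub(/^ /, ""); rule = $0 }
    }
    END { if (rule != "") print max, rule }'
}

# Run both checks against the constructed sample. On a live host you
# would pipe "iptables-save -c" into the functions instead.
demo_unused()  { printf '%s\n' "$SAMPLE_DUMP" | unused_rules; }
demo_busiest() { printf '%s\n' "$SAMPLE_DUMP" | busiest_rule; }

echo "Rules with zero hits:"
demo_unused
echo "Busiest rule:"
demo_busiest
```

A zero counter is not always a problem: the anti-spoofing DROP rules in the sample are expected to stay idle on a healthy network. The point is that the counters tell you which rules are doing work before you commit the ruleset with service iptables save.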

An IPtables Script Example: IPv4

IP Spoofing
One way to protect a private network from IP spoofing is to check for any outside addresses on the Ethernet device dedicated to the private network. The first rules deny any packets arriving on the internal interface that have an external source address, logging them before dropping:

# iptables -A INPUT -j LOG -i eth1 ! -s 192.168.0.0/24
# iptables -A INPUT -j DROP -i eth1 ! -s 192.168.0.0/24
# iptables -A FORWARD -j DROP -i eth1 ! -s 192.168.0.0/24

Deny any outside packets (any not arriving on eth1) that have a source address of the internal network:

# iptables -A INPUT -j DROP ! -i eth1 -s 192.168.0.0/24
# iptables -A FORWARD -j DROP ! -i eth1 -s 192.168.0.0/24

Deny any packets not arriving on the lo interface (that is, arriving on eth0 or eth1) that have the source address of localhost:

# iptables -A INPUT -j DROP ! -i lo -s 127.0.0.0/255.0.0.0
# iptables -A FORWARD -j DROP ! -i lo -s 127.0.0.0/255.0.0.0

Allow all packets sent and received within your system (localhost) to pass:

# iptables -A INPUT -j ACCEPT -i lo
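The LOG rule above only pays off if someone reads what the kernel logs. The script below is an added example, not part of the original slides: it summarizes the netfilter LOG lines per spoofed source so the offending host on the LAN segment can be found. It assumes the LOG rule was given a prefix with --log-prefix "SPOOF-LAN: " (the slides' rule has none); the lines in SAMPLE_LOG are constructed for the example, following the kernel's LOG field layout, and are not from a real host.

```shell
#!/bin/sh
# Added example: summarize kernel LOG messages produced by the
# anti-spoofing rule. Assumes the rule used --log-prefix "SPOOF-LAN: ".
# SAMPLE_LOG is constructed, not captured; the last line is an unrelated
# sshd message that the summary must ignore.

LOG_PREFIX="${LOG_PREFIX:-SPOOF-LAN: }"

SAMPLE_LOG='Oct 12 10:01:02 gw kernel: SPOOF-LAN: IN=eth1 OUT= MAC=00:0f:ea:91:04:08:00:0f:ea:91:04:07:08:00 SRC=203.0.113.7 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 12 10:01:03 gw kernel: SPOOF-LAN: IN=eth1 OUT= MAC=00:0f:ea:91:04:08:00:0f:ea:91:04:07:08:00 SRC=203.0.113.7 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 12 10:01:03 gw kernel: SPOOF-LAN: IN=eth1 OUT= MAC=00:0f:ea:91:04:08:00:0f:ea:91:04:09:08:00 SRC=198.51.100.9 DST=192.168.0.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=5353 DPT=53 LEN=52
Oct 12 10:01:04 gw kernel: SPOOF-LAN: IN=eth1 OUT= MAC=00:0f:ea:91:04:08:00:0f:ea:91:04:07:08:00 SRC=203.0.113.7 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 12 10:01:05 gw sshd[1201]: Accepted publickey for admin from 192.168.0.20 port 50122 ssh2'

# Read log lines on stdin; for those carrying our prefix, count packets
# per (spoofed source, destination, port, protocol) and print the
# busiest combination first as "<count> <src> -> <dst>:<dport>/<proto>".
spoof_summary() {
    grep -F "$LOG_PREFIX" | awk '
    {
        src = dst = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")          # netfilter fields are KEY=VALUE tokens
            if (kv[1] == "SRC")        src   = kv[2]
            else if (kv[1] == "DST")   dst   = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT")   dpt   = kv[2]
        }
        if (src != "") hits[src " -> " dst ":" dpt "/" proto]++
    }
    END { for (k in hits) print hits[k], k }' | sort -rn
}

# Summarize the constructed sample; on a gateway you would feed
# "journalctl -k" or /var/log/kern.log into spoof_summary instead.
demo_summary() { printf '%s\n' "$SAMPLE_LOG" | spoof_summary; }

demo_summary
```

The MAC= field in each line carries the destination and source hardware addresses back to back, so the summary can be extended to print the source MAC as well, which is what actually identifies the machine on the internal segment once the IP address has been forged.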

Server Access
For the Web server, you want to allow access by outside users but block access by anyone attempting to initiate a connection from the Web server into the private network. In the next example, all messages are accepted to the Web server, but the Web server cannot initiate contact with the private network. This prevents anyone from breaking into the local network through the Web server, which is open to outside access. Established connections are allowed, permitting the private network to use the Web server.

Allow communication to the Web server (address 10.0.0.2), port www:

# iptables -A INPUT -j ACCEPT -p tcp -i eth0 --dport www -s 10.0.0.2

Allow established connections from the Web server to the internal network:

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp --sport www -s 10.0.0.2 -d 192.168.0.0/24 -j ACCEPT

Prevent new connections from the Web server to the internal network:

# iptables -A OUTPUT -m state --state NEW -o eth0 -p tcp --sport www -d 192.168.0.0/24 -j DROP

Firewall Outside Access


To allow access by the firewall to outside networks, you allow input by all packets except for ICMP packets.

Allow outside communication to the firewall, except for ICMP packets:

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 ! -p icmp -j ACCEPT

Blocking Outside Initiated Access


To prevent outsiders from initiating any access to your system, create a rule to block access by SYN packets from the outside using the state option with NEW.

Prevent outside-initiated connections:

# iptables -A INPUT -m state --state NEW -i eth0 -j DROP
# iptables -A FORWARD -m state --state NEW -i eth0 -j DROP

Local Network Access


To allow interaction by the internal network with the firewall, you allow input by all packets on the internal Ethernet connection, eth1. The valid internal network addresses are designated as the input source.

# iptables -A INPUT -j ACCEPT -p all -i eth1 -s 192.168.0.0/24

Masquerading Local Networks


To implement masquerading, so that systems on the private network can use the gateway's Internet address to connect to Internet hosts, add a MASQUERADE rule to the POSTROUTING chain:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Controlling ICMP Packets


In addition, to allow ping and destination-unreachable ICMP packets, you enter INPUT rules with the firewall as the destination. To enable ping operations, you use both the echo-reply and echo-request ICMP types, and for destination unreachable, you use the destination-unreachable type.

# iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-reply -d 10.0.0.1
# iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-request -d 10.0.0.1
# iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type destination-unreachable -d 10.0.0.1

Masquerading Selected Hosts


Instead of masquerading all local hosts as the single IP address of the firewall/gateway host, you could use the nat table to rewrite addresses for a few selected hosts.

# iptables -t nat -A PREROUTING -d 10.0.0.2 --to-destination 192.168.0.5 -j DNAT
# iptables -t nat -A POSTROUTING -s 192.168.0.5 --to-source 10.0.0.2 -j SNAT
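The script example above is spread over a dozen separate iptables calls, and the earlier Saving IPtables Rules section shows that the kernel can also take a whole ruleset at once from iptables-restore. The following is an added example that is not part of the original slides: it assembles the same firewall (anti-spoofing, loopback, connection tracking, rate-limited ICMP and masquerading) as one ruleset in iptables-save format and loads it atomically, so the host never runs with a half-installed rule set between two iptables commands. The topology is the one the slides assume, eth0 facing the Internet with address 10.0.0.1 and eth1 facing the LAN 192.168.0.0/24; the interface names, addresses and the SPOOF-LAN log prefix are assumptions and can be overridden through the environment. Because every rule for the LAN is stateful, a separate echo-reply rule is not needed: replies to the firewall's own pings match the ESTABLISHED,RELATED rule.

```shell
#!/bin/sh
# Added example, not code from the original slides: the slides' firewall as
# a single iptables-restore ruleset. Interface names and addresses below are
# assumptions matching the slides' topology; override via the environment.

EXT_IF="${EXT_IF:-eth0}"          # interface facing the Internet
EXT_IP="${EXT_IP:-10.0.0.1}"      # the firewall's Internet-side address
INT_IF="${INT_IF:-eth1}"          # interface facing the private LAN
LAN="${LAN:-192.168.0.0/24}"      # the private LAN

# Print the complete ruleset on stdout in iptables-save format. INPUT and
# FORWARD default to DROP, so anything not explicitly accepted is refused.
# Lines beginning with # are ignored by iptables-restore.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic
-A INPUT -i lo -j ACCEPT
# anti-spoofing: non-LAN sources on the LAN interface are logged, then dropped
-A INPUT -i $INT_IF ! -s $LAN -j LOG --log-prefix "SPOOF-LAN: "
-A INPUT -i $INT_IF ! -s $LAN -j DROP
-A FORWARD -i $INT_IF ! -s $LAN -j DROP
# anti-spoofing: LAN or loopback sources arriving on any other interface
-A INPUT ! -i $INT_IF -s $LAN -j DROP
-A FORWARD ! -i $INT_IF -s $LAN -j DROP
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A FORWARD ! -i lo -s 127.0.0.0/8 -j DROP
# replies to connections opened by the firewall or the LAN (covers echo-reply)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP the firewall should answer; echo requests rate-limited as on the slides
-A INPUT -i $EXT_IF -p icmp --icmp-type echo-request -d $EXT_IP -m limit --limit 1/s -j ACCEPT
-A INPUT -i $EXT_IF -p icmp --icmp-type destination-unreachable -d $EXT_IP -j ACCEPT
# the LAN may reach the firewall and open connections to the Internet
-A INPUT -i $INT_IF -s $LAN -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade the LAN behind the firewall's Internet address
-A POSTROUTING -o $EXT_IF -j MASQUERADE
COMMIT
EOF
}

# Number of -A rules in the generated ruleset (sanity check before loading).
rule_count() {
    gen_ruleset | grep -c '^-A '
}

# Default policy of a chain in the generated ruleset, e.g. "chain_policy INPUT".
chain_policy() {
    gen_ruleset | awk -v chain=":$1" '$1 == chain { print $2; exit }'
}

# Usage: sh firewall.sh          -> print the ruleset
#        sh firewall.sh check    -> parse only, commit nothing (iptables-restore --test)
#        sh firewall.sh apply    -> replace the live filter and nat tables (needs root)
case "${1:-print}" in
    check) gen_ruleset | iptables-restore --test ;;
    apply) gen_ruleset | iptables-restore ;;
    *)     gen_ruleset ;;
esac
```

Running the check mode on a host with iptables installed validates the syntax without touching the live tables; apply replaces the filter and nat tables in one step, which is also what service iptables start does with /etc/sysconfig/iptables. Keeping the rules in a generator like this rather than a saved dump means the addresses live in one place and the same file can be reviewed, diffed and reapplied.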

Linux Demilitarized Zone (DMZ)


A demilitarized zone (DMZ) is used to secure an internal network from external access. You can use a Linux firewall to create a DMZ easily. There are many different ways to design a network with a DMZ. The basic method is to use a single Linux firewall with 3 Ethernet cards. The following simple example discusses a DMZ setup and forwarding public traffic to internal servers.

Sample Example DMZ Setup


Consider the following DMZ host with 3 NICs:

[a] eth0 with 192.168.1.1 private IP address - Internal LAN ~ Desktop systems
[b] eth1 with 202.54.1.1 public IP address - WAN connected to ISP router
[c] eth2 with 192.168.2.1 private IP address - DMZ connected to Mail / Web / DNS and other private servers

### Start DMZ stuff ####
# forward traffic between DMZ and LAN
iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# forward traffic between DMZ and WAN servers SMTP, Mail etc
iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Route incoming SMTP (port 25) traffic to DMZ server 192.168.2.2
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 25 -j DNAT --to-destination 192.168.2.2
# Route incoming HTTP (port 80) traffic to DMZ server load balancer IP 192.168.2.3
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 80 -j DNAT --to-destination 192.168.2.3
# Route incoming HTTPS (port 443) traffic to DMZ server reverse load balancer IP 192.168.2.4
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 443 -j DNAT --to-destination 192.168.2.4
### End DMZ .. Add other rules ###

Iptables MAC address filtering


Iptables comes with a MAC module. This matches packets traveling through the firewall based on their MAC (Ethernet hardware) address. It offers good protection against malicious users who spoof or change their IP address. Remember that MAC filtering only makes sense for packets coming from an Ethernet device and entering the chains:

1. PREROUTING
2. FORWARD
3. INPUT

iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
