Tuesday, April 5, 2011

IpTables - The Linux Firewall

Introduction:
IpTables is the user-space program used to create rules for packet filtering; it is how firewall rules are built on a Linux system. Before going to IpTables, we first need some knowledge about firewalls.

A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access. Many personal computer operating systems (windows, linux, mac, etc) include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions.

Installation on linux:

Before going to the installation, we need to check whether our kernel was compiled with iptables support. The following command is used to check.

# cat /boot/config-your.kernel.version.here | grep -i "CONFIG_IP_NF_IPTABLES"

If the output shows CONFIG_IP_NF_IPTABLES=m, our kernel was compiled with iptables support; '=m' means iptables was compiled as a module.

Next we need to check whether iptables is already installed. Here I'm using Red Hat Enterprise Linux, so the command is as follows:

# rpm -qa | grep iptables

If you get output like iptables-INSTALLED-VERSION, it is already installed; otherwise you need to install iptables.

For installation, download the iptables rpm from the internet, or install it using yum.

# rpm -qa | grep iptables
# rpm -Uvh iptables-downloaded.version.rpm

Important files for iptables

/etc/init.d/iptables is the INIT script used to start and stop the service and/or to save the rulesets.
/etc/sysconfig/iptables is the file that holds the saved rulesets.
/sbin/iptables is the iptables binary.

Checking current configuration

# iptables -L

There are 3 default chains available: INPUT, OUTPUT, FORWARD.
INPUT - Rules for traffic coming in to the server.
OUTPUT - Rules for traffic going out from the server to the Internet.
FORWARD - Rules for traffic forwarded to clients or servers on the network (LAN...).

When traffic moves through the Linux kernel, a TARGET is determined by whether the packet matches a rule in the ruleset or not. There are three main targets available.

ACCEPT - Traffic is allowed to pass through the Linux server to its destination.
REJECT - Traffic is blocked from its destination, and the Linux server sends a packet back to the sending host with an explanation.
DROP - Traffic is blocked with no explanation (like silently closing the connection).

Before configuring a new ruleset, the following things are very important.

You should know the order in which rules are added to the ruleset. If the order changes, it can sometimes give very bad results. If your first rule is to deny everything, then no matter what you specifically allow after it, it will be denied.

The ruleset is not saved until you save it. That is done by a separate command.

If you are using ssh to configure iptables on a remote server, you should first allow yourself.

Basic Iptables Options

Here are some of the iptables options.

-A - Append this rule to a rule chain. Valid chains for what we're doing are INPUT, FORWARD and OUTPUT, but we mostly deal with INPUT in this tutorial, which affects only incoming traffic.

-L - List the current filter rules.

-m conntrack - Allow filter rules to match based on connection state. Permits the use of the --ctstate option.
   --ctstate - Define the list of states for the rule to match on. Valid states are:
         NEW - The connection has not yet been seen.
         RELATED - The connection is new, but is related to another connection already permitted.
         ESTABLISHED - The connection is already established.
         INVALID - The traffic couldn't be identified for some reason.

-m limit - Require the rule to match only a limited number of times. Allows the use of the --limit option. Useful for limiting logging rules.
   --limit - The maximum matching rate, given as a number followed by "/second", "/minute", "/hour", or "/day" depending on how often you want the rule to match. If this option is not used and -m limit is used, the default is "3/hour".

-p - The connection protocol used.
   --dport - The destination port(s) required for this rule. A single port may be given, or a range may be given as start:end, which will match all ports from start to end, inclusive.

-j - Jump to the specified target. By default, iptables allows four targets:
        ACCEPT - Accept the packet and stop processing rules in this chain.
        REJECT - Reject the packet and notify the sender that we did so, and stop processing rules in this chain.
        DROP - Silently ignore the packet, and stop processing rules in this chain.
        LOG - Log the packet, and continue processing more rules in this chain. Allows the use of the --log-prefix and --log-level options.
           --log-prefix - When logging, put this text before the log message. Use double quotes around the text to use.
           --log-level - Log using the specified syslog level. 7 is a good choice unless you specifically need something else.

-i - Only match if the packet is coming in on the specified interface.

-I - Inserts a rule. Takes two options, the chain to insert the rule into, and the rule number it should be.
     -I INPUT 5 would insert the rule into the INPUT chain and make it the 5th rule in the list.

-v - Display more information in the output. Useful if you have rules that look similar without -v.

-s, --source address[/mask] - source specification

-d, --destination address[/mask] - destination specification

-o, --out-interface name[+] - output network interface name ([+] for wildcard)

Allowing connections

We want to use some standard rules for general network traffic. Consider the 3-way handshake between two hosts when transmitting data.

  • NEW => Server1 connects to Server2 issuing a SYN (Synchronize) packet.
  • RELATED => Server 2 receives the SYN packet, and then responds with a SYN-ACK (Synchronize Acknowledgment) packet.
  • ESTABLISHED => Server 1 receives the SYN-ACK packet and then responds with the final ACK (Acknowledgment) packet.
After this 3-way handshake is complete, the traffic is now ESTABLISHED. For this type of TCP communication, something similar to these three rules is necessary:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

The last rule obviously allows any traffic to leave the server.

Now that we have our basics in place, let's see what iptables lists for our ruleset:
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED

Allowing Incoming Traffic on Specific Ports
You could start by blocking traffic, but you might be working over SSH, in which case you would need to allow SSH before blocking everything else.

To allow incoming traffic on the default SSH port (22), you could tell iptables to allow all TCP traffic on that port to come in.

# iptables -A INPUT -p tcp --dport ssh -j ACCEPT

Referring back to the list above, you can see that this tells iptables:
• append this rule to the input chain (-A INPUT) so we look at incoming traffic
• check to see if it is TCP (-p tcp).
• if so, check to see if the input goes to the SSH port (--dport ssh).
• if so, accept the input (-j ACCEPT).

Let's check the rules (only the first few lines are shown; you will see more):

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Allow all incoming web traffic:
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Checking our rules, we have

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www

Some more rulesets for iptables, for easy understanding. SERVER_IP stands for the address of this server, and the other uppercase names for the addresses described in each heading.

Individual REJECTs first:

BAD GUYS (block a source IP address):
# iptables -A INPUT -s BAD_GUY_IP -j DROP

NO SPAMMERS (notice the use of an FQDN):
# iptables -A INPUT -s mail.spammer.org -d SERVER_IP -p tcp --dport 25 -j REJECT

Then open it up:

MYSQL (allow remote access from a particular IP):
# iptables -A INPUT -s MYSQL_CLIENT_IP -d SERVER_IP -p tcp --dport 3306 -j ACCEPT

SSH:
# iptables -A INPUT -d SERVER_IP -p tcp --dport 22 -j ACCEPT

SMTP:
# iptables -A INPUT -d SERVER_IP -p tcp --dport 25 -j ACCEPT

FTP: (notice how you can specify a range of ports, 20-21)
# iptables -A INPUT -d SERVER_IP -p tcp --dport 20:21 -j ACCEPT

Passive FTP ports, maybe: (again, specifying ports 50000 through 50050 in one rule)
# iptables -A INPUT -d SERVER_IP -p tcp --dport 50000:50050 -j ACCEPT

HTTP:
# iptables -A INPUT -d SERVER_IP -p tcp --dport 80 -j ACCEPT

HTTPS:
# iptables -A INPUT -d SERVER_IP -p tcp --dport 443 -j ACCEPT

IMAP:
# iptables -A INPUT -d SERVER_IP -p tcp --dport 143 -j ACCEPT

IMAPS:
# iptables -A INPUT -d SERVER_IP -p tcp --dport 993 -j ACCEPT

POP3:
# iptables -A INPUT -d SERVER_IP -p tcp --dport 110 -j ACCEPT

POP3S:
# iptables -A INPUT -d SERVER_IP -p tcp --dport 995 -j ACCEPT

Any traffic from localhost:
# iptables -A INPUT -d SERVER_IP -s 127.0.0.1 -j ACCEPT

ICMP:
# iptables -A INPUT -d SERVER_IP -p icmp -j ACCEPT

Global REJECTs last:
Reject everything else to that IP:

# iptables -A INPUT -d SERVER_IP -j REJECT

Or, reject everything else coming through to any IP:
# iptables -A INPUT -j REJECT
# iptables -A FORWARD -j REJECT
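Two things are worth checking before a ruleset like the one above goes live: the ordering problem described earlier (a rule placed after a catch-all REJECT or DROP in the same chain never fires) and the verdict a particular packet will get, above all the administrator's own SSH connection. The Python script below is an added example, not code from the original post: it parses the INPUT chain above in iptables-save syntax, reports rules that an earlier terminal rule makes unreachable, and walks a described packet through the chain with the same first-match semantics the kernel uses. The addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) are constructed documentation-range placeholders for the ones the post leaves blank, 198.51.100.25 stands in for mail.spammer.org because the model does not resolve hostnames, and the final 443 rule is deliberately placed after the global REJECT so the unreachable-rule check has something to report.

```python
"""First-match model of an iptables filter chain. Added example, not code from the
post: parse the -A lines of an iptables-save dump, flag rules an earlier terminal
rule makes unreachable, and evaluate a packet the way the kernel walks a chain."""
import ipaddress
import shlex
# Constructed sample: the post's INPUT chain in iptables-save syntax. Addresses are
# documentation-range placeholders for the ones the post leaves blank; 198.51.100.25 stands
# in for mail.spammer.org. The last rule is deliberately placed after the global REJECT.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.7 -j DROP
-A INPUT -s 198.51.100.25 -d 192.0.2.10 -p tcp --dport 25 -j REJECT
-A INPUT -s 192.0.2.50 -d 192.0.2.10 -p tcp --dport 3306 -j ACCEPT
-A INPUT -d 192.0.2.10 -p tcp --dport 22 -j ACCEPT
-A INPUT -d 192.0.2.10 -p tcp --dport 20:21 -j ACCEPT
-A INPUT -d 192.0.2.10 -p tcp --dport 80 -j ACCEPT
-A INPUT -d 192.0.2.10 -p icmp -j ACCEPT
-A INPUT -d 192.0.2.10 -j REJECT
-A INPUT -d 192.0.2.10 -p tcp --dport 443 -j ACCEPT
COMMIT
"""
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}   # LOG is not terminal: the walk continues


def parse_ruleset(text):
    """Return {"policies": {chain: policy}, "rules": [rule dicts]} from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        toks = shlex.split(line)
        if toks and toks[0].startswith(":"):        # ":INPUT ACCEPT [0:0]" sets the chain policy
            policies[toks[0][1:]] = toks[1]
        if not toks or toks[0] != "-A":              # "*filter", "COMMIT", policy lines
            continue
        rule = {"raw": line, "chain": toks[1], "target": None, "proto": None,
                "src": None, "dst": None, "dport": None, "states": None}
        for opt, arg in zip(toks[2::2], toks[3::2]):  # every option modelled here takes one argument
            if opt == "-j":
                rule["target"] = arg
            elif opt == "-p":
                rule["proto"] = arg
            elif opt in ("-s", "--source"):
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif opt in ("-d", "--destination"):
                rule["dst"] = ipaddress.ip_network(arg, strict=False)
            elif opt == "--dport":
                lo, _, hi = arg.partition(":")       # "20:21" is an inclusive range
                rule["dport"] = (int(lo), int(hi or lo))
            elif opt in ("--state", "--ctstate"):
                rule["states"] = set(arg.split(","))
            elif opt != "-m":                        # "-m state" only names the match extension
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        rules.append(rule)
    return {"policies": policies, "rules": rules}


def matches(rule, pkt):
    """True when every selector present on the rule agrees with the packet."""
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    for key in ("src", "dst"):
        if rule[key] and ipaddress.ip_address(pkt[key]) not in rule[key]:
            return False
    if rule["dport"] and (pkt.get("dport") is None
                          or not rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]):
        return False
    return not rule["states"] or pkt.get("state") in rule["states"]


def verdict(ruleset, chain, pkt):
    """Walk the chain top to bottom: the first matching terminal target wins, else the chain policy."""
    for rule in ruleset["rules"]:
        if rule["chain"] == chain and rule["target"] in TERMINAL_TARGETS and matches(rule, pkt):
            return rule["target"]
    return ruleset["policies"].get(chain, "ACCEPT")


def covers(a, b):
    """True when rule a matches every packet that rule b could match."""
    if a["proto"] and a["proto"] != b["proto"]:
        return False
    for key in ("src", "dst"):
        if a[key] and (b[key] is None or not b[key].subnet_of(a[key])):
            return False
    if a["dport"] and (b["dport"] is None or b["dport"][0] < a["dport"][0]
                       or b["dport"][1] > a["dport"][1]):
        return False
    return not a["states"] or (b["states"] is not None and b["states"] <= a["states"])


def shadowed_rules(ruleset):
    """Indices of rules that can never fire because an earlier terminal rule in the chain covers them."""
    rules = ruleset["rules"]
    return [i for i, later in enumerate(rules)
            if any(e["chain"] == later["chain"] and e["target"] in TERMINAL_TARGETS
                   and covers(e, later) for e in rules[:i])]


if __name__ == "__main__":
    rs = parse_ruleset(SAMPLE_RULESET)
    for i in shadowed_rules(rs):
        print("unreachable rule:", rs["rules"][i]["raw"])
    # Confirm the administrator's own SSH session is accepted before the global REJECT goes live.
    admin_ssh = {"src": "192.0.2.50", "dst": "192.0.2.10", "proto": "tcp", "dport": 22, "state": "NEW"}
    print("admin SSH ->", verdict(rs, "INPUT", admin_ssh))
```

Run stand-alone, the script reports the 443 rule as unreachable and ACCEPT for the administrator's SSH packet. Only the match options the post uses are modelled (-s, -d, -p, --dport, -m state); anything else raises an error rather than silently mis-evaluating, and the model is a review aid for a saved ruleset, not a replacement for trying the rules on a non-production host.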

Saving rules in iptables

To save the active rules:
# /etc/init.d/iptables save
This will save the rules to '/etc/sysconfig/iptables'.

When iptables is started, the rules are read from '/etc/sysconfig/iptables':
# /etc/init.d/iptables start
Starting iptables [OK]

If you stop iptables, all rules are flushed:
# /etc/init.d/iptables stop
Stopping iptables [OK]

Exporting and importing rulesets to a file

# iptables-save > /root/iptables-save.out
This will save the rules to the file iptables-save.out.

# iptables-restore -c /root/iptables-save.out
The file is one created with iptables-save; -c additionally restores the packet and byte counters recorded in it.

This is a basic tutorial about iptables. We can do a lot of things with iptables. I hope good practice with iptables will give you better knowledge. Keep practicing.

Reference: Lots of articles from the internet. Thanks to all.

1 comment:

outbound filtering said...

This is a complete list of references for the security feature.