Saturday, May 7, 2011

Linux iptables (Best Kernel Firewall ever!) configurations

Hi guys, Just some basic iptables stuff to get with it. Later on I will post about some DDOS (Distributed Denial of service) attack prevention using iptables & Detection of port scans using iptables & similar things.
The Netfilter is Linux kernel Firewall module applying all the rules to the kernel packets. Iptables is rule management for that.

Note - Iptables rules will only apply to kernel stack, not above that. For ex. the iptables rule will not apply to packets generated by Scapy. Scapy packet crafting tool creates the whole packet in its space, hence iptables rule will not hold here. Though the malformed/manipulated packets crafted by scapy will be seen by Kernel, resulting in replies/responses/resets from Kernel. This can be prevented by using iptables, so that kernel will not respond to scapy packets. More about this you find in upcoming Scapy post.

Five pathways implemented by the iptables/netfilter :
a. PREROUTING - Packets arrving on the Network Interface
b. INPUT - Just before they are delivered to the local process
c. FORWARD - Coming in one interface and going right back out another interface likewsie for a Gateway computer
d. POSTROUTING - Just before they leave the Network Interface
e. OUTPUT - Just after they get generated by the local process

Iptables comes with 3 tables :
a. filter - Used to set policies for the traffic entering or leaving the system. By default Iptables respond to this type of table. Three chains involved - FORWARD,INPUT,OUTPUT
b. nat - Used with connection tracking to redirect connections for network address translations. Its built-in chains are: OUTPUT, POSTROUTING, and PREROUTING.
c. mangle - Used for specialized packet alteration, such as stripping off IP options. Its built-in chains are: FORWARD, INPUT, OUTPUT, POSTROUTING, and PREROUTING.

Three kind of operations that can be done for the rule matched packets :
a. DROP - Discard the packet as if it had never received packet.
b. ACCEPT - Accept the packet.
c. REJECT- Discard the packet but tell the source that he did so.

General iptables operations :
a. iptables-save - To make the rules permanent
b. iptables-restore - To restore the previous iptables configuration
c. iptables -L - To list iptables rules on all chains
d. iptables -F - To flush all iptables rules
e. iptables -L INPUT -v - To see a rule on the CHAINS in verbose mode use

Rules are matched for the packets , next rule is matched and if no rule is matched then it looks for chain POLICY, this is usually rule set to drop the packet. Much like the ACL's we implement in Switches/Routers.
-j is used to jump to the POLICY given after the rule matching (for ex. -j DROP = jump to drop)

Manipulation and Chain commands are Capital whereas the -s,-j,etc are in small caps

Iptables configurations & examples :

1. To drop all the incoming packets use this rule
iptables -A INPUT -s 0/0 -j DROP

2. To deny all packets going outside use this
iptables -A OUTPUT -s 0/0 -j DROP 

for example, to apply rules to all packets except from the localhost interface use this
-s ! localhost 

or to exclude UDP for filtering, use this
-p ! UDP 

Lets say to match all the PPP links present
-i ppp+

INPUT chain always have -i i.e. input interface
OUTPUT chain always have -o i.e. output interface
FORWARD chain can have both interfaces i.e. -i & -o

3. To drop all packets originating from local process to the destination IP address use this
iptables -A OUTPUT -d 192.168.56.1 -j DROP 

Now this will give the "operation not permitted response" when you try to ping the destination IP address
iptables -A OUTPUT -d 192.168.56.1 -j REJECT

This will generate "Destination Host Unreachable" response
Hence the type of filtering is different for both as DROP didn't reply back to sender host using ICMP.
REJECT sends back the ICMP message to apprise the Sender

4. To drop the fragmented packets only for the destination IP, use this
iptables -A OUTPUT -f -d 192.168.56.1 -j DROP 

but usually fragments i.e second and third packets are allowed to go through, as the rule matches only to the first packet which is treated as like any other packet

--syn is used when the protocol used is TCP, this is short for --tcp-flags SYN,RST,ACK SYN
in SYN packet FIN,ACK flags are cleared and only SYN is set.

5. To deny all TCP connection attempts from 192.168.56.1,use following pattern
iptables -A OUTPUT -s 192.168.56.1 -p tcp --syn -j DROP

This ruleset is applied to OUTPUT chain & this will REJECT all the syn connection originating from 192.168.56.1
As the chain used is OUTPUT chain the source IP will be the interface IP of the computer on which this rule is applied or the syn intended for this IP address from the system will be droped.
This is useful in event when we do not want the users to initiate an TCP connection.

6. On the destination network
iptables -A INPUT -s 192.168.56.2 -p tcp --syn -j DROP 

This is on the 192.168.56.1 box this will not accept any tcp connection from remote host i.e 192.168.56.2
In this case the kernel with this rule will reject all connections coming from 192.28.56.2 IP for TCP SYN flag connection

To get any kind of help for iptables, use this
iptables -p icmp --help

7. To drop all packets from specific MAC address, use following rule
iptables -A INPUT -m mac --mac-source <mac id> -p icmp -j DROP 

this will drop packets coming from mac id specified.

8. To drop all TCP SYN attempts from specific MAC address, use rule
iptables -A INPUT -m mac --mac-source <mac id> -p tcp --syn -j DROP 

This rule will prevent any tcp connection initiation from specified MAC Address

Source Port or Destination port parameters can also be used for filtering i.e. --sport/--dport

We can also use iptables for routing purpose to send some tyical connections to the specified IP & port i.e. --to-destination ip:port . This is useful in case of Kernel based redirection.

9. To calculate all The packets & Bytes from the system using CHAIN patterns use this
iptables -A FORWARD -i eth1
iptables -A FORWARD -o eth1
iptables -A INPUT -i eth1
iptables -A OUTPUT -o eth1

This is for gateway where the eth0 is for internal network and the eth1 is for Internet. This will provide all the granular details of packets at the interface.
for monitoring use
iptables -L INPUT -v 
iptables -L OUTPUT -v
iptables -L FORWARD -v

10. To drop all connections made to the port 22 from any IP address
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j DROP

11. To accept connections from single IP address to port 22 for SSH connection from single host only
iptables -I INPUT -i eth0 -p tcp --dport 22 -s 192.168.0.1 -j ACCEPT

This is really good rule for security measures resulting in less SSH attacks. We can also specify IP ranges here.
-m option used in the Iptables is used to do some extra pattern matching using the extension modules that can be loaded.

12. To block the RST packets sent from the box in OUTPUT chain following command can be used. This can be tested by using the Scapy Packet crafting tool.
iptables -A OUTPUT -p tcp -s 10.10.10.2 --tcp-flags RST RST -j DROP

--tcp-flags must have 2 parameters, i.e. RST RST
This will DROP all the RST flag packets generated from the source IP 10.10.10.2 arriving at OUTPUT chain.
More details on Iptables I will be posting in later posts.

No comments:

Post a Comment