= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Originally, the most popular firewall / NAT package running on Linux was ipchains but it had a number of shortcomings. The Netfilter organization decided to create a new product called iptables in order to rectify this and developed these improvements and more:
As a result of this, iptables is considered a faster and more secure alternative to ipchains. iptables has now become the default firewall package installed under RedHat and Fedora Linux.
Most RedHat and Fedora Linux software products are available in the RPM format. Downloading and installing RPMs isn't hard. If you need a refresher, Chapter 6, on RPMs, covers how to do this in detail.
To get iptables configured to start at boot you can use the chkconfig command.
Firewall is stopped.
All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation / filtering chain.
There are three tables in total. The first is the mangle table which is responsible for the alteration of "quality of service" bits in the TCP header. This is hardly used in a home / SOHO environment.
You need to specify the table and the chain for each firewall rule you create. There is an exception, most rules are related to filtering and therefore iptables assumes that any chain that's defined without an associated table will be a part of the filter table. The filter table is therefore the default.
If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet will undergo SNAT before arriving at Network "B". When the destination server decides to reply, the packet will undergo the same sequence of steps.
If the packet is destined for the firewall itself, then it is filtered by the rules in the INPUT chain of the filter table before being processed by the intended application on the firewall. At some point the firewall will need to reply. This will be inspected by your rules in the OUTPUT chain of the mangle table, if any. The rules in the OUTPUT chain of the nat table will determine whether address translation is required and the rules in the OUTPUT chain of the filter table will then be inspected before the packet is routed back to the Internet.
It is now time to discuss the ways in which you add rules to these chains.
Each firewall rule inspects each IP packet and then tries to identify it as the "target" of some sort of operation. Once a target is identified, the packet needs to "jump" over to it for further processing. There are a number of built-in targets that iptables uses. These are listed in Table 14-2.
Important Iptables Command Switch Operations
Each line of an iptables script not only has a "jump", but they also have a number of command line options that are used to append rules to chains that match your defined packet characteristics, such the source IP address and TCP port. There are also options that can be used to just clear a chain so you can start all over again. The most common options can be seen in Tables 14-2 through 14-6.
|
iptables
command
Switch |
Description |
|
-t <table> |
If you don't specify a table, then the filter table is assumed. As discussed before, the possible built-in tables include: filter, nat, mangle |
|
-j <target> |
Jump to the specified target chain when the packet matches the current rule. |
|
-A |
Append rule to end of a chain |
|
-F |
Flush. Deletes all the rules in the selected table |
|
-p <protocol-type> |
Match protocol. Types include, icmp, tcp, udp, all |
|
-s <ip-address> |
Match source IP address |
|
-d <ip-address> |
Match destination IP address |
|
-i <interface-name> |
Match "input" interface on which the packet enters. |
|
-o <interface-name> |
Match "output" interface on which the packet exits |
Example:
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT
In this example, iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's IP address of 192.168.1.1. The "0/0" representation of an IP address means "any".
|
switches used with
-p tcp |
Description |
|
switches used with
-p udp |
Description
|
|
--sport <port> |
TCP source port
Can be a single value or a range in the format:
start-port-number:end-port-number |
|
--sport <port> |
TCP source port
Can be a single value or a range in the format:
starting-port:ending-port |
|
--dport <port> |
TCP destination port
Can be a single value or a range in the format:
starting-port:ending-port |
|
--dport <port> |
TCP destination port
Can be a single value or a range in the format:
starting-port:ending-port |
|
--syn |
Used to identify a new connection request
! --syn means, not a new connection request |
|
|
|
Example:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
--sport 1024:65535 --dport 80 -j ACCEPT
In this example iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for an IP address of 192.168.1.58 that is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination port is port 80 (www/http)
|
Matches
used with
---icmp-type |
Description |
|
--icmp-type <type> |
The most commonly used types are
echo-reply and echo-request |
Example:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
In this example iptables is being configured to allow the firewall send ICMP echo-requests (pings) and in turn, accept the expected ICMP echo-replies.
Example:
iptables -A INPUT -p icmp --icmp-type echo-request \
-m limit --limit 1/s -i eth0 -j ACCEPT
The "limit" feature in iptables specifies the maximum average number of matches to allow per second. You can specify time intervals such as "/second", "/minute", "/hour" or "/day", or abbreviations of them so that "3/second" is the same as "3/s".
In this example ICMP echo requests are restricted to no more than one per second. When tuned correctly, this feature allows you to filter unusually high volumes of traffic that characterize denial of service (DOS) attacks and Internet worms.
Example:
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
You can expand on the limit feature of iptables to reduce your vulnerability to certain types of denial of service attack. In this example a defense for SYN flood attacks has been created by limiting the acceptance of TCP segments with the SYN bit set to no more than five per second.
|
TCP/UDP match
extensions used with
-m multiport |
Description |
|
--sport <port, port> |
A variety of TCP/UDP source ports separated by commas |
|
--dport <port, port> |
A variety of TCP/UDP destination ports separated by commas |
|
--ports <port, port> |
A variety of TCP/UDP ports separated by commas. Source and destination ports are assumed to be the same. |
|
Match extensions
used with
-m state |
Description |
|
--state <state> |
The most frequently tested states are:
ESTABLISHED
The packet is part of a connection which has seen packets in both directions
NEW
The packet is the start of a new connection
RELATED
The packet is starting a new secondary connection. This is a common feature of protocols such as an FTP data transfer, or an ICMP error.
INVALID
The packet couldn't be identified. Could be due to insufficient system resources, or ICMP errors that don't match an existing data flow. |
Example:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
--sport 1024:65535 -m multiport --dport 80,443 -j ACCEPT
iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP \
-m state --state ESTABLISHED -j ACCEPT
This is an expansion on the previous example. Here iptables is being configured to allow the firewall to accept TCP packets to be routed when they enter on interface eth0 from any IP address destined for IP address of 192.168.1.58 that is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination ports are port 80 (www/http) and 443 (https).
We are also allowing the return packets from 192.168.1.58 to be accepted too. Instead of stating the source and destination ports, it is sufficient to allow packets related to established connections using the -m state and --state ESTABLISHED options.
Using User Defined Chains
As stated in the introduction, iptables can be configured to have user-defined chains. This feature is frequently used to help streamline the processing of packets. For example, instead of using a single built-in chain for all protocols, it is possible to use the chain to determine the protocol type for the packet and then hands off the actual final processing to a user defined protocol specific chain in the filter table. In other words, you can replace a long chain with a main stubby main chain pointing to multiple stubby chains thereby shortening the total length of all chains the packet has to pass through.
Example:
iptables -A INPUT -i eth0 -d 206.229.110.2 -j fast-input-queue
iptables -A OUTPUT -o eth0 -s 206.229.110.2 -j fast-output-queue
iptables -A fast-input-queue -p icmp -j icmp-queue-in
iptables -A fast-output-queue -p icmp -j icmp-queue-out
iptables -A icmp-queue-out -p icmp --icmp-type echo-request \
-m state --state NEW -j ACCEPT
iptables -A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT
In this example we have six queues with the following characteristics to help assist in processing speed a summary of each of their functions can be seen in Table 14-8.
|
Chain |
Description |
|
INPUT |
The regular built-in INPUT chain in iptables |
|
OUTPUT |
The regular built-in OUTPUT chain in iptables |
|
fast-input-queue |
Input chain dedicated to identifying specific protocols and shunting the packets to protocol specific chains. |
|
fast-output-queue |
Output chain dedicated to identifying specific protocols and shunting the packets to protocol specific chains. |
|
icmp-queue-out |
Output queue dedicated to ICMP |
|
icmp-queue-in |
Input queue dedicated to ICMP |
Saving Your iptables Scripts
The "service iptables save" command will permanently save the iptables configuration in the /etc/sysconfig/iptables file. When the system reboots, the iptables-restore program reads the configuration and makes it the active configuration.
The format of the /etc/sysconfig/iptables file is slightly different from that of the scripts shown in this chapter. The initialization of built in chains is automatic and the string "iptables" is omitted from the rule statements.
Here is a sample /etc/sysconfig/iptables configuration that allows ICMP, IPSec (ESP and AH packets), already established connections and inbound SSH.
[root@AS3 tmp]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 8 11:00:07 2004
[root@AS3 tmp]#
It is never a good idea to edit this script directly as it is always overwritten by the "save" command and it doesn't save any comments at all, which can also make it extremely difficult to follow.
For these reasons, it is best to write and apply a customized script and then using the "service iptables save" command to make the changes permanent.
Fedora's iptables Rule Generator
Fedora comes with a program called "lokkit" which you can use to generate a very rudimentary firewall rule set. It prompts for the level of security and then gives you the option of doing simple customizations. It is a good place for beginners to start on a test system so that they can see a general rule structure.
Like the "service iptables save" command, lokkit saves the firewall rules in a new /etc/sysconfig/iptables file for use on the next reboot.
Once you have become familiar with the iptables syntax, it's best to write scripts which you can comment and then save it to /etc/sysconfig/iptables. It makes them much more manageable and readable.
Recovering From A Lost Script
Sometimes the script you created to generate iptables may get corrupted or lost. There are also times when you inherit a new system from an administer and cannot find the original script used to protect it. In these situations you can use the iptables-save and iptables-restore commands to assist you with the continued management of the server.
Unlike the "service iptables save" command which actually saves a permanent copy of the firewall's active configuration in the /etc/sysconfig/iptables file, iptables-save displays the active configuration to the screen in /etc/sysconfig/iptables format. If you redirect the iptables-save screen output to a file with the ">" symbol, then you can edit the output and reload the updated rules when they meet your new criteria with the iptables-restore command.
The example below exports the iptables-save output to a text file named firewall-config.
[root@AS3 tmp]# iptables-save > firewall-config
[root@AS3 tmp]# cat firewall-config
# Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 8 11:00:07 2004
[root@AS3 tmp]#
After editing the file firewall-config with the commands you need, you can and reload it into the active firewall rule set with the iptables-restore command as seen below.
[root@AS3 tmp]# iptables-restore < firewall-config
Finally, you should permanently save the active configuration so that it will be loaded automatically when the system reboots.
[root@AS3 tmp]# service iptables save
If desired, you can eventually convert this firewall-config file into a regular iptables script so that it becomes more easily recognizable and manageable.
Loading Kernel Modules Needed By iptables
The iptables application requires you to load certain kernel modules in order to activate some of its functions. Whenever any type of NAT is required, the iptable_nat module needs to be loaded. The ip_conntrack_ftp module needs to be added for FTP support and should always be loaded with the ip_conntrack module which tracks TCP connection states. As most scripts will probably keep track of connection states, the ip_conntrack module will be needed in any case. The ip_nat_ftp module also needs to be loaded for FTP servers behind a NAT firewall.
Unfortunately, the /etc/sysconfig/iptables file doesn't support the loading of modules, so you'll have to add the statements to your /etc/rc.local file which is run at the end of every reboot.
The script samples in this chapter include these statements only as a reminder to place them in the /etc/rc.local file
# File: /etc/rc.local
# Module to track the state of connections
modprobe ip_conntrack
# Load the iptables active FTP module, requires ip_conntrack
modprobe ip_conntrack_ftp
# Load iptables NAT module when required
modprobe iptable_nat
# Module required for active an FTP server using NAT
modprobe ip_nat_ftp
Sample iptables Scripts
Here are some sample scripts you can use to get iptables working for you. Pay special attention to the logging example at the end.
The "basic initialization" script snippet should also be included in all your scripts to ensure the correct initialization of your chains should you decide to restart your script after startup. This chapter also includes other snippets that will help you get basic functionality. It should be a good guide to get you started.
You then can use Appendix II to find a detailed script once you feel more confident. It shows you how to allow your firewall to:
> Be used as a Linux Web / Mail / DNS server
> Be the NAT router for your home network
> Prevent various types of attacks using corrupted TCP, UDP and ICMP packets.
> Outbound passive FTP access from the firewall
There are also simpler code snippets in the Appendix II for Inbound and outbound FTP connections to / from your firewall
Basic Operating System Defense
There are a number of things you can do before employing your firewall script to improve the resilience of your firewall to attack.
The Linux operating system has a number of built in protection mechanisms that you should activate by modifying the system kernel parameters in the /proc filesystem via the /etc/sysctl.conf file. The use of the /etc/sysctl.conf to modify kernel parameters is explained in more detail in Appendix I.
Here is a sample configuration:
# File: /etc/sysctl.conf
#---------------------------------------------------------------
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state
# Also protects against IP spoofing
#---------------------------------------------------------------
net/ipv4/conf/all/rp_filter = 1
#---------------------------------------------------------------
# Enable logging of packets with malformed IP addresses
#---------------------------------------------------------------
net/ipv4/conf/all/log_martians = 1
#---------------------------------------------------------------
# Disable redirects
#---------------------------------------------------------------
net/ipv4/conf/all/send_redirects = 0
#---------------------------------------------------------------
# Disable source routed packets
#---------------------------------------------------------------
net/ipv4/conf/all/accept_source_route = 0
#---------------------------------------------------------------
# Disable acceptance of ICMP redirects
#---------------------------------------------------------------
net/ipv4/conf/all/accept_redirects = 0
#---------------------------------------------------------------
# Turn on protection from Denial of Service (DOS) attacks
#---------------------------------------------------------------
net/ipv4/tcp_syncookies = 1
#---------------------------------------------------------------
# Disable responding to ping broadcasts
#---------------------------------------------------------------
net/ipv4/icmp_echo_ignore_broadcasts = 1
#---------------------------------------------------------------
# Enable IP routing. Required if your firewall is protecting a
# network, NAT included
#---------------------------------------------------------------
net/ipv4/ip_forward = 1
This configuration will become active after the next reboot, but changes won't become active in the current boot session until you run the "sysctl -p" command.
[root@AS3 tmp]# sysctl -p
...
...
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
[root@AS3 tmp]#
Basic iptables Initialization
It is a good policy, in any iptables script you write, to initialize your chain and table settings with known values. The "filter" table's INPUT, FORWARD and OUTPUT chains should DROP packets by default for the best security. However, it is not good policy to make your "nat" and "mangle" tables DROP packets by default. This is because these tables are queried before the "filter" table, and if all packets that don't match the "nat" and "mangle" rules are DROP-ped, then they will not reach the INPUT, FORWARD and OUTPUT chains and won't be processed.
Additional ALLOW rules should be added to the end of this script snippet.
#---------------------------------------------------------------
# Load modules for FTP connection tracking and NAT - You may need
# them later
#
# Note: It is best to use the /etc/rc.local example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------
modprobe ip_conntrack
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe iptable_nat
#---------------------------------------------------------------
# Initialize all the chains by removing all the rules
# tied to them
#---------------------------------------------------------------
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
#---------------------------------------------------------------
# Now that the chains have been initialized, the user defined
# chains should be deleted. We'll recreate them in the next step
#---------------------------------------------------------------
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
#---------------------------------------------------------------
# If a packet doesn't match one of the built in chains, then
# The policy should be to drop it
#---------------------------------------------------------------
iptables --policy INPUT -j DROP
iptables --policy OUTPUT -j DROP
iptables --policy FORWARD -j DROP
iptables -t nat --policy POSTROUTING ACCEPT
iptables -t nat --policy PREROUTING ACCEPT
#---------------------------------------------------------------
# The loopback interface should accept all traffic
# Necessary for X-Windows and other socket based services
#---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Advanced iptables Initialization
There are more advanced initialization steps you may also want to add to your script. These include checks for invalid TCP flags and Internet traffic from RFC1918 private addresses. The sample script snippets below outline how to do this.
The script also uses multiple user defined chains to make the script shorter and faster as the chains can be repeatedly accessed. This removes the need to repeat the same statements over and over again.
You can take even more precautions to further protect your network. The complete firewall script in the appendix outlines most of them.
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
#
# Define networks: NOTE!! You may want to put these four "EXTERNAL"
# definitions at the top of your script.
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
EXTERNAL_INT="eth0" # Internet-connected
# interface
EXTERNAL_IP="97.158.253.25" # your IP address
EXTERNAL_SUBNET_BASE="97.158.253.24" # ISP network segment
# base address
EXTERNAL_SUBNET_BROADCAST="97.158.253.31" # network segment
# broadcast address
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
#
# The variables below should not normally be changed as they
# are not site specific
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
LOOPBACK="127.0.0.0/8" # reserved for
# loopback address
RESERVED_IP_172_SPACE="172.16.0.0/12" # RFC1918 172 space
# class B private networks
RESERVED_IP_192_SPACE="192.168.0.111/16" # RFC1918 192 space
# class C private networks
RESERVED_IP_10_SPACE="10.0.0.0/8" # RFC1918 10 space
# class A private networks
RESERVED_IP_MULTICAST="224.0.0.0/4" # Multicast addresses
RESERVED_IP_FUTURE="240.0.0.0/5" # IP addresses reserved
# for future use
#---------------------------------------------------------------
# Define our own user-defined chains
#---------------------------------------------------------------
ADDITIONAL_CHAINS="valid-tcp-flags \
valid-source-address \
valid-destination-address \
LOG-and-drop"
#---------------------------------------------------------------
# Initialize our user-defined chains
#---------------------------------------------------------------
for i in $ADDITIONAL_CHAINS; do
iptables -N $i
done
#---------------------------------------------------------------
# Check TCP packets for invalid state flag combinations
#---------------------------------------------------------------
iptables -A INPUT -p tcp -j valid-tcp-flags
iptables -A OUTPUT -p tcp -j valid-tcp-flags
iptables -A FORWARD -p tcp -j valid-tcp-flags
#---------------------------------------------------------------
# Verify valid source and destination addresses for all packets
#---------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INT -p ! tcp \
-j valid-source-address
iptables -A INPUT -i $EXTERNAL_INT -p tcp --syn \
-j valid-source-address
iptables -A FORWARD -i $EXTERNAL_INT -p ! tcp \
-j valid-source-address
iptables -A FORWARD -i $EXTERNAL_INT -p tcp --syn \
-j valid-source-address
iptables -A OUTPUT -o $EXTERNAL_INT \
-j valid-destination-address
iptables -A FORWARD -o $EXTERNAL_INT \
-j valid-destination-address
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
#
# Check for incorrect TCP state flags
#
# All state bits zeroed
# FIN set ACK cleared
# PSH set ACK cleared
# URG set ACK cleared
# SYN and FIN set
# SYN and RST set
# FIN and RST set
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
iptables -A valid-tcp-flags -p tcp --tcp-flags ALL NONE \
-j LOG-and-drop
iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,FIN FIN \
-j LOG-and-drop
iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,PSH PSH \
-j LOG-and-drop
iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,URG URG \
-j LOG-and-drop
iptables -A valid-tcp-flags -p tcp --tcp-flags SYN,FIN SYN,FIN \
-j LOG-and-drop
iptables -A valid-tcp-flags -p tcp --tcp-flags SYN,RST SYN,RST \
-j LOG-and-drop
iptables -A valid-tcp-flags -p tcp --tcp-flags FIN,RST FIN,RST \
-j LOG-and-drop
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
#
# Source and Destination Address Sanity Checks
#
# Drop packets from networks covered in RFC 1918 (private nets)
# Drop packets from external interface IP
# Drop directed broadcast packets
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
iptables -A valid-source-address -s $RESERVED_IP_10_SPACE -j DROP
iptables -A valid-source-address -s $RESERVED_IP_172_SPACE -j DROP
iptables -A valid-source-address -s $RESERVED_IP_192_SPACE -j DROP
iptables -A valid-source-address -s $RESERVED_IP_MULTICAST -j DROP
iptables -A valid-source-address -s $RESERVED_IP_FUTURE -j DROP
iptables -A valid-source-address -s $LOOPBACK -j DROP
iptables -A valid-source-address -s 0.0.0.0/8 -j DROP
iptables -A valid-source-address -d 255.255.255.255 -j DROP
iptables -A valid-source-address -s 169.254.0.0/16 -j DROP
iptables -A valid-source-address -s 192.0.2.0/24 -j DROP
iptables -A valid-source-address -s $EXTERNAL_IP -j DROP
iptables -A valid-destination-address -d $EXTERNAL_SUBNET_BASE \
-j DROP
iptables -A valid-destination-address -d $EXTERNAL_SUBNET_BROADCAST \
-j DROP
iptables -A valid-destination-address -d $RESERVED_IP_MULTICAST \
-j DROP
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
#
# Log and drop chain
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
iptables -A LOG-and-drop -j LOG --log-ip-options --log-tcp-options \
--log-level debug
iptables -A LOG-and-drop -j DROP
Allowing DNS Access To Your Firewall
You'll almost certainly want your firewall to make DNS queries to the Internet. This is not because it is required for the basic functionality of the firewall, but because of Fedora Linux's yum RPM updater which will help to keep the server up to date with the latest security patches. The following statements will apply not only for firewalls acting as DNS clients but also for firewalls working in a caching or regular DNS server role.
#---------------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface eth0 is the internet interface
#
# Zone transfers use TCP and not UDP. Most home networks
# / websites using a single DNS server won't require TCP statements
#
#---------------------------------------------------------------
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 \
-j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 \
-j ACCEPT
Allowing WWW And SSH Access To Your Firewall
This sample snippet is for a firewall that doubles as a web server that is managed remotely by its system administrator via secure shell (SSH) sessions. Inbound packets destined for ports 80 and 22 are allowed thereby making the first steps in establishing a connection. It isn't necessary to specify these ports for the return leg as outbound packets for all established connections are allowed. Connections initiated by persons logged into the webserver will be denied as outbound NEW connection packets aren't allowed.
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
-j ACCEPT
#---------------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------------
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 \
-m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 \
-m state --state NEW -j ACCEPT
Allowing Your Firewall To Access The Internet
The following iptables sample script allows a user on the firewall to use a web browser to surf the Internet. TCP port 80 is used for HTTP traffic and port 443 is used for HTTPS (secure HTTP frequently used for credit card transactions).
Note: HTTPS is also used by RedHat Linux servers using up2date. FTP & HTTP are frequently used with yum.
#---------------------------------------------------------------
# Allow port 80 (www) and 443 (https) connections from the firewall
#---------------------------------------------------------------
iptables -A OUTPUT -j ACCEPT -m state --state NEW \
-o eth0 -p tcp -m multiport --dport 80,443 -m multiport \
--sport 1024:65535
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED \
-i eth0 -p tcp
If you want all TCP traffic originating from the firewall to be accepted then you can remove the following section from the snippet above:
-m multiport --dport 80,443 --sport 1024:65535
Allow Your Home Network To Access The Firewall
In this example, eth1 is directly connected to a home network using IP addresses from the 192.168.1.0 network. All traffic between this network and the firewall is simplistically assumed to be trusted and allowed.
Further rules will be needed for the interface connected to the Internet to allow only specific ports, types of connections and possibly even remote servers to have access to your firewall and home network.
#---------------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the
# protected network
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth1
iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth1
Masquerading (Many to One NAT)
As explained in Chapter 2, masquerading is another word for what many call "many to one" NAT. In other words, traffic from all devices on one or more protected networks will appear as if it originated from a single IP address on the Internet side of the firewall.
Note: The masquerade IP address always defaults to the IP address of the firewall's main interface. The advantage of this is that you never have to specify the NAT IP address. This makes it much easier to configure iptables NAT with DHCP.
You can configure many to one NAT to an IP alias, using the POSTROUTING and not the MASQUERADE statement. An example of this can be seen in the static NAT section below.
iptables requires the iptables_nat module to be loaded with the "modprobe" command for the masquerade feature to work. Masquerading also depends on the Linux operating system being configured to support routing between the internet and private network interfaces of the firewall. This is done by enabling "IP forwarding" or routing by giving the file /proc/sys/net/ipv4/ip_forward the value "1" as opposed to the default disabled value of "0".
Once masquerading has been achieved using the POSTROUTING chain of the "nat" table, iptables will have to be configured to allow packets to flow between the two interfaces. This is done using the FORWARD chain of the "filter" table. More specifically, packets related to NEW and ESTABLISHED connections will be allowed outbound to the Internet, while only packets related to ESTABLISHED connections will be allowed inbound. This helps to protect the home network from persons trying to initiate connections from the Internet. An example follows:
#---------------------------------------------------------------
# Load the NAT module
#
# Note: It is best to use the /etc/rc.local example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------
modprobe iptable_nat
#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#
# Note: It is best to use the /etc/sysctl.conf example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------------
# Allow masquerading
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 \
-j MASQUERADE
#---------------------------------------------------------------
# Prior to masquerading, the packets are routed via the filter
# table's FORWARD chain.
# Allowed outbound: New, established and related connections
# Allowed inbound : Established and related connections
#---------------------------------------------------------------
iptables -A FORWARD -t filter -o eth0 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth1 -m state \
--state ESTABLISHED,RELATED -j ACCEPT
Note: If you configure your firewall to do masquerading, then if should be the used as the default gateway for all your servers on the network.
Port Forwarding Type NAT (DHCP DSL)
In many cases home users may get a single DHCP public IP address from their ISP. If their Linux firewall is their interface to the Internet and they want to host a website on one of the NAT protected home servers then they will have to use the "port forwarding" technique.
Here the combination of the firewall's single IP address, the remote server's IP address and the source/destination port of the traffic can be used to uniquely identify a traffic flow. All traffic that matches a particular combination of these factors may then be forwarded to a single server on the private network.
Port forwarding is handled by the PREROUTING chain of the "nat" table. As in masquerading, the iptables_nat module will have to be loaded and routing enabled for port forwarding to work. Routing too will have to be allowed in iptables with the FORWARD chain, this would include all NEW inbound connections from the Internet matching the port forwarding port plus all future packets related to the ESTABLISHED connection in both directions. An example follows:
#---------------------------------------------------------------
# Load the NAT module
#
# Note: It is best to use the /etc/rc.local example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------
modprobe iptable_nat
#---------------------------------------------------------------
# Get the IP address of the Internet interface eth0 (linux only)
#
# You'll have to use a different expression to get the IP address
# for other operating systems which have a different ifconfig output
# or enter the IP address manually in the PREROUTING statement
#
# This is best when your firewall gets its IP address using DHCP.
# The external IP address could just be hard coded ("typed in
# normally")
#---------------------------------------------------------------
external_int="eth0"
external_ip="`ifconfig $external_int | grep 'inet addr' | \
awk '{print $2}' | sed -e 's/.*://'`"
#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#
# Note: It is best to use the /etc/sysctl.conf example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------------
# Allow port forwarding for traffic destined to port 80 of the
# firewall's IP address to be forwarded to port 8080 on server
# 192.168.1.200
#
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip \
--dport 80 --sport 1024:65535 -j DNAT --to 192.168.1.200:8080
#---------------------------------------------------------------
# After DNAT, the packets are routed via the filter table's
# FORWARD chain.
# Connections on port 80 to the target machine on the private
# network must be allowed.
#---------------------------------------------------------------
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.200 \
--dport 8080 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -i eth1 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state \
--state ESTABLISHED,RELATED -j ACCEPT
Static NAT
In this example, all traffic to a particular public IP address, not just to a particular port, is NAT-ted to a single server on the protected subnet. As the firewall has more than one IP address, MASQUERADE isn't recommended to be used as it will force masquerading as the IP address of the primary interface and not any of the alias IP addresses the firewall may have. SNAT is therefore used to specify the alias IP address to be used for connections initiated by all other servers in the protected net.
Note: Though the "nat" table NATs all traffic to the target servers (192.168.1.100 to 102), only connections on ports 80,443 and 22 are allowed through by the FORWARD chain. Also notice how you have to specify a separate "-m multiport" option whenever you need to match multiple non-sequential ports for both source and destination.
Note: In this example the firewall:
Uses 1:1 NAT to make the server 192.168.1.111 on your home network appear on the Internet as IP addresses 97.158.253.26.
Creates a Many to 1 NAT for the 192.168.1.0 home network in which all the servers appear on the Internet as IP address 97.158.253.29. This is different from masquerading
You will have to create alias IP addresses for each of these Internet IPs for 1:1 NAT to work.
#---------------------------------------------------------------
# Load the NAT module
#
# Note: It is best to use the /etc/rc.local example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------
modprobe iptable_nat
#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#
# Note: It is best to use the /etc/sysctl.conf example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------------
# NAT ALL traffic:
###########
# REMEMBER to create aliases for all the internet IP addresses below
###########
#
# TO: FROM: MAP TO SERVER:
# 97.158.253.26 Anywhere 192.168.1.100 (1:1 NAT - Inbound)
# Anywhere 192.168.1.100 97.158.253.26 (1:1 NAT - Outbound)
# Anywhere 192.168.1.0/24 97.158.253.29 (FW IP)
#
# SNAT is used to NAT all other outbound connections initiated
# from the protected network to appear to come from
# IP address 97.158.253.29
#
# POSTROUTING:
# NATs source IP addresses. Frequently used to NAT connections from
# your home network to the Internet
#
# PREROUTING:
# NATs destination IP addresses. Frequently used to NAT
# connections from the Internet to your home network
#
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
# PREROUTING statements for 1:1 NAT
# (Connections originating from the Internet)
iptables -t nat -A PREROUTING -d 97.158.253.26 -i eth0 \
-j DNAT --to-destination 192.168.1.100
# POSTROUTING statements for 1:1 NAT
# (Connections originating from the home network servers)
iptables -t nat -A POSTROUTING -s 192.168.1.100 -o eth0 \
-j SNAT --to-source 97.158.253.26
# POSTROUTING statements for Many:1 NAT
# (Connections originating from the entire home network)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 \
-j SNAT -o eth1 --to-source 97.158.253.29
# Allow forwarding to each of the servers configured for 1:1 NAT
# (For connections originating from the Internet. Notice how you
# use the real IP addresses here)
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.100 \
-m multiport --dport 80,443,22 \
-m state --state NEW -j ACCEPT
# Allow forwarding for all New and Established SNAT connections
# originating on the home network AND already established
# DNAT connections
iptables -A FORWARD -t filter -i eth1 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow forwarding for all 1:1 NAT connections originating on
# the Internet that have already passed through the NEW forwarding
# statements above
iptables -A FORWARD -t filter -i eth0 -m state \
--state ESTABLISHED,RELATED -j ACCEPT
Troubleshooting iptables
There are a number of tools at your disposal that you can use to troubleshoot iptables firewall scripts. One of the best methods is to log all dropped packets to the /var/log/messages file.
Checking The Firewall Logs
You track packets passing through the iptables list of rules using the LOG target. You should be aware that the LOG target:
o will log all traffic that matches the iptables rule in which it is located.
o automatically writes an entry to the /var/log/messages file and then executes the next rule.
Therefore if you want to log only unwanted traffic then you have to add a matching rule with a DROP target immediately after the LOG rule. If you don't, you'll find yourself logging both desired and unwanted traffic with no way of discerning between the two as by default iptables doesn't state why the packet was logged in its log message.
This example logs a summary of failed packets to the file /var/log/messages. You can use the contents of this file to determine what TCP/UDP ports you need to open to provide access to specific traffic that is currently stopped.
#---------------------------------------------------------------
# Log and drop all other packets to file /var/log/messages
# Without this we could be crawling around in the dark
#---------------------------------------------------------------
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
Feb 23 20:33:50 bigboy kernel: IN=wlan0 OUT= MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC=192.42.93.30 DST=192.168.1.102 LEN=220 TOS=0x00 PREC=0x00 TTL=54 ID=30485 PROTO=UDP SPT=53 DPT=32820 LEN=200
Feb 23 20:43:08 bigboy kernel: IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:09:6a:b5:08:00 SRC=192.168.1.100 DST=192.168.1.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
Feb 23 20:58:48 bigboy kernel: IN= OUT=wlan0 SRC=192.168.1.102 DST=207.200.81.113 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
If you have just installed iptables and have never applied a policy then you will face this problem. Unfortunately, running the "service iptables save" command before restarting won't help either. You have to create the file as seen below.
A firewall is a critical part of any establishment that connects to an unprotected network like the Internet, but a firewall will never be sufficient. Website security involves not just protection from corrupted packets or maliciously overwhelming volumes of traffic, but also involves daily data backups to help recovery from device failures; regular application patching; enforced password policies; restricted and monitored physical access to your servers; reliable power and cooling; secured cabling; redundant hardware; and probably most importantly, well trained and/or motivated employees. Security should be viewed as anything that contributes to the desired risk free functioning of your site and it is well worth the money to invest in and learn from a text that specializes in the topic.
本类阅读TOP10