IP TABLES
IP tables is a user space application program that allows a system administrator to configure the tables provided by Linux Kernel firewall and the chains and rules it stores. IP tables is also commonly used to inclusively refer to the Kernel-Level components. X_tables is the name of the Kernel module carrying the shared code portion used by all four modules .These four modules are listed below.
1. iptables to IPV4.
2. ip6tables to IPV6
3. arptables to ARP
4. ebtables to Ethernet Frames.
IP Tables modules are called iptable_filter.0, which should be automatically loaded when we first run iptables.It can also be built into the Kernel permanently.
Main configuration files for iptables:
1. /etc/init.d/iptables (init script for start/stop/restart the services and save the rules.)
2. /etc/sysconfig/iptables (iptables-save conter files.)
3. /sbin/iptables (The administration utility and the binary.)
For check the current status of iptables in system.
#rpm -qa | grep iptables (For check the required packages installed or not)
# iptables - -list (To see what rules are currently implemented in iptables.)
Some basic terms of iptables:
1. INPUT: Holds rules for traffic directed at this server.
2. FORWARD: Holds rules for traffic that will be forwarding on to an IP behind this server .(i.e If the box serves as a firewall for other servers)
3. OUTPUT: Holds rules for traffic that is coming from this server out to the Internet .
4. ACCEPT: Traffic is accepted for delivery.
5. REJECT: Traffic is rejected, sending a packet back to the sending host.
6. DROP: The traffic is dropped and nothing is sent back to the sending host.
7. NEW: Server 1.connects to Server2 issuing a synchronize packet.
8. RELATED: Server2 receives the SYN packet and then responds with a SYN-ACK (i.e Synchronize Acknowledgment packet).
9. ESTABLISHED: Server1 receives the SYN-ACK packet and then responds with the final ACK (Acknowledgment Packet.)
IP Tables Configuration:
■ First install the required rpm and check it for install:
# rpm –ivh iptables-1.3.5-4.el5
# rpm –ivh iptables-ipv6-1.3.5-4.el5
# rpm -qa | grep iptables (For check installed rpms)
■ Start the services
# service iptables start
# service iptables stop
# service iptables restart
■ Start the iptables at various run levels
#chkconfig –list iptables
# chkconfig iptables on
# service iptables status
■ Current Iptables Status
# iptables - - list or,
# iptables –L
■ Remove All Entries from Iptables
# iptables –flush or,
# iptables -F
Examples:
# iptables -A INPUT -s 192.168.1.10 -d 10.1.15.1 -p tcp - - dport 22 -j ACCEPT
Its means that iptables is being configured to allow the firewall to accept tcp packets coming in from source 192.168.1.10 to destination 10.1.15.21.
Description:
-A: tells iptables to appened the rules to the INPUT chain. It makes changes in the iptables list but in the last line.
-s: Source address, this rule only pertains to traffic coming from this IP.
-d: Destination address, this rule only pertains to traffic going to this IP.
-p: Protocol, specifying traffic which is either TCP/UDP or if anyone else.
--dport: Destination port specifying traffic which is for TCP/UDP port (Here port 22 is used for ssh if we want to smtp put –dport25)
-j: Jump, if everything in this rule are correct.
Apart from then two more terms are used:
1. Pre-routing: NAT's packet when the destination address of the packet needs to be changed.
2. Post-routing: NAT's packet when the source address of the packets needs to be changed.
SOME WORKING RELATED EXAMPLES:
1. Set Default Chain Policies: The default chain policy is ACCEPT.
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP
2. To accept the Packet from any particular IP on particular Ethernet.
# iptables -A INPUT -s 0/0 -i eth0 -d 192.168.0.200 -p TCP -j ACCEPT
# service iptables save
(This rule allow to the accept any packet from the IP 192.168.0.200 only on interface eth0)
3. To block the incoming packet from any particular IP.
# iptables -A INPUT -s 192.168.0.200 -j DROP
# service iptables save
(This rule stops the pinging from the particular IP 192.168.0.200)
4. To delete any particular RULE from the iptables.
# iptables -D INPUT -s 192.168.0.200 -j DROP
# service iptables save .
(This rule delete the entry of pinging restriction from IP 192.168.0.200 and start the pinging as usual).
5. To Block any particular websites on the system.
# iptables -A INPUT -s www.gmail.com -j DROP
# service iptables save
(This rule block the particular site www.gmail.com to open on the system to reopen same as step3)
6. Block a Specific ip-address.
# iptables -A INPUT -s 192.168.2.100 -j DROP
# iptables -A INPUT -i eth0 -s 192.168.2.100 -j DROP
# iptables -A INPUT -i eth0 -p tcp -s 192.168.2.100 -j DROP
7. Allow ALL Incoming SSH on eth0 interface.
# iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
8. Allow Incoming SSH only from a Sepcific Network.
# iptables -A INPUT -i eth0 -p tcp -s 192.168.2.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
9. Allow Incoming HTTP and HTTPS.
# iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
7. Combine Multiple Rules together using Multi Ports
# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
8. Allow Outgoing SSH
# iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
9. Allow Outgoing SSH only to a Specific Network
# iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
10. Allow Outgoing HTTPS
# iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
11. Load Balance Incoming Web Traffic
# iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
# iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
# iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
12. Allow Ping from Outside to Inside
# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
13. Allow Ping from Inside to Outside
# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
14. Allow Loopback Access
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
15. Allow Internal Network to External network.
# iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
16. Allow outbound DNS
# iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
# iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
17. Allow NIS Connections
If NIS to manage our user accounts, we should allow the NIS connections. Even when the SSH connection is allowed, if we don't allow the NIS related ypbind connections, users will not be able to login.
The NIS ports are dynamic. i.e When the ypbind starts it allocates the ports.
First do a rpcinfo -p as shown below and get the port numbers. In this example, it was using port 853 and 850.
# rpcinfo -p | grep ypbind
Now allow incoming connection to the port 111, and the ports that were used by ypbind.
# iptables -A INPUT -p tcp --dport 111 -j ACCEPT
# iptables -A INPUT -p udp --dport 111 -j ACCEPT
# iptables -A INPUT -p tcp --dport 853 -j ACCEPT
# iptables -A INPUT -p udp --dport 853 -j ACCEPT
# iptables -A INPUT -p tcp --dport 850 -j ACCEPT
# iptables -A INPUT -p udp --dport 850 -j ACCEPT
The above will not work when you restart the ypbind, as it will have different port numbers that time.
There are two solutions to this: 1) Use static ip-address for your NIS, or 2) Use some clever shell scripting techniques to automatically grab the dynamic port number from the "rpcinfo -p" command output, and use those in the above iptables rules.
18. Allow Rsync From a Specific Network
# iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
19. Allow MySQL connection only from a specific network
If you are running MySQL, typically you don't want to allow direct connection from outside. In most cases, you might have web server running on the same server where the MySQL database runs.
However DBA and developers might need to login directly to the MySQL from their laptop and desktop using MySQL client. In those case, you might want to allow your internal network to talk to the MySQL directly as shown below.
# iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
20. Allow Sendmail or Postfix Traffic
# iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
21. Allow IMAP and IMAPS
# iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
The following rules allow IMAPS traffic.
# iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
22. Allow POP3 and POP3S
# iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
The following rules allow POP3S access.
# iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
23. Prevent DoS (Denial of Service) Attack
# iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
In the above example:
-m limit: This uses the limit iptables extension
-limit 25/minute: This limits only maximum of 25 connection per minute. Change this value based on your specific requirement
-limit-burst 100: This value indicates that the limit/minute will be enforced only after the total number of connection have reached the limit-burst level.
24. Port Forwarding
The following example routes all traffic that comes to the port 442 to 22. This means that the incoming ssh connection can come from both port 22 and 422.
# iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
If you do the above, you also need to explicitly allow incoming connection on the port 422.
# iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT
25. Log Dropped Packets
You might also want to log all the dropped packets. These rules should be at the bottom.
First, create a new chain called LOGGING.
# iptables -N LOGGING
Next, make sure all the remaining incoming connections jump to the LOGGING chain as shown below.
# iptables -A INPUT -j LOGGING
Next, log these packets by specifying a custom "log-prefix".
# iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
Finally, drop these packets.
# iptables -A LOGGING -j DROP
IP Tables NAT:
It is responsible for network address translation. It has two built-in chains.
PREROUTING: Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.
POSTROUTING: Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.
Configure NAT:
Step 1: First need to tell the kernel that we want to allow IP forwarding. For this do the following.
# echo 1 > /proc/sys/net/ipv4/ip_forward
Step 2:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth0 -o eth1 -m state - -state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Forward a packet from our internal network “/dev/eth1” to your external network on “/dev/eth0”.
Step 3: For checking this we can ping on external hosts from one of any internal hosts.
Step 4:
# vim /etc/sysctl.conf
Change in the line no. 7 “net.ipv4.ip_forward = 0” to “net.ipv4.ip_forward = 1”. After change this no need to re-boot for kernel update.
Step 5:
# service iptables save
# service iptables restart
Step 6:
# vim /etc/sysconfig/iptables-config
IPTABLES_MODULES_UNLOAD=“yes”
IPTABLES_SAVE_ON_STOP=“yes”
IPTABLES_SAVE_ON_RESTART=“yes”
Routing traffic between two networks with iptables
Actually, you don't really need iptables for basic routing - iptables helps you with filtering and NAT (and other things too).
You can activate packet forwarding with:
sysctl -w net.ipv4.conf.all.forwarding=1
Add net.ipv4.conf.all.forwarding=1 to /etc/sysctl.conf to make the setting stick.
In case you are filtering on the server (you can check this with iptables -nvL - if the FORWARD chain has policy ACCEPT you're not filtering), you need to add rules to allow the packets to be forwarded between networks:
iptables -I FORWARD -i eth0 -o wlan0 -s wi.red.net.work/24 -d wire.less.net.work/24 -j ACCEPT
iptables -I FORWARD -i wlan0 -o eth0 -s wire.less.net.work/24 -d wi.red.net.work/24 -j ACCEPT
If you aren't filtering but want to (you should too, by the way - see @Red Tux's comment, it's good practice to filter by default and allow only the minimum) add the previous rules plus this one:
iptables -P FORWARD DROP
This changes the policy so all packets not matching any rules are discarded.
Also, if you're going for real security, you should probably filter on the INPUT chain as well. This chain processes requests coming to your router with a destination IP that matches one of its own - that is, incoming connections (for example SSH). A sensible default would be:
iptables -I INPUT -i eth0 -s allowed.admin.ip.here -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -P INPUT DROP
# make sure you've put your IP on the first rule before running this
# or you'll lock you out of the server
This allows SSH only from a designed host in the wired network (take note of the warning), allows all traffic on the loop back interface (required by some software) and discards all the rest.
As you can see you can allow only some ports through using -p tcp|udp --dport N. You should consider doing this on the FORWARD chain too for increased security.
No comments:
Post a Comment