IPTABLES

Packet filtering is performed at the following five points (the built-in chains); the tables that provide each chain are listed in parentheses:

PREROUTING - filters packets upon arrival (nat,mangle,raw)
FORWARD - for packets being routed through the box provided /proc/sys/net/ipv4/ip_forward is set to 1 (mangle, filter)
INPUT - for packets destined to local sockets (filter, mangle)
OUTPUT - alters locally-generated packets prior to POSTROUTING and after leaving the sending process (nat, mangle, filter, raw)
POSTROUTING - alters packets immediately before they leave the system (nat, mangle)
 

The tables are as follows:

filter: This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
nat: This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
mangle: This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
raw: This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) and OUTPUT (for packets generated by local processes).
 

TARGETS

A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN.

ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case.) RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain; reaching the end of a user-defined chain has the same effect. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

COMMANDS

-A --append chain rule-specification
-D --delete chain rule-specification
-D --delete chain rulenum
-I --insert chain [rulenum] rule-specification
-R --replace chain rulenum rule-specification
-L --list [chain] (e.g. to list the nat rules use: iptables -t nat -n -L; note that filter is the default table when no -t is specified)
-F --flush [chain]
-Z --zero [chain] to zero the packet and byte counters (may be used with -L to see list just prior to zeroing out)
-N --new-chain chain
-P --policy chain target
-E --rename-chain old-chain new-chain

RULES are matched in an ordered list fashion starting from the top and working downward until there is a match. If there is no match then the default policy applies.
Example /etc/sysconfig/iptables with descriptive comments:
 
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
### DEFAULT CHAINS with default policy of ACCEPT ####
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
### CUSTOM CHAINS ####
:Firewall-INPUT - [0:0]
:NETBACKUP - [0:0]
### (-A) Append to the INPUT chain a rule that (-j) jumps to the custom chain "Firewall-INPUT" #####
### in essence all traffic destined to the local system is handled by the rules in the Firewall-INPUT chain ###
-A INPUT -j Firewall-INPUT
 
### Same as above except for packets being forwarded through this server, 
### typically moot because we disable forwarding on our hosts   ###
-A FORWARD -j Firewall-INPUT
 
### Default rule to allow all traffic on the loopback interface through the chain (-i) in-interface in this case 
### is loopback and -j ACCEPT means to jump to the target ACCEPT which allows the packet through
### without any further checks ###
-A Firewall-INPUT -i lo -j ACCEPT
 
### Rule that allows any type of icmp traffic through to the server
### -p icmp means layer 4 protocol icmp
-A Firewall-INPUT -p icmp --icmp-type any -j ACCEPT

### Rules to allow protocol 50 and 51 traffic (ESP and AH for IPsec) ###
-A Firewall-INPUT -p 50 -j ACCEPT
-A Firewall-INPUT -p 51 -j ACCEPT

### Rule to allow udp protocol with destination port of 5353 and destination multicast address 
### 224.0.0.251 - port 5353 is associated with Multicast DNS
-A Firewall-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
 
### cupsd printing daemon rule ###
-A Firewall-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A Firewall-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

### DNS RULES ###
-A Firewall-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A Firewall-INPUT -p tcp -m tcp --dport 53 -j ACCEPT

### all packets with a state of Established or Related ###
-A Firewall-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### all SSH traffic with a state of NEW ###
-A Firewall-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 
#### ENABLE THESE ON ORACLE OR VNC Server ONLY
# FTP Rule
#-A Firewall-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# VNC RULES
#-A Firewall-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
#-A Firewall-INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT
# Oracle Rule
#-A Firewall-INPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
#### END OF ORACLE ENTRIES

### Netbackup ports get filtered to the NETBACKUP chain
### all traffic to or from the 13xxx ports defined below is -j jumped to the NETBACKUP chain
-A Firewall-INPUT -p tcp -m tcp --sport 13701 -j NETBACKUP
-A Firewall-INPUT -p tcp -m tcp --sport 13711 -j NETBACKUP
-A Firewall-INPUT -p tcp -m tcp --sport 13720:13724 -j NETBACKUP
-A Firewall-INPUT -p tcp -m tcp --sport 13782:13783 -j NETBACKUP
-A Firewall-INPUT -p tcp -m tcp --dport 13701 -j NETBACKUP
-A Firewall-INPUT -p tcp -m tcp --dport 13711 -j NETBACKUP
-A Firewall-INPUT -p tcp -m tcp --dport 13720:13724 -j NETBACKUP
-A Firewall-INPUT -p tcp -m tcp --dport 13782:13783 -j NETBACKUP

### Catch all to block any traffic that hasn't matched a rule up to this point ###
-A Firewall-INPUT -j LOG
-A Firewall-INPUT -j REJECT --reject-with icmp-host-prohibited
##### End of Firewall-INPUT definitions #####

### Netbackup chain -- only allow netbackup ports to/from netbackup servers
### Traffic forwarded from Firewall-INPUT above is only allowed to the source and destination 
### addresses below
-A NETBACKUP -s 10.3.1.30 -j ACCEPT
-A NETBACKUP -s 10.4.1.20 -j ACCEPT
-A NETBACKUP -d 10.3.1.30 -j ACCEPT
-A NETBACKUP -d 10.4.1.20 -j ACCEPT
### Catch all rules to log and make sure no packets get forwarded that do not match any rules in this chain
-A NETBACKUP -j LOG
-A NETBACKUP -j REJECT --reject-with icmp-port-unreachable

COMMIT
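An added model (not code from the original page) of the chain traversal described under TARGETS, run over a constructed excerpt of the ruleset above in iptables-save format: it follows -j into user-defined chains, treats LOG as non-terminating, resumes in the caller at the end of (or on RETURN from) a user-defined chain, and otherwise applies the built-in chain's policy. Only the one-argument options used in the excerpt are parsed, and `check` fills in assumed packet defaults.

```python
import ipaddress

# Constructed excerpt of the page's Firewall-INPUT / NETBACKUP ruleset (iptables-save format).
RULESET = """\
:INPUT ACCEPT [0:0]
:Firewall-INPUT - [0:0]
:NETBACKUP - [0:0]
-A INPUT -j Firewall-INPUT
-A Firewall-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A Firewall-INPUT -p tcp -m tcp --sport 13720:13724 -j NETBACKUP
-A Firewall-INPUT -j LOG
-A Firewall-INPUT -j REJECT --reject-with icmp-host-prohibited
-A NETBACKUP -s 10.3.1.30 -j ACCEPT
-A NETBACKUP -j REJECT --reject-with icmp-port-unreachable
"""
IGNORED = {"-m", "--reject-with", "-j"}  # module loads and the reject type do not change the verdict
def parse(text):
    """chain -> (policy or '-', [(criteria, target)]); every option in RULESET takes one argument."""
    chains = {}
    for line in text.splitlines():
        toks = line.split()
        if line.startswith(":"):
            chains[toks[0][1:]] = (toks[1], [])
        elif line.startswith("-A "):
            opts = dict(zip(toks[2::2], toks[3::2]))
            crit = {k: v for k, v in opts.items() if k not in IGNORED}
            chains[toks[1]][1].append((crit, opts["-j"]))
    return chains
def matches(crit, p):
    rng = lambda port, spec: int(spec.split(":")[0]) <= port <= int(spec.split(":")[-1])  # "22" or "lo:hi"
    tests = {"-p": lambda v: p["proto"] == v, "--state": lambda v: p["state"] in v.split(","),
             "--dport": lambda v: rng(p["dport"], v), "--sport": lambda v: rng(p["sport"], v),
             "-s": lambda v: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(v, strict=False)}
    return all(tests[k](v) for k, v in crit.items())

def verdict(chains, name, p):
    """First terminating match wins; LOG continues; end of/RETURN from a user chain resumes in the caller (None); built-ins end with their policy."""
    policy, rules = chains[name]
    for crit, target in rules:
        if matches(crit, p):
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
            if target == "RETURN":
                break
            result = target in chains and verdict(chains, target, p)  # -j to a user-defined chain
            if result:
                return result
    return None if policy == "-" else policy
def check(proto, dport=0, sport=0, src="203.0.113.9", state="NEW"):
    return verdict(parse(RULESET), "INPUT", dict(proto=proto, dport=dport, sport=sport, src=src, state=state))
```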
 

Rate Limit Ping example:

# Allow echo requests, but rate limited: an average of 10/min with a burst of 3; anything above that is dropped
-A INPUT -m icmp -p icmp --icmp-type 8 -i eth0 -m limit --limit 10/min --limit-burst 3 -j ACCEPT
-A INPUT -m icmp -p icmp --icmp-type 8 -i eth0 -j DROP

Rate Limit SSH example:

# Rate limit world SSH new connection attempts (sshd listens on port 1983 here):
# the third NEW connection from one source address within 60 seconds is rejected
-A INPUT -p tcp -m tcp --dport 1983 -m state --state NEW -m recent --set
-A INPUT -p tcp -m tcp --dport 1983 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j REJECT
-A INPUT -p tcp -m tcp --dport 1983 -j ACCEPT
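An added model (not from the original page) of what the two `-m recent` rules do, following the way xt_recent evaluates them: `--set` records every NEW packet, and `--update --seconds 60 --hitcount 3` matches once three hits fall inside the window and, on a match, records the packet again, so the block is renewed for as long as attempts keep arriving within 60 s of the previous one. Source addresses and times are constructed, and the per-source stamp list is assumed unbounded (the kernel keeps the last 20 by default).

```python
from collections import defaultdict

SECONDS, HITCOUNT = 60, 3    # the page's --seconds 60 --hitcount 3
stamps = defaultdict(list)   # source address -> times of recorded hits (model of the xt_recent table)

def ssh_new_connection(src, now):
    """Verdict for a NEW connection from src at time `now` (seconds) under the page's rules:
    '-m recent --set', then '-m recent --update --seconds 60 --hitcount 3 -j REJECT', then ACCEPT."""
    stamps[src].append(now)                                     # --set: record this packet's time
    in_window = [t for t in stamps[src] if now - t <= SECONDS]  # --update: hits inside the window
    if len(in_window) >= HITCOUNT:
        stamps[src].append(now)   # on a match --update records the packet again, so attempts spaced
        return "REJECT"           # under 60 s apart stay blocked; --rcheck would not refresh the entry
    return "ACCEPT"

def simulate(attempts):
    """attempts: list of (src, time) in arrival order; returns the verdicts (fresh table per run)."""
    stamps.clear()
    return [ssh_new_connection(src, t) for src, t in attempts]
```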

Example Routing Filters:

# Main routing filter
#
# Networks:
# 192.168.1.0/24 - NEAR Trusted
# 192.168.2.0/24 - FAR Trusted
# 192.168.3.0/24 - FAR VPN
# 192.168.4.0/24 - NEAR VPN
# 192.168.5.0/24 - NEAR Media Systems
# 192.168.10.0/24 - NEAR Guest Network
#
*filter
:INPUT ACCEPT [4389:504305]
:FORWARD ACCEPT [135206:133165003]
:OUTPUT ACCEPT [3451:399970]

# Filter packets being routed to internal hosts
-A FORWARD -p tcp -m tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
-A FORWARD -p tcp -m tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j REJECT

# Allow ping and VPN as only input to this host from the Internet
-A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
-A INPUT -m icmp -p icmp --icmp-type 8 -i eth0 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 563 -j ACCEPT
-A INPUT -i eth0 -j REJECT

# Block impossible packets (source address is on a different network than the receiving interface)
# "! -i" is the current negation syntax; older iptables releases wrote the same thing as "-i ! lo"
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -s 192.168.1.0/24 ! -i eth1 -j REJECT
-A INPUT -s 192.168.3.0/24 ! -i tun+ -j REJECT
-A INPUT -s 192.168.4.0/24 ! -i tun+ -j REJECT

-A FORWARD -s 192.168.1.0/24 ! -i eth1 -j REJECT
-A FORWARD -s 192.168.3.0/24 ! -i tun+ -j REJECT
-A FORWARD -s 192.168.4.0/24 ! -i tun+ -j REJECT

COMMIT
Enabling connection tracking helper modules:
Edit /etc/sysconfig/iptables-config and add a space-delimited list of the modules you want loaded to the IPTABLES_MODULES variable.

Available Modules

  • ip_conntrack_ftp - automatically opens the required data-connection ports
  • ip_conntrack_tftp
  • ip_conntrack_netbios_ns
  • ip_nat_ftp - for computers behind a NAT device
  • ip_nat_tftp

IPTABLES_MODULES="ip_conntrack_ftp ip_conntrack_netbios_ns"

These are the older ip_conntrack-era module names; on current kernels the same helpers are named nf_conntrack_ftp, nf_conntrack_tftp, nf_conntrack_netbios_ns, nf_nat_ftp and nf_nat_tftp.

 

NAT

Source NAT (SNAT) translates the source address of outbound packets and the destination address of incoming return packets.  Destination NAT (DNAT) is used to provide selective access to internal resources or to transparently forward traffic to an alternate port.

Example SNAT entries

Specific IP Mapping:

    iptables -t nat -A POSTROUTING -j SNAT --to-source 10.3.1.45

Specific port mapping (a port in --to-source requires a protocol match such as -p tcp or -p udp):

    iptables -t nat -A POSTROUTING -p tcp -j SNAT --to-source 10.3.1.45:8099

Range of IP mapping (randomly selected IP):

    iptables -t nat -A POSTROUTING -j SNAT --to-source 10.3.1.45-10.3.1.55

Range of ports mapping (randomly selected port; again a protocol match is required):

    iptables -t nat -A POSTROUTING -p tcp -j SNAT --to-source 10.3.1.45:8090-8099

 

Masquerading (for a gateway whose external address is assigned dynamically, e.g. by DHCP: MASQUERADE always uses the current address of the outgoing interface, so no --to-source is needed):

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
Show the running nat tables
iptables -t nat -L -n -v
 
Flush the running NAT tables
iptables -t nat --flush
 
Save the running Config
iptables-save
 

NAT Example:

# Generated by iptables-save v1.4.1.1 on Tue Apr 28 23:07:42 2009
*nat
:PREROUTING ACCEPT [532:37226]
:POSTROUTING ACCEPT [92:6041]
:OUTPUT ACCEPT [74:5393]

# NAT Internet bound traffic
-A POSTROUTING -o eth0 -j MASQUERADE

# Services on Webserver
-A PREROUTING -i eth0 -m tcp -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 192.168.1.4
-A PREROUTING -i eth0 -m tcp -p tcp --dport 22 --sport 1024:65535 -j DNAT --to 192.168.1.4
-A PREROUTING -i eth0 -m tcp -p tcp --dport 143 --sport 1034:65535 -j DNAT --to 192.168.1.5

# Skype on workstation
-A PREROUTING -i eth0 -m udp -p udp --dport 26474 -j DNAT --to 192.168.1.102
-A PREROUTING -i eth0 -m tcp -p tcp --dport 26474 -j DNAT --to 192.168.1.102

# Torrent Flux
-A PREROUTING -i eth0 -m tcp -p tcp --dport 49160:49300 --sport 1024:65535 -j DNAT --to 192.168.1.4

COMMIT

 
Example DNAT entries

Redirect inbound HTTP traffic to an alternate internal server:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-dest 10.3.2.50

 

Forward locally generated outbound HTTP traffic to a proxy server on port 3128 (DNAT in the OUTPUT chain applies to packets from local processes):

    iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 10.3.4.60:3128

 

Redirect to alternate destination port for incoming traffic (2200 will be forwarded to ssh on 10.3.1.45 in this case):

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2200 -j DNAT --to-dest 10.3.1.45:22
Redirect 443 to 8443 example
    iptables -t nat -A PREROUTING -i eth0  -p tcp --dport 443 -j DNAT --to-dest 10.2.16.126:8443
 

Round Robin (kernels up to 2.6.10 only; from 2.6.11 on, DNAT accepts a single --to-destination, so give an address range such as --to-dest 10.3.1.46-10.3.1.48 instead, which spreads connections across the range):

    iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 8080 -j DNAT --to-dest 10.3.1.46 --to-dest 10.3.1.47 --to-dest 10.3.1.48

 

 

Using at to prevent remote lockout when working with IPTABLES

    cd /etc/sysconfig

#Backup config

    cp iptables{,.bak}

#Make firewall config changes

    vi iptables

#Schedule a restore for 5 min in the future in case your changes lock you out

    echo "mv /etc/sysconfig/iptables.bak /etc/sysconfig/iptables && service iptables restart" | at now + 5 minutes

#Restart iptables

    service iptables restart

#If your changes worked and the at job is no longer needed to restore the config, use the following to determine the job ID

    atq

    Output: 1     Day    Month    dd  hh:mm:ss  yyyy  a   root

#If all went well with the config changes, remove the job and the backup:

    atrm 1

    rm -f iptables.bak

    Otherwise just wait for at to run and restore your config within 5 min if you got locked out.

 