
Firewalling with IPTables

By Kurt Seifried kurt@seifried.org

NETFILTER is the next generation of packet firewalling for Linux. It should make a variety of activities easier: firewalling, IPSec, anything to do with packet management really. The HOWTO is available at http://netfilter.samba.org/. New features in IPTables include string matching, so you can block packets if they contain the string "foo.exe", for example. Of course, attackers can trivially obfuscate data (using Unicode, for example) to avoid rules that would block "foo.exe".

You can do incredibly complex things with IPTables. The HOWTO at: http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc.html covers many of the details.

A basic example

For those of you who just want to get on with it, here is a simple iptables firewall script I use that is suitable for machines with one interface:

NOTE: this example is still incomplete; rules to flush and clear the existing chains need to be added before it.

*filter
#
# Table header and chain declarations so the file can be loaded with
# iptables-restore, which flushes the filter table before loading it.
# INHTTP is the user-defined chain used below and must be declared here.
#
:INPUT ACCEPT [0:0]
:INHTTP - [0:0]
#
# These rules block a number of reserved networks.
# For example 10.* is used for non-routable internal networks
# For example 224.* and up is used for multicast
# We use DROP since these networks are not active and the response
# will go nowhere
#
-A INPUT -s 0.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 1.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 2.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 5.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 7.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 10.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 23.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 27.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 31.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 36.0.0.0/254.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 39.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 41.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 42.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 58.0.0.0/254.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 60.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 68.0.0.0/252.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 72.0.0.0/248.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 82.0.0.0/254.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 84.0.0.0/252.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 88.0.0.0/248.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 96.0.0.0/224.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 197.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 219.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 220.0.0.0/252.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
-A INPUT -s 224.0.0.0/224.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
#
# Then we allow SSH, SMTP and DNS
#
-A INPUT -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p tcp -m tcp --dport 22:22 -j ACCEPT
-A INPUT -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p tcp -m tcp --dport 25:25 -j ACCEPT
-A INPUT -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p udp -m udp --dport 53:53 -j ACCEPT
-A INPUT -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p tcp -m tcp --dport 53:53 -j ACCEPT
#
# Packets destined to port 80 (HTTP) get bounced to another chain since
# we want to do more selective firewalling
#
-A INPUT -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p tcp -m tcp --dport 80:80 -j INHTTP
#
# Now we block all incoming traffic to ports between 1 and 59999. For your system
# to behave it is suggested you modify ip_local_port_range in /proc
#
-A INPUT -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p tcp -m tcp --dport 1:59999 -j REJECT
-A INPUT -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p udp -m udp --dport 1:59999 -j REJECT
#
# The accept rule at the end of our http chain; the rules that block
# individual abusers go above it in this chain
#
-A INHTTP -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p tcp -m tcp --dport 80:80 -j ACCEPT
COMMIT

The logic behind this is that with 25 rules I block over 100 reserved class A networks that are commonly used for spoofing attacks and the like. Then I allow several services, and then I block the majority of ports. The reason port 80 goes to its own rule chain is that I have several hundred rules to block various abusers of my web site, and I do not want them cluttering up the main list.

If you send RSTs, make sure you are not firewalling those outgoing RSTs.

How IPTables processes rules and configuration files

Rule processing

Unlike IPF, where every matching rule takes its action, IPTables stops at the first rule that matches a packet and applies that rule's target. Rules are organised into chains.

Append (-A) versus insert (-I).

iptables-save and iptables-restore

Examples of the file format.

Basic rule targets

User defined targets and chains

Specification of interfaces, addresses, packet types and so on

You can specify a great many things, and the ! (negation) operator makes this easier.

Protocols

Interfaces

Basics of interface specification: -i / --in-interface and -o / --out-interface, both of which can be negated with !.

Addresses and networks

Netmasks and hosts

IP Ports and options

IP Options

IP Fragments

TCP/UDP Ports

ICMP type/code

TCP Flags (established)

Responding to a BAD packet

IP Security Classes ??

Packet state filtering

NAT and IPMasquerading

Network Address Translation (NAT)

Transparent Proxy Support

Transparent routing ??

Logging with IPTables

Logging packets to network devices

One of the nicest things about IPTables is that it is stateful, and there are several options for state: NEW, ESTABLISHED, RELATED and INVALID. INVALID is especially interesting, as it matches:

A packet which could not be identified for some reason: this includes running out of memory and ICMP errors which don't correspond to any known connection. Generally these packets should be dropped.

Putting this rule first in your list may be a wise decision, since it prevents mangled packets from traversing your chains and may also help the survivability of your server if someone attacks it.

-A INPUT -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP
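To see how the basic example above and the INVALID rule just shown are actually evaluated, here is an added example (my own Python code, not the author's script): a small model of chain processing run against a constructed subset of those rules. It walks INPUT top to bottom, stops at the first matching rule with a terminating target, enters the INHTTP user chain on -j and falls back to INPUT when nothing in INHTTP matched, applies the chain policy at the end, and models -I versus -A ordering. The packet fields (src, dport, proto, iface, state), the names parse/matches/verdict/decide and the restriction to the options -s, -i, -p, --dport, --state and -j are my assumptions.

```python
import ipaddress

# Constructed subset of the page's ruleset, in iptables-save syntax (assumption:
# only -s, -i, -p, --dport, --state and -j are modelled; -m is just skipped).
RULES = """\
:INPUT ACCEPT [0:0]
:INHTTP - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22:22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80:80 -j INHTTP
-A INPUT -i eth0 -p tcp -m tcp --dport 1:59999 -j REJECT
-A INHTTP -i eth0 -p tcp -m tcp --dport 80:80 -j ACCEPT
"""

def parse(text):
    """':NAME POLICY' declares a chain ('-' = user chain, no policy); -A appends a rule, -I inserts it at the top."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith(("-A ", "-I ")):
            argv = line.split()
            rule = {f: v for f, v in zip(argv[2::2], argv[3::2]) if f != "-m"}
            chains[argv[1]].insert(0 if argv[0] == "-I" else len(chains[argv[1]]), rule)
    return policies, chains

def matches(rule, pkt):
    """Every option on the rule must match; a rule with no options matches every packet."""
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.get("-s", "0.0.0.0/0")):
        return False
    lo, hi = map(int, rule.get("--dport", "0:65535").split(":"))
    if not lo <= pkt["dport"] <= hi:
        return False
    return all(rule.get(f, pkt[k]) == pkt[k] for f, k in (("-i", "iface"), ("-p", "proto"), ("--state", "state")))

def verdict(policies, chains, chain, pkt):
    """First matching terminating rule wins; a user chain returns to its caller if nothing matched; a builtin chain ends with its policy."""
    for rule in chains[chain]:
        if matches(rule, pkt):
            if rule["-j"] in ("ACCEPT", "DROP", "REJECT"):
                return rule["-j"]
            result = verdict(policies, chains, rule["-j"], pkt)  # -j into a user-defined chain
            if result is not None:
                return result
    return None if policies[chain] == "-" else policies[chain]

def decide(text, src, dport, proto="tcp", iface="eth0", state="NEW"):
    policies, chains = parse(text)
    return verdict(policies, chains, "INPUT", dict(src=src, dport=dport, proto=proto, iface=iface, state=state))
```

Because the rules in RULES are evaluated in order, a packet from 10.x to port 22 is dropped by the reserved-network rule before the SSH accept is ever reached, and the same ACCEPT rule behaves differently depending on whether it is appended below the REJECT rule or inserted above it.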

To list current NAT tables:

iptables -t nat -L -v -n
