Firewall Setup: A brief overview of iptables in Ubuntu Linux
Iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores. Different kernel modules and programs are currently used for different protocols: iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.
Iptables requires elevated privileges to operate and must be executed as user root; otherwise it fails to function. On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man page, which can be opened with man iptables once installed. It may also be found in /sbin/iptables, but since iptables is not an "essential binary" but more like a service, the preferred location remains /usr/sbin.
All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain. There are three tables in total, and every table contains a set of default (built-in) chains. The user can also define new chains and jump to them from the default chains.
iptables contains 3 tables:
• filter table
• nat table
• mangle table
filter table: This table is used to filter packets that pass through the firewall. Its only purpose is packet filtering: it filters packets that come to the machine (incoming), packets that go out (outgoing) and packets that are forwarded between network cards (forwarding), in case the machine has two or more network cards.
That table contains 3 chains: INPUT chain, OUTPUT chain and FORWARD chain.
INPUT chain – used to filter incoming packets
OUTPUT chain – used to filter outgoing packets
FORWARD chain – used to filter forwarded packets (between network cards).
nat table: This table is used to change the source or destination IP address of packets (network address translation).
PREROUTING chain – used to change IP addresses before forwarding takes place
POSTROUTING chain – used to change IP addresses after forwarding takes place
OUTPUT chain – used for locally generated outgoing packets
mangle table: This table is used to modify packets.
Some iptables commands and examples:
Syntax of the iptables command:
iptables -A CHAIN [expression] -j JUDGEMENT
Chain: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
Judgement (target): ACCEPT, DROP, REJECT, QUEUE
Expression:
-s Source_IP
-d Destination_IP
--source-port Source_port (short form --sport; requires -p tcp or -p udp)
--destination-port Destination_port (short form --dport; requires -p tcp or -p udp)
-i incoming network_interface
-o outgoing network_interface
! expression = NOT logic gate
--syn = SYN flag set (requires -p tcp)
iptables extensions:
--tcp-flags mask comp – used to check which TCP flags are set
-m state --state STATE1,STATE2 where STATEx = NEW, ESTABLISHED, RELATED, INVALID
-p icmp --icmp-type type[/code]
-m mac --mac-source MAC_address, e.g. 00:60:08:91:CC:B7
iptables Examples:
iptables -A INPUT -s 192.168.0.1 -j DROP
The above will drop all packets that come from IP 192.168.0.1.
Chain management
iptables -L
The command will list all rules from all chains of the filter table.
iptables -L -v # lists all rules from all chains of the filter table in verbose mode, also showing the packets and bytes that matched each rule
iptables -L -v --line-numbers
Shows the above and also the rule numbers.
iptables -L INPUT
It will show all rules from INPUT chain from filter table
iptables -L -t nat
It will show all rules from all chains from nat table
iptables -t nat -L PREROUTING
It will show all rules from PREROUTING chain from nat table
iptables -L -t mangle
It will show all rules from all chains from mangle table
Adding rules to chains:
To add a rule to a chain use:
iptables -A INPUT -s 192.168.0.1 -j ACCEPT
This command will add the rule to the INPUT chain of the filter table. It will allow traffic from source IP 192.168.0.1.
iptables -A INPUT -p tcp --dport 22 -j DROP
The rule will drop all traffic to destination port 22 (our SSH port).
iptables -A appends the rule at the end of the rule list in the specified chain. If you want to insert a rule at a specific position in your chain, you must use -I.
iptables -I INPUT 1 -s 192.168.0.1 -j ACCEPT # adds the rule at position 1 of your INPUT chain
iptables -I INPUT 10 -p tcp --dport 22 -j DROP # adds the rule at position 10 of your INPUT chain
Rules are evaluated from the first to the last. When a packet matches an ACCEPT or DROP rule, that verdict is final and the remaining rules are not evaluated.
Note: if you want to block traffic that comes to your machine you must add the rule to the INPUT chain. If you want to block traffic from your machine to a destination IP you must add the rule to the OUTPUT chain.
Delete all rules from all chains (flushing removes the rules but leaves the chain policies set with -P unchanged):
iptables -F # will delete all rules from filter table
iptables -F -t nat # will delete all rules from nat table
iptables -F -t mangle # will delete all rules from mangle table
Deleting a rule from a chain:
To delete a rule from a chain you have two possibilities: delete it by rule number, or delete it using the same syntax that was used when the rule was added:
iptables -D INPUT 10 # will delete rule 10 from the INPUT chain
iptables -D PREROUTING 10 -t nat # will delete rule 10 from the PREROUTING chain of the nat table
iptables -D INPUT -s 192.168.0.1 -j ACCEPT # will delete the rule that was added with iptables -A INPUT -s 192.168.0.1 -j ACCEPT
Note: In the previous example, the first rule that matches that syntax will be deleted. If there are many similar rules, only the first one will be deleted. To delete all rules that match that syntax, you must run the previous command multiple times until all of them are gone.
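As an added example (not code from the original page), the following Python model reproduces the chain semantics described in the -A, -I and -D sections above: the first matching rule decides, -I inserts at a 1-based position, -D with a rule specification removes only the first equal rule, and the chain policy applies when nothing matches. The Rule and Chain names, the dict packet representation and the demo() replay are the example's own, and only -s, -p and --dport matching is modelled.

```python
# Added example (not from the page): model of iptables chain semantics; only -s, -p, --dport modelled.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    target: str                  # -j ACCEPT / DROP / REJECT
    src: Optional[str] = None    # -s address or CIDR prefix
    proto: Optional[str] = None  # -p tcp / udp / icmp
    dport: Optional[int] = None  # --dport (meaningful with tcp/udp only)
    def matches(self, pkt: dict) -> bool:  # pkt keys: src, proto, optional dport
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True

@dataclass
class Chain:
    policy: str = "ACCEPT"       # default policy, as set with iptables -P
    rules: list = field(default_factory=list)
    def append(self, rule: Rule) -> None:        # iptables -A CHAIN ...
        self.rules.append(rule)
    def insert(self, pos: int, rule: Rule) -> None:  # iptables -I CHAIN pos ...
        self.rules.insert(pos - 1, rule)         # iptables numbers rules from 1
    def delete_number(self, pos: int) -> None:   # iptables -D CHAIN pos
        del self.rules[pos - 1]
    def delete_spec(self, rule: Rule) -> None:   # iptables -D CHAIN <spec>
        self.rules.remove(rule)                  # removes only the first equal rule
    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:                  # evaluated first to last
            if rule.matches(pkt):
                return rule.target               # first match is final
        return self.policy                       # nothing matched: policy applies

def demo() -> list:  # replays the page's -A / -I / -D examples on a constructed SSH packet
    ssh = {"src": "192.168.0.1", "proto": "tcp", "dport": 22}
    chain = Chain()
    chain.append(Rule("DROP", proto="tcp", dport=22))
    chain.append(Rule("ACCEPT", src="192.168.0.1"))
    out = [chain.verdict(ssh)]                    # DROP: the earlier rule wins
    chain.insert(1, Rule("ACCEPT", src="192.168.0.1"))
    out.append(chain.verdict(ssh))                # ACCEPT: now first in the chain
    chain.delete_spec(Rule("ACCEPT", src="192.168.0.1"))
    out.append(chain.verdict(ssh))                # DROP: only position 1 was removed
    return out
```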
Example of a Firewall
iptables -F
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT # Allow self access via the loopback interface
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # Accept established connections
iptables -A INPUT -p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset # Reset stray TCP packets that carry no MSS option (i.e. are not SYNs) and did not belong to a tracked connection
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT # Open FTP port (FTP uses TCP only, so the UDP rule matches no useful traffic)
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT # Open secure shell port (SSH uses TCP only)
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT # Open HTTP port (HTTP here runs over TCP)
iptables -A INPUT -p tcp --syn -s 192.168.10.0/24 --destination-port 139 -j ACCEPT # Accept local network Samba connections
iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT # trancas is a hostname, resolved once when the rule is added
iptables -P INPUT DROP
The last command sets the default policy of the INPUT chain to DROP, so all other connection attempts are dropped. Only the connections defined above are allowed. Because the loopback and ESTABLISHED,RELATED rules are added before the policy is changed, an existing remote session survives when this script is applied.