Tuesday, September 2, 2014

What is Iptables & How to Implement on Linux


How To Start iptables
You can start, stop, and restart iptables after booting by using the commands:
[root@bigboy tmp]# service iptables start
[root@bigboy tmp]# service iptables stop
[root@bigboy tmp]# service iptables restart
To get iptables configured to start at boot, use the chkconfig command:
[root@bigboy tmp]# chkconfig iptables on

Determining The Status of iptables
You can determine whether iptables is running or not via the service iptables status command. Fedora Core will give a simple status message. For example:
[root@bigboy tmp]# service iptables status
Firewall is stopped.
[root@bigboy tmp]#

Table 14-1 Processing For Packets Routed By The Firewall

A packet passes through the chains of up to three tables, depending on whether it is destined for the firewall, generated by it, or routed through it. Each chain is a list of rules checked in order; the first matching rule with a terminating target decides the packet's fate.

Queue Type / Queue Function
  Packet Transformation Chain in Queue   Chain Function

Filter / Packet filtering
  FORWARD      Filters packets to servers accessible by another NIC on the firewall.
  INPUT        Filters packets destined to the firewall.
  OUTPUT       Filters packets originating from the firewall.

Nat / Network Address Translation
  PREROUTING   Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.
  POSTROUTING  Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.
  OUTPUT       Network address translation for packets generated by the firewall. (Rarely used in SOHO environments)

Mangle / Packet header modification
  PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
               Modification of header fields such as the quality of service (TOS) bits, the TTL, or a packet mark, before routing occurs. Not limited to TCP. (Rarely used in SOHO environments)

Targets And Jumps

The target is what iptables does with a packet once a rule matches it; the -j switch names it. The most common targets and their options:

ACCEPT
  • iptables stops further processing.
  • The packet is handed over to the end application or the operating system for processing.

DROP
  • iptables stops further processing.
  • The packet is blocked.

LOG
  • The packet information is sent to the syslog daemon for logging.
  • iptables continues processing with the next rule in the table.
  • As you can't log and drop at the same time, it is common to have two similar rules in sequence. The first will log the packet, the second will drop it.
  --log-prefix "string"
    Tells iptables to prefix all log messages with a user defined string. Frequently used to tell why the logged packet was dropped.

REJECT
  • Works like the DROP target, but will also return an error message to the host sending the packet that the packet was blocked.
  --reject-with qualifier
    The qualifier tells what type of reject message is returned. Qualifiers include: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited and, for TCP only, tcp-reset.

DNAT
  • Used to do destination network address translation, i.e. rewriting the destination IP address of the packet.
  --to-destination ipaddress
    Tells iptables what the destination IP address should be.

SNAT
  • Used to do source network address translation, rewriting the source IP address of the packet.
  • The source IP address is user defined.
  --to-source <address>[-<address>][:<port>-<port>]
    Specifies the source IP address and ports to be used by SNAT.

MASQUERADE
  • Used to do Source Network Address Translation.
  • By default the source IP address is the same as that used by the firewall's interface.
  • Intended for interfaces whose address is assigned dynamically (it re-reads the address and forgets its translations when the interface goes down); with a fixed address, SNAT is the better choice.
  [--to-ports <port>[-<port>]]
    Specifies the range of source ports to which the original source port can be mapped.

Table 14-2 General Iptables Match Criteria

iptables command switch   Description
-t <table>            If you don't specify a table, then the filter table is assumed. As discussed before, the possible built-in tables include: filter, nat, mangle.
-j <target>           Jump to the specified target chain when the packet matches the current rule.
-A <chain>            Append rule to end of a chain.
-F [<chain>]          Flush. Deletes all the rules in the selected chain, or in every chain of the selected table if no chain is given.
-L [<chain>]          List the rules in the selected chain (all chains if none is given).
-p <protocol-type>    Match protocol. Types include icmp, tcp, udp, and all.
-s <ip-address>       Match source IP address. A network in CIDR form (for example 192.0.2.0/24) is accepted too.
-d <ip-address>       Match destination IP address.
-i <interface-name>   Match "input" interface on which the packet enters. Only meaningful in the INPUT, FORWARD and PREROUTING chains.
-o <interface-name>   Match "output" interface on which the packet exits. Only meaningful in the FORWARD, OUTPUT and POSTROUTING chains.

In this command switches example (substitute the firewall's own address for <firewall-ip>):
iptables -A INPUT -s 0/0 -i eth0 -d <firewall-ip> -p TCP -j ACCEPT
iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's IP address. The 0/0 representation of an IP address means any.

In this example (<server-ip> stands for the address of a server behind the firewall):
iptables -A FORWARD -s 0/0 -i eth0 -d <server-ip> -o eth1 -p TCP \
         --sport 1024:65535 --dport 80 -j ACCEPT
iptables is being configured to allow the firewall to route TCP packets that enter on interface eth0 from any IP address and are destined for <server-ip>, which is reachable via interface eth1, provided the source port is in the range 1024 to 65535 and the destination port is 80 (www). Nothing in this rule lets the server's replies back out; the expansion below takes care of that.

In this example:

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables is being configured to allow the firewall to send ICMP echo-requests (pings) and in turn, accept the expected ICMP echo-replies.

Consider another example:

iptables -A INPUT -p icmp --icmp-type echo-request \
         -m limit --limit 1/s -i eth0 -j ACCEPT

The limit match caps the average rate at which a rule may match, here one inbound ping per second on eth0; echo-requests above that rate do not match and fall through to the rules that follow. The same match takes the edge off a TCP SYN flood:

iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

Only five new connection attempts (packets with just the SYN flag set) per second are accepted on eth0. The allowance is per rule, not per source address, so a single aggressive host uses it up for everyone; per-source limiting needs the hashlimit match instead.

This is an expansion on the previous example:
iptables -A FORWARD -s 0/0 -i eth0 -d <server-ip> -o eth1 -p TCP \
         --sport 1024:65535 -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -d 0/0 -o eth0 -s <server-ip> -i eth1 -p TCP \
         -m state --state ESTABLISHED -j ACCEPT
The first rule allows connections from the Internet to ports 80 and 443 on <server-ip>; the multiport match lets one rule list several ports. The second lets the server's replies back out through eth0, but only for connections the connection-tracking code has already seen (ESTABLISHED), so the server cannot use this pair of rules to open connections of its own to the Internet.
Using User Defined Chains

A user-defined chain has to be created with iptables -N <chain> before rules can be appended to it. A packet that reaches the end of a user-defined chain without matching returns to the chain that jumped to it and continues with the next rule there. Here the built-in chains hand traffic for the firewall's own address (<firewall-ip>) to protocol-specific chains:

iptables -A INPUT -i eth0 -d <firewall-ip> -j fast-input-queue
iptables -A OUTPUT -o eth0 -s <firewall-ip> -j fast-output-queue

iptables -A fast-input-queue -p icmp -j icmp-queue-in
iptables -A fast-output-queue -p icmp -j icmp-queue-out

iptables -A icmp-queue-out -p icmp --icmp-type echo-request \
         -m state --state NEW -j ACCEPT
iptables -A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT

Custom Queues Example Listing
  INPUT              The regular built-in INPUT chain in iptables
  OUTPUT             The regular built-in OUTPUT chain in iptables
  fast-input-queue   Input chain dedicated to identifying specific protocols and shunting the packets to protocol specific chains.
  fast-output-queue  Output chain dedicated to identifying specific protocols and shunting the packets to protocol specific chains.
  icmp-queue-out     Output queue dedicated to ICMP
  icmp-queue-in      Input queue dedicated to ICMP

Saving Your iptables Scripts

The service iptables save command writes the active rules to /etc/sysconfig/iptables in iptables-save format, and at boot the iptables service feeds that file to iptables-restore. A sample file, here the default Fedora firewall, looks like this:

[root@bigboy tmp]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 8 11:00:07 2004

Each table starts with *<table>, every chain is declared with :<chain> <policy> [packets:bytes] (a policy of "-" marks a user-defined chain such as RH-Firewall-1-INPUT), and COMMIT ends the table. Rules appear in the order they are matched, so the final REJECT only catches what no earlier rule accepted; the Red Hat idiom --icmp-type 255 stands for any ICMP type.

You can also capture the active configuration yourself with iptables-save and reload it with iptables-restore. This example exports the iptables-save output to a text file named firewall-config.
[root@bigboy tmp]# iptables-save > firewall-config
[root@bigboy tmp]# cat firewall-config
# Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@bigboy tmp]# iptables-restore < firewall-config
Finally, you should permanently save the active configuration so that it will be loaded automatically when the system reboots:
[root@bigboy tmp]# service iptables save

Loading Kernel Modules Needed By iptables

Connection tracking for multi-connection protocols such as FTP, and NAT, live in separate kernel modules. Load them before the rules that depend on them, for example from /etc/rc.local:

# File: /etc/rc.local

# Module to track the state of connections
modprobe ip_conntrack

# Load the iptables active FTP module, requires ip_conntrack
modprobe ip_conntrack_ftp

# Load iptables NAT module when required
modprobe iptable_nat

# Module required for an active FTP server using NAT
modprobe ip_nat_ftp

These are the module names of the 2.4 and early 2.6 kernels this page targets. On current kernels the equivalents are nf_conntrack, nf_conntrack_ftp, iptable_nat and nf_nat_ftp, the state match loads nf_conntrack by itself, and recent kernels no longer attach helpers automatically: a flow has to be assigned the helper explicitly (the CT target's --helper option). Only load the FTP helper where FTP really has to pass, because it inspects the control channel and opens the data ports as RELATED, which widens what a RELATED rule accepts.
Allowing DNS Access To Your Firewall
You'll almost certainly want your firewall to make DNS queries to the Internet. This is not because it is required for the basic functionality of the firewall, but because of Fedora Linux's yum RPM updater which will help to keep the server up to date with the latest security patches. The following statements will apply not only for firewalls acting as DNS clients but also for firewalls working in a caching or regular DNS server role.
# Allow outbound DNS queries from the FW and the replies too
# - Interface eth0 is the internet interface
# Zone transfers use TCP and not UDP. Most home networks
# / websites using a single DNS server won't require TCP statements
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 \
         -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 \
         -j ACCEPT
Two caveats. The INPUT rule accepts any UDP packet whose source port is 53 and whose destination is a high port, not only answers to queries the firewall actually sent; anyone can send packets from port 53. Accepting the reply leg with -m state --state ESTABLISHED instead, as the snippets below do, ties replies to a query the connection-tracking code saw go out. And TCP port 53 is no longer just for zone transfers: resolvers retry over TCP whenever an answer does not fit in a UDP packet, which DNSSEC and large records make common, so an outbound TCP 53 rule belongs next to the UDP one on any modern system.

Allowing WWW And SSH Access To Your Firewall
This sample snippet is for a firewall that doubles as a web server that is managed remotely by its system administrator via secure shell (SSH) sessions. Inbound packets destined for ports 80 and 22 are allowed, which covers the first step in establishing a connection. It isn't necessary to specify these ports for the return leg as outbound packets for all established connections are allowed. Connections initiated by persons logged into the Web server will be denied as outbound NEW connection packets aren't allowed.
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
         -j ACCEPT
#---------------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------------
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 \
         -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 \
         -m state --state NEW -j ACCEPT
The --sport 1024:65535 match only turns away clients that use a privileged source port. A client chooses its own source port, so this is a tidiness filter rather than a security control; the protection comes from the state match and from what listens on port 22 (key-only authentication is the usual companion to an SSH port open to the Internet).
Allowing Your Firewall To Access The Internet
This iptables script enables a user on the firewall to use a Web browser to surf the Internet. HTTP traffic uses TCP port 80, and HTTPS uses port 443.
Note: HTTPS (secure HTTP) is used for credit card transactions frequently, as well as by RedHat Linux servers running up2date. FTP and HTTP are frequently used with yum.
#---------------------------------------------------------------
# Allow port 80 (www) and 443 (https) connections from the firewall
#---------------------------------------------------------------
iptables -A OUTPUT -j ACCEPT -m state \
         --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \
         -m multiport --dports 80,443 --sport 1024:65535
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED \
         -i eth0 -p tcp
If you want all TCP traffic originating from the firewall to be accepted, then remove the line:
-m multiport --dports 80,443 --sport 1024:65535
Allow Your Home Network To Access The Firewall
In this example, eth1 is directly connected to a home network using IP addresses from the network <home-network> (write it in CIDR form, with its mask). All traffic between this network and the firewall is simplistically assumed to be trusted and allowed.
Further rules will be needed for the interface connected to the Internet to allow only specific ports, types of connections and possibly even remote servers to have access to your firewall and home network.
#---------------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the
# protected network
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
iptables -A INPUT -j ACCEPT -p all -s <home-network> -i eth1
iptables -A OUTPUT -j ACCEPT -p all -d <home-network> -o eth1
Pairing -s with -i is what makes this safe: a packet carrying a home-network source address that arrives on eth0 is spoofed, and because it did not enter on eth1 it does not match this rule.
Checking The Firewall Logs

Log-and-drop rules at the end of each chain record everything no earlier rule accepted. The LOG target writes through the kernel log, so on Fedora the entries land in /var/log/messages; LOG lets the packet continue to the next rule, which is why a DROP rule has to follow it.
# Log and drop all other packets to file /var/log/messages
# Without this we could be crawling around in the dark
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
As written the LOG rules are unthrottled, and a port scan or flood can fill the log partition with them. In production add -m limit --limit 5/min (or a rate you can live with) to each LOG rule; the DROP rules stay unthrottled.
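The snippets in the sections above (DNS, WWW and SSH, Internet access from the firewall, the home network, the FORWARD and user-defined-chain examples, and the log-and-drop tail) are assembled here into one file in the iptables-save format shown under Saving Your iptables Scripts. This is an added example written for this page, not code from the page or from the book it draws on. It assumes eth0 faces the Internet and eth1 the home network, that the home network is 192.168.1.0/24, and that the web server the FORWARD rules protect is 192.168.1.58 on that network rather than the firewall itself; the LOG prefixes are made up for the example. The second function is an offline check for the most common iptables-restore failure, a rule that jumps to a chain nobody declared.

```shell
#!/bin/sh
# Added example, not from the page. Emits a complete iptables-restore file for
# the page's scenario and checks it offline before it touches the live ruleset.
# Interfaces, the LAN, the web server address and the LOG prefixes are
# assumptions; override them through the environment.
INET_IF=${INET_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB_SERVER=${WEB_SERVER:-192.168.1.58}
LOG_RATE=${LOG_RATE:-5/min}

full_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT before routing: publish the LAN web server on the firewall's Internet address
-A PREROUTING -i $INET_IF -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB_SERVER
# many-to-one SNAT after routing: the whole LAN leaves with the firewall's address
-A POSTROUTING -o $INET_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-queue-in - [0:0]
# loopback and already-tracked connections first; every rule after this only
# has to say which NEW connections are allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP through a user-defined chain; inbound pings are rate-limited
-A INPUT -p icmp -j icmp-queue-in
-A icmp-queue-in -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# the home network is trusted in both directions (source paired with interface)
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A OUTPUT -o $LAN_IF -d $LAN_NET -j ACCEPT
# the firewall as DNS and web client; TCP 53 covers answers too big for UDP
-A OUTPUT -o $INET_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $INET_IF -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $INET_IF -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# SSH to the firewall itself; new connection attempts are capped
-A INPUT -i $INET_IF -p tcp --dport 22 --syn -m limit --limit 5/s -j ACCEPT
# routed traffic: LAN out to the Internet, Internet in only to the DNAT'd web server
-A FORWARD -i $LAN_IF -o $INET_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $INET_IF -o $LAN_IF -d $WEB_SERVER -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# log what falls through, rate-limited so a scan cannot fill /var/log/messages;
# the DROP policies above discard it
-A INPUT -m limit --limit $LOG_RATE -j LOG --log-prefix "IPT-IN-DROP: "
-A OUTPUT -m limit --limit $LOG_RATE -j LOG --log-prefix "IPT-OUT-DROP: "
-A FORWARD -m limit --limit $LOG_RATE -j LOG --log-prefix "IPT-FWD-DROP: "
COMMIT
EOF
}

# Offline check: iptables-restore aborts with "No chain/target/match by that
# name" when a rule is appended to, or jumps to, a chain that was never
# declared with a ":chain" line in the same table. Reads the ruleset on stdin,
# prints each offender and returns non-zero if it found any.
check_chains() {
    awk '
    BEGIN { n = split("ACCEPT DROP REJECT LOG RETURN SNAT DNAT MASQUERADE", b, " ")
            for (i = 1; i <= n; i++) builtin[b[i]] = 1 }
    /^\*/ { split("", declared) }            # new table: forget earlier chains
    /^:/  { declared[substr($1, 2)] = 1 }
    /^-A/ {
        if (!($2 in declared)) { print "undeclared chain: " $2; bad = 1 }
        for (i = 3; i < NF; i++)
            if ($i == "-j" && !($(i+1) in builtin) && !($(i+1) in declared)) {
                print "undeclared jump target: " $(i+1); bad = 1
            }
    }
    END { exit bad + 0 }'
}
```

Use it as `full_ruleset | check_chains && full_ruleset | iptables-restore --test` (the --test switch parses without committing), then `full_ruleset | iptables-restore` and `service iptables save` once you are sure. The FORWARD and nat rules only do anything with net.ipv4.ip_forward set to 1. The page's --sport 1024:65535 matches are left out on purpose: a client picks its own source port, so they restrict nothing, and the ESTABLISHED,RELATED rule at the top is what ties replies to a connection the firewall saw begin.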

iptables Won't Start

If service iptables start returns silently, without the "Applying iptables firewall rules" line, the /etc/sysconfig/iptables file the init script loads is usually missing. Create an empty one, readable only by root since it will hold your firewall policy, and start the service again:

[root@bigboy tmp]# service iptables start
[root@bigboy tmp]#

[root@bigboy tmp]# touch /etc/sysconfig/iptables
[root@bigboy tmp]# chmod 600 /etc/sysconfig/iptables

[root@bigboy tmp]# service iptables start
Applying iptables firewall rules: [ OK ]
[root@bigboy tmp]#

Here are some examples of the entries the LOG rules produce in /var/log/messages. IN and OUT name the interface the packet arrived on and the one it would have left by (one of the two is empty for packets that terminate at, or originate from, the firewall), SRC and DST are the IP addresses, PROTO the protocol and SPT/DPT the source and destination ports.
  • Firewall denies replies to DNS queries (UDP port 53) destined to a server on the home network. IN=wlan0 with an empty OUT means the packet was addressed to the firewall itself and hit the INPUT chain:
Feb 23 20:33:50 bigboy kernel: IN=wlan0 OUT= MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC= DST= LEN=220 TOS=0x00 PREC=0x00 TTL=54 ID=30485 PROTO=UDP SPT=53 DPT=32820 LEN=200
  • Firewall denies Windows NetBIOS traffic (UDP port 138), here a broadcast (the MAC field starts with the broadcast address ff:ff:ff:ff:ff:ff):
Feb 23 20:43:08 bigboy kernel: IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:09:6a:b5:08:00 SRC= DST= LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
  • Firewall denies Network Time Protocol (NTP UDP port 123). IN is empty and OUT=wlan0: the packet was generated by the firewall itself and was caught in the OUTPUT chain:
Feb 23 20:58:48 bigboy kernel: IN= OUT=wlan0 SRC= DST= LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
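Reading these entries one at a time is fine for three lines; after a night of scans you want them summarised. The script below is an added example, not part of the page: it boils kernel LOG entries of the format shown above down to direction, protocol and destination port, and lists sources that probed several distinct inbound ports. The sample entries are constructed for the example with RFC 5737 documentation addresses; the field layout is the real one.

```shell
#!/bin/sh
# Added example, not from the page. Summarises iptables LOG entries from
# /var/log/messages. SAMPLE_LOG is constructed for this example (documentation
# addresses 192.0.2.x / 198.51.100.x / 203.0.113.x); on a real system pipe
# `grep 'kernel: .*PROTO=' /var/log/messages` into the functions instead.
SAMPLE_LOG='Feb 23 20:33:50 bigboy kernel: IN=wlan0 OUT= MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC=198.51.100.5 DST=192.0.2.10 LEN=220 TOS=0x00 PREC=0x00 TTL=54 ID=30485 PROTO=UDP SPT=53 DPT=32820 LEN=200
Feb 23 20:43:08 bigboy kernel: IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:09:6a:b5:08:00 SRC=192.0.2.20 DST=192.0.2.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
Feb 23 20:58:48 bigboy kernel: IN= OUT=wlan0 SRC=192.0.2.10 DST=203.0.113.7 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Feb 23 21:02:11 bigboy kernel: IN=wlan0 OUT= MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1234 DF PROTO=TCP SPT=44211 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 23 21:02:12 bigboy kernel: IN=wlan0 OUT= MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1235 DF PROTO=TCP SPT=44212 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 23 21:02:13 bigboy kernel: IN=wlan0 OUT= MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1236 DF PROTO=TCP SPT=44213 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 23 21:02:14 bigboy kernel: IN=wlan0 OUT= MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1237 DF PROTO=TCP SPT=44214 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 23 21:02:15 bigboy kernel: IN=wlan0 OUT= MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=1238 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1'

# Count entries per "direction:interface protocol dport". Tokens without "="
# (such as the DF flag) are skipped; ICMP has no port, so its TYPE is used.
summarize_drops() {
    awk '
    /kernel: / && /PROTO=/ {
        dir = "?"; proto = "?"; dport = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "="); if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "IN" && v != "") dir = "in:" v
            else if (k == "OUT" && v != "") dir = "out:" v
            else if (k == "PROTO") proto = v
            else if (k == "DPT") dport = v
            else if (k == "TYPE" && proto == "ICMP") dport = "type" v
        }
        count[dir " " proto " " dport]++
    }
    END { for (key in count) print key, count[key] }' | sort
}

# Sources that hit at least $1 (default 3) distinct inbound TCP/UDP ports:
# the simplest port-scan signal these logs give you.
port_scanners() {
    awk -v min="${1:-3}" '
    /kernel: / && / IN=[^ ]/ && (/PROTO=TCP/ || /PROTO=UDP/) {
        src = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
            else if (substr($i, 1, 4) == "DPT=") dport = substr($i, 5)
        }
        if (src != "" && dport != "" && !seen[src, dport]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | sort
}

demo_summary()  { printf '%s\n' "$SAMPLE_LOG" | summarize_drops; }
demo_scanners() { printf '%s\n' "$SAMPLE_LOG" | port_scanners "$1"; }
```

On the sample, demo_summary shows two denied SSH attempts on wlan0 next to the single NetBIOS, DNS-reply and outbound NTP entries, and demo_scanners reports 198.51.100.9 with three distinct ports, which is the line worth a closer look. The field scanner is deliberately position-independent, so it also copes with a --log-prefix string in front of IN=.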



 1. Firewall for Linux
 2. Interface to Netfilter, which is loaded by the kernel
 3. Operates primarily @ layers 3 & 4 of the OSI model
 4. Modular
 5. Provides Network Address Translation (NAT)
 6. IPTables can also access other layers (2, 5-7), with modules

Check that the running kernel was built with Netfilter support before anything else:
1. grep -i config_netfilter /boot/config*

Note: Save rules in /etc/sysconfig/iptables so that when IPTables is restarted the rules will be applied (service iptables save does this), OR set IPTABLES_SAVE_ON_STOP="yes" and IPTABLES_SAVE_ON_RESTART="yes" in /etc/sysconfig/iptables-config to save the rules automatically. The automatic option also saves a broken rule set you were about to throw away, so saving explicitly once the rules are known to work is the safer habit.

/sbin/iptables - primary ACL modifier utility
/sbin/iptables-restore - restores rules to current IPTables instance
/sbin/iptables-save - saves rules to STDOUT, by default, or to a file

IPTables includes 3 default tables, which you cannot remove:
 1. NAT
 2. Mangle
 3. Filter (Default) - filters inbound/outbound traffic
Newer kernels add two more built-in tables: raw (exempt packets from connection tracking before any other table sees them; the IPv6 notes below list it) and security (SELinux marking).

Note: Each table includes chains, which include Access Control Entries (ACEs)

 1. iptables -L (add -n to skip reverse DNS lookups, which hang when the firewall itself is blocking DNS, and -v to see interfaces and packet counters)

Note: The Filter table includes 3 chains:
 1. INPUT - applies to traffic destined to a service that our system is bound to

 2. FORWARD - applies to traffic being routed through the system

 3. OUTPUT - applies to traffic sourced from our system, heading outbound

 1. Filter inbound traffic to remote RH5 system to SSH
  a. iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  b. iptables -A INPUT -j DROP
 Note: rule b also drops loopback traffic and the replies to connections the system itself opens (DNS answers, yum downloads). On anything but a lab box, accept -i lo and -m state --state ESTABLISHED,RELATED ahead of the final DROP, as the saved Fedora configuration above does.

 2. Filter outbound traffic to ANY remote SSH port
  a. iptables -A OUTPUT -p tcp --dport 22 -j DROP

 3. Flush ALL rules from OUTPUT chain of the Filter table 
  a. iptables -F OUTPUT

 4. Save rules to file, then flush rules
  a. iptables-save > iptables.rules.1
  b. iptables -F

 5. Reinstate flushed rules (iptables-restore reads the ruleset from standard input)
  a. iptables-restore < iptables.rules.1
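The save/flush/restore steps above are also the raw material for the check every remote administrator wants: apply a new ruleset, and roll it back by itself if nothing confirms that the session still works, so a slip in an SSH-only INPUT chain like the one in step 1 cannot lock you out. The function below is an added example, not from the page. The iptables-save and iptables-restore binaries are taken from the IPT_SAVE and IPT_RESTORE variables so the logic can be exercised without root; that indirection is an assumption of this example, not an iptables feature.

```shell
#!/bin/sh
# Added example, not from the page: apply a saved ruleset with automatic
# rollback. IPT_SAVE / IPT_RESTORE default to the real tools and exist so the
# function can be dry-run without root (an assumption of this example).
IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}

# safe_apply RULES_FILE CONFIRM_FILE [TIMEOUT_SECONDS]
# Snapshots the live rules, loads RULES_FILE, then waits for CONFIRM_FILE to
# appear (create it from a fresh login that still works). Returns 0 when
# confirmed, 1 when the new rules would not load (old rules stay active),
# 2 after rolling back because no confirmation arrived in time.
safe_apply() {
    rules=$1; confirm=$2; timeout=${3:-60}
    backup=$(mktemp) || return 1
    if ! "$IPT_SAVE" > "$backup"; then
        rm -f "$backup"; return 1
    fi
    if ! "$IPT_RESTORE" < "$rules"; then
        echo "new ruleset rejected, old one still active" >&2
        rm -f "$backup"; return 1
    fi
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$confirm" "$backup"
            return 0
        fi
        sleep 1; waited=$((waited + 1))
    done
    echo "no confirmation within ${timeout}s, rolling back" >&2
    "$IPT_RESTORE" < "$backup"
    rm -f "$backup"
    return 2
}
```

Typical use from an SSH session is `safe_apply /root/firewall-config /tmp/fw-ok 60 &`, then open a second SSH session and run `touch /tmp/fw-ok` from it; if the second login never gets through, the old rules come back a minute later. Only after that does `service iptables save` make the new rules permanent.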

###IPv6 IPTables###
 1. Firewall for IPv6

/etc/rc.d/init.d/ip6tables - run-script
/etc/sysconfig/ip6tables-config - system-wide config file

/sbin/ip6tables - primary tool for administering IP6Tables

 2. Maintains 3 default tables:
  a. Filter - matches IPTables(IPv4)
  b. Mangle - matches IPTables(IPv4)
  c. Raw - exempts selected packets from connection tracking before the other tables see them
 Note: no nat table here; Netfilter only gained IPv6 NAT in kernel 3.7, long after RH5.

 1. ip6tables -L

Note: IPv6 firewall rules are administered independently of IPv4 rules

 1. Filter inbound traffic to remote RH5 system to SSH
  a. ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
  b. ip6tables -A INPUT -j DROP

 2. Filter outbound traffic to ANY remote SSH port
  a. ip6tables -A OUTPUT -p tcp --dport 22 -j DROP

 3. Flush ALL rules from OUTPUT chain of the Filter table 
  a. ip6tables -F OUTPUT

 4. Save rules to file, then flush rules
  a. ip6tables-save > ip6tables.rules.1
  b. ip6tables -F

 5. Reinstate flushed rules (ip6tables-restore reads the ruleset from standard input)
  a. ip6tables-restore < ip6tables.rules.1

