The Best Damn Firewall Book Period

Iptables derives its name from the three default tables it uses, which are listed in Table 5.1. Rules in the chains of each table can match packets by the interface on which they arrive or leave, so one set of tables manages and modifies the traffic of every interface on your system.

Table 5.1: Default Tables and Chains

filter
    Default chains: INPUT, FORWARD, OUTPUT
    Enables you to filter packets (accept or discard them).

nat
    Default chains: PREROUTING, OUTPUT, POSTROUTING
    Enables network address translation, including masquerading.

mangle
    Default chains: PREROUTING, OUTPUT
    Allows you to further "mangle" packets by altering header fields such as TOS or TTL, or by marking them for other rules to act on. This feature, for example, allows you to adjust packets so that they are acceptable to certain VPN clients, such as Microsoft PPTP. (Kernels from 2.4.18 onward give the mangle table all five chains.)

Iptables is the successor to Ipchains: it keeps the filtering chains and adds the nat and mangle tables. Ipchains has only the three chains listed for the filter table in Table 5.1, so with Ipchains you have access only to the input, forward, and output chains (their names are lowercase in Ipchains and uppercase in Iptables). To masquerade with Ipchains, you send packets in the forward chain to the MASQ target. In Iptables, you use the filter table to filter packets and the nat table to masquerade them. If you do not specify a table with -t, Iptables defaults to the filter table. Now that you understand tables, it is important to understand the specific chains.

A chain is an ordered list of rules, each of which tests a packet and names an action (a target) to take if the packet matches. Whenever you use Ipchains or Iptables to configure a firewall, the proper perspective to adopt is to view all packets from the firewall itself: consider where each packet arrives from, where it is going, the table involved, and the chain that will see it. In the filter table, every packet traverses exactly one of three default chains, and any rule can be restricted to a particular interface with -i (or, in Iptables, -o):

INPUT handles packets addressed to the firewall host itself.

OUTPUT handles packets generated by the firewall host.

FORWARD handles packets that the host routes from one interface to another; this is the chain that sees masqueraded traffic.

The nat and mangle tables contain two additional chains. The PREROUTING chain alters packets as they arrive, before the kernel makes its routing decision (destination NAT and port redirection happen here). The POSTROUTING chain alters packets after routing, just before they leave the host; source NAT takes place here, which is what makes POSTROUTING essential to masquerading.

Built-In Targets and User-Defined Chains

Ipchains and Iptables use built-in targets to specify what happens to a packet once a rule matches it. By far the most common built-in targets are ACCEPT and DROP (called DENY in Ipchains). Table 5.2 describes each of these in detail. (Additional targets exist, such as REJECT, LOG, and MASQUERADE; you can read about them by consulting the Ipchains or Iptables man page.)

Table 5.2: Common Ipchains and Iptables Targets

DROP (DENY in Ipchains)
    The packet is silently discarded; the sender receives no notification. The related REJECT target also discards the packet but sends an error back to the sender (an ICMP unreachable message, or a TCP reset if you ask for one). REJECT is friendlier to legitimate clients, which fail immediately instead of timing out, but it also tells a scanner that a filter is present.

ACCEPT
    The packet has passed this chain: no further rules in the chain are consulted, and the packet continues on its way (to the host, or on through any remaining tables). By default, all built-in chains have a policy of ACCEPT, so any packet that matches no rule is allowed through.

User-defined chains are useful when you want to create a large number of rules without letting a single chain become too long. Chains that become too long slow down packet processing and are difficult to read and organize. The following sequence creates a user-defined chain, adds a rule to it, and then invokes it from the input chain:

ipchains -N custom
ipchains -A custom -s 0/0 -d 0/0 -p icmp -j REJECT
ipchains -A input -s 0/0 -d 0/0 -j custom

This is a trivial example, of course. The -N option creates the new chain. The -A option "appends" a rule, placing it at the end of a chain; the -I option "inserts" a rule at the beginning of a chain (or at a position you specify). Here the user-defined chain named custom is created, a rule rejecting all ICMP packets is added to it, and then a rule is appended to the default input chain that hands every packet to the custom chain for processing. As a result, any and all ICMP packets arriving at the host are rejected. If you were to forget the last command, the one that makes the input chain refer to custom, the custom chain would never be consulted, no matter what rules it contained.

The Iptables equivalent is very similar (it is possible, of course, to create user-defined chains that are much more ambitious). Note that Iptables has no DENY target; its silent-discard target is DROP, and its built-in chain names are uppercase:

iptables -N custom
iptables -A custom -s 0/0 -d 0/0 -p icmp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -j custom

Specifying Interfaces

If you do not specify an interface, a rule matches packets on every interface. Use the -i option to restrict a rule to packets arriving on one interface (and, in Iptables, -o for packets leaving on one). Thus, on a multiple-NIC system, a single INPUT rule with no -i denies ICMP on all interfaces; if you want to deny it on eth0 and eth1 but leave a third interface alone, you must name the interfaces explicitly. For example, on a system with two interfaces that currently allows all traffic, you would issue the following commands:

ipchains -A input -i eth0 -s 0/0 -d 0/0 -p icmp -j REJECT
ipchains -A input -i eth1 -s 0/0 -d 0/0 -p icmp -j REJECT

Now this system will reject ICMP packets addressed to it on either the eth0 or the eth1 interface (these are input rules, so they do not affect ICMP that the host forwards). For Iptables, the commands would be as follows:

iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -p icmp -j REJECT
iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -p icmp -j REJECT

Iptables can also match a single ICMP type: adding --icmp-type echo-request, for example, would reject only pings and leave other ICMP messages alone.

In Iptables, the FORWARD chain allows you to specify both the interface a packet arrived on (-i) and the interface it will leave by (-o), because a forwarded packet has both. This is what lets you write rules such as "accept only packets from the internal interface that are leaving via the Internet interface," which is the basis of a masquerading firewall. In Ipchains, the forward chain accepts only -i, and for that chain -i names the interface the packet will go out on.

Setting Policies

Both Ipchains and Iptables default to accepting all connections. The safest option is to set the default policy to deny all traffic first and then create rules that explicitly allow the traffic types you need. You change this default stance with the -P option, which applies only to the built-in chains (user-defined chains have no policy; a packet that reaches the end of one returns to the chain that called it). For example, the following Ipchains command changes the default policy of the input chain to deny:

ipchains -P input DENY

The following command does the same thing in Iptables (chain names are uppercase):

iptables -P INPUT DROP

To reset the policy to accept, you simply use the ACCEPT target. If you administer the firewall over the network, add the rules that allow your management session before you change the INPUT policy to DROP; otherwise the policy change will cut off your own connection.

Listing Tables and Chains

Once you generate Ipchains or Iptables rules, you can then list them. For example, the following Ipchains command would list all chains and rules:

ipchains -L

Iptables uses the same command:

iptables -L

You can, if you want, list specific chains:

ipchains -L output

Because Iptables allows you to modify three different tables, you can also list specific tables. To list all nat chains, you would issue the following command:

iptables -t nat -L

The following command would view only the POSTROUTING chain in the nat table:

iptables -t nat -L POSTROUTING

Consider the following output from the -L option in Iptables:

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
custom     icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LD (0 references)
target     prot opt source               destination

Chain custom (1 references)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

This output shows that the INPUT chain of the filter table contains one rule. This rule does not block ICMP traffic itself; rather, it specifies that all ICMP traffic will be handled by the custom chain. The custom chain, listed last, does the actual dropping of all ICMP packets sent to this host. Notice that the listing reports how many rules jump to each user-defined chain: custom has one reference, whereas the chain LD has none, so nothing placed in LD can take effect until some rule refers to it. Adding -n to -L prints addresses and ports numerically instead of resolving them, which is faster and avoids DNS lookups from the firewall.
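The listing above is worth checking mechanically rather than by eye. The following script is an added example, not code from the book: it scans `iptables -L` output for the two mistakes this section describes, a user-defined chain that nothing references (its rules never run) and built-in chains still at policy ACCEPT. The sample listing embedded in it is constructed to match the output shown above; on a live host you would pass `"$(iptables -L -n)"` to the same functions.

```shell
#!/bin/sh
# Added example (not from the book): audit `iptables -L` output for
# user-defined chains that nothing references and built-in chains whose
# policy is still ACCEPT. SAMPLE_LISTING is a constructed copy of the
# listing discussed above; on a live host use "$(iptables -L -n)" instead.

SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
custom     icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LD (0 references)
target     prot opt source               destination

Chain custom (1 references)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere'

# Names of user-defined chains with zero references, one per line.
unreferenced_chains() {
    printf '%s\n' "$1" | awk '$1 == "Chain" && $3 == "(0" { print $2 }'
}

# Names of built-in chains whose policy is ACCEPT (default-allow stance).
accept_policy_chains() {
    printf '%s\n' "$1" | awk '$1 == "Chain" && $3 == "(policy" && $4 == "ACCEPT)" { print $2 }'
}

# Number of rules in the named chain: the lines after its header up to the
# next blank line, not counting the column-header line.
rule_count() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "Chain"              { in_chain = ($2 == chain); next }
        in_chain && NF == 0        { in_chain = 0; next }
        in_chain && $1 != "target" { n++ }
        END                        { print n + 0 }'
}

# Human-readable report. Returns 1 if anything was flagged, so a deployment
# script can refuse to go on.
audit_listing() {
    flagged=0
    for c in $(unreferenced_chains "$1"); do
        echo "WARNING: chain $c has no references; its $(rule_count "$c" "$1") rule(s) never run"
        flagged=1
    done
    for c in $(accept_policy_chains "$1"); do
        echo "WARNING: built-in chain $c has policy ACCEPT"
        flagged=1
    done
    return $flagged
}

if audit_listing "$SAMPLE_LISTING"; then
    echo "audit: clean"
else
    echo "audit: problems found"
fi
```

Run against the sample, the script reports LD as unreferenced and all three built-in chains as ACCEPT; the rule count for custom is 1 and for FORWARD is 0. The parsing keys on the "Chain NAME (...)" header lines that `iptables -L` prints, which is why `-n` is safe to add on a live host.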

The following commands allow you to list all of the rules by number:

ipchains --line-numbers -L
iptables --line-numbers -L

Saving, Flushing, and Restoring Rules

Once you have created rules in Ipchains or Iptables, you can save them using the following commands:

/sbin/ipchains-save
/sbin/iptables-save

These commands are helpful for two reasons. First, you can save the tables and rules to a text file in order to study them. Second, backing up your rules is important, as it generally takes considerable time to create the "perfect" firewall for your situation, and you should keep a backup in case your firewall configuration somehow gets lost. To save your Iptables information to a text file, for example, you would issue the following command:

/sbin/iptables-save > iptables.txt

Note

You should use Iptables 1.2.1a or later, because that release includes the iptables-save and iptables-restore commands; earlier packages did not have them. Red Hat 7.1 and later ship a compatible version. To install the RPM package on older systems, you need to use the --nodeps option:

rpm -ivh --nodeps iptables-1.2.1a-1.i386.rpm

To flush any existing rules, you can use the –F option:

ipchains -F
iptables -F

Used without arguments, this command will erase the contents of all rules in Ipchains, and all rules in the filter table of Iptables. To flush a specific chain, you would issue the following command(s):

ipchains -F input
iptables -F INPUT

Warning

Many times, the -F option is used as a safety measure in firewall scripts. When used at the beginning of a script, it can ensure that the firewall begins its configuration from "ground zero," rather than being appended to an existing firewall configuration.

When creating a firewall script, make sure that you flush all of the necessary chains and tables. Otherwise, you may end up combining your configuration with an existing one, which could lead to connectivity or security problems.

In Iptables, -F without a -t option flushes only the filter table; it does not delete rules from the nat or mangle tables. To flush a specific table, you have to name it:

iptables -t nat -F

The -F option does not change a policy from DROP to ACCEPT, either; you must use the -P option, discussed earlier. Nor does it delete user-defined chains: -F only empties them, and the -X option removes them (a chain must be empty and unreferenced before -X will delete it).

In case you need to restore your backup information, you can use the following commands:

ipchains-restore
iptables-restore

For example, to restore the Iptables rules database using the iptables.txt file created earlier, you would issue the following command:

/sbin/iptables-restore < iptables.txt

(Older versions of iptables-restore read only from standard input, hence the redirection; newer versions also accept the file name as an argument.)

By default, ipchains-restore appends the restored rules to any existing rules. You can use its -f option to flush the existing rules first, if you want.

Iptables-restore, by contrast, flushes the existing tables before loading the file. You can use its -n (--noflush) option to append the contents of the restore file to the existing rules instead.

Using Ipchains to Masquerade Connections

The Ipchains command has only one table and three chains (input, forward, and output). Using the forward chain and the MASQ target, you can masquerade any source network you want. Suppose, for example, that you have a router that connects the 192.168.1.0/24 network and the 10.100.100.0/24 network. Suppose further that this firewall's eth0 interface carries the Internet-addressable IP address 66.1.5.1/8. The following Ipchains commands issued on the router would enable both private-IP networks to reach the Internet:

ipchains -A forward -i eth0 -s 192.168.1.0/24 -j MASQ
ipchains -A forward -i eth0 -s 10.100.100.0/24 -j MASQ

These rules specify that any connection from the 192.168.1.0/24 or 10.100.100.0/24 network that leaves via eth0 will be masqueraded as 66.1.5.1. The -A option appends the rule to the forward chain; the -i option specifies the eth0 interface (for the forward chain, this is the interface the packet will go out on); the -s option specifies the source network; and -j MASQ is the masquerading target (Ipchains has no MASQUERADE target; that name belongs to Iptables). Masquerading also requires that IP forwarding be enabled in the kernel, as described earlier in this chapter.

This configuration by itself leaves the network exposed. Because the forward chain's policy is still ACCEPT, the router forwards every packet it receives, not only those from your internal networks; a remote host could route traffic through your masquerading firewall toward any network the firewall can reach. The following additions to the forward chain ensure that the router forwards only traffic to or from your internal networks:

ipchains -A forward -s 192.168.1.0/24 -j ACCEPT
ipchains -A forward -d 192.168.1.0/24 -j ACCEPT
ipchains -A forward -s 10.100.100.0/24 -j ACCEPT
ipchains -A forward -d 10.100.100.0/24 -j ACCEPT
ipchains -A forward -j DENY

Ipchains Masquerading Modules

Many of the protocols you want to use on the Internet, such as FTP or RealAudio, carry addresses or port numbers inside the data stream and therefore need extra help to work through masquerading. Ipchains (the 2.2 kernel) provides several modules that let masqueraded clients use these protocols. Some of these are described in Table 5.3; the Iptables equivalents are covered under "Iptables Modules" later in this chapter.

Table 5.3: Ipchains Masquerading Modules

ip_masq_ftp
    Module for masquerading FTP connections

ip_masq_raudio
    RealAudio

ip_masq_irc
    IRC

ip_masq_vdolive
    VDO Live

ip_masq_cuseeme
    CU-SeeMe

Enabling these options requires that you load the modules with /sbin/insmod (or /sbin/modprobe, which also loads any modules they depend on). For example, to enable the ip_masq_ftp and ip_masq_raudio modules, you would issue the following commands:

/sbin/insmod ip_masq_ftp
/sbin/insmod ip_masq_raudio

To automate this process, you can place these entries into a script or into /etc/rc.local.

Using Iptables to Masquerade Connections

Using the same example of the 192.168.1.0/24 network and the 10.100.100.0/24 network connected by the firewall with the IP address 66.1.5.1/8, you would use the following commands:

iptables -t nat -A POSTROUTING ! -d 192.168.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING ! -d 10.100.100.0/24 -j MASQUERADE

These rules are added to the nat table (-t nat) and appended to its POSTROUTING chain (-A). The ! mark tells netfilter/Iptables to negate the match: masquerade every packet that is not destined for the named internal network. (Very old Iptables releases wrote the negation after the option, as -d ! 192.168.1.0/24; current releases accept only the ! -d form.) Specifically, the rules stipulate that if a packet is not addressed to the 192.168.1.0/24 or 10.100.100.0/24 network, its source address is rewritten to that of the interface it leaves by, here 66.1.5.1. Consequently, any packet bound for the Internet is rewritten. Be aware, though, that two separately negated rules do not add up to "not destined for either internal network": a packet from 192.168.1.0/24 to 10.100.100.0/24 fails the first rule's -d 192.168.1.0/24 test and is masqueraded anyway. Without an -o option, the rules also apply to packets leaving on any interface. Matching the interface that holds the Internet-routable address with -o solves both problems, since only traffic actually leaving for the Internet is then rewritten; if that interface were eth1, for example:

iptables -t nat -A POSTROUTING -o eth1 ! -d 192.168.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 ! -d 10.100.100.0/24 -j MASQUERADE

As with Ipchains, this particular configuration leaves the network wide open, because the FORWARD chain's policy is still ACCEPT. The following additions to the FORWARD chain of the filter table ensure that your masquerading router forwards only traffic to or from your internal networks:

iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.100.100.0/24 -j ACCEPT
iptables -A FORWARD -d 10.100.100.0/24 -j ACCEPT
iptables -A FORWARD -j DROP

Notice the order of these entries. Both Ipchains and Iptables evaluate rules in strict order and act on the first match, which is why the preceding rules first accept certain packets and then drop the rest. If the final entry (iptables -A FORWARD -j DROP) were listed first, all forwarded packets would be denied and the ACCEPT rules would never be reached.

Note

Because both Ipchains and Iptables default to allowing any and all traffic, it is quite easy to create rules that inadvertently allow unwanted traffic to pass through. Some systems administrators prefer to first change the policy of every built-in chain in the filter table to deny. Doing so, however, requires you to add explicit ACCEPT rules to every affected chain (INPUT for the firewall's own traffic, FORWARD for the masqueraded networks in both directions) so that your masquerading will work properly. Leave the nat table's chains at ACCEPT: the nat table sees only the first packet of each connection, so it is not the place to filter.
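The following script puts the preceding advice together for the two-network router used throughout this section: default-deny policies on the filter table, a clean flush, explicit INPUT and FORWARD rules, masquerading in nat/POSTROUTING, and IP forwarding switched on last. It is an added example, not the book's own script. It goes beyond the rules shown above in two ways a practitioner would want: it matches the outgoing interface and source network rather than negated destinations, and it uses connection tracking so that only connections that start inside are forwarded. Assumptions: eth0 carries the Internet-routable address, the two internal networks sit behind the firewall, and the firewall is managed over SSH from those networks.

```shell
#!/bin/sh
# Added example (not from the book): a complete default-deny rule set for the
# router described above, masquerading 192.168.1.0/24 and 10.100.100.0/24.
# Assumptions: eth0 is the Internet-facing interface and the firewall is
# managed over SSH from the internal networks.
EXT_IF=${EXT_IF:-eth0}
LAN_NETS="192.168.1.0/24 10.100.100.0/24"

# With DRY_RUN set, every command is printed instead of executed, so the rule
# set can be reviewed before it touches a live firewall.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}
ipt() { run iptables "$@"; }

firewall_rules() {
    # 1. Default-deny policies for the filter table, set before the flush so
    #    there is no moment when the box forwards with an empty allow-all chain.
    #    Filtering belongs in the filter table; the nat chains stay at ACCEPT.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # 2. "Ground zero": -F flushes one table at a time and -X removes user
    #    chains; neither touches the policies set above.
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -t mangle -F

    # 3. The firewall host itself: loopback, replies to its own connections,
    #    and SSH management from the internal networks only. Everything else
    #    addressed to the host falls through to the DROP policy.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for net in $LAN_NETS; do
        ipt -A INPUT -s "$net" -p tcp --dport 22 -j ACCEPT
    done

    # 4. Forwarding: return traffic for known connections, then new connections
    #    that arrive on an internal interface (! -i rejects packets spoofed from
    #    outside with an internal source) and leave via the external interface.
    #    The same packets are masqueraded in nat/POSTROUTING. The FORWARD policy
    #    drops the rest, so no trailing "-j DROP" is needed; the rate-limited
    #    LOG rule records what is dropped without letting a flood fill the log.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for net in $LAN_NETS; do
        ipt -A FORWARD ! -i "$EXT_IF" -s "$net" -o "$EXT_IF" -m state --state NEW -j ACCEPT
        ipt -t nat -A POSTROUTING -s "$net" -o "$EXT_IF" -j MASQUERADE
    done
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # 5. Only now enable forwarding; masquerading does nothing without it.
    run sysctl -w net.ipv4.ip_forward=1
}

# "DRY_RUN=1 sh firewall.sh" prints the rules; "FW_APPLY=1 sh firewall.sh"
# applies them (as root).
if [ -n "${DRY_RUN:-}" ] || [ "${FW_APPLY:-0}" = 1 ]; then
    firewall_rules
fi
```

Review the dry-run output before applying it, and keep an out-of-band way onto the box the first time: the INPUT policy goes to DROP before the SSH rule exists, and if the management network is not one of LAN_NETS the session will not come back.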

Warning

One of the easiest ways to bypass a firewall is to find and exploit an improperly configured modem bank. Modems are often configured to allow access to all areas of the network, and they are frequently neither protected nor monitored closely. As you establish your firewall, consider inspecting any and all systems for modems. You should approach your modem bank with the same care and consideration as you would your firewall.

Even modems not configured to receive incoming calls can be a danger. Consider also that an end user who connects to another network through a modem may be opening a path around your firewall. For example, suppose that a user has several drives mapped to a file server that contains sensitive information. If that user regularly connects to a remote dial-up server, a malicious user who discovers the connection could gain access to the mapped drives, and hence to the sensitive information.

Iptables Modules

Table 5.4 lists some of the most commonly used kernel modules for Iptables (the 2.4 kernel).

Table 5.4: Iptables Modules

ip_tables
    The core module for Iptables support. As with all of these modules, it is possible to compile the kernel so that this functionality is built in rather than loaded as a module.

ipt_LOG
    The LOG target, which records matching packets through the kernel log. Combined with the ipt_limit module (the -m limit match), it can log only an initial burst of traffic and a bounded number of packets per period thereafter, so that a flood cannot fill your logs.

iptable_mangle
    The module that provides the mangle table.

iptable_nat
    The NAT module, which provides the nat table. The MASQUERADE target itself lives in ipt_MASQUERADE.

You can load these modules with insmod or modprobe; Iptables also loads the module for a match or target automatically the first time a rule uses it. Protocols that carry addresses inside the data stream need connection-tracking helpers as well: ip_conntrack_ftp and ip_nat_ftp for FTP, and ip_conntrack_irc and ip_nat_irc for IRC. Load them on the masquerading router for those protocols to work through NAT.

Exercise: Masquerading Connections Using Ipchains or Iptables

  1. Configure your Linux system with at least two NICs.

  2. Enable IP forwarding using the instructions given earlier in this chapter.

  3. Using either Ipchains or Iptables, invoke masquerading for your IP addresses using the instructions given earlier in this chapter.

  4. Now, configure the FORWARD chain in the filter table (or the forward chain in Ipchains) so that it forwards only traffic to or from your internal hosts.

  5. If necessary, load the modules necessary to support FTP, IRC, and additional protocols.

  6. You will likely have to adjust your masquerading settings. Make sure that you save your settings using /sbin/ipchains-save or /sbin/iptables-save.
