The Best Damn Firewall Book Period
As discussed earlier, the Ipchains -l option logs matching packets. You can insert -l into any rule, as long as you do not split an option from its argument. For example, the following command logs all TCP connection attempts (SYN packets, matched by -y) that are rejected:
ipchains -I input -i eth0 -p tcp -s 0.0.0.0/0 -y -l -j REJECT
However, the following command would be a mistake, because Ipchains would read -l as the argument of -s, the source address:
ipchains -I input -i eth0 -p tcp -s -l 0.0.0.0/0 -y -j REJECT
Once logging is enabled, the kernel hands the entries to syslog, so you can view Ipchains output in the /var/log/messages file.
Iptables logs packets as well, but in a more flexible way: logging is a target, LOG, which you specify just like DROP or ACCEPT. LOG is a non-terminating target, so the packet continues to the next rule in the chain; to both log and discard a packet you need two rules, with the LOG rule first. For example, to log and then drop all initial TCP traffic (SYN packets), you would issue the following two commands:
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --syn -j LOG
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --syn -j DROP
As with Ipchains, you can view the results of your logging in the /var/log/messages file.
Setting Log Limits
The LOG target by itself logs every packet that reaches it. Rate limiting comes from the limit match, which you add to a rule with -m limit. Used without further options, the limit match allows three matches an hour with an initial burst of five, so a sustained flood produces only a handful of log lines. You can change these values with the --limit and --limit-burst options. The --limit option sets the average rate per second, minute, hour, or day (for example 2/min). The --limit-burst option sets how many packets may match before the rate limit takes effect. For example, to log ICMP packets at a rate of two per minute, with an initial burst of two, you would issue the following command:
iptables -A INPUT -i eth0 -p icmp -s 0.0.0.0/0 -m limit --limit 2/min --limit-burst 2 -j LOG
Notice that the limit match counts matching packets rather than log entries, so it can equally be placed on an ACCEPT or DROP rule; a limited LOG rule followed by an unlimited DROP rule logs a sample of what is being dropped while dropping all of it.
Note: Be careful not to log too many packets. You will quickly consume hard drive space if you log all packets passing through your firewall interfaces, and a flood of unsolicited packets can fill the log faster than anyone can read it. Put the limit match on every LOG rule that unsolicited traffic can reach.
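Logging is only useful if someone reads the result. As an added example (not part of the original book), the following POSIX shell script reads LOG-target output of the kind that lands in /var/log/messages, summarises what was dropped by source address and destination port, and flags sources that hit several different ports. The log lines are constructed for the example, use the RFC 5737 documentation address ranges, omit the MAC= field for brevity, and assume the LOG rules were given a --log-prefix (the parser does not depend on the prefix).

```shell
#!/bin/sh
# Added example: summarise iptables LOG-target output from /var/log/messages.
# Constructed sample log (not real traffic): addresses are from the RFC 5737
# documentation ranges, the MAC= field is omitted for brevity, and the rules
# that produced these lines are assumed to carry a --log-prefix.
SAMPLE_LOG='Mar  3 10:01:02 fw kernel: INPUT DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1001 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:03 fw kernel: INPUT DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1002 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:03 fw kernel: INPUT DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1003 DF PROTO=TCP SPT=40003 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:04 fw kernel: INPUT DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1004 DF PROTO=TCP SPT=40004 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:05 fw kernel: INPUT DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=68 TOS=0x00 PREC=0x00 TTL=61 ID=2001 PROTO=UDP SPT=53 DPT=53 LEN=48
Mar  3 10:01:06 fw kernel: ICMP DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=2002 PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=1
Mar  3 10:01:07 fw sshd[812]: Accepted publickey for alice from 192.0.2.44 port 50022 ssh2'

# Read log lines on stdin and print one line per (source, protocol, port):
#   SRC PROTO DPT COUNT
# sorted with the most frequent first. Only kernel lines carrying the IN=
# field (the LOG target's format) are considered; ICMP has no port, so its
# TYPE= value is reported in the port column as "typeN".
summarize_drops() {
    awk '
        /kernel: .*IN=/ {
            src = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
                if (kv[1] == "TYPE")  dpt = "type" kv[2]
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k4,4nr -k1,1
}

# Crude port-scan indicator: sources whose dropped packets touched at least
# $1 distinct protocol/port targets. Prints "SRC NTARGETS", one per line.
scan_candidates() {
    summarize_drops | awk -v t="$1" '
        { targets[$1]++ }
        END { for (s in targets) if (targets[s] >= t) print s, targets[s] }
    ' | sort
}
```

Against a live system, run `summarize_drops < /var/log/messages` (or pipe `journalctl -k` into it on a systemd host) and `scan_candidates 3 < /var/log/messages`; the sample above yields one source that probed three different ports and one that only sent a DNS query and a ping.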
Adding and Removing Packet Filtering Rules
Thus far, you have created a masquerading router. However, you have not yet invoked any packet filtering. Following are some examples of packet-filtering rules you may want to create on your system. First, consider the following Ipchains commands:
ipchains -P input DENY
ipchains -A input -i eth0 -p tcp -s 0/0 -d 0/0 22 -j ACCEPT
Now, consider the equivalent series of Iptables commands:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
These commands effectively prohibit every service from passing through your firewall, except for SSH, which uses port 22. No other service can reach your network. Notice that Ipchains refers to the input chain in lowercase, whereas Iptables uses the FORWARD chain in uppercase; the built-in Iptables chains (INPUT, FORWARD, OUTPUT, and the nat and mangle chains) are always written in uppercase. In addition, Iptables does not use the INPUT chain for packets destined for the internal network. In Iptables, the INPUT chain refers only to packets destined for the local system, and the FORWARD chain to packets routed through it. Thus, in Iptables, you should explicitly set the INPUT policy to DROP, unless you want to allow access to the firewall itself, say by SSH or another relatively secure administration method. Masquerading is unaffected: address translation happens in the nat table's PREROUTING and POSTROUTING chains, and translated packets are still checked against the filter table's FORWARD chain, so the FORWARD rules above decide what the internal network can receive.
Notice also that Ipchains uses DENY as a target name, whereas Iptables uses DROP. Another difference is in the way destination ports are specified: Ipchains takes the port after the address (-d 0/0 22), whereas Iptables uses --dport (and --sport for the source port). The address is optional in both tools: when you use --dport or --sport without -s or -d, the rule matches any source or destination address, not just the first local interface. Finally, the interface option is lowercase -i in both tools. In Ipchains it names the interface the packet arrives on, and in Iptables -i names the incoming interface (with -o for the outgoing one); uppercase -I means insert in both and is easy to confuse with -i.
The preceding configuration is both extremely simple and restrictive. It allows outside hosts to reach only SSH behind the firewall, and because the INPUT policy is DROP, a user interactively logged in to the firewall itself cannot check e-mail or use any other Internet-based service: the replies to the firewall's own connections are dropped. This is because the rule set is designed to lock down the firewall as much as possible.
ICMP Types
Notice that with Iptables, you can match (and therefore drop or reject) specific ICMP types with the --icmp-type option, for example -p icmp --icmp-type echo-request; Ipchains takes the type name in the position of the source port (-p icmp -s 0/0 echo-request). Table 5.5 explains some of the additional types, including the numbers assigned in RFC 792, which is the document that defines the parameters for all ICMP messages.
Iptables/Ipchains ICMP Message Name | RFC Name and Number | Description |
---|---|---|
echo-request | 8 Echo | The packet sent out by the common ping command. |
echo-reply | 0 Echo Reply | The reply a host gives to the ping command. |
destination-unreachable | 3 Destination Unreachable | Informs the sender that the destination network, host, protocol, or port could not be reached. |
source-quench | 4 Source Quench | Sent by a router or host that is receiving packets faster than it can process them, asking the sender to slow down. Now deprecated, but still seen. |
redirect | 5 Redirect | Sent by a router that has, essentially, discovered a more direct route to the destination than the one the sending host used. |
time-exceeded | 11 Time Exceeded | Sent by a router that decremented a datagram's Time-To-Live (TTL) to zero and dropped it, or by a host whose reassembly timer expired. The traceroute command relies on this message. |
parameter-problem | 12 Parameter Problem | Sent by either a host or a router that cannot process a packet because of a bad header field. |
You can learn about additional arguments by typing iptables -p icmp -h at any terminal.
A Personal Firewall Example
Suppose that you want to create a personal firewall for a system that you use as a desktop. You would use the previous Ipchains commands as follows:
ipchains -P input DENY
ipchains -A input -i eth0 -p tcp -s 0/0 -d 0/0 22 -j ACCEPT
To create a personal firewall system using Iptables, you would issue the following commands:
iptables -P INPUT DROP
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 1023: -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1023: -j ACCEPT
The preceding commands allow SSH, but no other service. However, because inbound traffic to the unprivileged ports (1023 and above) is accepted, a user can browse the Web, contact DNS servers, and so forth, since the replies come back to a local port in that range, and can use the system with a reasonable degree of security. This system now cannot even be pinged, which helps to protect it against distributed DoS and ping scanning attacks. Bear in mind that opening every port above 1023 also admits unsolicited connections to any service listening there (an X server on port 6000, for example); where the state match is available, accepting only -m state --state ESTABLISHED,RELATED traffic admits the replies without that exposure.
Exercise: Creating a Personal Firewall and Creating a User-Defined Chain
1. Using either Ipchains or Iptables, add the following rules to your input (INPUT) chain to create a personal firewall:
   - Deny all incoming ICMP traffic, and make sure the denial is logged
   - Deny all incoming FTP traffic
   - Deny all incoming DNS traffic
   - Deny Telnet
   - Deny SMTP and POP3
If you are using Iptables on a standard system with one interface, you would issue the following commands. The LOG rule must come before the DROP rule: a packet that has been dropped never reaches the rules after it.
iptables -A INPUT -s 0/0 -d 0/0 -p icmp -j LOG
iptables -A INPUT -s 0/0 -d 0/0 -p icmp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport 20 -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport 21 -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport 53 -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p udp --dport 53 -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport 23 -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport 25 -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport 110 -j DROP
Of course, there is more than one way to do this. For example, you could create a user-defined chain and handle all ICMP traffic there:
iptables -N icmptraffic
iptables -A icmptraffic -s 0/0 -d 0/0 -p icmp -j LOG
iptables -A icmptraffic -s 0/0 -d 0/0 -p icmp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p icmp -j icmptraffic
2. List the INPUT chain (iptables -L INPUT -n, or ipchains -L input -n). If you created a user-defined chain, list this as well.
3. Save your configuration for the sake of backup. If you are using Iptables, use the following command:
iptables-save > iptables.txt
4. Flush all of the rules you created. If you are using Iptables, issue the following command:
iptables -F
Note that -F removes the rules but leaves the chain policies and any (now empty) user-defined chains in place; iptables -X deletes the empty user-defined chains.
5. List the INPUT chain (and any other) to verify that you have in fact flushed this chain.
6. Use the iptables-restore (or ipchains-restore) command along with the text file you created to restore your Iptables chains:
iptables-restore < iptables.txt
7. List your tables and chains again to verify that your rules have been restored.
8. Thus far, you have created a personal firewall that starts with a "wide open" policy, and then proceeds to lock down ports. Now, use the -P option to block all traffic, and then allow only SSH, or any other protocol(s) of your choice. If, for example, you are using Iptables, issue the following commands:
iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 1023: -j ACCEPT
iptables -A INPUT -p udp --dport 1023: -j ACCEPT
You can specify -i eth0, if you wish. If you omit it, the rule matches packets arriving on any interface, including the loopback interface, which on a system with one interface is usually what you want. Remember, you should open up the ephemeral TCP and UDP ports so that you can still do things like checking your e-mail, and so forth. If, of course, you do not want any services open on your network, you could omit the --dport 22 line altogether.
9. Now, log all traffic that attempts to connect to your system. If you are using Iptables, issue the following commands:
iptables -I INPUT -p udp --dport 1023: -j LOG
iptables -I INPUT -p tcp --dport 1023: -j LOG
These are inserted with -I rather than appended with -A so that they sit ahead of the ACCEPT rules from the previous step; a LOG rule appended after an ACCEPT rule for the same ports would never see a packet. This feature may log too much information for your server, depending on your system's activity. Make sure you check your log files regularly.
10. Log all attempts to scan the standard ports for Microsoft networking. If you are using Iptables, issue the following commands:
iptables -A INPUT -p tcp -m multiport --dports 135,137,138,139 -j LOG
iptables -A INPUT -p udp -m multiport --dports 137,138,139 -j LOG
The multiport match (-m multiport) allows you to list up to 15 ports, separated by commas, in a single rule; --dports matches destination ports, --sports source ports, and --ports either. You can read more about these options in the Iptables man page.
11. If your server needs to support additional protocols, experiment with adding them.
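The personal firewall above and the exercise both build their rule sets one command at a time, which is where ordering mistakes (a LOG appended after the DROP it was meant to precede, or after an ACCEPT that already took the packet) creep in. As an added example that is not part of the original book, here is the same personal firewall expressed as a single iptables-save style file generated by a shell function, together with a check that every DROP in a chain is preceded by a LOG rule in that chain. It assumes a single interface, SSH as the only offered service, and that the state and multiport matches are available; it replaces the page's "accept everything above 1023" rules with a state rule, so the exercise's denials only ever see unsolicited packets.

```shell
#!/bin/sh
# Added example: a personal-firewall ruleset in iptables-save format, plus
# a check that every DROP in a chain is preceded by a LOG rule.
# Assumptions: a single interface, SSH is the only service offered, and the
# state match (-m state) and multiport match (-m multiport) are available.

# Print the ruleset. Loading it with iptables-restore applies the whole set
# at once, so there is no window with a half-built chain, and the order of
# the rules is exactly what is written here.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:icmptraffic - [0:0]
# Loopback, and replies to connections this host opened itself. This is
# what lets a desktop browse and fetch mail without opening ports 1023:.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP goes to its own chain: logged at a limited rate, then dropped.
-A INPUT -p icmp -j icmptraffic
-A icmptraffic -m limit --limit 2/min --limit-burst 2 -j LOG --log-prefix "ICMP DROP: "
-A icmptraffic -j DROP
# The only service offered: SSH.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# The exercise's explicit denials (FTP, Telnet, SMTP, DNS, POP3). LOG first.
-A INPUT -p tcp -m multiport --dports 20,21,23,25,53,110 -m limit --limit 3/min -j LOG --log-prefix "SVC DROP: "
-A INPUT -p tcp -m multiport --dports 20,21,23,25,53,110 -j DROP
-A INPUT -p udp --dport 53 -m limit --limit 3/min -j LOG --log-prefix "SVC DROP: "
-A INPUT -p udp --dport 53 -j DROP
# Whatever remains hits the DROP policy; sample it into the log first.
-A INPUT -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "INPUT DROP: "
COMMIT
EOF
}

# Read a ruleset on stdin and fail (exit 1, naming the chain) if any chain
# contains a DROP rule that no earlier LOG rule in the same chain precedes.
# This catches the classic mistake of appending the LOG rule after the DROP.
check_log_before_drop() {
    awk '
        /^-A / {
            chain = $2
            if ($0 ~ /-j LOG/) logged[chain] = 1
            if ($0 ~ /-j DROP/ && !logged[chain]) {
                print "unlogged DROP in chain " chain
                bad = 1
            }
        }
        END { if (bad) exit 1 }
    '
}
```

Write the output of build_ruleset to a file and load it with `iptables-restore < personal.rules`; on versions of iptables-restore that support `--test`, that flag parses the file without applying it, and `build_ruleset | check_log_before_drop` catches ordering mistakes before you get that far. Because the state rule admits replies to the host's own connections, the page's `--dport 1023:` ACCEPT rules are not needed, and the check would flag a chain such as `-A INPUT -p icmp -j DROP` followed by `-A INPUT -p icmp -j LOG`, which logs nothing.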
Redirecting Ports in Ipchains and Iptables
Port redirection is where a packet destined for a certain port (say, port 80) is received on an interface and is then delivered to another port on the firewall itself. Redirecting ports is common in networks that use proxy servers. To redirect, in Ipchains, connections arriving on eth1 for ports 80 and 443 to a proxy listening on port 8080 of the local system, you could issue the following commands:
ipchains -A input -i eth1 -p tcp -s 0/0 -d 0/0 80 -j REDIRECT 8080
ipchains -A input -i eth1 -p tcp -s 0/0 -d 0/0 443 -j REDIRECT 8080
In Iptables, you must use the REDIRECT target from the nat table, in the PREROUTING chain:
iptables -t nat -A PREROUTING -i eth1 -s 0/0 -d 0/0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i eth1 -s 0/0 -d 0/0 -p tcp --dport 443 -j REDIRECT --to-ports 8080
These rules ensure that any hosts that try to bypass your proxy server by connecting to Web servers directly through the firewall are transparently handed to the proxy server on the firewall. Bear in mind that a plain HTTP proxy on port 8080 cannot serve a redirected HTTPS connection: the client expects a TLS handshake with the site it named, so redirecting port 443 only makes sense if the listener on 8080 is built to handle intercepted TLS. Another strategy is to deny all requests to ports 80 and 443, and then make sure that all Web clients are configured to access your proxy server.