Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
It's a good idea to list the rules you've defined, to double-check that they are installed and are in the order you expect. The -L command lists the actual rules for a given chain as they exist in the internal kernel table. Rules are listed in the order in which they are matched against a packet. The basic format of the iptables list command is as follows:

    iptables [-v -n] -L [chain]

or

    iptables [-t <table>] [-v -n] -L [chain]

The first format refers to the default filter table. If a specific chain isn't specified, the command lists all rules on the three built-in filter table chains, plus any user-defined chains. The second format is needed to list the rules on the nat or mangle tables. Adding the -v option is useful to see the interface to which the rule applies. Adding the -n option is useful if the firewall rules refer to remote or illegal addresses, to avoid the lengthy name-resolution time for those addresses. Remember that if a chain is specified, it must follow the -L command. Also note that -L is a command and -v and -n are options. They cannot be combined as in -Lvn. Unlike using iptables to define actual rules, using iptables to list existing rules can be done from the command line. The output goes to your terminal or can be redirected into a file.

filter Table Listing Formats
The basic format of the filter table list command to list all rules on all filter table chains is this:

    iptables -vn -L INPUT
    iptables -vn -L OUTPUT
    iptables -vn -L FORWARD

or

    iptables -vn -L

Notice that the preceding list commands show only the rules in the filter table chains. The next three sections use seven sample rules on the INPUT chain to illustrate the differences among the various listing format options available to you with the filter table and to explain what the output fields mean. Using the different listing format options, the same seven sample rules are listed with varying degrees of detail and readability. The listing format options and fields are the same for the INPUT, OUTPUT, and FORWARD chains.

iptables -L INPUT
Here is an abbreviated list of seven rules from an INPUT chain using the default listing options:

    > iptables -L INPUT
    1 INPUT (policy DROP)
    2 target     prot opt source            destination
    3 ACCEPT     all  --  anywhere          anywhere
    4 LOG        icmp -f  anywhere          anywhere           LOG level warning prefix `Fragmented ICMP: '
    5 DROP       tcp  --  anywhere          anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    6 ACCEPT     all  --  anywhere          anywhere           state RELATED,ESTABLISHED
    7 ACCEPT     udp  --  192.168.1.0/25    my.host.domain     udp spts:1024:65535 dpt:domain state NEW
    8 REJECT     tcp  --  anywhere          my.host.domain2    tcp dpt:auth reject-with icmp-port-unreachable
    9 ACCEPT     tcp  --  192.168.1.0/25    my.host.domain     multiport dports http,https tcp spts:1024:65535 flags:SYN,RST,ACK/SYN state NEW

Line 1 identifies the listing as being for the INPUT chain. The INPUT chain's default policy is DROP. Line 2 contains the column headings: target, prot, opt, source, and destination.
Line 3 illustrates how the simple -L list command, without qualifying arguments, lacks some important detail. The rule appears to accept all incoming packets (tcp, udp, and icmp) from anywhere. The missing detail, in this case, is the interface, lo. This is the rule accepting all input on the loopback interface.

Line 4 is a rule to log any (second and subsequent) fragmented ICMP packets. The default logging level for syslog is warn. The LOG rule has an associated --log-prefix string defined for it.

Line 5 is a rule that drops TCP packets without any state flags set.

Line 6 is a rule that accepts any incoming packet that is part of an ESTABLISHED connection, or a packet RELATED to such a connection (that is, an associated ICMP error or FTP data connection).

Line 7 is a rule that accepts incoming UDP DNS requests from hosts in the local network, 192.168.1.0/25. Notice that the network is divided into two subnets, so the hosts could range from 192.168.1.1 to 192.168.1.126.

Line 8 is a rule that rejects incoming TCP auth requests or queries to the local identd server. The ICMP Type 3 error message returned contains the default port-unreachable code. It isn't evident in the listing that the machine has two network interfaces. Requests are rejected from the "external" network, domain2.

Line 9 accepts incoming TCP connection requests from the local LAN for standard HTTP web connections and HTTPS web connections. A destination port list was defined with the multiport match option.

iptables -n -L INPUT
The -n option reports all fields as numeric values rather than symbolic names. This option can save time if your rules use a lot of specific IP addresses that otherwise would require DNS lookups before being listed. Additionally, a port range is more informative if it is listed as 23:79 rather than as telnet:finger. Using the same seven sample rules from the INPUT chain, the following shows what the listing output looks like using the -n numeric option:

    > iptables -n -L INPUT
    1 INPUT (policy DROP)
    2 target     prot opt source            destination
    3 ACCEPT     all  --  0.0.0.0/0         0.0.0.0/0
    4 LOG        icmp -f  0.0.0.0/0         0.0.0.0/0          LOG flags 0 level 4 prefix `Fragmented ICMP: '
    5 DROP       tcp  --  0.0.0.0/0         0.0.0.0/0          tcp flags:0x023F/0x020
    6 ACCEPT     all  --  0.0.0.0/0         0.0.0.0/0          state RELATED,ESTABLISHED
    7 ACCEPT     udp  --  192.168.1.0/25    192.168.1.2        udp spts:1024:65535 dpt:53 state NEW
    8 REJECT     tcp  --  0.0.0.0/0         192.168.1.254      tcp dpt:113 reject-with icmp-port-unreachable
    9 ACCEPT     tcp  --  192.168.1.0/25    192.168.1.2        multiport dports 80,443 tcp spts:1024:65535 flags:0x0216/0x022 state NEW

Line 1 identifies the listing as being for the INPUT chain. The INPUT chain's default policy is DROP. Line 2 contains the column headings: target, prot, opt, source, and destination.
Line 3 illustrates how the simple -L list command, without qualifying arguments, lacks some important detail. The rule appears to accept all incoming packets (tcp, udp, and icmp) from anywhere. The missing detail, in this case, is the interface, lo. This is the rule accepting all input on the loopback interface.

Line 4 is a rule to log any (second and subsequent) fragmented ICMP packets. The default logging level for syslog is warn. The LOG rule has an associated --log-prefix string defined for it. The flags value (0, in this case) is an internal value representing which of the logging options was specified: --log-ip-options, --log-tcp-options, or --log-tcp-sequence.

Line 5 is a rule that drops TCP packets without any state flags set. The leading 2 in the mask and comparison fields appears to be a bug in the printing code. It appears that the intent was to define the field as two hexadecimal digits long, with a leading 0, but the length indication (2) was misplaced. So the actual mask value is 0x03F, and the actual comparison value is 0x000.

Line 6 is a rule that accepts any incoming packet that is part of an ESTABLISHED connection, or a packet RELATED to such a connection (that is, an associated ICMP error or FTP data connection).

Line 7 is a rule that accepts incoming UDP DNS requests from hosts in the local network, 192.168.1.0/25. Notice that the network is divided into two subnets, so the hosts could range from 192.168.1.1 to 192.168.1.126.

Line 8 is a rule that rejects incoming TCP auth requests or queries to the local identd server. The ICMP Type 3 error message returned contains the default port-unreachable code. It isn't evident in the listing that the machine has two network interfaces. Requests are rejected from the "external" subnet. Those hosts' IP addresses can range from 129 to 254.

Line 9 accepts incoming TCP connection requests from the local LAN for standard HTTP web connections and HTTPS web connections. A destination port list was defined with the multiport match option. SYN's bit value in the state field is 0x02. (Remember that the leading 2 in both flag fields is a typo in the code.) The 0x016 represents the FIN, SYN, RST, and ACK fields that are being inspected; out of these, only the SYN flag must be set.

iptables -v -L INPUT
The -v option produces more verbose output, including the interface name. Reporting the interface name is especially helpful when the machine has more than one network interface. Using the same seven sample rules from the INPUT chain, the following shows what the listing output looks like using the -v verbose option:

    > iptables -v -L INPUT
    1 INPUT (policy DROP 0 packets, 0 bytes)
    2 pkts bytes target     prot opt in   out  source            destination
    3   32  3416 ACCEPT     all  --  lo   any  anywhere          anywhere
    4    0     0 LOG        icmp -f  any  any  anywhere          anywhere           LOG level warning prefix `Fragmented ICMP: '
    5    0     0 DROP       tcp  --  any  any  anywhere          anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    6   94  6586 ACCEPT     all  --  any  any  anywhere          anywhere           state RELATED,ESTABLISHED
    7    1    65 ACCEPT     udp  --  eth0 any  192.168.1.0/25    my.host.domain     udp spts:1024:65535 dpt:domain state NEW
    8    0     0 REJECT     tcp  --  eth1 any  anywhere          my.host.domain2    tcp dpt:auth reject-with icmp-port-unreachable
    9    1    48 ACCEPT     tcp  --  eth0 any  192.168.1.0/25    my.host.domain     multiport dports http,https tcp spts:1024:65535 flags:SYN,RST,ACK/SYN state NEW

Line 1 identifies the listing as being for the INPUT chain. The INPUT chain's default policy is DROP. 0 packets have been dropped by the default policy, accounting for 0 bytes of network traffic. Line 2 contains the column headings: pkts, bytes, target, prot, opt, in, out, source, and destination.
Line 3 is more useful with the -v list option. The loopback interface is clearly being referred to. This is the rule accepting all input on the loopback interface.

Line 4 is a rule to log any (second and subsequent) fragmented ICMP packets arriving on any network interface. The default logging level for syslog is warning. The LOG rule has an associated --log-prefix string defined for it.

Line 5 is a rule that drops TCP packets arriving on any network interface that don't have any state flags set.

Line 6 is a rule that accepts any incoming packet arriving on any network interface that is part of an ESTABLISHED connection or a packet RELATED to such a connection (such as an associated ICMP error or FTP data connection).

Line 7 is a rule that accepts incoming UDP DNS requests from hosts in the local network, 192.168.1.0/25. Notice that the network is divided into two subnets, so the hosts could range from 192.168.1.1 to 192.168.1.126.

Line 8 is a rule that rejects incoming TCP auth requests, or queries to the local identd server. The ICMP Type 3 error message returned contains the default port-unreachable code. It isn't evident in the listing that the machine has two network interfaces. Requests are rejected from the "external" network, domain2.

Line 9 accepts incoming TCP connection requests from the local LAN for standard HTTP web connections and HTTPS web connections. A destination port list was defined with the multiport match option.

nat Table Listing Formats
The basic format of the nat table list command to list all rules on all nat table chains is shown here:

    iptables -t nat -vn -L PREROUTING
    iptables -t nat -vn -L POSTROUTING
    iptables -t nat -vn -L OUTPUT

or

    iptables -t nat -vn -L

Notice that the preceding list commands show only the rules in the nat table chains. What follows are four sample NAT rules, two on the PREROUTING chain and two on the POSTROUTING chain. In the interest of brevity, only the -v output is presented:

    > iptables -t nat -v -L
    1 PREROUTING (policy DROP 0 packets, 0 bytes)
    2 pkts bytes target     prot opt in   out  source            destination
    3    0     0 DNAT       tcp  --  eth1 any  192.168.1.129     this.host          tcp spts:1020:65535 dpt:ssh to:hostA.lan
    4    0     0 REDIRECT   tcp  --  eth0 any  anywhere          anywhere           tcp spts:1024:65535 dpt:http
    5 POSTROUTING (policy DROP 0 packets, 0 bytes)
    6 pkts bytes target     prot opt in   out  source            destination
    7    0     0 SNAT       tcp  --  any  eth1 hostA.lan         192.168.1.129      tcp spts:1024:65535 dpt:21 to:this.host
    8    0     0 MASQUERADE all  --  any  ppp0 lan_network       anywhere

Line 1 identifies the listing as being for the PREROUTING chain, the point where destination NAT is applied. The PREROUTING chain's default policy is DROP. Line 2 contains the column headings: pkts, bytes, target, prot, opt, in, out, source, and destination.
Line 3 is a DNAT rule to alter the destination address in incoming SSH packets. SSH client connections from external host 192.168.1.129 addressed to the local host are redirected to host A on the LAN.

Line 4 is an example of the specialized form of DNAT, REDIRECT, which redirects packets to the local host. In this case, any HTTP packets arriving on the eth0 interface, presumably to be forwarded to a remote web server, are redirected to a local proxy server listening on this host's TCP port 80.

Line 5 identifies the next listing as being for the POSTROUTING chain, the point where source NAT is applied. The POSTROUTING chain's default policy is DROP.

Line 6 contains the column headings and is identical to Line 2.

Line 7 is an SNAT rule to alter the source address in outgoing FTP client packets. FTP client connections from Host A on the LAN addressed to host 192.168.1.129 on the external LAN are modified to appear to be originating from this host.

Line 8 is an example of the specialized form of SNAT, MASQUERADE, which is intended for temporary connections with changeable IP addresses. In this case, all outgoing packets on the ppp0 interface are masqueraded as coming from this host. Remember that forward rules are also necessary in these cases.

mangle Table Listing Formats
The basic format of the mangle table list command to list all rules on the mangle table chains is as follows:

    iptables -t mangle -vn -L PREROUTING
    iptables -t mangle -vn -L OUTPUT

or

    iptables -t mangle -vn -L

Notice that the preceding list commands show only the rules in the mangle table chains. What follows are two sample mangle table rules, a MARK rule on the PREROUTING chain and a TOS rule on the OUTPUT chain. In the interest of brevity, only the -v output is presented:

    > iptables -t mangle -v -L
    1 PREROUTING (policy DROP 0 packets, 0 bytes)
    2 pkts bytes target     prot opt in   out  source                destination
    3    0     0 MARK       tcp  --  eth0 any  laptop.private.lan    anywhere           tcp spts:1024:65535 dpt:ssh MARK set 0x10070
    4 OUTPUT (policy DROP 0 packets, 0 bytes)
    5 pkts bytes target     prot opt in   out  source                destination
    6    0     0 TOS        tcp  --  any  eth1 bastion.firewall.lan  anywhere           tcp spts:1024:65535 dpt:ssh TOS set Minimize-Delay

Line 1 identifies the listing as being for the PREROUTING chain, the point where MANGLE is applied. The PREROUTING chain's default policy is DROP. Line 2 contains the column headings: pkts, bytes, target, prot, opt, in, out, source, and destination.
Line 3 is a MARK rule to alter the mark value that iptables associates with SSH packets arriving on the incoming interface. SSH client connections from the local laptop addressed to anywhere are assigned the mark value 0x10070.

Line 4 identifies the listing as being for the OUTPUT chain, the chain where mangle table operations are applied to locally generated packets. The OUTPUT chain's default policy is DROP.

Line 5 contains the same column headings as Line 2.

Line 6 is a TOS rule to alter the tos value in the IP packet header of outgoing SSH client packets. SSH client connections from the local host addressed to the local bastion firewall are assigned the tos value minimize-delay.
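The tcp flags:MASK/COMP field in the -n listing of the INPUT chain above (lines 5 and 9) is the least readable part of the numeric output. As an added example, not code from the book, here is a small Python decoder that converts between the symbolic form -L prints and the hexadecimal form -n prints, and evaluates whether a given TCP flag byte would match the rule. The hex values used are the page's with the stray leading 2 removed, as the text explains: 0x3F/0x00 for line 5 and 0x16/0x02 for line 9.

```python
# Decode and evaluate the "tcp flags:MASK/COMP" match as iptables lists it:
# symbolic without -n ("SYN,RST,ACK/SYN") or hexadecimal with -n ("0x16/0x02").
# Hex values are the page's with the stray leading 2 removed, as the text
# explains: 0x023F/0x020 is really 0x3F/0x00 and 0x0216/0x022 is 0x16/0x02.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}  # the order -L prints them in
ALL = 0x3F

def bits_for(spec):
    """'SYN,RST,ACK' -> 0x16; the rule-syntax keywords ALL and NONE work too."""
    if spec == "NONE":
        return 0
    if spec == "ALL":
        return ALL
    value = 0
    for name in spec.split(","):
        value |= TCP_FLAGS[name]  # KeyError on an unknown flag name
    return value

def names_for(bits):
    """0x16 -> 'SYN,RST,ACK'; 0 -> 'NONE', the spelling -L itself uses."""
    names = [n for n, v in TCP_FLAGS.items() if bits & v]
    return ",".join(names) if names else "NONE"

def parse_flags(field):
    """Return (mask, comp) as ints from either listing form."""
    mask, comp = field.split("/")
    if mask.startswith("0x"):
        mask, comp = int(mask, 16), int(comp, 16)
    else:
        mask, comp = bits_for(mask), bits_for(comp)
    if comp & ~mask:  # a flag required set but not examined can never match
        raise ValueError(f"compare bits outside mask in {field!r}")
    return mask, comp

def to_symbolic(field):
    """'0x16/0x02' -> 'SYN,RST,ACK/SYN', what -L prints without -n."""
    mask, comp = parse_flags(field)
    return f"{names_for(mask)}/{names_for(comp)}"

def to_numeric(field):
    """'SYN,RST,ACK/SYN' -> '0x16/0x02', what -n prints."""
    mask, comp = parse_flags(field)
    return f"0x{mask:02X}/0x{comp:02X}"

def matches(packet_flags, field):
    """True if a TCP header with these flag bits hits the rule: of the
    flags named in MASK, exactly those named in COMP must be set."""
    mask, comp = parse_flags(field)
    return (packet_flags & mask) == comp
```

For line 9's rule, a bare SYN (0x02) matches while a SYN-ACK (0x12) does not, which is what makes it a match for new connection requests only.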
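The -v listing format is the same for the filter, nat, and mangle tables shown above, which makes it worth parsing when a rule set is too long to review by eye. As an added example that is not part of the book, here is a Python parser for that format together with an audit helper that picks out ACCEPT rules bound to no interface, source, or connection state, the very detail the text notes a plain -L hides. The sample listing is constructed from the page's INPUT chain rules plus one invented, unscoped ssh ACCEPT rule.

```python
import re

# Constructed sample in "iptables -v -L INPUT" format, modelled on the page's
# INPUT listing (real output starts each chain with "Chain" and has no line
# numbers or backslashes); the final ssh rule is invented as an unscoped ACCEPT.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source          destination
   32  3416 ACCEPT all  --  lo   any  anywhere        anywhere
   94  6586 ACCEPT all  --  any  any  anywhere        anywhere        state RELATED,ESTABLISHED
    1    65 ACCEPT udp  --  eth0 any  192.168.1.0/25  my.host.domain  udp spts:1024:65535 dpt:domain state NEW
    0     0 REJECT tcp  --  eth1 any  anywhere        my.host.domain2 tcp dpt:auth reject-with icmp-port-unreachable
    0     0 ACCEPT tcp  --  any  any  anywhere        anywhere        tcp dpt:ssh
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+" + r"(\S+)\s+" * 6 + r"(\S+)(?:\s+(.*))?$")
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination", "extra")
WILD = {"any", "*", "anywhere", "0.0.0.0/0"}  # -L and -n -L spellings of "unrestricted"

def to_count(text):
    """-v counters print as 12K/3M/1G once large; normalise to an int."""
    scale = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(text[:-1]) * scale[text[-1]] if text[-1] in scale else int(text)

def parse_listing(text):
    """Parse -v listing output into {chain: {"policy": ..., "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:  # built-in chains carry a policy, user-defined chains a reference count
            current = {"policy": m.group(2), "rules": []}
            chains[m.group(1)] = current
            continue
        m = RULE_RE.match(line)  # the header row and blank lines do not match
        if m and current is not None:
            rule = dict(zip(FIELDS, m.groups()))
            rule["extra"] = rule["extra"] or ""
            rule["pkts"], rule["bytes"] = to_count(rule["pkts"]), to_count(rule["bytes"])
            current["rules"].append(rule)
    return chains

def unscoped_accepts(chains):
    """ACCEPT rules bound to no interface, source or connection state: the
    detail a plain -L hides (it shows the lo rule above as anywhere/anywhere)."""
    return [(name, r["prot"], r["extra"]) for name, chain in chains.items()
            for r in chain["rules"]
            if r["target"] == "ACCEPT" and r["in"] in WILD and r["out"] in WILD
            and r["source"] in WILD and "state" not in r["extra"]]
```

Feed it the real output of iptables -v -L (or -vn -L, which the WILD set also covers) and review whatever unscoped_accepts returns against the intended policy.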