Iptables Configuration

Linux Firewall Iptables complete configuration

Published in: Education, Technology
Transcript

  • 1. CONFIGURATION AND IMPLEMENTATION OF IPTABLES
    Submitted by: SAMESWAR BEHERA
    Guided by: ER. NUTAN KUMAR PANDA
  • 2. Certificate
    This is to certify that the project report entitled "Configuration and Implementation of Iptables", submitted by Sameswar Behera, ISEH-FRP, in partial fulfillment of the requirement for the award of Diploma in ISEH under APPIN TECHNOLOGY LAB, Bhubaneswar, completed his project successfully.
    Er. Nutan Kumar Panda, Project Guide
    Mr. Bibhuti Bhusan Prusty, Center Head
    Mr. Sudhanshu Bhusan Prusty, Managing Director
  • 3. Acknowledgement
    I have a great honor to acknowledge Mr. Sudhanshu Bhusan Prusty, Managing Director, Appin Technology Labs, Bhubaneswar, Odisha, who had given me his consent to carry out this project. I feel immense pleasure and privilege in expressing my deep sense of gratitude towards my guide Er. Nutan Kumar Panda, whose valuable guidance and critical analysis of my results has led to the successful completion of my project. My special thanks to all my friends for giving me incentive support in this report work. I express my gratitude to my affectionate friends for encouragement and enthusiastic support throughout this study.
    SAMESWAR BEHERA
  • 4. TABLE OF CONTENTS
    What is firewall (slide 5)
    What is iptables (slide 5)
    Installing iptables (slide 5)
    To start iptables (slide 6)
    Determining the status of iptables (slide 7)
    Packet processing in iptables (slide 8)
    Processing for packets routed by the firewall (slide 9)
    Iptables packet flow diagram (slide 10)
    Targets and jumps (slide 11)
    General iptables match criteria (slide 12)
    Common TCP and UDP match criteria (slide 21)
    Common extended match criteria (slide 29)
    Saving iptables scripts (slide 31)
    Iptables restoration (slide 32)
    Allow your home network to access the internet (slide 33)
    Allow your home network to access the firewall (slide 33)
    Prevent DoS attack (slide 33)
    Static NAT (slide 34)
    Port forwarding (slide 34)
    Conclusion (slide 35)
    Reference (slide 36)
  • 5. What is a Firewall?
    • A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer.
    • A set of related programs that protects the resources of a private network from users on other networks.
    • A mechanism for filtering network packets based on information contained within the IP header.

    Firewall Options:
    • Commercial firewall devices (Watchguard, Cisco PIX)
    • Routers (ACL lists)
    • Linux (iptables)
    • Software packages (ZoneAlarm, BlackICE, Tiny Personal Firewall, Norton Personal Firewall, Comodo Firewall)

    Linux Firewall Programs:
    • ipfwadm: Linux kernel 2.0.34
    • ipchains: Linux kernel 2.2
    • iptables: Linux kernel 2.4 and above

    What Is iptables?
    iptables is the firewall package available in the Linux operating system. Its predecessor was known as ipchains; iptables later gained capabilities such as NAT and routing. Some other improvements are:
    • Better integration with the Linux kernel, so improved speed and reliability.
    • Stateful packet inspection.
    • Filtering of packets according to TCP header and MAC address.
    • System logging that provides the option of adjusting the level of detail of the reporting.
    • Better network address translation.
    • Support for transparent integration with Web proxy programs such as Squid.
    • A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks.

    Installing iptables:
    Most Linux distributions, including Red Hat / CentOS Linux, install iptables by default. You can use the following procedure to verify whether iptables has been installed on Red Hat. Open a terminal and type the following command:
    [root@localhost ~]# yum info iptables
  • 6. Sample output:
    If the above message does not appear, type the following command to install iptables:
    [root@localhost ~]# yum install iptables

    To Start iptables:
    You can start, stop, and restart iptables after booting by using the commands:
    [root@localhost ~]# service iptables start
    [root@localhost ~]# service iptables stop
    [root@localhost ~]# service iptables restart
    To get iptables configured to start at boot, use the chkconfig command:
    [root@localhost ~]# chkconfig iptables on
  • 7. Determining The Status of iptables:
    You can determine whether iptables is running via the service iptables status command.
    [root@localhost ~]# service iptables status
  • 8. Packet Processing In iptables:
    All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain.
    • There are three tables in total. The first is the mangle table, which is responsible for the alteration of quality of service bits in the TCP header. This is hardly used in a home or SOHO environment.
    • The second table is the filter queue, which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. These are the:
      1. Forward chain: Filters packets to servers protected by the firewall.
      2. Input chain: Filters packets destined for the firewall.
      3. Output chain: Filters packets originating from the firewall.
    • The third table is the nat queue, which is responsible for network address translation. It has two built-in chains; these are:
      1. Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.
      2. Post-routing chain: NATs packets when the source address of the packet needs to be changed.
  • 9. Processing For Packets Routed By The Firewall:
    Filter table (packet filtering):
    • FORWARD: Filters packets to servers accessible by another NIC on the firewall.
    • INPUT: Filters packets destined to the firewall.
    • OUTPUT: Filters packets originating from the firewall.
    Nat table (network address translation):
    • PREROUTING: Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.
    • POSTROUTING: Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.
    • OUTPUT: Network address translation for packets generated by the firewall. (Rarely used in SOHO environments.)
    Mangle table (TCP header modification):
    • PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD: Modification of the TCP packet quality of service bits before routing occurs. (Rarely used in SOHO environments.)

    You need to specify the table and the chain for each firewall rule you create. There is an exception: most rules are related to filtering, so iptables assumes that any chain that's defined without an associated table will be a part of the filter table. The filter table is therefore the default.

    Take a look at the way packets are handled by iptables. In the figure below a TCP packet from the Internet arrives at the firewall's interface on Network A to create a data connection.
    • The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. It is then routed.
    • If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT in the POSTROUTING chain before arriving at Network B. When the destination server decides to reply, the packet undergoes the same sequence of steps. Both the FORWARD and POSTROUTING chains may be configured to implement quality of service (QoS) features in their mangle tables, but this is not usually done in SOHO environments.
    • If the packet is destined for the firewall itself, then it passes through the mangle table of the INPUT chain, if configured, before being filtered by the rules in the INPUT chain of the filter table. If it successfully passes these tests then it is processed by the intended application on the firewall.
    • At some point, the firewall needs to reply. This reply is routed and inspected by the rules in the OUTPUT chain of the mangle table, if any. Next, the rules in the OUTPUT chain of the nat table determine whether DNAT is required, and the rules in the OUTPUT chain of the filter table are then inspected to help restrict unauthorized packets. Finally, before the packet is sent back to the Internet, SNAT and QoS mangling is done by the POSTROUTING chain.
  • 10. Iptables Packet Flow Diagram:
    (diagram of the packet flow through the mangle, nat and filter chains; not reproduced in the transcript)
  • 11. Targets And Jumps:
    Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet needs to jump over to it for further processing.
    • ACCEPT: iptables stops further processing and the packet is handed over to the end application. Options: N/A.
    • DROP: iptables stops further processing and drops the packet. Options: N/A.
    • LOG: The packet information is sent to the syslog daemon for logging and iptables continues processing with the next rule in the table, as you can't log and drop at the same time. Options: --log-prefix "string" (tells iptables to prefix the log message with a user-defined string); --log-level 0 to 7.
    • REJECT: Works like the DROP target, but will also return an error message to the host sending the packet, telling it that the packet was blocked. Options: --reject-with qualifier (the qualifier tells what type of reject message is returned). Qualifiers include: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, tcp-reset, echo-reply.
    • DNAT: Used to do destination network address translation, i.e. rewriting the destination IP address of the packet. Options: --to-destination ipaddress (tells iptables what the destination IP address should be).
    • SNAT: Used to do source network address translation, i.e. rewriting the source IP address of the packet. The source IP address is user defined. Options: --to-source <ip>[-<ip>][:<port>-<port>] (specifies the source IP address and ports to be used by SNAT).
    • MASQUERADE: Used to do source network address translation. By default the source IP address is the same as that used by the firewall's interface. Options: --to-ports <port>[-<port>] (specifies the range of source ports to which the original source port can be mapped).
  • 12. Important Iptables Command Switch Operations:
    Each line of an iptables script not only has a jump, but also has a number of command line options that are used to append rules to chains that match your defined packet characteristics, such as the source IP address and TCP port. There are also options that can be used to just clear a chain so you can start all over again.

    General Iptables Match Criteria:
    • -t <table>: Specify which table you will use: filter, nat or mangle. If you don't specify a table, the filter table is assumed.
    • -j <target>: Jump to the specified target chain when the packet matches the current rule.
    • -A: Append rule to end of a chain.
    • -F: Flush. Deletes all the rules in the selected table.
    • -p <protocol-type>: Match protocol. Types include icmp, tcp, udp, and all.
    • -s <ip-address>: Match source IP address.
    • -d <ip-address>: Match destination IP address.
    • -i <interface-name>: Match "input" interface on which the packet enters.
    • -o <interface-name>: Match "output" interface on which the packet exits.

    In this command switches example:
    [root@localhost ~]# iptables -A INPUT -s 0/0 -i eth0 -d 0/0 -p TCP -j ACCEPT
    iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address. The 0/0 representation of an IP address means any.
  • 14. [root@localhost ~]# iptables -A INPUT -s 0/0 -i eth0 -d 0/0 -p TCP -j DROP
  • 16. [root@localhost ~]# iptables -A INPUT -s 0/0 -i eth0 -d 0/0 -p icmp -j DROP
  • 17. [root@localhost ~]# iptables -A INPUT -s 0/0 -i eth0 -d 0/0 -p icmp -j REJECT --reject-with icmp-host-unreachable
  • 20. Block a Specific IP Address:
    If you want to block a specific IP address, you should do that first, as shown below. Change the "x.x.x.x" in the following example to the specific IP address that you want to block.
    BLOCK_THIS_IP="x.x.x.x"
    iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
    This is helpful when you find some strange activity from a specific IP address in your log files and you want to temporarily block that IP address while you do further research. You can also use one of the following variations, which block only traffic arriving on the eth0 connection, or only TCP traffic on eth0, for this IP address.
    iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
    iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP

    Allow Internal Network to External Network:
    On the firewall server where one Ethernet card is connected to the external network and another Ethernet card is connected to the internal servers, use the following rule to allow the internal network to talk to the external network.
    iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
    In this example, eth1 is connected to the external network (Internet), and eth0 is connected to the internal network (for example: 192.168.1.x).
  • 21. Common TCP and UDP Match Criteria:
    • -p tcp --sport <port> or <start-port:end-port>: TCP source port. Can be a single value or a range like 1024:65535.
    • -p tcp --dport <port> or <start-port:end-port>: TCP destination port. Can be a single value or a range like 1024:65535.
    • -p tcp --syn: Used to identify a new TCP connection request.
    • -p tcp ! --syn: Not a new connection request; used to identify packets of an existing TCP connection.
    • -p udp --sport <port> or <start-port:end-port>: UDP source port. Can be a single value or a range like 1024:65535.
    • -p udp --dport <port> or <start-port:end-port>: UDP destination port. Can be a single value or a range like 1024:65535.

    In this command switches example:
    iptables -A OUTPUT -s 0/0 -d 0/0 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT
    • The source port is in the range 1024 to 65535 and the destination port is port 80 (www/http).
  • 23. Allow outbound DNS:
    iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
    iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

    Allow POP3 access:
    iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

    Allow outgoing SSH:
    iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
    Please note that this is slightly different from the incoming rule: we allow both the NEW and ESTABLISHED states on the OUTPUT chain, and only the ESTABLISHED state on the INPUT chain. For the incoming rule, it is vice versa.
  • 24. Common ICMP (Ping) Match Criteria:
    • -p icmp --icmp-type <type>: The most commonly used types are echo-reply and echo-request.

    Allow Ping from Outside to Inside:
    The following rules allow outside users to be able to ping your servers (the echo request arrives on the INPUT chain and the reply leaves on the OUTPUT chain):
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  • 25. Reject Ping from Outside to Inside:
    iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT
    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j REJECT
  • 26. Allow Ping from Inside to Outside:
    The following rules allow you to ping from inside to any of the outside servers.
    iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
  • 27. Consider another example:
    iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
    • The limit feature in iptables specifies the maximum average number of matches to allow per second. You can specify time intervals in the format /second, /minute, /hour, or /day, or you can use abbreviations so that 3/second is the same as 3/s.
    • In this example, ICMP echo requests are restricted to no more than one per second. When tuned correctly, this feature allows you to filter the unusually high volumes of traffic that characterize denial of service (DoS) attacks and Internet worms.
  • 28. iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
    • In this example, you can expand on the limit feature of iptables to reduce your vulnerability to certain types of denial of service attack. Here a defense for SYN flood attacks is created by limiting the acceptance of TCP segments with the SYN bit set to no more than five per second.
  • 29. Common Extended Match Criteria:
    • -m multiport --sports <port,port>: A variety of TCP/UDP source ports separated by commas. Unlike when -m isn't used, they do not have to be within a range.
    • -m multiport --dports <port,port>: A variety of TCP/UDP destination ports separated by commas. Unlike when -m isn't used, they do not have to be within a range.
    • -m multiport --ports <port,port>: A variety of TCP/UDP ports separated by commas. Source and destination ports are assumed to be the same and they do not have to be within a range.
    • -m state --state <state>: The most frequently tested states are:
      ESTABLISHED: The packet is part of a connection that has seen packets in both directions.
      NEW: The packet is the start of a new connection.
      RELATED: The packet is starting a new secondary connection. This is a common feature of protocols such as an FTP data transfer, or an ICMP error.
      INVALID: The packet couldn't be identified. Could be due to insufficient system resources, or ICMP errors that don't match an existing data flow.

    In this command switch example:
    iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP --sport 1024:65535 -m multiport --dports 80,443 -j ACCEPT
    iptables -A FORWARD -s 192.168.1.58 -i eth1 -d 0/0 -o eth0 -p TCP -m state --state ESTABLISHED -j ACCEPT
    • Here iptables is being configured to allow the firewall to accept TCP packets to be routed when they enter on interface eth0 from any IP address destined for IP address 192.168.1.58, which is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination ports are port 80 (www/http) and 443 (https). The return packets from 192.168.1.58 are allowed to be accepted too. Instead of stating the source and destination ports, you can simply allow packets related to established connections using the -m state and --state ESTABLISHED options.
  • 31. Saving iptables Scripts:
    [root@localhost ~]# service iptables save
    [root@localhost ~]# iptables-save
    • The service iptables save command permanently saves the iptables configuration in the /etc/sysconfig/iptables file; iptables-save prints the active rule set in the same format. When the system reboots, the iptables-restore program reads the configuration and makes it the active configuration.
  • 32. Here is a sample /etc/sysconfig/iptables configuration (screenshot not reproduced in the transcript).
    • It is never a good idea to edit this file directly, because it is always overwritten by the save command and it doesn't save any comments at all, which can also make it extremely difficult to follow. For these reasons, you're better off writing and applying a customized script and then using the service iptables save command to make the changes permanent.
    [root@localhost ~]# iptables-save > firewall-config
    Used after the save command, this keeps a permanent copy of the firewall's active configuration in the /etc/sysconfig/iptables file and also exports the iptables-save output to a text file named firewall-config, which can later be used to restore the iptables rules.

    Iptables Restoration:
    [root@localhost ~]# iptables-restore < firewall-config
    • Finally, you should permanently save the active configuration so that it will be loaded automatically when the system reboots.
  • 33. Allow Your Firewall To Access The Internet:
    Allow port 80 (www) and 443 (https) connections from the firewall:
    iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp -m multiport --dports 80,443 --sport 1024:65535
    If you want all TCP traffic originating from the firewall to be accepted, then remove the line:
    -m multiport --dports 80,443 --sport 1024:65535
    Allow previously established connections:
    [root@localhost ~]# iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp

    Allow Your Home Network To Access The Firewall:
    Here eth0 is directly connected to a home network using IP addresses from the 192.168.1.0 network. All traffic between this network and the firewall is simplistically assumed to be trusted and allowed. Further rules will be needed for the interface connected to the Internet to allow only specific ports, types of connections and possibly even remote servers to have access to your firewall and home network.
    Allow all bidirectional traffic between your firewall and the protected network:
    [root@localhost ~]# iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth0
    [root@localhost ~]# iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth0

    Prevent DoS Attack:
    The following iptables rule will help you prevent a Denial of Service (DoS) attack on your web server.
    iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
  • 34. In the above example:
    • -m limit: This uses the limit iptables extension.
    • --limit 25/minute: This allows only a maximum of 25 connections per minute. Change this value based on your specific requirement.
    • --limit-burst 100: This value indicates that the limit/minute will be enforced only after the total number of connections has reached the limit-burst level.

    Static NAT:
    In this example, all traffic to a particular public IP address, not just to a particular port, is translated to a single server on the protected subnet.
    Uses one-to-one NAT to make the server 192.168.1.100 on your home network appear on the Internet as IP address 97.158.253.26.
    iptables -t nat -A PREROUTING -d 97.158.253.26 -i eth0 -j DNAT --to-destination 192.168.1.100
    iptables -t nat -A POSTROUTING -s 192.168.1.100 -o eth0 -j SNAT --to-source 97.158.253.26
    Creates a many-to-one NAT for the 192.168.1.0 home network in which all the servers appear on the Internet as IP address 97.158.253.29.
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT -o eth0 --to-source 97.158.253.29

    Port Forwarding (PAT):
    The following example redirects all traffic that comes to port 422 to port 22. This means that the incoming SSH connection can come in on both port 22 and port 422.
    iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
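As an added example that is not part of the original slides, the script below assembles the rules from slides 20, 23, 27, 28 and 33 into the kind of customized firewall script slide 32 recommends applying and then persisting with service iptables save: the specific block first (so a later ACCEPT cannot shadow it), then loopback and established traffic, then the rate-limited services, then forwarding with MASQUERADE. The interface names, the LAN range and the blocked address are constructed placeholders, and setting IPT=echo (or passing --dry-run) prints the rules instead of applying them.

```sh
#!/bin/sh
# Added example, not from the original slides: a customized firewall script of the
# kind slide 32 recommends writing and then persisting with "service iptables save".
# Interface names, the LAN range and the blocked address below are constructed
# placeholders. Run with IPT=echo (or "--dry-run") to print rules instead of applying.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                        # constructed: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"                        # constructed: interface facing the home network
LAN_NET="${LAN_NET:-192.168.1.0/24}"            # home network used throughout the slides
BLOCK_THIS_IP="${BLOCK_THIS_IP:-203.0.113.5}"   # constructed example of a host to block

fw_rules() {
    # Start from a clean filter table so the script is repeatable, and drop by default.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # 1. Specific blocks come first (slide 20): a later ACCEPT must not shadow them.
    $IPT -A INPUT -i "$WAN_IF" -s "$BLOCK_THIS_IP" -j DROP

    # 2. Loopback, and replies to connections the firewall has already accepted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. The home network is trusted to reach the firewall (slide 33).
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # 4. Inbound services from the Internet, rate limited as on slides 27, 28 and 33.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --syn --dport 22 -m limit --limit 5/s -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # 5. Route the home network out, let only return traffic back in, and hide the
    #    network behind the firewall's address with MASQUERADE (slide 11).
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -F
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # 6. Log what is about to hit the INPUT DROP policy, at most once per second.
    $IPT -A INPUT -m limit --limit 1/s -j LOG --log-prefix "FW-DROP: " --log-level 4
}

# Print the rule set instead of applying it (the subshell keeps IPT=echo local).
dry_run() {
    ( IPT=echo; fw_rules )
}

# Number of -A rules the script installs across the filter and nat tables.
dry_run_rule_count() {
    dry_run | grep -c -- '-A '
}

# 1-based position of the first -A rule mentioning the blocked address; it must be 1.
block_rule_position() {
    dry_run | grep -- '-A ' | grep -n -- "$BLOCK_THIS_IP" | cut -d: -f1 | head -n 1
}

case "${1:-}" in
    --dry-run) dry_run ;;
    --apply)   fw_rules && service iptables save ;;
esac
```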
  • 35. CONCLUSION:
    With iptables we get different services such as firewalling, routing, NAT and logging, and we can also block some types of DoS attacks just by implementing a few rules.
  • 36. REFERENCE:
    www.haifux.org/lectures/98-sil/IPTablesPresentation.pdf
    http://media.scottr.org/presentations/linux-home-networking.pdf
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/3/html/Reference_Guide/s1-iptables-options.html
    www.thegeekstuff.com/2011/06/iptables-rules-examples/
    www.cse.psu.edu/~tjaeger/cse497b.../cse497b-project-4-iptables.pdf
    www.linuxhowtos.org/Security/iptables.pdf
