iptables is used for packet filtering and, to some extent, as a firewall. It has a rate-limiting feature that helps block some types of denial of service (DoS) attacks.
All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain.
There are three tables in total:
The first is the mangle table, which is responsible for altering the quality of service bits in the TCP header. It is hardly used in a home or SOHO environment.
The second table is the filter queue, which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. These are:
Forward chain: filters packets to servers protected by the firewall.
Input chain: filters packets destined for the firewall, i.e. packets coming towards the firewall.
Output chain: filters packets originating from the firewall, i.e. packets going out from the firewall.
The third table is the nat queue, which is responsible for network address translation. It has two built-in chains; these are:
Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.
Post-routing chain: NATs packets when the source address of the packet needs to be changed.
Queue type: filter (packet filtering)
  FORWARD      Filters packets to servers accessible by another NIC on the firewall. (If a machine has two interfaces, FORWARD is used for traffic passing from one to the other, for example from a local machine through the router to the Internet.)
  INPUT        Filters packets destined to the firewall.
  OUTPUT       Filters packets originating from the firewall.

Queue type: nat (network address translation)
  PREROUTING   Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.
  POSTROUTING  Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.
  OUTPUT       Network address translation for packets generated by the firewall. (Rarely used in SOHO environments.)

Queue type: mangle (TCP header modification)
  PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD
               Modification of the TCP packet quality of service bits before routing occurs. (Rarely used in SOHO environments.)
You need to specify the table and the chain for each firewall rule you create.
There is an exception: Most rules are related to filtering, so iptables assumes that any chain that's defined without an associated table will be a part of the filter table. The filter table is therefore the default.
Example: a TCP packet from the Internet arrives at the firewall's interface on Network A to create a data connection. The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. It is then routed.
If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT in the POSTROUTING chain before arriving at Network B. When the destination server decides to reply, the packet undergoes the same sequence of steps. Both the FORWARD and POSTROUTING chains may be configured to implement quality of service (QoS) features in their mangle tables.
If the packet is destined for the firewall itself, then it passes through the mangle table of the INPUT chain, if configured, before being filtered by the rules in the INPUT chain of the filter table. If it successfully passes these tests, it is processed by the intended application on the firewall.
At some point, the firewall needs to reply. This reply is routed and inspected by the rules in the OUTPUT chain of the mangle table, if any. Next, the rules in the OUTPUT chain of the nat table determine whether DNAT is required, and the rules in the OUTPUT chain of the filter table are then inspected to help restrict unauthorized packets. Finally, before the packet is sent back to the Internet, SNAT and QoS mangling are done by the POSTROUTING chain.
Targets And Jumps
Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet jumps to it for further processing.
The built-in targets that iptables uses are:
Target: ACCEPT
  Description:
    * iptables stops further processing.
    * The packet is handed over to the end application or the operating system for processing.
  Most common options: N/A

Target: DROP
  Description:
    * iptables stops further processing.
    * The packet is blocked. No error message is returned to the sending host.
  Most common options: N/A

Target: LOG
  Description:
    * The packet information is sent to the syslog daemon for logging.
    * iptables continues processing with the next rule in the table.
    * As you can't log and drop at the same time, it is common to have two similar rules in sequence: the first logs the packet, the second drops it.
  Most common options: --log-prefix "string"
    Tells iptables to prefix all log messages with a user-defined string. Frequently used to record why the logged packet was dropped.

Target: REJECT
  Description:
    * Works like the DROP target, but also returns an error message to the host that sent the packet, telling it the packet was blocked.
  Most common options: --reject-with qualifier
    The qualifier selects the type of reject message returned. Qualifiers include: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, tcp-reset and echo-reply.

Target: DNAT
  Description:
    * Used to do destination network address translation, i.e. rewriting the destination IP address of the packet.
  Most common options: --to-destination ipaddress
    Tells iptables what the destination IP address should be.

Target: SNAT
  Description:
    * Used to do source network address translation, rewriting the source IP address of the packet.
    * The source IP address is user defined.
  Most common options: --to-source <address>[-<address>][:<port>-<port>]
    Specifies the source IP address and ports to be used by SNAT.

Target: MASQUERADE
  Description:
    * Used to do source network address translation.
    * By default the source IP address is the same as that used by the firewall's interface.
  Most common options: [--to-ports <port>[-<port>]]
    Specifies the range of source ports to which the original source port can be mapped.
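An added example (Python, not code from the original post) that parses the lines the LOG target writes to syslog and flags sources whose dropped packets hit several distinct destination ports, which is the sort of pattern the log-then-drop rule pair exists to reveal. The sample lines are constructed, use documentation address ranges, and assume a prefix set with --log-prefix "IPT-DROP: ".

```python
import re

# Constructed sample syslog lines in the format the kernel writes for the LOG target;
# the "IPT-DROP:" prefix comes from --log-prefix and the addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 12 10:00:01 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 10:00:01 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 10:00:02 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44323 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 10:00:03 fw kernel: [ 9876.543210] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44324 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 10:00:05 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=50010 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:00:06 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=31337 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jan 12 10:00:09 fw sshd[1234]: Accepted publickey for ops from 192.168.1.20 port 50222 ssh2
"""

# "kernel: ", an optional printk timestamp, the user prefix, then the first KEY=VALUE field (IN=)
KERNEL = re.compile(r"kernel: (?:\[\s*\d+\.\d+\] )?(?P<prefix>.*?)\bIN=")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")


def parse_ipt_log(line):
    """Return the prefix, KEY=VALUE fields and TCP flags of one LOG-target line,
    or None for any other syslog line (sshd, cron, unrelated kernel messages)."""
    m = KERNEL.search(line)
    if not m:
        return None
    body = line[m.start("prefix"):]
    rec = {"prefix": m.group("prefix").strip()}
    rec.update(FIELD.findall(body))      # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    rec["flags"] = set(TCP_FLAGS.findall(body))
    return rec


def port_scan_candidates(lines, min_ports=3):
    """Sources whose logged (i.e. dropped) packets hit at least min_ports distinct
    destination ports; ICMP lines carry no DPT and are ignored."""
    seen = {}
    for line in lines:
        rec = parse_ipt_log(line)
        if rec and "DPT" in rec:
            seen.setdefault(rec["SRC"], set()).add(int(rec["DPT"]))
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    print(port_scan_candidates(SAMPLE_LOG.splitlines()))
```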
General iptables match criteria

Switch                 Description
-t <table>             If you don't specify a table, then the filter table is assumed. As discussed before, the possible built-in tables are filter, nat and mangle.
-j <target>            Jump to the specified target chain when the packet matches the current rule.
-A <chain>             Append the rule to the end of a chain.
-F                     Flush. Deletes all the rules in the selected table.
-p <protocol-type>     Match protocol. Types include icmp, tcp, udp and all.
-s <ip-address>        Match source IP address.
-d <ip-address>        Match destination IP address.
-i <interface-name>    Match the "input" interface on which the packet enters.
-o <interface-name>    Match the "output" interface on which the packet exits.

In this example of the command switches:

# iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT

iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address and destined for the firewall's own IP address of 192.168.1.1. The 0/0 representation of an IP address means "any".
Common TCP and UDP match criteria

Switch                   Description
-p tcp --sport <port>    TCP source port. Can be a single value or a range in the format start-port:end-port.
-p tcp --dport <port>    TCP destination port. Can be a single value or a range in the format start-port:end-port.
-p tcp --syn             Used to identify a new TCP connection request. ! --syn means "not a new connection request".
-p udp --sport <port>    UDP source port. Can be a single value or a range in the format start-port:end-port.
-p udp --dport <port>    UDP destination port. Can be a single value or a range in the format start-port:end-port.

In this example:

# iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT

iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for the IP address 192.168.1.58, which is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination port is port 80 (www/http).
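An added example, not from the original post, that models the switches listed above in Python and evaluates the INPUT and FORWARD rules from the text with first-match semantics, so you can see which packets each rule lets through and which fall to the chain policy. The Packet and Rule classes are this model's own assumptions; it covers only the listed switches (no connection tracking) and treats a Packet's syn field as the condition --syn tests.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    in_iface: str = ""        # interface the packet arrived on (-i)
    out_iface: str = ""       # interface it would leave on (-o); FORWARD/OUTPUT only
    sport: int = 0
    dport: int = 0
    syn: bool = False         # True for a new-connection request (what --syn tests)

@dataclass
class Rule:
    target: str                              # -j
    proto: Optional[str] = None              # -p (None = any protocol)
    src: str = "0/0"                         # -s; 0/0 means any
    dst: str = "0/0"                         # -d
    in_iface: Optional[str] = None           # -i
    out_iface: Optional[str] = None          # -o
    sport: Optional[Tuple[int, int]] = None  # --sport as (low, high)
    dport: Optional[Tuple[int, int]] = None  # --dport as (low, high)
    syn: Optional[bool] = None               # --syn (True) or ! --syn (False)

def port_range(spec: str) -> Tuple[int, int]:
    """iptables port syntax: a single port '80' or a range 'start:end' such as '1024:65535'."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def in_net(addr: str, spec: str) -> bool:
    """-s/-d matching; iptables' '0/0' shorthand is not valid input for ipaddress."""
    if spec in ("0/0", "0.0.0.0/0"):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every switch present on the rule must match; a switch left out matches anything."""
    checks = [
        rule.proto is None or rule.proto.lower() == pkt.proto,
        in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst),
        rule.in_iface is None or rule.in_iface == pkt.in_iface,
        rule.out_iface is None or rule.out_iface == pkt.out_iface,
        rule.sport is None or rule.sport[0] <= pkt.sport <= rule.sport[1],
        rule.dport is None or rule.dport[0] <= pkt.dport <= rule.dport[1],
        rule.syn is None or rule.syn == pkt.syn,
    ]
    return all(checks)

def verdict(chain, pkt: Packet, policy: str = "DROP") -> str:
    """The first matching rule (in -A order) decides; otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

# The INPUT and FORWARD rules from the text, expressed as Rule objects
INPUT = [Rule("ACCEPT", proto="TCP", in_iface="eth0", dst="192.168.1.1")]
FORWARD = [Rule("ACCEPT", proto="TCP", in_iface="eth0", dst="192.168.1.58", out_iface="eth1",
                sport=port_range("1024:65535"), dport=port_range("80"))]
```

With a DROP policy, a web request to 192.168.1.58 from an ephemeral source port is accepted, while the same packet to port 443, from source port 80, or over UDP is dropped.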
Common ICMP (ping) match criteria

Match                  Description
--icmp-type <type>     The most commonly used types are echo-reply and echo-request.

In this example:

# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables is being configured to allow the firewall to send ICMP echo requests (pings) and, in turn, accept the expected ICMP echo replies.
Consider another example:

# iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT

The limit feature in iptables specifies the maximum average number of matches to allow per second. You can specify time intervals in the format /second, /minute, /hour or /day, or use abbreviations, so that 3/second is the same as 3/s. In this example, ICMP echo requests are restricted to no more than one per second. When tuned correctly, this feature allows you to filter the unusually high volumes of traffic that characterize denial of service (DoS) attacks and Internet worms.

You can expand on the limit feature of iptables to reduce your vulnerability to certain types of denial of service attack:

# iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

Here a defense against SYN flood attacks is created by limiting the acceptance of TCP segments with the SYN bit set to no more than five per second.
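An added example (Python, not the post's own code) that models the limit match as the token bucket it is, including the --limit-burst option (default 5) that lets that many matches through at once before the average rate applies. It also shows the check a practitioner wants on the rule above: a SYN the limit rule does not accept is not dropped by it but falls through to the next rule or the chain policy, so the rule needs a following -p tcp --syn -j DROP (or a DROP policy) to discard the excess, the same pairing the LOG target section describes.

```python
from dataclasses import dataclass


@dataclass
class LimitMatch:
    """Model of `-m limit --limit <rate> --limit-burst <burst>` as a token bucket:
    the bucket starts full with `burst` tokens, refills at `rate` tokens per second,
    and each matching packet spends one token; with no whole token left the match fails."""
    rate: float            # matches per second
    burst: int = 5         # iptables' default --limit-burst

    def __post_init__(self):
        self.tokens = float(self.burst)
        self.last = 0.0

    def match(self, now: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def parse_rate(spec: str) -> float:
    """Turn the iptables rate syntax ('5/s', '3/second', '30/minute', '1/hour', '100/day')
    into matches per second; the unit table here is this model's own."""
    count, _, unit = spec.partition("/")
    seconds = {"s": 1, "sec": 1, "second": 1, "m": 60, "min": 60, "minute": 60,
               "h": 3600, "hour": 3600, "d": 86400, "day": 86400}[unit or "s"]
    return int(count) / seconds


def syn_chain_verdicts(arrivals, rate_spec="5/s", burst=5, trailing_drop=True):
    """Run SYN arrival times (seconds) through
         -A INPUT -p tcp --syn -m limit --limit <rate_spec> -j ACCEPT
       optionally followed by
         -A INPUT -p tcp --syn -j DROP
       Without that DROP, every SYN the limit rule rejects reaches the chain policy
       (reported as "POLICY"), which is ACCEPT on a default iptables install."""
    limit = LimitMatch(parse_rate(rate_spec), burst)
    verdicts = []
    for t in arrivals:
        if limit.match(t):
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP" if trailing_drop else "POLICY")
    return verdicts


if __name__ == "__main__":
    flood = [0.0] * 20                      # constructed: 20 SYNs arriving at once
    print(syn_chain_verdicts(flood).count("ACCEPT"), "of", len(flood), "accepted")
```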