Linux Firewall

Posted on Updated on

Firewall

 

  

 

 

 

Objectives:

After completing this module student should be able to:

q Understand the firewall concept in Linux

q Understand and be able to create rules with IPTABLES/netfiter

q Implement IPTABLES to protect your private network

q Automate the firewall script

  

Introducing firewall

Together with the growth of internet, security would be major problem to be more and more about to be concerned. A firewall is a network device configured to prevent unauthorized access on an individual computer or network.

Firewall look at each IP packet and decide whether to pass or reject the packet based on a set of rules that you determine.

 

Figure 6.1 Firewalling private network

Here in this section we are going to learn about firewalling with Linux, we call the Linux-based firewall.

Understanding IP NAT or masquerading

IP Network Address Translation (NAT), also known as IP masquerading is a method for connecting your network to the internet by converting the source IP Address (private network) to another address (at external interface). Using NAT you need at least two network interface devices, one is attached to the external interface (for example internet), and the other to the private network(s).

You can translate some IP Addresses into an IP Address at the external interface, or an IP Address to an IP Address.

Figure 6.2 NAT network (It can be one IP translation or some IP translation).

        

Introduction to IP Packet Filters (Netfilter/iptables)

Beginning with the kernel 2.4, Linux introduce iptables utility, replacing the  ipchains to build a stateful packet filtering which is much more powerful than previous ipchains. The ability to examine a packet’s state permits very tight control over what packets the firewall passes or rejects without impacting the functionality of the network it protects.

Five built in chains comes with iptables, they are : INPUT, OUTPUT, FORWARD, PREROUTING, and POSTROUTING. The INPUT, OUTPUT, and FORWARD chains are designed to act and separate packets coming into, leaving from, and passing between the network interfaces. Each chain is a list of rules which can match a set of packets.  Each rule specifies what to do with a packet that matches.  This is called a `target’, which may be a jump to a user-defined chain in the same table. PREROUTING and POSTROUTING chains are available for the nat table, and the OUTPUT chain is available for both tables. 

 

No Chain Description

1

INPUT

Chain associates with the packets at incoming interface,

2

OUTPUT

Chain associates with the packets leave the external interfaces.

3

FORWARD

Examines packets that enter on one interface and are routed to another. This is essential for gateway routers.

4

PREROUTING

Arrived packets at incoming interface and before they are routed to the external interface (NAT) are examine using this chain

5

POSTROUTING

Packages are about to leave the outside interface while working with NAT.

You can also create your own chain that make use of the primary chains, creating custom chains allow you to create complex rule sets. Below is the example of creating a new chain:

$ iptables –A NEWCHAIN –p TCP –i eth0 –dport 23

  

iptables modes, parameters and options

No. Options Description

1

-A, –append

Append one or more rules to the end of the selected              chain

2

-D, –delete

Delete  one  or more rules from the selected chain

3.

-R, –replace

Replace a rule  in  the  selected  chain

4

-I, –insert

Insert  one  or more rules in the selected chain as              the given rule number

5.

-L, –list

List  all rules in the selected chain

6

-F, –flush

Flush the selected chain, This  is  equivalent  to             deleting all the rules one by one.

7

-N, –new-chain

Create a new user-defined chain by the given  name.

8

-X, -delete-chain

Delete  the  specified  user-defined  chain.

9

-P, –policy

Set the policy for the chain to the  given  target.

10

-E, –rename-chain

Rename the user specified chain to  the  user supplied name

Figure 6.3 iptables options

 

No. Parameters Description

1

-p, –protocol [!] protocol

The protocol of the rule or of the packet to check. The specified protocol can  be  one  of  tcp,  udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different  one. A   protocol   name  from  /etc/protocols  is  also allowed. A  “!”  argument  before  the   protocol inverts the test.  The number zero is equivalent to all.  Protocol all will match  with  all  protocols and  is  taken as default when this option is omitted.

2

-s, –source [!] address[/mask]

Source specification.   Address  can  be  either  a hostname,  a  network  name, or a plain IP address. The mask can be either a network mask  or  a  plain number.

3

-d, –destination [!] address[/mask]

Destination specification.

4

-j, –jump target

This  specifies  the target of the rule; i.e., what to do if the packet matches it.  The target can  be a  user-defined chain (other than the one this rule is in), one of the special  builtin  targets  which decide  the  fate  of the packet immediately, or an extension.

5

-i, –in-interface [!] [name]

Optional name of an interface via which a packet is received (for packets entering the  INPUT, FORWARD and PREROUTING chains).

6

[!]  -f, –fragment

This  means that the rule only refers to second and further fragments  of  fragmented  packets.   Since there  is  no way to tell the source or destination ports of such a  packet  (or  ICMP  type),  such  a  packet will not match any rules which specify them. When the “!” argument precedes the “-f”  flag,  the rule  will  only  match  head fragments, or unfragmented packets.

Figure 6.4 IPTABLES parameters

Beside those seen in the tables, there are additional options and extensions, you can use man utility to lists all of the options, extensions and other parameters.

Using iptables

1. Before you can use the iptables command, you must load the netfilter kernel module that provides support for it. The easiest way to do this is to use the modprobe command as follows:

 

$ modprobe ip_tables

 

  

2. in order to forward packets from one interface to another, acting as gateway, you need to set the /proc/sys/net/ipv4/ip_forward to have 1 as its value, this will enable you to forward packets from one interface to another.

You can set the value directly :

$ echo “1” >> /proc/sys/net/ipv4/ip_forward

 

 

Or you can modify the /etc/sysctl.conf file, and change the following variable:

 net.ipv4.ip_forward = 0

3. after taking care of the preliminaries, you can start to configure iptables, The general syntax of most iptables commands is:

 iptables command rule-specification extensions

 start by resetting the chain policies and removing any existing rules:

$ iptables –F INPUT$ iptables –F OUTPUT$ iptables –F FORWARD

4. you can list all rules set by using the iptables –L command:

 

$ iptables –L

5. set up the base filter policies to deny all network traffic

$ iptables –P INPUT DROP$ iptables –P OUTPUT DROP$ iptables –P FORWARD DROP 

 

6. allow all internal network traffics on the loopback interfaces:

$ iptables –A OUTPUT –j ACCEPT –o lo$ iptables –A INPUT –j ACCEPT –i lo 

 

7. configure rules for your incoming, outgoing, and forwarding packets.

Incoming packets

$ iptables –A INPUT –i eth0 –P –s $SOURCE_ADDRESS –j ACCEPT$ iptables –A INPUT –i eth1 –P –m state –state ESTABLISHED, RELATED –j ACCEPT 

 

Allow packets into internal (eth0) and external interface (eth1). The first rule above accepts all traffic from the source address (can be private LAN). The second rule examines the sate of each packet arriving at external interface, TCP packets are allowed to pass.

The –j ACCEPT parameter tells iptables to jump the ACCEPT state, which allow any packet that match the rule we specify.

The –m state option informs iptables to use the state checking module.

The –state ESTABLISHED, RELATED parameter specifies what state are to be checked. Where state is a comma separated list of the connection states to match. Possible states are INVALID meaning that the packet is associated with no known connection, ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions, NEW meaning that the packet has started a new connection, or  otherwise associated with a connection which has not seen packets in both  directions,  and  RELATED  meaning  that  the packet  is  starting  a  new  connection, but is associated with an existing connection, such as an  FTP  data  transfer, or  an ICMP error.

Outgoing packet

$ iptables –A OUTPUT –j ACCEPT –o eth1 –p tcp –m state –state ESTABLISHED, NEW

 

this will allow any packets ( no source or destination addresses specified, will allow all addresses as default) leaving the external interface.

Forwarding packets

$ iptables –A FORWARD –i eth0 –j ACCEPT$ iptables –A FORWARD –i  eth1 –m state –state ESTABLISHED,RELATED    –j ACCEPT 

 

the first rule accepts all packets from private interface (eth0), then forward them to the external interface (eth1) if they belong to existing connection.

Exercises:

 

Let’s suppose that we have a network in our organization and that we are using a Linux-based firewall machine to allow our users to be able to access WWW servers on the Internet, but to allow no other traffic to be passed.

If our network has a 24-bit network mask (class C) and has an address of 172.100.16.0, then we’d use the following iptables rules:

 $ iptables -F FORWARD
$ iptables -P FORWARD DROP
$ iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d 172.100.16..0/24   --syn -j DROP
$ iptables -A FORWARD -m tcp -p tcp -s 172.100.16.0/24 --sport     80 -d 0/0 -j ACCEPT
$ iptables -A FORWARD -m tcp -p tcp -d 172.100.16.0/24 --dport 80 -s 0/0 -j  ACCEPT
 

The first of the commands flushes all of the rules from the forward rule sets and the second set of commands sets the default policy of the forward rule set to DROP. Finally, the third and fourth commands do the specific filtering we want. The fourth command allows datagram to and from web servers on the outside of our network to pass.

So how do you use iptables  If you  want to add rules that allowed passive mode only access to FTP servers in the outside network? Discuss it.

  

 

 

 

Building a firewall

Using iptables you can filter packets passing through your interfaces. But before setting the rules, you should first do some preliminaries tasks, loading iptables modules are required, so as your firewall can work well, you should load the modules and recompile your kernel to this purpose.

The Linux kernel must be configured to support IP firewalling. There isn’t much more to it than selecting the appropriate options when performing a make menuconfig of your kernel. Go to your /usr/src/linux directory where your kernel-souce resides. Then type the menuconfig command :

 

$ cd /usr/src/linux$ make menuconfig 

 

In 2.2 kernels you should select the following options:

Networking options  —>        [*] Network firewalls        [*] TCP/IP networking        [*] IP: firewalling        [*] IP: firewall packet logging

Firewall packet logging is a special feature that writes a line of information about each datagram that matches a particular firewall rule out to a special device so you can see them.

In kernels 2.4.0 and later you should select this option instead:

  Networking options  —>     [*] Network packet filtering (replaces ipchains)         IP: Netfilter Configuration  —>              .             <M> Userspace queueing via NETLINK (EXPERIMENTAL)             <M> IP tables support (required for filtering/masq/NAT)             <M>   limit match support             <M>   MAC address match support             <M>   netfilter MARK match support             <M>   Multiple port match support             <M>   TOS match support             <M>   Connection state match support             <M>   Unclean match support (EXPERIMENTAL)             <M>   Owner match support (EXPERIMENTAL)             <M>   Packet filtering             <M>     REJECT target support             <M>     MIRROR target support (EXPERIMENTAL)              .             <M>   Packet mangling             <M>     TOS target support             <M>     MARK target support             <M>   LOG target support             <M> ipchains (2.2-style) support                  <M> ipfwadm (2.0-style) support 

the changes you made to your kernel will not change until you recompile the kernel. Use make dep first to check dependencies, then type make all to recompile the kernel

 

$ make dep$ make all

Before executing rules, you should also load some iptables modules, you use the modprobe command to load the modules. Below are the example:

 

$ /sbin/modprobe ip_tables
$ /sbin/modprobe ip_conntrack
$ /sbin/modprobe iptable_filter
$ /sbin/modprobe iptable_mangle
$ /sbin/modprobe iptable_nat
$ /sbin/modprobe ipt_LOG
$ /sbin/modprobe ipt_limit
$ /sbin/modprobe ipt_state
 

  

now you are ready to build your own rulesets for firewalling. You can use the built in chains that come with the iptables, or build your own chains. See the example of using your own chains.

Example

1. list all chains and rules of your netfilter/ iptables :

 

   $ iptables –L

Chain INPUT (policy ACCEPT)

target     prot opt source   destination        

 

Chain FORWARD (policy ACCEPT)

target     prot opt source   destination        

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source   destination   

 

  

you should see the results of your command like shown above, there’s no rulesets nor user defined chains. well we are going to build new chains then.

2. create a chain named  PRIV_LAN to handle traffic arriving from the private network. This chain passes return packets of existing connections, incoming TELNET packet addressed to the firewall, and FTP, SSH, HTTP, and SMTP packets destined to internet :

$ iptables –N PRIV_LAN 

 

this will create a new chain named PRIV_LAN, and the following commands are the rules to suits our needs for firewall.

 

$ iptables –A PRIV_LAN –m state –state ESTABLISHED,RELATED –j ACCEPT$  iptables –A PRIV_LAN –p TCP –s $PRIV –dport 23 –d 172.100.16.1 –j ACCEPT$ iptables –A PRIV_LAN –p TCP –d 0/0 –dport 20 –j ACCEPT$ iptables –A PRIV_LAN –p TCP –d 0/0 –dport 21 –j ACCEPT$ iptables –A PRIV_LAN –p TCP –d 0/0 –dport 22 –j ACCEPT$ iptables –A PRIV_LAN –p TCP –d 0/0 –dport 80 –j ACCEPT$ iptables –A PRIV_LAN –p TCP –d 0/0 –dport 25 –j ACCEPT 

3. configure the INPUT chain to direct packets to the custom PRIV_LAN chains.

 

$ iptables –A INPUT –I eth0 –j PRIV_LAN 

now you can test the filtering you have made from private networks.

  

Automating Firewall

You can build your firewall rules by writing the rules on a file, to create a firewall script, so it is no need for you to execute the command one by one, because when your Linux server boot, then the rules you had defined in your firewall will lost.

Below are the example of firewall script, if you intend to run this script at boot time, you can put it in /etc/rc.d/ directory, or anywhere else, then edit your /etc/rc.d/rc.local files, and add a new line to execute the script.

 

#!/bin/sh#LAN_IP=”192.168.0.1″LAN_BCAST_ADRESS=”192.168.0.255″LAN_IFACE=”eth2″ INET_IP=”aaa.bbb.ccc.ddd”INET_IFACE=”eth0″ DMZ_IP=”192.168.255.1″DMZ_IFACE=”eth1″ HTTP_IP=”aaa.bbb.ccc.169″ DMZ_HTTP_IP=”192.168.255.102″ LO_IP=”127.0.0.1″LO_IFACE=”lo” IPTABLES=”/sbin/iptables” ############################################# Load all required IPTables modules# ## Needed to initially load modules# /sbin/depmod -a ## Adds some iptables targets like LOG, REJECT and MASQUARADE.# /sbin/modprobe ipt_LOG/sbin/modprobe ipt_MASQUERADE ## Support for connection tracking of FTP and IRC.##/sbin/insmod ip_nat_irc#/sbin/modprobe ip_conntrack_irc/sbin/insmod ip_nat_ftp/sbin/insmod ip_conntrack_ftp #CRITICAL:  Enable IP forwarding since it is disabled by default.# echo “1” > /proc/sys/net/ipv4/ip_forward ## Dynamic IP users:##echo “1” > /proc/sys/net/ipv4/ip_dynaddr ############################################# Chain Policies gets set up before any bad packets gets through# $IPTABLES -P INPUT DROP$IPTABLES -P OUTPUT DROP$IPTABLES -P FORWARD DROP ## the allowed chain for TCP connections, utilized in the FORWARD chain# $IPTABLES -N allowed$IPTABLES -A allowed -p TCP –syn -j ACCEPT$IPTABLES -A allowed -p TCP -m state –state ESTABLISHED,RELATED -j ACCEPT$IPTABLES -A allowed -p TCP -j DROP ## ICMP rules, utilized in the FORWARD chain#  $IPTABLES -N icmp_packets # Changed rules totally$IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 8 -j ACCEPT$IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 11 -j ACCEPT ## bad_tcp_packets chain## Take care of bad TCP packets that we don’t want.# $IPTABLES -N bad_tcp_packets$IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j LOG –log-prefix “New not syn:”$IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j DROP ## Do some checks for obviously spoofed IP’s# $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP ############################################ POSTROUTING chain in the nat table## Enable IP SNAT for all internal networks trying to get out on the Internet# $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT –to-source $INET_IP   ############################################ PREROUTING chain in the nat table## Enable IP Destination NAT for DMZ zone# $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP –dport 80 -j DNAT –to-destination $DMZ_HTTP_IP$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP –dport 443 -j DNAT –to-destination $DMZ_HTTP_IP ############################################# FORWARD chain### Bad TCP packets we don’t want# $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets  ## DMZ section## General rules# $IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state –state ESTABLISHED,RELATED -j ACCEPT$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT ## HTTP server# $IPTABLES -A FORWARD -p TCP  -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP –dport 80 -j allowed$IPTABLES -A FORWARD -p TCP  -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP –dport 443 -j allowed$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP -j icmp_packets ## LAN section# $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT$IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT ## LOG all packets reaching here# $IPTABLES -A FORWARD -m limit –limit 3/minute –limit-burst 3 -j LOG –log-level DEBUG –log-prefix “IPT FORWARD packetdied: “  ############################################################# Firewall rules# Rules applying to the firewall box### INPUT chain## Bad TCP packets we don’t want# $IPTABLES -A INPUT -p tcp -j bad_tcp_packets ## Packets from the Internet to this box# $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets ## Packets from LAN, DMZ or LOCALHOST# # From DMZ Interface to DMZ firewall IP$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT # From LAN Interface to LAN firewall IP$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT # From Localhost interface to Localhost IP$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT # All established and related packets incoming from the internet to the# firewall$IPTABLES -A INPUT -p ALL -d $INET_IP -m state –state ESTABLISHED,RELATED -j ACCEPT # Logging rule$IPTABLES -A INPUT -m limit –limit 3/minute –limit-burst 3 -j LOG –log-level DEBUG –log-prefix “IPT INPUT packetdied: “ ############################################################# OUTPUT chain### Bad TCP packets we don’t want# $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets ## Allow ourself to send packets not spoofed everywhere# $IPTABLES -A OUTPUT -p ALL -o $LO_IFACE   -s $LO_IP   -j ACCEPT$IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE  -s $LAN_IP  -j ACCEPT$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT ## Logging rule# $IPTABLES -A OUTPUT -m limit –limit 3/minute –limit-burst 3 -j LOG –log-level DEBUG –log-prefix “IPT OUTPUT packetdied: “  

you can put this script on /usr/local/bin/ directory, you named the script as rc.firewall. then give it execute permission, and add in your /etc/rc.local file to execute this script at boot time:

$ cd /usr/local/bin$ chmod 755 rc.firewall$ cd /etc/rc.d$ vi rc.local 

open the rc.local file, and add the following line :

 

/usr/local/bin/rc.firewall 

reboot your computer, and after the computer start, you can use the iptables –L to lists all rules set to your kernel. And start to test the filtering rules.

 

NAT with iptables

As  described earlier, that NAT is used to translate Private IP Addresses to one or several IP Addresses used at external interfaces. Remember before setting up the NAT, you should firstly load the iptables_nat.o or ipt_MASQUERADE.o module.

$ /sbin/modprobe iptable_nat$ /sbin/modprobe ipt_MASQUERADE

 

Masquerading is the simplest way to build a NAT translation with iptables.

 

$ iptables -t nat -A POSTROUTING -s 172.100.16.0/24 -j MASQUERADE 

this command will make a simple Network address translation for 172.100.16.0/24 as your private network address. So any packets comes from 172.100.16.0/24 will be routed to its destined address, but the originating address will be translated to External interface IP Address where the packets are about to send.

Below are the same example:

 

$ iptables –t nat –A POSTROUTING –o eth1 –j SNAT –to 202.158.30.1  

in this rules, we use nat table, specify the external interface to be eth1, and –j SNAT option sets the network address translation to act on the source address and the –to 202.158.30.1 changes the source address of each packet to 202.158.30.1.

here with the similar command, you can put several nat rules, if you have some IP Addresses at the external interface, then you can set rules for multiple translation, for example you have two private network addresses, 172.100.16.0/24 and 192.168.100.0/24, then you use the following command to separate NAT translation between the two private networks.

 

$ iptables –t nat –A POSTROUTING –s 172.100.16.0/24 –o eth1 –j SNAT –to 202.158.30.1 

this will do a translation of  network address of 172.100.16.0/24 to 202.158.30.1

 

$ iptables –t nat –A POSTROUTING –s 192.168.100.0/24 –o eth1 –j SNAT –to 202.158.30.2 

and this command will do a translation of e network address of 192.168.100.0/24 to 202.158.30.2.

    

One thought on “Linux Firewall

    undangan online said:
    February 16, 2015 at 2:53 am

    I know this web site offers quality based posts and
    other material, is there any other web site which gives these things
    in quality?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s