
Difference between revisions of "Iptables"

From NetSec
(formalized.)
Line 1: Line 1:
 
{{cleanup}}
 
{{cleanup}}
 
{{wrongPerson}}
 
  
 
==iptables==
 
==iptables==
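Review bot: the {{wrongPerson}} template is dropped on the new side of this hunk, but second person survives further down in the same revision ("You can select the type of traffic rejection using '''--reject-with'''" in the Introduction, and "'''-A''' for the chain you want to add it to"); either keep the template until those sentences are rewritten or fix them in this edit.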
Line 7: Line 5:
  
 
===1.0 - Introduction===
 
===1.0 - Introduction===
By default, IPtables have 3 traffic chains, these chains are INPUT, OUTPUT and FORWARD. You can view these chains by typing, ''iptables -nL'', as root. This will also show you all of your firewall rules. Now, when adding a firewall you can either use INSERT or APPEND.
+
By default, IPtables have 3 traffic chains, these chains are INPUT, OUTPUT and FORWARD. These chains can be viewed by typing, ''iptables -nL'', as root. This will also show all of the firewall rules. The commands INSERT of APPEND can be used when adding to a firewall.  
  
 
* INSERT puts the rule at the BEGINNING of the chain.
 
* INSERT puts the rule at the BEGINNING of the chain.
 
* APPEND puts the rule at the END of the chain.
 
* APPEND puts the rule at the END of the chain.
  
''iptables -A INPUT ....'' - would append a rule to the INPUT chain. Additionally, each chain has a default policy, which you can access with '''-P'''.
+
''iptables -A INPUT ....'' - would append a rule to the INPUT chain. Additionally, each chain has a default policy, which can be accessed with '''-P'''.
  
 
An example of a default firewall:
 
An example of a default firewall:
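Review bot: the reworded Introduction keeps one grammar slip and adds a typo: "IPtables have 3 traffic chains" should be "has", and "The commands INSERT of APPEND can be used" should read "INSERT or APPEND". The stray comma in "typing, ''iptables -nL'', as root" can go as well.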
Line 23: Line 21:
 
  target    prot opt source              destination
 
  target    prot opt source              destination
  
Analysing this, all chains have the ACCEPT policy. To whitelist traffic, you want to give the chains DROP policies and then whitelist traffic with ACCEPT rules. There are several options that IPtables provides for reacting to traffic. These are specified with '''-j''' and can be DROP, REJECT, ACCEPT, LOG, etc.
+
Analysing this, all chains have the ACCEPT policy. To whitelist traffic, the chains need to be given DROP policies and then whitelist traffic with ACCEPT rules. There are several options that IPtables provides for reacting to traffic. These are specified with '''-j''' and can be DROP, REJECT, ACCEPT, LOG, etc.
DROP means ignore the traffic and leave it be and REJECT means to politely request that the packet be returned to sender. REJECT for the TCP protocol has addition features, using '''-p''' allows you to specify a protocol. You can select the type of traffic rejection using '''--reject-with'''.
+
DROP means ignore the traffic and leave it be and REJECT means to politely request that the packet be returned to sender. REJECT for the TCP protocol has addition features, using '''-p''' allows specification of a protocol. You can select the type of traffic rejection using '''--reject-with'''.
  
IPtables allows you to selectively block ports by matching strings or headers. It's a stateful firewall, meaning you can block any packets containing a string, useful for some types of DDoS attacks as you can drop all the traffic with a particular HTTP user-agent or going to a particular URL. You don't want to use REJECT if there is a chance of being DDoS'd as you really just want to DROP the traffic. During a DDoS, REJECT will cause your outbound pipe to be spammed with TCP resets if the traffic isn't dropped.  Using REJECT can in clogging of both inbound and outbound pipes during a DDoS and result in server hell.
+
IPtables allows ports to be selectively blocked by matching strings or headers. It's a stateful firewall, meaning packets can be blocked containing a string, useful for some types of DDoS attacks as all the traffic with a particular HTTP user-agent or going to a particular URL can be dropped. REJECT should not be used if there is a chance of being DDoS'd as the traffic should just be DROP(ed). During a DDoS, REJECT will cause the outbound pipe to be spammed with TCP resets if the traffic isn't dropped.  Using REJECT can induce clogging of both inbound and outbound pipes during a DDoS and result in server hell.
  
 
===1.1 - Example===
 
===1.1 - Example===
 
  iptables -I INPUT -p tcp -s 10.0.0.3 -j REJECT --reject-with icmp-host-unreachable
 
  iptables -I INPUT -p tcp -s 10.0.0.3 -j REJECT --reject-with icmp-host-unreachable
The '''-s''' switch is the source flag specifying the source IP address. Remember: During a DDoS attack you might want to drop some traffic instead.
+
The '''-s''' switch is the source flag specifying the source IP address. Remember: During a DDoS attack traffic should be dropped instead.
  
 
===1.2 - Side Note - IPtables Module===
 
===1.2 - Side Note - IPtables Module===
As a side note, you need the IPtables modules in your kernel:
+
As a side note, the IPtables modules is needed in the kernel:
 
  ip_tables
 
  ip_tables
 
  ipt_REJECT
 
  ipt_REJECT
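Review bot: the rewrite carries over "It's a stateful firewall, meaning packets can be blocked containing a string", which conflates two unrelated features: stateful filtering is connection tracking (the ipt_state match listed in 1.2), while blocking on a string is the separate ipt_string match also named in 1.2. Suggest splitting it, e.g. "It is a stateful firewall. It can also block packets containing a given string, which is useful ...". Minor: "addition features" should be "additional features", and "DROP(ed)" reads better as "dropped".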
Line 48: Line 46:
 
These modules would be a useful starting point, remember to modprobe them unless they are built into kernel.
 
These modules would be a useful starting point, remember to modprobe them unless they are built into kernel.
  
Using this, you can then make IPtables run string matches with ''ipt_string'' and QoS with ''ipt_conntrack''. IPtables has a ton of modules so your mileage depends on how deep you search.
+
Using this, IPtables can be made to run string matches with ''ipt_string'' and QoS with ''ipt_conntrack''. IPtables has a ton of modules so mileage depends on the depth of the search.
  
Pre-warning: One wrong move with IPtables can result in dropping all traffic to/from the box so it is suggested to make a script with a 5 minute timeout to restore your IPtables config to it's previous state before making any changes. This will ensure that you can test the configuration and always have a chance of recovery.
+
Pre-warning: One wrong move with IPtables can result in dropping all traffic to/from the box so it is suggested to make a script with a 5 minute timeout to restore the IPtables config to it's previous state before making any changes. This will ensure that configuration can be tested and in the event of failure, always have a chance of recovery.
  
If you wanted to whitelist traffic on a webserver, you would run:
+
If whitelisting traffic on a webserver is desired, the following would be run:
 
  iptables -P INPUT DROP
 
  iptables -P INPUT DROP
 
  iptables -P OUTPUT DROP
 
  iptables -P OUTPUT DROP
 
  iptables -I INPUT -j ACCEPT -p tcp --dport 80
 
  iptables -I INPUT -j ACCEPT -p tcp --dport 80
 
  iptables -I INPUT -j ACCEPT -p tcp --sport 80
 
  iptables -I INPUT -j ACCEPT -p tcp --sport 80
Now obviously, you will only want to do this if you have physical access to the machine, otherwise you will be locked out of the machine as SSH packets will be dropped. In a configuration like this, you need to whitelist port 22 for SSH as well as any other ports required for day to day server usage.
+
This should only be done if physical access is available to the machine, otherwise the machine will prevent external access as SSH packets will be dropped. In a configuration like this, port 22 for SSH will need to be whitelisted as well as any other ports required for day to day server usage.
  
The '''-p''' flag of IPtables designates protocol, options are: ''tcp'', ''udp'', ''icmp'', or ''all''. When using the '''-p''' flag, you can then use two additional arguments: '''--sport''' and '''--dport''', source port and destination port respectively. You cannot use '''--sport''' or '''--dport''' without the '''-p''' option.
+
The '''-p''' flag of IPtables designates protocol, options are: ''tcp'', ''udp'', ''icmp'', or ''all''. When using the '''-p''' flag, two additional arguments can be used: '''--sport''' and '''--dport''', source port and destination port respectively. '''--sport''' or '''--dport''' cannot be used without the '''-p''' option.
  
 
'''-i''' specifies which interface to apply the rule to.
 
'''-i''' specifies which interface to apply the rule to.
  
'''-A''' for the chain you want to add it to. ''INPUT'' for ingress traffic (ie. from an external source), and ''OUTPUT'' for traffic going out, (ie egress.) ''FORWARD'' for traffic routed through your machine.
+
'''-A''' for the chain you want to add it to. ''INPUT'' for ingress traffic (ie. from an external source), and ''OUTPUT'' for traffic going out, (ie egress.) ''FORWARD'' for traffic routed through the machine.
  
FORWARD rules are complex and frustrating, with dozens of better solutions but IPtables is a nice, lightweight and scalable method. Writing the rules are more difficult for routing, if you aren't going to be forwarding any traffic, "iptables -P FORWARD DROP" is the way to go.
+
FORWARD rules are complex and frustrating, with dozens of better solutions but IPtables is a nice, lightweight and scalable method. Writing the rules are more difficult for routing, if traffic isn't going to be forwarded, "iptables -P FORWARD DROP" is the command to use.
  
You can use IPtables to build a router, using your box as a router or gateway, kind of like a Linksys but with a Linux machine. Similar to connecting the box to the Internet and having a switch behind it. Additionally, it would become a router because it would route the packets through to the internal network. IPtables is firewall software and also supports CIDR notation. CIDR notation is a simplified method of representing classless subnet masks (ie. /26 as opposed to 255.255.255.192.) This allows you to have a very large range of networks inside of a 10.* (or 10.0.0.0/8) subnet, making routing a little easier. There are 32 bits in an IP address, and you specify how many significant bits there are in the network (4 bytes total for the IP address, let's it be held in a CPU register).
+
IPtables can be used to build a router, using a box as a router or gateway, kind of like a Linksys but with a Linux machine. Similar to connecting the box to the Internet and having a switch behind it. Additionally, it would become a router because it would route the packets through to the internal network. IPtables is firewall software and also supports CIDR notation. CIDR notation is a simplified method of representing classless subnet masks (ie. /26 as opposed to 255.255.255.192.) This allows very large range of networks inside of a 10.* (or 10.0.0.0/8) subnet to exist, making routing easier. There are 32 bits in an IP address, and the number of significant bits there are in the network can be specified (4 bytes total for the IP address, let's it be held in a CPU register).
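Review bot: the webserver whitelist in this hunk sets "iptables -P OUTPUT DROP" but adds ACCEPT rules only to INPUT, so the server's own replies (packets leaving with source port 80) are dropped and the site stays unreachable even with port 80 open inbound; the "--sport 80" rule is on INPUT, where it matches inbound packets coming from port 80, not outgoing replies. Add an OUTPUT rule (for example "iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT", or an ESTABLISHED,RELATED state match in both directions) next to the port-22 rule the following paragraph asks for. Also in this hunk: "QoS with ''ipt_conntrack''" is misleading since conntrack provides connection tracking rather than QoS; "it's previous state" should be "its"; "Writing the rules are more difficult" should be "is"; "let's it be held" should be "letting it be held".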

Revision as of 01:56, 15 May 2012

iptables

iptables is software that filters packets in the kernel's network stack.

1.0 - Introduction

By default, iptables has 3 traffic chains: INPUT, OUTPUT and FORWARD. These chains can be viewed by typing iptables -nL as root, which also shows all of the firewall rules. Either INSERT or APPEND can be used when adding a rule to a chain.

  • INSERT puts the rule at the BEGINNING of the chain.
  • APPEND puts the rule at the END of the chain.

iptables -A INPUT .... - would append a rule to the INPUT chain. Additionally, each chain has a default policy, which is set with -P.

An example of a default firewall:

root ~ # iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Analysing this, all chains have the ACCEPT policy. To whitelist traffic, the chains need to be given DROP policies, and the wanted traffic is then allowed with ACCEPT rules. iptables provides several targets for reacting to traffic; these are specified with -j and include DROP, REJECT, ACCEPT and LOG. DROP means ignore the traffic and leave it be, and REJECT means to politely notify the sender that the packet was refused. REJECT for the TCP protocol has additional features: -p specifies the protocol, and --reject-with selects the type of rejection.

iptables allows ports to be selectively blocked by matching strings or headers. It's a stateful firewall, and packets containing a given string can also be blocked, which is useful for some types of DDoS attack, as all the traffic with a particular HTTP user-agent or going to a particular URL can be dropped. REJECT should not be used if there is a chance of being DDoS'd; the traffic should simply be dropped. During a DDoS, REJECT will cause the outbound pipe to be spammed with TCP resets if the traffic isn't dropped, clogging both inbound and outbound pipes and resulting in server hell.

1.1 - Example

iptables -I INPUT -p tcp -s 10.0.0.3 -j REJECT --reject-with icmp-host-unreachable

The -s switch is the source flag, specifying the source IP address. Remember: during a DDoS attack, traffic should be dropped instead.

1.2 - Side Note - IPtables Module

As a side note, the iptables modules are needed in the kernel:

ip_tables
ipt_REJECT
ipt_tos
ipt_limit
ipt_multiport
iptable_filter
iptable_mangle
ipt_TCPMSS
ipt_tcpmss
ipt_ttl
ipt_length
ipt_state 

These modules are a useful starting point; remember to modprobe them unless they are built into the kernel.

Using these, iptables can be made to run string matches with ipt_string and QoS with ipt_conntrack. iptables has a ton of modules, so mileage depends on how deep the search goes.

Pre-warning: one wrong move with iptables can drop all traffic to/from the box, so before making any changes it is suggested to set up a script with a 5 minute timeout that restores the iptables config to its previous state. This ensures that the configuration can be tested and that, in the event of failure, there is always a chance of recovery.

To whitelist traffic on a webserver, the following would be run:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -I INPUT -j ACCEPT -p tcp --dport 80
iptables -I INPUT -j ACCEPT -p tcp --sport 80

This should only be done with physical access to the machine; otherwise external access is cut off, as SSH packets will be dropped. In a configuration like this, port 22 for SSH needs to be whitelisted, as well as any other ports required for day-to-day server usage.
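The two pieces of advice above, the DROP-policy whitelist and the timed rollback, combined into one script. This is an added example, not the wiki's own; it assumes iptables, iptables-save and iptables-restore are installed and that it runs as root when given --apply, and it adds an OUTPUT rule for established connections so that the server's replies are not caught by the OUTPUT DROP policy.

```shell
#!/bin/sh
# Added example, not from the wiki page: the page's DROP-policy web-server
# whitelist built so that replies still leave the box, wrapped in the 5-minute
# rollback the page recommends. Assumptions: iptables, iptables-save and
# iptables-restore are installed and this runs as root when --apply is given.
SSH_PORT=${SSH_PORT:-22}
WEB_PORT=${WEB_PORT:-80}
BACKUP=${BACKUP:-/tmp/iptables.rollback}   # where the current rules are saved
TIMEOUT=${TIMEOUT:-300}                    # seconds until they are restored

# Print the rule set, one iptables command per line. ACCEPT rules go in before
# the policies flip to DROP, and the ESTABLISHED,RELATED rule on OUTPUT is what
# lets replies to accepted connections leave once OUTPUT defaults to DROP.
build_whitelist_rules() {
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $WEB_PORT -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
EOF
}

# Save the live rules, start a background timer that restores them, then apply
# the new set. If the new rules lock the operator out, the timer undoes them.
apply_with_rollback() {
    iptables-save > "$BACKUP" || return 1
    ( sleep "$TIMEOUT" && iptables-restore < "$BACKUP" ) &
    timer_pid=$!
    build_whitelist_rules | sh -e
    echo "Applied. If SSH still works, cancel the rollback with: kill $timer_pid"
    echo "Otherwise the saved rules come back in $TIMEOUT seconds."
}

case "${1:-}" in
    --apply) apply_with_rollback ;;
    *)       build_whitelist_rules ;;   # default: print the plan only
esac
```

With OUTPUT defaulting to DROP the box can answer connections but not start new ones, so anything it must reach out to (DNS, package updates) needs its own OUTPUT ACCEPT rule.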

The -p flag of iptables designates the protocol; options are tcp, udp, icmp or all. When -p is given, two additional arguments can be used: --sport and --dport, the source port and destination port respectively. --sport and --dport cannot be used without the -p option.

-i specifies which interface to apply the rule to.

-A names the chain to append the rule to: INPUT for ingress traffic (i.e. from an external source), OUTPUT for traffic going out (i.e. egress), and FORWARD for traffic routed through the machine.

FORWARD rules are complex and frustrating, and there are dozens of better solutions, but iptables is a nice, lightweight and scalable method. Writing the rules for routing is more difficult; if no traffic is going to be forwarded, "iptables -P FORWARD DROP" is the command to use.

iptables can be used to build a router, turning a box into a router or gateway, kind of like a Linksys but with a Linux machine: the box connects to the Internet with a switch behind it, and it becomes a router because it routes the packets through to the internal network. iptables is firewall software and also supports CIDR notation. CIDR notation is a simplified method of representing classless subnet masks (i.e. /26 as opposed to 255.255.255.192). This allows a very large range of networks to exist inside a 10.* (or 10.0.0.0/8) subnet, making routing easier. There are 32 bits in an IP address, and the prefix length specifies how many of the leading bits identify the network (4 bytes total for the IP address, letting it be held in a CPU register).