Difference between revisions of "Iptables"
Revision as of 06:24, 9 May 2012
iptables
iptables is software that filters packets in the kernel's network stack.
1.0 - Introduction
By default, iptables has three chains for traffic: INPUT, OUTPUT and FORWARD. You can view these chains, together with all of your firewall rules, by running iptables -nL as root. When adding a rule you can either INSERT or APPEND it.
- INSERT puts the rule at the BEGINNING of the chain.
- APPEND puts the rule at the END of the chain.
iptables -A INPUT ... would append a rule to the INPUT chain. Additionally, each chain has a default policy, which you can set with -P.
An example of a default firewall:
root ~ # iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Looking at this, all chains have the ACCEPT policy. To whitelist traffic, you give the chains DROP policies and then whitelist the traffic you want with ACCEPT rules. iptables provides several targets for reacting to traffic. These are specified with -j and can be DROP, REJECT, ACCEPT, LOG, etc. DROP silently discards the traffic, while REJECT discards it and sends an error reply back to the sender. REJECT has additional features for the TCP protocol; -p allows you to specify a protocol, and --reject-with selects the type of rejection.
iptables allows you to selectively block traffic by matching strings or headers. It is a stateful firewall, and with string matching you can block any packet containing a given string, which is useful against some types of DDoS attack since you can drop all traffic with a particular HTTP user-agent or going to a particular URL. You don't want to use REJECT if there is a chance of being DDoS'd; you really just want to DROP the traffic. During a DDoS, REJECT will cause your outbound pipe to be spammed with TCP resets if the traffic isn't dropped. Using REJECT can result in clogging of both the inbound and outbound pipes during a DDoS and result in server hell.
1.1 - Example
iptables -I INPUT -p tcp -s 10.0.0.3 -j REJECT --reject-with icmp-host-unreachable
The -s switch specifies the source IP address. Remember: during a DDoS attack you might want to DROP the traffic instead.
1.2 - Side Note - IPtables Module
As a side note, you need the iptables modules in your kernel:
ip_tables ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state
These modules are a useful starting point; remember to modprobe them unless they are built into the kernel.
With these loaded, you can also have iptables run string matches with ipt_string and QoS with ipt_conntrack. iptables has a ton of modules, so your mileage depends on how deep you search.
Pre-warning: one wrong move with iptables can drop all traffic to and from the box, so before making any changes it is suggested to make a script with a 5 minute timeout that restores your iptables config to its previous state. This ensures that you can test the configuration and always have a chance of recovery.
If you wanted to whitelist traffic on a webserver, you would run:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -I INPUT -j ACCEPT -p tcp --dport 80
# replies from port 80 go through OUTPUT, whose policy is now DROP, so allow them there
iptables -I OUTPUT -j ACCEPT -p tcp --sport 80
Obviously, you will only want to do this if you have physical access to the machine; otherwise you will be locked out, as SSH packets will be dropped. In a configuration like this you need to whitelist port 22 for SSH as well as any other ports required for day-to-day server usage.
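The following script is an added example, not part of the original page: it combines the 5 minute rollback safety net from the side note above with the webserver whitelist (SSH on 22, HTTP on 80, loopback and established connections allowed). It assumes it runs as root on a box with iptables-save/iptables-restore, and the backup path is a constructed placeholder.

```shell
#!/bin/sh
# Added example: whitelist ruleset with automatic rollback.
# Assumes root and iptables-save/iptables-restore; BACKUP path is a placeholder.
BACKUP=${BACKUP:-/tmp/iptables.backup}
ROLLBACK_SECS=${ROLLBACK_SECS:-300}   # 5 minute timeout, as the page suggests

# Emit the whitelist in iptables-restore format so it can be reviewed before
# it is applied. TCP ports to allow inbound are given as arguments.
whitelist_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # loopback is needed by almost everything on the box
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # stateful part (ipt_state): let replies to accepted connections through
    # in both directions instead of listing --sport rules per service
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Count ACCEPT rules on stdin; a quick sanity check before applying a ruleset.
count_accepts() { grep -c -- '-j ACCEPT'; }

# Save the current rules and schedule their restoration in the background.
# Prints the watchdog PID; kill it once you have confirmed you still have access.
schedule_rollback() {
    iptables-save > "$BACKUP" || return 1
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$BACKUP" ) >/dev/null 2>&1 &
    echo $!
}

apply_whitelist() {
    pid=$(schedule_rollback) || return 1
    whitelist_rules "$@" | iptables-restore
    echo "Rules applied; run 'kill $pid' within $ROLLBACK_SECS s to keep them."
}

# Usage (as root): apply_whitelist 22 80
```

If you lose the SSH session, do nothing: the watchdog restores the saved rules when the timeout expires.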
The -p flag designates the protocol; the options are tcp, udp, icmp or all. When using -p you can then use two additional arguments, --sport and --dport (source port and destination port respectively). You cannot use --sport or --dport without the -p option.
-i specifies the (incoming) interface the rule applies to.
-A for the chain you want to add it to: INPUT for ingress traffic (i.e. from an external source), OUTPUT for traffic going out (i.e. egress) and FORWARD for traffic routed through your machine.
FORWARD rules are complex and frustrating, and there are dozens of other solutions, but iptables is a nice, lightweight and scalable method. Writing the rules is more difficult for routing; if you aren't going to be forwarding any traffic, "iptables -P FORWARD DROP" is the way to go.
You can use iptables to build a router, using your box as a router or gateway, kind of like a Linksys but with a Linux machine: connect the box to the Internet and put a switch behind it, and it becomes a router because it routes packets through to the internal network. iptables is firewall software and also supports CIDR notation. CIDR notation is a simplified way of representing classless subnet masks (i.e. /26 as opposed to 255.255.255.192). This allows you to have a very large range of networks inside a 10.* (or 10.0.0.0/8) subnet, making routing a little easier. There are 32 bits in an IPv4 address, and the prefix length says how many of the leading bits identify the network (4 bytes in total, which lets an address fit in a single CPU register).