
Iptables

From NetSec

iptables

iptables is the tool used to configure packet filtering in the Linux kernel's network stack.

Introduction

By default, iptables has three built-in traffic chains: INPUT, OUTPUT and FORWARD. These chains, together with all of the current firewall rules, can be viewed by running iptables -nL as root. Rules are added to a chain with either INSERT (-I) or APPEND (-A).

  • INSERT puts the rule at the BEGINNING of the chain.
  • APPEND puts the rule at the END of the chain.

iptables -A INPUT .... would append a rule to the INPUT chain. Additionally, each chain has a default policy, which is set with -P.

An example of a default firewall:

root ~ # iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Looking at this output, all chains have the ACCEPT policy. To whitelist traffic, the chains need to be given DROP policies and the wanted traffic then allowed with ACCEPT rules. iptables provides several targets for reacting to traffic. These are specified with -j and can be DROP, REJECT, ACCEPT, LOG, etc. DROP silently discards the packet with no response at all; REJECT discards it but also sends an error back to the sender. REJECT has additional options for the TCP protocol: -p selects the protocol, and the kind of rejection sent back can be chosen with --reject-with.

iptables allows traffic to be selectively blocked by matching strings or headers. It is a stateful firewall, and packets containing a given string can be blocked, which is useful for some types of DDoS attacks because all of the traffic with a particular HTTP user-agent or going to a particular URL can be dropped. REJECT should not be used if there is a chance of being DDoS'd; the traffic should simply be DROPped. During a DDoS, REJECT causes the outbound pipe to be flooded with TCP resets for every packet that is not dropped. Using REJECT can therefore clog both the inbound and the outbound pipes during a DDoS and result in server hell.

Example

 iptables -I INPUT -p tcp -s 10.0.0.3 -j REJECT --reject-with icmp-host-unreachable

The -s switch is the source flag, specifying the source IP address. Remember that during a DDoS attack the traffic should be dropped instead:

 iptables -I INPUT -s 10.0.0.3 -j DROP

IPtables Module

As a side note, the following iptables modules need to be available in the kernel:

ip_tables
ipt_REJECT
ipt_tos
ipt_limit
ipt_multiport
iptable_filter
iptable_mangle
ipt_TCPMSS
ipt_tcpmss
ipt_ttl
ipt_length
ipt_state

These modules are a useful starting point; remember to modprobe them unless they are built into the kernel.

With the right modules loaded, iptables can be made to run string matches with ipt_string and QoS with ipt_conntrack. iptables has a great many modules, so what is possible depends on how deeply you search.

Pre-warning: One wrong move with iptables can drop all traffic to and from the box, so before making any changes it is suggested to make a script with a 5 minute timeout that restores the iptables configuration to its previous state. This ensures that a configuration can be tested and that, in the event of failure, there is always a chance of recovery.
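A concrete form of that safety net, added here as an example and not taken from the original page: snapshot the live ruleset, start a timer that restores it after the timeout, apply the new rules, and cancel the timer only once a fresh SSH connection proves the box is still reachable. It assumes iptables-save and iptables-restore are installed and that the script runs as root; the variables can be overridden for testing.

```shell
#!/bin/sh
# Added example: automatic rollback for risky iptables changes.
# Defaults are assumptions (paths, 300 s timeout); override via the environment.
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
BACKUP="${BACKUP:-/root/iptables.backup}"
TIMEOUT="${TIMEOUT:-300}"   # seconds until the old ruleset is put back

# Save the current ruleset so it can be restored verbatim.
snapshot_rules() {
    "$IPT_SAVE" > "$BACKUP" || return 1
    echo "saved current ruleset to $BACKUP"
}

# Start a background timer; if it is still running when the timeout expires
# it restores the saved ruleset. Prints the timer's PID for cancel_rollback.
# stdout/stderr are redirected so callers using $(...) do not hang on the job.
schedule_rollback() {
    ( sleep "$TIMEOUT" && "$IPT_RESTORE" < "$BACKUP" ) >/dev/null 2>&1 &
    echo $!
}

# Kill the timer once you have confirmed (e.g. with a new SSH login) that the
# new rules did not lock you out. Killing the waiting subshell means the
# restore command inside it is never executed.
cancel_rollback() {
    kill "$1" 2>/dev/null
}

# Intended usage (not run automatically):
#   snapshot_rules && TIMER=$(schedule_rollback)
#   ... apply the new rules with iptables or iptables-restore ...
#   # open a NEW ssh session to the box; if it works:
#   cancel_rollback "$TIMER"
```

If the new connection fails, do nothing: the timer restores the saved ruleset when it expires.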

If whitelisting traffic on a webserver is desired, the following would be run (the INPUT rule admits requests to port 80, and the OUTPUT rule lets the replies from port 80 back out; with an OUTPUT policy of DROP and no OUTPUT rule, the server's own replies would be discarded):

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT -p tcp --sport 80 -j ACCEPT

This should only be done with physical access to the machine; otherwise SSH packets will be dropped and external access will be lost. In a configuration like this, port 22 for SSH will need to be whitelisted, as well as any other ports required for day-to-day server usage.
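A fuller version of that webserver whitelist, added here as an example rather than taken from the page. It goes a little beyond the rules above: it emits a complete ruleset in iptables-restore format (so it is applied atomically rather than one command at a time), keeps SSH reachable from an assumed admin network before any other rule, allows loopback, and uses connection tracking instead of matching replies by source port. The admin network, SSH port and the need for outbound DNS are assumptions.

```shell
#!/bin/sh
# Added example: build a web-server whitelist ruleset for iptables-restore.
# Usage: build_webserver_rules 203.0.113.0/24 22 | iptables-restore
build_webserver_rules() {
    admin_net="${1:?admin network in CIDR notation required}"
    ssh_port="${2:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is needed by many local services
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets belonging to connections already accepted, in either direction
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# management access first, only from the admin network (assumed value)
-A INPUT -p tcp -s $admin_net --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# the web service itself
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# outbound DNS so the box can resolve names (assumed to be needed)
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
COMMIT
EOF
}
```

Lines starting with # are ignored by iptables-restore, so the comments can stay in the generated file.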

The -p flag of IPtables designates protocol, options are: tcp, udp, icmp, or all. When using the -p flag, two additional arguments can be used: --sport and --dport, source port and destination port respectively. --sport or --dport cannot be used without the -p option.

-i specifies the interface on which a packet must arrive for the rule to apply.

-A selects the chain the rule is added to: INPUT for ingress traffic (i.e. arriving from an external source), OUTPUT for egress traffic leaving the machine, and FORWARD for traffic routed through the machine.

FORWARD rules are complex and frustrating, and there are dozens of other solutions, but iptables is a nice, lightweight and scalable method. Rules for routing are harder to write; if traffic is not going to be forwarded at all, "iptables -P FORWARD DROP" is the command to use.

iptables can be used to build a router, using a Linux box as a router or gateway, much like a Linksys. Picture the box connected to the Internet with a switch behind it: it becomes a router because it routes packets through to the internal network. iptables is firewall software and also supports CIDR notation. CIDR notation is a simplified way of representing classless subnet masks (e.g. /26 as opposed to 255.255.255.192). This allows a very large range of networks to exist inside a 10.* (or 10.0.0.0/8) subnet, making routing easier. There are 32 bits in an IP address, and the prefix length specifies how many of them are significant for the network (the 4-byte address fits in a CPU register).
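A minimal ruleset for the "Linux box as a Linksys" gateway described above, added here as an example and not from the original page. It uses the nat table for masquerading, which the text does not mention but which such a gateway needs, and only forwards new connections from the LAN side. The interface names and the LAN network in CIDR notation are arguments, and IP forwarding must separately be switched on in the kernel (sysctl -w net.ipv4.ip_forward=1), which is outside iptables itself.

```shell
#!/bin/sh
# Added example: build a LAN-to-Internet gateway ruleset for iptables-restore.
# Usage: build_router_rules eth1 eth0 192.168.1.0/24 | iptables-restore
build_router_rules() {
    lan_if="${1:?LAN interface required}"
    wan_if="${2:?WAN interface required}"
    lan_net="${3:?LAN network in CIDR notation required}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# rewrite the source of LAN traffic leaving on the WAN side to the gateway's own address
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
# INPUT is left ACCEPT here to keep the focus on forwarding; harden it as in the
# webserver whitelist above before exposing the gateway to the Internet.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# only forward traffic that arrives on the LAN interface with a LAN source address
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# replies from the Internet back to LAN hosts, but never new inbound connections
-A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}
```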
