Netfilter Basics (iptables) - CVALE, cvale.org/files/iptables/iptables.pdf · TJM 06-14-2005
TJM 06-14-2005
Netfilter Basics (iptables)
What is Netfilter?
● Kernel package
● Packet filtering & manipulation (mangling)
● Consists of many individual kernel modules
... and growing
Only a dozen needed for “basic” functions
Uses
● Firewall
● Routing
● Transparent proxy / cache
● Bridging
● Use policies
History
● Ported from BSD in the mid-1990s
● IPFW: ipfwadm - 2.0 kernel; ipchains - 2.2 kernel
● NETFILTER: iptables - 2.4 & 2.6 kernels
Kernel Configuration
● Implemented in 2.4 & 2.6 kernels
● Consists of many (58) individual features (kernel 2.6.11.12)
● Only a dozen modules for basic configurations
● 2.6.11.12 kernel configuration (menu path):
➢ Device Drivers ➢ Networking Support ➢ Networking Options ➢ Network Packet Filtering ➢ IP: Netfilter Configuration
Life of a Packet (filter table)

IN -> Routing
   -> addressed to this host: INPUT chain -> Local Processes -> OUTPUT chain -> OUT
   -> addressed elsewhere:    FORWARD chain -> OUT

Each chain may DROP the packet. A single packet traverses exactly one of INPUT, FORWARD or OUTPUT: a reply sent by a local process is a new packet and takes the OUTPUT path.
Life of a Packet (with the nat table)

IN -> PREROUTING (Destination NAT) -> Routing
   -> addressed to this host: INPUT chain -> Local Processes -> OUTPUT chain -> POSTROUTING (Source NAT) -> OUT
   -> addressed elsewhere:    FORWARD chain -> POSTROUTING (Source NAT) -> OUT

Destination NAT runs before the routing decision, so routing (and with it the INPUT/FORWARD choice) is made on the rewritten destination; Source NAT runs after routing, as the last step before the packet leaves, so the filter chains always see the original source address. Each filter chain may DROP.
Rule Tables
● Each table is a different kind of packet processing
● filter table (the default): INPUT, OUTPUT and FORWARD chains
● nat table: PREROUTING and POSTROUTING chains (plus OUTPUT, for destination NAT of locally generated packets)
● mangle table: PREROUTING and OUTPUT chains (from kernel 2.4.18 on, INPUT, FORWARD and POSTROUTING as well)
Filter Table
RULES & TARGETS

● If a rule matches, its target is executed; for a terminating target (ACCEPT, DROP, REJECT) no more rules in the chain are checked
● LOG is the exception: it logs and checking continues with the next rule
● If a rule doesn't match, the next rule in the chain is checked
● If no rule in a built-in chain matches, the chain policy (-P) decides
Filter Table Targets
● ACCEPT
● DROP
● REJECT (--reject-with: an ICMP type, tcp-reset, echo-reply)
● LOG (non-terminating: then continues with the next rule)
● User chain (jump into it; RETURN or the end of the chain comes back)
Table Rules (Match)
For both SOURCE and DESTINATION
● IP address (-s / -d)
● Port, tcp & udp (--sport / --dport)

For both INPUT and OUTPUT
● Physical network device (interface: -i / -o)
● Protocol (-p tcp, udp, icmp, all)
● TCP flags
● ICMP type
● MAC source address (-m mac --mac-source; "in" interface only)
Table Rules (Match)
● State (-m state): NEW, ESTABLISHED, RELATED, INVALID
● Limit (-m limit): --limit-burst is the initial allowance, --limit the sustained rate (per second, minute, hour or day) at which the allowance is refilled
Iptables Example
Drop inbound packets from my neighbor:

iptables -A INPUT --source 64.200.123.123 -j DROP

and / or, by MAC address (the mac match module has to be selected with -m mac before --mac-source is accepted):

iptables -A INPUT --in-interface eth0 -m mac --mac-source fe:00:0e:12:34:56 --jump DROP

The binary is /usr/sbin/iptables. The long options (--source, --in-interface, --jump) are the same as -s, -i and -j.
Filter Table Rules (Match)
if
    match AND match AND match AND match ...
then
    target
else
    check next rule
Filter Table Rules (Match)
Rule:      [iptables] [chain] [match] [match] [target]
Next Rule: [iptables] [chain] [match] [match] [target]
Next Rule: [iptables] [chain] [match] [match] [target]
Filter Table Rules Setup
Flush all rules in a table (user-defined chains are emptied, not deleted):
iptables -F

Delete all (empty) user-defined chains in a table:
iptables -X

Flush all rules from the nat table:
iptables -F -t nat

Set chain policy (the fate of a packet no rule matched):
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Append a rule to a chain:
iptables -A INPUT ......

Caveat: on a host administered over the network, -F followed by -P INPUT DROP cuts the session before any ACCEPT rule is appended. When loading remotely, leave the policies at ACCEPT until the rules are in and set them to DROP last.
Filter Table Rules Setup
iptables -F
iptables -X

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT .....
iptables -A INPUT ....
iptables -A OUTPUT ....
iptables -A INPUT ....
iptables -A FORWARD ...
Filter Table Rules Setup
● rc.firewall: keep the commands in a script so the rule set is reproducible and reloaded at boot
● List rules:
iptables -L
iptables -L INPUT
iptables -L -t nat
iptables -L -v -n -x --line-numbers   (-v packet/byte counters, -n no name lookups, -x exact counts instead of K/M, rule numbers for -I/-D)
● Clear counters:
iptables -Z
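The setup sequence above (flush, policy, append, list) as one loadable rc.firewall. This is an added example, not the script from the slides: it assumes a host administered over ssh from a management network (ADMIN_NET, 192.0.2.0/24 here, a documentation range) and reorders the steps so the policies go to DROP only after the ACCEPT rules are in place. Setting IPT to "echo iptables" prints the commands instead of running them.

```shell
#!/bin/sh
# rc.firewall: added example, not the slides' script. Loads a host firewall in
# an order that does not lock out a remote admin. IPT="echo iptables" dry-runs.
IPT="${IPT:-/usr/sbin/iptables}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # assumed management network (documentation range)
SSH_PORT="${SSH_PORT:-22}"

fw_load() {
    # 1. Policies to ACCEPT first: while the chains are being rebuilt nothing
    #    is dropped, so the ssh session this script runs over survives.
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT

    # 2. Flush every chain, delete the (now empty) user chains, zero counters.
    $IPT -F
    $IPT -X
    $IPT -Z

    # 3. Loopback and traffic belonging to known connections. These match most
    #    packets, so they go first; INVALID (no conntrack entry, bad flags) is dropped.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -m state --state INVALID -j DROP

    # 4. New inbound connections: only ssh, only from the admin network.
    $IPT -A INPUT -p tcp --syn -s "$ADMIN_NET" --dport "$SSH_PORT" -j ACCEPT

    # 5. New outbound connections: whatever this host itself initiates.
    $IPT -A OUTPUT -m state --state NEW -j ACCEPT

    # 6. Log what is about to fall through to the policy. LOG does not stop
    #    processing, and the limit keeps a port scan from flooding syslog.
    $IPT -A INPUT -m limit --limit 5/minute --limit-burst 10 \
         -j LOG --log-prefix "fw-input-drop: "

    # 7. Close the default last. From here on anything unmatched is dropped.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
}

# Verify: counters, no name lookups, exact numbers, rule numbers for -I/-D.
fw_show() {
    $IPT -L -v -n -x --line-numbers
}

case "${1:-}" in
    load) fw_load ;;
    show) fw_show ;;
esac
```

`sh rc.firewall load` applies the rules; `IPT="echo iptables" sh rc.firewall load` prints them for review first. The ACCEPT-then-rebuild window in steps 1 and 2 is short but real; iptables-restore, which replaces a whole table in one atomic operation, is the way to close it.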
Network Services
Service   Port / Protocol
ftp       21 / tcp
ssh       22 / tcp
telnet    23 / tcp
smtp      25 / tcp
domain    53 / tcp
domain    53 / udp
http      80 / tcp
https     443 / tcp   (143/tcp is imap, not https)
pop3      110 / tcp
Example # 1
● Flush tables & user-defined chains
● Set policies to drop packets
● Permit new & established outbound TCP sessions
● Permit established inbound packets
● Log new TCP sessions attempted from the outside

Note: this rule set is not recommended; it is merely an example to show the iptables commands.
Example # 1
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --syn -j LOG --log-prefix "(In ZIN New Syn)"
iptables -A INPUT -p tcp --syn -j DROP
Example # 2
# Permit DNS traffic
DNS1="206.13.31.12"
USRPORT="1024:65535"

iptables -A INPUT -s $DNS1 -p udp --sport 53 --dport $USRPORT -j ACCEPT
iptables -A INPUT -s $DNS1 -p tcp --sport 53 --dport $USRPORT -m state --state ESTABLISHED -j ACCEPT

Caveat: the UDP rule accepts any datagram from $DNS1 with source port 53, whether or not this host sent a query, and a source address is trivial to forge. Conntrack tracks UDP as well, so the ESTABLISHED state match used on the TCP rule works for the UDP replies too.
Example # 3
# Limit ping rate
LIMIT_SLOW="-m limit --limit 12/minute --limit-burst 10"
LIMIT_FAST="-m limit --limit 120/minute --limit-burst 50"

iptables -A INPUT -p icmp --icmp-type echo-reply $LIMIT_FAST -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request $LIMIT_FAST -j ACCEPT

The variables are deliberately left unquoted so the shell splits them into separate arguments. --limit-burst 50 is the allowance at the start; once spent, one packet is admitted per refill interval (120/minute: one every half second). Pings beyond the limit simply do not match and fall through to the rules (or policy) that follow. LIMIT_SLOW is defined but not used here.
User Chains
# Limit ping rate
iptables -N LIMITPING
iptables -A LIMITPING -p icmp --icmp-type echo-reply $LIMIT_FAST -j ACCEPT
iptables -A LIMITPING -p icmp --icmp-type echo-request $LIMIT_FAST -j ACCEPT
...
iptables -A INPUT -j LIMITPING

-N creates the chain; -j LIMITPING from INPUT jumps into it. A packet that matches no rule in LIMITPING (a ping over the limit, or anything that is not a ping) drops off the end of the chain and continues in INPUT at the rule after the jump.
User Chains (Return)
# Allow pings but continue checking
iptables -N LIMITPING
iptables -A LIMITPING -p icmp --icmp-type echo-reply -j RETURN
iptables -A LIMITPING -p icmp --icmp-type echo-request -j RETURN
...
iptables -A INPUT -j LIMITPING

RETURN leaves the user chain at once and resumes in the calling chain at the rule after the jump, the same place a packet lands when it reaches the end of the user chain. In a built-in chain, RETURN applies the chain policy instead.
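The two LIMITPING chains above, combined into one that does something with the excess. This is an added example, not code from the slides: it rate-limits echo-request with the slides' LIMIT_SLOW values, logs and drops what is over the budget, and RETURNs every other ICMP type so the rest of INPUT still gets a say. The prefix "ping-flood: " and the 1/minute log limit are assumptions; IPT="echo iptables" prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the slides: a LIMITPING chain that rate-limits
# echo-request, logs and drops the excess, and hands everything else back with
# RETURN. IPT="echo iptables" prints the commands instead of running them.
IPT="${IPT:-/usr/sbin/iptables}"
PING_LIMIT="${PING_LIMIT:-12/minute}"   # the slides' LIMIT_SLOW values
PING_BURST="${PING_BURST:-10}"

limitping_load() {
    # -N fails when the chain already exists; on a rerun just empty it instead.
    $IPT -N LIMITPING 2>/dev/null || $IPT -F LIMITPING

    # Not an echo-request (echo-reply, unreachables, ...): back to the caller,
    # which resumes at the rule after its -j LIMITPING.
    $IPT -A LIMITPING -p icmp ! --icmp-type echo-request -j RETURN

    # Token bucket: PING_BURST pings may arrive at once, then one more per
    # refill interval (12/minute is one every 5 s). Inside the budget: ACCEPT.
    $IPT -A LIMITPING -p icmp -m limit --limit "$PING_LIMIT" --limit-burst "$PING_BURST" \
         -j ACCEPT

    # Outside the budget: LOG (itself limited; LOG is non-terminating) then DROP.
    # Dropped packets never return to INPUT, so a flood cannot reach later rules.
    $IPT -A LIMITPING -m limit --limit 1/minute -j LOG --log-prefix "ping-flood: "
    $IPT -A LIMITPING -j DROP

    # Only ICMP is sent into the chain. -I 1 puts the jump at the top of INPUT;
    # a later ESTABLISHED rule still sees echo-replies, because they RETURN.
    $IPT -I INPUT 1 -p icmp -j LIMITPING
}

# Per-rule packet counters show how much of the traffic hit the DROP.
limitping_show() {
    $IPT -L LIMITPING -v -n -x --line-numbers
}

case "${1:-}" in
    load) limitping_load ;;
    show) limitping_show ;;
esac
```

Order inside the chain is what makes it work: RETURN for non-pings first, the limited ACCEPT next, and the unconditional DROP last, so only echo-requests that exhausted the bucket reach it.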
NAT

● Drop externally originated broadcasts
iptables -t nat -A PREROUTING -i eth1 -d 192.168.0.255 -j DROP

● Change the outbound source address to that of the NIC
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 64.73.3.28

Caveat: the nat table is consulted only for the first packet of each connection; the conntrack entry then applies the mapping to the rest. DROP rules therefore belong in the filter table (or mangle), which sees every packet. SNAT only affects transit traffic once forwarding is enabled (net.ipv4.ip_forward=1) and needs a fixed address; MASQUERADE is the variant for a dynamically assigned one.
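The SNAT rule above as part of a working gateway. This is an added example, not code from the slides, and it goes beyond the two slide commands: it adds the FORWARD rules and an anti-spoofing check the NAT needs to be safe. Assumptions: eth0 is the LAN side (192.168.0.0/24, matching the slides' broadcast address), eth1 the outside with the slides' public address 64.73.3.28, and the broadcast DROP is moved from nat/PREROUTING to the filter table. IPT="echo iptables" prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the slides: a two-NIC NAT gateway. eth0/192.168.0.0/24
# is the LAN, eth1 the outside with the slides' public address 64.73.3.28.
# IPT="echo iptables" prints the commands instead of running them.
IPT="${IPT:-/usr/sbin/iptables}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
LAN_BCAST="${LAN_BCAST:-192.168.0.255}"
WAN_IF="${WAN_IF:-eth1}"
WAN_IP="${WAN_IP:-64.73.3.28}"

nat_load() {
    # Rebuild only what this script owns: the nat table and FORWARD.
    $IPT -t nat -F
    $IPT -F FORWARD
    $IPT -P FORWARD DROP

    # The nat table is consulted for the first packet of a connection only;
    # filtering belongs in the filter table, which sees every packet. So the
    # slides' broadcast DROP goes here, on both paths a packet can take.
    $IPT -A INPUT   -i "$WAN_IF" -d "$LAN_BCAST" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -d "$LAN_BCAST" -j DROP

    # Anti-spoofing: a packet with a LAN source address cannot legitimately
    # arrive on the outside interface.
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Replies to connections the LAN opened come back in; only the LAN may
    # open new ones, and only towards the outside.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Rewrite the source of LAN traffic leaving eth1 to the gateway's address;
    # conntrack undoes the mapping on the replies. With a dynamic address use
    # -j MASQUERADE (no --to-source) instead of SNAT.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
}

# Without this the kernel never forwards, whatever FORWARD says.
enable_forwarding() {
    "${SYSCTL:-sysctl}" -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    load) enable_forwarding && nat_load ;;
esac
```

The anti-spoofing DROP sits before the ESTABLISHED accept on purpose: a forged LAN-sourced packet from outside must never be able to ride an existing conntrack entry.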
Discussion
References
● Linux Firewalls, Second Edition (2002), Robert Ziegler
● Linux Firewalls, Third Edition (Oct 2005), Steve Suehring and Robert Ziegler
● Rusty Russell (author of netfilter/iptables)
● www.netfilter.org
● www.linuxguruz.com/iptables/
● www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html
... and a lot more