netfilter/iptables - javax.mty.itesm.mx/networks2/material/linuxfirewall.pdf
• We have access to:
– MAC addresses
– IP addresses
– Ports
– Header fields (protocol: TCP, UDP, ICMP, ARP; flags, etc.)
– Application data
[Figure: frame layout: Dest MAC | Source MAC | Dest IP | Source IP | Dest Port | Source Port | Data | CRC]
Filter traffic
• MAC address
– Block/allow individual machines
• IP address
– Block/allow individual machines or groups (networks)
• Port number
– Block/allow services (http, ftp, smtp, etc.)
• Protocol
– TCP, UDP, ICMP
– e.g.: block "ping" (the ping program is implemented with ICMP echo request/reply)
Relationships
• Each packet received or sent is processed by (at least) one table
• A table contains chains that process the packets in a specific order
• Chains hold rules, which are applied to every packet in sequence
• Each rule has one or more parameters (match criteria) that are compared with the packet's data
• The moment a packet matches a rule (parameter by parameter), the rule's target is applied
• If no rule in a built-in chain matches, the chain's default policy is applied (see -P below)
Targets
• ACCEPT
– The packet is accepted (allowed through)
• DROP
– Discards the packet; it is not processed further
– It is as if the packet was never sent or never arrived
• LOG
– Writes the packet headers to syslog (the kernel log)
– Non-terminating: the packet continues to the next rule, so LOG is usually followed by a DROP or REJECT rule
• REJECT
– Discards the packet and sends an appropriate error response to the sender (by default an ICMP port unreachable; --reject-with tcp-reset sends a TCP RST instead)
• RETURN
– Stops traversing the current chain; in a user-defined chain, processing resumes at the rule after the jump in the calling chain; in a built-in chain, the chain's policy is applied
Some parameters
• -p --protocol – Protocol used: udp, tcp, icmp
• -s --source – Source IP address
• -d --destination – Destination IP address
• -i --in-interface – Input network interface (e.g. eth0); -o --out-interface selects the output interface
More parameters
• --source-port / --sport
• --destination-port / --dport
• --tcp-flags
– SYN, ACK, PSH, URG, FIN, RST, ALL (two comma-separated lists: the flags to examine, then the flags that must be set)
• --icmp-type
– Type of ICMP message
– 0: echo-reply, 8: echo-request, 3: destination-unreachable (port unreachable is type 3, code 3)
Some commands
• -A chain (Append)
– Append a rule at the end of the chain
• -I chain number (Insert)
– Insert a rule at position number, just before the current rule number (default 1, the top of the chain)
• -D chain number (Delete)
– Delete the rule number (or -D chain followed by the full rule specification)
• -F [chain] (Flush)
– Delete all the rules in a chain (in every chain of the table if no chain is given)
• -L [chain] (List)
– List all the rules in a chain (in every chain of the table if no chain is given)
Some options
• --line-numbers
– Used with --list to see the numbers of the rules
• -n
– Used with --list to show numbers instead of names (no DNS or /etc/services lookups)
– 80 instead of http, 22 instead of ssh
Rules
• iptables -A INPUT -s 10.16.54.243 -p tcp --destination-port telnet -j DROP
• iptables -A INPUT -p tcp --dport 23 -j DROP
– The same as the previous rule, without the source restriction (port 23 is telnet)
• iptables -A INPUT -p icmp --icmp-type 8 -j DROP
• iptables -I INPUT 1 -p icmp --icmp-type 8 -j DROP
• iptables -I INPUT 1 -p icmp --icmp-type 8 -j REJECT
Commands
• iptables -L
– Lists the active rules of every chain in the filter table (the default table)
• iptables -L -n
– Displays IP addresses and ports as numbers instead of names (no DNS or /etc/services lookups)
• iptables -L -t filter
– Displays all the rules of a specific table
– filter is the default; the other tables are nat, mangle and raw
• iptables -L --line-numbers
– Displays all the rules numbered
– Useful when applying -I (insert) or -D (delete) by rule number
Commands
• iptables -F
– Deletes all the rules of the chains in table filter
• iptables -F INPUT
– Deletes all the rules of the chain INPUT in table filter
• iptables -D INPUT 7
– Deletes the 7th rule of the chain INPUT of the table filter
• iptables -P INPUT DROP
– Sets the default policy of INPUT: all packets that do not match any rule in the chain are discarded, with no response
Session
• iptables -F
• iptables -A INPUT -s 0/0 -p tcp --dport 22 -j ACCEPT
• iptables -A OUTPUT -d 0/0 -p tcp --sport 22 -j ACCEPT
• iptables -P INPUT DROP
• iptables -P OUTPUT DROP
• Delete all the rules of filter
• Accept input and output packets of ssh (0/0 means any address)
• Use the DROP policy for input and output packets, in case a packet does not match any rule
The machine is completely isolated from the network, with the exception of secure shell connections from any computer on the Internet. Note that these rules are stateless: any TCP packet to or from port 22 is accepted regardless of connection state, and with OUTPUT set to DROP the machine can no longer initiate connections itself (DNS, updates) or use the loopback interface.
Session
• iptables -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT
• iptables -A OUTPUT -d 0/0 -p tcp --sport 80 -j ACCEPT
Same as:
• iptables -A INPUT -p tcp --dport http -j ACCEPT
• iptables -A OUTPUT -p tcp --sport http -j ACCEPT
The web server can accept requests and serve pages. The same pattern for a server listening on port 8080:
• iptables -A INPUT -s 0/0 -p tcp --dport 8080 -j ACCEPT
• iptables -A OUTPUT -d 0/0 -p tcp --sport 8080 -j ACCEPT
Session
• iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
• iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
Reject "pings" with an adequate message, "destination port unreachable" (ICMP type 3, the default for REJECT), instead of silently ignoring the packet. The second rule is needed because the ICMP error generated by REJECT is a locally originated packet: it traverses the OUTPUT chain and would otherwise be discarded by the OUTPUT DROP policy set in the first session.
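The three sessions above combined into one script, as an added example that is not part of the original slides. It keeps the page's goals (ssh and web in, pings answered with port unreachable, DROP policies) but fixes the practitioner's complaints about the stateless rules: loopback is allowed, replies are matched with the conntrack state match (-m conntrack --ctstate, not covered by the slides), the services go in a user-defined chain whose RETURN falls back to INPUT, and a rate-limited LOG rule precedes the DROP policy to show that LOG does not terminate processing. The variable names IPT, SERVICE_PORTS and FW_APPLY and the chain name "services" are this example's own; by default it only prints the iptables commands, FW_APPLY=1 runs them (as root).

```shell
#!/bin/sh
# Added example (not from the slides): a stateful version of the three sessions.
# IPT, SERVICE_PORTS, FW_APPLY and the "services" chain are names chosen here.
IPT="${IPT:-iptables}"
SERVICE_PORTS="${SERVICE_PORTS:-22 80}"   # ssh and http, as in the sessions

apply_rules() {
  # Start from a clean filter table: flush all chains, then delete user-defined ones
  $IPT -F
  $IPT -X
  # Loopback traffic also traverses INPUT/OUTPUT; the slides' sessions would block it
  $IPT -A INPUT  -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  # Stateful replies: these two rules replace the slides' --sport 22/80 OUTPUT rules
  # and let the machine itself open connections (DNS, updates) again
  $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Offered services live in a user-defined chain; only NEW connections are sent there
  $IPT -N services
  for port in $SERVICE_PORTS; do
    $IPT -A services -p tcp --dport "$port" -j ACCEPT
  done
  # RETURN: anything not accepted above goes back to INPUT, to the rule after the jump
  $IPT -A services -j RETURN
  $IPT -A INPUT -p tcp -m conntrack --ctstate NEW -j services
  # Answer pings with ICMP port unreachable (REJECT's default) instead of silence
  $IPT -A INPUT -p icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
  # The REJECT reply is locally generated and traverses OUTPUT, so let type 3 out
  $IPT -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
  # LOG is non-terminating: the packet continues to the policy, which drops it
  $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
  # Default policies last, so an ssh session is never cut while the rules are loaded
  $IPT -P INPUT   DROP
  $IPT -P OUTPUT  DROP
  $IPT -P FORWARD DROP
}

# Dry run by default: print the commands. FW_APPLY=1 executes them (needs root).
if [ "${FW_APPLY:-0}" != 1 ]; then
  IPT="echo $IPT"
fi
apply_rules
```

Run it as `SERVICE_PORTS="22 80 8080" sh firewall.sh` to see the rule set for the web server on the alternate port, and compare the printed commands with `iptables -L -n --line-numbers` after applying.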
Permanent changes
• The changes to the tables (new rules) are activated right away by the iptables commands, but are kept only in kernel memory and are lost at reboot
• iptables-save [> file]
– Writes all the tables to standard output; redirect it to a file. Red Hat style systems load /etc/sysconfig/iptables at boot, so that is where the saved rules go there
• iptables-restore < file
– Loads the tables in file into memory, replacing the current rules (unless -n/--noflush is given)
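Before restoring a saved file, it is worth checking what is in it; a dump restores exactly what was saved, including a forgotten ACCEPT policy. The following is an added example, not from the slides: it parses the iptables-save format (a `*table` line, `:CHAIN POLICY [packets:bytes]` lines, `-A` rules, `COMMIT`) and verifies that every built-in chain of the filter table defaults to DROP. The dump embedded in SAMPLE_DUMP is constructed for the example, not captured from a real host; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): audit an iptables-save dump before restoring it.
# Constructed sample in iptables-save format; note the OUTPUT chain still defaults to ACCEPT.
SAMPLE_DUMP='# Generated by iptables-save v1.8.7
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12:840]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed'

# Print "TABLE CHAIN POLICY" for each built-in chain of the dump read on stdin.
# Policy lines look like ":INPUT DROP [pkts:bytes]"; user-defined chains show "-".
chain_policies() {
  awk '/^\*/ { table = substr($0, 2) }
       /^:/  { sub(/^:/, "", $1); if ($2 != "-") print table, $1, $2 }'
}

# Exit 0 if every built-in chain of the given table defaults to DROP,
# otherwise list the offending chains and exit 1.
require_drop_policy() {
  table="$1"
  chain_policies | awk -v t="$table" \
    '$1 == t && $3 != "DROP" { print "open policy:", $2, $3; bad = 1 }
     END { exit bad ? 1 : 0 }'
}

# Number of rules (-A lines) in the dump read on stdin; a flushed table saves as 0.
rule_count() {
  awk '/^-A / { n++ } END { print n + 0 }'
}

# With --live, audit the running rules; otherwise audit the constructed sample.
if [ "${1:-}" = "--live" ]; then
  iptables-save | require_drop_policy filter && echo "all built-in chains default to DROP"
else
  printf '%s\n' "$SAMPLE_DUMP" | require_drop_policy filter && echo "all built-in chains default to DROP"
fi
```

Typical use is `iptables-save > /etc/sysconfig/iptables` followed by `require_drop_policy filter < /etc/sysconfig/iptables` before the machine is rebooted or the file is fed to `iptables-restore`; the sample fails the check because its OUTPUT chain defaults to ACCEPT.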