Linux Firewall: Netfilter/Iptables

Source: javax.mty.itesm.mx/networks2/material/linuxfirewall.pdf (slide transcript, uploaded 16-Sep-2018)

In the Net

Packet diagram (from the slide): DestMAC | SourceMAC | DestIP | SourceIP | DestPort | SourcePort | Data ("Hello world!") | CRC

• We have access to:
– MAC addresses
– IP addresses
– Ports
– Header fields
• Protocol: TCP, UDP, ICMP, ARP
• Flags, etc.
– Application data

Filter traffic

• MAC address
– Block/allow individual machines
• IP address
– Block/allow individual machines or groups
• Port number
– Block/allow services (http, ftp, smtp, etc.)
• Protocol
– TCP, UDP, ICMP
– e.g.: block "ping"
• Ping is the application programmed with ICMP

Firewalls: Basic architecture

Diagram (from the slide): the firewall sits between the internal network and the Internet.

Relationships

• Each packet received or sent is processed by (at least) one table
• A table contains chains that process the packets in a specific way
• Chains have rules which are applied to every packet
• Each rule has one or more parameters (to look for a match) that are compared with data of the packet
• The moment a packet matches a rule (parameter by parameter), the rule's target is applied

Targets

• ACCEPT
– The packet is accepted by the machine
• DROP
– Discards the packet and it is not processed further
– It is as if the packet had never been sent or arrived
• LOG
– The packet is written in the syslog (processing then continues with the next rule)
• REJECT
– Discards the packet and sends an appropriate response (an error message) to the sender
• RETURN
– Stops traversing this chain and continues processing the packet in the chain that called it

Some parameters

• -p --protocol
– Protocol used: udp, tcp, icmp
• -s --source
– Source IP address
• -d --destination
– Destination IP address
• -i --in-interface
– Input network card

More parameters

• --source-port --sport
• --destination-port --dport
• --tcp-flags
– SYN, ACK, PSH, URG, FIN, RST, ALL
• --icmp-type
– Type of ICMP message
– 0: echo-reply, 8: echo-request, 3: destination unreachable (used for "port unreachable")

Some commands

• -A (Append)
– Append a rule at the end of the chain
• -I number (Insert)
– Insert a rule just before rule number
• -D number (Delete)
– Delete the rule number
• -F chain (Flush)
– Delete all the rules in a chain
• -L chain (List)
– List all the rules in a chain

Some options

• --line-numbers
– Used with --list to see the numbers of the rules
• -n
– Used with --list to show numbers instead of names
– 80 instead of http
– 22 instead of ssh

Rules

• iptables -A INPUT -s 10.16.54.243 -p tcp --destination-port telnet -j DROP
• iptables -A INPUT -p tcp --dport 23 -j DROP
• iptables -A INPUT -p icmp --icmp-type 8 -j DROP
• iptables -I INPUT 1 -p icmp --icmp-type 8 -j DROP
• iptables -I INPUT 1 -p icmp --icmp-type 8 -j REJECT
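The "Relationships" and "Targets" slides describe first-match evaluation, and the rules above depend on it: once the REJECT is inserted at position 1, the DROP appended earlier for the same ICMP type is never reached. The following shell script is an added example, not part of the slides or of iptables; it models a single INPUT chain of the filter table offline (no root, no kernel) so the ordering effect of -A versus -I and the role of the chain policy can be seen. The rule format (one line "PROTO DPORT TARGET", with the second field holding the ICMP type for icmp) and the function names are this example's own simplification.

```shell
#!/bin/sh
# Added example (not from the slides): a tiny model of the filter table's INPUT
# chain. Rules are one line each, "PROTO DPORT TARGET"; "any" matches anything.
# For icmp the second field is the ICMP type (8 = echo-request), mirroring
# --icmp-type. This is a simplification assumed for the example only.

CHAIN=""            # rules, one per line, in evaluation order
POLICY="ACCEPT"     # applied when no rule matches (iptables -P INPUT ...)

chain_flush()  { CHAIN=""; }        # iptables -F INPUT
chain_policy() { POLICY="$1"; }     # iptables -P INPUT $1

# iptables -A INPUT ... : append the rule at the end of the chain
chain_append() {
  if [ -z "$CHAIN" ]; then CHAIN="$1"; else CHAIN="$CHAIN
$1"; fi
}

# iptables -I INPUT N ... : insert the rule just before rule N (1-based);
# a position past the end appends, which is enough for this model.
chain_insert() {
  CHAIN=$(printf '%s\n' "$CHAIN" | awk -v n="$1" -v r="$2" '
    NR == n { print r }
    NF      { print }
    END     { if (NR < n) print r }')
}

# First match wins: print the target of the first rule that matches the
# packet, otherwise the chain policy. Usage: chain_lookup PROTO DPORT
chain_lookup() {
  printf '%s\n' "$CHAIN" | awk -v proto="$1" -v port="$2" -v policy="$POLICY" '
    NF == 3 && ($1 == "any" || $1 == proto) && ($2 == "any" || $2 == port) {
      print $3; found = 1; exit
    }
    END { if (!found) print policy }'
}

# Replays the "Rules" slide: telnet dropped, echo-request dropped, then a
# REJECT for echo-request inserted at position 1 so it shadows the DROP.
demo() {
  chain_flush
  chain_policy ACCEPT
  chain_append "tcp 23 DROP"        # iptables -A INPUT -p tcp --dport 23 -j DROP
  chain_append "icmp 8 DROP"        # iptables -A INPUT -p icmp --icmp-type 8 -j DROP
  chain_insert 1 "icmp 8 REJECT"    # iptables -I INPUT 1 -p icmp --icmp-type 8 -j REJECT
  printf 'telnet (tcp/23)   -> %s\n' "$(chain_lookup tcp 23)"   # DROP
  printf 'ping (icmp type 8) -> %s\n' "$(chain_lookup icmp 8)"  # REJECT, rule 1 matches first
  printf 'http (tcp/80)     -> %s\n' "$(chain_lookup tcp 80)"   # ACCEPT, nothing matched: policy
}

demo
```

Running the script prints the three decisions; changing the policy to DROP (as the later "Session" slides do) turns the unmatched http packet into DROP while the two explicit rules keep their targets.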

Commands

• iptables -L
– Lists all the active rules of every chain in the default (filter) table
• iptables -L -n
– The rules are displayed with IP addresses and ports as numbers instead of names
• iptables -L -t filter
– Displays all the rules of a specific table
– filter is the default
• iptables -L --line-numbers
– Displays all the rules numbered
– Useful when applying INSERT (-I) or DELETE (-D) by rule number

Commands

• iptables -F
– Deletes all the rules of the chains in table filter
• iptables -F INPUT
– Deletes all the rules of the chain INPUT in table filter
• iptables -D INPUT 7
– Deletes the 7th rule of the chain INPUT of the table filter
• iptables -P INPUT DROP
– All the packets that do not match a rule will be discarded, with no response
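Deleting by number (iptables -D INPUT 7) only makes sense together with the numbered listing from the previous slide, and the number must be read from the live table right before the delete, because every -I or -D shifts the numbers of the rules after it. The script below is an added example, not from the slides; it parses a constructed sample of what `iptables -L INPUT -n --line-numbers` prints (the column layout is assumed from the usual iptables listing) to locate a rule by target and match text, and wraps the real delete so that it always re-reads the table first. The function names and the sample listing are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides). SAMPLE_LISTING is a constructed copy of
# the output of `iptables -L INPUT -n --line-numbers`; the column layout
# (num, target, prot, opt, source, destination, match text) is assumed.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2    REJECT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 reject-with icmp-port-unreachable
3    DROP       tcp  --  10.16.54.243         0.0.0.0/0            tcp dpt:23
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# Print the number of every rule whose target column equals TARGET and whose
# line contains PATTERN (e.g. "dpt:23"). Usage: rule_number "$listing" TARGET PATTERN
rule_number() {
  printf '%s\n' "$1" | awk -v target="$2" -v pat="$3" '
    $1 ~ /^[0-9]+$/ && $2 == target && index($0, pat) > 0 { print $1 }'
}

# Count the numbered rules: any -D position must stay within this range.
rule_count() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { n++ } END { print n + 0 }'
}

# Delete the first rule matching TARGET/PATTERN in CHAIN. Re-reads the live
# table immediately before deleting, so a number taken from an older listing
# is never reused. Needs root and a real iptables; not run by the demo below.
delete_rule() {   # delete_rule CHAIN TARGET PATTERN
  listing=$(iptables -L "$1" -n --line-numbers) || return 1
  n=$(rule_number "$listing" "$2" "$3" | head -n 1)
  [ -n "$n" ] || { echo "no $2 rule matching '$3' in chain $1" >&2; return 1; }
  iptables -D "$1" "$n"
}

# Offline demo on the constructed listing.
printf 'rules in listing: %s\n' "$(rule_count "$SAMPLE_LISTING")"          # 4
printf 'telnet DROP is rule: %s\n' "$(rule_number "$SAMPLE_LISTING" DROP dpt:23)"  # 3
```

With a live table the call would be `delete_rule INPUT DROP dpt:23`, which is the lookup-then-`iptables -D INPUT 3` sequence of the slides done in one step.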

Session

• iptables -F
• iptables -A INPUT -s 0/0 -p tcp --dport 22 -j ACCEPT
• iptables -A OUTPUT -d 0/0 -p tcp --sport 22 -j ACCEPT
• iptables -P INPUT DROP
• iptables -P OUTPUT DROP

• Delete all the rules of filter
• Accept input and output packets of ssh
• Use the DROP policy for input and output packets, in case a packet does not match any rule

The machine is completely isolated from the network, with the exception of remote secure shell connections from any computer on the Internet.

Session

• iptables -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT
• iptables -A OUTPUT -d 0/0 -p tcp --sport 80 -j ACCEPT

Same as:

• iptables -A INPUT -p tcp --dport http -j ACCEPT
• iptables -A OUTPUT -p tcp --sport http -j ACCEPT

The web server can accept requests and serve pages.

• iptables -A INPUT -s 0/0 -p tcp --dport 8080 -j ACCEPT
• iptables -A OUTPUT -d 0/0 -p tcp --sport 8080 -j ACCEPT
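The two "Session" slides above type the rules one at a time, and the order matters: if `iptables -P INPUT DROP` is issued over an SSH session before the port 22 ACCEPT exists, the session is cut off. The script below is an added example, not from the slides; it writes the same ruleset in the format `iptables-save`/`iptables-restore` use (see the "Permanent changes" slide), so rules and policies are loaded together in one atomic step, and it refuses to apply a ruleset whose INPUT policy is DROP with no ACCEPT for the administrative port. It also shows the second session slide as a function that adds a TCP service (80, 8080) to the ruleset. The function names, the check, and the use of `0.0.0.0/0` (the slides' `0/0` written out) are this example's own; FORWARD is left untouched, as on the slides.

```shell
#!/bin/sh
# Added example (not from the slides): the SSH-only "Session" as one ruleset in
# iptables-save format, applied atomically with iptables-restore.

# Emit the filter table of the first "Session" slide: policies DROP, only
# ssh (tcp/22) allowed in and out. 0.0.0.0/0 is the slides' 0/0 spelled out.
ssh_only_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j ACCEPT
-A OUTPUT -d 0.0.0.0/0 -p tcp --sport 22 -j ACCEPT
COMMIT
EOF
}

# Second "Session" slide: allow a TCP service (80, 8080, ...) in and out by
# adding its two -A lines just before COMMIT. Usage: add_tcp_service "$ruleset" PORT
add_tcp_service() {
  printf '%s\n' "$1" | awk -v p="$2" '
    /^COMMIT$/ { printf "-A INPUT -p tcp --dport %s -j ACCEPT\n-A OUTPUT -p tcp --sport %s -j ACCEPT\n", p, p }
    { print }'
}

# Lock-out check: a ruleset that sets the INPUT policy to DROP must contain an
# ACCEPT for the port the admin session arrives on (default 22).
# Returns 0 when safe, 1 when applying it would cut the session.
check_admin_port() {   # check_admin_port "$ruleset" [PORT]
  port="${2:-22}"
  if printf '%s\n' "$1" | grep -q '^:INPUT DROP' &&
     ! printf '%s\n' "$1" | grep -Eq "^-A INPUT .*--dport ${port} .*-j ACCEPT$"; then
    return 1
  fi
  return 0
}

# Load the ruleset in one step (needs root). iptables-restore replaces the
# whole table at once, so there is no window with policy DROP and no rules.
apply_ruleset() {   # apply_ruleset "$ruleset" [ADMIN_PORT]
  check_admin_port "$1" "${2:-22}" ||
    { echo "refusing: INPUT policy DROP without an ACCEPT for tcp/${2:-22}" >&2; return 1; }
  printf '%s\n' "$1" | iptables-restore
}

# Offline demo: build the ruleset, extend it with http, and run the check.
RULESET=$(add_tcp_service "$(ssh_only_ruleset)" 80)
printf '%s\n' "$RULESET"
check_admin_port "$RULESET" && echo "check passed: ssh stays reachable"
```

To apply the generated ruleset on a real host run `apply_ruleset "$RULESET"` as root; `iptables-save > file` afterwards records the same text for the "Permanent changes" step.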

Session

• iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
• iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT

Reject "pings" with an appropriate message ("destination port unreachable") instead of ignoring the packet. The second rule is needed because the OUTPUT policy is DROP: the ICMP type 3 reply that REJECT generates leaves through the OUTPUT chain and would otherwise be discarded.

Permanent changes

• The changes to the tables (new rules) are activated right away by the iptables commands, but are only kept in memory
• iptables-save [>file]
– Stores all the tables in file, or in /etc/sysconfig/iptables if no file is specified
• iptables-restore file
– Brings the tables in file back into memory