Wednesday, April 23, 2008

Linux Firewall : iptables - Basic

Introductions

IPTABLES is an application for Linux used to configure netfilter tables, chains and rules. The command must be executed by a user with root privilege. Normally it is located at /usr/sbin/iptables or /sbin/iptables.


How does iptables work?

Every packet inspected by iptables passes through a sequence of built-in tables (queues) for processing.

Basically, iptables is built up from THREE (3) tables: the MANGLE table, which is responsible for altering the TCP header; the FILTER table, which does the packet filtering; and the NAT table, which is responsible for network address translation (NAT).

FILTER Table

The filter table can be divided into 3 different chains, which are:

INPUT Chain

This chain filters all packets destined to the firewall or the device itself.

FORWARD Chain

This chain is responsible for filtering all packets passing through the firewall from one interface to another.

OUTPUT Chain

This chain filters all packets originating from the firewall or the device itself.

NAT Table

There are also 3 different chains in the NAT table, which are:

PREROUTING Chain

This chain translates the address before routing. Normally it is used for destination NAT (DNAT), typically when doing port forwarding.

POSTROUTING Chain

This chain translates the address after routing. Normally it is used to change the source IP, i.e. source NAT (SNAT).

OUTPUT Chain

Used to network-address-translate the firewall's own outgoing packets, but it is rarely used.

MANGLE Table

This table is responsible for modifying the TCP header to provide quality of service (QoS) before routing. It is rarely used in a small SOHO network.

There are five chains in this table: PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD.


Every time you create/remove/alter an iptables rule, you need to specify the TABLE and CHAIN. If no TABLE is specified, the system assumes the default table, which is the FILTER table, as most rules are related to the FILTER table.

You will understand more when it comes to the command syntax, which I will touch on later.


How does a packet flow through the iptables tables/chains?

[Figure: tables_traverse]

When a packet arrives on the WAN to create a data connection, it flows as follows:

  1. It is examined by the MANGLE table's PREROUTING chain, if any rules exist there.
  2. Followed by the NAT table's PREROUTING chain if DNAT is required.
  3. Then it is routed.
  4. If the packet is destined to the LAN network, it is examined by the MANGLE table's FORWARD chain for QoS (if any), followed by the FILTER table's FORWARD chain. Then it is examined by the MANGLE table's POSTROUTING chain for QoS (if any), followed by the NAT table's POSTROUTING chain if any SNAT is needed.
  5. Then the packet arrives at the LAN station. If the destination LAN station decides to reply, the reply goes through the same TABLES and CHAINS in reverse.
  6. If the packet is destined to the firewall itself, it is examined by the MANGLE table's INPUT chain followed by the FILTER table's INPUT chain. If it is accepted, the packet reaches the firewall.
  7. If the firewall decides to reply, the reply is examined by the MANGLE, NAT and FILTER tables' OUTPUT chains in sequence, followed by the MANGLE and NAT tables' POSTROUTING chains, before the reply packet is sent back to the WAN side.


What are iptables TARGET and JUMP?

When an iptables rule examines a packet and the packet matches, the rule jumps to the user-specified target, which decides what happens to the packet.

Basically, there are a few TARGETs that are commonly used:

ACCEPT

As the name says, it accepts the packet and passes it on to the destination application or IP/network.

DROP

The packet is blocked and will not pass through. No notification is sent to the SENDER.

REJECT

There is a slight difference between the REJECT target and the DROP target: REJECT blocks the packet but also sends an ERROR message back to the SENDER.

DNAT

This is used to do destination network address translation, whereby it changes the destination IP address of the packet.

SNAT

This is used to do source network address translation, whereby it rewrites the source IP address of the packet.

MASQUERADE

This is the dynamic way to do source network address translation, whereby the source IP address is rewritten to the firewall's WAN interface IP address.


Common iptables command switch operations

Before you are able to create/remove/alter iptables firewall rules, you need to understand subnetting (CIDR), routing and the TCP/IP concepts very well. Otherwise, you might MESS UP the firewall !!!

               *** Play and try at your own risk ***

-t <table>

To specify the TABLE (MANGLE, NAT or FILTER).

-j <target>

To jump to the specified target (or user-defined chain) when the packet matches the current rule.

-A

To append a rule to the end of the chain.

-I

To insert a rule at the top of the chain.

-D

To delete a specified rule from the chain.

-F

To flush all the rules in a chain (or in every chain of the table if no chain is given).   *** Dangerous command ***

-p <protocol type>

To match a protocol like udp, tcp, icmp etc.

-p udp/tcp --dport <destination port>

To match udp/tcp with a destination port number.

-p udp/tcp --sport <source port>

To match udp/tcp with a source port number.

-s <source address>

To match the source address / network.

-d <destination address>

To match the destination address / network.

-i <incoming interface>

To match the incoming interface like eth0, eth2 etc.

-o <outgoing interface>

To match the outgoing interface like eth0, eth2 etc.

Example command

/usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT

This command adds a rule at the bottom of the FILTER table's INPUT chain to accept TCP packets from the 192.168.0.0/24 network, arriving through the eth0 interface, that are destined to the firewall's port 22.
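As an added example (not code from the original post), here are the switches above assembled into a small SOHO ruleset that follows the packet-flow steps described earlier. The interface names eth0/eth1, the LAN network and the forwarded web server address are assumptions; by default the script only prints the iptables commands, so they can be reviewed before running them as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the original post. Interface names, the LAN
# network and the port-forward target below are assumptions.
WAN=eth0                 # assumed WAN interface
LAN=eth1                 # assumed LAN interface
LAN_NET=192.168.0.0/24   # assumed LAN network (same as the post's example)
WEB_SERVER=192.168.0.10  # assumed LAN host that receives forwarded port 80
DRY_RUN=${DRY_RUN:-1}    # 1 = only print the commands; 0 = run them as root

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else /usr/sbin/iptables "$@"; fi
}

build_rules() {
    # -F flushes every chain of the table. Do this from the console, not over
    # SSH: until the ACCEPT rules below are back, nothing gets in.
    ipt -t filter -F
    ipt -t nat -F
    # Default policies (-P): drop what no rule accepts; the firewall's own
    # outgoing traffic is allowed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback, plus packets belonging to connections already accepted
    # (the reply direction described in step 5 of the packet flow).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # FILTER/INPUT (step 6): SSH to the firewall itself, LAN side only.
    ipt -A INPUT -i "$LAN" -p tcp --dport 22 -s "$LAN_NET" -j ACCEPT
    # FILTER/FORWARD (step 4): LAN hosts may open new connections to the WAN.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # NAT/POSTROUTING (step 4, after routing): MASQUERADE rewrites the source
    # address of those packets to the WAN interface address.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # NAT/PREROUTING (step 2, before routing): DNAT forwards WAN port 80 to the
    # web server; the translated packet still has to pass FILTER/FORWARD.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT
}

build_rules
```

Compare the printed rules against the flow list: every rule names the table (default FILTER) and the chain where the packet will meet it.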

There are still more advanced ways to create firewall rules using iptables. I will continue discussing them in a coming post.

Have a nice try, and still the same advice....

                     *** Try at your own risk !!! ***
