
IPTables/Netfilter Notes:

1. IPTables is really a front-end (user-space) tool to manage Netfilter (integrated within the Linux kernel)
2. IPTables functions primarily at OSI Layers 3 (Network (IP)) & 4 (Transport (TCP/UDP))
3. Layer 3 focuses on Source (192.168.1.20) & Destination (192.168.1.30) Addresses
IPv4 addresses are 32-bit (about 4 billion addresses)
4. Layer 4 focuses on Protocol:Port pairs, e.g. TCP:80, UDP:69
TCP/UDP ports use a 16-bit range (0-65535)
5. IPTables can manage ICMP
ICMP uses types - echo-request, echo-reply
6. /boot/config* - check to ensure that CONFIG_NETFILTER=y
7. 3 Default Tables contain chains, which contain rules
a. mangle - alter packet header fields (TOS/TTL/MARK) of TCP/UDP/ICMP/etc. packets
b. nat - Network Address Translation: change IP addresses/ports
192.168.1.20 <-> 10.0.0.1
c. filter - IP packet filtering (INPUT, FORWARD, OUTPUT); the table assumed when -t is omitted
8. ACL (rule) syntax
a. use the 'iptables' command
b. parts of an iptables command
1. action on the chain (Append -A / Insert -I / Replace -R) followed by the chain name
2. name of table (-t filter/mangle/nat); filter is assumed if -t is omitted
3. layer 3 object (source/destination address) -s/-d
4. optionally layer 4 object (tcp/udp protocol/ports) -p, --sport/--dport
5. Jump/Target -j - ACCEPT/DROP/REJECT/LOG (DENY was an ipchains target; it does not exist in iptables)
Eg. Block source IP (192.168.1.30) from communicating with our system
iptables -A INPUT -s 192.168.1.30 -j DROP
9. Saving/Restoring - Managing rules via text files
a. iptables-save (default dumps to STDOUT)
b. iptables-restore (default reads rules from STDIN)
c. Flush rules - iptables -F (flushes all rules in all chains of the filter table; use -t nat/-t mangle for the other tables; chain policies are NOT reset)
d. To save rules use iptables-save > filename
e. To restore rules use iptables-restore < filename
10. CHAIN MANAGEMENT - IN VARIOUS TABLES (MANGLE/NAT/FILTER)
a. List (-L) various tables/chains (-n for numeric addresses/ports, -t for a table other than filter)
1. INPUT chain of Filter table relates to traffic destined to OUR host.
2. -v - reveals packet/byte counters (abbreviated K/M/G; -x shows exact values)
b. Appending(-A)/Inserting(-I INPUT line number) rules
source ICMP(echo-request) to 192.168.1.30, traverses local OUTPUT chain
192.168.1.30 responds with echo-reply, traverses local INPUT chain
1. permit SSH - iptables -A INPUT -p tcp --dport 22 -j ACCEPT
2. deny Telnet - iptables -A INPUT -p tcp --dport telnet -j DROP
Note: appending rules simply adds to end of list
c. Deleting (-D INPUT #)/Replacing (-R INPUT #) rules
1. /sbin/iptables -D INPUT 4 - deletes rule based on line number
2. /sbin/iptables -D INPUT -p tcp --dport telnet -j DROP - deletes rule based on first match of the full specification
3. /sbin/iptables -R INPUT 1 -p tcp --dport telnet -j ACCEPT

d. Flush (-F INPUT)/Zero Counters (-Z INPUT) rules
1. /sbin/iptables -F
e. User-Defined Chains (-N ChainName)/Rename Chains (-E old new)
1. packet-processing occurs top-down through chains; a user-defined chain is entered with -j ChainName and, if none of its rules matches, processing returns to the rule after the jump in the calling chain
2. define INTRANET chain - contain IP Addresses under our auspices
a. /sbin/iptables -N INTRANET
b. /sbin/iptables -R INPUT 1 -s 192.168.1.0/24 -j INTRANET
c. /sbin/iptables -A INTRANET -p tcp --dport telnet -j DROP
Note: User-defined chains MUST have unique names and cannot carry a policy (-P); a packet that falls off the end returns to the calling chain
3. rename chain - /sbin/iptables -E INTRANET EXTRANET
f. Chain Policies (-P ACCEPT/DROP) - built-in chains only
1. Update INTRANET user-defined chain to permit appropriate access
a. /sbin/iptables -A INTRANET -s 192.168.1.0/24 -p tcp --dport 5801 -j ACCEPT
b. /sbin/iptables -A INTRANET -s 192.168.1.0/24 -p tcp --dport 5901 -j ACCEPT
c. /sbin/iptables -A INTRANET -s 192.168.1.0/24 -p tcp --dport 8080 -j ACCEPT
d. /sbin/iptables -A INTRANET -s 192.168.1.0/24 -p tcp --dport telnet -j ACCEPT
e. /sbin/iptables -A INTRANET -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
2. Change default policy of INPUT chain from ACCEPT to DROP
a. /sbin/iptables -P INPUT DROP
Note: A default DROP policy breaks typical TCP/UDP/ICMP communications that our host initiates: the SYN-ACK, the DNS answer or the echo-reply arrives on INPUT and is dropped unless a rule admits it (the -m state --state ESTABLISHED,RELATED rule under The State Machine below). Put the permit rules in place before changing the policy, or a remote admin session is cut off.
TCP - uses 3-way handshake
1. SYN
2. SYN-ACK
3. ACK
BASIC MATCHES:
-s,--src,--source
-d,--dst,--destination
-i,--in-interface / -o,--out-interface
1. block all traffic from source ip 192.168.1.72/32
2. block all traffic based on interface, i.e. eth0/eth1
3. negation - block all traffic not sourced from 192.168.1.100
a. /sbin/iptables -A INPUT ! -s 192.168.1.100 -j DROP
Note: the '!' goes before the option; the older spelling '-s ! 192.168.1.100' is deprecated and current iptables prints a warning for it.
4. wildcard an interface by adding '+' to the end of the common characters.
a. eth0 eth1, eth+ - /sbin/iptables -A INPUT -i eth+ -p tcp --dport telnet -j DROP
TCP (Layer 4 (Transport)) MATCHES: - Connection-Oriented
-p tcp, --protocol tcp
--sport,--source-port - generally picked arbitrarily by the client from the ephemeral range (> 1024)
--dport 23/telnet (names resolved from /etc/services),--destination-port
--tcp-flags mask comp - examine the flags in mask and match when exactly the flags in comp are set, e.g. --tcp-flags SYN,FIN,ACK SYN matches a connection request (SYN set, FIN and ACK clear); --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN
UDP (Layer 4 (Transport)) MATCHES: - Connectionless
UDP Applications:
1. TFTP (booting systems/updating infrastructure devices (Cisco)) - UDP:69
2. SysLog - UDP:514
3. NTP - UDP:123
4. DHCP - UDP:67 UDP:68
-p udp, --protocol udp
--sport,--source-port - for some services (NTP, DHCP, syslog) the source port is conventionally the same as the destination port; other clients use an ephemeral port
--dport 123/ntp (/etc/services),--destination-port
1. restrict access to SysLog
a. /sbin/iptables -A INPUT -p udp --dport 514 ! -s 192.168.1.1 -j DROP
Internet Control Message Protocol (ICMP)
ICMP Types:
a. echo-request - PING
b. echo-reply - pong
PING - local system sends an echo-request (PING) via its OUTPUT chain
Remote system receives the echo-request in its INPUT chain ->
Remote system responds with an echo-reply (pong), which arrives in our INPUT chain
-p icmp, --protocol icmp
--icmp-type name/number (iptables -p icmp -h lists the names)
1. Deny ICMP echo-replies from all hosts
a. /sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP
2. Drop echo-replies from our system to all hosts (same match, in the OUTPUT chain; the box then no longer answers pings)
MULTIPORT MATCH:
Match multiple ports with fewer rules
Filter traffic to ports 8080 and 23
/sbin/iptables -A INPUT -p tcp --dport web-cache -j DROP
/sbin/iptables -A INPUT -p tcp --dport telnet -j DROP
Equivalent single rule (-m multiport takes up to 15 ports; it requires -p tcp or -p udp):
/sbin/iptables -A INPUT -p tcp -m multiport --destination-port 8080,23 ! -s 127.0.0.1 -j DROP
/sbin/iptables -A INPUT -p tcp -m multiport --destination-port 8080,23 -s 192.168.1.30 -j DROP
MAC ADDRESS FILTERING:
Deny access to our telnet service from the host at IP Address 192.168.1.10 (MAC 00:02:B3:98:41:08)
/sbin/iptables -A INPUT -p tcp --dport telnet -m mac --mac-source 00:02:B3:98:41:08 -j DROP
Note: Filtering on the MAC (Layer 2) address survives a change of the host's IP (Layer 3) address, which the user can change easily: if the Layer 3 address changes, the MAC rule still applies.
Caveat: the MAC is set in software too (ip link set dev eth0 address ...) and is spoofed just as easily, so this raises the bar only slightly. It is also only visible on the local Ethernet segment: for hosts behind a router the firewall sees the router's MAC, and -m mac is valid only in the PREROUTING, INPUT and FORWARD chains.
The State Machine/IPTables' Statefulness (TCP/UDP/ICMP) - connection tracking, matched with -m state --state (newer iptables also spells it -m conntrack --ctstate)
NEW,ESTABLISHED,RELATED,INVALID
Business Rule: Permit our host to initiate (SYN) but deny other hosts from initiating traffic to our hosts
/sbin/iptables -I INTRANET 3 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
Note: NEW means the first packet of a connection the tracker has not seen; for TCP that is normally the SYN, but a stray ACK is also NEW, so pair this with -p tcp ! --syn -m state --state NEW -j DROP. RELATED is traffic spawned by an existing connection (ICMP errors, FTP data); INVALID is a packet that fits no known connection.
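The stateful INPUT policy that this section and the chain-policy notes above describe, as one ruleset in iptables-restore format. This is an added example, not code from the original notes; the management subnet (192.168.1.0/24), the outside interface name (eth0) and the -m conntrack --ctstate spelling are assumptions, and the ordering check is a shell-only test so it runs without root:

```shell
#!/bin/sh
# Added example, not from the original notes: build the stateful INPUT
# policy as one iptables-restore ruleset, with the ESTABLISHED,RELATED
# accept placed before any rule that could drop reply traffic.
# Assumptions (not on the original page): management subnet 192.168.1.0/24,
# outside interface eth0, SSH on TCP/22.
MGMT_NET="192.168.1.0/24"
WAN_IF="eth0"

# Emit the ruleset in iptables-save format ('#' lines are ignored on restore).
stateful_input_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local services talk to themselves over lo
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (SYN-ACK, DNS answers, echo-reply)
# and RELATED traffic (ICMP errors, FTP data) arrive on INPUT; accept them
# before any rule can drop them
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anything conntrack calls INVALID fits no known connection
-A INPUT -m conntrack --ctstate INVALID -j DROP
# a NEW TCP packet that is not a SYN is not a handshake start
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# management SSH only from the intranet; NEW only, ESTABLISHED is above
-A INPUT -i $WAN_IF -s $MGMT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $MGMT_NET -p icmp --icmp-type echo-request -j ACCEPT
# rate-limited log of whatever falls through to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: " --log-level warning
COMMIT
EOF
}

# Line number (within the generated ruleset) of the first INPUT rule with the
# given target, empty when absent. Lets the ordering be checked without root.
first_rule_line() {
    stateful_input_rules | grep -n -- "-A INPUT .*-j $1\$" | head -n 1 | cut -d: -f1
}

# Ordering check: the ESTABLISHED accept must precede the first DROP rule,
# otherwise the first outbound SSH session from this box loses its replies.
established_before_drop() {
    est=$(stateful_input_rules | grep -n -- '--ctstate ESTABLISHED,RELATED' | head -n 1 | cut -d: -f1)
    drop=$(first_rule_line DROP)
    [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ]
}

# Validate with iptables-restore --test (parses, does not commit), then load.
# Both steps need root and the iptables tools on the box.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "root required; run without 'apply' to print the ruleset" >&2
        return 1
    fi
    established_before_drop || { echo "refusing: a DROP precedes ESTABLISHED" >&2; return 1; }
    stateful_input_rules | iptables-restore --test && stateful_input_rules | iptables-restore
}

case "${1:-print}" in
    apply) apply_rules ;;
    *) stateful_input_rules ;;
esac
```

Run it without arguments to print the ruleset and inspect it, and with `apply` as root to load it; because the policy line is `:INPUT DROP`, the ESTABLISHED rule at the top is what keeps the session you are applying it from alive.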
Targets:
ACCEPT -> stop processing in this chain; the packet continues to the next table/hook (for INPUT, to the local process)
DROP -> discard silently; no courtesy indication to client/calling-host
REJECT -> discard and send an error back to the client (ICMP port-unreachable by default; --reject-with tcp-reset for TCP)
REDIRECT -> nat table, PREROUTING/OUTPUT chains - redirects to a port on the local machine ONLY
LOG -> non-terminating: writes the packet headers to the kernel log (SysLog) and processing continues with the next rule, so it is paired with a following DROP/ACCEPT
Business Rule: Log all traffic destined to 192.168.1.20/10.0.0.1
LOG ALL except VNC from 192.168.1.100
/sbin/iptables -R INTRANET 1 -p tcp -m multiport ! --destination-port 5801,5901 -j LOG
Prefix interesting traffic with a log prefix
--log-prefix "SSH ACCESS ATTEMPT:"
Prefix unauthorized traffic with "SERVICE NAME UNAUTHORIZED ACCESS ATTEMPT"
--log-tcp-options
--log-ip-options
--log-tcp-sequence
--log-level - syslog level from emerg (0) to debug (7); warning (4) is the default
Note: an unthrottled LOG rule on a busy chain floods the log; precede it with -m limit --limit 5/min.
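What the LOG target produces and how to act on it, as an added example that is not part of the original notes: the kernel log lines below are constructed samples in the LOG target's line format (IN=, OUT=, MAC=, SRC=, DST=, ..., PROTO=, SPT=, DPT=), using the prefixes and hosts from the notes; the summary function reads the log from stdin so the same code runs against /var/log/kern.log.

```shell
#!/bin/sh
# Added example, not from the original notes: summarise kernel LOG output
# produced by rules carrying the --log-prefix values used in the notes.
# SAMPLE_LOG is constructed sample data in the kernel LOG line format, not a
# real capture; the hosts and MACs are the ones from the notes' topology.
SAMPLE_LOG='Jan 10 12:00:01 fw kernel: SSH ACCESS ATTEMPT:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:02:b3:98:41:08:08:00 SRC=192.168.1.30 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:02 fw kernel: SSH ACCESS ATTEMPT:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:02:b3:98:41:08:08:00 SRC=192.168.1.30 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:03 fw kernel: SSH ACCESS ATTEMPT:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:02:b3:98:41:08:08:00 SRC=192.168.1.30 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4323 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:05 fw kernel: TELNET UNAUTHORIZED ACCESS ATTEMPT:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:12:34:56:08:00 SRC=192.168.1.72 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:09 fw kernel: SSH ACCESS ATTEMPT:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:12:34:56:08:00 SRC=192.168.1.72 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=778 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:10 fw kernel: e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex'

# Print "<hits> <SRC> <DPT>" for every source seen with the given prefix,
# busiest first. Reads the log from stdin.
summarise_prefix() {
    awk -v p="$1" '
        index($0, "kernel: " p) == 0 { next }      # only lines from our LOG rule
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            hits[src " " dpt]++
        }
        END { for (k in hits) print hits[k], k }' | sort -rn
}

# Sources that hit the prefix at least $2 times in the sample log, one per line.
noisy_sources() {
    printf '%s\n' "$SAMPLE_LOG" | summarise_prefix "$1" |
        awk -v min="$2" '$1 >= min { print $2 }'
}

# Turn the noisy sources into block rules (printed, not executed): -I puts
# them ahead of the ACCEPT rules, and -m comment records why they exist.
ban_rules() {
    noisy_sources "$1" "$2" | while read -r src; do
        printf '/sbin/iptables -I INPUT -s %s -m comment --comment "%s hits>=%s" -j DROP\n' \
            "$src" "$1" "$2"
    done
}

printf '%s\n' "$SAMPLE_LOG" | summarise_prefix "SSH ACCESS ATTEMPT:"
ban_rules "SSH ACCESS ATTEMPT:" 3
```

The prefix is matched after "kernel: " so that a prefix which is a prefix of another ("ACCESS ATTEMPT:" versus "SSH ACCESS ATTEMPT:") does not pull in the wrong rule's lines; keep prefixes distinct and end them with a colon or space, since the kernel appends IN= directly after them.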
Topology used below:
192.168.1.20 (Linux firewall, outside) <-> 10.0.0.1 (same firewall, inside) -> 10.0.0.50 (Windows 2003)
Other hosts on 192.168.1.0/24: 192.168.1.10, 192.168.1.30, 192.168.1.72, 192.168.1.1 (Cisco PIX Firewall)
192.168.1.30 (echo-request) -> 10.0.0.50 passes through 192.168.1.20 and traverses the FORWARD chain of the filter table (not INPUT/OUTPUT: the packet is not addressed to the firewall itself)
Change default (ACCEPT) Policy of FORWARD Chain to (DROP)
/sbin/iptables -P FORWARD DROP
Business Rule: Permit ALL 192.168.1.x hosts the ability to use Terminal Services on 10.0.0.50
/sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 10.0.0.50 -p tcp --dport 3389 -j ACCEPT
Note: forwarding also requires net.ipv4.ip_forward=1 (sysctl); with it off the FORWARD chain never sees a packet.

Create LOGGINGFORWARD Sub-chain
/sbin/iptables -N LOGGINGFORWARD
/sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 10.0.0.50 -p tcp --dport 3389 -j LOG
Permit established sessions from 10.0.0.50 -> 192.168.1.0/24
/sbin/iptables -I FORWARD 3 -m state --state ESTABLISHED -j ACCEPT
Connection tracking view of the handshake: the SYN is NEW; the SYN-ACK reply and everything after it (ACK, data) are ESTABLISHED, so this one rule carries the return traffic of every connection the ACCEPT rules above admitted.
Business Rule: Allow Windows host the ability to SSH into any Linux Host on the 192.168.1.0/24
/sbin/iptables -A FORWARD -s 10.0.0.50 -d 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
Business Rule: Allow 10.0.0.0/24 Hosts the ability to use the web (80/443)
Network Address Translation (NAT)
subnet1 10.0.0.50 -> Linux Firewall 192.168.1.20 -> subnet2 - MASQUERADING
Source Network Address Translation SNAT
nat table built-in chains (CANNOT BE DELETED; newer kernels add an INPUT chain):
1. PREROUTING -> DNAT - Destination NAT, before the routing decision
2. POSTROUTING -> SNAT/MASQUERADE, after routing; MASQUERADE is for an outside address assigned dynamically (DHCP): it reads the interface address at match time and forgets its connections when the interface goes down
3. OUTPUT -> Locally-sourced packets (DNAT/REDIRECT for the firewall's own traffic)
Business Rule: MASQUERADE all traffic from 10.x.y.z/24 to 192.x.y.z
Business Rule: MASQUERADE all 10.x.y.z/24 traffic & force source-port range to 1024-10240
/sbin/iptables -R POSTROUTING 1 -t nat -p tcp -j MASQUERADE --to-ports 1024-10240
Note: -t nat is required, since POSTROUTING does not exist in the default filter table. As written the rule matches every TCP packet leaving the box; add -s 10.0.0.0/24 -o eth0 to limit it to the inside subnet on the outside interface.
Source Network Address Translation (SNAT) - used when the outside address is static
permits 1-to-1 and/or 1-to-many mappings
Business Rule: SNAT all 10.x.y.z/24 traffic & force source-port range to 1024-10240
/sbin/iptables -R POSTROUTING 1 -t nat -p tcp -j SNAT --to-source 192.168.1.20:1024-10240
Business Rule: Bind multiple addresses to the eth0 (public/Internet) interface
Also, SNAT 10.x.y.z/24 traffic using 192.168.1.21
Business Rule: Use source 192.168.1.21 when communicating with 192.168.1.10
Use source 192.168.1.22 when communicating with everyone else
/sbin/iptables -t nat -R POSTROUTING 1 -s 10.0.0.0/24 -d 192.168.1.10 -p tcp -j SNAT --to-source 192.168.1.21
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -p tcp -j SNAT --to-source 192.168.1.22
Note: order matters - the specific (-d 192.168.1.10) rule must come before the catch-all, because the first matching POSTROUTING rule decides the translation and later rules are not consulted for that connection. The extra addresses must actually be configured on eth0 (ip addr add 192.168.1.21/24 dev eth0), or the replies are never accepted.
subnet1 10.0.0.50 -> Linux Firewall 192.168.1.20 -> NET subnet2 - MASQUERADING
DNAT - permits connections to unexposed hosts
Business Rule: Publish to the NET port 3389 -> Windows box
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 10.0.0.50
Note: DNAT only rewrites the destination. The FORWARD chain then sees a packet for 10.0.0.50:3389 and must ACCEPT it (the Terminal Services FORWARD rule above does). Add -i eth0 -d 192.168.1.20 so only traffic arriving for the outside address is redirected.
NAT:
SNAT/MASQUERADE (POSTROUTING)
DNAT (PREROUTING)
Local NAT (OUTPUT)
NETMAP TARGET: nat table - static 1:1 mapping of a whole network onto another network of the same size
subnet1 (10.0.0.0/24) -> Linux/Netfilter Firewall -> subnet2 (192.168.1.0/24) -> NET
Win2k3 is host .50
/24: 2**8 = 256 addresses - 2 (network/broadcast) = 254 usable host addresses (.1-.254)
Business Rule: present all 10.0.0.0/24 hosts as the equivalent 192.168.1.0/24 addresses (host bits kept, so 10.0.0.50 appears as 192.168.1.50)
/sbin/iptables -A PREROUTING -t nat -s 10.0.0.0/24 -j NETMAP --to 192.168.1.0/24
Note: NETMAP rewrites the destination in PREROUTING/OUTPUT and the source in POSTROUTING, so the source mapping this business rule describes belongs in POSTROUTING; the PREROUTING half of a 1:1 mapping is the reverse direction (-d 192.168.1.0/24 --to 10.0.0.0/24), which delivers 192.168.1.50 to 10.0.0.50.
RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12 (172.16.0.0 - 172.31.255.255), 192.168.0.0/16
subnet1 (Internal) 10.0.0.0/24
subnet3 (192.168.1.0/24) -> Gateway
subnet2 (DMZ1) 172.16.75.0/24
Host -> 172.16.75.2
Business Rule: NAT 172.16.75.2 (22/80) -> 192.168.1.202
Note: This requires 2 DNAT entries, one per published port
/sbin/iptables -t nat -A PREROUTING -d 192.168.1.202 -p tcp --dport 22 -j DNAT --to-destination 172.16.75.2
/sbin/iptables -t nat -A PREROUTING -d 192.168.1.202 -p tcp --dport 80 -j DNAT --to-destination 172.16.75.2
Note: Publishing individual ports this way is commonly called port forwarding (Cisco calls it static PAT, Port Address Translation)
Configure split DNS or 2 DNS systems (inside/outside): inside hosts resolve the DMZ name to 172.16.75.2, outside hosts to 192.168.1.202
Configure split DNS or 2 DNS systems (inside/outside)
Business Rule: Deny access to the DMZ from Internet (192.168.1.0/24) Hosts
Note: Need to filter in Filter table - FORWARD chain
/sbin/iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -s 172.16.75.0/24 -m state --state ESTABLISHED -j ACCEPT
Note: This rule-set restricts DMZ-based hosts from sourcing traffic; only replies to connections opened from 10.0.0.0/24 get back out.
Note: It also drops the 22/80 traffic DNAT'd to 172.16.75.2 above, because FORWARD sees the post-NAT destination. The published services need an explicit FORWARD ACCEPT for -d 172.16.75.2 with --dport 22 and 80 ahead of the DROP policy; their replies are then covered by the ESTABLISHED rule.
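The nat and FORWARD rules for the two-subnet topology in the NAT section and the DMZ rules just above, brought together in one ruleset, as an added example that is not code from the original notes. Interface names (eth0 outside, eth1 inside), the -m conntrack --ctstate spelling and the use of 192.168.1.202 as a second address on eth0 are assumptions. The check function lists every DNAT-published service that lacks the FORWARD accept it needs; passing `no` reproduces the gap the note above describes, so it shows up in the output instead of as a silently timing-out port:

```shell
#!/bin/sh
# Added example, not from the original notes: nat + FORWARD rules for the
# topology 10.0.0.0/24 (inside, eth1) <-> firewall 192.168.1.20 (outside,
# eth0), plus a root-free check that every DNAT'd port has a FORWARD accept.
# Interface names and the second outside address are assumptions.
OUT_IF=eth0; OUT_IP=192.168.1.20
IN_IF=eth1;  IN_NET=10.0.0.0/24
RDP_HOST=10.0.0.50
DMZ_HOST=172.16.75.2; DMZ_PUBLIC=192.168.1.202

nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# publish RDP on the firewall's outside address; the destination is
# rewritten before routing, so the packet is then routed to the inside
-A PREROUTING -i $OUT_IF -d $OUT_IP -p tcp --dport 3389 -j DNAT --to-destination $RDP_HOST
# publish 22 and 80 of the DMZ host on a second outside address
-A PREROUTING -i $OUT_IF -d $DMZ_PUBLIC -p tcp --dport 22 -j DNAT --to-destination $DMZ_HOST
-A PREROUTING -i $OUT_IF -d $DMZ_PUBLIC -p tcp --dport 80 -j DNAT --to-destination $DMZ_HOST
# static outside address: SNAT, with a forced source-port range for TCP;
# MASQUERADE would replace both rules if the address came from DHCP
-A POSTROUTING -s $IN_NET -o $OUT_IF -p tcp -j SNAT --to-source $OUT_IP:1024-10240
-A POSTROUTING -s $IN_NET -o $OUT_IF -j SNAT --to-source $OUT_IP
COMMIT
EOF
}

# $1 = yes|no: whether the DMZ services get their FORWARD accepts.
forward_rules() {
    publish_dmz=${1:-yes}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# return traffic for anything permitted below, in either direction
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# inside hosts may use the web
-A FORWARD -i $IN_IF -o $OUT_IF -s $IN_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
# DNAT only rewrites: FORWARD sees the post-NAT destination and must allow
# it explicitly, otherwise the published port silently times out
-A FORWARD -i $OUT_IF -d $RDP_HOST -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
EOF
    if [ "$publish_dmz" = yes ]; then
        for port in 22 80; do
            printf '%s\n' "-A FORWARD -i $OUT_IF -d $DMZ_HOST -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    fi
    cat <<EOF
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD DROP: "
COMMIT
EOF
}

# Print "host:port" for every DNAT target that has no FORWARD ACCEPT;
# empty output means every published service is reachable.
unforwarded_dnats() {
    pub=${1:-yes}
    nat_rules | awk '/-j DNAT/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport") port = $(i + 1)
            if ($i == "--to-destination") host = $(i + 1)
        }
        print host ":" port
    }' | while IFS=: read -r host port; do
        forward_rules "$pub" | grep -q -- "-d $host .*--dport $port .*-j ACCEPT" || echo "$host:$port"
    done
}

# Load both tables as root after the check and a parse-only dry run.
apply_all() {
    [ "$(id -u)" -eq 0 ] || { echo "root required" >&2; return 1; }
    [ -z "$(unforwarded_dnats yes)" ] || { echo "published service without FORWARD accept" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    { nat_rules; forward_rules yes; } | iptables-restore --test &&
        { nat_rules; forward_rules yes; } | iptables-restore
}

case "${1:-print}" in
    apply) apply_all ;;
    *) nat_rules; forward_rules yes ;;
esac
```

With the DMZ accepts present the check prints nothing; with `unforwarded_dnats no` it lists 172.16.75.2:22 and 172.16.75.2:80, which is exactly the state the notes' DMZ rule-set leaves the published services in.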
Double DMZ (Tier1/Tier2 Implementations)
subnet1 (Internal) 10.0.0.0/24
subnet3 (192.168.1.0/24) -> Gateway
subnet2 (DMZ1) 172.16.75.0/24 (Web Tier)
Host -> 172.16.75.2
subnet4 (DMZ2) 172.17.76.0/24 (Middleware Tier)
Tier1 (Presentation (WWW))
Tier2 (Middleware)
Tier3 (RDBMS)
Business Rule: Permit ONLY subnet2 (DMZ1) to talk to subnet4 (DMZ2)
Business Rule: Permit subnet4 (DMZ2) to source connections to the DBMS (MS SQL, TCP/1433) on the internal network
/sbin/iptables -A FORWARD -s 172.17.76.0/24 -d 10.0.0.0/24 -p tcp --dport 1433 -j ACCEPT
NET -> Tier1 (WWW) -> Tier2 (Middleware) -> Tier3 (RDBMS)
Note: with the FORWARD policy at DROP, each tier can only open connections to the next one; no rule lets the web tier reach the database directly, which is the point of the layout.
