IPtables
The command used to execute packet filtering and NAT tasks is iptables, and the software is commonly referred to as simply IPtables. The IPtables software can be built directly into the kernel or loaded as a kernel module, iptable_filter.o.
Packet Filtering
IPtables is essentially a framework for packet management that can check packets for particular network protocols and notify parts of the kernel listening for them.
Tables
IPtables currently supports three tables: filter, nat, and mangle. Packet filtering is implemented using the filter table, which holds rules for dropping or accepting packets. Network address translation operations such as IP masquerading are implemented using the nat table, which holds the masquerading rules. The mangle table is used for specialized packet changes. You can list the rules you have added at any time with the -L and -n options, as shown below. The -n option says to use only numeric output for both IP addresses and ports, avoiding a DNS lookup for hostnames.
# iptables -L -n
Chains
Rules are combined into different chains. The kernel uses chains to manage packets it receives and sends out. A chain is simply a checklist of rules. These rules specify what action to take for packets containing certain headers. The rules operate with an if-then-else structure: if a packet does not match the first rule, the next rule is checked, and so on. The most important built-in chains are the INPUT, OUTPUT, and FORWARD chains in the filter table, and the PREROUTING and POSTROUTING chains in the nat table.
Matches
Every iptables rule has a set of matches along with a target that tells iptables what to do with a packet that conforms to the rule.
--source (-s)         Match on a source IP address or network
--destination (-d)    Match on a destination IP address or network
--protocol (-p)       Match on an IP protocol value
--in-interface (-i)   Match on the interface a packet arrived on
--out-interface (-o)  Match on the interface a packet will leave by
--state               Match on the connection-tracking state (state module, -m state)
--string              Match on a string in the packet payload (string module, -m string)
--comment             Attach a comment to a rule (comment module, -m comment)
Targets
A target could, in turn, be another chain of rules, even a chain of user-defined rules. A packet could be passed through several chains before finally reaching a target.
IPtables Options
Two special targets are used to manage chains: RETURN and QUEUE. RETURN indicates the end of a chain and returns to the chain it started from. QUEUE is used to send packets to user space. Note that a hostname given to -s or -d is resolved once, when the rule is added, not when packets are matched.
# iptables -A INPUT -s www.myjunk.com -j DROP
# iptables -A INPUT -j ACCEPT ! -s 192.168.0.45
# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
# iptables -A INPUT -j DROP -i eth0 -s 192.168.0.45
User-Defined Chains
A common method for reducing repeated INPUT and FORWARD rules is to create a user chain. You define a user chain with the -N option.
# iptables -N incoming
# iptables -A incoming -j DROP -i eth0 -s 192.168.0.45
# iptables -A incoming -j ACCEPT -i lo
# iptables -A FORWARD -j incoming
ICMP Packets
Firewalls often block certain Internet Control Message Protocol (ICMP) messages. You need to enable some ICMP messages, however, such as those needed for ping, traceroute, and particularly destination-unreachable operations. You can enable an ICMP type of packet with the --icmp-type option, which takes as its argument a number or a name representing the message.
# iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-reply -d 10.0.0.1
# iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-request -d 10.0.0.1
# iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type destination-unreachable -d 10.0.0.1
You use the limit module to control the number of matches on the ICMP ping operation. Use -m limit to load the limit module and --limit to specify the number of allowed matches; 1/s will allow one match per second.
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
To use connection tracking, you specify the state module first with -m state. Then you can use the --state option.
# iptables -A INPUT -m state --state NEW -i eth0 -j DROP
# iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
For example, the TOS target can be used directly in the mangle table to change the Type of Service field and so modify a packet's priority. A TCPMSS target could be set to control the maximum segment size of a TCP connection. The ECN target lets you work around ECN black holes, and the DSCP target will let you change DSCP bits. Several extensions, such as the ROUTE extension, will change a packet, in this case rewriting its destination, rather than just redirecting it.
TOS - Type of Service field in the Internet Protocol Suite
TCPMSS - Maximum segment size (MSS), a parameter of the TCP protocol
ECN - Explicit Congestion Notification (ECN), an addition to IP
DSCP - Differentiated Services Code Point marks inside a packet
IPtables Scripts
The following command will list your current rules:
# service iptables status
Run the iptables service script with the stop option to clear out any previous rules:
# service iptables stop
Then run your script, as shown here for the myfilters script:
# ./myfilters
IP Spoofing
One way to protect a private network from IP spoofing is to check for any outside addresses on the Ethernet device dedicated to the private network.
IP spoofing: deny (and log) any packets on the internal network interface that have an external source address.
# iptables -A INPUT -j LOG -i eth1 ! -s 192.168.0.0/24
# iptables -A INPUT -j DROP -i eth1 ! -s 192.168.0.0/24
# iptables -A FORWARD -j DROP -i eth1 ! -s 192.168.0.0/24
IP spoofing: deny any outside packets (any not arriving on eth1) that have a source address in the internal network.
# iptables -A INPUT -j DROP ! -i eth1 -s 192.168.0.0/24
# iptables -A FORWARD -j DROP ! -i eth1 -s 192.168.0.0/24
IP spoofing: deny any outside packets with a localhost source address (packets not arriving on the lo interface, that is, on eth0 or eth1, that have the source address of localhost).
# iptables -A INPUT -j DROP ! -i lo -s 127.0.0.0/255.0.0.0
# iptables -A FORWARD -j DROP ! -i lo -s 127.0.0.0/255.0.0.0
Allow all packets sent and received within your system (localhost) to pass.
# iptables -A INPUT -j ACCEPT -i lo
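The anti-spoofing rules above, as an added example that is not part of the original slides: a small shell function that generates the same checks for a given internal interface and network in iptables-restore format, so the ruleset can be reviewed (or syntax-checked with iptables-restore --test) before it touches the live tables. The interface and network are parameters; the log prefix is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original slides.
# Emit the anti-spoofing rules for an internal interface ($1) and its network ($2)
# in iptables-restore format. Nothing here calls iptables itself.

rule() { printf '%s\n' "$*"; }   # print one rule line, arguments joined by spaces

antispoof_rules() {
    int_if="$1"; int_net="$2"
    printf '*filter\n'
    # 1. Packets arriving on the internal interface must carry an internal source.
    #    Log before dropping so spoofing attempts show up in the kernel log.
    rule -A INPUT -i "$int_if" ! -s "$int_net" -j LOG --log-prefix '"spoof: "'
    rule -A INPUT -i "$int_if" ! -s "$int_net" -j DROP
    rule -A FORWARD -i "$int_if" ! -s "$int_net" -j DROP
    # 2. Packets claiming an internal source must not arrive on any other interface.
    rule -A INPUT ! -i "$int_if" -s "$int_net" -j DROP
    rule -A FORWARD ! -i "$int_if" -s "$int_net" -j DROP
    # 3. Loopback source addresses are only legitimate on lo.
    rule -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    rule -A FORWARD ! -i lo -s 127.0.0.0/8 -j DROP
    # 4. Everything on the loopback interface itself is allowed.
    rule -A INPUT -i lo -j ACCEPT
    printf 'COMMIT\n'
}

# Sanity check: number of DROP rules the generator emits (expected: 6).
count_drops() { antispoof_rules "$1" "$2" | grep -c -- '-j DROP'; }

antispoof_rules eth1 192.168.0.0/24
```

Load the output with iptables-restore only after the DROP count and the interface names match what you intended.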
Server Access
For the Web server, you want to allow access by outside users but block access by anyone attempting to initiate a connection from the Web server into the private network. In the next example, all messages are accepted to the Web server, but the Web server cannot initiate contact with the private network. This prevents anyone from breaking into the local network through the Web server, which is open to outside access. Established connections are allowed, permitting the private network to use the Web server.
Allow communication to the Web server (address 10.0.0.2), port www
# iptables -A INPUT -j ACCEPT -p tcp -i eth0 --dport www -d 10.0.0.2
Allow established connections from the Web server to the internal network
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp --sport www -s 10.0.0.2 -d 192.168.0.0/24 -j ACCEPT
Prevent new connections from the Web server to the internal network
# iptables -A OUTPUT -m state --state NEW -o eth0 -p tcp --sport www -d 192.168.0.0/24 -j DROP
[b] eth1 with 202.54.1.1 public IP address - WAN connected to ISP router
[c] eth2 with 192.168.2.1 private IP address - DMZ connected to Mail / Web / DNS and other private servers
### Start DMZ stuff ####
# forward traffic between DMZ and LAN
iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# forward traffic between DMZ and WAN servers (SMTP, mail, etc.)
# Route incoming SMTP (port 25) traffic to DMZ mail server IP 192.168.2.2
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 25 -j DNAT --to-destination 192.168.2.2
# Route incoming HTTP (port 80) traffic to DMZ server load balancer IP 192.168.2.3
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 80 -j DNAT --to-destination 192.168.2.3
# Route incoming HTTPS (port 443) traffic to DMZ server reverse load balancer IP 192.168.2.4
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 443 -j DNAT --to-destination 192.168.2.4
### End DMZ .. Add other rules ###
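The DNAT rules above only rewrite the destination address in nat/PREROUTING; the packet then traverses filter/FORWARD carrying the DMZ address, so under a default-deny FORWARD policy a matching accept rule is still required. As an added example that is not part of the original slides, this shell function builds a complete iptables-restore ruleset that pairs each published service with its FORWARD rules; interface names and addresses follow the slides, and the port:host list is a parameter.

```shell
#!/bin/sh
# Added example, not code from the original slides.
# Publish DMZ services from the WAN: one DNAT rule per service plus the
# FORWARD rules the translated traffic needs. Nothing here calls iptables.

WAN_IF=eth1; WAN_IP=202.54.1.1; DMZ_IF=eth2   # interfaces/addresses from the slides

dmz_ruleset() {              # args: one or more "port:dmz_host" pairs
    printf '*nat\n'
    for svc in "$@"; do
        port=${svc%%:*}; host=${svc#*:}
        # Rewrite the public destination to the DMZ host (before routing)
        printf '%s\n' "-A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport $port -j DNAT --to-destination $host"
    done
    printf 'COMMIT\n'
    printf '*filter\n'
    printf ':FORWARD DROP [0:0]\n'   # default deny: only explicitly published traffic is forwarded
    for svc in "$@"; do
        port=${svc%%:*}; host=${svc#*:}
        # New connections from the WAN to the published port, matched on the translated address
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $host --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
        # Replies only: the DMZ host cannot open new connections towards the WAN
        printf '%s\n' "-A FORWARD -i $DMZ_IF -o $WAN_IF -p tcp -s $host --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# Sanity check: FORWARD accept rules emitted (two per published service).
count_forward_accepts() { dmz_ruleset "$@" | grep -c '^-A FORWARD .* -j ACCEPT$'; }

dmz_ruleset 25:192.168.2.2 80:192.168.2.3 443:192.168.2.4
```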
Matching on the source MAC address (-m mac --mac-source) makes sense only for packets coming from an Ethernet device and entering the chains:
1. PREROUTING
2. FORWARD
3. INPUT
iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT