Linux Firewalls

IPtables
• The command used to execute packet filtering and NAT tasks is iptables, and the software is commonly referred to as simply IPtables. The IPtables software can be built directly into the kernel or loaded as a kernel module, iptable_filter.o.

Packet Filtering
• IPtables is essentially a framework for packet management that can check packets for particular network protocols and notify parts of the kernel listening for them.

Tables
• IPtables currently supports three tables: filter, nat, and mangle.
• Packet filtering is implemented using the filter table, which holds rules for dropping or accepting packets. Network address translation operations such as IP masquerading are implemented using the nat table, which holds IP masquerading rules. The mangle table is used for specialized packet changes.
• You can list the rules you have added at any time with the -L and -n options, as shown below. The -n option says to use only numeric output for both IP addresses and ports, avoiding a DNS lookup for hostnames.
# iptables -L -n

Chains
• Rules are combined into different chains. A chain is simply a checklist of rules. The kernel uses chains to manage packets it receives and sends out. These rules specify what action to take for packets containing certain headers. The rules operate with an if-then-else structure: if a packet does not match the first rule, the next rule is then checked, and so on.
• The most important built-in chains are the INPUT, OUTPUT, and FORWARD chains in the filter table.
• The PREROUTING and POSTROUTING chains in the NAT table.

Matches
• Every iptables rule has a set of matches along with a target that tells iptables what to do with a packet that conforms to the rule.
• --source (-s): Match on a source IP address or network
• --destination (-d): Match on a destination IP address or network
• --protocol (-p): Match on an IP protocol value
• --in-interface (-i): Input interface (e.g. eth0)
• --out-interface (-o): Output interface
• --state: Match on a set of connection states
• --string: Match on a sequence of application layer data bytes
• --comment: Comment data stored with a rule within kernel memory

Targets
• A target could, in turn, be another chain of rules, even a chain of user-defined rules. A packet could be passed through several chains before finally reaching a target.

Firewall and NAT Chains
• The kernel uses three firewall chains: INPUT, OUTPUT, and FORWARD. When a packet is received through an interface, the INPUT chain is used to determine what to do with it. The kernel then uses its routing information to decide where to send it. If the kernel sends the packet to another host, the FORWARD chain is checked.
• Before the packet is actually sent, the OUTPUT chain is also checked. In addition, two NAT table chains, POSTROUTING and PREROUTING, are implemented to handle masquerading and packet address modifications.

Adding and Changing Rules
• You add and modify chain rules using the iptables commands. An iptables command consists of the keyword iptables, followed by an argument denoting the command to execute.

Adding and Changing Rules

IPtables Options


Accepting and Denying Packets: DROP and ACCEPT
• There are two built-in targets, DROP and ACCEPT. Other targets can be either user-defined chains or extensions added on, such as REJECT. Two special targets are used to manage chains, RETURN and QUEUE. RETURN indicates the end of a chain and returns to the chain it started from. QUEUE is used to send packets to user space.
# iptables -A INPUT -s www.myjunk.com -j DROP
# iptables -A INPUT -j ACCEPT ! -s 192.168.0.45
# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
# iptables -A INPUT -j DROP -i eth0 -s 192.168.0.45
# iptables -A INPUT -j ACCEPT -i lo

User-Defined Chains
• A common method for reducing repeated INPUT and FORWARD rules is to create a user chain. You define a user chain with the -N option.
# iptables -N incoming
# iptables -A incoming -j DROP -i eth0 -s 192.168.0.45
# iptables -A incoming -j ACCEPT -i lo
# iptables -A FORWARD -j incoming
# iptables -A INPUT -j incoming

ICMP Packets
• Firewalls often block certain Internet Control Message Protocol (ICMP) messages. You need to enable some ICMP messages, however, such as those needed for ping, traceroute, and particularly destination-unreachable operations. You can enable an ICMP type of packet with the --icmp-type option, which takes as its argument a number or a name representing the message.
# iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-reply -d 10.0.0.1
# iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-request -d 10.0.0.1
# iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type destination-unreachable -d 10.0.0.1

ICMP Packets
• You use the limit module to control the number of matches on the ICMP ping operation. Use -m limit to load the limit module and --limit to specify the number of allowed matches. 1/s will allow one match per second.
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

Packet States: Connection Tracking
• One of the more useful extensions is the state extension, which can easily detect tracking information for a packet. Connection tracking maintains information about a connection such as its source, destination, and port. To use connection tracking, you specify the state module first with -m state. Then you can use the --state option.
# iptables -A INPUT -m state --state NEW -i eth0 -j DROP
# iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
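The chain walk described on the preceding slides (first matching rule wins, LOG does not stop the walk, a jump into a user chain that falls through or RETURNs hands the packet back, and the chain policy decides if nothing matched) can be made concrete with a small model. The following is an added example written for this page, not code from iptables or from the slides; it parses the slides' own rule syntax (a subset: -s, -d, -i, -o, -p, --dport, --sport, -m state --state, -j, with "!" negation) and walks constructed packets through the user chain and state rules shown above. It also shows why rule order matters: a network-wide ACCEPT appended before a host DROP shadows the DROP.

```python
"""Toy model of iptables filter-chain traversal: first-match rules, terminating
targets, LOG as a non-terminating target, user-defined chains and RETURN.
Added example written for this page; it is not code from iptables or from the
slides, and every packet below is a constructed sample."""
import ipaddress
import shlex

# iptables option -> packet field consulted by the matcher
FIELDS = {"-s": "src", "-d": "dst", "-i": "iface", "-o": "oface", "-p": "proto",
          "--dport": "dport", "--sport": "sport", "--state": "state"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(text):
    """Parse 'iptables -A CHAIN <matches> -j TARGET' into (chain, matches, target).
    Each match is (field, value, negated); a '!' before an option negates it."""
    toks = shlex.split(text)
    if toks[:2] != ["iptables", "-A"]:
        raise ValueError("only 'iptables -A CHAIN ...' is modelled: " + text)
    chain, matches, target, i = toks[2], [], None, 3
    while i < len(toks):
        negated = toks[i] == "!"
        if negated:
            i += 1
        opt = toks[i]
        if opt == "-j":
            target = toks[i + 1]
        elif opt != "-m":                  # '-m state' only loads the module
            matches.append((FIELDS[opt], toks[i + 1], negated))
        i += 2
    if target is None:
        raise ValueError("rule has no -j target: " + text)
    return chain, matches, target


def field_matches(field, value, pkt):
    """True if a single match expression holds for the packet."""
    if field in ("src", "dst"):            # bare address or CIDR network
        return ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(value, strict=False)
    if field == "state":                   # --state NEW,ESTABLISHED,...
        return pkt.get("state") in value.split(",")
    return str(pkt.get(field)) == value


class FilterTable:
    """Built-in chains with a default policy, plus user-defined chains."""

    def __init__(self, policy="DROP"):
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = dict.fromkeys(self.chains, policy)   # iptables -P CHAIN policy
        self.logged = []                                   # what LOG rules would have logged

    def new_chain(self, name):                             # iptables -N name
        self.chains[name] = []

    def append(self, text):                                # iptables -A chain ...
        chain, matches, target = parse_rule(text)
        self.chains[chain].append((matches, target))

    def _walk(self, chain, pkt):
        """Walk one chain in order. Returns a verdict, or None when the chain
        falls through (end of chain or RETURN) so the calling chain continues."""
        for matches, target in self.chains[chain]:
            # every match must hold; '!' inverts that one match
            if not all(field_matches(f, v, pkt) != neg for f, v, neg in matches):
                continue
            if target == "LOG":                            # non-terminating: record and go on
                self.logged.append((chain, dict(pkt)))
                continue
            if target == "RETURN":
                return None
            if target in TERMINATING:
                return target
            verdict = self._walk(target, pkt)              # jump into a user-defined chain
            if verdict is not None:
                return verdict
        return None

    def verdict(self, chain, pkt):
        """Final decision for a packet entering a built-in chain."""
        return self._walk(chain, pkt) or self.policy[chain]


# Constructed packets (addresses are samples, 203.0.113.5 is a documentation address).
PKT_45 = {"src": "192.168.0.45", "dst": "10.0.0.1", "iface": "eth0", "proto": "tcp", "dport": 22, "state": "NEW"}
PKT_LO = {"src": "127.0.0.1", "dst": "127.0.0.1", "iface": "lo", "proto": "tcp", "dport": 22, "state": "NEW"}
PKT_NEW_ETH1 = {"src": "192.168.0.7", "dst": "10.0.0.1", "iface": "eth1", "proto": "tcp", "dport": 22, "state": "NEW"}
PKT_REPLY_ETH0 = {"src": "203.0.113.5", "dst": "10.0.0.1", "iface": "eth0", "proto": "tcp", "dport": 51000, "state": "ESTABLISHED"}
PKT_NEW_ETH0 = {"src": "203.0.113.5", "dst": "10.0.0.1", "iface": "eth0", "proto": "tcp", "dport": 22, "state": "NEW"}


def build_example():
    """The slides' user chain shared by INPUT and FORWARD, plus the state rules.
    The LOG rule is added here to show a non-terminating target inside a user chain."""
    fw = FilterTable(policy="DROP")
    fw.new_chain("incoming")
    fw.append("iptables -A incoming -j LOG -i eth0 -s 192.168.0.45")
    fw.append("iptables -A incoming -j DROP -i eth0 -s 192.168.0.45")
    fw.append("iptables -A incoming -j ACCEPT -i lo")
    fw.append("iptables -A FORWARD -j incoming")
    fw.append("iptables -A INPUT -j incoming")
    fw.append("iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT")
    fw.append("iptables -A INPUT -m state --state NEW -i eth0 -j DROP")
    fw.append("iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT")
    return fw


def shadowed_drop():
    """Order matters: with a network-wide ACCEPT appended first, the later DROP
    for 192.168.0.45 is never reached, so the host is accepted."""
    fw = FilterTable(policy="DROP")
    fw.append("iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT")
    fw.append("iptables -A INPUT -j DROP -i eth0 -s 192.168.0.45")
    return fw.verdict("INPUT", PKT_45)
```

With build_example(), the host 192.168.0.45 arriving on eth0 is logged and dropped by the incoming chain on both INPUT and FORWARD, loopback traffic is accepted by the same chain, a NEW connection on eth1 falls through incoming and is accepted by the last state rule, an ESTABLISHED reply on eth0 is accepted, and a NEW connection on eth0 is dropped. shadowed_drop() returns ACCEPT, which is the reason to append the most specific DROP rules first or to keep them in a user chain that is consulted before any broad ACCEPT.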

Network Address Translation (NAT)
• NAT is the process whereby a system will change the destination or source of packets as they pass through the system. NAT is used to provide access to systems that may be connected to the Internet through only one IP address. Networking features such as IP masquerading, support for multiple servers, and transparent proxying all rely on NAT. NAT operations will change the destination and source of a packet moving through a firewall/gateway linking the Internet to computers on a local network.
• With IP masquerading, the gateway has a single IP address that other local computers can use through NAT operations. If you have multiple servers but only one IP address, you can use NAT to send packets to the alternate servers. You can also use NAT to have your IP address reference a particular server application such as a Web server (transparent proxy). NAT tables are not implemented for ip6tables.

Adding NAT Rules
• To add rules to the NAT table, you have to specify the NAT table with the -t option.
# iptables -t nat
• With the -L option, you can list the rules you have added to the NAT table:
# iptables -t nat -L -n

Nat Targets and Chains
• There are two types of NAT operations: source NAT, specified as the SNAT target, and destination NAT, specified as the DNAT target.
• Three chains in the NAT table are used by the kernel for NAT operations. These are PREROUTING, POSTROUTING, and OUTPUT.
• PREROUTING is used for destination NAT (DNAT) rules. These are packets that are arriving.
• POSTROUTING is used for source NAT (SNAT) rules. These are for packets leaving.
• OUTPUT is used for destination NAT rules for locally generated packets.

168. You would implement IP masquerading by adding a MASQUERADE rule to the POSTROUTING chain: # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE • To change the source address of a packet leaving your system. as well as the input (-i) and output (-o) devices. you can specify source (-s) and destination (-d) addresses.Nat Targets and Chains • As with packet filtering.0. you use the --to-source option to specify the source address: # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192. you would use the POSTROUTING rule with the SNAT target. The -j option will specify a target such as MASQUERADE.4 . For the SNAT target.

Nat Targets and Chains
• To change the destination address of packets arriving on your system, you would use a PREROUTING rule with the DNAT target and the --to-destination option:
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 192.168.0.3
• You implement port forwarding the same way, adding a protocol and port match. In the next example, every TCP packet arriving on port 80 (the Web service port) is redirected to 10.0.0.3, which in this case would be a system running a Web server.
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.3

Nat Redirection: Transparent Proxies
• NAT tables can be used to implement any kind of packet redirection, a process transparent to the user. With transparent proxies, packets received can be automatically redirected to a proxy server. For example, TCP packets arriving on the Web service port, 80, can be redirected to the Squid Proxy service port, usually 3128.
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128

Packet Mangling: the Mangle Table
• The packet mangling table is used to actually modify packet information. Rules applied specifically to this table are often designed to control the mundane behavior of packets, like routing, connection size, and priority.
• The mangle table is indicated with the -t mangle option.
# iptables -t mangle -L
• For example, the TOS target can be used directly in the mangle table to change the Type of Service field, modifying a packet's priority.
• A TCPMSS target could be set to control the size of a connection.
• The ECN target lets you work around ECN black holes, and the DSCP target will let you change DSCP bits.
• Several extensions such as the ROUTE extension will change a packet, in this case rewriting its destination, rather than just redirecting it.

Packet Mangling: the Mangle Table
• TOS - Type of Service in the Internet Protocol Suite
• TCPMSS - Maximum segment size (MSS) is a parameter of the TCP protocol
• ECN - Addition of Explicit Congestion Notification (ECN) to IP
• DSCP - (Differentiated Services Field) marks inside a packet

IPtables Scripts
• The following command will list your current rules:
# service iptables status
• Use the iptables service script with the stop option to clear out any previous rules:
# service iptables stop
• Then run your script, as shown here for the myfilters script:
# ./myfilters

Saving IPtables Rules
• Once you are satisfied that your IPtables rules are working correctly, you can save your rules to the /etc/sysconfig/iptables file.
# service iptables save
• A backup of the original is saved in /etc/sysconfig/iptables.save, in case you need to restore the older rules.
• The service script actually uses iptables-save with the -c option to save rules to the /etc/sysconfig/iptables file.
# iptables-save -c > /etc/sysconfig/iptables
• You can also save your rules to a file of your choosing, such as /etc/iptables.rules.
# iptables-save > /etc/iptables.rules
• Then, to restore the rules, use the iptables-restore script to read the IPtables commands from that saved file:
# iptables-restore < /etc/iptables.rules
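The file written by iptables-save (and read back by iptables-restore) has a simple line format: a "*table" header, ":CHAIN POLICY [packets:bytes]" lines, the rules as "-A CHAIN ... -j TARGET" (prefixed with "[packets:bytes]" when saved with -c), and "COMMIT". Reading it is a convenient way to audit a saved rule set without touching the live tables. The parser below is an added example written for this page, not part of the iptables project; SAMPLE_DUMP is a constructed dump in that format, not captured from a real host, and the two audit helpers (zero-hit rules, built-in chains left at ACCEPT) are this example's own additions.

```python
"""Parser for iptables-save output (the format stored in /etc/sysconfig/iptables),
including the -c packet/byte counters, plus two audit checks built on it.
Added example for this page, not code from the iptables project; SAMPLE_DUMP is a
constructed dump and was not captured from a real host."""
import re

SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample for this example)
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [340:41200]
:incoming - [0:0]
[0:0] -A INPUT ! -i eth1 -s 192.168.0.0/24 -j DROP
[57:4104] -A INPUT -i lo -j ACCEPT
[1200:98000] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[3:180] -A INPUT -i eth0 -m state --state NEW -j DROP
[0:0] -A incoming -s 192.168.0.45/32 -i eth0 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [5:300]
:POSTROUTING ACCEPT [2:120]
:OUTPUT ACCEPT [0:0]
[2:120] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.3:80
[8:480] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# optional "[pkts:bytes]", then -A CHAIN, optional match text, -j TARGET, optional target options
RULE_RE = re.compile(r"^(?:\[(\d+):(\d+)\]\s+)?-A\s+(\S+)(?:\s+(.*?))?\s+-j\s+(\S+)(?:\s+(.*))?$")


def parse_save(dump):
    """Return {table: {"chains": {name: {policy, packets, bytes}}, "rules": [dict, ...]}}."""
    tables, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                       # *filter, *nat, *mangle
            table = line[1:]
            tables[table] = {"chains": {}, "rules": []}
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):                     # :CHAIN POLICY [pkts:bytes]
            name, policy, counters = line[1:].split()
            packets, nbytes = (int(n) for n in counters.strip("[]").split(":"))
            tables[table]["chains"][name] = {
                "policy": None if policy == "-" else policy,   # '-' marks a user-defined chain
                "packets": packets, "bytes": nbytes}
        else:
            m = RULE_RE.match(line)
            if table is None or not m:
                raise ValueError("unrecognised line: " + line)
            packets, nbytes, chain, matches, target, target_opts = m.groups()
            tables[table]["rules"].append({
                "chain": chain, "matches": matches or "", "target": target,
                "target_opts": target_opts or "",
                # counters are present only when the dump was made with -c
                "packets": None if packets is None else int(packets),
                "bytes": None if nbytes is None else int(nbytes)})
    return tables


def never_hit(tables):
    """Rules with a zero packet counter: dead, shadowed, or simply not yet exercised."""
    return [(t, r["chain"], r["matches"], r["target"])
            for t, data in tables.items() for r in data["rules"] if r["packets"] == 0]


def open_policies(tables):
    """Built-in filter chains whose default policy is ACCEPT."""
    return sorted(name for name, c in tables["filter"]["chains"].items() if c["policy"] == "ACCEPT")


def to_commands(tables):
    """Regenerate the iptables commands that iptables-restore would apply."""
    cmds = []
    for t, data in tables.items():
        for name, c in data["chains"].items():
            cmds.append(f"iptables -t {t} -P {name} {c['policy']}" if c["policy"]
                        else f"iptables -t {t} -N {name}")
        for r in data["rules"]:
            parts = ["iptables", "-t", t, "-A", r["chain"], r["matches"], "-j", r["target"], r["target_opts"]]
            cmds.append(" ".join(p for p in parts if p))
    return cmds
```

Run against a real dump with parse_save(open("/etc/sysconfig/iptables").read()): never_hit() flags the anti-spoofing DROP and the user-chain DROP in the sample because their counters are zero, which is what you would expect on a host that has never seen spoofed traffic, while a zero count on a rule that should be busy is worth a look at the rule order; open_policies() reports OUTPUT, the one built-in chain the sample leaves at ACCEPT.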

An IPtables Script Example: IPv4



IP Spoofing
• One way to protect a private network from the IP spoofing of any packets is to check for any outside addresses on the Ethernet device dedicated to the private network.
• IP spoofing: deny any outside packets (any not on eth1) that have the source address of the internal network.
# iptables -A INPUT -j DROP \! -i eth1 -s 192.168.0.0/24
# iptables -A FORWARD -j DROP \! -i eth1 -s 192.168.0.0/24
• IP spoofing: deny any packets on the internal network that have an external source address. The LOG rule must precede the DROP rule, because a dropped packet never reaches the rules after the one that dropped it.
# iptables -A INPUT -j LOG -i eth1 \! -s 192.168.0.0/24
# iptables -A INPUT -j DROP -i eth1 \! -s 192.168.0.0/24
# iptables -A FORWARD -j DROP -i eth1 \! -s 192.168.0.0/24
• IP spoofing: deny any outside packets with a localhost address (packets not on the lo interface, that is, any on eth0 or eth1, that have the source address of localhost).
# iptables -A INPUT -j DROP \! -i lo -s 127.0.0.0/255.0.0.0
# iptables -A FORWARD -j DROP \! -i lo -s 127.0.0.0/255.0.0.0
• Allow all packets sent and received within your system (localhost) to pass.
# iptables -A INPUT -j ACCEPT -i lo

Server Access
• For the Web server, which is open to outside access, you want to allow access by outside users but block access by anyone attempting to initiate a connection from the Web server into the private network. In the next example, all messages are accepted to the Web server, permitting the private network to use the Web server. Established connections are allowed, but the Web server cannot initiate contact with the private network. This prevents anyone from breaking into the local network through the Web server.
• Allow communication to the Web server (address 10.0.0.2), port www
# iptables -A INPUT -j ACCEPT -p tcp -i eth0 --dport www -s 10.0.0.2
• Allow established connections from the Web server to the internal network
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp --sport www -s 10.0.0.2 -d 192.168.0.0/24 -j ACCEPT
• Prevent new connections from the Web server to the internal network
# iptables -A OUTPUT -m state --state NEW -o eth0 -p tcp --sport www -d 192.168.0.0/24 -j DROP

Firewall Outside Access
• To allow access by the firewall to outside networks, you allow input by all packets except for ICMP packets.
• Allow outside communication to the firewall, except for ICMP packets
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 \! -p icmp -j ACCEPT
Blocking Outside Initiated Access
• To prevent outsiders from initiating any access to your system, create a rule to block access by SYN packets from the outside using the state option with NEW.
• Prevent outside initiated connections
# iptables -A INPUT -m state --state NEW -i eth0 -j DROP
# iptables -A FORWARD -m state --state NEW -i eth0 -j DROP

Local Network Access
• To allow interaction by the internal network with the firewall, you allow input by all packets on the internal Ethernet connection, eth1. The valid internal network addresses are designated as the input source.
# iptables -A INPUT -j ACCEPT -p all -i eth1 -s 192.168.0.0/24
Masquerading Local Networks
• To implement masquerading, where systems on the private network can use the gateway's Internet address to connect to Internet hosts:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Controlling ICMP Packets
• In addition, to allow ping and destination-unreachable ICMP packets, you enter INPUT rules with the firewall as the destination. To enable ping operations, you use both the echo-reply and echo-request ICMP types, and for destination unreachable, you use the destination-unreachable type.
# iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-reply -d 10.0.0.1
# iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-request -d 10.0.0.1
# iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type destination-unreachable -d 10.0.0.1
Masquerading Selected Hosts
• Instead of masquerading all local hosts as the single IP address of the firewall/gateway host, you could use the NAT table to rewrite addresses for a few selected hosts. The target options (--to-destination, --to-source) must follow the -j option that names the target.
# iptables -t nat -A PREROUTING -d 10.0.0.2 -j DNAT --to-destination 192.168.0.5
# iptables -t nat -A POSTROUTING -s 192.168.0.5 -j SNAT --to-source 10.0.0.2

Linux Demilitarized Zone (DMZ)
• A demilitarized zone is used to secure an internal network from external access. You can use a Linux firewall to create a DMZ easily. There are many different ways to design a network with a DMZ. The basic method is to use a single Linux firewall with 3 Ethernet cards. The following simple example discusses DMZ setup and forwarding public traffic to internal servers.

Sample Example DMZ Setup
Consider the following DMZ host with 3 NICs:
[a] eth0 with 192.168.1.1 private IP address - Internal LAN ~ Desktop systems
[b] eth1 with 202.54.1.1 public IP address - WAN connected to ISP router
[c] eth2 with 192.168.2.1 private IP address - DMZ connected to Mail / Web / DNS and other private servers

### Start DMZ stuff ####
# forward traffic between DMZ and LAN
iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# forward traffic between DMZ and WAN servers SMTP, Mail etc
iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Route incoming SMTP (port 25 ) traffic to DMZ server 192.168.2.2
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 25 -j DNAT --to-destination 192.168.2.2
# Route incoming HTTP (port 80 ) traffic to DMZ server load balancer IP 192.168.2.3
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 80 -j DNAT --to-destination 192.168.2.3
# Route incoming HTTPS (port 443 ) traffic to DMZ server reverse load balancer IP 192.168.2.4
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 443 -j DNAT --to-destination 192.168.2.4
### End DMZ .. Add other rules ###
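The NAT slides (DNAT in PREROUTING, SNAT/MASQUERADE in POSTROUTING, the DMZ port forwards above) all depend on one thing the commands do not show: connection tracking remembers each translation so that replies are rewritten back without any rule for the return direction. The following is an added example written for this page, not code from iptables or from the DMZ write-up; it models a three-NIC gateway with the slides' interface addresses and DMZ hosts, adds the slides' MASQUERADE rule for LAN traffic leaving eth1, and follows an inbound HTTP connection and an outbound LAN connection through both directions. The client and remote-server addresses (198.51.100.7, 203.0.113.5) are constructed documentation addresses, and the model ignores source-port remapping that real conntrack performs on collisions.

```python
"""Model of NAT-table traversal on a gateway: PREROUTING DNAT on the way in,
POSTROUTING SNAT/MASQUERADE on the way out, and the connection-tracking entry
that reverses both translations for reply packets. Added example for this page,
not code from iptables or the slides; interface addresses and DMZ hosts follow
the slides' sample setup, client/remote addresses are constructed."""
import ipaddress


class NatGateway:
    def __init__(self, iface_addrs, routes):
        self.iface_addrs = iface_addrs                    # {"eth1": "202.54.1.1", ...}
        # routing table, longest prefix first
        self.routes = sorted(((ipaddress.ip_network(n), i) for n, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.prerouting = []                              # (in_iface, dst, dport, new_dst)
        self.postrouting = []                             # (out_iface, src_net, new_src or None)
        self.conntrack = {}                               # reply 4-tuple -> tuple to restore

    def add_dnat(self, in_iface, dst, dport, to_destination):
        """-t nat -A PREROUTING -i IN -p tcp -d DST --dport PORT -j DNAT --to-destination TO"""
        self.prerouting.append((in_iface, dst, dport, to_destination))

    def add_snat(self, out_iface, src_net, to_source=None):
        """-t nat -A POSTROUTING -o OUT -s NET -j SNAT --to-source TO,
        or -j MASQUERADE when to_source is None (use the address of OUT)."""
        self.postrouting.append((out_iface, ipaddress.ip_network(src_net), to_source))

    def route(self, dst):
        ip = ipaddress.ip_address(dst)
        for net, iface in self.routes:
            if ip in net:
                return iface
        raise LookupError("no route to " + dst)

    def translate(self, pkt):
        """Return the packet as it leaves the gateway after NAT (forwarded traffic only)."""
        p = dict(pkt)
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if key in self.conntrack:                         # reply to a tracked connection: undo NAT
            p["src"], p["sport"], p["dst"], p["dport"] = self.conntrack[key]
            p["out_iface"] = self.route(p["dst"])
            return p
        orig = key
        for in_iface, dst, dport, new_dst in self.prerouting:        # PREROUTING: first DNAT match
            if p["in_iface"] == in_iface and p["dst"] == dst and p["dport"] == dport:
                p["dst"] = new_dst
                break
        p["out_iface"] = self.route(p["dst"])                         # routing decision after DNAT
        for out_iface, src_net, new_src in self.postrouting:          # POSTROUTING: first SNAT match
            if p["out_iface"] == out_iface and ipaddress.ip_address(p["src"]) in src_net:
                p["src"] = new_src or self.iface_addrs[out_iface]     # MASQUERADE picks the out address
                break
        # A reply arrives addressed to the translated pair; map it back to the original tuple
        # (real conntrack would also remap the source port on a collision; not modelled here).
        reply_key = (p["dst"], p["dport"], p["src"], p["sport"])
        self.conntrack[reply_key] = (orig[2], orig[3], orig[0], orig[1])
        return p


def dmz_gateway():
    """The slides' three-NIC DMZ host with its HTTP/SMTP forwards plus MASQUERADE on eth1."""
    gw = NatGateway(
        iface_addrs={"eth0": "192.168.1.1", "eth1": "202.54.1.1", "eth2": "192.168.2.1"},
        routes=[("192.168.1.0/24", "eth0"), ("192.168.2.0/24", "eth2"), ("0.0.0.0/0", "eth1")])
    gw.add_dnat("eth1", "202.54.1.1", 80, "192.168.2.3")   # HTTP to the DMZ web balancer
    gw.add_dnat("eth1", "202.54.1.1", 25, "192.168.2.2")   # SMTP to the DMZ mail server
    gw.add_snat("eth1", "0.0.0.0/0")                       # MASQUERADE everything leaving eth1
    return gw
```

Walking an inbound request shows the DNAT rule rewriting 202.54.1.1:80 to 192.168.2.3:80 and the routing decision then selecting eth2; the web server's reply is matched by the conntrack entry and leaves eth1 with source 202.54.1.1:80 again, so the client never sees the DMZ address. A LAN host's outbound connection is masqueraded to 202.54.1.1 and the reply is de-masqueraded to 192.168.1.10, without any rule in the return direction.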

Iptables MAC address filtering
• Iptables comes with a MAC module. It matches packets traveling through the firewall based on their MAC (Ethernet hardware) address. It offers good protection against malicious users who spoof or change their IP address. Remember that MAC filtering only makes sense for packets coming from an Ethernet device and entering the chains:
1. PREROUTING
2. FORWARD
3. INPUT
iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT