Wednesday, February 6, 2008

Iptables Introduction

What is iptables?

iptables is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset. It is targeted towards system administrators.

Since Network Address Translation is also configured from the packet filter ruleset, iptables is used for this, too.

The iptables package also includes ip6tables. ip6tables is used for configuring the IPv6 packet filter.

Dependencies

iptables requires a kernel that features the ip_tables packet filter. This includes all 2.4.x and 2.6.x kernel releases.

Main Features

* listing the contents of the packet filter ruleset
* adding/removing/modifying rules in the packet filter ruleset
* listing/zeroing per-rule counters of the packet filter ruleset

Rules

* The ruleset lives in kernel memory only. If you create a set of rules in iptables during one session and then reboot your computer, all the rules that were added will be lost.

* If you want the rules to persist, either put the commands that add them into a startup script, or dump the working ruleset with iptables-save (iptables-save > /etc/iptables.rules) and load it again at boot with iptables-restore (iptables-restore < /etc/iptables.rules). iptables-restore replaces the whole table in one step, so there is no window during boot where only half of the rules are in place.

* To check what rules are already implemented:

o Type into a terminal window:

ComputerName:~# iptables -L
o A list of the present rules will appear on the screen under a variety of headings, one per chain. Add -n to print addresses and ports as numbers instead of doing a reverse DNS lookup for every rule (which can make -L hang for a long time), -v to show the per-rule packet and byte counters, and --line-numbers to print the rule number used by -D (see below):

ComputerName:~# iptables -L -n -v --line-numbers

Rule Components

* There are three basic components to each rule:

1. Where to apply the rule during the process of sending and receiving network traffic (packets). There are three different places, or chains, in the default (filter) table:

1. INPUT: Applies rules to packets addressed to your computer and received from the network.
2. OUTPUT: Applies rules to packets being sent from your computer.
3. FORWARD: Applies rules to packets that your machine is routing between two networks on behalf of others. These never pass through INPUT or OUTPUT.

2. What type of effect the rule has, regardless of where it is applied. iptables calls this the target. The three basic targets are:

1. ACCEPT: Accepts a given packet and allows it to pass either in or out.
2. REJECT: Does not allow a packet to pass but sends an error message back to its sender (by default an ICMP "port unreachable"; for TCP, --reject-with tcp-reset sends a RST instead, which is what a closed port would do). There is no target called DENY in iptables.
3. DROP: Completely ignores a packet without sending an error message to its sender. The sender sees only a timeout, which slows down port scans but also slows down legitimate clients that hit the rule by mistake.

Each chain also has a default policy (usually ACCEPT) that is applied if a specific packet does not match any rules.

3. The location you want to block packets from (the source, option -s) or going to (the destination, option -d). Either can be written as an IP address, an address block, or a DNS name (such as www.yahoo.com). A DNS name is resolved once, when the rule is added, and iptables stores the resulting addresses (one rule per address if the name resolves to several). If the name later points somewhere else the rule does not follow it, so prefer IP addresses in firewall rules.

* Each of these three components are used to create a rule through command line arguments.


Adding a Rule

* To add a rule:

o Use the argument -A Chain_Name to tell iptables to append a rule to the end of the chain Chain_Name (-I Chain_Name inserts it at the top instead).

o Add the source with the option -s. We can also specify a range of IPs with the '/' character: 200.200.200.0/24 means the first 24 bits are fixed and covers 200.200.200.0 through 200.200.200.255 (200.200.200.1/24 is accepted too; iptables masks the host bits and shows it as 200.200.200.0/24). This "/##" notation is called a CIDR block. iptables does not accept a '*' wildcard; use a CIDR block instead.

o Specify the desired effect with the -j argument.
For example, if we wanted to block information coming from 200.200.200.1 we would enter:

ComputerName:~# iptables -A INPUT -s 200.200.200.1 -j DROP
o Typing # iptables -L again will now show the new rule under the INPUT chain heading. It should look like this:

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 200.200.200.1 anywhere


Removing a Rule

* Removing a rule:

o Type the argument -D Chain_Name Rule_Num, where Rule_Num is 1 for the rule at the top of the chain and counts up towards the bottom (iptables -L --line-numbers shows the numbers). To remove our rule, we simply type in (assuming that the new rule is the first in the list):

ComputerName:~# iptables -D INPUT 1

o Now, typing:

# iptables -L

should show that the rule has been deleted.


Advanced Rule Examples:

* There are many other advanced options for these rules, one of the most important of which is the ability to specify what "type" of packets to block by matching the ports on which certain services operate. For example, we could specify that we wanted to block only packets going to TCP port 23, the port used by telnet, coming into your computer from 200.200.200.1 by writing the rule:

ComputerName:~# iptables -A INPUT -s 200.200.200.1 -j DROP -p tcp --destination-port telnet

* Other ports can be specified by number or by name. For the list of service names iptables accepts in place of a port number, see your /etc/services file. Note that it maps names to numbers; it does not show which ports are actually in use on your computer (netstat -lnt does that).

* Other common ports to block are:

o HTTP (port 80)
o FTP (port 21)
o SSH (port 22)

* There are also a wide variety of other command line arguments that can be used, but these simple rules so far introduced allow for a wide variety of applications.
o If you wanted to block all incoming telnet connections to your computer:

ComputerName:~# iptables -A INPUT -j DROP -p tcp --destination-port telnet

Since there is no defined source, any telnet request to your computer will be blocked.
o If you have two or more network connections, you can specify which of these connections a rule applies to with the -i option (the interface a packet arrived on; valid in INPUT and FORWARD) and the -o option (the interface a packet leaves on; valid in OUTPUT and FORWARD). For example, if we would like to block any incoming tcp packets on your second Ethernet connection (eth1):

ComputerName:~# iptables -A INPUT -j DROP -p tcp -i eth1

This rule is not very useful since all incoming ports are blocked. We would not hear any tcp packet replies to our outbound requests, thus rendering our connection for the most part useless.
o We can specify ports that we want open while the rest would remain closed by implementing two rules:

1. Explicitly accept packets on the port we want to open, and
2. Block all of the ports.

o For a web server listening on port 80 behind eth1, the first rule would accept tcp packets on port 80 through eth1 and the second would block all other incoming tcp traffic on that interface. These two rules are given below:

+ ComputerName:~# iptables -A INPUT -j ACCEPT -p tcp --destination-port 80 -i eth1

+ ComputerName:~# iptables -A INPUT -j DROP -p tcp -i eth1

This combination of rules works because iptables evaluates the rules of a chain in order and the first matching rule decides. When a new incoming tcp packet bound for port 80 arrives, iptables will see the accept rule first and admit the packet before the catch-all DROP rule is reached. If the two rules were appended in the opposite order, the DROP rule would match first and the ACCEPT rule would never be consulted.
o For blocking only incoming tcp transactions but allowing our computer to start new transactions with other web servers or the like, we can use the --syn option in the following rule:

ComputerName:~# iptables -A INPUT -p tcp --syn -j DROP

Since every tcp connection must first be initiated, we can block all incoming packets that take the task of initiating the connection, the SYN tcp packets (--syn matches packets with the SYN flag set and the ACK, RST and FIN flags clear). This basically tells our computer to ignore any tcp connection it did not start itself. Note that this only covers tcp; UDP and ICMP have no handshake and are not affected by this rule.
o While the solution above will work, a better implementation is to put the following as the first rule in your list (the connection-tracking match is -m state; the command as printed in the original post, "-m star ... -S ACCEPT", is a typo and is rejected by iptables):

ComputerName:~# iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

-A would append the rule to the bottom, where a DROP rule above it would shadow it, so -I INPUT 1 is used to insert it at the top. ESTABLISHED matches replies to connections this computer opened (tcp or otherwise), and RELATED matches packets that connection tracking associates with an existing connection, such as ICMP errors. With this rule in place every later DROP only affects new connections. On newer systems the same match is spelled -m conntrack --ctstate ESTABLISHED,RELATED; -m state is kept as an alias.
o You could block specific, rowdy users on your network from accessing your computer by blocking their IP, but if his or her IP ever changed they would be able to access your computer once again. Blocking the hardware address or MAC address of their Ethernet card is more robust. This address is a set of six two-digit hexadecimal numbers separated by colons (ex: 00:0B:DB:45:56:42). The option for specifying a MAC address, --mac-source, lives in the mac match module, so the rule needs -m mac in front of it:

ComputerName:~# iptables -A INPUT -m mac --mac-source 00:0B:DB:45:56:42 -j DROP

Two caveats: the MAC address iptables sees is that of the last hop, so this only identifies a machine on the same Ethernet segment as yours (for traffic arriving through a router you would see the router's MAC), and a user who can change their IP can usually change their MAC address as well.
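The following startup script is an added example and is not part of the original post. It pulls together the two procedures above: the ordered INPUT chain (loopback, the ESTABLISHED,RELATED accept first, then the explicitly opened port, then a catch-all), and adding and removing a per-host block. It assumes the outside interface is eth1 and that the only service offered is a web server on tcp/80; WAN_IF, the ipt wrapper, firewall_baseline, block_host and unblock_host are names chosen for this example. The block and unblock functions use -C (rule check), which needs iptables 1.4.11 or later. Setting DRY_RUN=1 prints the commands instead of running them, so the ordering can be inspected without root.

```shell
#!/bin/sh
# Added example firewall script (not from the original post).
# Assumption: eth1 faces the outside and tcp/80 is the only service offered.
# DRY_RUN=1 prints each iptables command instead of applying it.

WAN_IF="${WAN_IF:-eth1}"

# Single entry point for every iptables call. In dry-run mode it prints the
# command and reports any -C (check) as "rule absent", i.e. an empty table.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
        [ "$1" != "-C" ]
    else
        iptables "$@"
    fi
}

# Build the INPUT chain in order. First match wins, so the stateful ACCEPT
# must precede every DROP/REJECT. The chain policy is switched to DROP last:
# flipping it first on an empty chain would cut an SSH session doing the setup.
firewall_baseline() {
    ipt -F INPUT                                   # start from an empty chain
    ipt -A INPUT -i lo -j ACCEPT                   # local processes use loopback
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP  # not part of any known connection
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Other new tcp connections from outside are refused with a RST so the
    # sender learns immediately instead of waiting for a timeout.
    ipt -A INPUT -i "$WAN_IF" -p tcp -m state --state NEW -j REJECT --reject-with tcp-reset
    ipt -P FORWARD DROP                            # this host is not a router
    ipt -P OUTPUT ACCEPT
    ipt -P INPUT DROP                              # catch-all for anything unmatched
}

# Block one host or CIDR block. Inserted at position 1 so it also wins over the
# ESTABLISHED,RELATED accept and cuts connections the host already has open.
# The -C test makes this idempotent: running it twice does not stack duplicates.
block_host() {
    ipt -C INPUT -s "$1" -j DROP 2>/dev/null || ipt -I INPUT 1 -s "$1" -j DROP
}

# Remove the block by rule specification rather than by number; numbers shift
# whenever a rule above them is added or deleted. Loop in case of duplicates.
unblock_host() {
    while ipt -C INPUT -s "$1" -j DROP 2>/dev/null; do
        ipt -D INPUT -s "$1" -j DROP
    done
}

case "${1:-}" in
    apply)   firewall_baseline ;;
    block)   block_host "$2" ;;
    unblock) unblock_host "$2" ;;
    "")      ;;   # no argument: functions are defined only (e.g. when sourced)
    *)       echo "usage: $0 apply | block ADDR | unblock ADDR" >&2 ;;
esac
```

Preview the exact rule order with DRY_RUN=1 sh firewall.sh apply, then run it as root without DRY_RUN; block and unblock take an address or CIDR block as their argument. For IPv6 the same script has to be repeated with ip6tables, since the two rulesets are independent.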

For more information on other command line options for iptables, please refer to the man page.
