Thursday, May 1, 2008

Linux Firewall : iptables - FILTER table

Further to the basic understanding on the iptables in my earlier post ( Linux Firewall : iptables - Basic ), now let's me continue with some example commands for FILTER table :

To list the iptables table/chain

#iptables -L

#iptables -t <table> -L

( use to list the specify table besides default - FILTER table )

#iptables -t <table> -L -vnx

( use this with verbose, show numeric output and expand the numbers )

To add a rule on top of the chain

#iptables -I <chain> -j [ACCEPT|DROP|REJECT|other]

e.g. # iptables -I FORWARD -j ACCEPT

To append a rule at the bottom of the chain

#iptables -A <chain> -j [ACCEPT|DROP|REJECT|other]

e.g. # iptables -I INPUT -j DROP

To delete a rule in a chain

#iptables -D <chain> <the row number of the rule started from 1>

e.g. # iptables -D FORWARD 2

To create a new chain

#iptables -N <chain>

e.g. # iptables -N CUSTOMFORWARD

To change the default policy of a chain

#iptables -P <chain> [ACCEPT|DROP|REJECT|other]

e.g. # iptables -P FORWARD DROP

# iptables -P CUSTOMFORWARD ACCEPT

To flush the iptables

#iptables -F

To flush specify TABLE

#iptables -t <table> -F

To delete a CHAIN

#iptables -X <chain>

So, have you warmed-up? Now let's go into more commands, try to understand and apply it wisely. :P

Case 1

To drop all the traffic from 192.168.0.0/24 which trying to ssh-ing to the firewall itself, 10.133.0.1

# iptables -I INPUT -p tcp --dport 22 -s 192.168.0.0/24 -d 10.133.0.1 -j ACCEPT

-I = to add this rule to the top of INPUT chain.

-p = protocol, specifically here is TCP.

--dport = destination port, specifying SSH port ( port 22 ).

-s = the source address, pertaining where this traffic from where is 192.168.0.0/24 for this rule.

-d = the destination address, here is the firewall itself (suppose) as it is INPUT chain.

-j = jump to targer. Here is to accept the traffic.

Case 2

To drop all the traffic from 192.168.0.0/24 passing thru the firewall and only allowed 192.168.0.188 to pass thru.

# iptables -P FORWARD DROP

# iptables -I FORWARD -s 192.168.0.188 -j ACCEPT

# iptables -I FORWARD -d 192.168.0.188 -j ACCEPT

Firstly, we set the FORWARD as "default drop policy" ( means drop everything! ). Then we add the 2 following rules on top of the FORWARD chain. In order to allows the traffic passing thru, it should be dual-way. Thus, two(2) different rules as above are created with specifying source and destination address respectively.

General Network Traffic rules

Next, we will want to use some standard rules for general network traffic. This goes a bit beyond the basic stuff, however iptables can determine the 'state' that a packet is in. This has to do with standard TCP communication. For example, the 3 way handshake between two hosts when transmitting data.

  • NEW => Server1 connects to Server2 issuing a SYN (Synchronize) packet.
  • RELATED => Server 2 receives the SYN packet, and then responds with a SYN-ACK (Synchronize Acknowledgment) packet.
  • ESTABLISHED => Server 1 receives the SYN-ACK packet and then responds with the final ACK (Acknowledgment) packet.

After this 3 way handshake is complete, the traffic is now ESTABLISHED. In order for this type of TCP communication, something similar to these three rules are necessary:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT # iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

The last rule obviously allows any traffic the leave the server.

The result of the three rules and the previous commands in Case 1 and Case 2 above will be as follow respectively :

Chain INPUT (policy ACCEPT) target prot in out source destination ACCEPT tcp * * 192.168.0.0/24 10.133.0.1 tcp dpt:ssh ACCEPT all * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy DROP) target prot in out source destination ACCEPT * * * 0.0.0.0/0 1 92.168.0.188 ACCEPT ACCEPT * * * 192.168.0.188 0.0.0.0/0 ACCEPT ACCEPT * eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT) target prot in out source destination ACCEPT * * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED

From here you can add whatever rules you like depending on your server requirements :

To block some BAD source IP address

#iptables -A INPUT -s 10.10.132.2 -j DROP

To drop some spamming from a source IP address ( if you are using default accept policy or accepted SMTP port in other rule )

#iptables -A FORWARD -p tcp --dport 25 -s 192.168.0.111 -j DROP

To allow the LAN (eth0) to access your web while block all external access from WAN(eth1) to your web

#iptables -I INPUT -p tcp --dport 80 -j DROP

#iptables -I INPUT -p tcp --dport 80 -s 192.168.0.0/24 -j ACCEPT

The 1st rule should be execute before the 2nd rule as you are using the -I ( add ).

To drop all ICMP/Ping packet to the firewall

#iptables -A INPUT -p icmp -j DROP

If you are using the default ACCEPT policy, then you must be DROP anything else at the last of the rule. In our case here ( since FORWARD chain is default drop policy ), you should reject everything for the INPUT chain.

# iptables -A INPUT -j REJECT

There are more to explore besides the example shown above. But bear in mind, ***NEVER TRY ON A LIVE SYSTEM!!***

In the next post, I will proceed to NAT table.

No comments: