Building a Firewall with IPtables

• Your Linux workstation can be configured as a router and a firewall
• Provides protection for all the hosts on the local network
• Performs routing between the external and local networks
• Can perform port forwarding and IP masquerading using NAT
• Determines which traffic is allowed in and out of a network
• Example:If your company wants to provide web services, port 80 or 443 for SSL, would have to be opened at the firewall.

• The Firewall has two NIC cards in the above example
• One connects to the local network, 192.168.1.1
• private network addresses are not valid on the external network
• The other connects to the external network, 64.3.4.2
• The firewall machine performs routing between the local and external networks

 Linux Firewall History

• Linux has included a firewall since the 1.1 kernel
• ported ipfw from BSD by Alan Cox
• Then came ipfwadm with the 2.0 kernel
• IPChains was the firewall used in the 2.2 version of the Linux kernel in 1998
• 3rd generation Linux firewall
• Developed by Rusty Russell
• IPTables is used in the 2.4 version of the Linux kernel
• 4th generation Linux firewall
• Implemented in the kernel by the netfilter module
• compatible with IPChains
• IPTables is the user interface to netfilter

Stateless Versus Stateful

• A stateful firewall allows the filtering of packets based on their connection state
• A stateful firewall is more secure because it tracks connections in a table
• A forged packet, which is not part of an existing connection, is discarded

• 3-way handshake diagram
• SYN: Synchronize Sequence Numbers

• An intruder could craft a packet by altering the SYN flag
• nmap can do this with a stealth scan
• -sF -sX -sN
• Stealth FIN, Xmas Tree, or Null scan modes
• Below is a FIN scan: Normally a server sends a FIN to a client when there is no more data to send...
• This FIN scan is looking for open ports

# nmap -sF -p 1-100 66.165.165.2

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
       Interesting ports on ns.example.com (66.165.165.2):
       (The 97 ports scanned but not shown below are in state: closed)
       Port State Service
       22/tcp open ssh 
       53/tcp open domain 
       80/tcp open http

• Stateless firewalls can filter based on port, protocol and IP address
• but would have no way of knowing that a packet is not part of a real connection
• exploiting the SYN flag is a common attack
• Tracking connections is handled by the conntrack kernel module
• Iptables allows you to filter on arbitrary tcp flags, drop any tcp packets that have either
• no flags set (null packets)
• or all the flags set (SYN,ACK,FIN,RST,URG,PSH - an Xmas packet).
• Rule to check for FIN scans:

iptables -A INPUT -i eth1 -p tcp -m tcp --tcp-flags \
ALL FIN -j LOG --log-prefix "NMAP FIN SCANNING: "

Denial of Service Attacks

• Netfilter has the ability to limit bandwidth through rate limiting

• An attacker sends a number of TCP SYN packets to your server
• these packets are step one in the 3-way handshake
• The bad guy never responds to your server's SYN/ACK
• leaving many 1/2 open connections which fully occupy your machine

• Netfilter allows you to limit the number of SYN packets from a single source
• You can create an iptables rule to limit the number of incoming SYN packets to a given port to 3 per second

iptables -A INPUT -p tcp --syn -m limit \
    --limit 3/s --dport 21 -j ACCEPT

• Here we are logging ICMP echo-requests but limiting the logging to one per minute
  

iptables -A INPUT -p ICMP -m icmp --icmp-type \
    echo-request -m limit --limit 1/minute \
    -j LOG --log-prefix "IMCP-packet "


• The best way to foil ping flood exploits like these:

# ping xxx.xxx.xxx.255
# nmap -sP xxx.xxx.xxx.0/24

• Is to disable broadcast responses

add "1" to the   /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts file:

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Or add it to your /etc/sysctl.conf file to make it permanent:

net.ipv4.icmp_echo_ignore_broadcasts = 1

Then run sysctl to update the change

# sysctl -w

How to Configure IPTables

• The kernel must be compiled with netfilter support
• Provides support for IPv4 and IPv6, but not IPX, or other protocols
• If you can load the ip_tables module, then you have netfilter support
• Note: You may have to stop the ipchains service and rmmod ipchains

# modprobe ip_tables
# lsmod | grep ip_tables
ip_tables              13696   0  (unused)

Kernel Config

• Enable  Code maturity level options
• Under the Networking options
• enable Network packet filtering
• Under IP: Netfilter Configuration
• select all options as modules

The iptables Command Line

• Provides a way to insert and remove rules into the kernel's packet filtering table
• There are three built-in chains in the packet filter tables
• A chain is a set of rules that determine what to do with a packet
• INPUT, FORWARD, and OUTPUT
• Packets will only pass through one of these chains


Diagram of how packets traverse the three basic chains in the filter table
(adapted from Iptables HOWTO by Rusty Russell)



• The three oval objects represent the chains: INPUT, OUTPUT, and FORWARD
• When a packet reaches one of the ovals in the diagram, that chain is examined to decide what to do with the packet
• Each chain contains a series of rules
• If the packet header matches a rule,  some action is carried out
• rejected, dropped, accepted, logged, etc
• If the packet header doesn't match a rule, the next rule in the chain is checked

*************** 1. *****************

When a packet enters the firewall system the kernel first looks at the destination address of the packet and makes a routing decision.

• If the packet is destined for the local machine, the routing decision is to pass the packet to the INPUT chain.
• The INPUT chains sends packets to a process running on the firewall itself
  

This rule allows ping traffic from the internal private network:

iptables -A INPUT -p icmp -s 192.168.1.0/24 -j ACCEPT

These rules deny icmp echo-request traffic and traceroute traffic to the firewall machine from any source address:

iptables -A INPUT -s 0/0 -d $LOCALIP -p icmp \
--icmp-type echo-request -j DROP

iptables -A INPUT -s 0/0 -d $LOCALIP -p udp \
-dport 33435:33525 -j DROP

If forwarding is enabled in the kernel, and the packet is destined for another network card.

• The packet will be passed to the FORWARD chain
• It is not destined for a process on the local system

iptables -A FORWARD -o eth1 -p tcp -s $DYLAN \
--dport 4000 -j DROP

• This rule prevents my son from playing Diablo on the Internet (only when he hasn't done his homework  ;)

A program running on the local system can also send packets

• This rule matches packets going out interface eth1, generated at the local machine ($LOCALIP), destined for any machine.

--sport	source port
--dport	destination port
-o	outgiong interface
-i	incoming interface

iptables -A OUTPUT -o eth1 -p tcp --sport \
1024:65535 --dport 113 -s $LOCALIP -d $ANYWHERE \
-j ACCEPT

• This rule allows the firewall host to make auth requests to another machine on the internet
• Auth is used by mail programs

• Matching a rule doesn't always terminate a chain
• A log rule won't terminate
• A rule must drop, reject, accept, or queue the packet in order to terminate a chain

Simple iptables rules example

-P	policy
-s	source network
-p	protocol

Targets/Jumps

• Tells the rule what to do with the packet if it is a perfect match

NAT (Network Address Translation) and iptables

• IPtables consists of three tables
• Each table has its own default chains
• filter
• INPUT, OUTPUT, FORWARD
• nat
• PREROUTING, POSTROUTING, OUTPUT
• mangle


The filter table

• If the table name is not specified (like our examples above), the filter table is used

The nat table

• Performs netword address translation
• Built-in chains are as follows:
• PREROUTING
• accepts the DNAT (Destination NAT) target
• The destination address is changed before routing decision
• Allows you to point different services at different machines behind the firewall
• port forwarding
• Redirect incoming traffic to another host


iptables -t nat -A PREROUTING -p tcp --dport 80 \
-i eth1 -j DNAT --to 192.168.1.21:80


• POSTROUTING
• accepts SNAT (source NAT) target
• The source address is changed
• A way to masquerade the machines on an internal networt
• Re-maps the IP address of outgoing traffic to another IP address or range of IP addresses


iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 \
-j snat --to-source 10.2.135.2
 

• Masquerading is a version of SNAT
• Allows hosts to connect ot the Internet without have public IP addresses
• outbound traffic:
• source IP is changed to the masquerader's IP (the Linux firewall machine)
• inbound traffic:
• The port address is checked against the masquerading table in the kernel

The IP address in the packet header is changed to the internal IP address found in the table


iptables -A POSTROUTING -t nat -o $EXT_INT -j MASQUERADE
 

• OUTPUT
• Packets from local host pass through OUTPUT chain of nat table then OUTPUT chain of filter table
• DNAT: Destination nat of locally-generated packets

The mangle table

• Used to change information in the packet header
• ie, TTL (time to live) , TOS (type of service), MARK (mark for advanced routing)

Putting it all together

(I haven't listed the mangle table in this diagram)

This is one way to go about locking down a private network

• Flush all previous tables
• Start with a default policy
• Enable forwarding, SYN cookie protection, defragging protection, broadcast echo protection, bad error message protection, IP spoofing protection
• Install any required modules
• Allow unlimitted traffic to loopback address
• Allow unlimited traffic within the local network
• Add rules to allow external machines to contact your mail server, web server, and ssh ports
• Allow your internal machines on a private net to access the outside world
• Drop and log everything else

rc.firewall

Testing Rules

• The best way to test your rules is to log all DROPs and watch kernel log messages
  

 Testing HTTP

$ telnet 10.1.7.12 80
Trying 10.2.135.2...
Connected to 10.2.135.2.
Escape character is '^]'.
GET /default.htm HTTP/1.0

<HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
MicrosoftOfficeWebServer: 5.0_Pub
Date: Wed, 07 May 2003 01:20:34 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Mon, 07 Apr 2003 15:14:59 GMT
ETag: "80db2d7418fdc21:928"
Content-Length: 12513

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
...
</html>

Testing SSH

$ ssh 10.2.135.12
pattyo's passwd:
Authentication successful.
...

Testing Sendmail
 

• Note the stealthy Vs unstealthy responses


$ telnet xx.xx.xx.xx 25
Trying xx.xx.xx.xx...
Connected to mail.example.com.
Escape character is '^]'.
220 ponto.example.com ESMTP SMTP spoken here; Tue, 6 May 2003 18:30:43 -0700

$ nslookup mail.miracosta.edu
Name:   mail.miracosta.edu
Address: 10.1.4.13

$ telnet 10.1.4.13 25
Trying 10.1.4.13...
Connected to 10.1.4.13.
Escape character is '^]'.
220 ma.usa.miracosta.cc.ca.us Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at  Tue, 6 May 2003 18:27:42 -0700

$ telnet 172.20.2.15 25
Trying 172.20.2.15...
Connected to 172.20.2.15.
Escape character is '^]'.
220 mcc.miracosta.cc.ca.us ESMTP Sendmail 8.9.1a/8.9.1; Tue, 6 May 2003 18:25:23 -0700 (PDT)
<Cntr>]
telnet> quit

$ nmap 172.20.2.15

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Warning:  You are not root -- using TCP pingscan rather than ICMP
Interesting ports on mcc.miracosta.cc.ca.us (172.20.2.15):
(The 1544 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
81/tcp     open        hosts2-ns
106/tcp    open        pop3pw
107/tcp    open        rtelnet
110/tcp    open        pop-3
3128/tcp   open        squid-http

Listing Rules

• By default, this gives you the filter table

# iptables -L
 

• To list the nat and mangle tables
• The -n list by IP addresses and port numbers in numeric form

# iptables -t mangle -L -n

# iptables -t nat -L -n

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            10.2.135.2       tcp dpt:25 to:192.168.1.20:25
DNAT       tcp  --  0.0.0.0/0            10.2.135.2       tcp dpt:143 to:192.168.1.20:143
DNAT       tcp  --  0.0.0.0/0            10.2.135.2       tcp dpt:22 to:192.168.1.20:22
DNAT       tcp  --  0.0.0.0/0            10.2.135.2       tcp dpt:80 to:192.168.1.20:80
DNAT       tcp  --  0.0.0.0/0            10.2.135.2       tcp dpt:443 to:192.168.1.20:443

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

• If you don't look at em, what good are they!
• By default, iptables will log to /var/log/kernel
• Searching for the most annoying rejected machines and ports

# grep SRC iptables* | sed -e 's/.*SRC=//' \
   -e 's/ .*//'| sort | uniq -c | \
   sort -nr |head -20
 
   
# ip
  COUNT    IPADDR
--------------------
   3968 209.129.35.85
    659 68.101.245.6
    649 64.160.54.43
    423 63.227.63.133
    415 68.3.97.223
    399 64.164.72.41
    397 24.165.68.196
    378 24.165.11.5
    372 68.86.76.83
    344 12.233.38.156
    342 68.6.108.118
    294 63.207.12.171
    288 66.235.25.68
    284 65.94.105.137
    216 24.130.227.252
    213 67.68.234.84
    213 24.165.41.65
    210 68.105.74.31
    210 12.219.228.245
    204 65.212.170.46

# port
  COUNT PORT
--------------------
  17253 6112
   2740 1433
   2340 137
   1738 445
   1380 1434
    566 135
    564 139
    357 3006
    345 21
    231 3439
    167 6970
    131 1921
    127 3128
    122 17300
    115 27374
     90 1336
     87 3463
     86 111
     83 1080
     82 8080