Netfilter Fedora Core 5 setting up firewall for NIS and NFS labs June 2006
Netfilter Features Address Translation S NAT, D NAT IP Accounting and Mangling IP Packet filtering (Firewall) Stateful packet filtering Filter incoming packets based on TCP header flags Filter incoming packets based on source MAC Addr. Filter outgoing packets based on user ID
IP Packet Filtering Firewall iptables: is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux Kernel Several different tables may be defined, they are: filter, nat and mangle table Ecah table contains a number of built in chains and may also contain user defined chain Input, output, forward, prerouting, postrouting
iptables: tables & chains Table: filter nat mangle Chain: input output forward prerouting postrouting user-defined
Chains, rules and targets Each chain is a list of rules which can match a set of packets A firewall rule specifies criteria for a packet and a target A target can be the name of a user defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN
rule target ACCEPT let the packet through DROP drops the packet QUEUE passes the packet to userspace (application program) RETURN stops traversing the current chain and resume at the next rule in the previous (calling) chain
chain policy Either ACCEPT or DROP Policy of a chain applied when A packet reaches the end of a built in chain, or A packet matches a rule in a built in chain with the target RETURN
Tables and built in chains Filter Table's built in chains: INPUT chain OUTPUT chain FORWARD chain
Tables and built in chains NAT Table's built in chains: PREROUTING chain Translate destination addresses OUTPUT chain POSTROUTING chain Translate source addresses
Tables and built in chains Mangle Table's built in chains: PREROUTING chain OUTPUT chain INPUT chain (>2.4.17) FORWARD chain (>2.4.17) POSTROUTING chain (>2.4.17)
Netfilter flowchart Inbound packets Mangle, nat PREROUTING Chain POSTROUTING Chain Outbound Packets Routing Decision Mangle, filter FORWARD Chain Mangle, filter INPUT Chain Local Process Mangle, nat, filter OUTPUT Chain
Basic Firewall operations Creating firewall rules Listing existing firewall rules Flushing out existing firewall rules Set/Change chain policy Saving existing firewall rules Restore firewall rules from file
Chain Policy To list current chain policy iptables t table L To set chain policy for chains in the filter table(drop or ACCEPT) iptables P INPUT DROP iptables P OUTPUT ACCEPT iptables P FORWARD ACCEPT
Chain Policy Each chain must be set individually OUTPUT chain in the filter table and the OUTPUT chain in the nat table are separate chain Use the t table to specify which table the chain is in User defined chain does not need a chain policy
A perfect firewall iptables t filter F iptables t filter P INPUT DROP After flushing all the rules in all the chains in the filter table, the input chain policy applies to all incoming packets, and drops them all block all incoming packets.
A Practical Firewall iptables t filter F iptables t filter P INPUT DROP Allow packets from any web server to go through the firewall iptables A INPUT p tcp sport 80 j ACCEPT Allow incoming SSH connection requests from any machine Iptables A INPUT p tcp port 22 j ACCEPT
Basic iptables syntax iptables [ t tables] [options] chain [match] [target] iptables [-t table] [-ADC] chain rule-specification [options] iptables [-t table] -I chain [rulenum] rule-specification [options] iptables [-t table] -R chain rulenum rule-specification iptables [-t table] -D chain rulenum [options] iptables [-t table] -{LFZ] [chain] [options] iptables [-t table] -N chain iptables [-t table] -X [chain] iptables [-t table] -P chain target [options] iptables [-t table] -E old-chain-name new-chain-name
MAC match options iptables [ t tables] [options] chain [match] [target] Example: iptables -A INPUT -m mac --mac-source 00:05:0A:1B:2D:3E -j ACCEPT iptables -A INPUT -m mac mac-source!00:05:0a:1b:2d:3e -j ACCEPT MAC match valid only in the PREROUTING, FORWARD and INPUT chains
Owner match options Matching User ID, Group ID, or Process ID Example: iptables -A OUTPUT -m owner --uid-owner 500 -j ACCEPT iptables -A OUTPUT -m owner --uid-owner! 500 -j ACCEPT iptables -A OUTPUT -m owner --gid-owner 100 -j ACCEPT iptables -A OUTPUT -m owner --gid-owner! 100 -j ACCEPT iptables -A OUTPUT -m owner --pid-owner 3120 -j ACCEPT
Allow incoming NFS traffic Ports to be opened: portmapper (fixed udp and tcp port 111) nfs (dynamic, udp and tcp, mostly 2049) nlockmgr (dynamic udp and tcp) mountd (dynamic, udp and tcp) status (dynamic udp and tcp)
open NFS UDP ports Determine nfs port with the following command For UPD upd=$(rpcinfo p grep w upd) nfs_ports=$(echo $upd grep nfs awk '{print $4}' sort u) (note: more than one port if more than one version of nfs is running) for nfs_port in $nfs_ports do iptabls A INPUT p udp dport $nfs_port j ACCEPT done
open NFS TCP ports Determine nfs port with the following command For TCP tcp=$(rpcinfo p grep w tcp) nfs_ports=$(echo $tcp grep nfs awk '{print $4}' sort u) (note: more than one port if more than one version of nfs is running) for nfs_port in $nfs_ports do iptabls A INPUT p tcp dport $nfs_port j ACCEPT done
open other dynamic ports Use similar script to capture the UDP and TCP ports for all the other daemon Use the appropriate iptables commands to open the corresponding UDP and TCP ports
Save Current Firewall Rules iptables save [ c] [ t table] Dump the contents of an IP table in a parseable format to STDOUT. iptbales save > firewall.txt Dump all the current IP tables to the file firewall.txt
Restore IP tables from file iptables restore [ c] [ n] Restore IP tables from data specified on STDIN c restore the values of all packet and byte counters n don't flush the previous contents of the table iptbales restore < firewall.txt restore IP tables from the previously save file firewall.txt