16 Iptables tips for a system administrator

The modern Linux kernel comes with a packetfiltering framework called NetFilter [1]. NetFilter provides operations such as allow, discard, and modify to control traffic packets entering and exiting the system. The user-level command-line tool based on the NetFilter framework iptables provides a powerful firewall configuration feature that allows you to add rules to build firewall policies. Iptables[2] Rich complex features and its baroque command syntax can be difficult to navigate. Let's explore some of these features and provide some of the skills that the system administrator needs to solve some problems.

Avoid blocking yourself.

Scenario: Let's say you're going to make changes to the firewall rules on your company's servers, you need to avoid blocking yourself and other coworkers (which can lead to a loss of time and money, and maybe a department will call you as soon as it happens).

• Tip #1: Back up the iptables configuration file before you start.

Back up the configuration file with the following command:

1. /sbin/iptables-save > /root/iptables-works

• Tip #2: A more appropriate way to add time stamps to a file.

Add a timestamp with the following command:

1. /sbin/iptables-save > /root/iptables-works-`date +%F`

Then you can generate a file with the following name:

1. /root/iptables-works-2018-09-11

This way, if the system does not work, you can also quickly restore the original status using the backup file:

1. /sbin/iptables-restore < /root/iptables-works-2018-09-11

• Tip #3: Each time you create a copy of the Iptables profile, you create a link to the most recent file.

1. ln –s /root/iptables-works-`date +%F` /root/iptables-works-latest

• Tip #4: Place specific rules at the top of the policy, with general rules at the bottom.

Avoid using some of the following general rules at the top of the policy:

1. iptables -A INPUT -p tcp --dport 22 -j DROP

The more conditions you specify in the rules, the less likely you are to block yourself. Instead of using the very general rules above, use the following rules:

1. iptables -A INPUT -p tcp --dport 22 –s 10.0.0.0/8 –d 192.168.100.101 -j DROP

This rule indicates that INPUT a new rule is appended at the end of the chain, 10.0.0.0/8 discarding all TCP () packets with the source address, the destination address 192.168.100.101 , and the destination port number 22 ( --dport 22 ) -p tcp .

There are a number of ways to set more specific rules. For example, using -i eth0 will restrict this rule to the eth0 network card and eth1 not the NIC.

• Tip #5: Whitelist your IP at the top of the policy rules.

This is an effective way to avoid blocking your own settings:

1. iptables -I INPUT -s <your IP> -j ACCEPT

You need to add the rule to the first position of the policy. -Irepresents the policy header insert rule, which -A indicates that the rule is appended at the end of the policy.

• Tip #6: Understand all the rules in an existing policy.

Making mistakes is half the success. If you understand how the Iptables strategy works, it's more handy to use. If necessary, you can draw a flowchart to clarify the direction of the packet. Also keep in mind that the expected effect and the actual effect of a strategy can be completely different.

Set Firewall Policy

Scenario: You want to configure a firewall with restrictive policies for your workstation.

• Tip #1: Set default rule to discard

1. # Set a default policy of DROP

2. *filter

3. :INPUT DROP [0:0]

4. :FORWARD DROP [0:0]

5. :OUTPUT DROP [0:0]

• Tip #2: Set the minimum number of services required for the user to do their work to allow

This policy requires that the workstation be able to -p udp --dport 67:68 -sport 67:68 obtain the IP address, subnet mask, and some other information through DHCP (). For remote operations, you need to allow the SSH service (), the Mail Service (), the DNS Service (), the ping function (), the NTP Service (), and the HTTP service () -dport 22 --dport 25 --dport 53 -p icmp --dport 123 --sport 123 -dport 80 and HTTPS service () --dport 443 .

2. # Set a default policy of DROP

4. *filter

6. :INPUT DROP [0:0]

8. :FORWARD DROP [0:0]

10. :OUTPUT DROP [0:0]

14. # Accept any related or established connections

16. -I INPUT  1 -m state --state RELATED,ESTABLISHED -j ACCEPT

18. -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

22. # Allow all traffic on the loopback interface

24. -A INPUT -i lo -j ACCEPT

26. -A OUTPUT -o lo -j ACCEPT

30. # Allow outbound DHCP request

32. -A OUTPUT –o eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT

36. # Allow inbound SSH

38. -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW  -j ACCEPT

42. # Allow outbound email

44. -A OUTPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW  -j ACCEPT

48. # Outbound DNS lookups

50. -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT

54. # Outbound PING requests

56. -A OUTPUT –o eth0 -p icmp -j ACCEPT

60. # Outbound Network Time Protocol (NTP) requests

62. -A OUTPUT –o eth0 -p udp --dport 123 --sport 123 -j ACCEPT

66. # Outbound HTTP

68. -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT

70. -A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT

74. COMMIT

• Limit IP address ranges

Application scenario: Your CEO thinks that employees spend too much time on Facebook and needs to take some restrictive measures. The CEO command is issued to the Cio,cio command CISO, and the final task is for you to execute. You decide to block everything to Facebook's access connection. First you use host or whois command to get the Facebook IP address.

2. host -t a www.facebook.com

4. www.facebook.com is an alias for star.c10r.facebook.com.

6. star.c10r.facebook.com has address 31.13.65.17

8. whois 31.13.65.17 | grep inetnum

10. inetnum:        31.13.64.0 - 31.13.127.255

Then convert the [3] page using CIDR to IPV4 to convert it to CIDR notation. And then you get 31.13.64.0/18 the address. Enter the following command to block access to Facebook:

1. iptables -A OUTPUT -p tcp -i eth0 –o eth1 –d 31.13.64.0/18 -j DROP

• Limit by Time-Scenario 1

Scenario: Company employees are strongly opposed to restricting all access to Facebook, which has led to a relaxation of the CEO's requirements (taking into account employee objections and his assistant's reminder that she is responsible for updating his Facebook page). The CEO then decides to allow access to Facebook during lunchtime (between 12 o'clock to 1 o'clock in the afternoon noon). Assuming that the default rules are discarded, use the iptables time function to implement them.

1. iptables –A OUTPUT -p tcp -m multiport --dport http,https -i eth0 -o eth1 -m time --timestart 12:00 –timestop 13:00 –d 31.13.64.0/18 -j ACCEPT

This command specifies that --timestart 12:00 --timestop 13:00 ( -j ACCEPT ) to facebook.com () -d [31.13.64.0/18][5] http and HTTPS ( -m multiport --dport http,https ) access between 12 o'clock Noon () and 1 o'clock in the afternoon ().

• Limit by Time-Scenario 2

Scenario: During scheduled system maintenance, you need to set the Deny all TCP and UDP access between 2 o'clock in the morning to 3 points, so that maintenance tasks are not disturbed. Use two iptables rules to achieve:

1. iptables - A INPUT - p TCP - m Span>time -- timestart : xx -- timestop , : XX - J DROP

2. Iptables - A INPUT - p UDP - m time -- timestart 02 : xx -- timestop , : xx - J DROP

This rule prohibits () access to () -j DROP --timestart 02:00 data for --timestop 03:00 TCP and UDP () between 2 o'clock in the Morning () and 3 o'clock in the morning () -p tcp and -p udp -A INPUT .

Limit number of connections

Scenario: Your Web server may be subject to DoS attacks from around the world, in order to avoid these attacks, you can limit the number of individual IP addresses to your Web server to create connections:

1. iptables –A INPUT –p tcp –syn -m multiport -–dport http,https –m connlimit -–connlimit-above 20 –j REJECT -–reject-with-tcp-reset

Analyze the above command. If a single host is newly established () more than 20 () connections to your Web server () within a minute -p tcp -syn -connlimit-above 20 , the --dport http,https server will reject ( -j REJECT ) establish a new connection and then notify the other party that the new connection was rejected ( --reject-with-tcp-reset ).

Monitoring Iptables Rules

Scenario: Because the packet traverses the rules in the chain, Iptables follows the principle of "first match wins," so the rules that often match should be close to the top of the policy, and rules that are less frequently matched should be close to the bottom. How do you know which rules are most or least used and can be monitored near the top or bottom?

• Tip #1: See how many times a rule has been accessed

Use the command:

1. iptables -L -v -n –line-numbers

-Llists all the rules in the chain with options. Because no specific chain is specified, all chain rules are output, the details are displayed using options, and the -v -n options display number-formatted packets and byte counters, and the number at the beginning of each rule represents the position of the rule in the chain.

Depending on the result of the packet and byte count, you can put the rule with the highest frequency of access to the top and the lowest-frequency rule to the bottom.

• Tip #2: Remove unnecessary rules

Which rule has never been visited? These can be cleared away. Use the following command to view:

1. iptables -nvL | grep -v "0     0"

Note: The two digit 0 is not a Tab key, but 5 spaces.

• Tip #3: Monitor what's happening

You might also imagine using top commands to monitor iptables in real time. Use the following command to dynamically monitor the activity in iptables and show only the rules that are being traversed:

1. watch --interval=5 ‘iptables -nvL | grep -v "0     0"‘

watchiptables -nvL | grep -v “0 0“the command outputs iptables dynamics every 5 seconds through the parameters. This command allows you to view the changes in packet and byte count.

Output log

Application scenario: The manager thinks you have the quality of the work of the firewall staff, but if you can have network traffic activity log best. Sometimes this is more effective than writing a report on a job.

Use the tool Fwlogwatch[4] to generate log reports based on Iptables Firewall records. The Fwlogwatch tool supports many forms of reporting and also provides many analysis capabilities. It generates logs and monthly reports that allow administrators to save a lot of time and also better manage the network and even reduce unnoticed potential attacks.

Here is an example of a Fwlogwatch generated report:

Do not settle for allow and discard rules

This article has covered many aspects of iptables, from avoiding blocking yourself, configuring iptables firewalls, and monitoring activities in iptables, and so on, to introduce iptables. You can start here to explore iptables and even get more tips on how to use it.

16 Iptables tips for a system administrator