The modern Linux kernel comes with a packet-filtering framework called Netfilter [1]. Netfilter provides operations such as accepting, dropping and modifying packets to control the traffic entering and leaving the system. iptables, the user-space command-line tool built on the Netfilter framework,
provides powerful firewall configuration: you add rules to build firewall policies. iptables [2] has rich, complex features, and its baroque command syntax can be difficult to navigate. Let's explore some of these features and cover some of the skills a system administrator needs to solve common problems.
Avoid blocking yourself
Scenario: You are about to change the firewall rules on your company's servers. You need to avoid locking out yourself and your coworkers, which costs time and money (and the affected department will be on the phone to you as soon as it happens).
- Tip #1: Back up the current iptables rules before you start.
Save the running configuration with the following command:
/sbin/iptables-save > /root/iptables-works
- Tip #2: Better still, add a timestamp to the backup file name.
Add a timestamp with the following command:
/sbin/iptables-save > /root/iptables-works-`date +%F`
This produces a file with a name such as:
/root/iptables-works-2018-09-11
This way, if something goes wrong, you can quickly restore the original state from the backup file:
/sbin/iptables-restore < /root/iptables-works-2018-09-11
- Tip #3: Each time you save a copy of the iptables configuration, update a link that points to the most recent file (-f replaces the link left by the previous run):
ln -sf /root/iptables-works-`date +%F` /root/iptables-works-latest
- Tip #4: Place specific rules at the top of the policy, with general rules at the bottom.
Avoid placing general rules such as the following at the top of the policy:
iptables -A INPUT -p tcp --dport 22 -j DROP
The more conditions you specify in a rule, the less likely you are to block yourself. Instead of the very general rule above, use something like this:
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -d 192.168.100.101 -j DROP
This rule appends (-A) a new rule to the end of the INPUT chain that drops all TCP (-p tcp) packets with a source address in 10.0.0.0/8 (-s), the destination address 192.168.100.101 (-d) and destination port 22 (--dport 22).
There are many ways to make a rule more specific. For example, adding -i eth0 restricts the rule to packets arriving on the eth0 interface, so packets arriving on eth1 are not affected.
- Tip #5: Whitelist your IP at the top of the policy rules.
This is an effective way to avoid blocking your own settings:
iptables -I INPUT -s <your IP> -j ACCEPT
This rule must be the first one in the policy: -I inserts the rule at the head of the chain (position 1 when no number is given), whereas -A appends it at the end.
- Tip #6: Understand all the rules in an existing policy.
Avoiding mistakes in the first place is half the battle. If you understand how your iptables policy works, it is much easier to work with. If necessary, draw a flowchart of how packets travel through it. Also keep in mind that the intended effect of a policy and its actual effect can be completely different.
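As an added example (not from the article or the iptables project), the following script ties tips #1 to #3 and the goal of this section together: it saves a timestamped backup with a "latest" link, loads a new ruleset, and restores the backup automatically unless you confirm the change from a session that still works, so a rule that locks you out undoes itself. The IPT_SAVE, IPT_RESTORE and BACKUP_DIR variables and the function names are this example's own; the defaults are the paths the article uses.

```shell
#!/bin/sh
# Added example, not from the article: apply a new iptables policy with an
# automatic rollback. The running rules are saved (tips #1 to #3) and restored
# after a timeout unless the operator confirms the change from a session that
# still works. IPT_SAVE, IPT_RESTORE and BACKUP_DIR are this example's own
# (hypothetical) names; they default to the paths the article uses.
set -u
IPT_SAVE=${IPT_SAVE:-/sbin/iptables-save}
IPT_RESTORE=${IPT_RESTORE:-/sbin/iptables-restore}
BACKUP_DIR=${BACKUP_DIR:-/root}

# Save the running rules to a timestamped file and point the "latest" link at
# it. Prints the backup path.
backup_rules() {
    file="$BACKUP_DIR/iptables-works-$(date +%F-%H%M%S)"
    "$IPT_SAVE" > "$file" || return 1
    ln -sf "$file" "$BACKUP_DIR/iptables-works-latest"
    printf '%s\n' "$file"
}

# Load the ruleset in $1. Unless confirm_change is run within $2 seconds
# (default 60), the backup is restored. Prints the marker path to confirm with.
apply_with_rollback() {
    newrules=$1
    timeout=${2:-60}
    backup=$(backup_rules) || return 1
    marker="$backup.pending"
    : > "$marker"
    # iptables-restore is atomic per table: a ruleset that fails to parse
    # leaves the old rules in place, so only the marker needs cleaning up.
    if ! "$IPT_RESTORE" < "$newrules"; then
        rm -f "$marker"
        return 1
    fi
    # Watchdog: a marker still present after the timeout means nobody
    # confirmed, most likely because the new policy cut the admin's session.
    (
        sleep "$timeout"
        if [ -e "$marker" ]; then
            "$IPT_RESTORE" < "$backup"
            rm -f "$marker"
        fi
    ) >/dev/null 2>&1 &
    printf '%s\n' "$marker"
}

# Run this from a working session before the timeout to keep the new rules.
confirm_change() { rm -f "$1"; }
```

Run marker=$(apply_with_rollback /root/new.rules 90), check that you can still log in, then confirm_change "$marker"; if the new policy cut you off, the old rules come back on their own after 90 seconds.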
Set Firewall Policy
Scenario: You want to configure a firewall with restrictive policies for your workstation.
- Tip #1: Set the default policy to DROP
# Set a default policy of DROP
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
- Tip #2: Allow only the minimum set of services users need to do their work
This policy requires that the workstation be able to obtain its IP address, subnet mask and other settings through DHCP (-p udp --dport 67:68 --sport 67:68). For remote work you also need to allow SSH (--dport 22), mail (--dport 25), DNS (--dport 53), ping (-p icmp), NTP (--dport 123 --sport 123), HTTP (--dport 80) and HTTPS (--dport 443).
# Set a default policy of DROP
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Accept any related or established connections
-I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow all traffic on the loopback interface
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow outbound DHCP request
-A OUTPUT -o eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# Allow inbound SSH
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow outbound email
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
# Outbound DNS lookups
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
# Outbound PING requests
-A OUTPUT -o eth0 -p icmp -j ACCEPT
# Outbound Network Time Protocol (NTP) requests
-A OUTPUT -o eth0 -p udp --dport 123 --sport 123 -j ACCEPT
# Outbound HTTP
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
Scenario: Your CEO thinks that employees spend too much time on Facebook and wants to restrict it. The CEO tells the CIO, the CIO tells the CISO, and the task finally lands on you. You decide to block all connections to Facebook. First, use the host or whois command to find Facebook's IP addresses:
host -t a www.facebook.com
www.facebook.com is an alias for star.c10r.facebook.com.
star.c10r.facebook.com has address 31.13.65.17
whois 31.13.65.17 | grep inetnum
inetnum: 31.13.64.0 - 31.13.127.255
Then use a CIDR to IPv4 conversion page [3] to convert that range to CIDR notation, which gives 31.13.64.0/18. Enter the following command on the gateway to block access to Facebook. Because the rule matches both the inbound interface (-i eth0) and the outbound one (-o eth1), it belongs in the FORWARD chain, which handles traffic routed through the firewall; the OUTPUT chain only sees the firewall's own traffic and does not accept -i:
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 31.13.64.0/18 -j DROP
Scenario: Employees strongly object to blocking Facebook entirely, so the CEO relaxes the requirement (helped along by a reminder from his assistant that she is responsible for updating his Facebook page). The CEO decides to allow access to Facebook during lunchtime, between 12 noon and 1 p.m. Assuming the default policy is DROP, use the iptables time match to implement this:
iptables -A FORWARD -p tcp -m multiport --dport http,https -i eth0 -o eth1 -m time --timestart 12:00 --timestop 13:00 -d 31.13.64.0/18 -j ACCEPT
This command accepts (-j ACCEPT) HTTP and HTTPS (-m multiport --dport http,https) traffic to facebook.com (-d 31.13.64.0/18) between 12 noon (--timestart 12:00) and 1 p.m. (--timestop 13:00). Note that the time match compares against UTC unless you add --kerneltz, so on a host whose clock is not set to UTC the window will be shifted.
Scenario: During scheduled system maintenance you need to deny all TCP and UDP access between 2 a.m. and 3 a.m. so that maintenance tasks are not disturbed. Two iptables rules achieve this:
iptables -A INPUT -p tcp -m time --timestart 02:00 --timestop 03:00 -j DROP
iptables -A INPUT -p udp -m time --timestart 02:00 --timestop 03:00 -j DROP
These rules drop (-j DROP) incoming (-A INPUT) TCP and UDP (-p tcp and -p udp) traffic between 2 a.m. (--timestart 02:00) and 3 a.m. (--timestop 03:00). Remember Tip #5 from the first section: a whitelist rule for your own address placed above these keeps your maintenance session reachable.
Limit number of connections
Scenario: Your web server may be the target of DoS attacks from around the world. To mitigate them, you can limit the number of connections a single IP address may open to your web server:
iptables -A INPUT -p tcp --syn -m multiport --dport http,https -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
Analysing the command: if a single host tries to open a new connection (-p tcp --syn) while it already has more than 20 (--connlimit-above 20) connections to your web server (--dport http,https), the server rejects (-j REJECT) the new connection and tells the other side so with a TCP reset (--reject-with tcp-reset). Note that connlimit counts the connections a source address currently has open, so this is a limit on concurrency rather than a rate per minute.
Monitoring Iptables Rules
Scenario: Packets traverse the rules in a chain in order, and iptables follows the principle of "first match wins", so frequently matched rules should sit near the top of the policy and rarely matched ones near the bottom. How do you find out which rules are used most and least, so that you can move them up or down?
- Tip #1: See how many times a rule has been accessed
Use the command:
iptables -L -v -n --line-numbers
-L lists the rules in a chain; because no chain is given, the rules of all chains are printed. -v displays verbose output including the packet and byte counters of each rule, -n prints addresses and ports numerically instead of resolving names, and --line-numbers prefixes each rule with its position in the chain.
Based on the packet and byte counts you can move the most frequently matched rules to the top and the least frequently matched ones to the bottom.
- Tip #2: Remove unnecessary rules
Which rules have never been hit? Those can be removed. Use the following command to list only the rules that have matched at least once:
iptables -nvL | grep -v "0     0"
Note: the two zeros are separated by five spaces, not a tab; this matches the zero packet and byte counters in the -v output.
- Tip #3: Monitor what's happening
You might wish for something like top to monitor iptables in real time. The following command watches iptables activity dynamically and shows only the rules that are being traversed:
watch --interval=5 'iptables -nvL | grep -v "0     0"'
watch runs iptables -nvL | grep -v "0     0" every 5 seconds (--interval=5), so you can see the packet and byte counters change.
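As an added example (not the article's own), this script ranks the rules of a chain by packet count from the same iptables -nvL --line-numbers output, expanding the K/M/G suffixes that -v prints for large counters, so you can see in one pass which rules to move up and which have never matched. The sample output is constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: rank the rules of a chain by packet
# count from `iptables -nvL --line-numbers` output. Counters printed by -v can
# carry K/M/G suffixes (1000-based), which a plain grep for "0     0" does not
# see through. SAMPLE_OUTPUT is constructed; on a live system feed the real
# command's output on stdin instead.
SAMPLE_OUTPUT='Chain INPUT (policy DROP 12 packets, 744 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
2      48K   62M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3     1204  196K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
4        0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:161
5      310 28180 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0'

# Read iptables -nvL --line-numbers output on stdin and print
# "<packets> rule <num> <target>" for every rule, hottest first.
rank_rules() {
    awk '
        # Turn 48K / 62M / 1G into a plain number; other values pass through.
        function expand(v,    n, s) {
            n = v + 0
            s = substr(v, length(v), 1)
            if (s == "K") n *= 1000
            else if (s == "M") n *= 1000000
            else if (s == "G") n *= 1000000000
            return n
        }
        # Rule lines start with the rule number; chain and column headers do not.
        $1 ~ /^[0-9]+$/ { printf "%d rule %s %s\n", expand($2), $1, $4 }
    ' | sort -k1,1nr
}

# Rule numbers whose packet counter is exactly zero: candidates for removal
# (after checking that the rule is not there for a rare but legitimate case).
unused_rules() {
    rank_rules | awk '$1 == 0 { print $3 }' | sort -n
}
```

On a live system, iptables -nvxL --line-numbers prints exact counters, which makes the suffix expansion unnecessary but harmless.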
Output log
Scenario: Your manager is satisfied with your work on the firewall, but would also like a log of network traffic activity. Sometimes this is more effective than writing a report about the job.
Use the tool fwlogwatch [4] to generate log reports from the iptables firewall records. fwlogwatch supports many report formats and offers many analysis features. It produces logs and monthly reports that save administrators a lot of time, help them manage the network better, and can even reveal potential attacks that would otherwise go unnoticed.
Here is an example of a Fwlogwatch generated report:
Do not settle for allow and discard rules
This article has covered many aspects of iptables, from avoiding locking yourself out and configuring an iptables firewall to monitoring iptables activity. Use it as a starting point to explore iptables further and pick up more tips on how to use it.
16 Iptables tips for a system administrator