Firewall Iptables Analysis

Source: Internet
Author: User

I. Basic iptables concepts

Match: a condition that a packet must satisfy, such as a given IP address or port.

Drop: the packet is discarded as soon as it arrives, and no further processing is done.

Accept: the opposite of drop; the packet is accepted and allowed to pass.

Reject (deny): like drop, but an error message is also sent back to the host that sent the packet. The error message can be specified explicitly or generated automatically.

Target: specifies the action that describes how a packet is handled, such as drop, accept or reject.

Jump: like a target, but instead of naming a specific action it names another chain, meaning that processing jumps to that chain.

Rule: one or more matches together with their corresponding target.

Chain: each chain contains a series of rules that are applied in order to every packet traversing the chain. Each chain has its own specific purpose, discussed in detail below.

Table: each table contains a number of chains; for example, the filter table contains the INPUT, FORWARD and OUTPUT chains by default. iptables has four tables, raw, nat, mangle and filter, each with its own use: the most commonly used, the filter table, is designed for packet filtering, and the nat table is used specifically for NAT.

Policy: the default action taken on a chain when none of its rules matches the packet.

Connection tracking (conntrack): also called dynamic or stateful filtering; it allows filtering based on the state of a connection. It is a very powerful feature, but it also consumes more memory.

II. Packet flow through iptables

Figure 1 The packet flow through iptables

Figure 1 shows the basic flow of a packet through iptables, which divides packet handling into three cases.

1) Packets destined for the local host

When a packet's destination address is the local host, its path through iptables is:

1. The packet arrives from the network at the network interface.

2. After the NIC receives the packet, it enters the PREROUTING chain of the raw table. This chain handles the packet before connection tracking, and can mark a connection so that it is exempt from tracking. (Note: do not add other rules to the raw table.)

3. If connection tracking is enabled, the packet is processed by it.

4. After the raw table, the packet enters the PREROUTING chain of the mangle table. This chain is mainly used to modify the packet's TOS and TTL and to set a special mark on it. (Note: the mangle table is normally used for setting marks; do not do filtering, NAT or masquerading in it.)

5. The packet enters the PREROUTING chain of the nat table. This chain is mainly used for DNAT; avoid filtering here, or some packets may be missed. (Note: it is used only to translate the source/destination address.)

6. Routing decides how the packet is handled, for example whether it is for the local host, to be forwarded, or something else. (Note: here we assume it is delivered to the local host.)

7. The packet enters the INPUT chain of the mangle table. Now that routing has decided the packet is for the local host, it can be modified again here.

8. The packet enters the INPUT chain of the filter table. Here all packets addressed to this host are filtered; note that every packet received with this host as its destination goes through this chain, regardless of which interface it came in on or where it is going.

9. After the rules have filtered it, the packet is handled by a local process or application, such as a server or client program.

2) Packets sent by the local host

When a packet is generated by the local host, its path through iptables is:

1. A local process or application (such as a server or client program) generates the packet.

2. Routing decides which source address to use and which interface to send the packet from, along with other necessary information.

3. The packet enters the OUTPUT chain of the raw table. This is the point at which the packet can be handled before connection tracking takes effect, and where a connection can be marked as exempt from tracking.

4. Connection tracking processes the locally generated packet.

5. The packet enters the OUTPUT chain of the mangle table, where it can be modified but should not be filtered (to avoid side effects).

6. The packet enters the OUTPUT chain of the nat table, which performs destination NAT (DNAT) on packets generated by the firewall itself.

7. The packet enters the OUTPUT chain of the filter table, which filters the locally generated outgoing packets.

8. Routing is decided again, because the preceding mangle and nat tables may have changed the packet's routing information.

9. The packet enters the POSTROUTING chain of the mangle table. Two kinds of packets traverse this chain: forwarded packets and packets generated by the local host.

10. The packet enters the POSTROUTING chain of the nat table, where source NAT (SNAT) is done. It is recommended not to filter here, because of side effects: even with a default policy set, some packets may slip past.

11. The packet leaves through the network interface.

3) Forwarded packets

The path through iptables of a packet that is being forwarded is:

1. The packet arrives from the network at the network interface.

2. After the NIC receives the packet, it enters the PREROUTING chain of the raw table. This chain handles the packet before connection tracking, and can mark a connection so that it is exempt from tracking. (Note: do not add other rules to the raw table.)

3. If connection tracking is enabled, the packet is processed by it.

4. After the raw table, the packet enters the PREROUTING chain of the mangle table. This chain is mainly used to modify the packet's TOS and TTL and to set a special mark on it. (Note: the mangle table is normally used for setting marks; do not do filtering, NAT or masquerading in it.)

5. The packet enters the PREROUTING chain of the nat table. This chain is mainly used for DNAT; avoid filtering here, or some packets may be missed. (Note: it is used only to translate the source/destination address.)

6. Routing decides how the packet is handled, for example whether it is for the local host, to be forwarded, or something else. (Note: here we assume it is forwarded.)

7. The packet enters the FORWARD chain of the mangle table. This is a special point: after the first routing decision, the packet can still be modified before the final routing decision is made.

8. The packet enters the FORWARD chain of the filter table, where all forwarded packets can be filtered. Note that the packets passing through here are forwarded traffic, in both directions.

9. The packet enters the POSTROUTING chain of the mangle table. All routing decisions have been made, but the packet is still on the local host, so it can still be modified.

10. The packet enters the POSTROUTING chain of the nat table, which is generally used for SNAT; do not filter here.

11. The packet leaves through the network interface.

III. Tables, chains and rules in iptables

Figure 2 iptables tables, chains and rules

A rule is a condition predefined by the network administrator, generally of the form "if the packet header meets this condition, handle the packet in this way". Rules are stored in the kernel's packet-filtering tables and specify the source address, destination address, transport protocol (such as TCP, UDP or ICMP) and service type (such as HTTP, FTP or SMTP). When a packet matches a rule, iptables handles it according to the method the rule defines, such as accept, reject or drop. The main task of configuring a firewall is adding, modifying and deleting these rules.

A chain is the path a packet travels along; each chain is really a checklist of rules, and may contain one or several of them. When a packet arrives at a chain, iptables starts checking from the chain's first rule to see whether the packet meets the conditions that rule defines. If it does, the packet is handled according to the method defined by the rule; otherwise iptables goes on to check the next rule. If the packet matches none of the rules in the chain, iptables handles it according to the chain's default policy.

Tables provide specific functions. iptables has four tables, filter, nat, mangle and raw, which respectively implement packet filtering, network address translation, packet modification and connection-tracking processing.

Figure 2 shows the relationship between tables and chains; the raw, mangle, nat and filter tables contain different chains:

The raw table has the PREROUTING and OUTPUT chains;

The mangle table has the PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD chains;

The nat table has the PREROUTING, POSTROUTING and OUTPUT chains;

The filter table has the INPUT, FORWARD and OUTPUT chains.
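As an added example (not part of the original article), the script below audits a rule set in iptables-save format, the form in which a running configuration is usually reviewed. It lists every chain of every table with its default policy and the number of rules appended to it, and then reports the built-in filter chains whose policy is still ACCEPT. The dump embedded in the script is constructed for the example; on a real host it would be replaced by the output of iptables-save.

```shell
# Added example, not from the original article: audit an iptables-save dump.
# The dump below is constructed for the example (one raw, one nat and one
# filter table, with a user chain LOGGING in filter).
SAMPLE_DUMP='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables Packet Dropped:"
-A LOGGING -j DROP
COMMIT'

# summarize_chains: read iptables-save format on stdin and print one line per
# chain, "<table> <chain> <policy> <rule count>". A policy of "-" marks a
# user-defined chain, which has no default policy of its own.
summarize_chains() {
    awk '
        /^\*/ { table = substr($1, 2); next }            # "*filter" starts a table
        /^:/  { chain = substr($1, 2)                    # ":INPUT DROP [0:0]"
                policy[table, chain] = $2
                order[++n] = table SUBSEP chain; next }
        /^-A / { rules[table, $2]++; next }              # "-A INPUT ..." appends a rule
        END {
            for (i = 1; i <= n; i++) {
                split(order[i], k, SUBSEP)
                printf "%s %s %s %d\n", k[1], k[2], policy[order[i]], rules[order[i]] + 0
            }
        }'
}

# open_filter_chains: names of built-in filter chains whose default policy is
# still ACCEPT, i.e. chains where an unmatched packet is let through.
open_filter_chains() {
    summarize_chains | awk '$1 == "filter" && $3 == "ACCEPT" { print $2 }'
}

printf '%s\n' "$SAMPLE_DUMP" | summarize_chains
printf 'filter chains still defaulting to ACCEPT: %s\n' \
    "$(printf '%s\n' "$SAMPLE_DUMP" | open_filter_chains | tr '\n' ' ')"
```

On a live system, `iptables-save | open_filter_chains` (run as root) gives the same report for the real rule set; an empty result means every built-in filter chain already defaults to DROP, the state that the default-policy commands in section IV below aim for.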

IV. Common iptables filter rules

1) The form of a command that adds an iptables rule:

iptables [-t table] command [match] [target/jump]

In diagram form:

Figure 3 iptables command

For the specific meanings of the command, match and target/jump parameters of an iptables command, refer to the Linux man page or the iptables guide.

2) Common iptables filter rules

1. Delete existing rules

iptables -F   (or iptables --flush)

2. Set the default chain policy

The filter table has three chains: INPUT, FORWARD and OUTPUT. Their default policy is ACCEPT; it can be set to DROP with the following commands:

iptables -P INPUT DROP     (change the default policy of the INPUT chain to DROP)

iptables -P FORWARD DROP   (change the FORWARD chain)

iptables -P OUTPUT DROP    (change the OUTPUT chain)

3. Block a specified IP address

The following rule blocks the IP address held in BLOCK_THIS_IP from accessing the local host:

BLOCK_THIS_IP="x.x.x.x"

iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP

(or block only TCP packets from that IP)

iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP

4. Block pings from outside

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

5. Block the local host from pinging external hosts

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP

6. Block loopback access

iptables -A INPUT -i lo -j DROP

iptables -A OUTPUT -o lo -j DROP

7. Allow all SSH connection requests

This rule allows all SSH connection requests from outside, that is, only packets entering through the eth0 interface with destination port 22 are allowed.

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

8. Allow SSH connections initiated by the local host

This rule allows the local host to initiate SSH connections:

iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

9. Allow SSH connection requests only from a specified network

The following rules allow SSH connections only from the 172.16.132.0/24 network:

iptables -A INPUT -i eth0 -p tcp -s 172.16.132.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

10. Allow SSH connections initiated locally only to a specified network

The following rules allow connections from the local host only to the 172.16.132.0/24 network:

iptables -A OUTPUT -o eth0 -p tcp -d 172.16.132.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

11. Allow HTTP/HTTPS connection requests

# 1. Allow HTTP connections: port 80

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# 2. Allow HTTPS connections: port 443

iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

12. Allow HTTPS connections initiated locally

This rule allows users to initiate HTTPS connections from the local host to the Internet.

iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

13. -m multiport: specifying multiple ports

With the -m multiport option, SSH, HTTP and HTTPS connections can be allowed in a single rule:

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
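Items 2, 7, 9, 12 and 13 above are normally combined into one script so that the order of the rules is fixed. The script below is an added example, not code from the article, and makes one change of technique: a single `-m state --state ESTABLISHED,RELATED` rule per direction near the top of each chain accepts every packet of an already tracked connection, so the per-port `--sport ... --state ESTABLISHED` reply rules used in the article are no longer needed and each service needs only a NEW rule. The interface name, admin network and service ports are assumed values. By default the script prints each iptables command instead of running it (IPT defaults to `echo iptables`), which is how it runs here without root; set IPT=iptables to apply it.

```shell
# Added example, not from the original article: a default-deny host firewall.
# IPT, WAN_IF, ADMIN_NET and SERVICE_PORTS are assumed values for the example.
IPT=${IPT:-"echo iptables"}               # set IPT=iptables to really apply
WAN_IF=${WAN_IF:-eth0}
ADMIN_NET=${ADMIN_NET:-172.16.132.0/24}   # the only network allowed to reach SSH
SERVICE_PORTS=${SERVICE_PORTS:-80,443}    # public services, in -m multiport form

host_firewall() {
    # Start from a clean, default-deny filter table so the rule order is known.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback must stay open; many local services depend on it.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # One stateful rule per direction: any packet belonging to a tracked
    # connection is accepted, so only NEW connections need per-service rules.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH only from the admin network (item 9), not from everywhere (item 7).
    $IPT -A INPUT -i "$WAN_IF" -p tcp -s "$ADMIN_NET" --dport 22 -m state --state NEW -j ACCEPT

    # Public services in a single rule (item 13).
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports "$SERVICE_PORTS" -m state --state NEW -j ACCEPT

    # Let the host itself open DNS and HTTPS connections (item 12).
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 53,443 -m state --state NEW -j ACCEPT
}

# rule_count: number of -A rules the script installs (policies excluded),
# computed in dry-run mode; compare it with "iptables -S" after applying.
rule_count() {
    ( IPT="echo iptables"; host_firewall ) | grep -c ' -A '
}

host_firewall
echo "rules to be installed: $(rule_count)"
```

The ESTABLISHED,RELATED rules sit before the service rules on purpose: the bulk of traffic belongs to existing connections and is accepted after one rule, and a service rule that is removed later also closes its replies automatically.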

14. Allow IMAP and IMAPS

# imap:143

iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

# imaps:993

iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

15. Allow POP3 and POP3S

# pop3:110

iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

# pop3s:995

iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

16. Preventing DoS attacks

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

-m limit: enable the limit match extension

--limit 25/minute: allow at most 25 connections per minute

--limit-burst 100: once 100 connections have been reached, the 25/minute limit above takes effect
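To see what `--limit 25/minute --limit-burst 100` actually admits, the following added example (not from the article) simulates the limit match as a token bucket: the bucket starts with 100 tokens, each matching packet spends one, and a token is returned every 60/25 = 2.4 seconds. This is a simplified model of the kernel's implementation, which keeps the same bucket in finer time units. One caveat the rule above depends on: a packet that finds no token simply does not match the rule, so it continues to the next rule or to the chain's default policy. The rule therefore only limits a flood if the INPUT policy is DROP (item 2) or a later rule drops what remains.

```shell
# Added example, not from the original article: token-bucket model of
# "-m limit --limit 25/minute --limit-burst 100". Times are in milliseconds.
LIMIT_PER_MINUTE=25
LIMIT_BURST=100
REFILL_MS=$(( 60000 / LIMIT_PER_MINUTE ))   # one token every 2400 ms

# limit_accepts <count> <interval_ms>: how many of <count> packets arriving
# <interval_ms> apart match the rule, starting from a full bucket.
limit_accepts() {
    count=$1; interval=$2
    tokens=$LIMIT_BURST; credit=0; accepted=0; i=0
    while [ "$i" -lt "$count" ]; do
        if [ "$i" -gt 0 ]; then
            credit=$(( credit + interval ))
            # Refill one token per REFILL_MS elapsed, never above the burst size.
            while [ "$credit" -ge "$REFILL_MS" ] && [ "$tokens" -lt "$LIMIT_BURST" ]; do
                tokens=$(( tokens + 1 )); credit=$(( credit - REFILL_MS ))
            done
            # Idle time beyond a full bucket is not banked for later.
            if [ "$tokens" -eq "$LIMIT_BURST" ]; then credit=0; fi
        fi
        if [ "$tokens" -gt 0 ]; then
            tokens=$(( tokens - 1 )); accepted=$(( accepted + 1 ))   # packet matches
        fi
        i=$(( i + 1 ))
    done
    echo "$accepted"
}

echo "200 packets at once:            $(limit_accepts 200 0) match"     # the burst
echo "100 packets, one every 2.4 s:   $(limit_accepts 100 2400) match"  # steady rate
echo "1000 packets, one every 0.6 s:  $(limit_accepts 1000 600) match"  # burst + 25/min
```

The third case is the one the rule is written for: at 100 packets per minute the first 100 are admitted from the burst and after that only one in four, which is the 25/minute average; the other three in four are left to the chain's default policy.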

17. Allow routing

If the local host has two network interfaces, one connected to the internal network (eth0) and one to the external network (eth1), the following rule forwards traffic from eth0 to eth1:

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

18. DNAT and port forwarding

The following rules forward traffic arriving on port 422 to port 22, so that an SSH connection request to port 422 is equivalent to a request to port 22.

# 1. Enable DNAT forwarding

iptables -t nat -A PREROUTING -p tcp -d 172.16.132.17 --dport 422 -j DNAT --to-destination 172.16.132.17:22

# 2. Allow connection requests to port 422

iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT

Assuming the external gateway address is xxx.xxx.xxx.xxx, the rules for forwarding HTTP requests to an internal host are:

iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 8888 -j DNAT --to 192.168.0.2:80

iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT

19. SNAT and MASQUERADE

The following command SNATs all packets from the 192.168.1.0 network segment to the IP address 172.132.16.99 before they are sent out:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 172.132.16.99

With SNAT, however many addresses there are, the IP address to translate to must be given explicitly. If the host reaches the Internet by ADSL dial-up, its external IP is dynamic, and MASQUERADE can be used instead:

iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
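Items 17 to 19 together describe a NAT gateway. The script below is an added example (not code from the article) that puts them in one place, with the FORWARD policy set to DROP and connection tracking admitting the replies. Interface names, the LAN network and the port-forward target are assumed values. Two details matter for the port forward: forwarding must be enabled in the kernel (net.ipv4.ip_forward), and filter-table rules see the packet after DNAT has rewritten it, so the FORWARD accept must match the translated destination 192.168.1.2:80 rather than the public port. IPT and SYSCTL default to `echo ...`, which prints the commands instead of running them; set IPT=iptables and SYSCTL=sysctl to apply the rules.

```shell
# Added example, not from the original article: a small NAT gateway.
# All values below are assumed for the example.
IPT=${IPT:-"echo iptables"}
SYSCTL=${SYSCTL:-"echo sysctl"}
LAN_IF=${LAN_IF:-eth0}                  # internal network
WAN_IF=${WAN_IF:-eth1}                  # external network
LAN_NET=${LAN_NET:-192.168.1.0/24}
FWD_PORT=${FWD_PORT:-8888}              # public port on the gateway
FWD_TARGET=${FWD_TARGET:-192.168.1.2}   # internal web server
FWD_TARGET_PORT=${FWD_TARGET_PORT:-80}

nat_gateway() {
    # Forwarding is off by default; FORWARD rules do nothing without it.
    $SYSCTL -w net.ipv4.ip_forward=1

    # Default-deny for forwarded traffic; replies are admitted by conntrack.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the LAN may open connections outward (item 17), never the reverse.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Port forward (item 18): DNAT rewrites the destination in PREROUTING...
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$FWD_TARGET:$FWD_TARGET_PORT"
    # ...and because FORWARD defaults to DROP, the rewritten packet still needs
    # an explicit accept that matches its translated destination.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$FWD_TARGET" --dport "$FWD_TARGET_PORT" \
        -m state --state NEW -j ACCEPT

    # Source NAT (item 19): MASQUERADE uses whatever address WAN_IF has right now.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# forward_accepts: number of FORWARD accept rules, counted in dry-run mode.
# Every DNAT rule should be matched by one of them.
forward_accepts() {
    ( IPT="echo iptables"; SYSCTL="echo sysctl"; nat_gateway ) | grep -c ' -A FORWARD .* -j ACCEPT'
}

nat_gateway
echo "FORWARD accept rules: $(forward_accepts)"
```

Restricting the outbound rule to `-s "$LAN_NET"` and the DNAT rule to `-i "$WAN_IF"` keeps spoofed or internally generated packets from using either path; the article's rules omit those qualifiers and are correspondingly broader.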

20. Custom chains

To log dropped packets:

# 1. Create a new chain named LOGGING

iptables -N LOGGING

# 2. Send all packets from the INPUT chain to the LOGGING chain

iptables -A INPUT -j LOGGING

# 3. Log them with the custom prefix "iptables Packet Dropped:"

iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables Packet Dropped:" --log-level 7

# 4. Drop the packets

iptables -A LOGGING -j DROP
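The LOG target writes one kernel log line per logged packet, starting with the string given by --log-prefix. The following added example (not from the article) parses such lines to show what the LOGGING chain gives a defender: the source addresses dropped most often, and the destination ports a given source tried. The log lines are constructed for the example in the kernel's netfilter LOG layout; note that with the prefix exactly as above there is no space before IN=, so adding a trailing space to --log-prefix makes the lines easier to read.

```shell
# Added example, not from the original article: summarise LOGGING-chain output.
# SAMPLE_LOG is constructed for the example (addresses from documentation ranges);
# on a real host the input would come from dmesg or the kernel syslog file.
SAMPLE_LOG='Mar  3 10:01:02 gw kernel: iptables Packet Dropped:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:01:03 gw kernel: iptables Packet Dropped:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:01:05 gw kernel: iptables Packet Dropped:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=UDP SPT=53 DPT=5353 LEN=20
Mar  3 10:01:09 gw kernel: iptables Packet Dropped:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:01:10 gw kernel: sshd[1234]: Accepted publickey for admin from 172.16.132.5 port 40022'

LOG_PREFIX='iptables Packet Dropped:'   # must match the --log-prefix in the rule

# dropped_by_source: read log lines on stdin and print "<count> <source ip>"
# per source, most frequent first. Lines without the prefix are ignored.
dropped_by_source() {
    grep -F "$LOG_PREFIX" | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# dropped_ports <ip>: distinct "<proto>/<port>" targets one source was dropped
# on, one per line. The trailing space after $1 stops prefix matches
# (203.0.113.9 must not match 203.0.113.90).
dropped_ports() {
    grep -F "$LOG_PREFIX" | grep -F "SRC=$1 " |
        sed -n 's/.*PROTO=\([A-Z]*\).*DPT=\([0-9]*\).*/\1\/\2/p' | sort -u
}

echo "drops per source:"
printf '%s\n' "$SAMPLE_LOG" | dropped_by_source
echo "ports tried by 203.0.113.9:"
printf '%s\n' "$SAMPLE_LOG" | dropped_ports 203.0.113.9
```

Because the LOGGING chain rate-limits with `-m limit --limit 2/min`, the counts are a lower bound on what was dropped; the limit protects the log from being flooded, but it also means a sustained scan shows up as a steady trickle of lines rather than the full packet count.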

21. IP range matching (iprange match options)

Source: iptables -A INPUT -p tcp -m iprange --src-range 192.168.1.13-192.168.2.19 -j DROP

Destination: iptables -A INPUT -p tcp -m iprange --dst-range 192.168.1.13-192.168.2.19 -j DROP

22. MAC matching

iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01 -j DROP
