Wednesday, 19 March 2014

LS_3_Linux Security with Firewall

Linux Security with Firewall

The Linux kernel uses the Netfilter framework to filter packets: some are allowed to be received by, or to pass through, the system, while others are dropped or modified, which is what implements a network firewall. Netfilter is built into the Linux kernel and is managed from user space with the iptables tool, installed by the iptables RPM.

Netfilter

Netfilter uses three built-in tables or rules lists in order to filter or modify network packets:

filter
The default table for handling network packets.

nat
Used to rewrite the addresses of network packets, implementing Network Address Translation (NAT), also known as masquerading.

mangle
Used for other, more specific types of network packet modification.

Each netfilter table (filter, nat, mangle) has a group of 'chains' that define the actions netfilter performs on the network packet:

Filter

INPUT
Matches network packets that are targeted for the host.

OUTPUT
Matches network packets generated locally on the host.

FORWARD
Matches network packets routed through the host.

Nat

PREROUTING
Modifies network packets as they arrive at the host.

OUTPUT
Modifies network packets generated locally before they are sent from the host.

POSTROUTING
Modifies network packets before they are sent from the host.

Mangle

INPUT
Modifies network packets targeted for the host.

OUTPUT
Modifies network packets generated locally before they are sent from the host.

FORWARD
Modifies network packets routed through the host.

PREROUTING
Modifies incoming network packets before they are routed through the host.

POSTROUTING
Modifies network packets before they are sent from the host.

When a network packet matches a particular rule in one of the tables, an action is applied to it. If the rule specifies an ACCEPT action, the packet skips the rest of the rules and is allowed to continue to its destination. If a rule specifies a DROP action, access to the host is denied and nothing is sent back to the host that sent the packet. If a rule specifies a QUEUE action, the packet is passed to user space. If a rule specifies a REJECT action, the packet is dropped and an error is sent back to the packet's originator. Every chain has a default policy of ACCEPT, DROP, REJECT, or QUEUE. If none of the rules in the chain apply to the packet, the default policy is applied to it.

Iptables

The iptables command is used to define the matching rules and the actions to be taken on network packets. Its basic syntax is:

# iptables -t table [action direction] [packet match] -j [what to do]

--> The -t table option selects the netfilter table where the rule will be applied. As noted above, it can take the values filter, nat or mangle. If the option is omitted, the filter table is used.

--> The [action direction] part has four basic actions:

-A or --append
Appends the rule to the end of a chain.

-D or --delete
Deletes a rule from a chain.

-L or --list
Lists configured rules in the chain.

-F or --flush
Flushes all of the rules in the current iptables chain.

Appending (-A) to or deleting (-D) from a chain applies to network packets travelling in one of three directions:

INPUT
Incoming packets are checked against the rules in this chain.

OUTPUT
Outgoing packets are checked against the rules in this chain.

FORWARD
Packets being sent to another computer are checked against the rules in this chain.

--> The [packet match] part identifies the network packets to be filtered or modified. Netfilter checks every packet against this pattern:

-s ipaddress
Network packets are checked for a specific source IP address. For example, '-s 192.168.1.0/24' matches all IP addresses on the 192.168.1.0/24 LAN.

-d ipaddress
Network packets are checked for a specific destination IP address. For example, '-d 192.168.1.1' matches only that IP address.

-p protocol
Matches the network protocol used for the communication. It can be TCP, UDP or ICMP.

--dport port
Matches the destination port of the network communication. For example, '--dport 22' matches all network packets sent by an SSH client when opening a connection to an SSH server.

-i interface
Name of the network interface through which the packet was received. For example, '-i eth0'.

-o interface
Name of the network interface through which the packet will be sent. For example, '-o eth1'.

--> The -j [what to do] part defines the action taken when iptables finds a packet matching the pattern:

DROP
The network packet is dropped and no message is sent to the requesting computer.

REJECT
The network packet is dropped and an error message is sent to the requesting computer.

ACCEPT
The network packet is allowed to proceed in the direction given with the -A action: INPUT, OUTPUT, or FORWARD.

In summary, the general form of an iptables rule is:

# iptables -t [filter|nat|mangle] [-A|-D|-L|-F] [INPUT|OUTPUT|FORWARD] -p [tcp|udp] -m [tcp|udp] -s [sourceip] -d [destip] --dport [port] -j [DROP|REJECT|ACCEPT]

For more information see 'man iptables'. Important note: iptables does not perform DNS resolution, so it does NOT support the use of hostnames; it only understands numerical IP addresses.

Iptables Examples

# iptables -A INPUT -s 10.0.0.0/24 -p icmp -j DROP

This rule stops users on computers on the 10.0.0.0/24 LAN from pinging your server.

# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

This rule opens your web server (TCP port 80) to everybody.

# iptables -A INPUT ! -s 192.168.1.0/24 -j REJECT

It rejects all traffic from any computer that is NOT on the 192.168.1.0/24 LAN, sending back a "destination unreachable" error message.

# iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

Rejects any network packet from any source with the icmp-host-prohibited message. This rule is used as the default DENY ALL rule at the end of an iptables chain, so that the only packets allowed through are those matched by an ACCEPT rule placed BEFORE this DENY ALL rule.

Network Address Translation

NAT Masquerade

Network Address Translation (NAT) lets every client on a LAN share the same public Internet IP address. The firewall, acting as the gateway between the LAN and the Internet, replaces the source address of outgoing packets with its own IP address. The original source address is cached on the gateway, so it knows which computer made the request when the reply arrives. With this technique a single public IP address gives every computer on the LAN access to the Internet, hiding (masquerading) the real client IP behind the firewall's address.

# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE

With this rule, any network packet from the LAN 192.168.1.0/24 with a destination on the Internet enters the gateway firewall through its LAN interface eth0 (192.168.1.1), leaves through the public interface eth1, and reaches its Internet destination with the firewall's public eth1 IP as its source address. When the Internet service answers, it sends the reply to the firewall's public IP address, and the firewall forwards that packet to the LAN client that initiated the communication.

NAT Prerouting

To make a network service on an internal LAN reachable from the Internet, the -j DNAT target of the nat table's PREROUTING chain can be used. It specifies a destination IP address and port to which incoming packets requesting a connection to the internal service are forwarded. For example, to forward incoming HTTP requests from the Internet to a dedicated Apache HTTP Server at 10.0.0.1:

# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 10.0.0.1:80

All network packets arriving from the Internet at the gateway firewall's public interface eth1 with destination port 80 (web requests) are forwarded to the Apache web server running on 10.0.0.1 port 80 through the gateway's LAN interface eth0. Replies from the web service are forwarded back to the remote client through the public interface eth1 of the gateway firewall.
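The masquerade and DNAT rules above only rewrite addresses; the translated packets still traverse the FORWARD chain, so a gateway also needs IP forwarding enabled and FORWARD rules that admit exactly that traffic. The following script is an added example, not part of the original post, and assumes a LAN 192.168.1.0/24 on eth0, the public side on eth1 and an internal web server at 192.168.1.10 (an assumed address on the masqueraded LAN); it prints the commands by default and only applies them when DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): gateway NAT rules with a dry-run mode.
# Assumptions (not from the page): LAN 192.168.1.0/24 on eth0, public side on eth1,
# internal web server at 192.168.1.10 (an assumed address on the masqueraded LAN).
LAN_NET=${LAN_NET:-192.168.1.0/24}
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
WEB_SERVER=${WEB_SERVER:-192.168.1.10}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = apply them (needs root)

# run: either print or execute one iptables invocation
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# nat_rules: masquerade LAN clients behind the public address, and DNAT inbound
# HTTP to the internal web server (PREROUTING runs before the routing decision).
nat_rules() {
    run -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    run -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to "$WEB_SERVER:80"
}

# forward_rules: NAT only rewrites addresses; the FORWARD chain must still let the
# translated packets through, and only those (a catch-all REJECT closes the chain).
forward_rules() {
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 -j ACCEPT
    run -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}

# apply_gateway: flush, enable routing between interfaces, then install the rules
apply_gateway() {
    run -F FORWARD
    run -t nat -F
    if [ "$DRY_RUN" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
    forward_rules
    nat_rules
}

apply_gateway
```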

Saving and Restoring IPTables Rules

Like other Linux services, iptables can be managed with the standard RHEL tools. For example, to enable or disable the iptables service at boot:

# chkconfig iptables on/off

To print the rules currently in effect to standard output:

# iptables -L

Rules added with the iptables command are not persistent: if the iptables service is restarted, the rules are flushed. To save the running rules so that they are loaded whenever the iptables service starts, use:

# service iptables save

This command saves the iptables rules to the file /etc/sysconfig/iptables, from which they are automatically applied whenever the iptables service starts:

# cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


As can be seen, this file applies filter-table rules to INPUT network packets. It accepts loopback traffic, ICMP, packets belonging to established connections, and new connections for SSH (TCP port 22) and HTTP (TCP port 80). All other INPUT and FORWARD packets are rejected. Every time the iptables service starts, these rules are applied automatically.
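Because the trailing REJECT is the DENY ALL rule described in the examples section, an ACCEPT appended after it in /etc/sysconfig/iptables can never match, and nothing in iptables warns about that. The following script is an added example, not part of the original post: it reads a ruleset in the saved-file format shown above from standard input, lists the chain policies and flags rules that sit behind an unconditional DROP or REJECT in the same chain. The sample ruleset is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): lint a saved ruleset in the
# iptables-save format used by /etc/sysconfig/iptables before restoring it.
# A rule appended after an unconditional DROP/REJECT in the same chain can never
# match, so an ACCEPT added below the catch-all REJECT silently does nothing.

# shadowed_rules: read a ruleset on stdin and print every rule that follows an
# unconditional terminating rule (-A CHAIN -j DROP|REJECT, no match options).
shadowed_rules() {
    awk '
        /^\*/ { split("", closed); next }      # new table: reset per-chain state
        /^-A / {
            chain = $2
            if (chain in closed) { print "shadowed: " $0; next }
            # catch-all form: -A CHAIN -j DROP|REJECT [--reject-with TYPE]
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT") &&
                (NF == 4 || (NF == 6 && $5 == "--reject-with")))
                closed[chain] = 1
        }'
}

# chain_policies: print "CHAIN POLICY" for each chain header (:NAME POLICY [pkts:bytes])
chain_policies() {
    awk '/^:/ { sub(/^:/, "", $1); print $1, $2 }'
}

# Constructed sample (not a real file): the saved ruleset from the post with one
# extra HTTP allow rule mistakenly appended after the catch-all REJECT.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

echo "Chain policies:";   sample_ruleset | chain_policies
echo "Unreachable rules:"; sample_ruleset | shadowed_rules
```

To check the live file instead, run `shadowed_rules < /etc/sysconfig/iptables`.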
