Netfilter Firewall and Router

From Free Knowledge Base- The DUCK Project: information for everyone
__   _
  -o)/ /  (_)__  __ ____  __      Derek Winterstien
  /\\ /__/ / _ \/ // /\ \/ /      r.o.a.c.h.@.r.o.b.o.t.z...c.o.m
 _\_v __/_/_//_/\_,_/ /_/\_\

supplemental: iptables firewall and internet connection sharing using netfilter under linux.

This messy document has recently been revised


PART I: Education Section

IPTABLES DEFINITIONS (chains)

INPUT

Packets whose destination, after the routing decision, is the firewall itself. Do all filtering for traffic addressed to the firewall here; traffic headed for other hosts never passes through INPUT.

FORWARD

Packets that arrive on one interface and, after the routing decision, are sent out another; they are not addressed to the firewall itself. Do all filtering for traffic passing through to internal hosts here.

A packet that arrives addressed to the firewall's own (public) address can still end up in FORWARD: if a DNAT rule in the nat table's PREROUTING chain rewrites its destination to an internal host, the routing decision sees the new destination and routes it on.

OUTPUT

Packets generated by the firewall itself. Filter outbound traffic from the local host here (locally generated packets also pass the nat OUTPUT and POSTROUTING chains).

PREROUTING

Traversed by every incoming packet before the routing decision, so it is the first chain any packet sees. It does not itself choose between INPUT and FORWARD; it is where DNAT and REDIRECT rewrite the destination so that the routing decision that follows sends the packet to the right place. Do not filter here (the filter table has no PREROUTING chain).

POSTROUTING

Traversed after the routing decision, just before the packet leaves an interface; it is the last chain any packet sees. Used to alter packets that are about to leave the firewall (SNAT, MASQUERADE). Never do filtering here.


NAT targets (nat table only):

  • DNAT: rewrite the destination address and/or port (PREROUTING and OUTPUT chains). This is port forwarding to an internal server.
  • SNAT: rewrite the source address to a fixed address you specify (POSTROUTING chain). Use it when the external address is static.
  • MASQUERADE: SNAT to whatever address the outgoing interface currently has (POSTROUTING chain). Use it for dial-up or DHCP-assigned addresses; tracked connections are forgotten when the interface goes down.
  • REDIRECT: DNAT to the firewall's own address on the incoming interface (PREROUTING and OUTPUT chains), for example to push port 80 into a transparent proxy running on the firewall.


PART II: INSTRUCTIONAL EXAMPLES

BASIC IPTABLES RULES FOR HOME BROADBAND INTERNET CONNECTION SHARING

# Create the file rc.local checks for (Red Hat style init scripts)
touch /var/lock/subsys/local

# Flush old rules in the filter table and in the nat table
/sbin/iptables -F
/sbin/iptables -t nat -F

# Rate-limit ICMP to the firewall: 3 packets per second on average (burst 5), the rest dropped.
# -m limit counts packets, not connections, and a bare "--limit 3" means 3 per HOUR.
# With the default ACCEPT policy the DROP rule below is what makes the limit take effect.
/sbin/iptables -A INPUT -p icmp -m limit --limit 3/second -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j DROP

# Forward packets from the LAN (eth1) out to the Internet (eth0), and only replies back in
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 10.10.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# This is the main part: Internet connection sharing. Rewrite the source address of LAN packets
# leaving eth0 to eth0's current address (MASQUERADE suits a dynamic address; use SNAT for a static one)
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.10.0.0/24 -j MASQUERADE

note: iptables rules are not kept across a reboot. You can place these commands in /etc/rc.local so they run at boot (rc.local runs last, after the network interfaces are up), or dump the running rules with iptables-save and load them at boot with iptables-restore. Do not forget to enable packet forwarding in the kernel: without it the FORWARD chain never sees a packet and the LAN simply has no Internet access. You can do this in rc.local as well, or make it permanent with net.ipv4.ip_forward = 1 in /etc/sysctl.conf (see the sysctl section below).

echo 1 > /proc/sys/net/ipv4/ip_forward
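A complete version of this procedure, written as an added example and not code from the original page: it renders the same connection-sharing rules as an iptables-restore file, so the filter and nat tables load in one atomic step, and adds what the snippet above leaves implicit (loopback, the stateful reply rule, a DROP behind the ICMP limit, DROP policies). Interface names, the LAN subnet and the function names are assumptions, with the page's values (eth0 = Internet, eth1 = LAN, 10.10.0.0/24) as defaults.

```shell
#!/bin/sh
# Added example, not from the original page. Generates an iptables-restore
# ruleset for home connection sharing and applies it only when asked.
# Assumed: eth0 faces the Internet, eth1 the LAN, LAN is 10.10.0.0/24.

# gen_ruleset WAN_IF LAN_IF LAN_NET -> prints an iptables-restore ruleset
gen_ruleset() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade LAN sources leaving on the Internet interface
-A POSTROUTING -o $wan -s $net -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the firewall itself: loopback, replies to its own connections, the LAN
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $lan -s $net -j ACCEPT
# ICMP to the firewall: 3 per second (burst 5); everything above that hits the
# DROP that follows. The unit matters: a bare "--limit 3" means 3 per hour.
-A INPUT -p icmp -m limit --limit 3/second --limit-burst 5 -j ACCEPT
-A INPUT -p icmp -j DROP
# through the firewall: LAN out, and only replies back in
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# apply_ruleset WAN_IF LAN_IF LAN_NET: enable forwarding and load atomically.
# iptables-restore rejects the whole file on any error and leaves the
# running rules untouched, unlike a half-executed list of iptables commands.
apply_ruleset() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_ruleset "$1" "$2" "$3" | iptables-restore
}

# rule_count RULESET CHAIN -> number of -A lines for CHAIN (a sanity check
# before applying; a chain with no rules usually means a typo above)
rule_count() {
    printf '%s\n' "$1" | grep -c -e "^-A $2 "
}

# only touches the kernel when explicitly asked: sh script.sh --apply [wan lan net]
if [ "${1:-}" = "--apply" ]; then
    apply_ruleset "${2:-eth0}" "${3:-eth1}" "${4:-10.10.0.0/24}"
fi
```

Without --apply the script only defines the functions; `gen_ruleset eth0 eth1 10.10.0.0/24` prints the file for review, and `sh script.sh --apply` as root loads it. Because iptables-restore refuses the whole file on any syntax error, a typo cannot leave the firewall half-configured the way a failing command in the middle of rc.local can.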

DELETING RULES AND KEEPING THEM IN THE SAME ORDER

The order of iptables rules is significant: the first rule that matches decides. Deleting a rule and "re-adding" it with -A appends it to the end of the chain, behind any final REJECT or DROP rule, so it may never be reached again. Some preconfigured firewalls have sections that are not meant to be user-edited.

You may wish to experiment without the risk of locking yourself out of an iptables firewall appliance. One approach is to remove a block of rules and add them again in the same order; -D with a rule specification deletes the first rule that matches that specification exactly, so check the current order first with iptables -S INPUT or iptables -L INPUT --line-numbers. (example)

#FLUSH ALL INPUT RULES SO THEY CAN BE RELOADED
iptables -D INPUT -j LAN_ACCEPT
iptables -D INPUT -p icmp -j ACCEPT
iptables -D INPUT -p gre -j ACCEPT
iptables -D INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -D INPUT -j REJECT --reject-with icmp-port-unreachable

#RELOAD THEM IN THE SAME ORDER
iptables -A INPUT -j LAN_ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

Because the final REJECT rules are deleted and re-added along with everything else, a change to one of the middle rules cannot end up behind them where it would never match.

You can also replace a rule in place with -R (iptables -R INPUT 3 <rule-spec> replaces the third rule of INPUT) or insert at a position with -I INPUT 3 <rule-spec>. -R fails if that rule number does not exist, and both fail if the rule specification is invalid (a chain or match that does not exist, for instance). All of these act on the filter table unless you add -t nat.
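An added example (not from the original page) of the two things that make editing a live chain safer: computing the position of the chain's first catch-all REJECT/DROP rule so a new rule can be inserted in front of it with -I instead of flushing and re-adding everything, and applying a change with a timed automatic rollback so a mistake cannot lock you out. The listing is constructed in the format iptables -S INPUT prints (using the page's LAN_ACCEPT chain); the function names and the /tmp/iptables.rollback path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page.

# Constructed sample of "iptables -S INPUT" output (the page's chain layout).
SAMPLE_LISTING='-P INPUT DROP
-A INPUT -j LAN_ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# first_terminal_index LISTING -> 1-based position of the first REJECT/DROP
# rule in the chain, i.e. the rulenum for "iptables -I CHAIN rulenum ..." so
# the new rule lands just before the catch-all rules. Policy lines (-P) are
# not rules and are skipped; prints rules+1 if there is no such rule.
first_terminal_index() {
    printf '%s\n' "$1" | awk '
        /^-A / { n++; if ($0 ~ /-j (REJECT|DROP)( |$)/) { print n; found = 1; exit } }
        END { if (!found) print n + 1 }'
}

# insert_cmd CHAIN LISTING RULE... -> the iptables command that inserts RULE
# at the computed position (printed, not executed, so it can be reviewed)
insert_cmd() {
    chain="$1"; listing="$2"; shift 2
    idx=$(first_terminal_index "$listing")
    printf 'iptables -I %s %s %s\n' "$chain" "$idx" "$*"
}

# apply_with_rollback SECONDS CMD...: snapshot the running rules, run CMD,
# and restore the snapshot after SECONDS unless confirm_rules is run first.
# If the change cuts off your SSH session, the old rules come back on their own.
apply_with_rollback() {
    delay="$1"; shift
    iptables-save > /tmp/iptables.rollback || return 1
    "$@" || return 1
    ( sleep "$delay"
      [ -f /tmp/iptables.rollback ] && iptables-restore < /tmp/iptables.rollback ) &
    echo "rollback scheduled in ${delay}s; run confirm_rules to keep the change"
}
confirm_rules() { rm -f /tmp/iptables.rollback; }
```

`insert_cmd INPUT "$(iptables -S INPUT)" -p tcp --dport 22 -s 10.10.0.0/24 -j ACCEPT` prints the -I command with the right rulenum (4 for the listing above, in front of the two REJECT rules); `apply_with_rollback 60 sh ./newrules.sh` loads the new rules and reverts them a minute later unless confirm_rules is run, which is the standard way to edit a firewall you are logged into remotely.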


PART III: WORKING EXAMPLES AND RELATED MATERIAL

WATCH MASQUERADED LAN TRAFFIC (SEE WHAT USERS ARE CONNECTING TO)

cat /proc/net/ip_conntrack

On kernels with the newer nf_conntrack code the file is /proc/net/nf_conntrack (same fields, each line prefixed with the address family, e.g. "ipv4 2"), and the conntrack tool from conntrack-tools (conntrack -L) prints the same table. Each entry lists the original tuple (what the LAN client sent, before masquerading rewrote the source) followed by the reply tuple, so the first src= and dst= on a line are the LAN host and the site it is talking to.
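Raw conntrack output is hard to read at a glance. The following added example (not from the original page) reduces it to "LAN host -> destination:port proto" lines plus a count of the busiest destinations. The sample entries are constructed in the /proc/net/ip_conntrack format with documentation addresses; the LAN prefix argument, the function names and the assumption that 198.51.100.7 is the firewall's own public address are mine.

```shell
#!/bin/sh
# Added example, not from the original page.

# Constructed conntrack entries (ip_conntrack format). 10.10.0.x are LAN
# clients behind MASQUERADE, 198.51.100.7 is assumed to be the firewall's
# public address, 203.0.113.x are Internet hosts.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.10.0.5 dst=203.0.113.10 sport=49152 dport=443 packets=12 bytes=1840 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=49152 packets=10 bytes=5120 [ASSURED] mark=0 use=1
udp      17 29 src=10.10.0.5 dst=203.0.113.53 sport=51001 dport=53 packets=1 bytes=60 [UNREPLIED] src=203.0.113.53 dst=198.51.100.7 sport=53 dport=51001 packets=0 bytes=0 mark=0 use=1
tcp      6 110 TIME_WAIT src=10.10.0.9 dst=203.0.113.10 sport=40001 dport=80 packets=8 bytes=900 src=203.0.113.10 dst=198.51.100.7 sport=80 dport=40001 packets=6 bytes=3000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.22 sport=33000 dport=22 packets=100 bytes=9000 src=203.0.113.22 dst=198.51.100.7 sport=22 dport=33000 packets=90 bytes=8000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.10.0.9 dst=203.0.113.10 sport=40002 dport=443 packets=3 bytes=300 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=40002 packets=2 bytes=200 [ASSURED] mark=0 use=1
icmp     1 29 src=10.10.0.5 dst=203.0.113.10 type=8 code=0 id=1234 packets=1 bytes=84 src=203.0.113.10 dst=198.51.100.7 type=0 code=0 id=1234 packets=1 bytes=84 mark=0 use=1'

# conntrack_summary LAN_PREFIX TEXT -> one sorted line per flow whose
# ORIGINAL source is inside LAN_PREFIX. The first src=/dst=/dport= on a line
# are the original direction (what the client sent); the second set is the
# reply tuple and is ignored. Flows the firewall itself opened are excluded
# because their source is the public address. ICMP entries have no dport.
conntrack_summary() {
    prefix="$1"
    printf '%s\n' "$2" | awk -v pre="$prefix" '
        NF == 0 { next }
        {
            # /proc/net/nf_conntrack prefixes "ipv4 2"; ip_conntrack and
            # "conntrack -L" start with the protocol name
            proto = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1
            src = ""; dst = ""; dport = ""
            for (i = 2; i <= NF; i++) {
                if (src == "" && $i ~ /^src=/)          src = substr($i, 5)
                else if (dst == "" && $i ~ /^dst=/)     dst = substr($i, 5)
                else if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            target = (dport == "") ? dst : dst ":" dport
            if (index(src, pre) == 1) print src " -> " target " " proto
        }' | sort -u
}

# top_destinations LAN_PREFIX TEXT -> "count destination proto", busiest first
top_destinations() {
    conntrack_summary "$1" "$2" | awk '{ print $3, $4 }' | sort | uniq -c | sort -rn | sed 's/^ *//'
}
```

On a live firewall: `conntrack_summary 10.10.0. "$(cat /proc/net/ip_conntrack)"`, or `conntrack_summary 10.10.0. "$(conntrack -L 2>/dev/null)"` on a newer kernel; the prefix is a plain string match, so give it the full network prefix including the trailing dot.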

MORE SOPHISTICATED INTERNET AND IP-NAT EXAMPLE

touch /var/lock/subsys/local

# connection-tracking helpers so active-mode FTP from the LAN works through NAT
# (on kernels 2.6.20 and later the modules are named nf_conntrack_ftp and nf_nat_ftp)
/sbin/modprobe -a ip_conntrack_ftp
/sbin/modprobe -a ip_nat_ftp

#       eth0: INTERNET ADDRESS   eth1: 10.10.0.1
#       -i --in-interface       -o --out-interface      -p --protocol (tcp, udp, icmp, all) -m --match
/sbin/iptables -F                                                                       # Flush old filter rules
/sbin/iptables -t nat -F                                                                # Flush old NAT rules
/sbin/iptables -X                                                                       # Delete user chains (RATELIMIT below) so the script can be re-run
/sbin/iptables -P INPUT DROP                                                            # default deny: to the firewall
/sbin/iptables -P FORWARD DROP                                                          # default deny: through the firewall
/sbin/iptables -A INPUT -i lo -j ACCEPT                                                 # loopback; local services break without this under policy DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP                      # drop TCP packets with SYN and FIN both set (malformed / scan)
/sbin/iptables -A INPUT -p icmp -m limit --limit 3/second -j ACCEPT                     # ICMP to the firewall: 3/s (burst 5), excess hits the DROP policy
# note on the two rules above: the original "--tcp-flags SYN FIN" examined only the SYN bit and so matched every
# packet WITHOUT SYN, and a bare "--limit 3" means 3 per hour, not 3 per second
# part 1 to establish conduit to an internal MOHAA game server
# (FORWARD in part 2 sees the rewritten destination port, so each port must be mapped to itself)
iptables -t nat -A PREROUTING -p tcp -d X.X.X.X --dport 23 -j DNAT --to 10.10.0.X:23
iptables -t nat -A PREROUTING -p udp -d X.X.X.X --dport 12203 -j DNAT --to 10.10.0.X:12203
iptables -t nat -A PREROUTING -p udp -d X.X.X.X --dport 12300 -j DNAT --to 10.10.0.X:12300
# block sites and networks we don't want such as sitefinder.verisign.com and banners
/sbin/iptables -A FORWARD -p tcp -d 12.158.80.10 -j DROP
/sbin/iptables -A FORWARD -p tcp -d 64.94.110.11 -j DROP
/sbin/iptables -A FORWARD -p tcp -d 216.73.86.0/24 -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -p tcp -d 216.73.85.0/24 -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -p tcp -d 206.65.183.0/24 -j REJECT --reject-with tcp-reset
# protect MS Windows and other computers inside your LAN; no -i/-o, so these also stop an infected LAN host spreading outward
/sbin/iptables -A FORWARD -p udp --dport 4156 -j DROP                                   # slapper
/sbin/iptables -A FORWARD -p tcp --dport 135 -j DROP                                    # MS RPC (msblaster entry point)
/sbin/iptables -A FORWARD -p tcp --dport 136 -j DROP                                    # NetBIOS range
/sbin/iptables -A FORWARD -p tcp --dport 137 -j DROP                                    # NetBIOS name service
/sbin/iptables -A FORWARD -p tcp --dport 138 -j DROP                                    # NetBIOS datagram
/sbin/iptables -A FORWARD -p tcp --dport 139 -j DROP                                    # NetBIOS session / SMB
/sbin/iptables -A FORWARD -p tcp --dport 445 -j DROP                                    # SMB over TCP
/sbin/iptables -A FORWARD -p tcp --dport 593 -j DROP                                    # RPC over HTTP
/sbin/iptables -A FORWARD -p udp --dport 69 -j DROP                                     # tftp (msblaster fetches its payload over tftp)
/sbin/iptables -A FORWARD -p tcp --dport 4444 -j DROP                                   # msblaster backdoor shell
/sbin/iptables -A FORWARD -p udp --dport 135 -j DROP                                    # Windows Messenger service spam
/sbin/iptables -A FORWARD -p udp --dport 1026 -j DROP                                   # Windows Messenger service spam
# flood and scan limiting for traffic coming in from the Internet. The original form, "-m limit ... -j ACCEPT" with no
# interface or destination, was a hole: it ACCEPTED a trickle of SYN, RST or ICMP from anywhere to any LAN host, and
# the replies then passed as ESTABLISHED. Limit in a user chain instead: within budget RETURN to FORWARD, over budget DROP.
/sbin/iptables -N RATELIMIT
/sbin/iptables -A RATELIMIT -m limit --limit 3/second --limit-burst 5 -j RETURN
/sbin/iptables -A RATELIMIT -j DROP
/sbin/iptables -A FORWARD -i eth0 -p tcp --syn -j RATELIMIT                             # Syn-flood protection
/sbin/iptables -A FORWARD -i eth0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j RATELIMIT   # furtive port scanner
/sbin/iptables -A FORWARD -i eth0 -p icmp -j RATELIMIT                                  # ping-flood protection (also caps replies to LAN pings at 3/s)
# part 2 to establish conduit to an internal MOHAA game server: only from the Internet, only to the DNAT'd server
iptables -A FORWARD -i eth0 -o eth1 -d 10.10.0.X -p tcp --dport 23 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -d 10.10.0.X -p udp --dport 12203 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -d 10.10.0.X -p udp --dport 12300 -j ACCEPT
# for Internet sharing
/sbin/iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT          # replies to the firewall's own connections
# machines allowed access to our firewall
/sbin/iptables -A INPUT -i eth1 -s 10.10.0.0/24 -j ACCEPT                               # accept connections from inside
/sbin/iptables -A INPUT -i eth0 -s X.X.X.X/29 -j ACCEPT                                 # friend's /29 has full access to the firewall; narrow with -p tcp --dport if you can
# all computers on our lan are allowed access to Internet via ip masquerade
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 10.10.0.0/24 -j ACCEPT                     # everything from lan, out to inet
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT # replies back in to the lan
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.10.0.0/24 -j MASQUERADE              # masquerade packets from lan ip

RANDOM CODE SAMPLES TO PERFORM VARIOUS TASKS SUCH AS FORWARDING ETC

#####
touch /var/lock/subsys/local
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE      # masquerade everything leaving eth0 (no -s: any source)
iptables -A FORWARD -i eth2 -j ACCEPT                     # anything arriving on eth2 (the LAN) may be forwarded
# Note: there is no rule accepting Internet -> 10.0.0.2 in FORWARD, so the port forwards below rely on the
# FORWARD policy being ACCEPT. With a DROP policy each one needs a matching "-A FORWARD -d 10.0.0.2 -p ... --dport ... -j ACCEPT".

# Public address 202.63.167.192 on eth0, server 10.0.0.2 behind the firewall.
# 995, 80, 25 and 110 are TCP-only services; the udp lines for them are harmless no-ops and can be dropped.
# DNS (53) genuinely needs both.
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p tcp -m tcp --dport 995 -j DNAT --to-destination 10.0.0.2:995
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p udp -m udp --dport 995 -j DNAT --to-destination 10.0.0.2:995
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p udp -m udp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.2:25
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p udp -m udp --dport 25 -j DNAT --to-destination 10.0.0.2:25
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.0.2:110
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p udp -m udp --dport 110 -j DNAT --to-destination 10.0.0.2:110

# Hairpin NAT: LAN clients (192.168.0.0/24 on eth2) that use the public address get the same DNAT.
# No SNAT is needed here because the clients and 10.0.0.2 sit on different interfaces, so the server's
# replies already route back through the firewall, which un-DNATs them. If the server and the clients
# shared a subnet, the server would answer the client directly and a POSTROUTING SNAT to the
# firewall's address would be needed as well.
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p udp -m udp --dport 80 -j DNAT --to-destination 10.0.0.2:80

iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.0.2:110
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p udp -m udp --dport 110 -j DNAT --to-destination 10.0.0.2:110
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p tcp -m tcp --dport 995 -j DNAT --to-destination 10.0.0.2:995
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p udp -m udp --dport 995 -j DNAT --to-destination 10.0.0.2:995
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.2:25
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p udp -m udp --dport 25 -j DNAT --to-destination 10.0.0.2:25
###################
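Each published service needs a DNAT rule and, whenever the FORWARD policy is DROP, a matching FORWARD accept that names the post-DNAT destination; writing the two by hand is how the udp game-port rules earlier on this page ended up mapped to the wrong port. The following added example (not from the original page) generates both from one service list, including the hairpin DNAT for LAN clients. It uses the addresses and interfaces from the snippet above; the service list and the function name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page.

# port_forward_rules PUB_IP WAN_IF SRV_IP LAN_NET LAN_IF "proto/port ..."
# -> iptables commands, printed for review rather than executed.
# Addresses from the page: public 202.63.167.192 on eth0, server 10.0.0.2,
# LAN 192.168.0.0/24 on eth2. Assumes the FORWARD policy is DROP.
port_forward_rules() {
    pub="$1"; wan="$2"; srv="$3"; lan="$4"; lanif="$5"; services="$6"
    # replies for every forwarded connection, whichever direction they take
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for svc in $services; do
        proto=${svc%/*}; port=${svc#*/}
        # Internet -> public IP: rewrite the destination, then let the
        # rewritten packet through FORWARD, restricted to that server and port.
        # The FORWARD match must use the post-DNAT address and port.
        echo "iptables -t nat -A PREROUTING -i $wan -d $pub -p $proto --dport $port -j DNAT --to-destination $srv:$port"
        echo "iptables -A FORWARD -i $wan -d $srv -p $proto --dport $port -m state --state NEW -j ACCEPT"
        # hairpin: LAN clients that use the public name/IP get the same DNAT.
        # No SNAT because the LAN and the server are on different interfaces,
        # so the server's replies already route back through the firewall.
        echo "iptables -t nat -A PREROUTING -i $lanif -s $lan -d $pub -p $proto --dport $port -j DNAT --to-destination $srv:$port"
        echo "iptables -A FORWARD -i $lanif -s $lan -d $srv -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
}

# rule_lines TEXT -> number of generated commands (sanity check: 1 + 4 per service)
rule_lines() {
    printf '%s\n' "$1" | grep -c -e '^iptables '
}
```

`port_forward_rules 202.63.167.192 eth0 10.0.0.2 192.168.0.0/24 eth2 'tcp/80 tcp/25 tcp/110 tcp/995 tcp/53 udp/53' | less` shows the full set for the page's services; pipe to `sh` instead of `less` to apply. Because the DNAT and the FORWARD accept are built from the same proto/port pair, a service cannot be forwarded to one port and accepted on another.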

OPTIONAL SECURITY CONFIGURATIONS FOR YOUR FIREWALL

Turning off answers to ICMP echo requests (ping) hides the firewall from casual probes, and ignoring broadcast echoes stops it from being used as a smurf amplifier. It also makes the firewall harder to troubleshoot, so consider keeping only the broadcast line and rate-limiting the rest with an iptables rule as in the examples above. These settings affect only the firewall's own replies; pings forwarded to LAN hosts are governed by the FORWARD chain. Open /etc/sysctl.conf and add the following lines:

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1

The command 'sysctl -p' applies the modifications immediately (and, because sysctl.conf is read at boot, they persist across reboots).

sysctl -p

or, for the running kernel only:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Keep the space before the '>': "echo 1>/proc/..." is parsed as echo with its standard output redirected to the file, which writes an empty line instead of 1.

You can also block ping with an iptables rule and still allow other ICMP types. Do not drop ICMP wholesale: destination-unreachable, time-exceeded and fragmentation-needed are required for working TCP and path MTU discovery. Type 8 is echo-request (--icmp-type echo-request is the same thing). The rule must come before any "-p icmp ... -j ACCEPT" rule in the chain, or it is never reached; use -I rather than -A if the accept rule is already loaded.

iptables -A INPUT -p icmp --icmp-type 8 -s SourceIPAddress -j DROP

BLOCK OR RESTRICT INTERNET TRAFFIC TO SPECIFIC CLIENTS ON LAN

For clients with a static IP address on your LAN, you can restrict Internet traffic on a per-host basis. The match is on the source IP, so a user who changes their address escapes it; -m mac --mac-source adds a check on the client's Ethernet address, which is harder (though not impossible) to change.

In this example all Internet hosts (including web sites) are blocked for one LAN host with a static IP, except that the user is allowed to reach one specific network, robotz.com (64.21.192.0/19).

The following rules go after:

/sbin/iptables -A INPUT -p icmp -m limit --limit 3 -j ACCEPT

(and also after any specific hosts being blocked for all users), and they must come before the general LAN rule (/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 10.10.0.0/24 -j ACCEPT), which would otherwise match first and let the host out.

# allow the restricted host to reach robotz.com's network, any protocol
/sbin/iptables -A FORWARD -s 192.168.254.7 -d 64.21.192.0/19 -j ACCEPT
# reject everything else from that host: TCP with a reset, other protocols (UDP DNS, ICMP) with port-unreachable.
# The original pair matched only -p tcp, so UDP and ICMP from the host still got through.
/sbin/iptables -A FORWARD -p tcp -s 192.168.254.7 -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -s 192.168.254.7 -j REJECT --reject-with icmp-port-unreachable

First rule: if the destination is in robotz.com's network, let the internal host through. Second and third rules: block everything else from that host, answering TCP with a reset so its connection attempts fail immediately instead of timing out.