Netfilter Firewall and Router
Derek Winterstien, r.o.a.c.h.@.r.o.b.o.t.z...c.o.m
Supplemental: iptables firewall and Internet connection sharing using netfilter under Linux.
This messy document has recently been revised
Contents
- 1 PART I: Education Section
- 2 PART II: INSTRUCTIONAL EXAMPLES
- 3 PART III: WORKING EXAMPLES AND RELATED MATERIAL
- 3.1 WATCH MASQUERADED LAN TRAFFIC (SEE WHAT USERS ARE CONNECTING TO)
- 3.2 MORE SOPHISTICATED INTERNET AND IP-NAT EXAMPLE
- 3.3 RANDOM CODE SAMPLES TO PERFORM VARIOUS TASKS SUCH AS FORWARDING ETC
- 3.4 OPTIONAL SECURITY CONFIGURATIONS FOR YOUR FIREWALL
- 3.5 BLOCK OR RESTRICT INTERNET TRAFFIC TO SPECIFIC CLIENTS ON LAN
PART I: Education Section
IPTABLES DEFINITIONS (chains)
INPUT
Meant solely for packets addressed to the local host, i.e. those that are not routed on to any other destination. Do all filtering for packets destined for the firewall itself here.
FORWARD
All packets passing through the firewall: those that, after the first routing decision, are not destined for the local machine itself. Do all filtering for packets passing through to other internal hosts here.
A packet may originally be addressed to the local machine, but its destination address can be changed in the PREROUTING chain by NAT, after which it is forwarded instead.
OUTPUT
Filters outbound packets from the local host. Locally generated packets are handled in the OUTPUT chain.
PREROUTING
Decides whether a packet goes to the local machine (INPUT) or is forwarded (FORWARD); destination NAT is done here. It runs before all other chains, the very first chain a packet traverses.
POSTROUTING
After routing, the very last chain after all others. Used to alter packets just as they are about to leave the firewall. Never do filtering here.
nat table targets:
- DNAT
- SNAT
- MASQUERADE
- REDIRECT
PART II: INSTRUCTIONAL EXAMPLES
BASIC IPTABLES RULES FOR HOME BROADBAND INTERNET CONNECTION SHARING
# Create file
touch /var/lock/subsys/local
# Flush old rules
/sbin/iptables -F
# Accept ICMP at an average of 3 packets per second (-m limit); the excess falls through to later rules
/sbin/iptables -A INPUT -p icmp -m limit --limit 3 -j ACCEPT
# Forward packets from eth1 (LAN) to eth0 (internet) outbound
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 10.10.0.0/24 -j ACCEPT
# This is the main part: internet connection sharing
/sbin/iptables -A POSTROUTING -t nat -o eth0 -s 10.10.0.0/24 -j MASQUERADE
Note: you can place these iptables rules in your /etc/rc.local file; they will then be executed when the system starts. Do not forget to enable packet forwarding in the kernel, which you can also do in rc.local:
echo 1 > /proc/sys/net/ipv4/ip_forward
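The same connection-sharing setup as a complete rc.local-style script, added here as an example and not the author's own code. It assumes eth0 is the Internet interface, eth1 the LAN interface and 10.10.0.0/24 the LAN network, and it adds what the four rules above leave to the default ACCEPT policies: DROP policies on INPUT and FORWARD, a conntrack rule so replies to LAN connections get back in, a loopback rule, and the ip_forward switch. The DRY_RUN variable and the ipt/build_rules/enable_forwarding/count_rules names are this example's own; with DRY_RUN=1 it prints the rules instead of applying them, which is how you check the order before running it as root.

```shell
#!/bin/sh
# Added example: home broadband connection sharing with netfilter.
# Assumed interfaces and network (change to match your box):
WAN=${WAN:-eth0}                 # Internet-facing interface
LAN=${LAN:-eth1}                 # LAN-facing interface
LAN_NET=${LAN_NET:-10.10.0.0/24} # LAN network

# ipt: run iptables, or just print the command when DRY_RUN=1
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

# build_rules: emit the complete ruleset in order. Order matters: with DROP
# policies, anything not matched by an ACCEPT below is silently discarded.
build_rules() {
    ipt -F
    ipt -t nat -F
    # default to dropping anything not explicitly allowed
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # loopback, and replies to the firewall's own connections
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the LAN may talk to the firewall itself (ssh, dns, ...)
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    # at most 3 ICMP packets/s on average; the excess hits the DROP policy
    ipt -A INPUT -p icmp -m limit --limit 3/second -j ACCEPT
    # LAN -> Internet, and the replies coming back
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the actual connection sharing: rewrite LAN source addresses to the WAN address
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# enable_forwarding: without this the FORWARD chain never sees a packet
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# count_rules: number of commands the ruleset generates (dry-run sanity check)
count_rules() {
    ( DRY_RUN=1; build_rules ) | wc -l | tr -d ' '
}

# Apply only when called as: sh firewall.sh apply   (otherwise just define functions)
if [ "${1:-}" = apply ]; then
    enable_forwarding
    build_rules
fi
```

Run `DRY_RUN=1 sh firewall.sh apply` first and read the output top to bottom: the MASQUERADE rule must be the last line, and the two FORWARD ACCEPTs must be the only way through the FORWARD DROP policy.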
DELETING RULES AND KEEPING THEM IN THE SAME ORDER
The order of iptables rules is significant. Deleting a rule and then "re-adding" it may give undesired results, because -A appends the rule at the end of the chain rather than putting it back where it was. Some preconfigured firewalls have sections that are not meant to be user-edited.
You may wish to experiment without the risk of locking yourself out of an iptables firewall appliance. You can remove a chain of rules and add them again in the same order (example):
#FLUSH ALL INPUT RULES SO THEY CAN BE RELOADED
iptables -D INPUT -j LAN_ACCEPT
iptables -D INPUT -p icmp -j ACCEPT
iptables -D INPUT -p gre -j ACCEPT
iptables -D INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -D INPUT -j REJECT --reject-with icmp-port-unreachable
#RELOAD THEM IN THE SAME ORDER
iptables -A INPUT -j LAN_ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
Because the entire set is reloaded, the final REJECT rules stay last, so changes to the middle rules are not stuck behind them.
You can also replace a rule in place with -R (by rule number); however, there are circumstances where this will fail.
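The reload pattern above as a script, added here as an example and not part of the original page: the rules for a chain live in a plain file, one rule spec per line, and reload_chain deletes each one and then appends them again in file order, so the REJECT lines end up last exactly as before. rollback_in snapshots the whole ruleset with iptables-save before a change and restores it after a timeout unless confirm_rules is run, which is the usual guard against locking yourself out of a remote box. The IPT, IPT_SAVE, IPT_RESTORE and ROLLBACK_FILE variables and the function names are this example's assumptions; setting IPT=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: reload a chain's rules in a fixed order, with a rollback timer.
IPT=${IPT:-/sbin/iptables}
IPT_SAVE=${IPT_SAVE:-/sbin/iptables-save}
IPT_RESTORE=${IPT_RESTORE:-/sbin/iptables-restore}
ROLLBACK_FILE=${ROLLBACK_FILE:-/var/tmp/iptables.rollback}   # assumed location

# each_spec FILE CMD...: run CMD once per non-empty, non-comment line of FILE,
# with the line split into iptables arguments (the unquoted $spec is intended)
each_spec() {
    file=$1; shift
    while IFS= read -r spec || [ -n "$spec" ]; do
        case $spec in ''|'#'*) continue ;; esac
        "$@" $spec
    done < "$file"
}

# reload_chain CHAIN FILE: delete every listed rule from CHAIN, then append
# them all again in file order. Order is preserved because -A always appends,
# so the final REJECT lines end up last, exactly as they were.
reload_chain() {
    chain=$1; file=$2
    each_spec "$file" "$IPT" -D "$chain"
    each_spec "$file" "$IPT" -A "$chain"
}

# rollback_in SECONDS: snapshot the live ruleset and, unless confirm_rules is
# run before the timer expires, restore it. Run this before editing remotely.
rollback_in() {
    "$IPT_SAVE" > "$ROLLBACK_FILE"
    ( sleep "$1"; [ -f "$ROLLBACK_FILE" ] && "$IPT_RESTORE" < "$ROLLBACK_FILE" ) &
}

# confirm_rules: the new rules work and you can still log in, cancel the rollback
confirm_rules() {
    rm -f "$ROLLBACK_FILE"
}

# Usage (constructed INPUT rules, the same five as above, in input.rules):
#   -j LAN_ACCEPT
#   -p icmp -j ACCEPT
#   -p gre -j ACCEPT
#   -p tcp -j REJECT --reject-with tcp-reset
#   -j REJECT --reject-with icmp-port-unreachable
# then: rollback_in 120 && reload_chain INPUT input.rules && confirm_rules
```

If the ruleset is yours to replace wholesale, `iptables-restore` applies a saved file atomically and is the safer tool; reload_chain is for the case the text describes, where other sections of the firewall must stay untouched.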
PART III: WORKING EXAMPLES AND RELATED MATERIAL
WATCH MASQUERADED LAN TRAFFIC (SEE WHAT USERS ARE CONNECTING TO)
cat /proc/net/ip_conntrack
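An added example of reading that table (not from the page): an awk-based function that reduces the raw conntrack lines to "LAN host -> remote:port/proto" pairs and counts them, so you see at a glance which users are talking to what. Only the first src=/dst=/dport= fields of each line are used, because they describe the original (LAN to Internet) direction; the second set is the reply tuple. The sample lines are constructed. On current kernels the same data lives in /proc/net/nf_conntrack, whose lines carry an extra "ipv4 2" prefix; matching key=value fields rather than column positions keeps the function working for both, and `conntrack -L` from conntrack-tools gives the same view. LAN_PREFIX and the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise masqueraded LAN connections from the conntrack table.
LAN_PREFIX=${LAN_PREFIX:-10.10.0.}   # assumed LAN, matches the 10.10.0.0/24 used above

# conntrack_summary [FILE]: print "count<TAB>lan_host -> remote:port/proto",
# most frequent first. Reads FILE (default /proc/net/ip_conntrack), or stdin when FILE is '-'.
conntrack_summary() {
    src=${1:-/proc/net/ip_conntrack}
    awk -v lan="$LAN_PREFIX" '
    {
        proto = ""; s = ""; d = ""; dp = ""
        # the first src=/dst=/dport= seen are the original direction (LAN -> Internet);
        # the second set is the reply tuple and is skipped
        for (i = 1; i <= NF; i++) {
            if ($i == "tcp" || $i == "udp" || $i == "icmp") { if (proto == "") proto = $i }
            else if ($i ~ /^src=/ && s == "")    s  = substr($i, 5)
            else if ($i ~ /^dst=/ && d == "")    d  = substr($i, 5)
            else if ($i ~ /^dport=/ && dp == "") dp = substr($i, 7)
        }
        # keep only flows that originate inside the LAN
        if (proto != "" && index(s, lan) == 1)
            count[s " -> " d ":" dp "/" proto]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' "$src" | sort -rn
}

# Constructed sample in /proc/net/ip_conntrack format (reply tuple included), for a dry run.
# The last line is an inbound attempt at the firewall itself, not a masqueraded flow.
sample_conntrack() {
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=10.10.0.5 dst=198.51.100.7 sport=51234 dport=443 src=198.51.100.7 dst=203.0.113.1 sport=443 dport=51234 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.10.0.5 dst=198.51.100.7 sport=51235 dport=443 src=198.51.100.7 dst=203.0.113.1 sport=443 dport=51235 [ASSURED] use=1
udp      17 29 src=10.10.0.9 dst=192.0.2.53 sport=40001 dport=53 src=192.0.2.53 dst=203.0.113.1 sport=53 dport=40001 use=1
tcp      6 60 SYN_SENT src=203.0.113.99 dst=203.0.113.1 sport=4444 dport=22 [UNREPLIED] src=203.0.113.1 dst=203.0.113.99 sport=22 dport=4444 use=1
EOF
}

# Usage:  conntrack_summary                      (live table on the firewall)
#         sample_conntrack | conntrack_summary - (the constructed sample)
```

The sample yields two lines: "2  10.10.0.5 -> 198.51.100.7:443/tcp" and "1  10.10.0.9 -> 192.0.2.53:53/udp"; the inbound SYN_SENT entry is excluded because its source is not a LAN address.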
MORE SOPHISTICATED INTERNET AND IP-NAT EXAMPLE
touch /var/lock/subsys/local
/sbin/modprobe -a ip_nat_ftp
/sbin/modprobe -a ip_conntrack_ftp
# eth0: INTERNET ADDRESS   eth1: 10.10.0.1
# -i --in-interface   -o --out-interface   -p --protocol (tcp, udp, icmp, all)   -m --match
/sbin/iptables -F                                 # Flush old tables
/sbin/iptables -t nat -F                          # Flush NAT rules
/sbin/iptables -P INPUT DROP                      # default policy: drop anything not accepted below
/sbin/iptables -P FORWARD DROP                    #
/sbin/iptables -A INPUT -p icmp -m limit --limit 3 -j ACCEPT   # ping of death (3 ICMP/s on average, the rest hit the DROP policy)
# part 1 to establish conduit to an internal MOHAA game server
# (the DNAT keeps the destination port unchanged so the FORWARD rules in part 2 match)
iptables -t nat -A PREROUTING -p tcp -d X.X.X.X --dport 23 -j DNAT --to 10.10.0.X:23
iptables -t nat -A PREROUTING -p udp -d X.X.X.X --dport 12203 -j DNAT --to 10.10.0.X:12203
iptables -t nat -A PREROUTING -p udp -d X.X.X.X --dport 12300 -j DNAT --to 10.10.0.X:12300
# block sites and networks we dont want such as sitefinder.verisign.com and banners
/sbin/iptables -A FORWARD -p tcp -d 12.158.80.10 -j DROP
/sbin/iptables -A FORWARD -p tcp -d 64.94.110.11 -j DROP
/sbin/iptables -A FORWARD -p tcp -d 216.73.86.0/24 -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -p tcp -d 216.73.85.0/24 -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -p tcp -d 206.65.183.0/24 -j REJECT --reject-with tcp-reset
# protect your ms windowze and other computers inside your lan
/sbin/iptables -A FORWARD -p udp --dport 4156 -j DROP   # slapper
/sbin/iptables -A FORWARD -p tcp --dport 135 -j DROP    # msblaster
/sbin/iptables -A FORWARD -p tcp --dport 136 -j DROP    # msblaster
/sbin/iptables -A FORWARD -p tcp --dport 137 -j DROP    # msblaster
/sbin/iptables -A FORWARD -p tcp --dport 138 -j DROP    # msblaster
/sbin/iptables -A FORWARD -p tcp --dport 139 -j DROP    # msblaster
/sbin/iptables -A FORWARD -p tcp --dport 445 -j DROP    # msblaster
/sbin/iptables -A FORWARD -p tcp --dport 593 -j DROP    # msblaster
/sbin/iptables -A FORWARD -p udp --dport 69 -j DROP     # tftp
/sbin/iptables -A FORWARD -p tcp --dport 4444 -j DROP   # tftp
/sbin/iptables -A FORWARD -p udp --dport 135 -j DROP    # Windows Messenger
/sbin/iptables -A FORWARD -p udp --dport 1026 -j DROP   # Windows Messenger
# part 2 to establish conduit to an internal MOHAA game server
iptables -A FORWARD -p tcp --dport 23 -j ACCEPT
iptables -A FORWARD -p udp --dport 12203 -j ACCEPT
iptables -A FORWARD -p udp --dport 12300 -j ACCEPT
# for Internet sharing
/sbin/iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT   # established connections
# machines allowed access to our firewall
/sbin/iptables -A INPUT -i eth1 -s 10.10.0.0/24 -j ACCEPT   # accept connections from inside
/sbin/iptables -A INPUT -i eth0 -s X.X.X.X/29 -j ACCEPT     # friend has access to firewall
# more security related stuff
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP   # drop TCP packets with both SYN and FIN set (mask and compare must both list the flags)
/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 3 -j ACCEPT   # Syn-flood protection
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 3 -j ACCEPT   # furtive port scanner
/sbin/iptables -A FORWARD -p icmp -m limit --limit 3 -j ACCEPT   # ping of death protection
# NOTE: the three limit+ACCEPT rules above match in both directions, so they also admit
# up to 3 such packets/s from eth0 into the LAN; add -i eth1 to confine them to LAN-originated traffic
# all computers on our lan are allowed access to Internet via ip masquerade
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 10.10.0.0/24 -j ACCEPT   # everything from lan, out to inet
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A POSTROUTING -t nat -o eth0 -s 10.10.0.0/24 -j MASQUERADE   # masquerade packets from lan ip
RANDOM CODE SAMPLES TO PERFORM VARIOUS TASKS SUCH AS FORWARDING ETC
#####
touch /var/lock/subsys/local
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth2 -j ACCEPT
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p tcp -m tcp --dport 995 -j DNAT --to-destination 10.0.0.2:995
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p udp -m udp --dport 995 -j DNAT --to-destination 10.0.0.2:995
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p udp -m udp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.2:25
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p udp -m udp --dport 25 -j DNAT --to-destination 10.0.0.2:25
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.0.2:110
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p udp -m udp --dport 110 -j DNAT --to-destination 10.0.0.2:110
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p udp -m udp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.0.2:110
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p udp -m udp --dport 110 -j DNAT --to-destination 10.0.0.2:110
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p tcp -m tcp --dport 995 -j DNAT --to-destination 10.0.0.2:995
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p udp -m udp --dport 995 -j DNAT --to-destination 10.0.0.2:995
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.2:25
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p udp -m udp --dport 25 -j DNAT --to-destination 10.0.0.2:25
###################
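The port-forwarding half of that snippet as a function, added here as an example that is not the page's code, so the repetitive PREROUTING lines come from one place and each published port gets three things at once: the DNAT for packets arriving from the Internet, the same DNAT for LAN clients that use the public address (the "hairpin" case the -i eth2 lines above cover), and a FORWARD ACCEPT, which the snippet relies on the default policy for. It also adds a POSTROUTING MASQUERADE for the hairpinned copy; that rule only matters when the server sits in the same subnet as the clients, where the server would otherwise answer the client directly with its private address and the client would reset the connection, and it costs you the client address in the server's logs, so leave it out when the server is on its own subnet as in the snippet. Addresses are the snippet's (202.63.167.192 on eth0, 192.168.0.0/24 on eth2, server 10.0.0.2); IPT, the function names and the NEW-state ACCEPT are this example's own, and IPT=echo prints instead of applying.

```shell
#!/bin/sh
# Added example: publish an internal server on the firewall's public address.
IPT=${IPT:-/sbin/iptables}
WAN_IF=${WAN_IF:-eth0}
WAN_IP=${WAN_IP:-202.63.167.192}
LAN_IF=${LAN_IF:-eth2}
LAN_NET=${LAN_NET:-192.168.0.0/24}
SERVER=${SERVER:-10.0.0.2}

# forward_port PROTO PORT [SERVER_PORT]
#  1. DNAT connections to the public address on PORT to SERVER:SERVER_PORT,
#     both from the Internet and hairpinned from the LAN,
#  2. allow the new connection through FORWARD (it arrives already rewritten),
#  3. MASQUERADE the hairpinned copy so the server replies via the firewall
#     (needed only when SERVER shares the clients' subnet; hides the client
#     address from the server, so remove it otherwise).
forward_port() {
    proto=$1; port=$2; sport=${3:-$2}
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$SERVER:$sport"
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$WAN_IP" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$SERVER:$sport"
    "$IPT" -A FORWARD -d "$SERVER" -p "$proto" --dport "$sport" -m state --state NEW -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -d "$SERVER" -p "$proto" --dport "$sport" -j MASQUERADE
}

# publish_services: the services from the snippet above. UDP on 25/80/110/995
# carries nothing for those protocols and is left out; DNS needs both.
publish_services() {
    forward_port tcp 80
    forward_port tcp 25
    forward_port tcp 110
    forward_port tcp 995
    forward_port tcp 53
    forward_port udp 53
    # replies to the forwarded connections (and to everything else already tracked)
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# count_forward_rules: how many commands publish_services emits (dry-run helper)
count_forward_rules() {
    ( IPT=echo; publish_services ) | wc -l | tr -d ' '
}

# Usage: IPT=echo sh publish.sh   to review, then run as root to apply:
#   publish_services
```

The optional third argument lets the public port differ from the server's port (for example `forward_port tcp 8080 80`); the FORWARD rule then matches the server's port, because by the time the packet reaches FORWARD the DNAT has already rewritten it.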
OPTIONAL SECURITY CONFIGURATIONS FOR YOUR FIREWALL
Turning off answers to ICMP echo requests (such as ping) may help to avoid some types of attacks. Open /etc/sysctl.conf and add the following lines:
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1
The command 'sysctl -p' makes these modifications take effect immediately:
sysctl -p
or
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
You can also block ping with an iptables rule while still allowing other types of ICMP traffic:
iptables -A INPUT -p icmp --icmp-type 8 -s SourceIPAddress -j DROP
BLOCK OR RESTRICT INTERNET TRAFFIC TO SPECIFIC CLIENTS ON LAN
For clients with a static IP address on your LAN, you can restrict Internet traffic on a per-host basis.
In this example every Internet host (including web sites) is blocked for one LAN host with a static IP, except that the user is allowed access to one specific network, robotz.com.
The following rules go after:
/sbin/iptables -A INPUT -p icmp -m limit --limit 3 -j ACCEPT
(and also after any rules that restrict specific Internet hosts for all users)
/sbin/iptables -A FORWARD -p tcp -s 192.168.254.7 -d 64.21.192.0/19 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -s 192.168.254.7 -d 0.0.0.0/0 -j REJECT --reject-with tcp-reset
The first line allows the internal host to reach the robotz.com network; the second line rejects everything else from that internal host.
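An added example, not from the page, that generalises the two rules into a function confining one LAN host to a list of allowed destination networks. Two things the pair above leaves open are handled: they match only TCP, so UDP (DNS, for instance) and ICMP from the restricted host still reach the Internet, and they only work if they precede the general "LAN to Internet" ACCEPT in FORWARD, which the page arranges by placement. The function rejects every protocol (tcp-reset for TCP so browsers fail fast, port-unreachable for the rest), matches on the outgoing interface so traffic to the firewall and to other LAN hosts is unaffected, and uses -I to insert at the top of FORWARD, inserting the REJECTs first so the ACCEPTs land above them. Addresses are the page's (192.168.254.7 and 64.21.192.0/19); eth0 as the Internet interface, IPT and the function names are this example's assumptions, and IPT=echo prints instead of applying.

```shell
#!/bin/sh
# Added example: confine one LAN host to an allowlist of destination networks.
IPT=${IPT:-/sbin/iptables}
WAN_IF=${WAN_IF:-eth0}     # assumed Internet interface

# restrict_host HOST NET [NET...]
# Everything HOST sends toward the Internet is rejected unless the destination
# is one of the NETs. -I inserts at the top of FORWARD, ahead of the general
# "LAN -> Internet ACCEPT", so insert order is the reverse of match order:
# generic REJECT first, TCP REJECT second, ACCEPTs last (ending up on top).
restrict_host() {
    host=$1; shift
    "$IPT" -I FORWARD -o "$WAN_IF" -s "$host" -j REJECT --reject-with icmp-port-unreachable
    "$IPT" -I FORWARD -o "$WAN_IF" -s "$host" -p tcp -j REJECT --reject-with tcp-reset
    for net in "$@"; do
        "$IPT" -I FORWARD -o "$WAN_IF" -s "$host" -d "$net" -j ACCEPT
    done
}

# unrestrict_host HOST NET [NET...]: remove exactly the rules restrict_host added,
# with the same NET list (a -D must match the rule spec exactly)
unrestrict_host() {
    host=$1; shift
    for net in "$@"; do
        "$IPT" -D FORWARD -o "$WAN_IF" -s "$host" -d "$net" -j ACCEPT
    done
    "$IPT" -D FORWARD -o "$WAN_IF" -s "$host" -p tcp -j REJECT --reject-with tcp-reset
    "$IPT" -D FORWARD -o "$WAN_IF" -s "$host" -j REJECT --reject-with icmp-port-unreachable
}

# The page's case: 192.168.254.7 may only reach robotz.com's 64.21.192.0/19
#   restrict_host 192.168.254.7 64.21.192.0/19
# Review first with:  IPT=echo sh restrict.sh, then as root without IPT set.
```

Because the rules key on the static LAN address, a host that changes its address escapes them; pin the address in the DHCP server or use MAC-based matching if that is a concern on your LAN.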