LAB - Chapter 10.1 - Firewall - IPTable

04/11/2022

 

Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE

• Introduction
• Characteristics
• IPTable package
• Packet processing
• IPTable tables
  o Filter
  o NAT
  o MANGLE
• Practice


• Firewall for Linux:
  o Netfilter and iptables are the building blocks of the packet-filtering framework
    inside the Linux kernel (introduced with 2.4.x, present in 2.6.x and every later
    kernel; nftables is its successor, and current iptables binaries often translate
    rules to nftables underneath).
  o This framework enables
    • packet filtering,
    • network address [and port] translation (NA[P]T) and
    • other packet mangling.
• Versions
  o ipfwadm: Linux kernel 2.0.34
  o ipchains: Linux kernel 2.2.*
  o iptables: Linux kernel 2.4.* and later


• Stateful packet inspection
  o The firewall keeps track of each connection passing through it (connection tracking, "conntrack").
  o This is an important feature in supporting active FTP and VoIP, whose data channels
    are opened on ports negotiated inside the control connection.
• Filtering packets based on the source MAC address (IPv4/IPv6)
  o Very important in WLANs and similar environments. Caveat: a MAC address is only
    visible on the directly attached segment and is trivial to spoof, so it is a
    convenience filter, not an authentication mechanism.
• Filtering packets based on the values of the flags in the TCP header
  o Helpful in preventing attacks using malformed packets and in restricting access.
• Network address translation and port translation (NAT/NAPT)
  o Building a DMZ and more flexible NAT environments to increase security.
• Source and stateful routing and failover functions
  o Packet marks set by iptables can drive the kernel's policy routing (ip rule),
    giving source-based routing and failover that a plain IP router does not offer.


• System logging of network activities
  o Provides the option of adjusting the level of detail of the reporting (LOG target, --log-level).
• A rate-limiting feature (the limit match)
  o Helps to block some types of denial-of-service (DoS) attacks and keeps log flooding in check.
• Packet manipulation (mangling), e.g. altering the TOS/DSCP/ECN bits of the IP header
  o Mark and classify packets depending on rules; the first step in QoS.


• Most Linux distributions already ship iptables: rpm -qa iptables (dpkg -l iptables on Debian/Ubuntu)
• Download from:
  http://www.netfilter.org/downloads.html
• Documentation:
  http://www.netfilter.org/documentation/index.html
• Install from source or from an rpm:
  # rpm -ivh iptables-1.2.9-1.0.i386.rpm
  # tar xvfz iptables-1.2.9.tar.gz ; ./configure ; make ; make install
• Modules add functionality to iptables:
  Various connection-tracking/NAT helper modules, for example for FTP (nf_conntrack_ftp) and H.323
  Modules must be loaded into the kernel:
  # modprobe module
  # insmod module
• Patch-o-Matic (updates and extra modules; historical, from the 2.4/2.6 era)
  http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/


• You can start, stop, and restart iptables after booting with the init-script commands
  (SysV init; on systemd hosts with the iptables-services package use systemctl
  start/stop/restart iptables):
  o Starting iptables: service iptables start
  o Stopping iptables: service iptables stop
  o Restarting iptables: service iptables restart
  o Checking iptables status (rule chains): service iptables status
• To get iptables to start at boot, use the chkconfig command: chkconfig iptables on
  (systemctl enable iptables on systemd hosts)
• iptables itself is a command which we will see soon.
• To show all current rules: iptables --list (or iptables -L -n -v; add -t nat for the NAT table)
• To delete all current rules: iptables --flush (-F). Caveat: flushing removes the rules
  but not the chain policies, so with a DROP policy on INPUT a flush over SSH locks you
  out; set the policies to ACCEPT first (iptables -P INPUT ACCEPT) or work from the console.

• All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing.
• The three tables used in this lab (the kernel also has the raw and security tables):
  1. MANGLE: manipulates the packet, e.g. the TOS/DSCP/ECN bits of the IP header and
     firewall marks (these bits live in the IP header, not the TCP header)
  2. FILTER: packet filtering; has three built-in chains (your firewall policy rules)
     o FORWARD chain: filters packets routed through the firewall to servers protected by it
     o INPUT chain: filters packets destined for the firewall itself
     o OUTPUT chain: filters packets originating from the firewall
  3. NAT: network address translation; has three built-in chains
     o PREROUTING: NAT applied before routing, when the destination address needs changing (DNAT)
     o POSTROUTING: NAT applied after routing, when the source address needs changing (SNAT, MASQUERADE)
     o OUTPUT: DNAT for packets generated by the firewall itself
  Only the first packet of a connection consults the NAT table; the conntrack entry then
  applies the same translation to the rest of that connection.


[Figure: INPUT chain: filters packets destined for the firewall (PC source -> firewall as destination server)]

[Figure: OUTPUT chain: filters packets originating from the firewall (firewall as source server -> PC destination)]

[Figure: FORWARD chain: filters packets to servers protected by the firewall (PC source -> firewall forwards -> PC destination)]

• Each firewall rule inspects each IP packet and, when the packet matches, hands it to a
  target. Once a target is identified, the packet jumps to it for further processing; if
  no rule in the chain matches, the chain's default policy applies.
• ACCEPT
  o iptables accepts the packet and stops processing the current chain.
  o The packet is handed over to the end application or to the routing code for delivery.
• DROP
  o iptables stops further processing.
  o The packet is silently discarded; the sender only sees a timeout.
• REJECT
  o Works like the DROP target, but also returns an error message to the sending host
    saying the packet was blocked (default: ICMP port unreachable).
  --reject-with qualifier, where the qualifier is an ICMP error type
  (icmp-port-unreachable, icmp-host-unreachable, icmp-admin-prohibited, ...) or
  tcp-reset for TCP.
• LOG
  o The packet information is sent to the kernel log (syslog/journal).
  o LOG is a non-terminating target: iptables continues processing with the next rule in the chain.
  o You can't log and drop with one rule, so use two rules: a LOG rule immediately
    followed by a DROP rule with the same match (and rate-limit the LOG rule with
    -m limit so an attacker cannot flood the logs).
  --log-prefix "reason"
• SNAT
  o Used to do source network address translation, i.e. rewriting the source IP address
    of the packet (POSTROUTING chain of the nat table).
  o The new source IP address is user defined:
  --to-source <address>[-<address>][:<port>-<port>]
• DNAT
  o Used to do destination network address translation, i.e. rewriting the destination
    IP address of the packet (PREROUTING chain of the nat table).
  --to-destination <address>[-<address>][:<port>-<port>]
• MASQUERADE
  o Used to do source network address translation for dynamically addressed interfaces.
  o The source IP address is taken from the outgoing interface at the time the packet
    leaves, so it keeps working when the interface address changes (dial-up, DHCP).
  [--to-ports <port>[-<port>]]


• Deny ping
  iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
  iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
  (--icmp-type takes an argument; without one the command is refused. The first rule
  stops the firewall from pinging out, the second silently ignores pings sent to it.)
• Allow ping request and reply
  o iptables is configured to allow the firewall to send ICMP echo-requests (pings)
    and, in turn, to accept the expected ICMP echo-replies.
  iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

• -m limit caps the rate of matched packets, here TCP SYN packets
  o iptables is configured to accept at most 5 TCP SYN packets per second (after an
    initial burst) on interface eth0.

  iptables -A INPUT -p tcp --syn -m limit --limit 5/s --limit-burst 5 -i eth0 -j ACCEPT
  iptables -A INPUT -p tcp --syn -i eth0 -j DROP

  o The limit match is a token bucket: --limit is the refill rate and --limit-burst
    (default 5) the bucket size. A SYN above the limit does not match the ACCEPT rule
    and falls through to the next rule, so it is the DROP rule that actually discards
    it; without that rule the chain's default policy decides.
  o A sender whose SYN is dropped retransmits it after a timeout (the initial SYN is
    retried several times with exponential backoff), which spreads the load; a host
    whose SYNs keep being dropped eventually gives up with a connection timeout.


• Allow both port 80 and 443 for the web server on the inside:

  iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p tcp \
    --sport 1024:65535 -m multiport --dports 80,443 -j ACCEPT

• The return traffic from the web server is allowed, but only for sessions that are already open:

  iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p tcp \
    -m state --state ESTABLISHED -j ACCEPT

  (-m state is the older spelling; -m conntrack --ctstate ESTABLISHED,RELATED is the
  current one. Restricting the first rule to --ctstate NEW means only the
  connection-opening SYN has to pass it; everything after that is matched by state.)
• If connection state is used, you can reduce the impact of an attack called half-open
  (a SYN flood).
  Half-open connections are known to consume all of a server's free sockets (TCP stack
  memory), which looks like a denial-of-service attack even when it is only slow or
  broken clients. Half-open entries are kept only for a limited time (conntrack expires
  SYN_SENT/SYN_RECV entries after roughly one to two minutes) before being discarded.
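The rules on these slides (ping, the SYN limit, the web-server FORWARD pair) and the targets from the previous slides (LOG followed by DROP, DNAT in PREROUTING, MASQUERADE in POSTROUTING) put together into one complete ruleset, as an added example that is not part of the lecture. It is written in the iptables-restore format that /etc/sysconfig/iptables and iptables-save use, and it assumes a hypothetical topology: eth0 outside, eth1 LAN, the slide's web server 192.168.1.58 behind the firewall. The user-defined chains SYNLIMIT and LOGDROP and the lint function are my own additions; the lint catches the mistakes that lock you out or leave the box open before anything is loaded.

```shell
#!/bin/sh
# Added example, not from the lecture: the lab ruleset as one iptables-restore
# file plus a lint pass. Assumed (hypothetical) topology: eth0 = outside,
# eth1 = LAN, web server 192.168.1.58 behind the firewall.
FW_OUT_IF="${FW_OUT_IF:-eth0}"
FW_IN_IF="${FW_IN_IF:-eth1}"
FW_WEB="${FW_WEB:-192.168.1.58}"
FW_SYN_RATE="${FW_SYN_RATE:-5/s}"   # the slide's 5 SYN/s limit
FW_SYN_BURST="${FW_SYN_BURST:-10}"

# Print the complete ruleset on stdout ('#' lines are ignored by iptables-restore).
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYNLIMIT - [0:0]
:LOGDROP - [0:0]
# LOG never drops, so "log then drop" is two rules; the limit keeps an attacker
# from filling the disk with log lines.
-A LOGDROP -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
# Token bucket for SYNs: under the limit RETURN to the caller, above it DROP.
# Without the DROP rule excess SYNs would just fall through to later rules.
-A SYNLIMIT -m limit --limit $FW_SYN_RATE --limit-burst $FW_SYN_BURST -j RETURN
-A SYNLIMIT -j DROP
# INPUT: traffic addressed to the firewall itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $FW_OUT_IF -p tcp --syn -j SYNLIMIT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -i $FW_IN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGDROP
# OUTPUT policy is ACCEPT: the firewall may ping out; replies return via conntrack.
# FORWARD: traffic routed through the firewall
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $FW_OUT_IF -p tcp --syn -j SYNLIMIT
-A FORWARD -i $FW_OUT_IF -o $FW_IN_IF -d $FW_WEB -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $FW_IN_IF -o $FW_OUT_IF -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT in PREROUTING publishes the inside web server; FORWARD then sees $FW_WEB as destination.
-A PREROUTING -i $FW_OUT_IF -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $FW_WEB
# MASQUERADE in POSTROUTING hides LAN clients behind the outside address.
-A POSTROUTING -o $FW_OUT_IF -j MASQUERADE
COMMIT
EOF
}

# Read a ruleset on stdin; exit non-zero on a table without COMMIT, an ACCEPT
# policy on filter INPUT/FORWARD, a jump to an undeclared chain, or a LOG rule
# with no DROP/REJECT in the same chain. Returns 0 when the file looks sane.
lint_ruleset() {
  awk '
    BEGIN { bad = 0
            n = split("ACCEPT DROP REJECT LOG RETURN SNAT DNAT MASQUERADE REDIRECT CT", t, " ")
            for (i = 1; i <= n; i++) builtin[t[i]] = 1 }
    function err(msg) { print "lint: " msg > "/dev/stderr"; bad = 1 }
    /^\*/     { table = substr($0, 2); tables++; next }
    /^COMMIT/ { commits++; next }
    /^:/      { chain = substr($1, 2); declared[table, chain] = 1
                if (table == "filter" && $2 == "ACCEPT" && (chain == "INPUT" || chain == "FORWARD"))
                  err("filter chain " chain " has default policy ACCEPT")
                next }
    /^-A /    { chain = $2
                if (match($0, / -j [A-Za-z0-9_.-]+/)) {
                  target = substr($0, RSTART + 4, RLENGTH - 4)
                  if (!(target in builtin) && !((table, target) in declared))
                    err("rule in " chain " jumps to undeclared chain " target)
                  if (target == "LOG") logged[table, chain] = 1
                  if (target == "DROP" || target == "REJECT") term[table, chain] = 1
                }
                next }
    END { if (tables != commits) err("table count " tables " != COMMIT count " commits)
          for (k in logged) if (!(k in term)) err("LOG rule without DROP/REJECT in its chain")
          exit bad }'
}

# Usage: sh fw.sh print | lint | apply   (apply needs root)
case "${1:-}" in
  print) build_ruleset ;;
  lint)  build_ruleset | lint_ruleset && echo "ruleset OK" ;;
  apply) build_ruleset | lint_ruleset && build_ruleset | iptables-restore ;;
esac
```

iptables-restore loads the file atomically: either the whole policy goes in or nothing does, so there is no window with a half-built chain as there is with a script of individual iptables calls. It will, however, happily load a file that locks you out, which is what the lint is for; run `sh fw.sh lint` before `sh fw.sh apply`, and `sh fw.sh print > /etc/sysconfig/iptables` to make it the boot-time ruleset on a Red Hat based host.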

• Red Hat based distributions:
  /etc/sysconfig/iptables (loaded by the iptables init script / iptables-services)
• Other distributions:
  There is no single standard place; one is:
  /etc/rc.d/rc.firewall
  and maybe the most common is:
  /etc/init.d/rc.firewall
  (Debian/Ubuntu: the iptables-persistent package loads /etc/iptables/rules.v4 and rules.v6)
• Red Hat/Fedora's iptables rule generator:
  lokkit (historical; current releases use firewalld and firewall-cmd)
• There are three iptables commands:
  iptables (inserts rules into the kernel one at a time)
  iptables-save > rc.firewall.backup (dumps all tables in a reloadable text format)
  iptables-restore < rc.firewall.backup (loads the whole ruleset atomically, so there is
  no moment with a half-built policy)
• In Red Hat/Fedora you can also:
  service iptables save (writes the running rules to /etc/sysconfig/iptables)


Practice: FIREWALL - IPTable

1. Set up the IPTable firewall (following the reference topology below)

• FILTER: (Figure 1)
• Allow/deny the protocols ICMP (ping), HTTP (web), FTP, telnet
  • coming into the LAN: INPUT
  • going out from the LAN: OUTPUT
  • forwarding packets: FORWARD

[Figure 1: IPTable - filter INPUT/OUTPUT; a PC sends an http request and a ping to the server, the server sends an http reply back]

Ex:
Out: iptables -A OUTPUT -p icmp -j REJECT   (or DROP)
In:  iptables -A INPUT -p icmp -j REJECT    (or DROP)
(-p icmp without --icmp-type blocks all ICMP, including the error messages that path
MTU discovery depends on; to block only ping, add --icmp-type echo-request.)


[Figure: FORWARD: PC (source) -> server (forward, i.e. the firewall) -> PC (destination)]

• Enable IP forwarding on the firewall (the kernel discards packets not addressed to
  itself unless this is on):
  sysctl -w net.ipv4.ip_forward=1
  (to make it persistent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf or a file under /etc/sysctl.d/)
• Configure:
  iptables -A FORWARD -d <Ip_des> .... ACCEPT
• PC source and destination: each PC uses the firewall's interface on its own side as its
  default gateway, so traffic between them passes through the FORWARD chain.
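A worked solution for the practice above, as an added example that is not part of the lecture. It turns the lab's protocol list (ICMP, HTTP, FTP, telnet) and chain list (INPUT, OUTPUT, FORWARD) into iptables commands, adds the stateful base the slides describe, and loads the FTP connection-tracking helper so an active-mode data channel is matched as RELATED instead of being blocked. Assumed (hypothetical): eth1 faces the LAN, eth0 the outside; the function names `proto_match`, `lab_rule`, `lab_ruleset` and `run_lab` and the variable `FW_APPLY` are mine. The raw-table `CT --helper ftp` line reflects kernels since 4.7, where helpers are no longer assigned automatically.

```shell
#!/bin/sh
# Added example for the practice section (not from the lecture).
# Assumed (hypothetical) topology: eth1 = LAN side, eth0 = outside.
# Commands are printed; they are only executed with FW_APPLY=1 as root.
LAN_IF="${FW_LAN_IF:-eth1}"
WAN_IF="${FW_WAN_IF:-eth0}"

# Map a protocol name from the lab sheet to an iptables match. Only the
# connection-opening direction is matched; replies come back via conntrack.
proto_match() {
  case "$1" in
    icmp|ping)  echo "-p icmp --icmp-type echo-request" ;;
    http|web)   echo "-p tcp --dport 80" ;;
    ftp)        echo "-p tcp --dport 21" ;;    # control channel; data is RELATED
    telnet)     echo "-p tcp --dport 23" ;;
    *) echo "unknown protocol: $1" >&2; return 1 ;;
  esac
}

# lab_rule <INPUT|OUTPUT|FORWARD> <protocol> <ACCEPT|DROP|REJECT>
# Prints one iptables command. Interfaces follow the lab figure:
# INPUT = LAN host -> firewall, OUTPUT = firewall -> LAN, FORWARD = LAN -> outside.
lab_rule() {
  m=$(proto_match "$2") || return 1
  case "$1" in
    INPUT)   iface="-i $LAN_IF" ;;
    OUTPUT)  iface="-o $LAN_IF" ;;
    FORWARD) iface="-i $LAN_IF -o $WAN_IF" ;;
    *) echo "unknown chain: $1" >&2; return 1 ;;
  esac
  case "$3" in
    ACCEPT|DROP|REJECT) ;;
    *) echo "unknown action: $3" >&2; return 1 ;;
  esac
  echo "iptables -A $1 $iface $m -m conntrack --ctstate NEW -j $3"
}

# The whole lab: forwarding on, FTP helper bound, DROP policies with a stateful
# return rule per chain, then one rule per "CHAIN PROTO ACTION" line read from stdin.
lab_ruleset() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "modprobe nf_conntrack_ftp"
  # Since kernel 4.7 helpers are not auto-assigned; bind it explicitly in raw.
  echo "iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp"
  for c in INPUT OUTPUT FORWARD; do
    echo "iptables -P $c DROP"
    echo "iptables -A $c -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  done
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A OUTPUT -o lo -j ACCEPT"
  while read -r chain proto action; do
    [ -z "$chain" ] && continue
    lab_rule "$chain" "$proto" "$action" || return 1
  done
}

# Execute the generated commands only when explicitly asked to and running as root;
# otherwise just show them, so the policy can be reviewed first.
run_lab() {
  cmds=$(lab_ruleset) || return 1
  if [ "${FW_APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    printf '%s\n' "$cmds" | sh -e
  else
    printf '%s\n' "$cmds"
  fi
}

# Constructed sample policy for the lab: the LAN may browse and ping out, FTP and
# telnet are refused with an error, and only ping may reach the firewall itself.
case "${1:-}" in
  demo) run_lab <<'EOF'
INPUT   ping   ACCEPT
OUTPUT  ping   ACCEPT
FORWARD http   ACCEPT
FORWARD ping   ACCEPT
FORWARD ftp    REJECT
FORWARD telnet REJECT
EOF
  ;;
esac
```

Run `sh lab.sh demo` to see the commands, then `FW_APPLY=1 sh lab.sh demo` as root to load them. Because every chain gets a DROP policy, anything not on the policy list (including name resolution from the firewall itself) is blocked, which is the intended starting point for the lab: add lines to the policy rather than loosening the defaults.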
