Brief iptables 101 for server & network administrators


Introduction


Welcome to this brief iptables 101 for server & network administrators. In this guide you will learn how to use iptables, the Linux firewall tool, to secure your server & network. Firewalls are a basic building block of production systems & networks & of their security, so every system & network administrator should know at least the basics of iptables well enough to set up a simple firewall on the host node. Further security steps include dedicated hardware firewalls with filters for many different attacks across all seven OSI layers & much more.

This really is only a brief iptables 101 & nothing more. I do not teach you everything about iptables & firewalls! There is a lot more you will have to learn to become a knowledgeable system & network administrator who masters the subject. What you learn here should however be enough to secure your own VPS & a small network under normal traffic conditions.

Prologos


A firewall is a network component that operates as a gateway between two or more networks. In most cases these networks are the Internet & the local network behind the firewall. Only traffic that meets the firewall's requirements (the iptables rules) may pass; the rest is blocked, or better said "dropped". iptables organises its rules in chains. The three chains of the filter table that every firewall deals with are: 1. INPUT - everything addressed to the firewall host itself, 2. FORWARD - traffic that goes through the host on its way to another network & 3. OUTPUT - everything originating on the host. Beside these three there are two chains that play a key role in rewriting & routing traffic: 1. PREROUTING (a packet passes it right after it arrives, before the routing decision) & 2. POSTROUTING (a packet passes it right before it leaves, after the routing decision).

Every firewall follows one of two simple concepts:
1. Default allow: everything is allowed that was not explicitly forbidden.
2. Default deny: everything is forbidden that was not explicitly allowed.
The second one is what you want on a server: a port you forgot about is then closed instead of open.



A firewall is also a packet filter! In order to find out what is good & what is bad the firewall has to inspect every data packet. This way it can tell which traffic is bad & drop it & which traffic is good & may pass. A plain packet filter works with the information in the layer 3 & layer 4 headers of the OSI model: source IP address & destination IP address (layer 3, the IP header) & source port & destination port (layer 4, the TCP or UDP header). These header fields are checked against the rules in the firewall & the matching action is taken.

Example: Computer A with the IP address 123.123.123.123 sends packets to Server A with the IP address 123.124.125.126 on port 80 (HTTP).

A simple example. The above case is normal traffic from a computer to a website over HTTP with a browser like Firefox, Chrome or whatever. A correct firewall setup on Server A lets traffic from any source (0.0.0.0/0) reach its address on port 80, so everyone can visit the site.

Example 2: Computer B (a hacker) with the IP address 13.37.13.37 tries to access Server A with the IP address 123.124.125.126 on port 22 (SSH).

This is the opposite of the first example. A hacker tries to reach SSH on Server A to break in. A correct setup on Server A only accepts SSH connections from one specific IP address that has been given the green light to connect via SSH. This is not always the case in the real world, though. Anyway, if the setup is correct the hacker's packets are dropped, he never even gets to see the SSH banner, & the day is saved.

Packet filters have their limits, though. A stateless packet filter looks at every packet on its own, without remembering which connection it belongs to, so it cannot tell a reply to a connection you opened from a packet an attacker sent you unsolicited. It gives no logging of what passed & what was dropped, & it cannot look at the actual content of a packet, only at the layer 3/4 headers. Packet filtering on a general-purpose host also breaks down under very high packet rates, which is why dedicated hardware firewalls with many more features & much more capacity are used to absorb large attacks.


This is where the Linux netfilter framework, which iptables configures, gives you more than a plain packet filter. Connection tracking (conntrack) lets rules match on the state of a connection (NEW, ESTABLISHED, RELATED, INVALID) instead of only on 1. source IP address, 2. source port, 3. destination IP address & 4. destination port; match extensions look deeper into protocols; & the LOG target writes matching packets to the kernel log for later analysis through network forensics (i.e. find out who exactly took part in the attack on Server A).



Explanation of terms


Filter rules: The rules of the filter table apply to the three important chains of the firewall: 1. INPUT, 2. FORWARD & 3. OUTPUT. The filter table is where accepting & dropping happens, the core of securing the system & network. INPUT - everything addressed to the host, FORWARD - everything passing through it & OUTPUT - everything leaving it.


NAT: Network Address Translation (rewriting of IP addresses & ports). NAT rules live in the nat table & apply to the PREROUTING, POSTROUTING & OUTPUT chains (you select the table with -t nat). NAT is used to forward traffic to other destinations or to make it appear to come from another source.

Source-NAT (SNAT): The source IP address is rewritten. This happens in POSTROUTING, after the routing decision, because the kernel first has to pick the outgoing interface. MASQUERADE is SNAT that uses whatever address the outgoing interface has.
Destination-NAT (DNAT): The destination IP address (& optionally the port) is rewritten. This happens in PREROUTING, before the routing decision, so the kernel routes the packet to its new destination.

A great example of a NAT setup is several VPSs behind a single IPv4 address. Through NAT these VPSs can talk to other networks such as the Internet without the replies getting mixed up (i.e. VPS A sends a request to a Debian package server & at the same time VPS B sends a request to another Debian package server for a different package; connection tracking remembers which VPS opened which connection, so VPS A never accidentally receives the package VPS B requested & vice versa). You know NAT from home, too: many clients behind one public IP address, & the NAT setup of your router delivers the replies to the right client behind that single address.
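As an added example (not code from the original post), here is the NAT setup just described for VPSs behind one public IPv4 address, written as a shell script for the host node. The interface names eth0 (public) & vmbr0 (VPS bridge), the private network 10.0.0.0/24, the VPS address 10.0.0.10 & the DRY_RUN switch, which only prints the commands instead of running them so you can review the rules before applying them as root, are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumed: public interface eth0, VPS bridge vmbr0, VPS network 10.0.0.0/24,
# VPS A at 10.0.0.10 running a web server on port 80.
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-vmbr0}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
VPS_A="${VPS_A:-10.0.0.10}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_nat() {
  # The kernel does not route packets between interfaces until forwarding is switched on.
  run sysctl -w net.ipv4.ip_forward=1

  # SNAT lives in POSTROUTING: after the routing decision the VPS source address is rewritten
  # to the public one. MASQUERADE is SNAT that uses whatever address the outgoing interface has.
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

  # DNAT lives in PREROUTING: before the routing decision, TCP 8080 on the public address is
  # rewritten to VPS A port 80, so the kernel then routes the packet into the bridge.
  run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 8080 -j DNAT --to-destination "$VPS_A:80"

  # NAT only rewrites addresses. The packets still have to be allowed in the FORWARD chain
  # of the filter table, where a DROP policy would otherwise stop them. Connection tracking is
  # what keeps VPS A's and VPS B's replies apart: a reply is ESTABLISHED only for the VPS that
  # opened the connection.
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
  run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$VPS_A" --dport 80 -m conntrack --ctstate NEW -j ACCEPT
}

case "${1:-}" in
  apply) apply_nat ;;
  preview) DRY_RUN=1; apply_nat ;;
esac
```

Run it as `sh nat.sh preview` to see the exact commands & as root with `sh nat.sh apply` to load them. The nat table is only consulted for the first packet of a connection; conntrack applies the same translation (& its reverse) to every following packet of that connection.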


Mangle: The mangle table is not filter rules & NAT together; it is for altering packet headers, e.g. changing the TTL or the TOS/DSCP field, or setting a firewall mark that later rules or the routing code act on. It has all five chains: 1. INPUT, 2. FORWARD, 3. OUTPUT, 4. PREROUTING & 5. POSTROUTING. Mangle is used to alter traffic, not to accept or drop it!



iptables Syntax & Commands


List iptables rules:

In order to see the rules currently loaded in the filter table you can use the commands below (the nat & mangle tables are only shown when you ask for them with -t).

Short:

Terminal

iptables -L


Long:

Terminal

iptables --list



Set policies:

Policies are the default rules of the built-in chains. A policy applies to every packet that reaches the end of its chain without having matched any rule, so it decides which of the two firewall concepts above your firewall follows. You set policies with the command below.

Terminal

iptables -P <chain> <target>

Replace <chain> & <target> with the appropriate chain & target below.

Chains: INPUT, OUTPUT, FORWARD (filter table); PREROUTING, POSTROUTING, OUTPUT (nat table, selected with -t nat)
Targets: ACCEPT or DROP (a policy can only be one of these two; SNAT, DNAT, RETURN & QUEUE are rule targets for -j, not policies, & policies can only be set on the built-in chains, not on chains you created yourself)

Example:

Terminal

iptables -P INPUT ACCEPT

All traffic in the INPUT chain that no rule matched is accepted & may pass through to the host.

The order matters! If you are logged in over SSH & set the INPUT policy to DROP before you have added a rule that accepts your SSH connection, you lock yourself out of the server on the spot. Add the rules that accept your own management traffic first & switch the policy to DROP last; the OUTPUT policy is usually left at ACCEPT on a simple host firewall.


Allow/disallow traffic via APPEND

With APPEND (-A) you add specific rules to the end of a chain to control traffic. So you can, for example, limit access to SSH on your server to your own IP address, close unwanted ports & much more.

Terminal

iptables -A <chain> -p <basis protocol> -j <target>

Replace <chain>, <target> & <basis protocol> with the appropriate chain, target & basis protocol below.

Chains: INPUT, OUTPUT, FORWARD (filter table); PREROUTING, POSTROUTING, OUTPUT (nat table, selected with -t nat)
Targets: ACCEPT, DROP, RETURN, QUEUE (filter table); SNAT, DNAT (nat table only)
Basis protocols: tcp, udp, icmp (or all)

Example:

Terminal

iptables -A OUTPUT -p tcp -j ACCEPT

All outgoing TCP traffic is allowed.

Example 2:

Terminal

iptables -A INPUT -p udp -j DROP

All incoming UDP traffic is disallowed & will be dropped.


Other parameters:

There are other parameters for APPEND rules that you should know in order to filter traffic more specifically. Rules in a chain are checked from top to bottom & the first rule that matches decides, so the order in which you append them matters.


Source port

The source port allows filtering of traffic coming from a certain port. Be careful with it in ACCEPT rules: the sender picks his source port freely, so an attacker can simply set it to whatever your rule allows.

Short: --sport
Long: --source-port (only valid together with -p tcp or -p udp)

Example:

Terminal

iptables -A INPUT -p tcp --sport 2500 -j DROP

All TCP traffic coming from source port 2500 will be dropped.


Destination port

The destination port allows filtering of traffic that targets a port on the firewall host itself or, in the FORWARD chain, on the other network.

Short: --dport
Long: --destination-port (only valid together with -p tcp or -p udp)

Example:

Terminal

iptables -A OUTPUT -p tcp --dport 22 -j DROP

This drops all connections from the firewall host itself to SSH on the other network (OUTPUT is the host's own outgoing traffic; for clients behind the firewall the same rule goes into the FORWARD chain).


Source IP address

You can also filter by the source IP address.

Short: -s
Long: --source

Example:

Terminal

iptables -A INPUT -p udp --dport 27015 -s 123.123.123.123 -j DROP

All UDP packets from the source IP address 123.123.123.123 to the destination port 27015 (Valve game servers) will be dropped. Good for getting rid of attackers/lame people with a static IP address; against someone on a changing address it only helps until his next reconnect.


Destination IP address

Filtering by destination IP address is especially helpful on a firewall that has several addresses or a network behind it.

Short: -d
Long: --destination

Example:

Terminal

iptables -A INPUT -p icmp -d 192.168.2.100 -j DROP

All ICMP packets from any client to 192.168.2.100 are dropped (i.e. blocks PING requests). In INPUT this only takes effect if 192.168.2.100 is one of the firewall host's own addresses; to protect a client behind the firewall the same rule goes into the FORWARD chain.


These additional parameters can be combined in APPEND rules for a detailed & specific filtering of traffic.
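As an added example that combines the chains, policies & parameters above (it is not code from the original post), here is a complete stateful host firewall for a VPS like Server A from the examples: SSH only from one admin address, HTTP/HTTPS for everyone, rate-limited ping, logging of dropped packets, & the policies switched to DROP only after the accept rules are in place so you cannot lock yourself out. The admin address 203.0.113.10, the DRY_RUN switch (prints the commands instead of executing them) & the rollback timer are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumed: you administer the box over SSH from 203.0.113.10 and run a web server on 80/443.
set -eu

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_rules() {
  # 1. Known starting point. Policies go to ACCEPT *before* the flush: flushing with a DROP
  #    policy in place would cut every connection, including the SSH session you are on.
  run iptables -P INPUT ACCEPT
  run iptables -P FORWARD ACCEPT
  run iptables -P OUTPUT ACCEPT
  run iptables -F
  run iptables -X

  # 2. Loopback and replies to connections this host opened come first, so they match cheaply
  #    and your current SSH session stays alive when the policy flips at the end.
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

  # 3. Example 2 from the text: SSH only from the admin address. The hacker at 13.37.13.37
  #    never matches this rule and falls through to the DROP policy.
  run iptables -A INPUT -p tcp -s "$ADMIN_IP" --dport 22 -m conntrack --ctstate NEW -j ACCEPT

  # 4. Example 1 from the text: the web site is open to everyone (no -s means 0.0.0.0/0).
  run iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

  # 5. Answer pings, but not floods of them.
  run iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT

  # 6. Whatever reaches this point is about to be dropped by the policy: log a rate-limited
  #    sample of it (kernel log / dmesg) so there is evidence for later analysis.
  run iptables -A INPUT -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "IPT-INPUT-DROP: " --log-level 4

  # 7. Only now switch to default deny. OUTPUT stays ACCEPT on a simple host firewall;
  #    FORWARD is DROP because this host routes for nobody.
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -P OUTPUT ACCEPT
}

# Safety net for remote hosts: unless you kill the returned process within the given number
# of seconds (because you confirmed you can still log in), the firewall is opened again.
arm_rollback() {
  ( sleep "${1:-120}"; iptables -P INPUT ACCEPT; iptables -F ) &
  echo $!
}

case "${1:-}" in
  apply) apply_rules ;;
  preview) DRY_RUN=1; apply_rules ;;
esac
```

Use `sh fw.sh preview` to read the rules before loading them, & on a remote box run `arm_rollback 120` in a second shell first, apply, open a new SSH session to confirm, then kill the rollback process. The state rules in step 2 are what the stateless packet filter from the Prologos cannot do: a packet that is not part of a connection you accepted never reaches the service.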


Removing rules:

You can also remove rules that you no longer want to apply. Below you will find the command to remove single rules from the list.

Terminal

iptables -D <chain> -p <basis protocol> -j <target>

Replace <chain>, <target> & <basis protocol> with the appropriate chain, target & basis protocol below. If you used additional parameters in the APPEND rule you must give exactly the same ones here too, otherwise iptables reports that the rule does not exist!

Chains: INPUT, OUTPUT, FORWARD (filter table); PREROUTING, POSTROUTING, OUTPUT (nat table, selected with -t nat)
Targets: ACCEPT, DROP, RETURN, QUEUE (filter table); SNAT, DNAT (nat table only)
Basis protocols: tcp, udp, icmp (or all)

Example:

You want to remove the following rule so that connections to your Counter-Strike game server are allowed again:

Terminal

iptables -A INPUT -p udp --dport 27015 -j DROP


This is how you would remove it:

Terminal

iptables -D INPUT -p udp --dport 27015 -j DROP



Rules can also be removed by their chain & position in the list. "iptables -L" only shows the positions when you add --line-numbers; positions start at 1 & the rules below a deleted one move up by one, so when deleting several rules by position start with the highest number.

Terminal

iptables -D <chain> <number/position>

Replace <chain> with a chain below & <number/position> with the position of the rule you want to delete, as printed by "iptables -L --line-numbers".

Chains: INPUT, OUTPUT, FORWARD; PREROUTING, POSTROUTING

Example:

Terminal

iptables -D INPUT 3



You can also wipe all iptables rules with the command below. Note that it only flushes the chains of the filter table (use -t nat or -t mangle for the other tables) & that it leaves the policies as they are: if the INPUT policy is DROP when you flush, nothing is allowed in any more, not even your own SSH session, so set the policies to ACCEPT first.

Short

Terminal

iptables -F


Long

Terminal

iptables --flush
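As an added example (not code from the original post), here are the inspection, deletion & reset commands of this section wrapped in small shell functions: listing with rule positions for all three tables, deletion by position, & a reset that opens the policies before it flushes, so that wiping the rules never turns into locking yourself out. The DRY_RUN switch is an assumption of the example & only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the original post.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# List rules with the position numbers that -D and -I use. -n stops iptables from resolving
# addresses and ports to names (slow, and it sends a reverse-DNS query for every attacker IP),
# -v adds packet/byte counters and interfaces. Without -t only the filter table is shown.
show_rules() {
  for t in filter nat mangle; do
    run iptables -t "$t" -L -n -v --line-numbers
  done
  # iptables-save prints every rule in exactly the form -D expects, handy for copy & paste.
  run iptables-save
}

# delete_rule CHAIN POSITION   (positions start at 1 and shift up after each deletion,
# so delete from the highest position downwards when removing several rules at once)
delete_rule() {
  run iptables -D "$1" "$2"
}

# Wipe everything. -F keeps the policies, so a DROP policy must be opened first; otherwise
# the flush leaves a firewall that accepts nothing at all, your own SSH session included.
# -F/-X/-Z only touch the filter table unless told otherwise, so every table is done explicitly.
reset_firewall() {
  run iptables -P INPUT ACCEPT
  run iptables -P FORWARD ACCEPT
  run iptables -P OUTPUT ACCEPT
  for t in filter nat mangle raw; do
    run iptables -t "$t" -F   # flush all rules
    run iptables -t "$t" -X   # delete user-defined chains
    run iptables -t "$t" -Z   # zero the counters
  done
}

case "${1:-}" in
  show) show_rules ;;
  reset) reset_firewall ;;
esac
```

`sh fwtools.sh show` is the quickest way to check what is really loaded after you changed something, & `DRY_RUN=1 sh fwtools.sh reset` shows you the order in which the reset opens the policies before flushing.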





This small iptables 101, with some basics of what a firewall is & what it does & the most important iptables commands, should help you manage your server & network while keeping it secure. I recommend learning more about iptables to gain more knowledge & master it.

More information is available on the Internet & of course in the man page of iptables.

iptables MAN: http://unixhelp.ed.ac.uk/CGI/man-cgi?iptables+8



