Configuring a Stateful Linux Firewall with IPTables / NetFilter

Tony Perrie
Engineer / Scientist
IBM Network Processor Development
Rochester, Minnesota

January 9, 2002

Linux Packet Filtering Implementations

• 1st Generation - Alan Cox's port of BSD UNIX's ipfw to Linux 1.1
• 2nd Generation - Jos Vos and others added the ipfwadm tool in Linux 2.0.
• 3rd Generation - Rusty Russel and Michael Neuling made significant changes to ipfw, and ipchains was released in Linux 2.2.
• 4th Generation - Rusty Russel and others implemented a modular packet filter/mangler infrastructure called NetFilter for Linux 2.4.

Routing Packets with SNAT

• Source Network Address Translation enables you to get access to an external network (usually the Internet) from behind the firewall.
• Enable Packet Forwarding
  • echo 1 > /proc/sys/net/ipv4/ip_forward
  • Allows kernel-level IP Forwarding
  • Disabled by default in most distros
  • service network restart resets ip_forward to 0 (unless you've h4x0red /etc/init.d/network)
• Enable Masquerading
  • Dynamic IP: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  • Static IP: iptables -t nat -A POSTROUTING -o eth0 -j SNAT -to 24.0.0.0
  • This allows machines to masquerade from behind the firewall.

Default Policies / Output Port Blocking

• Default Policies
  • iptables -P INPUT DROP
    • This is a highly recommended as default.
    • Basically drop everything unless told otherwise
  • iptables -P OUTPUT ACCEPT
    • Some suggest to default OUTPUT to DROP
    • It's not really necessary though.
  • iptables -P FORWARD ACCEPT
  • This is needed for NAT / MASQUERADING
• Output Port Blocking
  • Be careful blocking output ports. Blocking port 80 doesn't only stop hackers, it also stops IE, Netscape, Galeon, from accessing most web servers.
  • iptables -A OUTPUT -o eth0 -p tcp -dport 31337 -j DROP
  • iptables -A OUTPUT -o eth0 -p tcp -sport 31337 -j DROP

Output Port Blocking / External Port Blocking

• Output Port Blocking Continued
  • Ports to block: 31337 , 31335, 27444, 27665, 20034 NetBus, 9704, 137-139 (smb), 1433, 2049, 5432, 5999, 6063, 5900-5910 (vnc)
• External Port Blocking
  • Reject Ident Requests (ircers will probably want to accept ident)
  • iptables -A FORWARD -i eth0 -p tcp -dport 113 -j REJECT
  • iptables -A OUTPUT -o eth0 -p tcp -dport 113 -j REJECT
  • Allow Nortel IPSEC Rekey Packets (IBM VPN)
  • iptables -A FORWARD -i eth0 -p tcp -dport 500 -j ALLOW
  • iptables -A OUTPUT -o eth0 -p tcp -dport 500 -j ALLOW

Drop Bogus Packets / Log & Limit Suspicious Traffic

• Drop Bogus Packets
  • RESERVED_NET="0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 ... "

    	for NET in $RESERVED_NET; do
    	  iptables -A FORWARD -d $NET -j DROP
    	done
    

• Log Suspicious Packets
  • Create a new chain called CHECK_FLAGS
  • iptables -N CHECK_FLAGS
  • iptables -A CHECK_FLAGS -p tcp -tcp-flags ALL FIN,URG,PSH -m limit -limit 5/minute -j LOG -log-level 6
    -log-prefix "NMAP-XMAS:"
  • iptables -A CHECK_FLAGS -p tcp -tcp-flags ALL FIN,URG,PSH -j DROP

Jump to a Custom Chain / Define Stateful Rules

• Jump to a Custom Chain
  • iptables -A INPUT -i eth0 -j CHECK_FLAGS
  • iptables -A FORWARD -i eth0 -j CHECK_FLAGS
• Define Stateful Rules
  • iptables -A OUTPUT -m state -state INVALID -j DROP
  • iptables -A OUTPUT -m state -state RELATED, ESTABLISHED -j ACCEPT
  • iptables -A OUTPUT -i ! eth0 -m state
    -state NEW -j ACCEPT
  • ACCEPT packets whose input interface is anything but the external interface.

Blocking ICMP / Port Forwarding with DNAT

• Port Forwarding
  • Port Forwarding an IPSEC client/server on 500 using protocol 17 (needed for VPN access)
  • iptables -t nat -A PREROUTING -i eth0 -p 17 -dport 500 -j DNAT -to 192.168.0.2:500
  • Port Forwarding WWW on Port 80
  • iptables -t nat -A PREROUTING -i eth0 -p tcp -dport 80 -j DNAT -to 192.168.0.2:80
• Blocking ICMP
  • Using Default DROP for input blocks ICMP (Ping)
  • iptables -A OUTPUT -i eth0 -p icmp
    -icmp-type 8 -j DROP
  • iptables -A FORWARD -i eth0 -p icmp
    -icmp-type 8 -j DROP
  • iptables -A OUTPUT -i eth0 -p icmp
    -icmp-type 8 -j ACCEPT

ToS Packet Mangling / MAC Addresses as Filtering Criteria

• ToS Packet Mangling
  • Allows for Type-Of-Service Parameters to be set per protocol
  • iptables -t mangle -A FORWARD -p tcp -dport 22 -j TOS -set-tos 16
  • iptables -t mangle -A FORWARD -p tcp -dport 80 -j TOS -set-tos 8
• MAC Addresses as Filtering Criteria
  • iptables -A FORWARD -m state -state NEW -m mac -mac-source 00:C7:8F:72:14 -j ACCEPT
  • Allows a known MAC Address to be forwarded

IBM-Rochester Nortel VPN Access

 ## OPENS NORTEL EXTERNAL PORT 500
 iptables -A OUTPUT  -i eth0 -p tcp
--dport 500 -j ACCEPT
 iptables -A FORWARD -i eth0 -p tcp
--dport 500 -j ACCEPT
 ## PORT FORWARD FOR IPSEC "REKEYING"
 iptables -t nat -A PREROUTING -i eth0 -p 17 
   --dport 500 -j DNAT --to 192.168.0.2:500

• Assumes 192.168.0.2 is the computer you are running the VPN client, and eth0 is external

Configuring dhcpd

#filename: /etc/dhcpd.conf

default-lease-time 86400;
max-lease-time 86400;

subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.2 192.168.0.250;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.0.255;
  option routers 192.168.0.1;
  option domain-name-servers 192.168.0.4, 
  12.24.250.39, 12.24.250.40, 206.25.127.40;
  option domain-name "chartermi.net";
}

• On Redhat boxes do a "service dhcpd start" to start the dhcpd daemon.