Configuring a Stateful Linux Firewall with IPTables / NetFilter
Tony Perrie
Engineer / Scientist
IBM Network Processor Development
Rochester, Minnesota
January 9, 2002
Linux Packet Filtering Implementations
- 1st Generation - Alan Cox's port of BSD UNIX's ipfw to Linux 1.1
- 2nd Generation - Jos Vos and others added the ipfwadm tool in Linux 2.0.
- 3rd Generation - Rusty Russell and Michael Neuling made significant changes to ipfw, and ipchains was released in Linux 2.2.
- 4th Generation - Rusty Russell and others implemented a modular packet filter/mangler infrastructure called NetFilter for Linux 2.4.
Routing Packets with SNAT
- Source Network Address Translation enables machines behind the firewall to get access to an external network (usually the Internet).
- Enable Packet Forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
- Allows kernel-level IP forwarding
- Disabled by default in most distros
- service network restart resets ip_forward to 0 (unless you've h4x0red /etc/init.d/network)
- Enable Masquerading
- Dynamic IP: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- Static IP: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 24.0.0.0
- This allows machines behind the firewall to masquerade as the firewall's external address.
Default Policies / Output Port Blocking
- Default Policies
- iptables -P INPUT DROP
- This is highly recommended as the default.
- Basically, drop everything unless told otherwise.
- iptables -P OUTPUT ACCEPT
- Some suggest defaulting OUTPUT to DROP
- It's not really necessary though.
- iptables -P FORWARD ACCEPT
- This is needed for NAT / MASQUERADING
- Output Port Blocking
- Be careful blocking output ports. Blocking port 80 doesn't only stop hackers, it also stops IE, Netscape and Galeon from accessing most web servers.
- iptables -A OUTPUT -o eth0 -p tcp --dport 31337 -j DROP
- iptables -A OUTPUT -o eth0 -p tcp --sport 31337 -j DROP
Output Port Blocking / External Port Blocking
- Output Port Blocking Continued
- Ports to block: 31337, 31335, 27444, 27665, 20034 (NetBus), 9704, 137-139 (smb), 1433, 2049, 5432, 5999, 6063, 5900-5910 (vnc)
- External Port Blocking
- Reject Ident Requests (ircers will probably want to accept ident)
- iptables -A FORWARD -i eth0 -p tcp --dport 113 -j REJECT
- iptables -A OUTPUT -o eth0 -p tcp --dport 113 -j REJECT
- Allow Nortel IPSEC Rekey Packets (IBM VPN)
- iptables -A FORWARD -i eth0 -p tcp --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 500 -j ACCEPT
Drop Bogus Packets / Log & Limit Suspicious Traffic
- Log Suspicious Packets
- Create a new chain called CHECK_FLAGS
- iptables -N CHECK_FLAGS
- iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "NMAP-XMAS:"
- iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
- --tcp-flags ALL FIN,URG,PSH examines all flags and matches only packets with exactly FIN, URG and PSH set, a combination no normal TCP stack sends (the nmap "Xmas" probe).
- -m limit keeps a flood of probes from filling the log; the DROP rule that follows is not rate-limited, so every matching packet is still dropped.
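The LOG target above writes kernel messages tagged with the "NMAP-XMAS:" prefix. The script below, an added example rather than part of the original slides, summarises such messages per source address and counts how many distinct destination ports each source probed. The log lines embedded in sample_xmas_log are constructed samples in the usual netfilter LOG format, not captured output.

```shell
#!/bin/sh
# Added example (not from the original slides): summarise "NMAP-XMAS:" log
# lines produced by the CHECK_FLAGS LOG rule. Sample lines are constructed.

# Constructed sample of what syslog records for the LOG rule above.
sample_xmas_log() {
    cat <<'EOF'
Jan  9 12:00:01 fw kernel: NMAP-XMAS:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Jan  9 12:00:02 fw kernel: NMAP-XMAS:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=40002 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Jan  9 12:00:03 fw kernel: NMAP-XMAS:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP SPT=40003 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Jan  9 12:00:09 fw kernel: some unrelated kernel message
Jan  9 12:00:10 fw kernel: NMAP-XMAS:IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=50001 DPT=443 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
EOF
}

# Read log lines on stdin; print "SRC hits distinct_ports", busiest source first.
xmas_summary() {
    awk '
    /NMAP-XMAS:/ {
        src = ""; dpt = ""
        # Fields are KEY=VALUE tokens; pull out the source and destination port.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "") next
        hits[src]++
        if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
    }
    END { for (s in hits) print s, hits[s], ports[s] }
    ' | sort -k2,2nr
}

# Stand-alone use: summarise the built-in sample, or a real log given as $1.
case "${1:-}" in
    "")  ;;
    sample) sample_xmas_log | xmas_summary ;;
    *)   xmas_summary < "$1" ;;
esac
```

Run it as `sh xmas_summary.sh /var/log/messages` (or `sample` for the built-in lines). A source that trips the rule on several different ports is scanning rather than misconfigured. Because the LOG rule is limited to 5/minute, the hit counts are a lower bound: the matching DROP rule is not rate-limited, so more packets were dropped than were logged.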
Jump to a Custom Chain / Define Stateful Rules
- Jump to a Custom Chain
- iptables -A INPUT -i eth0 -j CHECK_FLAGS
- iptables -A FORWARD -i eth0 -j CHECK_FLAGS
- Define Stateful Rules
- iptables -A INPUT -m state --state INVALID -j DROP
- iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- iptables -A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
- ACCEPT packets whose input interface is anything but the external interface.
- These rules belong in the INPUT chain: -i is not valid in OUTPUT, and with a default INPUT policy of DROP the RELATED,ESTABLISHED rule is what lets replies to the firewall's own connections back in.
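Rule order matters with a default DROP policy: the flush, the policies, the CHECK_FLAGS jump and the state rules have to be loaded in a definite sequence, and the slides present them one topic at a time. The script below is an added example that is not part of the original slides; it assembles the deck's rules into one re-runnable script. It assumes eth0 is the external interface, 192.168.0.0/24 is the LAN and 192.168.0.2 is the VPN client host (the values used on the slides); set DRY_RUN=1 to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not part of the original slides): the deck's rules assembled
# into one ordered, re-runnable script. Assumptions: eth0 is the external
# interface, 192.168.0.0/24 is the LAN, 192.168.0.2 hosts the VPN client.
# With DRY_RUN=1 the script prints the rules instead of loading them.
set -eu

EXT_IF="${EXT_IF:-eth0}"                 # assumed external interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"     # assumed internal subnet
VPN_HOST="${VPN_HOST:-192.168.0.2}"      # assumed VPN client (from the slides)
IPT="${IPT:-iptables}"

# Run one iptables command, or print it when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        "$IPT" "$@"
    fi
}

apply_firewall() {
    # 1. Flush everything first so the script is safe to re-run.
    ipt -F; ipt -X; ipt -t nat -F; ipt -t mangle -F
    # 2. Default policies as on the slides: drop inbound, allow out and forward.
    ipt -P INPUT DROP
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD ACCEPT
    # 3. Local services need loopback (the slides omit this; under INPUT DROP,
    #    anything talking to 127.0.0.1 would otherwise fail).
    ipt -A INPUT -i lo -j ACCEPT
    # 4. Xmas-flag detection chain, checked before any ACCEPT rule.
    ipt -N CHECK_FLAGS
    ipt -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "NMAP-XMAS:"
    ipt -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    ipt -A INPUT -i "$EXT_IF" -j CHECK_FLAGS
    ipt -A FORWARD -i "$EXT_IF" -j CHECK_FLAGS
    # 5. Stateful rules: INVALID first, then replies to existing connections,
    #    then new connections that did not arrive on the external interface.
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT ! -i "$EXT_IF" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -m state --state INVALID -j DROP
    # 6. Drop echo-request arriving from outside, for the box and for the LAN.
    ipt -A INPUT -i "$EXT_IF" -p icmp --icmp-type 8 -j DROP
    ipt -A FORWARD -i "$EXT_IF" -p icmp --icmp-type 8 -j DROP
    # 7. Reject ident probes rather than letting them time out.
    ipt -A FORWARD -i "$EXT_IF" -p tcp --dport 113 -j REJECT
    # 8. NAT: IKE (UDP 500) forwarded to the VPN host, LAN masqueraded outbound.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport 500 -j DNAT --to-destination "$VPN_HOST:500"
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE
}

# Number of -A rules the script would load (quick sanity check after edits).
rule_count() {
    DRY_RUN=1 apply_firewall | grep -c -- ' -A '
}

case "${1:-}" in
    apply) apply_firewall ;;
    show)  DRY_RUN=1 apply_firewall ;;
esac
```

`sh firewall.sh show` prints the rule set for review; `sh firewall.sh apply` loads it (root required). The script keeps the slides' FORWARD ACCEPT policy; a tighter variant would set FORWARD DROP and add an explicit `-s 192.168.0.0/24 -o eth0 -j ACCEPT` plus a RELATED,ESTABLISHED rule for the return traffic.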
Blocking ICMP / Port Forwarding with DNAT
- Port Forwarding
- Port Forwarding an IPSEC client/server on port 500 using protocol 17 (UDP), needed for VPN access
- iptables -t nat -A PREROUTING -i eth0 -p udp --dport 500 -j DNAT --to-destination 192.168.0.2:500
- Port Forwarding WWW on Port 80
- iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
- Blocking ICMP
- A default INPUT policy of DROP already blocks inbound ICMP (ping); the rules below make this explicit and extend it to traffic forwarded to the LAN.
- iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -j DROP
- iptables -A FORWARD -i eth0 -p icmp --icmp-type 8 -j DROP
- iptables -A OUTPUT -o eth0 -p icmp --icmp-type 8 -j ACCEPT
ToS Packet Mangling / MAC Addresses as Filtering Criteria
- ToS Packet Mangling
- Allows Type-Of-Service parameters to be set per protocol
- iptables -t mangle -A FORWARD -p tcp --dport 22 -j TOS --set-tos 16
- iptables -t mangle -A FORWARD -p tcp --dport 80 -j TOS --set-tos 8
- MAC Addresses as Filtering Criteria
- iptables -A FORWARD -m state --state NEW -m mac --mac-source 00:C7:8F:72:14:XX -j ACCEPT
- Allows a known MAC address to be forwarded (XX stands in for the sixth octet, which is missing from the slide; a full six-octet address is required).
- The MAC match only sees the address on the firewall's own segment and a source MAC is trivially forged, so treat this as a convenience filter rather than authentication.
IBM-Rochester Nortel VPN Access
## OPENS NORTEL EXTERNAL PORT 500
iptables -A OUTPUT -o eth0 -p tcp --dport 500 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 500 -j ACCEPT
## PORT FORWARD FOR IPSEC "REKEYING"
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 500 -j DNAT --to-destination 192.168.0.2:500
- Assumes 192.168.0.2 is the computer running the VPN client and eth0 is the external interface
Configuring dhcpd
#filename: /etc/dhcpd.conf
default-lease-time 86400;
max-lease-time 86400;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.2 192.168.0.250;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.4, 12.24.250.39, 12.24.250.40, 206.25.127.40;
    option domain-name "chartermi.net";
}
- On Redhat boxes do a "service dhcpd start" to start the dhcpd daemon.
- Note that the range includes 192.168.0.2 (the DNAT target for the VPN client) and 192.168.0.4 (the local DNS server listed above); give those hosts fixed addresses outside the range or reserved leases so a dynamic client cannot be handed one of them.