TechForce: IPtables Intro

What is IPtables

As described in the man page:

Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a 'target', which may be a jump to a user-defined chain in the same table.

IPtables is a packet-filtering firewall that operates at kernel level. Because the kernel also keeps track of connections it has already seen, IPtables can make decisions based on previously received packets, not just on the packet in front of it.

How it works

It is called "IPTables" because it has several tables, each defining policies and rules for a different purpose. By default, IPtables has four tables: Filter, Nat, Mangle and Raw. Nat and Mangle are for routing and manipulating packets, and we will not consider them here.

Tables contain five built-in chains to manage the rules: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING (each table uses only the chains that apply to it, as the listing further down shows). A chain can contain multiple rules, and each rule is defined in terms of the packets it matches.

So, the structure is: IPtables -> Tables -> Chains -> Rules. Let’s look more at this structure and the relation between tables and chains.

Here is how packet flow and IPtables work together:

  • Packets come into the machine to use its resources (Route A): the packets go through the routing decision, and the Filter table with the INPUT chain manages them.
  • Packets are forwarded elsewhere with the machine's help (Route B): in this route IPtables forwards the packets to another destination. On the way, the packet passes through the Filter table with the FORWARD chain and the Nat table with the PREROUTING and POSTROUTING chains.
  • Packets are sent from the local machine (Route C): every packet sent from the local machine goes through route C.

Table Mangle is usually ‘sleeping’, as it is seldom used. We can remove it to make our explanation clearer and easier to understand.

In fact, Filter with the INPUT and OUTPUT chains is the table most used on Linux machines. Nat is an interesting table which can help manage the packet flow between machines in a LAN, functioning like a router.

IPtables Rules

Key points to remember for IPtables rules:

  • A rule contains match criteria and a target.
  • If the criteria are matched, processing goes to the rules in the chain named by the target, or the special value given as the target is executed.
  • If the criteria are not matched, processing moves on to the next rule.

The possible special values that you can specify in the target are:

  • ACCEPT – the firewall lets the packet through.
  • DROP – the firewall drops the packet.
  • QUEUE – the firewall passes the packet to userspace.
  • RETURN – the firewall stops traversing this chain and resumes at the next rule in the previous (calling) chain.

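To see these semantics in one place, here is an added example (not code from the original post) that writes a small Filter ruleset in iptables-restore format with a user-defined chain: SSH from the LAN is accepted inside the chain, anything else hits RETURN, falls back into INPUT, is logged and then takes the chain's DROP policy. The LAN range 192.168.100.0/24 and the chain name SSH_CHECK are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: a filter ruleset in
# iptables-restore format that exercises the rule semantics described above.
# Rules are tried in order; a matching rule's target decides (ACCEPT/DROP);
# a jump enters a user-defined chain; RETURN resumes at the next rule of the
# calling chain; a packet that matches nothing gets the chain's policy.
# Assumed values: the LAN is 192.168.100.0/24 and SSH_CHECK is our own chain.
LAN_NET="192.168.100.0/24"

filter_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_CHECK - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH: hand the packet to the user-defined chain
-A INPUT -p tcp --dport 22 -j SSH_CHECK
# reached only after SSH_CHECK hit RETURN; LOG does not terminate, so the
# packet then falls off the end of INPUT and the DROP policy applies
-A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh-not-lan: "
-A SSH_CHECK -s $LAN_NET -j ACCEPT
-A SSH_CHECK -j RETURN
COMMIT
EOF
}

# Trace 1: SSH from 192.168.100.7 -> INPUT rule 3 jumps -> SSH_CHECK rule 1 -> ACCEPT.
# Trace 2: SSH from 203.0.113.9 -> SSH_CHECK rule 1 misses -> RETURN ->
#          INPUT rule 4 logs -> end of chain -> policy DROP.
apply_ruleset() { filter_ruleset | iptables-restore; }

# Print the ruleset by default; apply it (needs root) only when asked.
if [ "${1:-}" = "--apply" ]; then apply_ruleset; else filter_ruleset; fi
```

Run it without arguments to review the generated ruleset, and with `--apply` as root to load it atomically through iptables-restore.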
IPtables also supports extension modules to add additional functionality. Extension targets such as DNAT, MASQUERADE, REDIRECT etc. are common. See the man page for more information.

How to use IPtables

If you type "iptables -L" or, alternatively, "service iptables status", you'll see the firewall rules on your system. The example below displays the default Filter table with its INPUT, FORWARD and OUTPUT chains, all still empty.

<code>root@theplant:/home/theplant# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
</code>

For more basic commands please read the Linux man page.

Interesting uses

String filter

We can ask IPtables to help us filter any packet which has special key words:

<code>iptables -A INPUT -p tcp -m string --algo kmp --string "ggffww" -j REJECT --reject-with tcp-reset
</code>

<code>$ nc -l 4230 &
$ telnet localhost 4230
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
ggffww
Connection closed by foreign host.
</code>

With this test you will see that IPtables can spot TCP packets which include the word ggffww and reset the connection.

  • To block a known intrusion attempt:
<code>iptables -I INPUT 1 -p tcp --dport 80 -m string --string "cmd.exe" --algo bm -j DROP
</code>
  • To defend a service against a DDoS:
<code>iptables -I INPUT 1 -p tcp --dport 80 -m string --string "domain.com" --algo kmp -j DROP
</code>
  • To defend against e-mail spoofing:
<code>iptables -I INPUT -p tcp --dport 25 -m string --string "Subject" --algo bm -j DROP
</code>

Dynamic Filter

This is a great feature of IPtables that makes it smarter than ordinary firewalls. The most common use is with FTP, via the ip_conntrack_ftp.o module, which lets us track FTP connections back into our network properly: when we download from an FTP server, the server will try to make a TCP connection back to our system.

<code>iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
</code>

With this feature and the rule above, all we need to do is make port 22 available (provided that is the port you use for FTP).
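On a current kernel the connection-tracking rule alone is not enough, because the FTP helper is no longer attached to connections automatically. The following added example (not code from the original post) shows the complete set: it binds the ftp helper to our outgoing control connections and admits the server's data connection as RELATED, without opening any port. The control port FTP_PORT=21, the module name nf_conntrack_ftp (the successor of ip_conntrack_ftp) and the client role are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: everything the FTP case
# above needs on a current kernel. Assumptions: the FTP control port is
# FTP_PORT (set it to what your server listens on), the helper module is
# nf_conntrack_ftp (successor of ip_conntrack_ftp), and this host is the FTP
# client, so the control connection leaves through the OUTPUT chain.
FTP_PORT=21

ftp_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# From kernel 4.7 on, helpers are no longer attached automatically
# (net.netfilter.nf_conntrack_helper=0), so bind the ftp helper explicitly
# to our outgoing control connections. (For an FTP server on this host the
# same rule would go in PREROUTING instead.)
-A OUTPUT -p tcp --dport $FTP_PORT -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# The data connection the server opens back to us is RELATED to the tracked
# control connection, so this one rule admits it without opening any port.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# True when the ftp helper module is already loaded.
helper_loaded() { grep -q '^nf_conntrack_ftp ' /proc/modules; }

apply_ftp_rules() {
    helper_loaded || modprobe nf_conntrack_ftp
    ftp_ruleset | iptables-restore
}

# Print the ruleset by default; apply it (needs root) only when asked.
if [ "${1:-}" = "--apply" ]; then apply_ftp_rules; else ftp_ruleset; fi
```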

Make a Linux machine into a router (SNAT and DNAT)

If you have two network interfaces on one machine, it can be interesting to build a simple router that lets other machines connect to the Internet. How does it work? With the help of the Nat table and the POSTROUTING chain we can change the source IP. Source NAT (SNAT) replaces the source IP address of the packets with the router's own external IP, and when the packets return, the NAT function knows who sent them and forwards them back to the originating workstation inside the network.

  1. On the Router machine: set the LAN network interface IP to 192.168.100.253
<code># Open the ip_forward option to give Linux the routing function
$ echo "1" > /proc/sys/net/ipv4/ip_forward
# $EXTIF is the network interface which connects to the Internet
# 192.168.100.0/24 is the LAN client address range
$ iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o $EXTIF -j MASQUERADE
</code>
  2. On the Client machine:
<code>NETWORK 192.168.100.0
IP      192.168.100.110
NETMASK 255.255.255.0
Gateway 192.168.100.253
</code>
     For the DNS, set it the same way you did on the Router.

Done. Now the Client can surf the Internet with the Router machine's help.

DNAT lets the Router machine offer a DMZ (port forwarding) function like a real router. It is really simple:

<code>iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.110:80 
</code>

This will redirect all requests arriving on eth0 on port 80 to 192.168.100.110. Yep, really simple.
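The two NAT recipes above (MASQUERADE for the LAN and DNAT for the web host) are combined here in one added example that is not code from the original post. It adds the part the recipes leave out: a FORWARD chain whose policy is DROP and which passes only the traffic the NAT rules create, so the DNAT forward still works while everything else from the outside is refused. The interface names eth0/eth1, the LAN 192.168.100.0/24 and the web host 192.168.100.110 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the SNAT router and the
# DNAT port forward from the text as one iptables-restore ruleset, plus a
# restrictive FORWARD chain. Assumed values: EXTIF/LANIF, LAN_NET, WEB_HOST.
EXTIF="eth0"
LANIF="eth1"
LAN_NET="192.168.100.0/24"
WEB_HOST="192.168.100.110"

router_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: port 80 arriving on the external interface goes to the LAN web host
-A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
# SNAT: LAN clients leave with the router's external address
-A POSTROUTING -s $LAN_NET -o $EXTIF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LANIF -j ACCEPT
# replies to already tracked connections, in either direction
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# new connections from the LAN to the Internet (the SNAT case)
-A FORWARD -i $LANIF -o $EXTIF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# new connections from the Internet only to the forwarded web port (the DNAT
# case); FORWARD sees the packet after DNAT, so match the rewritten destination
-A FORWARD -i $EXTIF -o $LANIF -d $WEB_HOST -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Same effect as echo 1 > /proc/sys/net/ipv4/ip_forward
enable_forwarding() { sysctl -w net.ipv4.ip_forward=1; }

apply_router() { enable_forwarding && router_ruleset | iptables-restore; }

# Print the ruleset by default; apply it (needs root) only when asked.
if [ "${1:-}" = "--apply" ]; then apply_router; else router_ruleset; fi
```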
