The Linux kernel uses the Netfilter kernel module to filter packets, allowing some of them to be received by or pass through the system while stopping or modifying others implementing a network firewall. Netfilter is built in to the Linux kernel and can be managed at system level using iptables tool installed by iptables RPM.

Netfilter

Netfilter uses three built-in tables or rules lists in order to filter or modify network packets:

filter
The default table for handling network packets.

nat
Used to modify network packets implementing the Network Address Translation NAT. It is also known as masquerading.

mangle
Used on very specific types of network packet modification.

Each netfilter table (filter,nat,mangle) has a group of 'chains' that defines the actions performed on the network packet by netfilter :

Filter

INPUT
Matches network packets that are targeted for the host.

OUTPUT
Matches network packets generated locally on the host.

FORWARD
Matches network packets routed through the host.

Nat

PREROUTING
Modifies network packets when they arrive to the hosts.

OUTPUT
Modifies network packets generated locally before they are sent from the host.

POSTROUTING
Modifies network packets before they are sent from the host.

Mangle

INPUT
Modifies network packets targeted for the host.

OUTPUT
Modifies network packets generated locally before they are sent from the host.

FORWARD
Modifies network packets routed through the host.

PREROUTING
Modifies incoming network packets before they are routed through the host.

POSTROUTING
Modifies network packets before they are sent from the host.

When a network packet match a particular rule in one of the tables, an action is applied to it. If the rule specifies an ACCEPT action the packet skips the rest of the rules and is allowed to continue to its destination. If a rule specifies a DROP action the access to the host is denied and nothing is sent back to the host that sent the packet. If a rule specifies a QUEUE action the packet is passed to user-space. If a rule specifies REJECT action the packet is dropped and a error is sent to the packet's originator. Every chain has a default policy to ACCEPT, DROP, REJECT, or QUEUE. If none of the rules in the chain apply to the packet, then the default policy is applied to the network packet.

Iptables

The iptables command that can be used in order to define the matching rule and the actions to be taken on the network packets. The following is the basic options used on iptables command:

# iptables -t table [action direction] [packet match] -j [what to do]

--> The -t table option is used in order to select the netfilter table where the rule will be applied. As said before it can take the values filter, nat or mangle. By default filter table is used if this option is not specified.

--> The [action direction] has four basic actions associated:

-A or --append
Appends the rule to the end of a chain.

-D or --delete
Deletes a rule from a chain.

-L or --list
Lists configured rules in the chain.

-F or --flush
Flushes all of the rules in the current iptables chain.

Appending to -A or deleting from -D a chain can be applied network packets travelling in one of three directions:

INPUT
Incoming packets are checked against the rules in this chain.

OUTPUT
Outgoing packets are checked against the rules in this chain.

FORWARD
Packets being sent to another computer are checked against the rules in this chain.

--> The [packet match] is used to identify the network packet to be filtered/modified. All netfilter checks every packet against this pattern :

-s ipaddress
Network packets are checked for a specific source IP address. For example '-s 192.168.1.0/24' matches all ips on 192.168.1.0/24 LAN.

-d ipaddress
Network packets are checked for a specific destination IP address. For example '-d 192.168.1.1' only matches that ip.

-p protocol
Matches the network protocol used on the communication. It can be TCP, UDP or ICMP.

--dport port
Matches the destination port used on the network communication. For example '--dport 22' matches all network packets sent by a ssh-client when trying to open a ssh connection to a ssh-server.

-i interface
Name of a network interface through the network packet has been received. For example '-i eth0' .

-o interface
Name of a network interface through the network packet is going to be sent. For example '-o eth1' .

--> The -j [what to do] defines the action to be taken when iptables finds a packet pattern match :

DROP
The network packet is dropped and no message is sent to the requesting computer.

REJECT
The network packet is dropped and an error message is sent to the requesting computer.

ACCEPT
The network packet is allowed to proceed as specified with the -A action: INPUT, OUTPUT, or FORWARD.

In resume the best way to summarize how iptables works is with the following :

# iptables -t [filter|nat|mangle] [-A|-D|-L|-F] [INPUT|OUTPUT|FORWARD] -p [tcp|udp] -m [tcp|udp] -s [sourceip] -d [destip] --dport [port] -j [DROP|REJECT|ACCEPT]

For more information 'man iptables'. Important note: iptables do not make DNS resolutions so it does NOT support the use of hostnames. It only understand numerical IP addresses.

Iptables Examples

# iptables -A INPUT -s 10.0.0.0/24 -p icmp -j DROP

This rules stops users from computers on LAN 10.0.0.0/24 pinging your server.

# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

This rule opens your web server (port TCP/IP 80) to everybody.

# iptables -A INPUT -s !192.168.1.0/24 -j REJECT

It rejects all traffic from any computer that it is NOT on 192.168.1.0/24 LAN sending a "destination unreachable" error message.

# iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

Rejects any network packet from any source with the icmp-host-prohibited message. This rule is used as the default DENY ALL rule at the end of any iptables chain to be sure that the only network packets that are allowed are those that are allowed by any iptables rules matched BEFORE this DENY ALL rule.

Network Address Translation

NAT Masquerade

Network Address Translation (NAT) allows share the same public IP Internet address to any client on a LAN. It replaces on network packets the source address with the IP address of the firewall, which serves as a gateway between the LAN and the Internet. The source address is cached on the gateway and knows which computer made the request. With this technique with only one public IP address you can access to the Internet from any computer on the LAN hiding (masquerading) the real client IP with the firewall IP address.

# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE

With this rule any network packet from the LAN 192.168.1.0/24 and destination on Internet will enter to the gateway firewall through its eth0 LAN interface 192.168.1.1 and will leave the firewall through the public network interface eth1 and reach the Internet destination using as source IP address the firewall public IP eth1. When the Internet service answers the source network packet it will send the answer to the firewall public IP address and the firewall will forward that packet to the LAN client that has initiated the network communication.

NAT Prerouting

In order to make available on the Internet a network service that is on a internal LAN the -j DNAT target of the PREROUTING chain in NAT can be used. It specifies a destination IP address and port where incoming packets requesting a connection to your internal service can be forwarded. For example, in order to forward incoming HTTP requests from the Internet to a dedicated Apache HTTP Server at 10.0.0.1 :

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.1:80

All networks packets coming from the Internet with destination public IP interface eth1 of the gateway firewall port 80 (web requests) will be forwarded to the apache web server running on 10.0.0.1 port 80 through gateway firewall LAN interface eth0 . Of course answers from this web service will be forwarded to the remote client using the public network interface eth1 on the gateway firewall.

Saving and Restoring IPTables Rules

As other Linux services, iptables can be managed with the standard RHEL tools. For example in order to activate/deactivate iptables service:

# chkconfig iptables on/off

In order to print on the STDIN the iptables running on real time :

# iptables -L

Rules applied on iptables with the iptables command are not persistent, if the iptables service is restarted the rules are flushed. In order to save the running rules and make them loaded when the iptables service is started the following command can be used :

# service iptables save

With this command iptables rules are saved in the file /etc/sysconfig/iptables and are automatically applied when the iptables service is started :

cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


As can be seen this file applies iptables rules on table filter to the INPUT network packets. It only accepts network packets related on ssh (port TCP/IP 22) and http (port TCP/IP 80) network traffic. The rest of the INPUT and FORWARD network packets are rejected. Every time iptables service is started these rules are automatically applied.

Questions

1.- Linux Kernel uses iptables kernel module in order to filter network packets (true/false).

2.- By default iptables tool is installed on RHEL6 system by iptables RPM (true/false).

3.- Which command can be used in order to list the iptables rules running on a Linux system ?

4.- Which iptables command can be used in order to do not allow pinging to any server network interface ?

A - # iptables -A INPUT -s 10.0.0.0/24 -p icmp -j DROP
B - # iptables -A INPUT -p icmp -j DROP
C - Both of them
D - None of them

5.- Which RHEL6 standard can be used in order to save the active iptables rules on file /etc/sysconfig/iptables ?

A - service iptables save
B - /etc/init.d/iptables save
C - Both of them
D - None of them

Lab 1

* Login as root on rhel6 (10.0.0.1) and make sure that iptables service is running and active at boot time

# /etc/init.d/iptables start
# chkconfig iptables on


* One kick way to configure the Linux firewall is using system-config-firewall-tui tool, a semigraphical tools that allows configure the Linux firewall through iptables in graphical and not graphical environments.

# system-config-firewall-tui

--> Customize --> Uncheck any entrance --> Close --> OK --> Yes

The following configuration will be written on file /etc/sysconfig/iptables :

# cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


This configuration closes any TCP/UDP communication to rhel6 server, but ping stills works. In order to filter ping on rhel just change the line '-A INPUT -p icmp -j ACCEPT' by '-A INPUT -p icmp -j DROP' and restart iptables service

'-A INPUT -p icmp -j DROP' --> /etc/sysconfig/iptables
# /etc/init.d/iptables restart


* Connect to node01 (10.0.0.10) and try ping to rhel6 server 10.0.0.1

node01> ping 10.0.0.1

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
...


Pinging rhel6 is not allowed as expected.

* Using nmap port scanner we can verify that all TCP/UDP ports are filtered on rhel6

node01> nmap -PS 10.0.0.1

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-08-13 22:45 CEST
Warning: Giving up on port early because retransmission cap hit.


As expected from node01 we can not reach any TCP port on rhel6

node01> nmap -PU 10.0.0.1

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-08-13 22:45 CEST
Warning: Giving up on port early because retransmission cap hit.


As expected from node01 we can not reach any UDP port on rhel6

Lab 2

* Login as root on rhel6 (10.0.0.1) and use 'system-config-firewall-tui' order to accept ssh traffic from clients on 10.0.0.0/24 LAN. This line must be added just before the default deny lines:

'-A INPUT -m state --state NEW -m tcp -p tcp -s 10.0.0.0/24 --dport 22 -j ACCEPT'

# cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 10.0.0.0/24 --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


Do not forget also close pinging to rhel6 and restart iptables service :

# /etc/init.d/iptables restart

* Do a TCP network scan with nmap from node01 and verify that now port TCP/IP 22 is open

node01> nmap -PS 10.0.0.1

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-08-13 22:54 CEST
Interesting ports on 10.0.0.1:
Not shown: 1679 filtered ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:78:97:8C (VMware)

Nmap finished: 1 IP address (1 host up) scanned in 1086.266 seconds


* In order to log all INPUT traffic on the firewall the following line must be added at the begging of the INPUT chain:

'-A INPUT -j LOG'

# cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j LOG
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 10.0.0.0/24 --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

# /etc/init.d/iptables restart


* With this configuration all INPUT network packets get logged on /var/log/messages just before iptables takes an action on it :

# tail -f /var/log/messages

kernel:IN=eth0 OUT= MAC=00:0c:29:78:97:8c:00:0c:29:4b:ce:ed:08:00 SRC=10.0.0.10 DST=10.0.0.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=54033 DF PROTO=TCP SPT=56680 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0