Originally, the most popular firewall / NAT package running on Linux was ipchains but it had a number of shortcomings. The Netfilter <http://www.netfilter.org/> organization decided to create a new product called iptables in order to rectify this and developed these improvements and more:
The iptables application has better integration with the Linux kernel with the capability of loading iptables specific kernel modules designed for improved speed and reliability.
iptables does "stateful" packet inspection. This means that the firewall keeps track of each connection passing through it and in certain cases will view the contents of data flows in an attempt to anticipate the next action of certain protocols. This is an important feature in the support of active FTP and DNS as well as many other network services.
iptables can filter packets by MAC address and by the values of the flags in the TCP header. This is helpful in preventing attacks using malformed packets and in restricting access from locally attached servers to other networks regardless of their IP addresses.
There have been improvements in system logging which now provides the option of adjusting the level of detail of the reporting.
Network address translation has been improved and new support for transparent integration with web proxy programs such as Squid has been incorporated into the product.
The new rate limiting feature helps iptables to block some types of denial of service (DoS) attacks.
20.1.1 Overview
Note: 2.4 and above kernels only.
Many benefits over ipchains:
Connection Tracking.
Rate Limiting.
Many more filtering options: all TCP flags, MAC address, user, etc.
Improved logging.
Format
iptables [table] [action] [chain] [options] [target]
iptables -t filter -A INPUT -m state --state NEW -p tcp -s 12.168.1.0/24 -j ACCEPT
Capabilities
Table - Specifies which table the chain applies to: nat, filter, or mangle.
Action - Action to be taken on the specified network or host.
Chains - 5 built-in chains. Names are capitalized, unlike ipchains.
# Filter Table:
INPUT - All packets entering an interface that are destined for a local process use this chain.
FORWARD - Only packets routed from one interface to another pass through this chain.
OUTPUT - All packets leaving an interface that originated from a local process use this chain.
# Nat Table:
Linux Administration – IPTABLES Page 105 of 167
PREROUTING - Rules in this chain occur before it is determined whether the packet will use the INPUT or FORWARD chain. Destination NAT (DNAT) is configured using this chain.
POSTROUTING - Rules in this chain occur after the OUTPUT and FORWARD chains. Source NAT (SNAT) is configured using this chain.
Options
-i = Input interface (eth0, eth1, lo)
-o = Output interface (eth0, eth1, lo)
-p = Protocol (udp, tcp, icmp, or the protocol number)
-s = Source address of packet (192.168.1.20, 192.168.1.0/24, etc.)
-d = Same as -s, only for the destination address
-m = Specify an extension module to load (e.g. -m state). This must be the first option specified if it is used.
--sport = Source port
--dport = Destination port
Targets
# 3 Default Targets
DROP = Drop the packet without returning an indication to the source that it was dropped
ACCEPT = Accept the packet
<CHAIN> = A user defined chain
# Additional Targets provided by modules:
LOG = Log the packet
REJECT = Reject the packet and send the source a user defined response (defaults to an ICMP error message)
Connection Tracking
Requires state module (-m state).
Packet STATES:
NEW = A new connection
ESTABLISHED = Packet is part of an existing connection
RELATED = Packet is related to an existing connection (e.g. ICMP error messages)
INVALID = Packet doesn't belong to any other connection
Tracking FTP Connections:
Because of the nature of the FTP protocol, tracking ftp connections requires a special kernel module:
ip_conntrack_ftp. If you wish to use NAT with FTP connection tracking, you must also load the ip_nat_ftp kernel module.
Install the iptables-1.2.9-1.0.i386.rpm package from the 3rd CD of the RedHat distribution.
Start iptables service
You can start/stop/restart iptables after booting by using the following commands:
[root@skynet tmp]# service iptables start
[root@skynet tmp]# service iptables stop
[root@skynet tmp]# service iptables restart
To get iptables configured to start at boot you can use the chkconfig command.
[root@skynet tmp]# chkconfig iptables on
IPTABLES Examples
www.wilshiresoft.com Wilshire Software Technologies Rev Dt: 15-Oct-08
# Set the default policies to DROP (iptables has no DENY target; that was ipchains)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow all incoming tcp connections on interface eth0 to port 80 (www)
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024: --dport 80 -j ACCEPT
# We must also allow packets back out in order for the connection to work since we aren't using connection tracking
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -d 0.0.0.0/0 --dport 1024: -j ACCEPT
# Allow outgoing connections to all ports, and use connection tracking so we don't have to create rules to allow us to receive the packets coming back.
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp --sport 1024: -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp --dport 1024: -j ACCEPT
# Allow external access to our DNS services, and keep state on the connection.
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -o eth0 -p udp --sport 53 -j ACCEPT
# Redirect all incoming traffic that hits port 8080 to port 80 on a web server in our internal LAN
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to 192.168.1.10:80
# Allow ICMP echo requests, but limit them to 1 per second. A burst of 3 will allow up to 3 ICMP packets before the rate limiting kicks in.
iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -m state --state ESTABLISHED -j ACCEPT
The "service iptables save" command will permanently save the iptables configuration in the /etc/sysconfig/iptables file. When the system reboots, the iptables-restore program reads the configuration and makes it the active configuration.
The format of the /etc/sysconfig/iptables file is slightly different from that of the scripts shown in this document. The initialization of built-in chains is automatic and the string "iptables" is omitted from the rule statements.
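As an added example (not part of the course handout), a small POSIX shell/awk converter that rewrites a script of iptables commands into the layout described above: one block per table, ":CHAIN POLICY" headers derived from the -P lines, and the word "iptables" dropped from each rule. The sample ruleset it is fed is constructed; real iptables-save output also normalizes match options (for example inserting -m tcp), which this converter does not attempt.

```shell
#!/bin/sh
# Added example, not the handout's code. Reads "iptables ..." lines on stdin
# and prints them in the /etc/sysconfig/iptables layout read by
# iptables-restore: "*table", ":CHAIN POLICY [0:0]" for each built-in chain
# (policy from -P lines, ACCEPT otherwise), rules without "iptables", COMMIT.
to_restore_format() {
    awk '
    BEGIN {
        builtin["filter"] = "INPUT FORWARD OUTPUT"
        builtin["nat"]    = "PREROUTING POSTROUTING OUTPUT"
        order = "filter nat"
    }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    $1 == "iptables" {
        table = "filter"; first = 2         # filter is the default table
        if ($2 == "-t") { table = $3; first = 4 }
        seen[table] = 1
        if ($first == "-P") { policy[table, $(first + 1)] = $(first + 2); next }
        rule = $first                       # rule text minus "iptables [-t table]"
        for (i = first + 1; i <= NF; i++) rule = rule " " $i
        rules[table] = rules[table] rule "\n"
    }
    END {
        n = split(order, tabs, " ")
        for (t = 1; t <= n; t++) {
            tb = tabs[t]
            if (!(tb in seen)) continue
            print "*" tb
            m = split(builtin[tb], ch, " ")
            for (c = 1; c <= m; c++) {
                p = ((tb, ch[c]) in policy) ? policy[tb, ch[c]] : "ACCEPT"
                print ":" ch[c] " " p " [0:0]"
            }
            printf "%s", rules[tb]
            print "COMMIT"
        }
    }'
}
# Constructed sample mirroring the handout's examples (not a real config).
sample_script() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to 192.168.1.10:80
EOF
}
sample_script | to_restore_format
```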