Iptables Workshop

Transcript

1. iptables Workshop

2. Overview 1.Intro 2.Future 3.Concepts 4.Hands-on Exercises

3. Intro 01

4. netfilter • Linux Kernel 2.4 and later – Heavy improvement

   to ipchains (2.2.x) and ipfwadm (2.0.x) • Callback function hooks on network stack • stateless/stateful packet filtering (IPv4 and IPv6) • network address and port translation, eg. NAT/NAPT • OSI Layer 2 (Link)

5. raw nat broute brouting bridge check prerouting prerouting ingress (qdisc)

   conntrack raw nat prerouting prerouting prerouting mangle conntrack routing decision input nat prerouting mangle bridging decision prerouting filter forward filter mangle mangle mangle forward forward forward forward forward forward filter filter filter mangle output mangle filter mangle postrouting postrouting postrouting postrouting nat nat output nat postrouting nat postrouting output reroute check nat output filter xfrm lookup nat postrouting output raw conntrack output mangle xfrm encode routing decision postrouting nat mangle input input xfrm/socket lookup filter local process egress (qdisc) interface output taps (e.g. AF_PACKET) (start) AF_PACKET XDP eBPF alloc_skb xfrm (e.g. ipsec) decode clone packet no clone to AF_PACKET clone packet clone packet XDP_TX XDP_ACCEPT userspace (AF_XDP) XDP_REDIRECT by Jan Engelhardt (based in part on Joshua Snyder's graph) XDP flow by Matteo Croce Last updated 2019-May-19; Linux 5.1 * “security” table left out for brevity * “nat” table only consulted for “NEW” connections FORWARD PATH OUTPUT PATH INPUT PATH Packet flow in Netfilter and General Networking bridge level basic set of filtering opportunities at the Other NF parts Other Networking network level

6. iptables • Userspace • Generic table structure for rulesets •

   Classifiers + Action • netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack), NAT subsystem, ...

7. Future 02

8. nftables • Replaces the existing {ip,ip6,arp,eb}_tables infrastructure • Different syntax

   • Compatibility layer for iptables • Generic maps and concatenation drastically reduce → number of rules • Since Linux Kernel 3.13

9. Concepts 03

10. Tables • Filter (Default) – Policies on traffic allowed inbound,

    through and outbound – INPUT, FORWARD, OUTPUT chains • Nat – Redirect traffic with connection tracking (source or destination) – PREROUTING, POSTROUTING, OUTPUT • Mangle – Packet Alteration (example: stripping off IP options) – PREROUTING, INPUT, FORWARD, POSTROUTING, OUTPUT

11. Hook Points Allow you to process packets… • PREROUTING –

    Arriving on an interface, after checksum validation • INPUT – Before delivery to local process • FORWARD – between one interface to another (important for routers!) • POSTROUTING – Before leaving an interface • OUTPUT – After being generated by a local process

12. Filter

13. NAT

14. Mangling

15. None
16. None

17. Chains • Each table has chains, by default empty •

    A Chain is comprised of Rules • Chain default policy: ACCEPT, DROP • All user-defined chains end with RETURN

18. Rules • ACLs • Top to bottom • One or

    more matching criteria + Target (action) • First match which satisfies matching criteria wins (ordering!) • No Match criteria All packets considered → • No Target PacketCounter++ and ByteCounter++ →

19. Matches • Protocol • Source address / port • Destination

    address / port • Extensions – Port Ranges, Comments, ...

20. Targets • ACCEPT – Let the packet through to the

    next stage of processing. Stop traversing the current chain • DROP – Discontinue processing entirely. Do not check against any other rule, table, chain. (Stealth!) • REJECT – Same as DROP, but provide feedback (example: icmp-host-prohibited) • QUEUE – Send the packet to UserSpace (ie. code not in the kernel, development) • RETURN – Discontinue processing this user-defined chain and return from where it previously left

21. Applications • Packet Filtering – Examining packets at various stages

    and making decisions on how they should be handled • Accounting – Monitor network traffic volumes by checking packet count and byte sizes • Connection tracking – Matching related packets (example, FTP, control/data transfer) • Packet Mangling – Modifying packet headers (net address, port,…) or payload

22. Applications • NAT (Network Address Translation) – Overwrite source/destination address/port

    – SNAT (Source), DNAT (Destination), connection tracking • Masquerading – Special type of SNAT, computer rewrites packets to make them appear like they come from itself – Share internet connection with a dynamic IP • Port-Forwarding – Type of DNAT. Firewall accepts traffic to itself, but rewrites the packets to be destined to another machine. – Replies are rewritten as well to look like they come from itself • Load-balancing – Distributing connections across a group of internal hosts for higher throughput. – Example: port-forwarding so destination address is selected in a round-robin fashion

23. Good to know • iptable rules not persistent remember to

    save! → (/etc/sysconfig/iptables, service iptables save) • /etc/sysctl.conf net.ipv4.ip_forward = 1 →

24. Workshop 04

25. Start your engines • git clone https://github.com/carroarmato0/iptables-workshop • cd iptables-workshop

    • vagrant up --provision • vagrant ssh • sudo su -

26. Lets take a look

27. iptables Commands • -A <chain> – append to chain •

    -C <chain> – check existence • -I <chain> [#] – insert at rule number (default is 1) • -D <chain> [#] – delete at rule number

28. iptables Options • -t <table> – Select the Table to

    be manipulated • -p <proto> – Protocol by number or name (expl: tcp, udp, icmp, …) • -s <address> – Source address • -d <address> – Destination address • -i <interface> – Network interface • -j <target> – Jump: ACCEPT, DROP, REJECT, <user defined table> • -m <extension> – Load extension for further matching, example: -m comment --comment “I am a comment”

29. Lets take a look • Try pinging 192.168.123.10 • Try

    pinging from the VM to google.com • Try pinging from the VM to 8.8.8.8 • Which Table and Chain are causing this? – Filter and Output

30. Clearing the OUTPUT chain

31. Try again! • ping 8.8.8.8 • ping google.com … Something

    is still missing… Allowing related and established state!

32. Try again! iptables -I INPUT -m state --state ESTABLISHED,RELATED -j

    ACCEPT

33. Webserver • TCP, 80/443 • Which Table? – Filter •

    Which Chain? – Input

34. Webserver • iptables -I INPUT 4 -p tcp --dport 80

    -j ACCEPT -m comment --comment "Allow HTTP" • iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS" or • iptables -I INPUT 4 -p tcp -m multiport --dports 80,443 -j ACCEPT -m comment --comment "Allow HTTP/HTTPS"

35. Webserver

36. Webserver

37. Organizing with User Chains Let’s block some addresses! • iptables

    -N blacklist • iptables -I blacklist -s 8.8.8.8 -j DROP • iptables -I blacklist -s 8.8.4.4 -j DROP

38. Organizing with User Chains

39. Organizing with User Chains • Try pinging 8.8.8.8 or 8.8.4.4

    • Does it still work? Why? – User chain exists, but no entry point

40. Organizing with User Chains • iptables -I INPUT -j blacklist

    • What would happen if we placed that rule under the second rule? (state RELATED,ESTABLISHED) – Only replies accepted if initiated by us

41. Logging • Let’s log packets! -j LOG --log-prefix='[my-iptable-logs]' • iptables

    -I OUTPUT -d 8.8.8.8 -j LOG --log-prefix='[my-iptable-logs]'

42. Port-Forwarding • Service running on 127.0.0.1 1234 • Can we

    reach it from the outside? – Not without port forwarding :) • Which Tables and Chains are involved? – NAT PREROUTING – FILTER INPUT! Remember the flow! → – * Depending on the destination, FILTER FORWARD

43. Port-Forwarding • iptables -t nat -A PREROUTING -p tcp --dport

    4321 -j DNAT --to 127.0.0.1:1234 • iptables -I INPUT -p tcp -d 127.0.0.1 --dport 1234 -j ACCEPT • Try surfing to 192.168.123.10:4321 – Special exception! – sysctl -w net.ipv4.conf.eth1.route_localnet=1 – Security measure: kernel doesn’t route from external to localhost

44. MASQUERADING OR SNAT? • Don’t forget: sysctl -w net.ipv4.ip_forward=1 •

    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.123.0/24 -j MASQUERADE • iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -o eth0 -j SNAT --to-source 10.0.2.15 • Masquerading: we don’t know the source address ahead of time or can change, so we bind to the interface. – No intervention, but slight overhead • SNAT: we know the source address and is static – No (added) overhead, needs intervention should the address change

45. Load Balancing • Service A, B and C respectively listening

    on port 8081, 8082 and 8083. Make available on port 8080 • Haven’t we seen this before? – NAT Prerouting DNAT + Filter INPUT (or FORWARD) – -m statistic

46. Load Balancing • iptables -t nat -A PREROUTING -p tcp

    --dport 8080 -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 127.0.0.1:8081 • iptables -t nat -A PREROUTING -p tcp --dport 8080 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 127.0.0.1:8082 • iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 127.0.0.1:8083 • iptables -I INPUT -p tcp -d 127.0.0.1 -m multiport --dports 8080:8083 -j ACCEPT

47. Load Balancing

48. Kubernetes != Black Magic

49. INUITS bvba Essensteenweg 31 2930 Brasschaat Belgium BE 0891.514.231 Contact:

    +32.380.821.05 [email protected] inuits.eu Christophe Vanlancker [email protected]