Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Iptables Workshop

Iptables Workshop

What is iptables, the command line interface to manage firewall rules in Linux?

Christophe Vanlancker

November 29, 2019

More Decks by Christophe Vanlancker

Other Decks in Technology


  1. iptables Workshop

  2. Overview 1.Intro 2.Future 3.Concepts 4.Hands-on Exercises

  3. Intro 01

  4. netfilter • Linux Kernel 2.4 and later – Heavy improvement

    to ipchains (2.2.x) and ipfwadm (2.0.x) • Callback function hooks on network stack • stateless/stateful packet filtering (IPv4 and IPv6) • network address and port translation, eg. NAT/NAPT • OSI Layer 2 (Link)
  5. raw nat broute brouting bridge check prerouting prerouting ingress (qdisc)

    conntrack raw nat prerouting prerouting prerouting mangle conntrack routing decision input nat prerouting mangle bridging decision prerouting filter forward filter mangle mangle mangle forward forward forward forward forward forward filter filter filter mangle output mangle filter mangle postrouting postrouting postrouting postrouting nat nat output nat postrouting nat postrouting output reroute check nat output filter xfrm lookup nat postrouting output raw conntrack output mangle xfrm encode routing decision postrouting nat mangle input input xfrm/socket lookup filter local process egress (qdisc) interface output taps (e.g. AF_PACKET) (start) AF_PACKET XDP eBPF alloc_skb xfrm (e.g. ipsec) decode clone packet no clone to AF_PACKET clone packet clone packet XDP_TX XDP_ACCEPT userspace (AF_XDP) XDP_REDIRECT by Jan Engelhardt (based in part on Joshua Snyder's graph) XDP flow by Matteo Croce Last updated 2019-May-19; Linux 5.1 * “security” table left out for brevity * “nat” table only consulted for “NEW” connections FORWARD PATH OUTPUT PATH INPUT PATH Packet flow in Netfilter and General Networking bridge level basic set of filtering opportunities at the Other NF parts Other Networking network level
  6. iptables • Userspace • Generic table structure for rulesets •

    Classifiers + Action • netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack), NAT subsystem, ...
  7. Future 02

  8. nftables • Replaces the existing {ip,ip6,arp,eb}_tables infrastructure • Different syntax

    • Compatibility layer for iptables • Generic maps and concatenation drastically reduce → number of rules • Since Linux Kernel 3.13
  9. Concepts 03

  10. Tables • Filter (Default) – Policies on traffic allowed inbound,

    through and outbound – INPUT, FORWARD, OUTPUT chains • Nat – Redirect traffic with connection tracking (source or destination) – PREROUTING, POSTROUTING, OUTPUT • Mangle – Packet Alteration (example: stripping off IP options) – PREROUTING, INPUT, FORWARD, POSTROUTING, OUTPUT
  11. Hook Points Allow you to process packets… • PREROUTING –

    Arriving on an interface, after checksum validation • INPUT – Before delivery to local process • FORWARD – between one interface to another (important for routers!) • POSTROUTING – Before leaving an interface • OUTPUT – After being generated by a local process
  12. Filter

  13. NAT

  14. Mangling

  15. None
  16. None
  17. Chains • Each table has chains, by default empty •

    A Chain is comprised of Rules • Chain default policy: ACCEPT, DROP • All user-defined chains end with RETURN
  18. Rules • ACLs • Top to bottom • One or

    more matching criteria + Target (action) • First match which satisfies matching criteria wins (ordering!) • No Match criteria All packets considered → • No Target PacketCounter++ and ByteCounter++ →
  19. Matches • Protocol • Source address / port • Destination

    address / port • Extensions – Port Ranges, Comments, ...
  20. Targets • ACCEPT – Let the packet through to the

    next stage of processing. Stop traversing the current chain • DROP – Discontinue processing entirely. Do not check against any other rule, table, chain. (Stealth!) • REJECT – Same as DROP, but provide feedback (example: icmp-host-prohibited) • QUEUE – Send the packet to UserSpace (ie. code not in the kernel, development) • RETURN – Discontinue processing this user-defined chain and return from where it previously left
  21. Applications • Packet Filtering – Examining packets at various stages

    and making decisions on how they should be handled • Accounting – Monitor network traffic volumes by checking packet count and byte sizes • Connection tracking – Matching related packets (example, FTP, control/data transfer) • Packet Mangling – Modifying packet headers (net address, port,…) or payload
  22. Applications • NAT (Network Address Translation) – Overwrite source/destination address/port

    – SNAT (Source), DNAT (Destination), connection tracking • Masquerading – Special type of SNAT, computer rewrites packets to make them appear like they come from itself – Share internet connection with a dynamic IP • Port-Forwarding – Type of DNAT. Firewall accepts traffic to itself, but rewrites the packets to be destined to another machine. – Replies are rewritten as well to look like they come from itself • Load-balancing – Distributing connections across a group of internal hosts for higher throughput. – Example: port-forwarding so destination address is selected in a round-robin fashion
  23. Good to know • iptable rules not persistent remember to

    save! → (/etc/sysconfig/iptables, service iptables save) • /etc/sysctl.conf net.ipv4.ip_forward = 1 →
  24. Workshop 04

  25. Start your engines • git clone https://github.com/carroarmato0/iptables-workshop • cd iptables-workshop

    • vagrant up --provision • vagrant ssh • sudo su -
  26. Lets take a look

  27. iptables Commands • -A <chain> – append to chain •

    -C <chain> – check existence • -I <chain> [#] – insert at rule number (default is 1) • -D <chain> [#] – delete at rule number
  28. iptables Options • -t <table> – Select the Table to

    be manipulated • -p <proto> – Protocol by number or name (expl: tcp, udp, icmp, …) • -s <address> – Source address • -d <address> – Destination address • -i <interface> – Network interface • -j <target> – Jump: ACCEPT, DROP, REJECT, <user defined table> • -m <extension> – Load extension for further matching, example: -m comment --comment “I am a comment”
  29. Lets take a look • Try pinging • Try

    pinging from the VM to google.com • Try pinging from the VM to • Which Table and Chain are causing this? – Filter and Output
  30. Clearing the OUTPUT chain

  31. Try again! • ping • ping google.com … Something

    is still missing… Allowing related and established state!
  32. Try again! iptables -I INPUT -m state --state ESTABLISHED,RELATED -j

  33. Webserver • TCP, 80/443 • Which Table? – Filter •

    Which Chain? – Input
  34. Webserver • iptables -I INPUT 4 -p tcp --dport 80

    -j ACCEPT -m comment --comment "Allow HTTP" • iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS" or • iptables -I INPUT 4 -p tcp -m multiport --dports 80,443 -j ACCEPT -m comment --comment "Allow HTTP/HTTPS"
  35. Webserver

  36. Webserver

  37. Organizing with User Chains Let’s block some addresses! • iptables

    -N blacklist • iptables -I blacklist -s -j DROP • iptables -I blacklist -s -j DROP
  38. Organizing with User Chains

  39. Organizing with User Chains • Try pinging or

    • Does it still work? Why? – User chain exists, but no entry point
  40. Organizing with User Chains • iptables -I INPUT -j blacklist

    • What would happen if we placed that rule under the second rule? (state RELATED,ESTABLISHED) – Only replies accepted if initiated by us
  41. Logging • Let’s log packets! -j LOG --log-prefix='[my-iptable-logs]' • iptables

    -I OUTPUT -d -j LOG --log-prefix='[my-iptable-logs]'
  42. Port-Forwarding • Service running on 1234 • Can we

    reach it from the outside? – Not without port forwarding :) • Which Tables and Chains are involved? – NAT PREROUTING – FILTER INPUT! Remember the flow! → – * Depending on the destination, FILTER FORWARD
  43. Port-Forwarding • iptables -t nat -A PREROUTING -p tcp --dport

    4321 -j DNAT --to • iptables -I INPUT -p tcp -d --dport 1234 -j ACCEPT • Try surfing to – Special exception! – sysctl -w net.ipv4.conf.eth1.route_localnet=1 – Security measure: kernel doesn’t route from external to localhost
  44. MASQUERADING OR SNAT? • Don’t forget: sysctl -w net.ipv4.ip_forward=1 •

    iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE • iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to-source • Masquerading: we don’t know the source address ahead of time or can change, so we bind to the interface. – No intervention, but slight overhead • SNAT: we know the source address and is static – No (added) overhead, needs intervention should the address change
  45. Load Balancing • Service A, B and C respectively listening

    on port 8081, 8082 and 8083. Make available on port 8080 • Haven’t we seen this before? – NAT Prerouting DNAT + Filter INPUT (or FORWARD) – -m statistic
  46. Load Balancing • iptables -t nat -A PREROUTING -p tcp

    --dport 8080 -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination • iptables -t nat -A PREROUTING -p tcp --dport 8080 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination • iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination • iptables -I INPUT -p tcp -d -m multiport --dports 8080:8083 -j ACCEPT
  47. Load Balancing

  48. Kubernetes != Black Magic

  49. INUITS bvba Essensteenweg 31 2930 Brasschaat Belgium BE 0891.514.231 Contact:

    +32.380.821.05 [email protected] inuits.eu Christophe Vanlancker [email protected]