Iptables Workshop

What is iptables, the command line interface to manage firewall rules in Linux?

Christophe Vanlancker

November 29, 2019
Transcript

  1. netfilter
     • Linux Kernel 2.4 and later – heavy improvement over ipchains (2.2.x) and ipfwadm (2.0.x)
     • Callback function hooks on the network stack
     • Stateless/stateful packet filtering (IPv4 and IPv6)
     • Network address and port translation, e.g. NAT/NAPT
     • OSI Layer 2 (Link)
  2. [Diagram: "Packet flow in Netfilter and General Networking" by Jan Engelhardt (based in part on Joshua Snyder's graph), XDP flow by Matteo Croce; last updated 2019-May-19, Linux 5.1. It shows the raw, mangle, nat and filter tables at the prerouting, input, forward, output and postrouting hooks along the INPUT, FORWARD and OUTPUT paths, the bridge-level (broute/bridging decision) hooks, conntrack, the routing decisions, xfrm (e.g. ipsec) lookup/encode/decode, and the XDP / AF_PACKET taps. Notes on the diagram: the "security" table is left out for brevity; the "nat" table is only consulted for "NEW" connections.]
  3. iptables
     • Userspace
     • Generic table structure for rulesets
     • Classifiers + Action
     • netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack), NAT subsystem, ...
  4. nftables
     • Replaces the existing {ip,ip6,arp,eb}_tables infrastructure
     • Different syntax
     • Compatibility layer for iptables
     • Generic maps and concatenation → drastically reduced number of rules
     • Since Linux Kernel 3.13
  5. Tables
     • Filter (default) – policies on traffic allowed inbound, through and outbound
       – INPUT, FORWARD, OUTPUT chains
     • Nat – redirect traffic with connection tracking (source or destination)
       – PREROUTING, POSTROUTING, OUTPUT chains
     • Mangle – packet alteration (example: stripping off IP options)
       – PREROUTING, INPUT, FORWARD, POSTROUTING, OUTPUT chains
  6. Hook Points – allow you to process packets…
     • PREROUTING – arriving on an interface, after checksum validation
     • INPUT – before delivery to a local process
     • FORWARD – between one interface and another (important for routers!)
     • POSTROUTING – before leaving an interface
     • OUTPUT – after being generated by a local process
  7. NAT

  8. Chains
     • Each table has chains, by default empty
     • A chain is made up of rules
     • Chain default policy: ACCEPT, DROP
     • All user-defined chains end with RETURN
  9. Rules
     • ACLs
     • Evaluated top to bottom
     • One or more matching criteria + target (action)
     • The first rule whose matching criteria are satisfied wins (ordering!)
     • No match criteria → all packets are considered
     • No target → only PacketCounter++ and ByteCounter++
  10. Matches
      • Protocol
      • Source address / port
      • Destination address / port
      • Extensions – port ranges, comments, ...
  11. Targets
      • ACCEPT – let the packet through to the next stage of processing. Stop traversing the current chain
      • DROP – discontinue processing entirely. Do not check against any other rule, table or chain. (Stealth!)
      • REJECT – same as DROP, but provide feedback (example: icmp-host-prohibited)
      • QUEUE – send the packet to userspace (i.e. code not in the kernel, development)
      • RETURN – discontinue processing this user-defined chain and return to where it previously left off
  12. Applications
      • Packet filtering – examining packets at various stages and making decisions on how they should be handled
      • Accounting – monitor network traffic volumes by checking packet counts and byte sizes
      • Connection tracking – matching related packets (example: FTP control/data transfer)
      • Packet mangling – modifying packet headers (net address, port, …) or payload
  13. Applications
      • NAT (Network Address Translation) – overwrite source/destination address/port
        – SNAT (source), DNAT (destination), connection tracking
      • Masquerading – special type of SNAT: the computer rewrites packets to make them appear to come from itself
        – Share an internet connection with a dynamic IP
      • Port-forwarding – type of DNAT. The firewall accepts traffic to itself, but rewrites the packets to be destined to another machine.
        – Replies are rewritten as well, to look like they come from the firewall itself
      • Load-balancing – distributing connections across a group of internal hosts for higher throughput.
        – Example: port-forwarding where the destination address is selected in a round-robin fashion
  14. Good to know
      • iptables rules are not persistent → remember to save! (/etc/sysconfig/iptables, service iptables save)
      • /etc/sysctl.conf → net.ipv4.ip_forward = 1
  15. iptables Commands
      • -A <chain> – append to chain
      • -C <chain> – check existence
      • -I <chain> [#] – insert at rule number (default is 1)
      • -D <chain> [#] – delete at rule number
  16. iptables Options
      • -t <table> – select the table to be manipulated
      • -p <proto> – protocol by number or name (e.g. tcp, udp, icmp, …)
      • -s <address> – source address
      • -d <address> – destination address
      • -i <interface> – incoming network interface
      • -j <target> – jump: ACCEPT, DROP, REJECT, <user-defined chain>
      • -m <extension> – load extension for further matching, example: -m comment --comment "I am a comment"
  17. Let's take a look
      • Try pinging 192.168.123.10
      • Try pinging from the VM to google.com
      • Try pinging from the VM to 8.8.8.8
      • Which table and chain are causing this?
        – Filter and OUTPUT
  18. Try again!
      • ping 8.8.8.8
      • ping google.com
      • … Something is still missing… allowing the RELATED and ESTABLISHED states!
  19. Webserver
      • iptables -I INPUT 4 -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP"
      • iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS"
      or
      • iptables -I INPUT 4 -p tcp -m multiport --dports 80,443 -j ACCEPT -m comment --comment "Allow HTTP/HTTPS"
  20. Organizing with User Chains – let's block some addresses!
      • iptables -N blacklist
      • iptables -I blacklist -s 8.8.8.8 -j DROP
      • iptables -I blacklist -s 8.8.4.4 -j DROP
  21. Organizing with User Chains
      • Try pinging 8.8.8.8 or 8.8.4.4
      • Does it still work? Why?
        – The user chain exists, but nothing jumps into it (no entry point)
  22. Organizing with User Chains
      • iptables -I INPUT -j blacklist
      • What would happen if we placed that rule below the second rule (state RELATED,ESTABLISHED)?
        – Replies to connections we initiated would still be accepted: the state rule matches first, so the blacklist is never consulted for them
  23. Logging – let's log packets! -j LOG --log-prefix='[my-iptable-logs]'
      • iptables -I OUTPUT -d 8.8.8.8 -j LOG --log-prefix='[my-iptable-logs]'
  24. Port-Forwarding
      • Service running on 127.0.0.1:1234
      • Can we reach it from the outside?
        – Not without port forwarding :)
      • Which tables and chains are involved? Remember the flow!
        – NAT PREROUTING → FILTER INPUT!
        – * Depending on the destination, FILTER FORWARD instead
  25. Port-Forwarding
      • iptables -t nat -A PREROUTING -p tcp --dport 4321 -j DNAT --to 127.0.0.1:1234
      • iptables -I INPUT -p tcp -d 127.0.0.1 --dport 1234 -j ACCEPT
      • Try surfing to 192.168.123.10:4321
        – Special exception! sysctl -w net.ipv4.conf.eth1.route_localnet=1
        – Security measure: by default the kernel doesn't route packets arriving on an external interface to localhost
  26. MASQUERADING OR SNAT?
      • Don't forget: sysctl -w net.ipv4.ip_forward=1
      • iptables -t nat -A POSTROUTING -o eth0 -s 192.168.123.0/24 -j MASQUERADE
      • iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -o eth0 -j SNAT --to-source 10.0.2.15
      • Masquerading: we don't know the source address ahead of time, or it can change, so we bind to the interface
        – No intervention needed, but slight overhead
      • SNAT: we know the source address and it is static
        – No (added) overhead, but needs intervention should the address change
  27. Load Balancing
      • Services A, B and C listening on ports 8081, 8082 and 8083 respectively. Make them available on port 8080
      • Haven't we seen this before?
        – NAT PREROUTING DNAT + Filter INPUT (or FORWARD)
        – -m statistic
  28. Load Balancing
      • iptables -t nat -A PREROUTING -p tcp --dport 8080 -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 127.0.0.1:8081
      • iptables -t nat -A PREROUTING -p tcp --dport 8080 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 127.0.0.1:8082
      • iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 127.0.0.1:8083
      • iptables -I INPUT -p tcp -d 127.0.0.1 -m multiport --dports 8080:8083 -j ACCEPT