Slide 1

iptables Workshop

Slide 2

Overview
1. Intro
2. Future
3. Concepts
4. Hands-on Exercises

Slide 3

01 Intro

Slide 4

netfilter
● Linux Kernel 2.4 and later
  – A heavy improvement over ipchains (2.2.x) and ipfwadm (2.0.x)
● Callback function hooks on the network stack
● Stateless/stateful packet filtering (IPv4 and IPv6)
● Network address and port translation, e.g. NAT/NAPT
● OSI Layer 2 (Link)

Slide 5

[Diagram: "Packet flow in Netfilter and General Networking" by Jan Engelhardt (based in part on Joshua Snyder's graph), XDP flow by Matteo Croce; last updated 2019-May-19, Linux 5.1. It shows the INPUT, FORWARD and OUTPUT paths through the raw, mangle, nat and filter tables, the bridge level (brouting, bridging decision), conntrack, the routing decisions, xfrm (e.g. IPsec) lookups, ingress/egress qdisc, and the XDP / AF_PACKET / AF_XDP taps. Notes on the diagram: the "security" table is left out for brevity; the "nat" table is only consulted for "NEW" connections.]

Slide 6

iptables
● Userspace tool
● Generic table structure for rulesets
● Classifiers + action
● Kernel side: netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack), NAT subsystem, ...

Slide 7

02 Future

Slide 8

nftables
● Replaces the existing {ip,ip6,arp,eb}_tables infrastructure
● Different syntax
● Compatibility layer for iptables
● Generic maps and concatenations → drastically reduce the number of rules
● Since Linux Kernel 3.13

Slide 9

03 Concepts

Slide 10

Tables
● Filter (default)
  – Policies on traffic allowed inbound, through and outbound
  – INPUT, FORWARD, OUTPUT chains
● Nat
  – Redirect traffic with connection tracking (source or destination)
  – PREROUTING, POSTROUTING, OUTPUT chains
● Mangle
  – Packet alteration (example: stripping off IP options)
  – PREROUTING, INPUT, FORWARD, POSTROUTING, OUTPUT chains

Slide 11

Hook Points
Allow you to process packets...
● PREROUTING – arriving on an interface, after checksum validation
● INPUT – before delivery to a local process
● FORWARD – passing from one interface to another (important for routers!)
● POSTROUTING – before leaving an interface
● OUTPUT – after being generated by a local process

Slide 12

Filter

Slide 13

NAT

Slide 14

Mangling

Slide 17

Chains
● Each table has chains, empty by default
● A chain is comprised of rules
● Chain default policy: ACCEPT or DROP
● All user-defined chains end with an implicit RETURN

Slide 18

Rules
● ACLs
● Evaluated top to bottom
● One or more matching criteria + target (action)
● The first rule whose matching criteria are satisfied wins (ordering!)
● No match criteria → all packets match
● No target → only the counters are incremented (PacketCounter++ and ByteCounter++)

Slide 19

Matches
● Protocol
● Source address / port
● Destination address / port
● Extensions – port ranges, comments, ...

Slide 20

Targets
● ACCEPT – let the packet through to the next stage of processing; stop traversing the current chain
● DROP – discontinue processing entirely; do not check against any other rule, table or chain (stealth!)
● REJECT – same as DROP, but provide feedback (example: icmp-host-prohibited)
● QUEUE – send the packet to userspace (i.e. code not in the kernel, e.g. during development)
● RETURN – discontinue processing this user-defined chain and return to the calling chain, continuing after the rule that jumped here

Slide 21

Applications
● Packet filtering – examining packets at various stages and deciding how they should be handled
● Accounting – monitoring network traffic volumes via packet counts and byte sizes
● Connection tracking – matching related packets (example: FTP control and data transfer)
● Packet mangling – modifying packet headers (network address, port, ...) or payload

Slide 22

Applications
● NAT (Network Address Translation)
  – Overwrite source/destination address/port
  – SNAT (source), DNAT (destination), connection tracking
● Masquerading
  – Special type of SNAT: the computer rewrites packets to make them appear as if they come from itself
  – Share an internet connection with a dynamic IP
● Port forwarding
  – Type of DNAT: the firewall accepts traffic to itself, but rewrites the packets to be destined to another machine
  – Replies are rewritten as well, so they look like they come from the firewall itself
● Load balancing
  – Distributing connections across a group of internal hosts for higher throughput
  – Example: port forwarding where the destination address is selected in a round-robin fashion

Slide 23

Good to know
● iptables rules are not persistent → remember to save! (/etc/sysconfig/iptables, service iptables save)
● /etc/sysctl.conf → net.ipv4.ip_forward = 1

Slide 24

04 Workshop

Slide 25

Start your engines
● git clone https://github.com/carroarmato0/iptables-workshop
● cd iptables-workshop
● vagrant up --provision
● vagrant ssh
● sudo su -

Slide 26

Let's take a look

Slide 27

iptables Commands
● -A – append to a chain
● -C – check whether a rule exists
● -I [#] – insert at rule number (default is 1)
● -D [#] – delete at rule number

Slide 28

iptables Options
● -t – select the table to be manipulated
● -p – protocol by number or name (e.g. tcp, udp, icmp, ...)
● -s – source address
● -d – destination address
● -i – network interface
● -j – jump to a target: ACCEPT, DROP, REJECT, ...
● -m – load an extension for further matching, example: -m comment --comment "I am a comment"

Slide 29

Let's take a look
● Try pinging 192.168.123.10
● Try pinging from the VM to google.com
● Try pinging from the VM to 8.8.8.8
● Which table and chain are causing this?
  – Filter and OUTPUT

Slide 30

Clearing the OUTPUT chain

Slide 31

Try again!
● ping 8.8.8.8
● ping google.com
... Something is still missing... allowing the RELATED and ESTABLISHED states!

Slide 32

Try again!
● iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Slide 33

Webserver
● TCP, ports 80/443
● Which table? – Filter
● Which chain? – INPUT

Slide 34

Webserver
● iptables -I INPUT 4 -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP"
● iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS"
or
● iptables -I INPUT 4 -p tcp -m multiport --dports 80,443 -j ACCEPT -m comment --comment "Allow HTTP/HTTPS"

Slide 35

Webserver

Slide 36

Webserver

Slide 37

Organizing with User Chains
Let's block some addresses!
● iptables -N blacklist
● iptables -I blacklist -s 8.8.8.8 -j DROP
● iptables -I blacklist -s 8.8.4.4 -j DROP

Slide 38

Organizing with User Chains

Slide 39

Organizing with User Chains
● Try pinging 8.8.8.8 or 8.8.4.4
● Does it still work? Why?
  – The user chain exists, but nothing jumps to it yet (no entry point)

Slide 40

Organizing with User Chains
● iptables -I INPUT -j blacklist
● What would happen if we placed that rule below the second rule (the one matching state RELATED,ESTABLISHED)?
  – Packets from the blacklisted addresses would still be accepted, but only as replies to connections initiated by us
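The ordering question above, together with the first-match-wins and RETURN behaviour from the Chains, Rules and Targets slides, can be checked with a small model of chain traversal. This is an added example, not part of the workshop; it assumes an INPUT default policy of DROP and carries a simplified conntrack state on the packet.

```python
from dataclasses import dataclass, field
@dataclass
class Packet:
    src: str
    state: str = "NEW"          # conntrack state: NEW, ESTABLISHED or RELATED

@dataclass
class Rule:
    target: str                 # -j: ACCEPT, DROP, RETURN or a user-chain name
    src: "str | None" = None    # -s address, None = any
    states: tuple = ()          # -m state --state A,B; empty = any

    def matches(self, pkt: Packet) -> bool:
        # a rule with no criteria matches every packet (slide 18)
        return ((self.src is None or self.src == pkt.src)
                and (not self.states or pkt.state in self.states))

@dataclass
class Table:
    chains: dict = field(default_factory=dict)   # chain name -> list of Rule
    policy: dict = field(default_factory=dict)   # built-in chain -> ACCEPT/DROP

    def walk(self, chain: str, pkt: Packet) -> str:
        # top to bottom, first match wins (slide 18)
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target                 # terminating target: stop here
            if rule.target == "RETURN":
                break
            verdict = self.walk(rule.target, pkt)  # jump into a user chain
            if verdict != "RETURN":
                return verdict                     # the user chain decided
        # end of chain: built-ins apply their policy, user chains RETURN (slide 17)
        return self.policy.get(chain, "RETURN")

def build_input(blacklist_first: bool) -> Table:
    # INPUT as in slides 32, 37 and 40; a default policy of DROP is assumed here
    t = Table(policy={"INPUT": "DROP"})
    t.chains["blacklist"] = [Rule("DROP", src="8.8.8.8"), Rule("DROP", src="8.8.4.4")]
    established = Rule("ACCEPT", states=("ESTABLISHED", "RELATED"))
    jump = Rule("blacklist")                       # iptables -I INPUT -j blacklist
    t.chains["INPUT"] = [jump, established] if blacklist_first else [established, jump]
    return t

reply = Packet(src="8.8.8.8", state="ESTABLISHED")  # echo reply to a ping we sent
print(build_input(True).walk("INPUT", reply))      # DROP: blacklist consulted first
print(build_input(False).walk("INPUT", reply))     # ACCEPT: the reply never reaches blacklist
```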

Slide 41

Logging
● Let's log packets! -j LOG --log-prefix='[my-iptable-logs]'
● iptables -I OUTPUT -d 8.8.8.8 -j LOG --log-prefix='[my-iptable-logs]'

Slide 42

Port-Forwarding
● Service running on 127.0.0.1, port 1234
● Can we reach it from the outside?
  – Not without port forwarding :)
● Which tables and chains are involved?
  – NAT PREROUTING
  – FILTER INPUT! → Remember the flow!
  – * Or FILTER FORWARD, depending on the destination

Slide 43

Port-Forwarding
● iptables -t nat -A PREROUTING -p tcp --dport 4321 -j DNAT --to 127.0.0.1:1234
● iptables -I INPUT -p tcp -d 127.0.0.1 --dport 1234 -j ACCEPT
● Try surfing to 192.168.123.10:4321
  – Special exception needed!
  – sysctl -w net.ipv4.conf.eth1.route_localnet=1
  – Security measure: by default the kernel doesn't route traffic arriving from an external interface to localhost

Slide 44

MASQUERADING OR SNAT?
● Don't forget: sysctl -w net.ipv4.ip_forward=1
● iptables -t nat -A POSTROUTING -o eth0 -s 192.168.123.0/24 -j MASQUERADE
● iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -o eth0 -j SNAT --to-source 10.0.2.15
● Masquerading: we don't know the source address ahead of time, or it can change, so we bind to the interface
  – No intervention needed, but slight overhead
● SNAT: we know the source address and it is static
  – No (added) overhead, but needs intervention should the address change

Slide 45

Load Balancing
● Services A, B and C listening on ports 8081, 8082 and 8083 respectively. Make them available on port 8080
● Haven't we seen this before?
  – NAT PREROUTING DNAT + Filter INPUT (or FORWARD)
  – -m statistic

Slide 46

Load Balancing
● iptables -t nat -A PREROUTING -p tcp --dport 8080 -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 127.0.0.1:8081
● iptables -t nat -A PREROUTING -p tcp --dport 8080 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 127.0.0.1:8082
● iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 127.0.0.1:8083
● iptables -I INPUT -p tcp -d 127.0.0.1 -m multiport --dports 8080:8083 -j ACCEPT
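Why the second rule says --every 2 rather than --every 3 is easiest to see by counting: each nth rule only counts the packets the rules above it did not take. This is an added example, not from the workshop; it uses a simplified model of the xt_statistic nth counter (a rule matches when its own counter modulo --every equals --packet) and the same backend addresses as the slide.

```python
from collections import Counter

class NthRule:
    """One '-m statistic --mode nth --every N --packet P' DNAT rule."""
    def __init__(self, every: int, packet: int, backend: str):
        self.every, self.packet, self.backend = every, packet, backend
        self.count = 0      # per-rule counter: only packets that REACH this rule bump it

    def take(self) -> bool:
        hit = self.count % self.every == self.packet   # simplified nth-mode semantics
        self.count += 1
        return hit

def distribute(nth_rules, fallback: str, new_connections: int) -> dict:
    # walk the nat PREROUTING chain once per NEW connection (nat is only consulted
    # for NEW connections): the first matching rule DNATs, the last rule takes the rest
    dist = Counter()
    for _ in range(new_connections):
        for rule in nth_rules:
            if rule.take():
                dist[rule.backend] += 1
                break
        else:
            dist[fallback] += 1
    return dict(dist)

def slide_rules():
    # the three rules from the slide: every 3rd packet, then every 2nd of the remainder
    return [NthRule(3, 0, "127.0.0.1:8081"), NthRule(2, 0, "127.0.0.1:8082")], "127.0.0.1:8083"

def naive_rules():
    # tempting but wrong: --every 3 on both rules skews the split to 3:2:4
    return [NthRule(3, 0, "127.0.0.1:8081"), NthRule(3, 0, "127.0.0.1:8082")], "127.0.0.1:8083"

rules, last = slide_rules()
print(distribute(rules, last, 90))   # 30 / 30 / 30
rules, last = naive_rules()
print(distribute(rules, last, 90))   # 30 / 20 / 40
```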

Slide 47

Load Balancing

Slide 48

Kubernetes != Black Magic

Slide 49

INUITS bvba
Essensteenweg 31
2930 Brasschaat
Belgium
BE 0891.514.231
Contact: +32.380.821.05
[email protected]
inuits.eu
Christophe Vanlancker
[email protected]