Home > Security > IPTables Part 1

IPTables Part 1

One of the very first questions I read was related to Iptables.  I am familiar with Cisco’s ACL’s and IPSec filters so with that in hand I’m sure to get a grasp on Iptables

The source of the packet determines which chain it traverses initially.  A chain defines the directional flow of the physical traffic.  There are three predefined chains (INPUT, OUTPUT, and FORWARD) in the “filter” table.   Predefined chains have a policy, for example DROP, which is applied to the packet if it reaches the end of the chain. The system administrator can create as many other chains as desired. The command “iptables -L” is executed by user root to display the firewall configuration.  I found the below info on LinuxHomeNetworking in an article called “Quick How To: Linux Firewalls, Using Ipchains”.

 

Queue Type Queue Function Packet Transformation Chain in Queue Chain Function
Filter Packet filtering
FORWARD
Filters packets to servers accessible by another NIC on the firewall.
INPUT
Filters packets destined to the firewall.
OUTPUT
Filters packets originating from the firewall
Nat Network Address Translation
PREROUTING
Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall’s routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.
POSTROUTING
Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.
OUTPUT
Network address translation for packets generated by the firewall. (Rarely used in SOHO environments)
Mangle TCP header modification
PREROUTING
POSTROUTING
OUTPUT
INPUT
FORWARD
Modification of the TCP packet quality of service bits before routing occurs. (Rarely used in SOHO environments)

 

I will need to first define the traffic that I want and then create the rules.  The list below clearly defines the traffic required for communication:

  1. ICMP request\replies
  2. DNS queries for web sites

Now that i understand Ipchains a bit more it’s time to start building some tables, or chains…whatever.  Anyway I’ll begin by allowing the box to ping and recieve echo replies.  This will assist in troubelshooting connectivity at the network layer.

iptables -A OUTPUT -p icmp –icmp-type echo-request -j ACCEPT
iptables -A INPUT  -p icmp –icmp-type echo-reply   -j ACCEPT

The first line states were using the Output filter which filters packets orginating from the firewall.   The -p states that one of the following protocols is being: ICMP, TCP, UDP and ALL.  In this case ICMP is being referenced which is the protocol that is synonymous with ping.  –ICMP-TYPE ECHO-REPLY states the type of ICMP being used and -j jumps to the specified target chain when the patched matches the current rule.

If i decided to remain anonymous and deny all echo request sent to the box the following line would be used:

iptables -A INPUT -p icmp –icmp-type any -j DROP

What about something else like DNS queries for web sites.  A few new switches need to be used such as -O and -i, which states the Ouput\Input port of ETH0 is being used.  –DPORT 53 is for DNS and –SPORT is for a souce port between 1024 to 65535.  Once again the traffic is jumped -j to ACCEPT.

iptables -A OUTPUT -p udp -o eth0 –dport 53 –sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 –sport 53 –dport 1024:65535 -j ACCEPT

I just found another great site called iptablesrocks.org with an how to with configuring a whole table.

I have decided to also review the questions I’ve downloaded from TestKingCert for this exam.  As I cover a topic any relevant questions will be posted.

You need to add a line to your IPTables Firewall Input chain that will stop any attempts to use the default install of Back Orifice against hosts on your 10.10.10.0 network.  Which of the following would be the correct command to use?

Ans: ipchains -A INPUT -p TCP -s 0.0.0.0/0 -d 10.10.,10.0/24 31337 -j DENY

When using IPTable when you need to specify all possible IP Address the syntax can be either 0/0, 0.0.0.0/0 or any.

You are reviewing the current configuration of an  IPTables firewall and notice the following rule: ipchains -A output -p TCP -d ! 10.0.0.1 http://www.  What does this mean?

Ans: This rule for the output chain states that all TCP packets are able to get the the www service on any IP address except for 10.0.0.1

What does the following rule imply: iptables -A output -p TCP -s 10.0.0.0/24 -d 0.0.0.0/0 80 -j ACCEPT

Ans: This rule for the output chain states that any TCP packets from the 10.0.0.0/24 network and destined to any IP address on port 80 is accepted

What does the following rule imply: iptables -A input -p TCP -s 0.0.0.0/24 -d 10.0.0.0/24 500:5000 -j DENY

Ans: This rule for input chain states that any TCP from any IP Address and destined to the 10.0.0.0/24 network on ports 500 through 5000 will be denied

Advertisements
Categories: Security
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: