Linux Services Organization

Our goal, introduce Linux services to the enterprise world.
Contact us in contact@linuxsv.org

Linux Services Organization : Linux FIREWALL Linux Server

The Linux kernel uses the Netfilter kernel module to filter packets, allowing some of them to be received by or pass through the system while stopping or modifying others implementing a network firewall. Netfilter is built in to the Linux kernel and can be managed at system level using iptables tool installed by iptables RPM.

Netfilter

Netfilter uses three built-in tables or rules lists in order to filter or modify network packets:

filter
The default table for handling network packets.

nat
Used to modify network packets implementing the Network Address Translation NAT. It is also known as masquerading.

mangle
Used on very specific types of network packet modification.

Each netfilter table (filter,nat,mangle) has a group of 'chains' that defines the actions performed on the network packet by netfilter :

Filter

INPUT
Matches network packets that are targeted for the host.

OUTPUT
Matches network packets generated locally on the host.

FORWARD
Matches network packets routed through the host.

Nat

PREROUTING
Modifies network packets when they arrive to the hosts.

OUTPUT
Modifies network packets generated locally before they are sent from the host.

POSTROUTING
Modifies network packets before they are sent from the host.

Mangle

INPUT
Modifies network packets targeted for the host.

OUTPUT
Modifies network packets generated locally before they are sent from the host.

FORWARD
Modifies network packets routed through the host.

PREROUTING
Modifies incoming network packets before they are routed through the host.

POSTROUTING
Modifies network packets before they are sent from the host.

When a network packet match a particular rule in one of the tables, an action is applied to it. If the rule specifies an ACCEPT action the packet skips the rest of the rules and is allowed to continue to its destination. If a rule specifies a DROP action the access to the host is denied and nothing is sent back to the host that sent the packet. If a rule specifies a QUEUE action the packet is passed to user-space. If a rule specifies REJECT action the packet is dropped and a error is sent to the packet's originator. Every chain has a default policy to ACCEPT, DROP, REJECT, or QUEUE. If none of the rules in the chain apply to the packet, then the default policy is applied to the network packet.

Iptables

The iptables command that can be used in order to define the matching rule and the actions to be taken on the network packets. The following is the basic options used on iptables command:

# iptables -t table [action direction] [packet match] -j [what to do]

--> The -t table option is used in order to select the netfilter table where the rule will be applied. As said before it can take the values filter, nat or mangle. By default filter table is used if this option is not specified.

--> The [action direction] has four basic actions associated:

-A or --append
Appends the rule to the end of a chain.

-D or --delete
Deletes a rule from a chain.

-L or --list
Lists configured rules in the chain.

-F or --flush
Flushes all of the rules in the current iptables chain.

Appending to -A or deleting from -D a chain can be applied network packets travelling in one of three directions:

INPUT
Incoming packets are checked against the rules in this chain.

OUTPUT
Outgoing packets are checked against the rules in this chain.

FORWARD
Packets being sent to another computer are checked against the rules in this chain.

--> The [packet match] is used to identify the network packet to be filtered/modified. All netfilter checks every packet against this pattern :

-s ipaddress
Network packets are checked for a specific source IP address. For example '-s 192.168.1.0/24' matches all ips on 192.168.1.0/24 LAN.

-d ipaddress
Network packets are checked for a specific destination IP address. For example '-d 192.168.1.1' only matches that ip.

-p protocol
Matches the network protocol used on the communication. It can be TCP, UDP or ICMP.

--dport port
Matches the destination port used on the network communication. For example '--dport 22' matches all network packets sent by a ssh-client when trying to open a ssh connection to a ssh-server.

-i interface
Name of a network interface through the network packet has been received. For example '-i eth0' .

-o interface
Name of a network interface through the network packet is going to be sent. For example '-o eth1' .

--> The -j [what to do] defines the action to be taken when iptables finds a packet pattern match :

DROP
The network packet is dropped and no message is sent to the requesting computer.

REJECT
The network packet is dropped and an error message is sent to the requesting computer.

ACCEPT
The network packet is allowed to proceed as specified with the -A action: INPUT, OUTPUT, or FORWARD.

In resume the best way to summarize how iptables works is with the following :

# iptables -t [filter|nat|mangle] [-A|-D|-L|-F] [INPUT|OUTPUT|FORWARD] -p [tcp|udp] -m [tcp|udp] -s [sourceip] -d [destip] --dport [port] -j [DROP|REJECT|ACCEPT]

For more information 'man iptables'. Important note: iptables do not make DNS resolutions so it does NOT support the use of hostnames. It only understand numerical IP addresses.

Iptables Examples

# iptables -A INPUT -s 10.0.0.0/24 -p icmp -j DROP

This rules stops users from computers on LAN 10.0.0.0/24 pinging your server.

# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

This rule opens your web server (port TCP/IP 80) to everybody.

# iptables -A INPUT -s !192.168.1.0/24 -j REJECT

It rejects all traffic from any computer that it is NOT on 192.168.1.0/24 LAN sending a "destination unreachable" error message.

# iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

Rejects any network packet from any source with the icmp-host-prohibited message. This rule is used as the default DENY ALL rule at the end of any iptables chain to be sure that the only network packets that are allowed are those that are allowed by any iptables rules matched BEFORE this DENY ALL rule.

Network Address Translation

NAT Masquerade

Network Address Translation (NAT) allows share the same public IP Internet address to any client on a LAN. It replaces on network packets the source address with the IP address of the firewall, which serves as a gateway between the LAN and the Internet. The source address is cached on the gateway and knows which computer made the request. With this technique with only one public IP address you can access to the Internet from any computer on the LAN hiding (masquerading) the real client IP with the firewall IP address.

# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE

With this rule any network packet from the LAN 192.168.1.0/24 and destination on Internet will enter to the gateway firewall through its eth0 LAN interface 192.168.1.1 and will leave the firewall through the public network interface eth1 and reach the Internet destination using as source IP address the firewall public IP eth1. When the Internet service answers the source network packet it will send the answer to the firewall public IP address and the firewall will forward that packet to the LAN client that has initiated the network communication.

NAT Prerouting

In order to make available on the Internet a network service that is on a internal LAN the -j DNAT target of the PREROUTING chain in NAT can be used. It specifies a destination IP address and port where incoming packets requesting a connection to your internal service can be forwarded. For example, in order to forward incoming HTTP requests from the Internet to a dedicated Apache HTTP Server at 10.0.0.1 :

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.1:80

All networks packets coming from the Internet with destination public IP interface eth1 of the gateway firewall port 80 (web requests) will be forwarded to the apache web server running on 10.0.0.1 port 80 through gateway firewall LAN interface eth0 . Of course answers from this web service will be forwarded to the remote client using the public network interface eth1 on the gateway firewall.

Saving and Restoring IPTables Rules

As other Linux services, iptables can be managed with the standard RHEL tools. For example in order to activate/deactivate iptables service:

# chkconfig iptables on/off

In order to print on the STDIN the iptables running on real time :

# iptables -L

Rules applied on iptables with the iptables command are not persistent, if the iptables service is restarted the rules are flushed. In order to save the running rules and make them loaded when the iptables service is started the following command can be used :

# service iptables save

With this command iptables rules are saved in the file /etc/sysconfig/iptables and are automatically applied when the iptables service is started :

cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


As can be seen this file applies iptables rules on table filter to the INPUT network packets. It only accepts network packets related on ssh (port TCP/IP 22) and http (port TCP/IP 80) network traffic. The rest of the INPUT and FORWARD network packets are rejected. Every time iptables service is started these rules are automatically applied.

Questions

1.- Linux Kernel uses iptables kernel module in order to filter network packets (true/false).

2.- By default iptables tool is installed on RHEL6 system by iptables RPM (true/false).

3.- Which command can be used in order to list the iptables rules running on a Linux system ?

4.- Which iptables command can be used in order to do not allow pinging to any server network interface ?

A - # iptables -A INPUT -s 10.0.0.0/24 -p icmp -j DROP
B - # iptables -A INPUT -p icmp -j DROP
C - Both of them
D - None of them

5.- Which RHEL6 standard can be used in order to save the active iptables rules on file /etc/sysconfig/iptables ?

A - service iptables save
B - /etc/init.d/iptables save
C - Both of them
D - None of them

Labs

1.- Configure iptables rules in order to deny ALL network traffic coming from any source IP. Makes sure that ping is also denied. This configuration must be persistent to a system reboot.

2.- On the firewall configurated on previous lab open communication to a ssh service only from clients on 10.0.0.0/24 LAN and log this traffic on /var/log/messages file. This configuration must be persistent to a system reboot.

-- This page is part of Linux Server online tutorial --