SUSE Conversations


Basic iptables Tutorial



By: DamianMyerscough

December 27, 2007 9:43 am


Environment:

This article was tested on SUSE Linux Enterprise Server and SUSE Linux Enterprise Desktop.

Introduction to iptables

iptables provides the packet filtering framework for Linux that lets administrators and users filter the network traffic flowing in and out of a server or workstation. It offers a rich set of features such as stateless and stateful packet filtering, NAT (Network Address Translation) and PAT (Port Address Translation), packet manipulation and much more. iptables also comes with an extensive selection of match modules; some of them are listed in Table 1.

Module   Description
Nth      Matches every Nth packet that reaches the rule, which lets you spread connections over several back ends and turn your machine into a simple load balancer. (Nth came from the patch-o-matic extensions; stock iptables provides the same thing with "-m statistic --mode nth".)
Time     Matches a packet based on the time of day or day of the week at which it arrives or leaves.
String   Matches a string anywhere in the packet payload.
Quota    Matches until a configured byte quota has been used up and then stops matching.

Table 1: iptables extension modules.

In SUSE Linux Enterprise a service called "SuSEfirewall2_setup" applies the firewall settings configured with the YaST firewall utility. The service can be started, stopped and restarted with the "service" command, as shown in Figure 1.

linux-w2mu:~ # service SuSEfirewall2_setup stop
Shutting down the Firewall SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
done
linux-w2mu:~ #

Figure 1: Stopping SUSE’s firewall.

When you stop "SuSEfirewall2_setup" the rules are flushed and the built-in chains are left with a policy of ACCEPT, so all inbound and outbound traffic is allowed. In this article we work with "SuSEfirewall2_setup" turned off; do this only on a machine that is not exposed to an untrusted network while you experiment.

iptables tables

iptables has four tables: filter, mangle, nat and raw. Table 2 explains what each one does. In this article we concentrate on the filter table, using it for MAC filtering and for restricting users' network activity.

Table   Description
filter  The default table (used when no -t option is given). It contains the built-in chains INPUT (packets destined to local sockets), FORWARD (packets being routed through the box) and OUTPUT (locally generated packets).
mangle  Used for specialised packet alteration. Until kernel 2.4.17 it had two built-in chains, PREROUTING (altering incoming packets before routing) and OUTPUT (altering locally generated packets before routing). Since kernel 2.4.18 three more built-in chains are supported: INPUT (packets coming into the box itself), FORWARD (packets being routed through the box) and POSTROUTING (packets about to go out).
nat     Consulted when a packet that creates a new connection is encountered. It has three built-in chains: PREROUTING (altering packets as soon as they come in), OUTPUT (altering locally generated packets before routing) and POSTROUTING (altering packets as they are about to go out).
raw     Used mainly to configure exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with a higher priority and is thus called before ip_conntrack or any other table. It has two built-in chains: PREROUTING (packets arriving via any network interface) and OUTPUT (packets generated by local processes).

Table 2: iptables man page (iptables, 2007).

iptables targets

A rule normally ends with a jump target, given with "-j", which decides what happens to a packet the rule matches. (A rule without a target is legal: it only counts the packets it matches and processing continues with the next rule.) Table 2.1 explains the targets used in this article.

Target   Description
ACCEPT   Lets the packet through; no further rules in the chain are consulted.
REJECT   Discards the packet and sends an error back to the sender, by default an ICMP port-unreachable ("--reject-with tcp-reset" sends a TCP RST instead), so the sender sees the port as closed.
DROP     Discards the packet silently and sends nothing back; the sender's connection attempt times out.
LOG      Writes the packet headers to the kernel log, tagged with the text given by "--log-prefix"; on SUSE, syslog files these messages under /var/log/firewall. LOG is a non-terminating target: after logging, the packet continues to the next rule in the chain.

Table 2.1: Jump targets.

iptables interface

iptables in SUSE can be configured in two ways. The first is the YaST firewall module, available both as a GUI (Graphical User Interface) and as a curses based interface, as shown in Figure 1.1. The second is the "iptables" command itself, which allows much more complex rules and lets you fine tune the firewall; its only disadvantage is that you have to write each rule by hand and make sure the ordering is correct.

The GUI and curses based interfaces let administrators manage the firewall without knowing any iptables commands; however, the YaST utility does not expose all the features iptables offers.

Rule status and ordering

Rule order matters: the first rule that matches a packet decides what happens to it, and unless the target is non-terminating (such as LOG) no further rules are consulted. For example, to deny a user access to the SSH daemon and also log the attempts, the LOG rule has to come before the DROP rule; otherwise the packet is dropped before it is ever logged. Figure 2 shows the incorrect order and Figure 2.1 the correct order.

linux-w2mu:~ # iptables -A INPUT -s 192.168.2.1 -p tcp --dport 22 -j DROP
linux-w2mu:~ # iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "Someone knocked on port 22"

Figure 2: Incorrect order.

linux-w2mu:~ # iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "Someone knocked on port 22"
linux-w2mu:~ # iptables -A INPUT -s 192.168.2.1 -p tcp --dport 22 -j DROP

Figure 2.1: Correct order.

If you apply the rules from Figure 2 and list the chain with the verbose qualifier "-v" turned on, you should see something similar to Figure 2.2.

linux-w2mu:/home/damian # iptables -L INPUT -v
Chain INPUT (policy ACCEPT 2665 packets, 1254K bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  1808 DROP       tcp  --  any    any     192.168.2.1          anywhere            tcp dpt:ssh
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh LOG level warning prefix `Someone knocked on port 22'

Figure 2.2: iptables status.

As you can see from Figure 2.2, the packet and byte counters of the LOG rule are zero while the DROP rule has already matched 23 packets (1808 bytes). Every SSH packet from 192.168.2.1 was consumed by the DROP rule before it could reach the LOG rule: once a terminating rule matches, nothing after it in the chain is processed. With the order from Figure 2.1 both counters increase, because LOG hands the packet on to the next rule.

When writing iptables rules the easiest way to debug them is to list the chain with the verbose qualifier "-v", as in Figure 2.2 (adding "-n" avoids slow DNS lookups and shows raw addresses and port numbers). The counters show how many packets and bytes each rule has matched; a rule whose counters never move is either wrong or shadowed by an earlier rule.
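As an added example that is not part of the original article, the following POSIX shell script applies the counter check above to a saved listing. The listing is constructed to mirror Figure 2.2 in the form "iptables -L INPUT -v -n" prints it; the counters and the prefix quoting are made up for the example. zero_hit_rules lists the rules whose packet counter is still zero, and log_before_drop reports whether a LOG rule sits below a DROP or REJECT rule for the same destination port, which is exactly the mistake in Figure 2.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Constructed sample of "iptables -L INPUT -v -n" output with the Figure 2
# ordering (DROP above LOG). Counters are invented for the example.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 2665 packets, 1254K bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  1808 DROP       tcp  --  *      *       192.168.2.1          0.0.0.0/0            tcp dpt:22
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 0 level 4 prefix "Someone knocked on port 22"'

# Print "<rule number> <target> <match text>" for every rule whose packet
# counter is zero. Rule numbers start at 1, the same numbering that
# "iptables -L --line-numbers" uses, so the output tells you which rule
# to look at with "iptables -D" or "iptables -R".
zero_hit_rules() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }              # skip the chain header and the column header
        {
            n++
            if ($1 == 0) { $1 = ""; $2 = ""; sub(/^ +/, ""); print n, $0 }
        }'
}

# Exit 0 when every LOG rule is placed above the first terminating rule
# (DROP or REJECT) for the same destination port, 1 otherwise. A LOG rule
# below such a rule is shadowed and will never log the dropped packets.
log_before_drop() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }
        {
            port = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) port = substr($i, 5)
            if ($3 == "DROP" || $3 == "REJECT") seen_drop[port] = 1
            if ($3 == "LOG" && (port in seen_drop)) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

echo "rules with zero hits:"
zero_hit_rules "$SAMPLE_LISTING"
log_before_drop "$SAMPLE_LISTING" || echo "warning: a LOG rule is shadowed by an earlier DROP/REJECT on the same port"
```

To check a live chain, replace the constructed listing with `iptables -L INPUT -v -n` output captured into a variable; the "-n" is what keeps the source and destination columns in the fixed form the awk scripts expect.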

Default policy

The default policy can be viewed by issuing the “iptables -L” command as shown in Figure 3.

linux-w2mu:~ # iptables -L 
Chain INPUT (policy ACCEPT) 
target     prot opt source               destination         
...
...

Chain FORWARD (policy ACCEPT) 
target     prot opt source               destination         
...
...

Chain OUTPUT (policy ACCEPT) 
target     prot opt source               destination         
...
...

Figure 3: Default IPTable rules.

As you can see from Figure 3, the INPUT, FORWARD and OUTPUT chains all have a default policy of ACCEPT. A default policy of ACCEPT is considered insecure because every packet that no rule explicitly drops is let in or out of your machine. The recommended default policy for the INPUT chain is DROP: with default deny, a service you forgot to close or firewall is simply unreachable unless you add a rule that allows it.

The default policy can be altered by using the “iptables” command with the “-P” qualifier followed by the chain you would like to change and then the action you would like to perform, as shown in Figure 3.1.

linux-w2mu:~ # iptables -P INPUT DROP

Figure 3.1: Setting the default policy of the INPUT chain to drop.

The command shown in Figure 3.1 will change the default policy for the “INPUT” chain to “DROP”, so what this means is if no rule has been matched the packet will be dropped. Once you have changed the default policy you can issue the “iptables -L INPUT” command to check the new policy has been set as shown in Figure 3.2.

linux-w2mu:~ # iptables -L INPUT 
Chain INPUT (policy DROP) 
target     prot opt source               destination         
..
..

Figure 3.2: Checking the default policy has successfully changed.

Once you have changed the policy of the INPUT chain you will notice that every packet addressed to your machine is now dropped, and some local programs break too, because traffic to 127.0.0.1 on the loopback interface also passes through the INPUT chain. If you are logged in over SSH, the policy change also cuts off your own session, so change the policy from the console or have a way to revert it. Until you are comfortable with iptables, change the policy back to ACCEPT: a usable default policy of DROP needs stateful filtering, that is, rules that accept loopback traffic and packets belonging to connections the host already has open (the ESTABLISHED and RELATED states of connection tracking) before the policy is switched.
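The stateful baseline that makes a default policy of DROP survivable, as an added example that is not from the original article. ADMIN_NET, the IPT variable and the "--apply" switch are conventions of this script, not of iptables; without "--apply" (or with IPT set to echo) the script only prints the commands it would run, so it can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not code from the original article.
# IPT and ADMIN_NET are assumptions of this script. Set IPT=echo to see the
# plan; run with --apply as root from the console to change the live rules.
IPT=${IPT:-iptables}
ADMIN_NET=${ADMIN_NET:-192.168.0.0/24}

apply_baseline() {
    # Start from an open policy so flushing the chain cannot lock us out
    # while the rules below are being rebuilt.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    # Loopback: a default DROP on INPUT also drops 127.0.0.1 traffic, which
    # is why local programs break when the policy is changed without this.
    $IPT -A INPUT -i lo -j ACCEPT
    # Stateful core: replies to connections this host opened, and related
    # traffic such as ICMP errors, are accepted by conntrack state.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot associate with any connection are noise.
    $IPT -A INPUT -m state --state INVALID -j DROP
    # New SSH connections only from the admin network.
    $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m state --state NEW -j ACCEPT
    # Log before dropping. LOG does not terminate rule processing, so the
    # packet falls through to the policy; the limit match keeps the log sane.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
    # Only now, with the allow rules in place, switch to default deny.
    $IPT -P INPUT DROP
}

if [ "${1:-}" = "--apply" ]; then
    apply_baseline
else
    IPT=echo
    apply_baseline
fi
```

The order inside apply_baseline is the whole point: the policy is relaxed before the flush and tightened only as the last step, and the ESTABLISHED,RELATED rule comes before anything that could drop an in-flight SSH session. On current kernels "-m conntrack --ctstate" is the preferred spelling of "-m state --state"; both work. As an extra safety net when applying remotely, schedule "iptables -P INPUT ACCEPT" from a second session a few minutes ahead and cancel it once you have confirmed you are still connected.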

Your first rule

The first rule we are going to write simply blocks access to the SSH daemon. First we block it for all machines, then for an individual IP address. Figure 4 shows the command used to block all SSH access. Note that the rule is stateless: it also drops the packets of any SSH session that is already open, including your own if you are logged in remotely, so run it from the console.

linux-w2mu:~ # iptables -A INPUT -p tcp --dport 22 -j DROP

Figure 4: Block all access to the SSH daemon.

The rule shown in Figure 4 is very simple to understand, Table 3 explains what each qualifier does.

Qualifier    Description
-A INPUT     Append a new rule to the INPUT chain.
-p tcp       Match only the TCP protocol.
--dport 22   Match packets whose destination port is 22 (SSH); port matches need "-p" to be given first.
-j DROP      The target: what to do with a packet that matches the rule.

Table 3: Figure 4 command explained.

The next rule blocks a specific IP address. We block 192.168.0.1 and leave SSH open for every other address, as shown in Figure 4.1. The "-s" qualifier also accepts a network in CIDR notation, for example "-s 192.168.0.0/24".

linux-w2mu:~ # iptables -A INPUT -s 192.168.0.1 -p tcp --dport 22 -j DROP

Figure 4.1: Block access from 192.168.0.1 to the SSH daemon.

The rule shown in Figure 4.1 looks very similar to Figure 4 with the addition of one extra qualifier “-s”. Table 3.1 explains what each qualifier does.

Qualifier       Description
-A INPUT        Append a new rule to the INPUT chain.
-s 192.168.0.1  Match packets whose source IP address is 192.168.0.1.
-p tcp          Match only the TCP protocol.
--dport 22      Match packets whose destination port is 22 (SSH).
-j DROP         The target: what to do with a packet that matches the rule.
-j DROP This qualifier tells iptables what to do if we find a match for this rule.

Table 3.1: Figure 4.1 command explained.

MAC filtering

Now that you have written some simple rules we can move on to a more complex example: filtering on a MAC (Media Access Control) address. The rule we will write allows one MAC address to reach the SSH daemon and drops SSH traffic from every other MAC address.

linux-w2mu:~ # iptables -A INPUT -p tcp --dport 22 -m mac ! --mac-source 00:00:5A:9C:D1:73 -j DROP

Figure 5: Allow SSH access only from a specific MAC address.

The rule in Figure 5 introduces two new qualifiers, "-m" and the negation operator, the exclamation mark (!). Without the "-p tcp --dport 22" part the rule would drop all traffic from every other MAC address, not only SSH. Two caveats apply to MAC filtering. The mac match only makes sense for packets entering from an Ethernet interface in the PREROUTING, FORWARD or INPUT chains, and it sees the address of the last hop: a packet from another subnet carries your router's MAC address, not the sender's. A MAC address is also trivially changed by the sender, so this is a convenience control, not authentication. The rule is explained in Table 4.

Qualifier                         Description
-A INPUT                          Append a new rule to the INPUT chain.
-p tcp                            Match only the TCP protocol.
--dport 22                        Match packets whose destination port is 22 (SSH).
-m mac                            Load the mac match module.
! --mac-source 00:00:5A:9C:D1:73  Invert the match: the source MAC address is NOT 00:00:5A:9C:D1:73.
-j DROP                           The target: what to do with a packet that matches the rule.

Table 4: Figure 5 command explained.

UID and GID filtering

The next type of filtering is based on user IDs and group IDs, using the owner match. The owner match is only valid in the OUTPUT (and POSTROUTING) chains, because it looks at the local socket a packet was sent from; it can therefore restrict what local users send, not what reaches them. The rule we will write denies one user access to port 80 (HTTP); a second copy of the rule with "--dport 443" covers HTTPS, and "--gid-owner" restricts a group in the same way.

linux-w2mu:~ # iptables -A OUTPUT -m owner --uid-owner 1000 -p tcp --dport 80 -j DROP

Figure 6: Block the user ID of 1000 from accessing port 80.

The rule in Figure 6 blocks the user with UID 1000 from opening connections to port 80, the web port. The listing resolves the UID to a user name (here damian). Once the rule is applied, run "iptables -L OUTPUT -v" and watch the packet and byte counters increase when the user tries to open a website, as shown in Figure 6.1.

linux-w2mu:~ # iptables -L OUTPUT -v 
Chain OUTPUT (policy ACCEPT 592 packets, 54866 bytes) 
 pkts bytes target     prot opt in     out     source               destination         
   12   720 DROP       tcp  --  any    any     anywhere             anywhere            OWNER UID match damian tcp dpt:http

Figure 6.1: Checking the packet and byte count.

This shows that the user's browser tried to connect to a web server but never established a connection: each of its 12 packets (the initial SYN and its retransmissions) was dropped. Keep in mind that the match is on the UID of the process that created the socket, so the user can still reach the web through a proxy or a program running under another UID, and traffic to port 443 is unaffected by this rule.

Modules

When you use a match module and forget or do not know which qualifiers it takes, add "--help" to an iptables command that loads the module. The output ends with a list of the module's options, as shown in Figure 7. The same works for targets, for example "iptables -j LOG --help".

linux-w2mu:~ # iptables -A INPUT -m mac --help 
iptables v1.3.8 
...
...
MAC v1.3.8 options: 
 --mac-source [!] XX:XX:XX:XX:XX:XX 
                                Match source MAC address

Figure 7: Retrieving a list of possible qualifiers for modules.

As you can see in Figure 7, the MAC module has a single option, "--mac-source", which may be negated with "!".

Conclusion

This article has just touched the very basics of iptables, there is a lot more that I have not mentioned and can be viewed via the man pages [1]. I would also recommend visiting the netfilter website [2] as you will be able to learn a lot more about iptables and get a list of the latest modules.

Reference

  1. /usr/share/man/man8/iptables.8.gz
  2. http://www.netfilter.org/
Categories: SUSE Linux Enterprise Desktop, SUSE Linux Enterprise Server, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
