Wednesday, April 3, 2013

Setup secure firewall in Linux : iptables and netfilter

In Linux, components of netfilter and iptables are responsible for the filtering and manipulation of network packets.
The filtering criteria and actions are stored in chains, which must be matched one after another for each  network packets. The chains to match are stored in tables. The iptables command allows to alter these tables and rule sets. 
Check out the switches of iptables command 
#iptables -h 

Most frequently used switches are -t , -j, -A, -F, -p, -s, -d, -i and -o
-t table        table to manipulate (default: `filter')
-j target       target for rule (may load target extension)
-A chain            Append to chain
-F [chain]          Delete all rules in  chain or all chains
-p proto        protocol: by number or name, eg. `tcp'
-i  in-interface 
-o  out-interface

There are three different tables for Linux based firewall, each for a particular function:
  1. FILTER (Packet filtering; This table holds the filter rules that determine whether to ACCEPT or DROP packet)
  2. NAT (Masquerading; This table defines any changes to the source and target address of packets)
  3. MANGLE (The rules in this table allows IP header manipulation)
These tables contain several predefined chains to match packets:
  1. PREROUTING
  2. INPUT
  3. FORWARD
  4. OUTPUT
  5. POSTROUTING
Fig. iptables : Possible paths for a packet (Src: SLES Security book)


Let's start with some examples. Warning!!! Be very careful while executing iptables rules as you may lock yourself out of the server or disrupt network based services running on the server.

Basic Iptables operations: 
Note: Please follow the instructions step-by-step. Skipping steps is not advised.
  • Allow all kind of traffic(tcp/udp) from 192.168.1.0/24 subnet
  • Drop everything else
Rule1# iptables -A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p all -j ACCEPT
(We are appending a rule to INPUT chain of FILTER table(default table). This rule checks if source address of the packet is in 192.168.1.0/24 subnet. If so, it will allow the traffic. Else, it will pass on to the next rule)

Rule2# iptables -A INPUT -s 0/0 -j DROP
(We are appending a rule to INPUT chain of FILTER table(default table). This rule drops everything else. Note: 0/0 means ANY )

Check the rules
         # iptables -vL --line-numbers
  • Now we want to INSERT a new rule after Rule#1. We want to allow UDP traffic from 10.0.0.0/8 subnet
NewRule# iptables -I INPUT 2 -s 10.0.0.0/255.0.0.0 -i  eth0 -p udp -j ACCEPT
(We are inserting a new rule as rule#2. This rules allows UDP traffic from 10.0.0.0/8 subnet)

Check the rules
         # iptables -vL --line-numbers

  • Now we want to REPLACE a new rule we just added earlier. We want to allow UDP traffic only from 10.11.0.0/16 subnet but not 10.0.0.0/8 subnet
ReplaceRule# iptables -R INPUT 2 -s 10.11.0.0/255.255.0.0 -i  eth0 -p udp -j ACCEPT
(We are replacing rule#2 with above rule. This rule allows UDP traffic from 10.11.0.0/16 subnet)

Check the rules
         # iptables -vL --line-numbers

  • Now we want to place this set of rules at system startup.
Let's say you validated all the rules and your system is working as desired. Now, you want to place this set of rules at system startup so that you don't have to type above commands manually again. 

#iptables-save > /etc/iptables.up.rules


#cd /etc/sysconfig/network/if-pre-up.d/
#vi iptables-load
#!/bin/sh
iptables-restore < /etc/iptables.up.rules
exit 0

#cd /etc/sysconfig/network/if-post-down.d/
#vi iptables-unload
#!/bin/sh
iptables-save -c > /etc/iptables.up.rules
if [ -f /etc/iptables.down.rules ]; then
   iptables-restore < /etc/iptables.down.rules
fi
exit 0
    #chmod +x iptables-load
    #chmod +x iptables-unload

Restart your server and check if rules are still there and your system is working as desired. 


Application1: Linux as NAT Router

Step1: Enable packet forwarding for IPv4
$ sudo vi /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1


$ sudo sysctl -p /etc/sysctl.conf

Step2: MASQUERADE all the traffic leaving external interface (in our case eth1). MASQUERADE operation mask the private IP address of PC1 or PC2 with an external IP address of the Linux Router.
$ sudo /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Step3: Forward all packets incoming from an internal interface (eth0) to external interface (eth1)
$ sudo /sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

Step4: Forward only RELATED and ESTABLISHED packets incoming from an external interface (eth1) to internal interface (eth0)
$ sudo  /sbin/iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Step5: Check iptables
$ iptables -vL
OR
$ iptables -t filter -vL

To check NAT table
$ iptables -t nat -vL

[Note: if you don't specify table name using -t flag, default table 'filter' will be used ]

Step6: Try to get out to internet from PC1 or PC2. Say, browse www.google.com.

Bonus information:  Let's say you want to SSH  to PC2 (192.168.1.3 port 22) from an external network, you have to setup DNAT
Here, I am mapping port 11015 on an external IP address(Public Routable Address) of Linux Router to port 22 on PC2 which is in our internal network.


$   sudo iptables -t nat -A PREROUTING -p tcp --dport 11015 -j DNAT --to-destination 192.168.1.3:22
$  sudo iptables -A FORWARD -p tcp --dport 22 -d 192.168.1.3 -j ACCEPT
$  sudo iptables -t nat -A POSTROUTING -d 192.168.1.3 -p tcp --dport 22 -j MASQUERADE

Now, ssh  external_IP_address_of_LinuxRouter:11015 from an external network , you should get to 192.168.1.3:22.


Application2: Advanced Scenario (Firewall rules to mitigate an impact of DoS attack on Asterisk- VoIP Servers)

  • We want to delete all rules defined earlier and start fresh. We will be using 'hashlimit' match.
#iptables -F
  • Now, we want to define some advanced rules. We want to:
    • allow all packets from 192.168.1.0/24 subnet
    • limit the rate of SIP Invite from a host to mitigate DoS attack impact
    • limit the rate of SIP Registration from a host to mitigate DoS attack impact
    • allow all RTP(udp) traffic incoming from 10.0.0.0/8 subnet to ports 5000:31000(default RTP ports for asterisk)
    • drop any other packets
#iptables -A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p all -j ACCEPT

#iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm -m hashlimit --hashlimit-upto 10/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name sip_i_limit -j ACCEPT

Look for the string "INVITE sip:" inside the UDP payload 
--hashlimit-upto   10/sec will allow upto 10 connection per second
--hashlimit-burst 10  will allow additional 10 packets before hit the limit (or how many fast connections you can have)
--hashlimit-htable-expire 10000   will expires hash entries in 10000 miliseconds

#iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name sip_r_limit -j ACCEPT

#iptables -A INPUT -s 10.0.0.0/8 -i eth2 -p udp -m udp --dport 5000:31000 -j ACCEPT
#iptables -A INPUT -s 0/0 -j DROP


  • We want to delete all rules defined earlier and start fresh. We will be using 'recent' match instead of 'hashlimit' match and achieve similar goal mentioned earlier to mitigate an impact of DoS attack.
#iptables -F

#iptables -A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p all -j ACCEPT

#iptables -A INPUT 1 -i eth0 -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --set --name VOIP --rsource

#iptables -A INPUT 1 -i eth0 -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIP --rsource -j DROP
Note: The maximum value for the hitcount parameter is given by the "ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this value on the command line will cause the rule to be rejected.

#iptables -A INPUT 1 -i eth0 -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --set --name VOIPINV --rsource

#iptables -A INPUT 1 -i eth0 -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIPINV --rsource -j DROP

#iptables -A INPUT 1 -s 10.0.0.0/8 -i eth0 -p udp -m udp --dport 5000:31000 -j ACCEPT

#iptables -A INPUT -s 0/0 -j DROP

Go to iptables manual ( #man iptables ) to understand about hashlimit and recent match in detail.