In Linux, components of netfilter and iptables are responsible for the filtering and manipulation of network packets.
The filtering criteria and actions are stored in chains, which are matched one after another for each network packet. The chains are in turn stored in tables. The iptables command allows you to alter these tables and rule sets.
Check out the switches of the iptables command:
# iptables -h
The most frequently used switches are -t, -j, -A, -F, -p, -s, -d, -i and -o:
-t table            table to manipulate (default: `filter')
-j target           target for rule (may load target extension)
-A chain            append to chain
-F [chain]          delete all rules in chain or all chains
-p proto            protocol: by number or name, e.g. `tcp'
-s address[/mask]   source address
-d address[/mask]   destination address
-i in-interface     interface the packet arrived on
-o out-interface    interface the packet leaves on
There are three different tables in a Linux based firewall, each for a particular function:
- FILTER (packet filtering; this table holds the filter rules that decide whether to ACCEPT or DROP a packet)
- NAT (masquerading; this table defines changes to the source and destination address of packets)
- MANGLE (the rules in this table allow IP header manipulation)
Rules live in chains, and the five built-in chains correspond to the points at which a packet can be examined on its way through the host:
- PREROUTING
- INPUT
- FORWARD
- OUTPUT
- POSTROUTING
Fig. iptables : Possible paths for a packet (Src: SLES Security book)
Let's start with some examples. Warning!!! Be very careful while executing iptables rules as you may lock yourself out of the server or disrupt network based services running on the server.
Basic Iptables operations:
Note: Please follow the instructions step-by-step. Skipping steps is not advised.
- Allow all kinds of traffic (tcp/udp) from the 192.168.1.0/24 subnet
- Drop everything else
Rule1# iptables -A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p all -j ACCEPT
(We are appending a rule to the INPUT chain of the FILTER table (the default table). This rule checks whether the source address of the packet is in the 192.168.1.0/24 subnet. If so, the traffic is allowed; otherwise the packet is passed on to the next rule)
Rule2# iptables -A INPUT -s 0/0 -j DROP
(We are appending a rule to the INPUT chain of the FILTER table (the default table). This rule drops everything else. Note: 0/0 means ANY)
Check the rules
# iptables -vL --line-numbers
- Now we want to INSERT a new rule after Rule#1, to allow UDP traffic from the 10.0.0.0/8 subnet
# iptables -I INPUT 2 -s 10.0.0.0/8 -p udp -j ACCEPT
(We are inserting a new rule as rule#2: -I takes the chain name and the position. This rule allows UDP traffic from the 10.0.0.0/8 subnet)
Check the rules
# iptables -vL --line-numbers
- Now we want to REPLACE the rule we just added. We want to allow UDP traffic only from the 10.11.0.0/16 subnet, not from the whole 10.0.0.0/8 subnet
# iptables -R INPUT 2 -s 10.11.0.0/16 -p udp -j ACCEPT
(We are replacing rule#2 with the above rule: -R takes the chain name and the position. This rule allows UDP traffic from the 10.11.0.0/16 subnet only)
Check the rules
# iptables -vL --line-numbers
- Now we want to load this set of rules at system startup.
Let's say you validated all the rules and your system is working as desired. Now you want this set of rules loaded at system startup so that you don't have to type the above commands manually again.
# iptables-save > /etc/iptables.up.rules
# cd /etc/sysconfig/network/if-pre-up.d/
# vi iptables-load
Contents of iptables-load:
#!/bin/sh
iptables-restore < /etc/iptables.up.rules
exit 0
# cd /etc/sysconfig/network/if-post-down.d/
# vi iptables-unload
Contents of iptables-unload:
#!/bin/sh
iptables-save -c > /etc/iptables.up.rules
if [ -f /etc/iptables.down.rules ]; then
    iptables-restore < /etc/iptables.down.rules
fi
exit 0
# chmod +x /etc/sysconfig/network/if-pre-up.d/iptables-load
# chmod +x /etc/sysconfig/network/if-post-down.d/iptables-unload
Restart your server and check if rules are still there and your system is working as desired.
Application1: Linux as NAT Router
Step1: Enable packet forwarding for IPv4
$ sudo vi /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
$ sudo sysctl -p /etc/sysctl.conf
Step2: MASQUERADE all the traffic leaving the external interface (in our case eth1). The MASQUERADE target replaces the private source IP address of PC1 or PC2 with the external IP address of the Linux Router.
$ sudo /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Step3: Forward all packets incoming from the internal interface (eth0) to the external interface (eth1)
$ sudo /sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
Step4: Forward only RELATED and ESTABLISHED packets incoming from an external interface (eth1) to internal interface (eth0)
$ sudo /sbin/iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Step5: Check iptables
$ iptables -vL
OR
$ iptables -t filter -vL
To check NAT table
$ iptables -t nat -vL
[Note: if you don't specify table name using -t flag, default table 'filter' will be used ]
Step6: Try to get out to internet from PC1 or PC2. Say, browse www.google.com.
Bonus information: Let's say you want to SSH to PC2 (192.168.1.3 port 22) from an external network; for that you have to set up DNAT.
Here, I am mapping port 11015 on the external IP address (public routable address) of the Linux Router to port 22 on PC2, which is in our internal network.
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 11015 -j DNAT --to-destination 192.168.1.3:22
$ sudo iptables -A FORWARD -p tcp --dport 22 -d 192.168.1.3 -j ACCEPT
$ sudo iptables -t nat -A POSTROUTING -d 192.168.1.3 -p tcp --dport 22 -j MASQUERADE
Now, ssh to external_IP_address_of_LinuxRouter:11015 from an external network and you should get to 192.168.1.3:22.
[Note: because of the POSTROUTING MASQUERADE rule, PC2 sees every forwarded SSH connection as coming from the router's own address, so PC2's logs no longer show the real client IP; if you need that for auditing, log the connection on the router as well ]
Application2: Advanced Scenario (Firewall rules to mitigate an impact of DoS attack on Asterisk- VoIP Servers)
- We want to delete all rules defined earlier and start fresh. We will be using the 'hashlimit' match.
# iptables -F
- Now, we want to define some advanced rules. We want to:
  - allow all packets from the 192.168.1.0/24 subnet
  - limit the rate of SIP INVITEs from a host to mitigate the impact of a DoS attack
  - limit the rate of SIP REGISTERs from a host to mitigate the impact of a DoS attack
  - allow all RTP (udp) traffic incoming from the 10.0.0.0/8 subnet to ports 5000:31000 (default RTP ports for Asterisk)
  - drop any other packets
#iptables -A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p all -j ACCEPT
#iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm -m hashlimit --hashlimit-upto 10/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name sip_i_limit -j ACCEPT
-m string --string "INVITE sip:" --algo bm looks for the string "INVITE sip:" inside the UDP payload
--hashlimit-upto 10/sec allows up to 10 such packets per second from each source IP (--hashlimit-mode srcip keeps a separate counter per source address)
--hashlimit-burst 10 allows a burst of 10 additional packets before the limit is hit (i.e. how many packets a source can send back-to-back)
--hashlimit-htable-expire 10000 (optional, not used in the rule above) expires idle hash entries after 10000 milliseconds
Packets that exceed the limit simply don't match this rule, so they fall through to the final DROP rule below.
#iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name sip_r_limit -j ACCEPT
#iptables -A INPUT -s 10.0.0.0/8 -i eth2 -p udp -m udp --dport 5000:31000 -j ACCEPT
#iptables -A INPUT -s 0/0 -j DROP
- We want to delete all rules defined earlier and start fresh. We will be using the 'recent' match instead of the 'hashlimit' match to achieve the same goal mentioned earlier, mitigating the impact of a DoS attack.
# iptables -F
# iptables -A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p all -j ACCEPT
# iptables -A INPUT -i eth0 -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --set --name VOIP --rsource
# iptables -A INPUT -i eth0 -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIP --rsource -j DROP
(The first rule records every REGISTER from a source address in the list VOIP; the second drops the packet once that source has 12 or more entries within the last 60 seconds)
Note: The maximum value for the hitcount parameter is given by the "ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this value on the command line will cause the rule to be rejected.
# iptables -A INPUT -i eth0 -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --set --name VOIPINV --rsource
# iptables -A INPUT -i eth0 -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIPINV --rsource -j DROP
# iptables -A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
(SIP packets that were not dropped by the recent rules above need an explicit ACCEPT here, otherwise the final DROP rule would discard them; in the hashlimit version the -j ACCEPT was part of the rate-limiting rules themselves)
# iptables -A INPUT -s 10.0.0.0/8 -i eth0 -p udp -m udp --dport 5000:31000 -j ACCEPT
# iptables -A INPUT -s 0/0 -j DROP
Go to the iptables manual (# man iptables) to understand the hashlimit and recent matches in detail.
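To see how differently the two limits above treat the same traffic, here is an added model (my own code, not from the original post or from netfilter) of xt_hashlimit's per-source token bucket and xt_recent's hit counting, run over constructed INVITE streams; the class names, the 10.0.0.5 trunk and the 203.0.113.9 flood source are assumptions for the demonstration.

```python
# Added model (not code from the original post) of the two per-source limits
# above. Times are integer milliseconds; the traffic at the end is constructed.
from collections import defaultdict, deque


class HashLimit:
    """xt_hashlimit token bucket per source (--hashlimit-mode srcip):
    'burst' credits per source, refilled at 'rate' credits per second."""

    def __init__(self, rate, burst):
        self.rate = rate          # credits (packets) per second
        self.cap = burst * 1000   # bucket size in milli-credits
        self.buckets = {}         # srcip -> (milli-credits, last_ms)

    def allow(self, src, t_ms):
        credits, last = self.buckets.get(src, (self.cap, t_ms))
        credits = min(self.cap, credits + (t_ms - last) * self.rate)
        ok = credits >= 1000      # one whole credit pays for one packet
        self.buckets[src] = (credits - 1000 if ok else credits, t_ms)
        return ok


class Recent:
    """xt_recent '--set' then '--update --seconds S --hitcount N': every
    packet is recorded; drop once N entries fall inside the last S seconds."""

    def __init__(self, seconds, hitcount):
        self.window, self.hitcount = seconds * 1000, hitcount
        self.seen = defaultdict(deque)   # srcip -> timestamps (ms)

    def allow(self, src, t_ms):
        hits = self.seen[src]
        hits.append(t_ms)
        while t_ms - hits[0] > self.window:
            hits.popleft()
        return len(hits) < self.hitcount


def simulate(limiter, packets):
    """Return {srcip: packets accepted} for (t_ms, srcip) pairs."""
    accepted = defaultdict(int)
    for t_ms, src in sorted(packets):
        if limiter.allow(src, t_ms):
            accepted[src] += 1
    return dict(accepted)


# Constructed traffic: a trunk at 10.0.0.5 sends one INVITE every 2 s for a
# minute; a flood source at 203.0.113.9 sends 100 INVITEs inside one second.
TRUNK = [(2000 * i, "10.0.0.5") for i in range(30)]
FLOOD = [(10 * i, "203.0.113.9") for i in range(100)]
```

With this input, hashlimit 10/sec burst 10 accepts all 30 trunk INVITEs and lets 19 of the 100 flood packets through at a trickle, while recent (12 hits in 60 s) stops both sources after 11 packets: it caps the count per minute regardless of spacing, so it is the harsher setting for a busy legitimate source.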