Previous Section
 < Day Day Up > 
Next Section


Packet Filtering

Netfilter is essentially a framework for packet management that can check packets for particular network protocols and notify parts of the kernel listening for them. Built on the Netfilter framework is the packet selection system implemented by IP tables. With IP tables, different tables of rules can be set up to select packets according to differing criteria. Netfilter currently supports three tables: filter, nat, and mangle. Packet filtering is implemented using a filter table that holds rules for dropping or accepting packets. Network address translation operations such as IP masquerading are implemented using the NAT table that holds IP masquerading rules. The mangle table is used for specialized packet changes. Changes can be made to packets before they are sent out, when they are received, or as they are being forwarded. This structure is extensible in that new modules can define their own tables with their own rules. It also greatly improves efficiency. Instead of all packets checking one large table, they access only the table of rules they need to.

IP table rules are managed using the iptables command. For this command, you will need to specify the table you want to manage. The default is the filter table, which need not be specified. You can list the rules you have added at any time with the -L and -n options, as shown here. The -n option says to use only numeric output for both IP addresses and ports, avoiding a DNS lookup for hostnames. You could, however, just use the -L option to see the port labels and hostnames:

iptables -L -n
Note 

In iptables commands, chain names have to be entered in uppercase, as with the chain names INPUT, OUTPUT, and FORWARD.

Chains

Rules are combined into different chains. The kernel uses chains to manage packets it receives and sends out. A chain is simply a checklist of rules. These rules specify what action to take for packets containing certain headers. The rules operate with an if-then-else structure. If a packet does not match the first rule, the next rule is then checked, and so on. If the packet does not match any rules, the kernel consults chain policy. Usually, at this point the packet is rejected. If the packet does match a rule, it is passed to its target, which determines what to do with the packet. The standard targets are listed in Table 19-2. If a packet does not match any of the rules, it is passed to the chain's default target.

Table 19-2: iptables Targets

Target

Function

ACCEPT

Allow packet to pass through the firewall.

DROP

Deny access by the packet.

REJECT

Deny access and notify the sender.

QUEUE

Send packets to user space.

RETURN

Jump to the end of the chain and let the default target process it.

Targets

A target could, in turn, be another chain of rules, even a chain of user-defined rules. A packet could be passed through several chains before finally reaching a target. In the case of user-defined chains, the default target is always the next rule in the chains from which it was called. This sets up a procedure or function call–like flow of control found in programming languages. When a rule has a user-defined chain as its target, when activated, that user-defined chain is executed. If no rules are matched, execution returns to the next rule in the originating chain.

Tip 

Specialized targets and options can be added by means of kernel patches provided by the Netfilter site. For example, the SAME patch returns the same address for all connections. A patch-o-matic option for the Netfilter make file will patch your kernel source code, adding support for the new target and options. You can then rebuild and install your kernel as described in Chapter 33.

Firewall Chains

The kernel uses three firewall chains: INPUT, OUTPUT, and FORWARD. When a packet is received through an interface, the INPUT chain is used to determine what to do with it. The kernel then uses its routing information to decide where to send it. If the kernel sends the packet to another host, the FORWARD chain is checked. Before the packet is actually sent, the OUTPUT chain is also checked. In addition, two NAT table chains, POSTROUTING and PREROUTING, are implemented to handle masquerading and packet address modifications. The built-in Netfilter chains are listed in Table 19-3.

Table 19-3: Netfilter Built-in Chains

Chain

Descriptions

INPUT

Rules for incoming packets

OUTPUT

Rules for outgoing packets

FORWARD

Rules for forwarded packets

PREROUTING

Rules for redirecting or modifying incoming packets, NAT table only

POSTROUTING

Rules for redirecting or modifying outgoing packets, NAT table only

Adding and Changing Rules

You add and modify chain rules using the iptables commands. An iptables command consists of the keyword iptables, followed by an argument denoting the command to execute. For example, iptables -A is the command to add a new rule, whereas iptables -D is the command to delete a rule. The iptables commands are listed in Table 19-4. The following command simply lists the chains along with their rules currently defined for your system. The output shows the default values created by iptables commands.

iptables -L -n
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

To add a new rule to a chain, you use -A. Use -D to remove it, and -R to replace it. Following the command, list the chain to which the rule applies, such as the INPUT, OUTPUT, or FORWARD chain, or a user-defined chain. Next, you list different options that specify the actions you want taken (most are the same as those used for ipchains, with a few exceptions). The -s option specifies the source address attached to the packet, -d specifies the destination address, and the -j option specifies the target of the rule. The ACCEPT target will allow a packet to pass. The -i option now indicates the input device and can be used only with the INPUT and FORWARD chains. The -o option indicates the output device and can be used only for OUTPUT and FORWARD chains. Table 19-5 lists several basic options.

Table 19-4: iptables Commands

Option

Function

-A chain

Appends a rule to a chain.

-D chain [ rulenum]

Deletes matching rules from a chain. Deletes rule rulenum (1 = first) from chain.

-I chain [rulenum]

Inserts in chain as rulenum (default 1 = first).

-R chain rulenum

Replaces rule rulenum (1 = first) in chain.

-L [chain]

Lists the rules in chain or all chains.

-E [chain]

Renames a chain.

-F [chain]

Deletes (flushes) all rules in chain or all chains.

-R chain

Replaces a rule; rules are numbered from 1.

-Z [chain]

Zero counters in chain or all chains.

-N chain

Creates a new user-defined chain.

-X chain

Deletes a user-defined chain.

-P chain target

Changes policy on chain to target.

iptables Options

The iptables package is designed to be extensible, and there are a number of options with selection criteria that can be included with iptables. For example, the TCP extension includes the --syn option that checks for SYN packets. The ICMP extension provides the --icmp-type option for specifying ICMP packets as those used in ping operations. The limit extension includes the --limit option with which you can limit the maximum number of matching packets in a specified time period, such as a second.

Table 19-5: iptables Options

Option

Function

-p [!] proto

Specifies a protocol, such as TCP, UDP, ICMP, or ALL.

-s [!] address[/mask] [!] [port[:port]]

Source address to match. With the port argument, you can specify the port.

--sport [!] [port[:port]]

Source port specification. You can specify a range of ports using the colon, port:port.

-d [!] address[/mask] [!] [port[:port]]

Destination address to match. With the port argument, you can specify the port.

--dport [!][port[:port]]

Destination port specification.

--icmp-type [!] typename

Specifies ICMP type.

-i [!] name[+]

Specifies an input network interface using its name (for example, eth0). The + symbol functions as a wildcard. The + attached to the end of the name matches all interfaces with that prefix (eth+ matches all Ethernet interfaces). Can be used only with the INPUT chain.

-j target [port]

Specifies the target for a rule (specify [port] for REDIRECT target).

--to-source < ipaddr>[-< ipaddr>][: port- port]

Used with the SNAT target, rewrites packets with new source IP address.

--to-destination < ipaddr>
[-< ipaddr>][: port- port]

Used with the DNAT target, rewrites packets with new destination IP address.

-n

Numeric output of addresses and ports, used with -L.

-o [!] name[+]

Specifies an output network interface using its name (for example, eth0). Can be used only with FORWARD and OUTPUT chains.

-t table

Specifies a table to use, as in -t nat for the NAT table.

-v

Verbose mode, shows rule details, used with -L.

-x

Expands numbers (displays exact values), used with -L.

[!] -f

Matches second through last fragments of a fragmented packet.

[!] -V

Prints package version.

!

Negates an option or address.

-m

Specifies a module to use, such as state.

--state

Specifies options for the state module such as NEW, INVALID, RELATED, and ESTABLISHED. Used to detect packet's state. NEW references SYN packets (new connections).

--syn

SYN packets, new connections.

--tcp-flags

TCP flags: SYN, ACK, FIN, RST, URG, PS, and ALL for all flags.

--limit

Option for the limit module (-m limit). Used to control the rate of matches, matching a given number of times per second.

--limit-burst

Option for the limit module (-m limit). Specifies maximum burst before the limit kicks in. Used to control denial-of-service attacks.

In the following example, the user adds a rule to the INPUT chain to accept all packets originating from the address 192.168.0.55. Any packets that are received (INPUT) whose source address (-s) matches 192.168.0.55 are accepted and passed through (-j ACCEPT).

iptables -A INPUT -s 192.168.0.55 -j ACCEPT

Accepting and Denying Packets: DROP and ACCEPT

There are two built-in targets, DROP and ACCEPT. Other targets can be either user-defined chains or extensions added on, such as REJECT. There are two special targets used to manage chains, RETURN and QUEUE. RETURN indicates the end of a chain and returns to the chain it started from. QUEUE is used to send packets to user space.

iptables -A INPUT -s www.myjunk.com -j DROP

You can turn a rule into its inverse with an ! symbol. For example, to accept all incoming packets except those from a specific address, place an ! symbol before the -s option and that address. The following example will accept all packets except those from the IP address 192.168.0.45:

iptables -A INPUT -j ACCEPT ! -s 192.168.0.45

You can specify an individual address using its domain name or its IP number. For a range of addresses, you can use the IP number of their network and the network IP mask. The IP mask can be an IP number or simply the number of bits making up the mask. For example, all of the addresses in network 192.168.0 can be represented by 192.168.0.0/225.255.255.0 or by 192.168.0.0/24. To specify any address, you can use 0.0.0.0/0.0.0.0 or simply 0/0. By default, rules reference any address if no -s or -d specification exists. The following example accepts messages coming in that are from (source) any host in the 192.168.0.0 network and that are going (destination) anywhere at all (the -d option is left out or could be written as -d 0/0):

iptables -A INPUT -s 192.168.0.0/24  -j ACCEPT

The iptables rules are usually applied to a specific network interface such as the Ethernet interface used to connect to the Internet. For a single system connected to the Internet, you will have two interfaces, one that is your Internet connection and a localhost interface (lo) for internal connections between users on your system. The network interface for the Internet is referenced using the device name for the interface. For example, an Ethernet card with the device name /dev/eth0 would be referenced by the name eth0. A modem using PPP protocols with the device name /dev/ppp0 would have the name ppp0. In iptables rules, you use the -i option to indicate the input device; it can be used only with the INPUT and FORWARD chains. The -o option indicates the output device and can be used only for OUTPUT and FORWARD chains. Rules can then be applied to packets arriving and leaving on particular network devices. In the following examples, the first rule references the Ethernet device eth0, and the second, the localhost:

iptables -A INPUT -j DROP -i eth0 -s 192.168.0.45
iptables -A INPUT -j ACCEPT  -i lo

User-Defined Chains

With iptables, the FORWARD and INPUT chains are evaluated separately. One does not feed into the other. This means that if you want to completely block certain addresses from passing through your system, you will need to add both a FORWARD rule and an INPUT rule for them.

iptables -A INPUT -j DROP -i eth0 -s 192.168.0.45
iptables -A FORWARD -j DROP -i eth0 -s 192.168.0.45

A common method for reducing repeated INPUT and FORWARD rules is to create a user chain that both the INPUT and FORWARD chains feed into. You define a user chain with the -N option. The next example shows the basic format for this arrangement. A new chain is created called incoming (it can be any name you choose). The rules you would define for your FORWARD and INPUT chains are now defined for the incoming chain. The INPUT and FORWARD chains then use the incoming chain as a target, jumping directly to it and using its rules to process any packets they receive.

iptables -N incoming
   
iptables -A incoming -j DROP -i eth0 -s 192.168.0.45
iptables -A incoming -j ACCEPT  -i lo
   
iptables -A FORWARD -j incoming
iptables -A INPUT -j incoming

ICMP Packets

Firewalls often block certain Internet Control Message Protocol (ICMP) messages. ICMP redirect messages, in particular, can take control of your routing tasks. You need to enable some ICMP messages, however, such as those needed for ping, traceroute, and particularly destination-unreachable operations. In most cases, you always need to make sure destination- unreachable packets are allowed; otherwise, domain name queries could hang. Some of the more common ICMP packet types are listed in Table 19-6. You can enable an ICMP type of packet with the --icmp-type option, which takes as its argument a number or a name representing the message. The following examples enable the use of echo-reply, echo-request, and destination-unreachable messages, which have the numbers 0, 8, and 3.

iptables -A INPUT -j ACCEPT  -p icmp -i eth0 --icmp -type  echo-reply -d 10.0.0.1
iptables -A INPUT -j ACCEPT  -p icmp -i eth0 --icmp-type  echo-request -d 10.0.0.1
iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type  destination-unreachable -d
10.0.0.1

Their rule listing will look like this:

ACCEPT     icmp --  0.0.0.0/0            10.0.0.1           icmp type 0
ACCEPT     icmp --  0.0.0.0/0            10.0.0.1           icmp type 8
ACCEPT     icmp --  0.0.0.0/0            10.0.0.1           icmp type 3

Ping operations need to be further controlled to avoid the ping-of-death security threat. You can do this several ways. One way is to deny any ping fragments. Ping packets are normally very small. You can block ping-of-death attacks by denying any ICMP packet that is a fragment. Use the -f option to indicate fragments.

iptables -A INPUT -p icmp -j DROP -f

Another way is to limit the number of matches received for ping packets. You use the limit module to control the number of matches on the ICMP ping operation. Use -m limit to use the limit module, and --limit to specify the number of allowed matches. 1/s will allow one match per second.

iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
Table 19-6: Common ICMP Packets

Number

Name

Required By

0

echo-reply

ping

3

destination-unreachable

Any TCP/UDP traffic

5

redirect

Routing if not running routing daemon

8

echo-request

ping

11

time-exceeded

traceroute

Controlling Port Access

If your system is hosting an Internet service, such as a Web or FTP server, you can use iptables to control access to it. You can specify a particular service by using the source port (--sport) or destination port (--dport) options with the port that the service uses. iptables lets you use names for ports such as www for the Web server port. The names of services and the ports they use are listed in the /etc/services file, which maps ports to particular services. For a domain name server, the port would be domain. You can also use the port number if you want, preceding the number with a colon. The following example accepts all messages to the Web server located at 192.168.0.43:

iptables -A INPUT -d 192.168.0.43 --dport www -j ACCEPT

You can also use port references to protect certain services and deny others. This approach is often used if you are designing a firewall that is much more open to the Internet, letting users make freer use of Internet connections. Certain services you know can be harmful, such as Telnet and NTP, can be denied selectively. For example, to deny any kind of Telnet operation on your firewall, you can drop all packets coming in on the Telnet port, 23. To protect NFS operations, you can deny access to the port used for the portmapper, 111. You can use either the port number or the port name.

# deny outside access to portmapper port on firewall.
iptables -A arriving  -j DROP -p tcp -i eth0  --dport 111
# deny outside access to telnet port on firewall.
iptables -A arriving  -j DROP -p tcp -i eth0  --dport telnet

The rule listing will look like this:

DROP      tcp  --  0.0.0.0/0    0.0.0.0/0     tcp dpt:111
DROP      tcp  --  0.0.0.0/0    0.0.0.0/0     tcp dpt:23

One port-related security problem is access to your X server on the XFree86 ports that range from 6000 to 6009. On a relatively open firewall, these ports could be used to illegally access your system through your X server. A range of ports can be specified with a colon, as in 6000:6009. You can also use x11 for the first port, x11:6009. Sessions on the X server can be secured by using SSH, which normally accesses the X server on port 6010.

iptables -A arriving  -j DROP -p tcp -i eth0  --dport 6000:6009

Common ports checked and their labels are shown here:

Service

Port Number

Port Label

Auth

113

auth

Finger

79

finger

FTP

21

ftp

NTP

123

ntp

Portmapper

111

sunrpc

Telnet

23

telnet

Web server

80

www

XFree86

6000:6009

x11:6009

Packet States: Connection Tracking

One of the more useful extensions is the state extension, which can easily detect tracking information for a packet. Connection tracking maintains information about a connection such as its source, destination, and port. It provides an effective means for determining which packets belong to an established or related connection. To use connection tracking, you specify the state module first with -m state. Then you can use the --state option. Here you can specify any of the following states:

State

Description

NEW

A packet that creates a new connection

ESTABLISHED

A packet that belongs to an existing connection

RELATED

A packet that is related to, but not part of, an existing connection, such as an ICMP error or a packet establishing an FTP data connection

INVALID

A packet that could not be identified for some reason

RELATED+REPLY

A packet that is related to an established connection, but not part of one directly

If you are designing a firewall that is meant to protect your local network from any attempts to penetrate it from an outside network, you may want to restrict packets coming in. Simply denying access by all packets is unfeasible because users connected to outside servers—say, on the Internet—must receive information from them. You can, instead, deny access by a particular kind of packet used to initiate a connection. The idea is that an attacker must initiate a connection from the outside. The headers of these kinds of packets have their SYN bit set on and their FIN and ACK bits empty. The state module's NEW state matches on any such SYN packet. By specifying a DROP target for such packets, you deny access by any packet that is part of an attempt to make a connection with your system. Anyone trying to connect to your system from the outside is unable to do so. Users on your local system who have initiated connections with outside hosts can still communicate with them. The following example will drop any packets trying to create a new connection on the eth0 interface, though they will be accepted on any other interface:

iptables -A INPUT -m state --state NEW -i eth0 -j DROP

You can use the ! operator on the eth0 device combined with an ACCEPT target to compose a rule that will accept any new packets except those on the eth0 device. If the eth0 device is the only one that connects to the Internet, this still effectively blocks outside access. At the same time, input operation for other devices such as your localhost are free to make new connections. This kind of conditional INPUT rule is used to allow access overall with exceptions. It usually assumes that a later rule such as a chain policy will drop remaining packets.

iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT

The next example will accept any packets that are part of an established connection or related to such a connection on the eth0 interface:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


Previous Section
 < Day Day Up > 
Next Section
This HTML Help has been published using the chm2web software.