Disclaimer
The opinions expressed herein are my own personal opinions and do not represent anyone else's view in any way, including those of my employer.
© Copyright 2009
The opinions expressed herein are my own personal opinions and do not represent anyone else's view in any way, including those of my employer.
© Copyright 2009
This goes along with my other article on how to setup a router/gateway in slackware. After you have setup that router you will need to be able to open up ports. I found small quick fixes for this, but i didnt really make anything that i understood till a few days later and lots of reading. That is why i’m totally rewriting this article.
The best way to think of iptables/chains is kinda like chains (go figure) the packets go from link to link until they reach their destination or are dropped/rejected. One chain link can have several links atached to it so the packet could go out several different ways, lenghts of chain can be short or long.
Iptables in two paragraphs
So just for a example lets say we have a router that just accepts http or ssh traffic (which mine does). The chain would start at the first link, it would say “is it http?” if no, next link “is it ssh” if no next link. If there is no other link the “default policy” will take effect. The default policy can be drop or accept. So if we had a policy of accept the packet would get accepted if it was not a http or ssh packet, if we had a default drop policy it would get dropped. To avoid confusion we would have another link that would “drop” the packet if its not what we want.
There are 3 main sections of chain that you can mess with, INPUT, OUTPUT and FORWARD. The input chain/table is for packets coming in, the output for packets going out and the forward for packets getting forwarded. Really hard huh ? We are mostly concerned with packets coming in, the packets we send out should not be limited in most cases, and forwarding is its own thing.
An Example
The most basic configuration of my server allows only two ports open, I believe this to be secure, or at least better than the dozen that were open before I did this. The two ports that are open are ssh (22) and http (80). This way i can remote admin my server and allow my webserver to go through (which is on the same machine).
So that all has to do with packets coming in, lets add links to the INPUT table
# (link 1) Allow http, the eth+ defines "all" ethernet devices iptables -A INPUT -i eth+ -p tcp -m tcp --dport 80 -j ACCEPT # (link 2) Allow SSH iptables -A INPUT -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT # (link 3) throw everything else away iptables -A INPUT -j DROP
The comments are preceded by # so they are just saying whats going on. Basically we added three links “-A” for “append”. Ill leave the rest of the syntax up to you to figure out, but this is the main syntax that is used in most of the statements for iptables, these are very common lines.
The first link checks all eth nics (eg. eth+) and if they are passing port 80 data (http) we Accept it. Same goes for link two, except we are using port 22. Then link three just drops everything, this makes it like “stealth” mode, they cant figure out if its closed or open. Our server returns no response on “drop” if you want to report the port as closed use “REJECT”.
You should note that ORDER MATTERS, if we were to put the drop link in first it would drop all packets first. So add all the ports you want to allow before you put your Drop portion.
I’ve just done this to my home network. Since i have wifi and my bro-in law hooked up to my subnetwork 192.168.10.0 im very weary of that connection. I’m almost positive that my bro in law has spyware or something that is trying to communicate with god knows what at all hours of the day. I know this by looking at the log files.
This subnetwork is hooked up to eth1, so simple enough only traffic on port 80 is allowed on that interface. To accomplish this i send all the traffic from that port to its own chain. The chain is very short it just allows port 80 and logs/drops everything else.
iptables -N NETTWO # create table iptables -A NETTWO -p tcp -m tcp --dport 80 -j ACCEPT # is it port 80 ? iptables -A NETTWO -j LOG --log-prefix '[NETTWO DROP] : ' #if no log/drop iptables -A NETTWO -j DROP
and then add it as one of the first lines of your input table for eth1. So if anything is coming to/from eth1 we send it to this table. That way if you have another table with more complicated checking for tons of ports it does not have to check all of them before dumping the stuff on odd ports.
#first line of my input table, if eth1 jmp nettwo iptables -i eth1 -j NETTWO
I know this works well because i was editing the script in windows over the samba share on the wifi. When i clicked back over to copy my code for the page it was froze because i closed the samba ports.
Also this provides a nice way to see all the stuff being dropped by differnet parts of the network, because looking through the log files is very difficult.
Links to other links of chain
A great way of doing this is to have a list/links/chain that you make yourself, then you can add that like a link into the input chain. For instance I made a “TRUSTED” chain/table and append all the ports i want to accept into it. Then my “input” table first sends the packet to the “trusted” table and then drops it. But, first i also do a little preliminary checking and send it to another table called firewall. So its INPUT -> FIREWALL -> TRUSTED -> DROP
# create two chains, one for fw other is trusted (for clean script?) iptables -N FIREWALL iptables -N TRUSTED # allow established and related incoming connections only iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow self communication iptables -A FIREWALL -i lo -j ACCEPT iptables -A FIREWALL -o lo -j ACCEPT # send all package to the trusted chain iptables -A FIREWALL -j TRUSTED # drop all other packets iptables -A FIREWALL -j DROP
The -N makes a new table, then i use state matching “-m” to see if its a established or related packet, then i automatically accept local loopback, from there i append the trusted chain then append the drop link. So, basically instead of having one long chain we have one chain link that connects to several chains, but they are all pretty short. I’m sure this helps speed up things a lot. Like for instance if you know 90% of your packets are going to one machine you can filter them out in your first link before your server even starts to think about it. Thats what the “established, related” does, I’ve we’ve already established a link to a webpage or game server there is no need to check every single packet after that, its the “new” connections that we want to worry about.
All the stuff we want to keep out we append to the firewall table before the appending of the “trusted” table. This way we see if its somone we dont like, if so we drop them if not we see if its somone we do like if so let them pass if not drop them. Pretty simple stuff, but it takes a while to get used to the syntax and such.
There is no one script for everyone
This stuff is unique to every machine, if you dont wanna learn iptables get firestarter, firewallbuilder, guarddog or any of the other gui tools out there. I only tried one, and it was just as complicated as learning this, except when you learn iptables it allows you to do everything you want. But there is no copy/paste script that you can use (that i know of) belive me i tried a lot of them, they didnt work for me and i had no idea what i was doing. If you want good security thats in your hands read the material and practice with your iptables. You can use webpages like this one to see which ports you have open, close them open them and such and make sure you have iptables down.
I got most of this information from a really good tutorial i found, you might wanna check it out. http://ubuntuforums.org/showthread.php?t=159661&highlight=iptables
I barley feel comfortable with my iptables now, and i can write it from scratch. Until you get to the point where you KNOW what is going on and can write your iptables syntax, I would not feel secure.
This was confusing me forever, you type “iptables -L” and it shows you the rules but all the source and destination are anywhere anywhere. So, it looks like everything is going trough. What we need is a better way of seeing whats going on. If you want the best way to see whats going on try tcpdump, but for our purposes the command “iptables -L -v” works great. That “-v” part makes it print out alot more detail. The most useful part of that command is that it shows you how many packets it has sent to each part, so you can easily test ports and see where everything is going. For example, check it then go do something on that port and then check it again, if the number of packets through that port has not changed something is wrong, or right 
Other Stuff
There is of course much more to it than this, there is the “forwarding” part. How do you want to handle the forwarding of your internet access to the machines on your local lan. That part is still pretty fuzzy for me, the main thing im wondering is do i need to filter out stuff for the forwarding part or is that already handled by the input part. Im pretty sure the input table filters stuff before it even gets to your forwarding table, but you might want to check up on that. Anyway this is what i do to forward to all my other machines, straight simple,
# enable port forwarding iptables -A FORWARD -j ACCEPT # hide computers behind the firewall iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE echo 1 > /proc/sys/net/ipv4/ip_forward
I was messing with that for a while trying to get it to just forward stuff on port 80 but i think the filtering stuff does not work the same in the forward table. I recommend having a basic firewall on the other systems on your lan to ensure safety.
Script ?
The best thing about all this is you can make it into one big script. I made mine into a executable in my /etc/rc.d/ folder i can access it like most of the other executables in that folder with ./firewall start or ./firewall restart and such. For instance when I know ill be playing games or hosting a server i can have special functions inside the script just for that like ./firewall gamenight or something. You could even use this to turn on/off interenet connections like if you have kids or something and you want your inet to turn off at a certain time you can just call the script ./firewall stop or ./firewall start at certain times. The possiblilites are endless, as they should be with linux. Here is the core of my bash script so you can make your own
# case statement to call the correct function, exept status which is in the case case $1 in start) start ;; stop) stop ;; restart) stop start ;; status) iptables -L iptables -t nat -L RETVAL=0 ;; lockdown) stop lockdown ;; *) echo "Usage: Firewall (start|stop|restart|status)" esac exit
Then above that you just need to make your fucntions like this is my “stop” function, you should note it calls the stop function before it resets. This pretty much opens my firewall up and enables forwarding. It illustrates the use of functions in bash, this should be above the code i have above, just like in C you cant call functions unless they are above the thing that is calling them.
# stop the firewall (everything is open !) stop() { echo "Remvoing all Iptables rules: " echo "Everything on the network will be open !!!" # set the default policy iptables -P INPUT ACCEPT # accept all incoming packets iptables -P FORWARD ACCEPT # forward all packets to other puters (flood) iptables -P OUTPUT ACCEPT # accept all outgoing packets and send them # set default policy for the NAT table iptables -t nat -P PREROUTING ACCEPT iptables -t nat -P POSTROUTING ACCEPT iptables -t nat -P OUTPUT ACCEPT # delete all old rules iptables -F # flush iptables -t nat -F # flust nat table # delete all chains iptables -X iptables -t nat -X # setup port forwarding echo "Enabling forwarding from eth0 to everyone" iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE echo "All tables flushed, all connections accepted/forwarded" RETVAL=0 }
If your interested in more of that look at this tutorial, almost everything in this article was adapted from that tutorial and the advanced one linked to on that page.
Helpful links
http://www.speedguide.net/analyzer.php? (Analize your internet connection)
https://www.grc.com/x/ne.dll?bh0bkyd2 (tests what ports are open on your computer)
http://www.speedtest.net/ ( a fast internet speed tester)
http://linux.die.net/man/8/iptables (excellent quick reference, when you already know how)
Categories
Tag Cloud
Blog RSS
Comments RSS
Void « Default
Life 
Earth 
Wind 
Water 
Fire Light 
Previous 
Next 
Last 50 Posts
Back
[...] is a continuation of articles “using iptables on your linux router“ and “how to setup your slackware linux box as a router“. This is the script [...]