The Basics
Netfilter (configured with iptables) is the packet filtering framework for Linux. Combined with other open-source systems such as Squid (proxy server) and Snort (IDS), it can be used to build a very effective firewall for any network, small or humongous.
The tables
Iptables sorts rules into tables. Each table corresponds to a particular position in the logical order of a packet's traversal of the network stack.
The tables are as follows:
- Filter (the default table)
- Mangle (specifically for packet alteration, e.g. changing header fields)
- Nat (specifically suited to network address translation and similar address/port rewriting)
The Chains
In each table there are chains, also corresponding to a logical position in the network stack (and within the specific table).
For Filter they are:
- INPUT (packets destined for the box itself)
- OUTPUT (packets generated by the box)
- FORWARD (packets that pass through the box)
Quite self-explanatory.
For Nat they are:
- PREROUTING (alter packets as they enter the box, before routing)
- OUTPUT (alter locally generated packets before routing takes place)
- POSTROUTING (alter packets as they leave the box, after routing)
For Mangle (on kernels newer than 2.4.17) they are:
- PREROUTING
- INPUT
- FORWARD
- OUTPUT
- POSTROUTING
The Targets
To tell netfilter what to do with a packet you must write rules. All rules have at least three things in common:
- They are bound to a table
- They act on a packet going in a particular direction, i.e. they live in a chain (INPUT, OUTPUT, FORWARD, etc.)
- They do something with that packet (accept it, redirect it, block it, etc.)
There are a multitude of other properties of a packet that can be matched on, including TCP connection state, ICMP type, source address, and more.
What ultimately happens to a packet is determined by a series of TARGETS.
The most common targets, and the ones most likely to be available in whatever version of iptables you have, are:
- ACCEPT (accepts the packet)
- DROP (silently discards the packet, sending nothing back)
- REJECT (rejects the packet and sends an error back to the sender, an ICMP error or TCP RST, as the RFCs describe)
There are a multitude of other targets that can be used, like TARPIT, ROUTE, REDIRECT, MASQUERADE, etc. If you include all the targets that aren't in the stable branch you'll probably end up with literally hundreds of them.
Quick Iptables Scripts
Setting up NAT for hosts behind a firewall
On your gateway box (connected to the Internet and your local network) do the following:
iptables --table nat --append POSTROUTING -o ppp0 --jump MASQUERADE
This tells iptables to masquerade everything that leaves the box via ppp0 (rewriting the source address to the box's own address on that interface).
Just replace ppp0 with your outside interface (e.g. eth0 or whatever).
Next, enable ip forwarding like so:
# echo 1 > /proc/sys/net/ipv4/ip_forward
To do this permanently see Sharing an Internet Connection.
Individual hosts on your network can now use the box as a gateway to the internet.
Trouble with packet fragmentation over DSL links
From the iptables man page (on the TCPMSS target):
This target is used to overcome criminally brain-dead ISPs or servers which block ICMP Fragmentation Needed packets. The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines behind it can never exchange large packets:
- Web browsers connect, then hang with no data received.
- Small mail works fine, but large emails hang.
- ssh works fine, but scp hangs after initial handshaking.
Workaround: activate this option and add a rule to your firewall configuration like:
iptables --insert FORWARD 1 -p tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
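Putting the gateway pieces together (the MASQUERADE rule, IP forwarding and the MSS clamp), here is an added example script; it is not from the original page. The interface names ppp0 and eth1 and the LAN subnet 192.168.10.0/24 are assumed placeholders, and the DRY_RUN switch, which prints the commands instead of running them, is a convenience of this example, not an iptables feature. Unlike the one-liner above, the masquerade rule is limited to the LAN subnet so the box does not rewrite whatever else happens to reach its outside interface.

```shell
#!/bin/sh
# Added example (not from the original page): NAT gateway rules with
# IP forwarding and the TCPMSS clamp for broken-PMTU links.
WAN_IF="${WAN_IF:-ppp0}"               # assumed outside interface
LAN_IF="${LAN_IF:-eth1}"               # assumed inside interface
LAN_NET="${LAN_NET:-192.168.10.0/24}"  # assumed LAN subnet (constructed value)

# ipt: run iptables, or just print the command when DRY_RUN is set,
# so the rule set can be reviewed without root and without touching the box.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

gateway_rules() {
    # Only masquerade traffic that really comes from the LAN and leaves via WAN.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # Forwarding: LAN -> WAN is allowed; WAN -> LAN only for replies to
    # connections the LAN opened (the conntrack state is shared with nat).
    ipt -P FORWARD DROP
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Clamp the MSS of forwarded SYNs to the path MTU, for links where
    # ICMP "Fragmentation Needed" is blocked. Inserted at position 1 so it
    # is evaluated first; TCPMSS does not terminate rule processing, so the
    # packet still reaches the ACCEPT rules above.
    ipt -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

enable_forwarding() {
    if [ -n "$DRY_RUN" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Self-check: number of iptables commands the rule set would issue.
count_rules() {
    ( DRY_RUN=1; gateway_rules ) | grep -c '^iptables '
}

# Usage: "sh gateway.sh apply" as root, or "DRY_RUN=1 sh gateway.sh apply" to preview.
if [ "${1:-}" = "apply" ]; then
    gateway_rules
    enable_forwarding
fi
```

Preview with DRY_RUN=1 first and compare the printed rules with `iptables -t nat -L POSTROUTING -n -v` and `iptables -L FORWARD -n -v` after applying; the packet counters on the MASQUERADE and TCPMSS rules are the quickest way to confirm LAN traffic is actually hitting them.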
Block everything from the outside
This script will block everything from the outside trying to access you, and let everything out from the inside:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables --append INPUT -p tcp -m state --state ESTABLISHED,RELATED --jump ACCEPT
iptables --append INPUT -p udp -m state --state ESTABLISHED,RELATED --jump ACCEPT
iptables --append INPUT -p icmp -m state --state ESTABLISHED,RELATED --jump ACCEPT
Nmap will tell anyone who tries to scan your host the following:
# nmap mybox

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2006-02-07 20:04 SAST
All 1663 scanned ports on tanuki (192.168.10.180) are: filtered

Nmap run completed -- 1 IP address (1 host up) scanned in 335.593 seconds
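The same "block everything from the outside" policy as an added example script (not from the original page), with two things the six-line version above lacks: an ACCEPT for the loopback interface, without which a DROP policy on INPUT breaks local services, and a flush step so the script can be re-run without duplicating rules. The single `-m state` rule replaces the three per-protocol rules, since state matching is not protocol-specific. The management subnet 192.168.10.0/24, the admin port 22 and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): stateful host firewall that
# drops all unsolicited inbound traffic and lets everything out.
LAN_NET="${LAN_NET:-192.168.10.0/24}"  # assumed management subnet (constructed)
ADMIN_PORT="${ADMIN_PORT:-22}"         # assumed service reachable from the LAN only

# ipt: run iptables, or print the command when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

host_firewall() {
    # Start from empty chains so re-running does not append duplicates.
    ipt -F INPUT
    ipt -F FORWARD

    # Policies: nothing in, nothing through, everything out.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback must stay open or local daemons talking to 127.0.0.1 break.
    ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened, plus related traffic
    # (ICMP errors for our own connections, FTP data channels, ...).
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets that claim to belong to a connection conntrack never saw.
    ipt -A INPUT -m state --state INVALID -j DROP

    # One deliberate exception: new admin connections, from the LAN only.
    ipt -A INPUT -p tcp -s "$LAN_NET" --dport "$ADMIN_PORT" -m state --state NEW -j ACCEPT
}

# Self-check on the generated rules: every ACCEPT appended to INPUT must be
# qualified by the loopback interface or a state match; prints how many are not.
check_no_bare_accepts() {
    ( DRY_RUN=1; host_firewall ) | grep -- '-A INPUT' | grep -- '-j ACCEPT' \
        | grep -v -e '-i lo' -e '--state' | wc -l | tr -d ' '
}

# Usage: "sh hostfw.sh apply" as root, or "DRY_RUN=1 sh hostfw.sh apply" to preview.
if [ "${1:-}" = "apply" ]; then
    host_firewall
fi
```

Apply it from a console rather than over the network the first time: the policy is set to DROP before the ESTABLISHED,RELATED rule is appended, so an SSH session that is mid-flight can stall between those two commands. After applying, `iptables -L INPUT -n -v --line-numbers` shows the rules in evaluation order, which is the order that matters when reading a rule set like this one.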
Block (but look like you're accepting) everything from outside
There is a wonderful target in iptables (unfortunately, methinks, not in the main development branch) called TARPIT.
What it does is accept the incoming TCP connection from the remote host, but immediately set the TCP window size to 0. Thus, no data can be sent!
This gives the appearance that a specific port is open, but nothing can actually be sent to it. To use it, just add the following rule before your final DROP rule:
iptables --append INPUT -p tcp --jump TARPIT
More information
Using the Netfilter patch-o-matic system
- TODO
- I'll add this when I next compile iptables.

