4.12. The iptables Program

The iptables program is a newer development for controlling filter chains that has not yet become popular with most users. If you understand how ipchains works, you will have few problems mastering iptables.

The iptables program also employs the input, output, and forward rule chains.

4.12.1. Main Features

The similarities between ipchains and iptables can be seen in the same commands and parameters they use:

  • -A chain rule  Append a rule to the end of the chain. The chain argument can be INPUT, OUTPUT, or FORWARD.

  • -D chain number  Delete the rule with the specified number from the specified chain.

  • -R chain number rule  Replace the rule with the specified number in the specified chain with the given rule.

  • -I chain number rule  Insert the rule into the specified chain at the specified position. For example, if the number equals 1, the rule becomes the first one in the chain.

  • -L chain  View the contents of the specified chain.

  • -F chain  Delete all rules from the specified chain.

  • -p protocol  Define the protocol covered by the rule.

  • -i interface  Specifies the incoming network interface. Can be used in the INPUT, FORWARD, and PREROUTING chains.

  • -o interface  Specifies the outgoing network interface. Can be used in the OUTPUT, FORWARD, and POSTROUTING chains.

  • -j action  The action to apply to the packet, called the target in iptables terminology. The main targets are the following:

    • LOG  Record receipt of the packet in the log.

    • REJECT  Discard the packet and notify the sender.

    • DROP  Discard the packet silently.

    • BLOCK  Block the packet.

  • -s address  The source IP address. As in ipchains, the address can be preceded by ! to negate it and followed by a /mask network mask.

  • -d address  The destination address.

As you can see, most of the parameters are the same as those for the ipchains program, but there are also important differences. For example, the -o and -i parameters provide an easy way to specify the incoming and outgoing interface of a packet. Because the practical aspects of configuring both services are similar, I will not waste book space on treating the process separately for iptables and will only briefly consider the rule-creation process.

In the preceding description of the command options, I considered only the main ones. If you examine the documentation, you will see that there are many more options that can be used with the -j parameter. (If you recall, the -j parameter specifies which action should be applied to a packet that meets the rule's criteria.)

The configuration process for iptables chains is not different from that for ipchains . The chain-formation process starts by flushing all contents of the chain. Rules are added to the chain starting with prohibiting everything and then permitting only those actions and packets that will not harm the server. Potentially dangerous services should only be made available to trusted users who require them.

Changes to the iptables configuration, as with ipchains, must be saved manually to the configuration file (/etc/sysconfig/iptables by default):

    service iptables save

4.12.2. Forwarding

Forwarding in iptables is enabled by executing the following command:

    iptables -A FORWARD -o ppp0 -j ACCEPT

The command allows packets to be forwarded out through the ppp0 interface. To hide the source IP address of the forwarded packets, that is, to enable masquerading, the MASQUERADE target is used. It belongs to the Network Address Translation (NAT) table and is applied in that table's POSTROUTING chain, so the command looks as follows:

    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

The -t nat option selects the NAT table, which requires the iptable_nat module to be loaded. This module can also be loaded manually by executing the following command:

    modprobe iptable_nat

Here, iptable_nat is the kernel module that allows the firewall to work with NAT.

4.12.3. Configuring the iptables Program

I will not describe here various prohibitions in detail because I considered those when describing the ipchains program. I will just briefly consider the process of creating various rules.

All incoming packets can be prohibited by the following command:

    iptables -P INPUT DROP

All incoming packets will be discarded, or dropped in iptables terminology. As with ipchains, you should start configuring iptables with this command. Note that the -P command is used here, which sets the default policy of the given chain to the specified target (action). Adding the rule with the -A option instead (appending it at the end of the chain) will prohibit connections of any type.

Some security specialists recommend logging access requests by adding the following filter to the firewall:

    iptables -A INPUT -j LOG

I personally recommend against logging. Public servers have their ports scanned hundreds, if not thousands, of times. To log all of these scans, you would need a huge hard drive to store the logs. Unless you provide enough space to store the logs, a full hard drive will take down the system. In this way, repeatedly scanning a prohibited port for a certain period will successfully perpetrate a DoS attack.

The following command creates a rule prohibiting the acceptance of echo requests from any computer:

    iptables -A INPUT -s 0/0 -d localhost \
        -p icmp --icmp-type echo-request -j DROP

As you can see, creating a filter does not differ significantly from the analogous ipchains procedure.

The following command prohibits access to the FTP port:

    iptables -A INPUT -s 0/0 -d localhost \
        -p tcp --dport 21 -j DROP

To prohibit access from a certain interface, add the -i option and specify the eth0 interface as follows:

    iptables -A INPUT -i eth0 -s 0/0 -d localhost \
        -p tcp --dport 21 -j DROP

Outgoing packets from port 21 are prohibited by the following command (in the OUTPUT chain the interface is given with -o, and the local port is the source port, so --sport is used):

    iptables -A OUTPUT -o eth0 -s localhost -d 0/0 \
        -p tcp --sport 21 -j DROP
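The configuration sequence this section describes (flush the chain, set a DROP default policy, then permit only what is needed), together with the forwarding and masquerading commands from Section 4.12.2, as one complete script. This is an added example, not code from the book: instead of applying rules one command at a time, it writes the whole ruleset as text in iptables-restore format so it can be reviewed or syntax-checked before it touches the kernel. The interface names ppp0 and eth0, the LAN network 192.168.1.0/24 and the choice to keep only SSH (port 22) reachable from the LAN are assumptions; it also uses the state match to admit replies to connections the machine itself opened, which the section does not cover but which a default-deny INPUT chain needs in practice.

```shell
#!/bin/sh
# Added example (not from the book): build a default-deny iptables ruleset as
# iptables-restore text. Assumed arguments: $1 external interface (e.g. ppp0),
# $2 LAN interface (e.g. eth0), $3 LAN network (e.g. 192.168.1.0/24).
build_ruleset() {
  ext_if="$1"
  lan_if="$2"
  lan_net="$3"
  # iptables-restore replaces each listed table wholesale, which is the
  # "flush everything first" step of the chain-formation process. The
  # ":CHAIN POLICY" lines are the equivalent of "iptables -P CHAIN POLICY".
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -j ACCEPT
-A FORWARD -i $lan_if -o $ext_if -s $lan_net -j ACCEPT
-A FORWARD -i $ext_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $ext_if -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# Default policy of chain $1 (DROP, ACCEPT, ...) in ruleset text read from stdin.
policy_of() {
  awk -v chain=":$1" '$1 == chain { print $2; exit }'
}

# Number of rules appended to chain $1 in ruleset text read from stdin.
rule_count() {
  grep -c "^-A $1 "
}

# Print the generated ruleset for review.
build_ruleset ppp0 eth0 192.168.1.0/24
```

To load it, pipe the output into iptables-restore; iptables-restore --test parses the text without committing it, which is a cheap way to catch a typo before the live ruleset changes. Forwarding also requires the kernel switch net.ipv4.ip_forward to be set to 1, and with default DROP policies anything not explicitly allowed, including every service mentioned in this section such as FTP, is already unreachable without a separate DROP rule.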

A powerful iptables feature is the capability to inspect the contents of packets. This is a handy feature when filtering Web requests, for example: you can allow access to port 80, but only to packets that meet the specified content requirements. The subject of Web server security will be treated in Chapter 7, along with various defense techniques. For now, consider a simple but universal protection technique.

Suppose you want to allow access to the FTP server but prohibit access to the /etc/passwd and /etc/shadow files. The latter is achieved by prohibiting packets that contain these particular strings: a request packet containing a reference to either file will be dropped. The following commands prohibit access to these files over both FTP and the World Wide Web protocol (the string match requires a search algorithm to be named, hence --algo bm):

    iptables -A INPUT -m string --algo bm --string "/etc/passwd" \
        -s 0/0 -d localhost -p tcp --dport 21 -j DROP
    iptables -A INPUT -m string --algo bm --string "/etc/shadow" \
        -s 0/0 -d localhost -p tcp --dport 21 -j DROP
    iptables -A INPUT -m string --algo bm --string "/etc/passwd" \
        -s 0/0 -d localhost -p tcp --dport 80 -j DROP
    iptables -A INPUT -m string --algo bm --string "/etc/shadow" \
        -s 0/0 -d localhost -p tcp --dport 80 -j DROP

You also have to take the information-protection aspect into account. Suppose you have a server that receives traffic encrypted with the stunnel technique, decrypts it, and forwards it to another machine. (The stunnel secure tunnel technique, which creates an encrypted channel between two machines, is considered in Section 5.2.) In this case, the firewall will not find the text it is watching for in the incoming packets, because they are still encrypted. The outgoing packets, however, have been decrypted and contain the commands in plaintext. This configuration therefore requires that both incoming and outgoing traffic be inspected.

Even if stunnel hands the decrypted traffic to another port on the same computer, packets of all types can be inspected on all interfaces, so the check can be applied to them after decryption.
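The four string-match commands above, and the point about inspecting both directions around an stunnel hop, generalised into a small generator. This is an added example, not code from the book: it emits one DROP rule per sensitive path and port for the INPUT chain (plaintext requests arriving from the network) and for the OUTPUT chain (traffic this host itself sends to the service port, which is where a request decrypted by stunnel and forwarded to a backend, or to another port on the same machine, becomes visible). It assumes the string match module is available; the path and port lists are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the book): generate string-match DROP rules for a set
# of sensitive paths on a set of TCP ports, covering both directions so the
# decrypted side of an stunnel hop is inspected as well. --algo bm selects the
# Boyer-Moore search, which the string match requires to be named.

# $1: space-separated list of paths, $2: space-separated list of TCP ports.
# Prints one iptables command per line, in chain order, without running any.
string_drop_rules() {
  paths="$1"
  ports="$2"
  for port in $ports; do
    for path in $paths; do
      # Plaintext requests arriving from the network at the service port.
      echo "iptables -A INPUT -p tcp --dport $port -m string --algo bm --string \"$path\" -j DROP"
      # Plaintext requests this host sends to the service port after stunnel
      # has decrypted them (to another machine or over lo to a local port).
      echo "iptables -A OUTPUT -p tcp --dport $port -m string --algo bm --string \"$path\" -j DROP"
    done
  done
}

# Number of generated rules for chain $1 (INPUT or OUTPUT), read from stdin.
rules_for_chain() {
  grep -c "^iptables -A $1 "
}

# Constructed sample input: the two files and two ports from the text.
string_drop_rules "/etc/passwd /etc/shadow" "21 80"
```

Review the printed commands, then run them with sh (or pipe the output into sh) on the firewall host. Because the OUTPUT rules match on --dport, they also catch the stunnel-to-backend leg when the backend is reached over the loopback interface, which is the case the last paragraph describes.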



Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141