Checking the Input, Output, and Forwarding Rules


Now that you've seen what a firewall chain listing looks like and what formatting options are available, we'll go through brief lists of INPUT, OUTPUT, and FORWARD rules. The sample rules are representative of some of the rules you'll most likely use yourself.

Checking the Input Rules

Your input rules are mostly ACCEPT rules when the default policy is DROP. Everything is denied, by default, and you explicitly define what will be accepted. Remember that packets arriving on the INPUT chain are targeted to the local host. The following example contains a representative sample of input acceptance rules:

 > iptables -v -L INPUT
 Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
 1      4   390 ACCEPT     all  --  lo     any     anywhere             anywhere
 2     59  2599 ACCEPT     all  --  any    any     anywhere             anywhere           state RELATED,ESTABLISHED
 3      0     0 DROP       all  --  !lo    any     choke.dmz.lan        anywhere
 4      0     0 DROP       all  --  !lo    any     router.private.lan   anywhere
 5      0     0 DROP       all  --  eth0   any     ! .private.lan       anywhere
 6      0     0 ACCEPT     udp  --  eth0   any     .private.lan         router.private.lan udp spt:1024:65535 dpt:domain state NEW
 7      0     0 REJECT     tcp  --  eth1   any     anywhere             choke.dmz.lan      tcp spts:1024:65535 dpt:auth state NEW
 8      0     0 ACCEPT     udp  --  eth0   any     jet.private.lan      255.255.255.255    udp spt:ntp dpt:ntp state NEW
 9      0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp flags:FIN,ACK/FIN,ACK
 10     0     0 LOG        all  --  any    any     anywhere             anywhere           LOG level warning

The default policy for incoming packets is DROP. Denied packets are simply dropped without any notification being returned to the source address. There are 10 rules on the chain:

  • Line 1 All packets arriving on the loopback interface are accepted.

  • Line 2 All incoming packets identified as part of a previously accepted connection or exchange, or a packet related to one, are accepted.

  • Line 3 Any packet arriving on any interface except the loopback interface that claims to be from this machine's external DMZ network interface is dropped.

  • Line 4 Any packet arriving on any interface except the loopback interface that claims to be from this machine's internal private LAN network interface is dropped.

  • Line 5 Any packet arriving on the internal private LAN interface that claims to be from a source address other than an address within the internal private LAN network is dropped.

  • Line 6 UDP DNS client requests from hosts in the private LAN are accepted.

  • Line 7 All incoming TCP packets destined for the local identd server at AUTH service port 113 are rejected. An ICMP error notification Type 3, Service Unavailable, will be returned to the source address.

  • Line 8 Limited broadcasts from the local printer to the UDP ntp time server port 123 are accepted.

  • Line 9 FIN/ACK packets from anywhere are accepted.

  • Line 10 All other incoming packets are logged before being dropped by the default policy.

Checking the Output Rules

Your output rules are mostly ACCEPT rules when the default policy is DROP. Everything is blocked, by default. You explicitly define what will be accepted. The following example contains a representative sample of output acceptance rules:

 > iptables -L OUTPUT
 Chain OUTPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
 1     34  3558 ACCEPT     all  --  any    lo      anywhere             anywhere
 2     92 12721 ACCEPT     all  --  any    any     anywhere             anywhere           state RELATED,ESTABLISHED
 3      1    82 ACCEPT     udp  --  any    eth1    choke.dmz.lan        nameserver.dmz.lan udp spt:domain dpt:domain state NEW
 4      0     0 ACCEPT     udp  --  any    eth1    choke.dmz.lan        nameserver.dmz.lan udp spts:1024:65535 dpt:domain state NEW
 5      0     0 ACCEPT     tcp  --  any    eth1    choke.dmz.lan        nameserver.dmz.lan tcp spts:1024:65535 dpt:domain state NEW
 6      2   120 ACCEPT     tcp  --  any    eth0    router.private.lan   .private.lan       multiport dports ssh,http,https,auth,ftp tcp spts:1024:65535 flags:SYN,RST,ACK/SYN state NEW
 7      0     0 ACCEPT     tcp  --  any    eth1    choke.dmz.lan        .dmz.lan           tcp spts:1024:65535 dpt:ssh state NEW
 8      0     0 ACCEPT     tcp  --  any    eth1    choke.dmz.lan        anywhere           multiport dports http,https,auth,ftp,nicname tcp spts:1024:65535 flags:SYN,RST,ACK/SYN state NEW
 9      0     0 ACCEPT     tcp  --  any    eth1    choke.dmz.lan        mail.dmz.lan       tcp spts:1024:65535 dpt:smtp state NEW
 10     0     0 ACCEPT     udp  --  any    eth1    choke.dmz.lan        timeserver.edu     udp spts:1024:65535 dpt:ntp state NEW
 11     0     0 ACCEPT     icmp --  any    eth1    choke.dmz.lan        anywhere           icmp fragmentation-needed
 12     0     0 ACCEPT     icmp --  any    eth0    router.private.lan   .private.lan       icmp echo-request
 13     0     0 ACCEPT     icmp --  any    eth0    router.private.lan   .private.lan       icmp echo-reply
 14     0     0 ACCEPT     icmp --  any    eth1    choke.dmz.lan        .dmz.lan           icmp echo-request
 15     0     0 ACCEPT     icmp --  any    eth1    choke.dmz.lan        firewall.dmz.lan   icmp echo-reply
 16     0     0 ACCEPT     tcp  --  any    eth0    router.private.lan   jet.private.lan    tcp dpt:printer state NEW
 17     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp flags:RST/RST
 18     0     0 LOG        all  --  any    any     anywhere             anywhere           LOG level warning

The default policy for the OUTPUT chain is DROP. Denied packets are simply dropped without any notification being returned to the local program. There are 18 rules on the chain:

  • Line 1 Any packet going out the loopback interface is allowed.

  • Line 2 Any packet that is recognized as being part of a previously ESTABLISHED connection or exchange, or a packet that is RELATED to one, is allowed.

  • Line 3 Local DNS requests that are forwarded to the local name server in the DMZ, server to server, are allowed.

  • Line 4 Local DNS client requests over UDP to the local name server in the DMZ are allowed.

  • Line 5 Local DNS client requests over TCP to the local name server in the DMZ are allowed.

  • Line 6 The local host, the LAN router, is allowed to establish connections to local SSH, HTTP, HTTPS, auth, and FTP servers in the private LAN.

  • Line 7 The local host, the choke firewall, is allowed to establish connections to local SSH servers in the DMZ.

  • Line 8 The local host, the choke firewall, is allowed to establish connections to SSH, HTTP, HTTPS, auth, and FTP servers anywhere.

  • Line 9 The local host, the choke firewall, is allowed to send mail to the mail gateway in the DMZ.

  • Line 10 The local host, the choke firewall, is allowed to send client ntp time requests to a specific remote server.

  • Line 11 The local host, the choke firewall, is allowed to send ICMP Type 3 fragmentation-needed messages anywhere as part of MTU size discovery.

  • Line 12 The local host, the LAN router, is allowed to send ICMP ping requests to hosts in the private LAN.

  • Line 13 The local host, the LAN router, is allowed to send ICMP ping responses to hosts in the private LAN.

  • Line 14 The local host, the choke firewall, is allowed to send ICMP ping requests to hosts in the DMZ.

  • Line 15 The local host, the choke firewall, is allowed to send ICMP ping responses to the public firewall between the DMZ and the Internet.

  • Line 16 The local host, the LAN router, is allowed to access the networked printer in the private LAN.

  • Line 17 The local host is allowed to send TCP RST messages anywhere.

  • Line 18 All other outgoing packets are logged before being dropped by the default policy.

Checking the Forwarding Rules

The forwarding rules apply to packets passing or being routed through the machine. Forwarded packets are inspected only by the rules defined for the FORWARD chain. These packets are not inspected against rules on the INPUT or OUTPUT chains. If the packet's destination address is something other than the address of the interface on which the packet arrived, the packet is inspected by the FORWARD chain. If the packet matches a FORWARD acceptance rule, the packet is sent out the appropriate interface, after being inspected by any rules defined for the POSTROUTING chains.

For the purposes of illustration, the firewall rule pair shown next forwards all TCP connections from the internal network. UDP traffic is not routed. Related ICMP traffic is routed:

 iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -p tcp \
          -s $INTERNAL_LAN_ADDRESSES -m state --state NEW -j ACCEPT

The following example contains a representative sample of forwarding rules. Like the INPUT and OUTPUT rules, the forwarding rules are mostly ACCEPT rules when the default policy is DROP. Everything is denied, by default, and you explicitly define what will be accepted:

 > iptables -v -L FORWARD
 Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
 1     67  6050 ACCEPT     all  --  any    any     anywhere             anywhere           state RELATED,ESTABLISHED
 2      0     0 ACCEPT     tcp  --  eth1   eth0    selected.remote.host host1.private.lan  tcp spts:1024:65535 dpt:ssh flags:SYN,RST,ACK/SYN state NEW
 3      0     0 ACCEPT     tcp  --  eth0   eth1    .private.lan         mailserver.dmz.lan multiport dports smtp,pop3 tcp spts:1024:65535 flags:SYN,RST,ACK/SYN state NEW
 4      1    60 ACCEPT     tcp  --  eth0   eth1    .private.lan         web-proxy.dmz.lan  multiport dports http,https tcp spts:1024:65535 flags:SYN,RST,ACK/SYN state NEW
 5      1    60 ACCEPT     tcp  --  eth0   eth1    .private.lan         anywhere           tcp spts:1024:65535 dpts:ssh flags:SYN,RST,ACK/SYN state NEW
 6      0     0 ACCEPT     tcp  --  eth0   eth1    .private.lan         news-server.net    tcp spts:1024:65535 dpt:nntp flags:SYN,RST,ACK/SYN state NEW
 7      0     0 REJECT     tcp  --  eth1   any     anywhere             .private.lan       tcp spts:1024:65535 dpt:auth reject-with icmp-port-unreachable
 8      0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp fragmentation-needed
 9      2   168 ACCEPT     icmp --  eth0   eth1    .private.lan         anywhere           icmp echo-request
 10     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp flags:FIN,ACK/FIN,ACK
 11     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp flags:RST/RST
 12     0     0 LOG        all  --  any    any     anywhere             anywhere           LOG level warning

The default policy for the FORWARD chain is DROP. Denied packets are simply dropped without any notification being returned to either the local or the remote program. There are 12 rules on the chain:

  • Line 1 Any packet recognized as being part of a previously ESTABLISHED connection or exchange, or a packet that is RELATED to one, is allowed in either direction.

  • Line 2 Incoming SSH connections from a particular remote host to host1 in the private LAN are allowed.

  • Line 3 Outgoing client connections to the mail gateway and pop server in the DMZ are allowed.

  • Line 4 Outgoing client connections, both HTTP and HTTPS, are allowed to the web proxy in the DMZ.

  • Line 5 Outgoing client connections to remote SSH servers anywhere are allowed.

  • Line 6 Outgoing client connections to a specific remote news server are allowed.

  • Line 7 Incoming auth requests to local identd servers are rejected.

  • Line 8 ICMP Type 3 fragmentation-needed messages are allowed in both directions as part of MTU size discovery.

  • Line 9 Outgoing ping ICMP echo-requests are allowed to anywhere.

  • Line 10 FIN/ACK packets are accepted in either direction.

  • Line 11 TCP RST packets are accepted in either direction.

  • Line 12 All other packets in either direction are logged before being dropped by the default policy.

In this case, the -v option is generally helpful to see the incoming and outgoing network interface names. eth0 is the internal interface to the .private.lan network. eth1 is the external interface to the .dmz.lan network and the Internet beyond. Remember that FORWARD rules are necessary with or without NAT. Also remember that any NAT rules are defined in the nat table. These rules are defined in the default filter table.

TESTING AN INDIVIDUAL PACKET AGAINST THE FIREWALL RULES

The rule-checking command, the -C command in ipchains, is not yet implemented in iptables.
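Until a packet check is available in the tool itself, the first-match walk can be simulated against a chain listing. The added example below is not from the book: it parses `iptables -v -L --line-numbers` style output (a constructed subset of the INPUT chain above) into rule records, honours "!" negation, the ".private.lan" network naming used in the listings, port ranges and the state match, and walks the rules in order with LOG treated as non-terminating. It also reads the out column, so OUTPUT and FORWARD listings can be fed to it; multiport, flags and icmp matches are not handled, and the packet fields (in, out, prot, src, dst, spt, dpt, state) are this example's own convention.

```python
import re

LISTING = """Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination
1      4   390 ACCEPT     all  --  lo     any     anywhere             anywhere
2     59  2599 ACCEPT     all  --  any    any     anywhere             anywhere           state RELATED,ESTABLISHED
5      0     0 DROP       all  --  eth0   any     ! .private.lan       anywhere
6      0     0 ACCEPT     udp  --  eth0   any     .private.lan         router.private.lan udp spt:1024:65535 dpt:domain state NEW
7      0     0 REJECT     tcp  --  eth1   any     anywhere             choke.dmz.lan      tcp spts:1024:65535 dpt:auth state NEW
10     0     0 LOG        all  --  any    any     anywhere             anywhere           LOG level warning
"""  # constructed: a subset of the INPUT chain shown on this page, not live iptables output

def parse_chain(text):
    """Parse `iptables -v -L --line-numbers` style output into (default policy, rules)."""
    lines = text.strip().splitlines()
    policy = re.search(r"policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:
        toks = line.replace("! ", "!").split()      # "! .private.lan" prints as two tokens
        num, _, _, target, prot, _, iface, oface, src, dst, *extra = toks
        rule = {"num": int(num), "target": target, "prot": prot, "in": iface, "out": oface, "src": src, "dst": dst}
        for m in re.finditer(r"(state|spts?|dpts?)[: ]([\w,:]+)", " ".join(extra)):
            rule[m.group(1).replace("pts", "pt")] = m.group(2)   # spts/dpts -> spt/dpt
        rules.append(rule)
    return policy, rules

def _field(spec, value, same=str.__eq__):   # honours the iptables "!" negation
    return spec in ("any", "anywhere") or same(spec.lstrip("!"), value) != spec.startswith("!")
def _host(spec, host):                      # ".private.lan" names a whole network
    return host.endswith(spec) if spec.startswith(".") else host == spec
def _port(spec, port):                      # "1024:65535" is a range, otherwise a service name
    lo, _, hi = spec.partition(":")
    return int(lo) <= int(port) <= int(hi) if hi else str(port) == spec

def matches(rule, pkt):
    """True when every match field of the rule is satisfied by the packet."""
    if rule["prot"] not in ("all", pkt["prot"]):
        return False
    if not (_field(rule["in"], pkt.get("in", "")) and _field(rule["out"], pkt.get("out", ""))
            and _field(rule["src"], pkt["src"], _host) and _field(rule["dst"], pkt["dst"], _host)):
        return False
    if any(k in rule and not _port(rule[k], pkt[k]) for k in ("spt", "dpt")):
        return False
    return "state" not in rule or pkt["state"] in rule["state"].split(",")

def evaluate(policy, rules, pkt):   # first terminating match decides; LOG falls through
    for rule in rules:
        if matches(rule, pkt) and rule["target"] != "LOG":
            return rule["num"], rule["target"]
    return None, policy
```

A packet that reaches the end of the chain is reported with rule None and the chain's default policy, which is what the LOG rule on line 10 records before the DROP.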





Linux Firewalls
Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
ISBN: 1593271417
Year: 2005
Pages: 163
Authors: Michael Rash
