= Iptables !
Apostolos rootApostolos@swarmlab.io
// Metadata:
:description: Intro and Install
:keywords: sec, tcpdump
:data-uri:
:toc: right
:toc-title: Πίνακας περιεχομένων
:toclevels: 4
:source-highlighter: highlight
:icons: font
:sectnums:
include::header.adoc[]
{empty} +
[[cheat-Docker]]
== Install swarmlab-sec (Home PC)
HowTo: See http://docs.swarmlab.io/lab/sec/sec.adoc.html
.NOTE
[NOTE]
====
Assuming you're already logged in
====
== iptables
**iptables** is a command line utility for configuring the Linux kernel **firewall** implemented within the https://en.wikipedia.org/wiki/Netfilter[Netfilter] project. The term `iptables` is also commonly used to refer to this kernel-level firewall. It can be configured directly with iptables, or by using one of the many

- Console tools, or
- Graphical front-ends.

https://en.wikipedia.org/wiki/Iptables[More: wikipedia]

**iptables** is used for https://en.wikipedia.org/wiki/IPv4[IPv4] and `ip6tables` is used for https://en.wikipedia.org/wiki/IPv6[IPv6]. Both `iptables` and `ip6tables` have the same syntax, but some options are specific to either IPv4 or IPv6.

=== Installation
The Swarmlab.io kernel is compiled with iptables support.
=== Front-ends
==== Console
- Shorewall
High-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files.
http://www.shorewall.net/[shorewall]
- Arno's iptables firewall
Secure firewall for both single and multi-homed machines. Very easy to configure, handy to manage and highly customizable. Supports: NAT and SNAT, port forwarding, ADSL ethernet modems with both static and dynamically assigned IPs, MAC address filtering, stealth port scan detection, DMZ and DMZ-2-LAN forwarding, protection against SYN/ICMP flooding, extensive user definable logging with rate limiting to prevent log flooding, all IP protocols and VPNs such as IPsec, plugin support to add extra features.
http://rocky.eld.leidenuniv.nl/[arno-iptables-firewall]
- FireHOL
A language to express firewalling rules, not just a script that produces some kind of a firewall. It makes building even sophisticated firewalls easy - the way you want it.
http://firehol.sourceforge.net
- firewalld (firewall-cmd)
Daemon and console interface for configuring network and firewall zones as well as setting up and configuring firewall rules.
https://firewalld.org[firewalld]

==== Graphical
- Firewall Builder
firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers extended access lists. The program runs on Linux, FreeBSD, OpenBSD, Windows and macOS and can manage both local and remote firewalls.
http://fwbuilder.sourceforge.net[fwbuilder]
- firewalld
(firewall-config) Daemon and graphical interface for configuring network and firewall zones as well as setting up and configuring firewall rules.
https://firewalld.org[firewalld]
- FireStarter
High-level GUI Iptables firewall for Linux systems
http://www.fs-security.com[firestarter]
== Basic concepts
iptables is used to inspect, modify, forward, redirect, and/or drop IP packets.
- The code for filtering IP packets is already built into the kernel and is organized into a collection of **tables**, each with a specific purpose.
- The tables are made up of a set of predefined **chains**, and the chains contain **rules** which are traversed in order.
- Each rule consists of a predicate of potential matches and a corresponding action (called a **target**) which is executed if the predicate is true; i.e. the conditions are matched.
- If the IP packet reaches the end of a built-in chain, including an empty chain, then the chain's **policy** target determines the final destination of the IP packet.

iptables is the user utility which allows you to work with these chains/rules.

.Understanding how iptables works
[NOTE]
====
The key to understanding how iptables works is http://docs.swarmlab.io/lab/sec/tables_traverse.jpg[this chart].

The lowercase word on top is the **table** and the upper case word below is the **chain**.

- Every IP packet that comes in **on any network interface** passes through this flow chart from top to bottom.

**All interfaces are handled the same way; it's up to you to define rules that treat them differently.**

Some packets

- are intended for local processes, hence come in from the top of the chart and stop at **Local Process**,
- while other packets are generated by local processes; hence start at **Local Process** and proceed downward through the flowchart.

A detailed explanation is available https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES[here].
====
In the vast majority of use cases you won't need to use the **raw**, **mangle**, or **security** tables at all.
Consequently, the following chart depicts a simplified network packet flow through **iptables**:
----
                              XXXXXXXXXXXXXXXXXX
                            XXX     Network    XXX
                              XXXXXXXXXXXXXXXXXX
                                       +
                                       |
                                       v
 +-------------+              +------------------+
 |table: filter| <---+        | table: nat       |
 |chain: INPUT |     |        | chain: PREROUTING|
 +-----+-------+     |        +--------+---------+
       |             |                 |
       v             |                 v
 [local process]     |           ****************          +--------------+
       |             +---------+ Routing decision +------> |table: filter |
       v                         ****************          |chain: FORWARD|
 ****************                                          +------+-------+
 Routing decision                                                 |
 ****************                                                 |
       |                                                          |
       v                         ****************                 |
 +-------------+       +------>  Routing decision <---------------+
 |table: nat   |       |         ****************
 |chain: OUTPUT|       |                 +
 +-----+-------+       |                 |
       |               |                 v
       v               |        +-------------------+
 +--------------+      |        | table: nat        |
 |table: filter | +----+        | chain: POSTROUTING|
 |chain: OUTPUT |               +--------+----------+
 +--------------+                        |
                                         v
                                XXXXXXXXXXXXXXXXXX
                              XXX     Network    XXX
                                XXXXXXXXXXXXXXXXXX
----
=== Table
iptables contains five tables:
.Chains
[NOTE]
====
Tables consist of **chains**, which are lists of rules which are followed in order.
====
==== Filter
This is the default table.
.Its built-in chains are:
[source,bash]
----
Input: packets going to local sockets
Forward: packets routed through the server
Output: locally generated packets
----
==== Nat
When a packet creates a new connection, this table is used.
.Its built-in chains are:
[source,bash]
----
Prerouting: designating packets when they come in
Output: locally generated packets before routing takes place
Postrouting: altering packets on the way out
----
==== Mangle
Used for special altering of packets.
.Its built-in chains are:
[source,bash]
----
Prerouting: incoming packets
Postrouting: outgoing packets
Output: locally generated packets that are being altered
Input: packets coming directly into the server
Forward: packets being routed through the server
----
==== Raw
Primarily used for configuring exemptions from connection tracking.
.Its built-in chains are:
[source,bash]
----
Prerouting: packets that arrive by the network interface
Output: processes that are locally generated
----
==== Security

Used for Mandatory Access Control (MAC) rules; it is consulted after the filter table.

.Its built-in chains are:
[source,bash]
----
Input: packets entering the server
Output: locally generated packets
Forward: packets passing through the server
----
[NOTE]
====
In most common use cases you will only use two of these: **filter** and **nat**.
====
=== Rules
Packet filtering is based on **rules**, which are specified by multiple **matches** (conditions the packet must satisfy so that the rule can be applied), and one **target** (action taken when the packet matches all conditions).
The typical things a rule might match on are

- what interface the packet came in on (e.g. eth0 or eth1),
- what type of packet it is (ICMP, TCP, or UDP),
- or the destination port of the packet.

Targets are specified using the **-j** or **--jump** option.
Targets can be either

- user-defined chains (i.e. if these conditions are matched, jump to the following user-defined chain and continue processing there),
- one of the special built-in targets,
- or a target extension.

[NOTE]
====
- Built-in targets are **ACCEPT**, **DROP**, **QUEUE** and **RETURN**.
- Target extensions are, for example, **REJECT** and **LOG**.
====

- If the target is a built-in target, the fate of the packet is decided immediately and processing of the packet in the current table is stopped.
- If the target is a user-defined chain and the fate of the packet is not decided by this second chain, it will be filtered against the remaining rules of the original chain.

Target extensions can be either **terminating** (like built-in targets) or **non-terminating** (like user-defined chains).
=== Traversing Chains

A network packet received on any interface traverses the traffic control chains of tables in the order shown in http://docs.swarmlab.io/lab/sec/tables_traverse.jpg[this chart].

- The first routing decision involves deciding if the final destination of the packet is the local machine (in which case the packet traverses through the **INPUT chains**)
- or elsewhere (in which case the packet traverses through the **FORWARD chains**).
- Subsequent routing decisions involve deciding what interface to assign to an outgoing packet.

At each chain in the path, every rule in that chain is evaluated in order and whenever a rule matches, the corresponding target/jump action is executed.

The 3 most commonly used targets are **ACCEPT**, **DROP**, and **jump** to a user-defined chain.
[NOTE]
====
While built-in chains can have default policies, user-defined chains can not.
====

- If every rule in a chain that you jumped to fails to provide a complete match, the packet is dropped back into the calling chain as illustrated http://docs.swarmlab.io/lab/sec/images/table_subtraverse.jpg[here].
- If at any time a complete match is achieved for a rule with a **DROP** target, the packet is dropped and no further processing is done.
- If a packet is **ACCEPT**ed within a chain, it will be **ACCEPT**ed in all superset chains also and it will not traverse any of the superset chains any further.
However, be aware that the packet will continue to traverse all other chains in other tables in the normal fashion.
== Use iptables
=== Showing the current rules
[source,bash]
----
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
----
If the output looks like the above, then there are no rules (i.e. nothing is blocked) in the default filter table.
=== Resetting rules
You can flush and reset iptables to default using these commands:
[source,bash]
----
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -t raw -F
# iptables -t raw -X
# iptables -t security -F
# iptables -t security -X
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
----
The -F command with no arguments flushes all the chains in its current table. Similarly, -X deletes all empty non-default chains in a table.
Individual chains may be flushed or deleted by following -F and -X with a [chain] argument.
=== Editing rules
Rules can be edited by

- appending (-A) a rule to a chain,
- inserting (-I) it at a specific position in the chain,
- replacing (-R) an existing rule,
- or deleting (-D) it.

The first three commands are exemplified in the following.
First of all, our computer is not a router (unless, of course, it is a router). We want to change the default policy on the FORWARD chain from ACCEPT to DROP.
[source,bash]
----
# iptables -P FORWARD DROP
----
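To make the chain-traversal rules from the "Traversing Chains" section and the -A/-I editing commands above concrete, here is a small added Python model of one table (written for this page; it is not the swarmlab project's code nor iptables itself). The packet fields and the interface names eth0/eth1 are assumed sample values.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
@dataclass
class Rule:
    match: Callable[[dict], bool]   # the rule's matches, as a predicate over packet fields
    target: str                     # ACCEPT, DROP, RETURN or the name of a user-defined chain

@dataclass
class Table:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    policy: Dict[str, str] = field(default_factory=dict)   # built-in chains only

    def new_chain(self, name: str, policy: Optional[str] = None) -> None:
        self.chains[name] = []
        if policy is not None:          # user-defined chains cannot have a policy
            self.policy[name] = policy

    def append(self, chain: str, rule: Rule) -> None:                 # iptables -A
        self.chains[chain].append(rule)

    def insert(self, chain: str, rule: Rule, pos: int = 1) -> None:   # iptables -I (1-based)
        self.chains[chain].insert(pos - 1, rule)

    def _walk(self, chain: str, pkt: dict) -> Optional[str]:
        """Evaluate rules in order; None means this chain did not decide the packet's fate."""
        for rule in self.chains[chain]:
            if not rule.match(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target              # terminating target: decided immediately
            if rule.target == "RETURN":
                return None                     # back to the calling chain
            decided = self._walk(rule.target, pkt)  # jump into a user-defined chain
            if decided is not None:
                return decided                  # ACCEPT/DROP in the sub-chain ends traversal
        return None                             # no complete match: fall back to the caller

    def verdict(self, chain: str, pkt: dict) -> str:
        """Fate of a packet entering a built-in chain; its policy applies if nothing matched."""
        return self._walk(chain, pkt) or self.policy[chain]

def ssh_from(iface: str) -> dict:
    return {"in": iface, "proto": "tcp", "dport": 22}   # constructed sample packet
def demo() -> tuple:
    t = Table()                       # constructed scenario with hypothetical interfaces eth0/eth1
    t.new_chain("INPUT", policy="DROP")
    t.new_chain("SSH")                # user-defined chain, so no policy
    t.append("INPUT", Rule(lambda p: p["proto"] == "tcp" and p["dport"] == 22, "SSH"))
    t.append("SSH", Rule(lambda p: p["in"] == "eth1", "ACCEPT"))
    return t.verdict("INPUT", ssh_from("eth1")), t.verdict("INPUT", ssh_from("eth0"))  # ('ACCEPT', 'DROP')
```

The eth0 packet is dropped not by any rule but by the INPUT policy: the SSH chain matches nothing, so the packet falls back into INPUT, which has no further rules.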
[appendix]
== How to use iptables
This exercise will show you how to isolate traffic in various ways—from IP, to port, to protocol, to application-layer traffic—to make sure you find exactly what you need as quickly as possible.
https://danielmiessler.com/study/tcpdump[Origin]
:hardbreaks:
{empty} +
{empty} +
{empty}
:!hardbreaks:
'''
.Reminder
[NOTE]
====
:hardbreaks:
Caminante, no hay camino,
se hace camino al andar.
Wanderer, there is no path,
the path is made by walking.
*Antonio Machado* Campos de Castilla
====