Browse Source

iptables

master
test2 5 years ago
parent
commit
d9084a5089
  1. 176
      sec/ex-3_iptables.adoc
  2. BIN
      sec/tables_traverse.jpg

176
sec/ex-3_iptables.adoc

@ -78,19 +78,56 @@ https://firewalld.org[firewalld]
==== Graphical ==== Graphical
* {{App|Firewall Builder|GUI firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers extended access lists. The program runs on Linux, FreeBSD, OpenBSD, Windows and macOS and can manage both local and remote firewalls.|http://fwbuilder.sourceforge.net/|{{Pkg|fwbuilder}}}} - Firewall Builder
* {{App|[[Wikipedia:firewalld|firewalld]] (firewall-config)|Daemon and graphical interface for configuring network and firewall zones as well as setting up and configuring firewall rules.|https://firewalld.org/|{{Pkg|firewalld}}}}
* {{App|[[Uncomplicated_Firewall#Gufw|Gufw]]|GTK-based front-end to {{Pkg|ufw}} which happens to be a CLI front-end to iptables (gufw->ufw->iptables), is super easy and super simple to use.|https://gufw.org/|{{Pkg|gufw}}}} firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers extended access lists. The program runs on Linux, FreeBSD, OpenBSD, Windows and macOS and can manage both local and remote firewalls.
* {{App|[[PeerGuardian Linux|PeerGuardian]] GUI (pglgui)|Privacy oriented firewall application. It blocks connections to and from hosts specified in huge block lists (thousands or millions of IP ranges).|https://sourceforge.net/projects/peerguardian/|{{AUR|pgl}}}}
* {{App|FireStarter|High-level GUI Iptables firewall for Linux systems|http://www.fs-security.com/|{{AUR|firestarter}}}} http://fwbuilder.sourceforge.net[fwbuilder]
- firewalld
(firewall-config) Daemon and graphical interface for configuring network and firewall zones as well as setting up and configuring firewall rules.
https://firewalld.org[firewalld]
- FireStarter
High-level GUI Iptables firewall for Linux systems
http://www.fs-security.com[firestarter]
== Basic concepts == Basic concepts
iptables is used to inspect, modify, forward, redirect, and/or drop IP packets. The code for filtering IP packets is already built into the kernel and is organized into a collection of ''tables'', each with a specific purpose. The tables are made up of a set of predefined ''chains'', and the chains contain rules which are traversed in order. Each rule consists of a predicate of potential matches and a corresponding action (called a ''target'') which is executed if the predicate is true; i.e. the conditions are matched. If the IP packet reaches the end of a built-in chain, including an empty chain, then the chain's ''policy'' target determines the final destination of the IP packet. iptables is the user utility which allows you to work with these chains/rules. Most new users find the complexities of linux IP routing quite daunting, but, in practice, the most common use cases (NAT and/or basic Internet firewall) are considerably less complex. iptables is used to inspect, modify, forward, redirect, and/or drop IP packets.
- The code for filtering IP packets is already built into the kernel and is organized into a collection of **tables**, each with a specific purpose.
- The tables are made up of a set of predefined **chains**, and the chains contain **rules** which are traversed in order.
- Each rule consists of a predicate of potential matches and a corresponding action (called a **target**) which is executed if the predicate is true; i.e. the conditions are matched.
- If the IP packet reaches the end of a built-in chain, including an empty chain, then the chain's **policy** target determines the final destination of the IP packet.
The key to understanding how iptables works is [https://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg this chart]. The lowercase word on top is the table and the upper case word below is the chain. Every IP packet that comes in ''on any network interface'' passes through this flow chart from top to bottom. A common source of confusion is that packets entering from, say, an internal interface are handled differently than packets from an Internet-facing interface. All interfaces are handled the same way; it's up to you to define rules that treat them differently. Of course some packets are intended for local processes, hence come in from the top of the chart and stop at <Local Process>, while other packets are generated by local processes; hence start at <Local Process> and proceed downward through the flowchart. A detailed explanation of how this flow chart works can be found [https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES here]. iptables is the user utility which allows you to work with these chains/rules.
In the vast majority of use cases you won't need to use the '''raw''', '''mangle''', or '''security''' tables at all. Consequently, the following chart depicts a simplified network packet flow through ''iptables'':
.Understanding how iptables works
[NOTE]
====
The key to understanding how iptables works is http://docs.swarmlab.io/lab/sec/tables_traverse.jpg[this chart].
The lowercase word on top is the table and the upper case word below is the chain.
- Every IP packet that comes in **on any network interface** passes through this flow chart from top to bottom.
A common source of confusion is that packets entering from, say, an internal interface are handled differently than packets from an Internet-facing interface.
All interfaces are handled the same way; it's up to you to define rules that treat them differently.
Of course some packets are intended for local processes, hence come in from the top of the chart and stop at <Local Process>, while other packets are generated by local processes; hence start at <Local Process> and proceed downward through the flowchart.
A detailed explanation can be found [https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES here].
====
In the vast majority of use cases you won't need to use the **raw**, **mangle**, or **security** tables at all.
Consequently, the following chart depicts a simplified network packet flow through **iptables**:
[source,bash] [source,bash]
---- ----
@ -135,37 +172,128 @@ Routing decision |
iptables contains five tables: iptables contains five tables:
# {{ic|raw}} is used only for configuring packets so that they are exempt from connection tracking. .Chains
# {{ic|filter}} is the default table, and is where all the actions typically associated with a firewall take place. [NOTE]
# {{ic|nat}} is used for [[Wikipedia:Network address translation|network address translation]] (e.g. port forwarding). ====
# {{ic|mangle}} is used for specialized packet alterations. Tables consist of **chains**, which are lists of rules which are followed in order.
# {{ic|security}} is used for [[Mandatory Access Control]] networking rules (e.g. SELinux -- see [http://lwn.net/Articles/267140/ this article] for more details). ====
==== Filter
This is the default table. Its built-in chains are:
[source,bash]
----
Input: packets going to local sockets
Forward: packets routed through the server
Output: locally generated packets
----
==== Nat
In most common use cases you will only use two of these: '''filter''' and '''nat'''. The other tables are aimed at complex configurations involving multiple routers and routing decisions and are in any case beyond the scope of these introductory remarks. When a packet creates a new connection, this table is used. Its built-in chains are:
=== Chains [source,bash]
----
Prerouting: designating packets when they come in
Output: locally generated packets before routing takes place
Postrouting: altering packets on the way out
----
Tables consist of ''chains'', which are lists of rules which are followed in order. The default table, {{ic|filter}}, contains three built-in chains: {{ic|INPUT}}, {{ic|OUTPUT}} and {{ic|FORWARD}} which are activated at different points of the packet filtering process, as illustrated in the [http://www.frozentux.net/iptables-tutorial/chunkyhtml/images/tables_traverse.jpg flow chart]. The nat table includes {{ic|PREROUTING}}, {{ic|POSTROUTING}}, and {{ic|OUTPUT}} chains. ==== Mangle
See {{man|8|iptables}} for a description of built-in chains in other tables. Used for special altering of packets. Its chains are:
By default, none of the chains contain any rules. It is up to you to append rules to the chains that you want to use. Chains ''do'' have a default policy, which is generally set to {{ic|ACCEPT}}, but can be reset to {{ic|DROP}}, if you want to be sure that nothing slips through your ruleset. The default policy always applies at the end of a chain only. Hence, the packet has to pass through all existing rules in the chain before the default policy is applied. [source,bash]
----
Prerouting: incoming packets
Postrouting: outgoing packets
Output: locally generated packets that are being altered
Input: packets coming directly into the server
Forward: packets being routed through the server
----
==== Raw
Primarily used for configuring exemptions from connection tracking. The built-in chains are
[source,bash]
----
Prerouting: packets that arrive by the network interface
Output: processes that are locally generated
----
==== Security
Used for Mandatory Access Control (MAC) rules. After the filter table, the security table is accessed next. The built-in chains are:
[source,bash]
----
Input: packets entering the server
Output: locally generated packets
Forward: packets passing through the server
----
[NOTE]
====
In most common use cases you will only use two of these: **filter** and **nat**.
====
User-defined chains can be added to make rulesets more efficient or more easily modifiable. See [[Simple stateful firewall]] for an example of how user-defined chains are used.
=== Rules === Rules
Packet filtering is based on ''rules'', which are specified by multiple ''matches'' (conditions the packet must satisfy so that the rule can be applied), and one ''target'' (action taken when the packet matches all conditions). The typical things a rule might match on are what interface the packet came in on (e.g eth0 or eth1), what type of packet it is (ICMP, TCP, or UDP), or the destination port of the packet. Packet filtering is based on **rules**, which are specified by multiple **matches** (conditions the packet must satisfy so that the rule can be applied), and one **target** (action taken when the packet matches all conditions).
Targets are specified using the {{ic|-j}} or {{ic|--jump}} option. Targets can be either user-defined chains (i.e. if these conditions are matched, jump to the following user-defined chain and continue processing there), one of the special built-in targets, or a target extension. Built-in targets are {{ic|ACCEPT}}, {{ic|DROP}}, {{ic|QUEUE}} and {{ic|RETURN}}, target extensions are, for example, {{ic|REJECT}} and {{ic|LOG}}. If the target is a built-in target, the fate of the packet is decided immediately and processing of the packet in current table is stopped. If the target is a user-defined chain and the fate of the packet is not decided by this second chain, it will be filtered against the remaining rules of the original chain. Target extensions can be either ''terminating'' (as built-in targets) or ''non-terminating'' (as user-defined chains), see {{man|8|iptables-extensions}} for details. The typical things a rule might match on are
- what interface the packet came in on (e.g eth0 or eth1),
- what type of packet it is (ICMP, TCP, or UDP),
- or the destination port of the packet.
Targets are specified using the **-j** or **--jump** option.
Targets can be either
- user-defined chains (i.e. if these conditions are matched, jump to the following user-defined chain and continue processing there), one of the special built-in targets,
- or a target extension.
[NOTE]
====
- Built-in targets are **ACCEPT**, **DROP**, **QUEUE** and **RETURN**
- target extensions are, for example, **REJECT** and **LOG**.
====
- If the target is a built-in target, the fate of the packet is decided immediately and processing of the packet in current table is stopped.
- If the target is a user-defined chain and the fate of the packet is not decided by this second chain, it will be filtered against the remaining rules of the original chain.
Target extensions can be either **terminating** (as built-in targets) or **non-terminating** (as user-defined chains)
=== Traversing Chains === Traversing Chains
A network packet received on any interface traverses the traffic control chains of tables in the order shown in the [http://www.frozentux.net/iptables-tutorial/chunkyhtml/images/tables_traverse.jpg flow chart]. The first routing decision involves deciding if the final destination of the packet is the local machine (in which case the packet traverses through the {{ic|INPUT}} chains) or elsewhere (in which case the packet traverses through the {{ic|FORWARD}} chains). Subsequent routing decisions involve deciding what interface to assign to an outgoing packet. At each chain in the path, every rule in that chain is evaluated in order and whenever a rule matches, the corresponding target/jump action is executed. The 3 most commonly used targets are {{ic|ACCEPT}}, {{ic|DROP}}, and jump to a user-defined chain. While built-in chains can have default policies, user-defined chains can not. If every rule in a chain that you jumped fails to provide a complete match, the packet is dropped back into the calling chain as illustrated [http://www.frozentux.net/iptables-tutorial/images/table_subtraverse.jpg here]. If at any time a complete match is achieved for a rule with a {{ic|DROP}} target, the packet is dropped and no further processing is done. If a packet is {{ic|ACCEPT}}ed within a chain, it will be {{ic|ACCEPT}}ed in all superset chains also and it will not traverse any of the superset chains any further. However, be aware that the packet will continue to traverse all other chains in other tables in the normal fashion. A network packet received on any interface traverses the traffic control chains of tables in the order shown in the http://docs.swarmlab.io/lab/sec/tables_traverse.jpg[this chart]
- The first routing decision involves deciding if the final destination of the packet is the local machine (in which case the packet traverses through the **INPUT chains**
- or elsewhere (in which case the packet traverses through the **FORWARD}} chains**.
- Subsequent routing decisions involve deciding what interface to assign to an outgoing packet.
At each chain in the path, every rule in that chain is evaluated in order and whenever a rule matches, the corresponding target/jump action is executed.
The 3 most commonly used targets are **ACCEPT**, **DROP**, and jump to a user-defined chain.
[NOTE]
====
While built-in chains can have default policies, user-defined chains can not.
====
=== Modules - If every rule in a chain that you jumped fails to provide a complete match, the packet is dropped back into the calling chain as illustrated
[http://www.frozentux.net/iptables-tutorial/images/table_subtraverse.jpg here].
- If at any time a complete match is achieved for a rule with a **DROP** target, the packet is dropped and no further processing is done.
- If a packet is **ACCEPT**ed within a chain, it will be **ACCEPT**ed in all superset chains also and it will not traverse any of the superset chains any further.
There are many modules which can be used to extend iptables such as connlimit, conntrack, limit and recent. These modules add extra functionality to allow complex filtering rules. However, be aware that the packet will continue to traverse all other chains in other tables in the normal fashion.

BIN
sec/tables_traverse.jpg

Binary file not shown.

After

Width:  |  Height:  |  Size: 169 KiB

Loading…
Cancel
Save