Iptables

From Gentoo Wiki
Jump to: navigation, search
External resources

iptables[1] is a program used to configure and manage the kernels netfilter modules.

Installation

Prerequisites

First off, you will need to configure your kernel with netfilter support. If you want to be able to add rules based on IP filtering like black listing IP addresses based on a live feed [1], do not forget to add IPSet support to your kernel and merge net-firewall/ipset package.

Kernel

Kernel for Client

For client computers some basic options need to be activated in the kernel. This configuration does not provide network address translation or any other high sophisticated features. In "Network packet filtering framework" only the tables "filter" are needed with connection tracking support and with REJECT target support.

Kernel configuration

[*] Networking support  --->
    Networking options  --->
        ...
        [*] TCP/IP networking
        [ ]   IP: multicasting
        [ ]   IP: advanced router
        [ ]   IP: kernel level autoconfiguration
        < >   IP: tunneling
        < >   IP: GRE demultiplexer
        [ ]   IP: TCP syncookie support
        < >   Virtual (secure) IP: tunneling
        < >   IP: AH transformation
        < >   IP: ESP transformation
        < >   IP: IPComp transformation
        <*>   IP: IPsec transport mode
        <*>   IP: IPsec tunnel mode
        < >   IP: IPsec BEET mode
        < >   Large Receive Offload (ipv4/tcp)
        <*>   INET: socket monitoring interface
        < >     UDP: socket monitoring interface
        [ ]   TCP: advanced congestion control  ----
        [ ]   TCP: MD5 Signature Option support (RFC2385)
        <*>   The IPv6 protocol  --->
        [ ] Security Marking
        [ ] Timestamping in PHY devices
        [*] Network packet filtering framework (Netfilter)  --->
            --- Network packet filtering framework (Netfilter)
            [ ]   Network packet filtering debugging
            [ ]   Advanced netfilter configuration
                  Core Netfilter Configuration  --->
                      <M> Netfilter LOG over NFNETLINK interface
                      <*> Netfilter connection tracking support
                      [ ]   Supply CT list in procfs (OBSOLETE)
                      < >   FTP protocol support
                      < >   IRC protocol support
                      < >   NetBIOS name service protocol support
                      < >   SIP protocol support
                      < >   Connection tracking netlink interface
                      < > Netfilter nf_tables support
                      -*- Netfilter Xtables support (required for ip_tables)
                            *** Xtables combined modules ***
                      < >   nfmark target and match support
                            *** Xtables targets ***
                      < >   LOG target support
                      < >   "NFLOG" target support
                      < >   "TCPMSS" target support
                            *** Xtables matches ***
                      <*>   "conntrack" connection tracking match support
                      < >   IPsec "policy" match support
                      < >   "state" match support
            < >   IP set support  ----
            < >   IP virtual server support  ----
                  IP: Netfilter Configuration  --->
                      <*> IPv4 connection tracking support (required for NAT)
                      <*> IP tables support (required for filtering/masq/NAT)
                      <*>   Packet filtering
                      <*>     REJECT target support
                      < >   ULOG target support (obsolete)
                      < >   IPv4 NAT
                      < >   Packet mangling
                      < >   raw table support (required for NOTRACK/TRACE)
                  IPv6: Netfilter Configuration  --->
                      <*> IPv6 connection tracking support
                      <*> IP6 tables support (required for filtering)
                      < >   "ipv6header" IPv6 Extension Headers Match
                      <*>   Packet filtering
                      <*>     REJECT target support
                      < >   Packet mangling
                      < >   raw table support (required for TRACE)


Kernel for Router

You need to activate the following kernel options:

Kernel configuration

[*] Networking support  --->
    Networking options  --->
        [*] TCP/IP networking
        [*]   IP: multicasting
        [*]   IP: advanced router
        ...
        [*]   IP: ARP daemon support
        [*]   IP: TCP syncookie support
        <M>   IP: AH transformation
        <M>   IP: ESP transformation
        <M>   IP: IPComp transformation
        <M>   IP: IPsec transport mode
        <M>   IP: IPsec tunnel mode
        <M>   IP: IPsec BEET mode
        <*>   Large Receive Offload (ipv4/tcp)
        <*>   INET: socket monitoring interface
        <M>     UDP: socket monitoring interface
        [ ]   TCP: advanced congestion control  --->
        ...
        <M>   The IPv6 protocol  --->
        ...
        [*] Network packet filtering framework (Netfilter)  --->
            [*]   Advanced netfilter configuration
            Core Netfilter Configuration  --->
                <M>   "addrtype" address type match support
                <M>   "comment" match support
                <M>   "hl" hoplimit/TTL match support
                <M>   "limit" match support
                <M>   "multiport" Multiple port match support
                <M>   "recent" match support

One can setup IPv6 support category to <M> to be safe and enable almost all Netfilter sub category as the following. Or else, enable only what you need and leave the other modules unset. You certainly would want almost all IP virtual server support core components (scheduler are certainly optional), IP: Netfilter Configuration support, IPv6: Netfilter Configuration for IPv6 support, IP set support for IP filtering based on IP, MAC, ports and then pick up what you need in Core Netfilter Configuration with at least: Netfilter: NFQEUE, LOG; Connection tracking: flow, mark, events, netlink; Netfilter Xtables: NFQEUE, LOG, conn{bytes,mark,state}, state helper with Xtables match: conn{bytes,mark,state}... you get the idea.

Kernel configuration

[*] Networking support  --->
    Networking options  --->
        [*] Network packet filtering framework (Netfilter)  --->
            --- Network packet filtering framework (Netfilter)
            [ ]   Network packet filtering debugging
            [*]   Advanced netfilter configuration
            [*]     Bridged IP/ARP packets filtering
                    Core Netfilter Configuration  --->
            <M>   IP set support  --->
            <M>   IP virtual server support  --->
                  IP: Netfilter Configuration  --->
                  IPv6: Netfilter Configuration  --->
                  DECnet: Netfilter Configuration  --->
            <M>   Ethernet Bridge tables (ebtables) support  --->

Iptables

Install net-firewall/iptables:

→ Information about USE flags
USE flag Default Recommended Description
ipv6 Yes Adds support for IP version 6
netlink No Build against libnfnetlink which enables the nfnl_osf util
static-libs No No Build static libraries
root # emerge --ask iptables

Firewall

First Run

For some services such as sshguard & fail2ban you need a running firewall. We will save a blank firewall rule set and start the firewall.

ip v4

root # rc-service iptables save
root # rc-service iptables start

to start upon reboot

root # rc-update add iptables default

ip v6

root # rc-service ip6tables save
root # rc-service ip6tables start

to start upon reboot

root # rc-update add ip6tables default

General Rules

To create firewall rules, we are going to use ipt=$(type -p iptables) or ipt=$(type -p ip6tables). For IPv6 support to write down a few rules that will be loaded using "$ipt-restore" <"$rules". (rules file are usally saved to /var/lib/"${ipt##*/}"/rules-save so that whenever your machine is powered on, the rules set will be loaded automatically with /etc/init.d/"${ipt##*/}".

Lets begin with a little example:

root # "$ipt" -P INPUT DROP

If you're looking into the perfect firewall, the previous command will set up the policy for INPUT chain and will satisfy the more paranoid. However, the previous will drop every packet that will be sent to the local host. And usually nobody wants that to be a default policy.

That example shows how we will be generating firewall rules.

Stateless firewall

Traditional firewall uses stateless firewall rules like:

root # "$ipt" -A INPUT --dport 80 -j ACCEPT

That simply opens a local port, to accept HTTP requests (`--dport' switch means destination port, and HTTP servers listen on port 80).

Stateful firewall

In a stateful firewall approach, the previous example will be handled like:

root #
"$ipt" -P INPUT                                                                                       DROP
"$ipt" -A INPUT -i eth0 -p tcp --dport 80 --syn -m conntrack --ctstate --state NEW                 -j ACCEPT
"$ipt" -A INPUT                                 -m conntrack --ctstate --state ESTABLISHED,RELATED -j ACCEPT

First, we will drop everything like a hot potato, then accept only incoming traffic depending on the state of the state of the packets (stated NEW here), and then establish the connection. Even better, we could place the last line before the second to avoid going into complicated filtering chain for already related and established connections.

This is how a stateful firewall operates to avoid opening unneeded holes and accept in/outbound packets based on the state of the packets.

Generating firewall rules

Generating firewall rules for client

A script as simple as shown here should be sufficient for most client computers. Store it in a save place. You only need it for setting up or for changing the firewall rules. Absolutely no need to run it on boot or shutdown.

#!/bin/bash

iptables -F
iptables -X
iptables -Z

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset

ip6tables -F
ip6tables -X
ip6tables -Z

ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 11 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 12 -j ACCEPT
ip6tables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset

An example of a higher sophisticated rule set with logging is shown in the forum discussion.[2]

Generating firewall rules for server

This section will try to build up a script that will generate a set of rules with internal and external interfaces.

IconClipboardTask.png This article has some todo items:
  • finish this section: generating firewall rules with scripts




Show firewall Rules & Status

ip v4

root # iptables -L -n

ip v6

root # ip6tables -L -n

References