IPTables Setup: Case Studies

IPTables is a userspace package and kernel module for Linux that uses the netfilter hooks in the Linux kernel to provide packet filtering, network address translation and packet forwarding. IPTables is a powerful tool for turning an ordinary Linux system into a simple or fully functional firewall.

Network packets entering or leaving a Linux computer pass through several tables in the kernel. Each table holds zero or more rules, which match on the IP address or on other properties of the packet. Using these rules a packet can be ignored, accepted, rejected or redirected to another chain. Although the principle of this firewall system is simple, configuring it to fit a specific situation is often quite difficult. The case studies below show how particular problems can be solved by setting up IPTables.

Firewall and IPTables Basics

The program allows you to view and change the rules of the network filter built into the Linux kernel. The user can grant or deny access to certain network services, such as SSH or HTTP, and can allow or block certain addresses. To do this, the user defines a number of rules that are grouped into chains. By default, IPTables uses three chains:

  1. INPUT for incoming packets.
  2. FORWARD for forwarded packets.
  3. OUTPUT for outgoing packets.

The program is included by default in most major Linux distributions, including Debian, Ubuntu, CentOS and Fedora. In IPTables the rules form an ordered list. When a packet is processed, the list is read from top to bottom and the first rule that matches the packet is applied in full.


For example, take the following rule set:

  1. Allow all SSH connections.
  2. Reject all connections.
  3. Allow all HTTP connections.

When an SSH packet arrives, it is allowed because it matches rule No. 1. HTTP traffic is rejected: it matches both rule No. 2 and rule No. 3, but rule No. 2 comes first, so rule No. 3 is never reached.

Two filtering policies

When creating IPTables rule sets there are two approaches: explicit allow or explicit deny. The first approach uses a default deny policy. With this type of rule set the base policy prohibits everything, and the user must add rules that allow access.

Explicit allow with a default deny policy is safer, because only traffic that is explicitly allowed enters the system. The trade-off is that it requires a more complex set of rules, and if that set is wrong you can lock yourself out of the system.

Explicit deny uses a default allow policy. With this type of rule set the base policy allows everything, and additional rules are created that explicitly prohibit access. With this approach only traffic that has been specifically blocked is stopped. This means the system is more exposed if the user forgets to block a port that should be closed for security reasons. On the other hand, the user cannot lock himself out of the system by mistake.

Network Hardware Functionality

Most of the available firewall implementations are expressed as a series of rules. This makes it difficult for people to understand what the firewall does and how it decides in a particular situation, and it also makes it difficult to change the firewall settings without disrupting the system.

Without additional configuration, five chains are predefined in the kernel:

  1. PREROUTING is the first chain for incoming packets. From here packets go either to INPUT or to FORWARD.
  2. INPUT - chain for packets that must be delivered locally.
  3. FORWARD - chain used only on machines on which routing is enabled. Packets here are forwarded to another destination rather than to the local machine.
  4. OUTPUT - chain for packets generated by the local machine.
  5. POSTROUTING is the last chain for packets leaving the machine for remote delivery.

The IPTables configuration in this CentOS 7 case study focuses only on incoming traffic. It may also be necessary to filter outgoing traffic, for example to prevent certain applications from connecting to remote computers. Here, however, firewall rules are defined only for the INPUT chain and the FORWARD chain, and the OUTPUT chain is left untouched.

Firewall performance tuning

The Linux firewall consists of several tables of rules that are evaluated sequentially. The time required to check a packet grows in proportion to the number of rules. This can lead to performance problems on heavily loaded machines, where a large number of packets must be checked every second.

There are several ways to address firewall performance problems in the CentOS 7 IPTables configuration. First, arrange the rules so that those most likely to match are placed at the beginning of the tables. In addition, organize the tables by packet type, so that the packets you want to accept are accepted at an early stage.

Loading the configuration at boot

The IPTables Ubuntu Server configuration that should be loaded at startup is stored in the /etc/sysconfig directory. The iptables file there contains the list of firewall rules.

[Figure: the iptables configuration file loaded at boot]

[Figure: continued]

[Figure: next boot step]

The first block gives the names of the chains to be used together with the initial values of the packet and byte counters. With these settings, the counters are reset each time the firewall configuration is loaded. The default action for the three built-in chains INPUT, FORWARD and OUTPUT is set to ACCEPT. This means that a packet is accepted by each of these chains unless a rule in the chain decides otherwise.

The five user-defined chains have no default action. Therefore the firewall logic continues with the remaining rules when the rules within these chains give no definite answer on what to do with the packet. The next two blocks add four filtering rules to the INPUT and FORWARD chains. Each of them causes an unconditional jump to a user-defined chain. The order in which these commands are listed in the iptables file is important, because it is also the order in which the rules are processed in the kernel.

In a Linux IPTables configuration, every packet received or sent by the host passes through at least one table. A packet may be subject to several rules in each table until it reaches the end of the chain. The structure and purpose of these rules may vary, but they usually identify a packet coming from or going to a specific IP address or set of addresses, using a given protocol and network service. The following figure shows how the packet flow is checked by the IPTables subsystem.

[Figure: Packet flow checked by IPTables]

Adding and Removing Hostile Hosts

"Friends" (hosts sending useful packets) come and go, but "enemies" (hosts sending harmful packets) accumulate in the system. Many "enemies" are temporary: computers infected with malware, or servers with configuration flaws such as an open mail relay or web proxy. Once these problems are fixed, the "enemy" can become a "friend" again. In many deployments the IPTables NAT firewall configuration is very complex, and you must fully understand the firewall before making any changes to it.

To make this manageable, separate the "enemies" from the other rules in the firewall by keeping all rules associated with "enemies" in a separate chain. Two shell scripts can then add or remove rules for this chain.

[Figure: Rules for the chain]

These scripts first dump the current firewall rules and check whether the given IP address or IP range already matches an existing rule. If so, a warning is displayed. If no matching rule is found, the IP address or IP range is added to the list of "enemies". Checking the entire rule list for the new IP address provides basic protection against accidentally blocking one of the friendly addresses, because the script refuses to continue if it finds the IP address or range in the friends table.
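An added example, not the article's own scripts: a check-before-add routine for a separate ENEMIES chain. The chain names, the sample iptables-save dump and the addresses are constructed for the demonstration; in real use the dump would be the output of `iptables-save`.

```shell
#!/bin/sh
# The current rule set is passed in as text (the output of iptables-save)
# so the checks can run without root or a live kernel.

# rule_for_addr RULES ADDR : exit 0 if any rule in RULES already names ADDR
# as a source (-s ADDR, with or without a /mask), 1 otherwise.
rule_for_addr() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')      # literal dots in the regex
    printf '%s\n' "$1" | grep -qE -e "-s ${esc}(/[0-9]+)? "
}

# add_enemy RULES ADDR : print the command that adds ADDR to ENEMIES, or warn
# and fail if ADDR already appears anywhere (including the FRIENDS rules),
# so a friendly address is never silently dropped.
add_enemy() {
    if rule_for_addr "$1" "$2"; then
        echo "warning: a rule for $2 already exists; not adding" >&2
        return 1
    fi
    echo "iptables -A ENEMIES -s $2 -j DROP"
}

# remove_enemy RULES ADDR : print the command that removes ADDR from ENEMIES,
# or warn and fail if ADDR is not in that chain.
remove_enemy() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    if ! printf '%s\n' "$1" | grep -qE -e "^-A ENEMIES -s ${esc}(/[0-9]+)? "; then
        echo "warning: $2 is not in ENEMIES" >&2
        return 1
    fi
    echo "iptables -D ENEMIES -s $2 -j DROP"
}

# Constructed iptables-save dump used for the demonstration.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ENEMIES - [0:0]
:FRIENDS - [0:0]
-A INPUT -j ENEMIES
-A INPUT -j FRIENDS
-A FRIENDS -s 192.0.2.10/32 -j ACCEPT
-A ENEMIES -s 198.51.100.0/24 -j DROP
COMMIT'
# In use: add_enemy "$(iptables-save)" 203.0.113.7 | sh
```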

Creating a rule set for a core web server

Before you start writing IPTables rules on Debian, check that the package is installed and that the IPTables kernel module is loaded.

[Figure: Creating a rule set]

Once it is confirmed that the module is loaded and ready, you can start creating rules. There are two ways to do this: rules can be written to a file that is loaded when the service restarts, or entered live and then saved to a file that is loaded at reboot. The main options are:

  1. -A - append this rule to the chain. Valid chains are INPUT, FORWARD and OUTPUT; mostly INPUT is used, which affects only incoming traffic.
  2. -L - list the current filtering rules.
  3. -m conntrack - match on the state of the connection, used together with the --ctstate option.
  4. --ctstate - the list of connection states the rule should match.
  5. --dport - the destination port this rule applies to.
  6. -j - jump to the specified target. By default the Ubuntu IPTables configuration has four targets: ACCEPT - accept the packet and stop processing rules in this chain; REJECT - reject the packet and notify the sender; DROP - silently discard the packet and stop processing rules in this chain; LOG - log the packet and continue processing the remaining rules in this chain. LOG accepts the --log-prefix and --log-level options.
  7. --log-prefix - when logging, put this text before the log message. Use double quotes around the text.
  8. --log-level - log at the specified syslog level.
  9. -i - match only if the packet enters through the specified interface.

Setting firewall rules

Firewall configurations (especially for those new to Linux) may seem complicated and hard to understand. Once the user understands the basic commands, he will be able to write his own script instead of relying on ready-made ones that do not always fit his needs. Experts recommend always checking the rules three times before applying them. First, edit the /etc/network/iptables file to set the firewall rules:

sudo nano /etc/network/iptables

Next, add the following lines to the file:

[Figure: Setting firewall rules]

Then save the file with [Ctrl]+[X], Y, [Enter], and load the rules into IPTables:

sudo iptables-restore /etc/network/iptables

Be sure to check that the rules are active by typing:

sudo iptables-save

DNS resolution

The web server rule set builds on the default policy and the SSH rules, adding rules for the other services that must be reachable. The first rule added accepts all traffic destined for port 80 and port 443, i.e. web traffic.

[Figure: DNS resolution]

DNS traffic is not as complex as FTP, but it mostly uses UDP rather than TCP. To allow DNS traffic on CentOS, two IPTables commands are needed, opening the port for TCP and for UDP.

If the user notices a lot of bogus DNS traffic, it needs to be blocked.

The easiest way is to use the IPTables string match to block packets containing a specific string. The problem with this approach is that DNS packets do not contain the domain name as a plain string. Instead, each label is preceded by a byte holding its length: X domain Y TLD, where X is the number of bytes in the domain part and Y is the number of bytes in the TLD part.

[Figure: iptables rule to block packets]
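As an added example (not from the article), the following encodes a domain name the way it appears on the wire, in the "X domain Y TLD" form described above, and builds the corresponding string-match rule. The port and the chain are assumptions.

```shell
#!/bin/sh
# dns_hex NAME : print the --hex-string pattern for NAME as carried in a DNS
# packet: every label is preceded by one byte holding its length, so
# example.com becomes |07|example|03|com|
dns_hex() {
    pattern=""
    oldifs=$IFS
    IFS=.
    for label in $1; do
        [ -n "$label" ] || continue          # ignore a trailing dot
        len=${#label}
        pattern="${pattern}|$(printf '%02x' "$len")|${label}"
    done
    IFS=$oldifs
    printf '%s|\n' "$pattern"
}

# dns_block_rule NAME : print the iptables command that drops incoming UDP
# DNS packets carrying NAME. Append |00| to the pattern to match only the
# exact name (the root label) and not its subdomains.
dns_block_rule() {
    printf 'iptables -A INPUT -p udp --dport 53 -m string --algo bm --hex-string "%s" -j DROP\n' \
        "$(dns_hex "$1")"
}
```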

IP Blocking

Sometimes the Internet is not as friendly as we would like, and the user may need to block a specific IP address or a range of IP addresses.

[Figure: IP range]

The rule above is a bit more complicated than the others, because there is already another rule that accepts all traffic on port 80. Its purpose is to block all traffic from the IP range 192.168.123.0/24. For the block to take effect, the rule has to be placed at a specific position in the rule set.

In IPTables the first rule that matches a packet is the one applied. For the block to work, the rule must come before the port 80 rule, otherwise hosts in the range will still be able to connect to port 80. The number 3 after INPUT tells iptables to insert the rule at position 3 in the chain. Since no protocol is specified, this rule blocks all protocols from the specified IP range.
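As an added example (not the article's own file), the following script generates an iptables-restore file that ties the pieces above together: the explicit-allow policy, the conntrack, SSH, HTTP/HTTPS and DNS rules, logging, and the blocked range 192.168.123.0/24 placed before the port-80 ACCEPT. Port numbers and the log rate limit are assumptions; the file is loaded with iptables-restore as in the comments.

```shell
#!/bin/sh
BLOCKED_RANGE=192.168.123.0/24

# webserver_rules : print a complete rule set in iptables-restore format.
# Usage: webserver_rules > /etc/network/iptables
#        iptables-restore < /etc/network/iptables
webserver_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the blocked range must come BEFORE the port-80 ACCEPT: first match wins
-A INPUT -s $BLOCKED_RANGE -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# DNS needs both TCP and UDP
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
# log what is about to be dropped (rate limited), then the DROP policy applies
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: " --log-level 4
COMMIT
EOF
}

# drop_before_accept RULES : exit 0 when the DROP for BLOCKED_RANGE precedes
# the port-80 ACCEPT, i.e. when the ordering the article insists on holds.
drop_before_accept() {
    printf '%s\n' "$1" | awk -v r="$BLOCKED_RANGE" '
        $0 ~ ("-s " r " -j DROP") && !d { d = NR }
        /--dport 80 / && !a { a = NR }
        END { exit !(d && a && d < a) }'
}
```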

Saving and reloading rules

Every Linux distribution has a way to save IPTables rules and restore them after a reboot. On Red Hat distributions, the current live IPTables rules can be saved using the init script, which writes them to the /etc/sysconfig/iptables file. That file is later read by the init script during a server reboot, or when the service is simply restarted through the init script.

Saving active rules: # /etc/init.d/iptables save

To load the ip_conntrack_ftp module, edit the /etc/sysconfig/iptables-config file, which the init script uses to load any associated modules:

# vi /etc/sysconfig/iptables-config

Management commands

The iptables and ip6tables commands provide a way to insert, delete and manage rules. The workflow, however, is not very convenient: first list the existing rules, then work out where the new rule should go, and then write the command that inserts it there.

Fortunately, the package comes with two commands, iptables-save and iptables-restore, which dump the rules of all chains and tables to standard output. The output can be redirected to a file: iptables-save > iptables.rules. This file is then edited in a text editor, and when everything is ready the rules are applied with iptables-restore < iptables.rules.

Unfortunately, IPTables rules are not persistent: they are lost when the system reboots. On distributions such as RHEL and CentOS there is a package called "iptables-services" that can be installed with: sudo yum install iptables-services.

Internally, such packages simply run iptables-save and iptables-restore to save the configuration to a file and load it again. If a distribution does not provide such a package, you can write a service file that does the same.

Protecting Asterisk with IP Tables

AsteriskNOW is a complete CentOS distribution with Asterisk and FreePBX installed. The main task is to keep "bad packets" away from the Asterisk server while giving access to legitimate users. First make sure that strong passwords are set for root and for all Asterisk extensions, that CentOS, Asterisk and the FreePBX modules are updated, and that a PIN code is used for certain routes. This approach is used on Asterisk servers that use the SIP protocol.

Procedure:

  1. Obtain a DNS host name from a dynamic DNS provider, for example YOUR_HOSTNAME.no-ip.com.
  2. After setting up the Asterisk server, tell all its users to use the chosen host name. Do not allow them to use the server's IP address directly.
  3. Add the following to the IPTables rules:
[Figure: Asterisk protection]

The IPTables configuration securing the Asterisk server is built with custom chains, starting from a simple secure configuration, then extending it to several users and dealing with the problem of dynamic IP addresses. This ensures that anyone not associated with the user's system cannot even see the server.

As the default policy, any INPUT that matches none of the rules is dropped. FORWARD is always dropped, because the machine is not used as a router. OUTPUT is always accepted, allowing the server to make any outgoing connections.

Source: https://habr.com/ru/post/K434/
