Internet Security – IP Tables Firewall configuration
Internet Security – IP Tables Firewall configuration
(Instructions)
1.0 RFC1918 filtering
1.1 RFC1918 filtering of packets with internal addresses as sources but coming through the
external interface.
In order to complete this requirement you need to know the reserved internal addresses that you
wish to block. This has to be obtained and the command can be a sequence of commands that
covers all the addresses one after the other. Use the following command replacing the ipaddr
with the IP address you need to block if coming through the external interface.
# iptables -A INPUT -s ipaddr –j DROP
ipaddr can be a single ip address or a range of ip addresses specified as (eg. 10.0.0.0/24 where 24
says which part of the ip address is significant1
.
1.2 RFC2827 filtering of packets from sources other than internal addresses flowing out of the
external interface or packets destined for internal addresses flowing out of the internal
interface.
For this process also the internal addresses need to be known. You may make an inversion rule
which will eliminate all addresses other than the internal addresses to be blocked if trying to flow
out of your subnet.
#iptables –A OUTPUT –s ! localhost –j DROP
#iptables –A OUTPUT –d localhost –j DROP
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
In the first of the commands, we say that any packet that comes to the firewall for OUTPUT that
has a source address which is not local address has to be dropped. Command 2 is any packet that
has the destination address as one of the local reserved addresses, then the packet needs to be
dropped and not carried forward2
.
1.3 Webserver access and State full filtering
We need to provide access to the web server only from the specified IP addresses 192.168.*.* .
Step 1: Let us eliminate access from all other addresses other than these.
#iptables –A INPUT –s ! 192.168.0.0/16 –d xxx.xxx.xxx.xxx --dport p –j DROP
Please replace the xxx.xxx.xxx.xxx with your webserver ip address and p with the port number
you have configured access in the webserver. Port address is normally 80 for http access and 443
for https. If you want to give access to both add one more --dport switch. The step 1 appends to
the list of rules. If the source of the packet is not one of 192.168.0.0 to 192.168.255.255 and if
the destination is your webserver, then do not allow the packet3
.
Step 2: We will use stateful filtering for reducing return traffic.
#iptables –A INPUT –m state --state ESTABLISHED, RELATED –j ACCEPT
This will make sure that all input to the firewall server comes from established or related
connections alone.
1.4 Allowing target machine to access external webservers
If the IP address of the target machine is xxx.xxx.xxx.xxx, then this would be the command that
you might have to give to get access to external webservers through iptables.
#iptables -A OUTPUT -s ! xxx.xxx.xxx.xxx -p tcp --dport www -j DROP
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
We have already given a stateful filter for return INPUT which has to be established, related to
get accepted by the firewall. If you have not given that you might have to append that rule as
well along with the ones already entered.
1.5 Access Firewall machine over SSH through internal machines only
#iptables –A INPUT –s ! localhost --dport 22 -j DROP
If it is not local host ip numbers and if the port number is 22 which is the number for SSH, then
the packet has to be dropped.
2.0 Port address translation
We need to implement a network address translation that would have any of the target machines
within the specified network trying to access the internet. Primarily a many-to-one NATing. This
would make sure that for all the machines within the protected network, the firewall would
reflect a single IP address. To have NAT to work properly, you need to have iptables_nat
module loaded along with the modprobe command4
. If you have not done it already, also enable
the IP forwarding by setting the /proc/sys/net/ipv4/ip_forward to 1 in lieu of the default value of
0.
This piece of code has been taken from http://www.siliconvalleyccie.com/linux-hn/iptablesintro.htm for NATing purposes.
#---------------------------------------------------------------
# Load the NAT module
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
#
# --------------------------------------------------------------
modprobe iptable_nat
#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#
# --------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------------
# Allow masquerading
# - Interface eth0 is the internet interface
# - Interface eth1 is the local network interface
#---------------------------------------------------------------
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 \
-j MASQUERADE
#---------------------------------------------------------------
# Prior to masquerading, the packets are routed via the filter
# table's FORWARD chain.
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
# Allowed outbound: New, established and related connections
# Allowed inbound : Established and related connections
#---------------------------------------------------------------
iptables -A FORWARD -t filter -o eth0 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state \
--state ESTABLISHED,RELATED -j ACCEPT
This would provide the required NATing; following this, you may conduct the required tests to
check out the results.
3.0 Static address translation for Webserver access within the protected network
Our target is to have the multiple accesses from external internet to access the webserver in our
protected network through the ip address of the firewall. In order to do this the following steps
need to be followed4
.
modprobe iptable_nat
#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------------
# NAT ALL traffic:
###########
# REMEMBER to create aliases for all the internet IP addresses below
###########
#
# TO server: FROM: FW server
# xxx.xxx.xxx.xxx Anywhere yyy.yyy.yyy.yyy (1:1 NAT - Inbound)
#
# PREROUTING:
# NATs destination IP addresses. Frequently used to NAT
# connections from the Internet to your home network
#
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
# PREROUTING statements for 1:1 NAT
# (Connections originating from the Internet)
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
iptables -t nat -A PREROUTING -d yyy.yyy.yyy.yyy -i eth0 \
-j DNAT --to-destination xxx.xxx.xxx.xxx
# POSTROUTING statements for 1:1 NAT
# (Connections originating from the home network servers)
iptables -t nat -A POSTROUTING -s xxx.xxx.xxx.xxx -o eth0 \
-j SNAT --to-source yyy.yyy.yyy.yyy
# Allow forwarding to each of the servers configured for 1:1 NAT
# (For connections originating from the Internet. Notice how you
# use the real IP addresses here)
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d xxx.xxx.xxx.xxx \
-m multiport --dport 80,443,22 \
-m state --state NEW -j ACCEPT
# Allow forwarding for all New and Established SNAT connections
# originating on the home network AND already established
# DNAT connections
iptables -A FORWARD -t filter -o eth0 -m state \
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
--state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow forwarding for all 1:1 NAT connections originating on
# the Internet that have already passed through the NEW forwarding
# statements above
iptables -A FORWARD -t filter -i eth0 -m state \
--state ESTABLISHED,RELATED -j ACCEPT
4.0 Static Address translation for FTP server access within the protected network
In addition to the webserver if you require a similar translation for FTP server in addition to the
existing webserver access, the same could be provided following this procedure.
modprobe iptable_nat
#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
#---------------------------------------------------------------
# NAT ALL traffic:
###########
# REMEMBER to create aliases for all the internet IP addresses below
###########
#
# TO FTP server: FROM: internet IP:
# xxx.xxx.xxx.xxx Anywhere yyy.yyy.yyy.yyy (1:1 NAT - Inbound)
#
# SNAT is used to NAT all other outbound connections initiated
# from the protected network to appear to come from
# IP address yyy.yyy.yyy.yyy
#
# POSTROUTING:
# NATs source IP addresses. Frequently used to NAT connections from
# your home network to the Internet
#
# PREROUTING:
# NATs destination IP addresses. Frequently used to NAT
# connections from the Internet to your home network
#
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
#---------------------------------------------------------------
# PREROUTING statements for 1:1 NAT for ftp
# (Connections originating from the Internet)
iptables -t nat -A PREROUTING -p ftp -d yyy.yyy.yyy.yyy -i eth0 \
-j DNAT --to-destination xxx.xxx.xxx.xxx
# POSTROUTING statements for 1:1 NAT
# (Connections originating from the home network servers)
iptables -t nat -A POSTROUTING -p ftp -s xxx.xxx.xxx.xxx -o eth0 \
-j SNAT --to-source yyy.yyy.yyy.yyy
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d yyy.yyy.yyy.yyy \
-m multiport --dport 80,443,22 \
-m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -o eth0 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
iptables -A FORWARD -t filter -i eth0 -m state \
--state ESTABLISHED,RELATED -j ACCEPT
4.1 Other minor rules
Here is the rule to deactivate the icmp reply echo.
# Allow pings, but reject the rest
$iptables -A INPUT -i eth0 -p icmp -j ACCEPT
$iptables -A INPUT -i eth0 -j REJECT
$iptables -A INPUT -p udp -i $INET_IFACE -j DROP
$iptables -A INPUT -p icmp -i $INET_IFACE -j DROP
These are for blocking bad udp and icmp packets.
Bibliography
1. Y.Rekhter, B.Moskovitz, D.Karrenberg, G.J.DeGroot & E.Lear, 1996, Address
Allocation for Private Internets, Network Working Group, available at
http://www.ietf.org/rfc/rfc1918.txt
2. P.Ferguson & D.Senie, 2000, Network Ingress Filtering: Defeating Denial of Service
Attacks which employ IP Source Address Spoofing, Network Working Group, available at
http://www.ietf.org/rfc/rfc2827.txt
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
3. Peter Harrison, Linux Firewalls Using iptables, Linux Home Networking, available at
http://www.siliconvalleyccie.com/linux-hn/iptables-intro.htm
4. Beret, 2004, iptables: Creating an open source firewall, Enterprise Linux Resource,
available at http://tips.linux.com/print.pl?sid=04/11/23/2022252
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
Internet Security – IP Tables Firewall configuration
(Report)
1.0 Network Address Translation
Every packet header comes with the source and destination address. On receiving this at the
firewall, this is routed to the destination IP address. Most of the local intranet has addresses
that are defined by RFC1918 rules for private networks. When we access from these local
nodes to an external internet IP, then the local address needs to be translated to an acceptable
internet IP address. Similarly when the packet comes from the external internet addresses, it
needs to be translated and distributed to the node that requested for the packet or to which the
packet is destined. This is called Network Address Translation or NAT.
2.0 Masquerading
Masquerading happens when the firewall computer ‘acts’ as the source IP address for all the
packets sent out from the network. This is also called as a Many to One NAT-ting. All
computers in the intranet reflect the same IP address of the firewall to the external internet.
When you configure iptables to DHCP, it takes the firewall’s ip address as the IP address to
be reflected in case of all OUTPUT NAT-ting.
Masquerade can be used as follows:
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 \
-j MASQUERADE
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
The reverse of the masquerade explanation given above should also be true. Once you
configure your firewall to masquerade, then all the machines inside should use the firewall’s
IP address as their gateway address.
3.0 NAT and FORWARD
Port forwarding is used when we require forwarding an INPUT packet to a specific web
server within our network. Destination ip need to be NAT-ted using the PREROUTING and
then using the FORWARD-ing chain to forward to the required web server’s internal IP
address.
A typical rule list is given below2
:
#---------------------------------------------------------------
# Load the NAT module
#---------------------------------------------------------------
modprobe iptable_nat
#---------------------------------------------------------------
# Get the IP address of the Internet interface eth0
#
# This is best when your firewall gets its IP address using DHCP.
# The external IP address could just be hard coded ("typed in
# normally")
#---------------------------------------------------------------
external_int="eth0"
external_ip="`ifconfig $external_int | grep 'inet addr' | \
awk '{print $2}' | sed -e 's/.*://'`"
#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
#---------------------------------------------------------------
# Allow port forwarding for traffic destined to port 80 of the
# firewall's IP address to be forwarded to port 8080 on server
# xxx.xxx.xxx.xxx
#
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip \
--dport 80 --sport 1024:65535 -j DNAT --to xxx.xxx.xxx.xxx:8080
#---------------------------------------------------------------
# After DNAT, the packets are routed via the filter table's
# FORWARD chain.
# Connections on port 80 to the target machine on the private
# network must be allowed.
#---------------------------------------------------------------
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d xxx.xxx.xxx.xxx \
--dport 8080 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -o eth0 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state \
--state ESTABLISHED,RELATED -j ACCEPT
The xxx.xxx.xxx.xxx is the web server IP address inside the network. Here all INPUT to the
firewall if it is NEW, ESTABLISHED or RELATED are forwarded to the web server IP
address. All the OUTPUT only if ESTABLISHED or RELATED are forwarded to the
required address.
4.0 Network Ranges and NAT
A typical requirement of a many to one NAT is to assign a range or the entire intranet to a
specific IP address as the source. This is achieved in a NAT by using the following
POSTROUTING statements2
.
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
# POSTROUTING statements for Many:1 NAT
# (Connections originating from the entire home network)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 \
-j SNAT -o eth0 --to-source 97.158.253.29
Network range specification that we give here, as 24 mean 24 bits on the LSB to be varied
from 0 to the maximum. When we say 24, the last three units are varied from 0 to 255.
5.0 Tripwire installation and operation
To get your tripwire installation going, you need to first set your system for running the
same. You should be the supervisor or root to do the job. You might also have to set the
LOOSEDIRECTORYCHECKING to true in the configuration file before commencing the
installation process. You need to set two passwords or two key pass phrases which will be
asked during the installation process.
You need to run the install script ( ./twinstall.sh). Once the installation is completed, you
need to initialize the database3
.
tripwire --init
In case you face errors while running this command, you may run it under verbose mode by
adding the -v switch to the command given above.
Installing of tripwire alone does not start off any protection measure for your network.
Periodic checks need to be run using :
tripwire --check
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
This needs to be run repeatedly to know the status.
6.0 Snort
Snort needs to be downloaded and then installation process may be started4
. Snort is an
intrusion deduction system (IDS) while tripwire is an activity monitor. As per the topology
that snort advocates, the IDS may be put either before the firewall or at NAT. If it is put
ahead of the firewall, we will be able to monitor even those attempts which failed. If we
monitor at the NAT point, we will be able to get the source IP address of the packet, enabling
us to trace the origin of the attempt. Possibly both the sensors together would be better
choice.
Apart from the Apache Web Server and MySQL database, snort would require Webmin and
ACID ( Analysis Console for Intrusion Detection ). If the system is already set for installing
snort, then we need to start snort using
# /etc/rc.d/init.d/snortd start
Snort may be stopped by issuing the same command with stop in place of start. If the server
is not set for the operation then configurations need to be altered to put these in place as in
the reference 4 of the bibliography.
Bibliography
5. Beret, 2004, iptables: Creating an open source firewall, Enterprise Linux Resource,
available at http://tips.linux.com/print.pl?sid=04/11/23/2022252
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
6. Peter Harrison, Linux Firewalls Using iptables, Linux Home Networking, available at
http://www.siliconvalleyccie.com/linux-hn/iptables-intro.htm
7. Meryll Larkin, 2003, How To Linux - Setting Tripwire, Alwanza: How To Linux,
available at http://www.alwanza.com/howto/linux/tripwire.html
8. Steven. J. Scott, 2002, Snort Installation Manual, available at
http://home.earthlink.net/~sjscott007/
Enjoy big discounts
Get 20% discount on your first order
