Custom-Writing.co.uk © 2009

C 1.0 RFC1918 filtering

1.1 RFC1918 filtering of packets with internal addresses as sources but arriving through the external interface.

To complete this requirement you need to know the reserved internal addresses that you wish to block. Once these are known, the rule can be a sequence of commands, one for each address range. Use the following command, replacing ipaddr with the IP address (or range) to block when it arrives through the external interface:

# iptables -A INPUT -s ipaddr -j DROP

ipaddr can be a single IP address or a range of IP addresses given in CIDR form (e.g. 10.0.0.0/24, where the 24 says how many leading bits of the address are significant) [1].

1.2 RFC2827 filtering of packets from sources other than internal addresses flowing out of the external interface, or packets destined for internal addresses flowing out of the internal interface.

For this process the internal addresses also need to be known. You may write an inverted rule, which drops every packet whose source is not one of the internal addresses when it tries to flow out of your subnet. Replace internal-net with your internal address range (e.g. 192.168.0.0/16); note that the name localhost only resolves to 127.0.0.1, so it does not stand for the internal network here:

# iptables -A OUTPUT ! -s internal-net -j DROP
# iptables -A OUTPUT -d internal-net -j DROP

In the first command, any packet leaving the firewall through OUTPUT whose source address is not an internal address is dropped. The second command drops any packet whose destination is one of the reserved internal addresses, so it is not carried forward [2].

1.3 Webserver access and stateful filtering

We need to allow access to the web server only from the IP addresses 192.168.*.*.

Step 1: eliminate access from all addresses other than these.

# iptables -A INPUT ! -s 192.168.0.0/16 -d xxx.xxx.xxx.xxx -p tcp --dport p -j DROP

Replace xxx.xxx.xxx.xxx with your web server's IP address and p with the port number on which the web server is configured to accept connections.
The port is normally 80 for HTTP access and 443 for HTTPS. If you want to give access to both, add one more --dport switch. Step 1 appends to the list of rules: if the source of the packet is not in the range 192.168.0.0 to 192.168.255.255 and the destination is your web server, the packet is not allowed [3].

Step 2: use stateful filtering to handle return traffic.

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This makes sure that all input accepted by the firewall belongs to established or related connections alone.

1.4 Allowing the target machine to access external webservers

If the IP address of the target machine is xxx.xxx.xxx.xxx, this is the command you would give so that only that machine gets access to external web servers through iptables:

# iptables -A OUTPUT ! -s xxx.xxx.xxx.xxx -p tcp --dport www -j DROP

We have already given a stateful filter for return INPUT, which has to be ESTABLISHED or RELATED to be accepted by the firewall. If you have not added it, you will need to append that rule as well, along with the ones already entered.

1.5 Access to the firewall machine over SSH from internal machines only

# iptables -A INPUT ! -s internal-net -p tcp --dport 22 -j DROP

If the source is not one of the internal addresses (internal-net, e.g. 192.168.0.0/16) and the destination port is 22, the port number for SSH, the packet is dropped.

2.0 Port address translation

We need to implement network address translation for any of the target machines within the specified network that try to access the Internet: primarily many-to-one NAT. This makes sure that, for all machines within the protected network, the firewall presents a single IP address to the outside. For NAT to work properly, the iptable_nat module must be loaded with the modprobe command [4]. If you have not done so already, also enable IP forwarding by setting /proc/sys/net/ipv4/ip_forward to 1 instead of its default value of 0.
This piece of code has been taken from http://www.siliconvalleyccie.com/linux-hn/iptablesintro.htm for NAT purposes.

#---------------------------------------------------------------
# Load the NAT module
#---------------------------------------------------------------
modprobe iptable_nat

#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward

#---------------------------------------------------------------
# Allow masquerading
# - Interface eth0 is the internet interface
# - Interface eth1 is the local network interface
#---------------------------------------------------------------
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 \
    -j MASQUERADE
#---------------------------------------------------------------
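As an added worked example (not code from this page or from the cited site), the rules of sections 1.1 to 2.0 collected into one script that a practitioner could review before loading. It assumes a gateway with external interface eth0, an internal network of 192.168.1.0/24, and constructed addresses for the web server (192.168.1.10) and the target machine (192.168.1.20); all of these are variables at the top. Three practical points it makes that the sections above leave implicit: traffic passing through the gateway is filtered in the FORWARD chain (INPUT and OUTPUT only see packets to and from the firewall host itself, so SSH to the firewall stays in INPUT); the ESTABLISHED,RELATED rule goes first so return traffic is never caught by a later DROP; and iptables accepts only one --dport per rule, so HTTP and HTTPS get a rule each. With DRY_RUN=1 (the default) the script prints the rules instead of applying them, so it can be checked without root.

```shell
#!/bin/sh
# Added example, not the page's own code: the policy from sections 1.1-2.0 as one
# script. The interface, network and host addresses below are assumptions.
EXT_IF=${EXT_IF:-eth0}                      # assumption: internet-facing interface
INT_NET=${INT_NET:-192.168.1.0/24}          # assumption: protected internal network
WEB_CLIENTS=${WEB_CLIENTS:-192.168.0.0/16}  # from the page: hosts allowed to reach the web server
WEB_SERVER=${WEB_SERVER:-192.168.1.10}      # constructed: web server behind the gateway
TARGET=${TARGET:-192.168.1.20}              # constructed: the one host allowed out to port 80
DRY_RUN=${DRY_RUN:-1}                       # 1 = print rules, 0 = apply them (needs root)

# Every rule goes through ipt, so the whole policy can be reviewed as text first.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# 1.3 step 2: accept return traffic of known connections before any DROP rule runs.
stateful_return() {
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# 1.1 RFC1918: private source addresses never legitimately arrive on the external
# interface, so such packets are spoofed; the three blocks are fixed by RFC1918.
rfc1918_ingress() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A INPUT   -i "$EXT_IF" -s "$net" -j DROP
        ipt -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
    done
}

# 1.2 RFC2827: only our own addresses may leave through the external interface,
# and nothing addressed to the internal network should be routed out of it.
rfc2827_egress() {
    ipt -A FORWARD -o "$EXT_IF" ! -s "$INT_NET" -j DROP
    ipt -A FORWARD -o "$EXT_IF" -d "$INT_NET" -j DROP
}

# 1.3 step 1: web server reachable only from WEB_CLIENTS; iptables takes a single
# --dport per rule, so HTTP and HTTPS each get their own rule.
webserver_access() {
    for port in 80 443; do
        ipt -A FORWARD ! -s "$WEB_CLIENTS" -d "$WEB_SERVER" -p tcp --dport "$port" -j DROP
    done
}

# 1.4: only TARGET may open connections to external web servers.
target_web_egress() {
    ipt -A FORWARD -o "$EXT_IF" ! -s "$TARGET" -p tcp --dport 80 -j DROP
}

# 1.5: SSH to the firewall host itself only from the internal network (INPUT,
# because these packets terminate on the firewall).
ssh_internal_only() {
    ipt -A INPUT ! -s "$INT_NET" -p tcp --dport 22 -j DROP
}

# 2.0: many-to-one NAT; every internal host appears as the external interface's address.
nat_masquerade() {
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
}

apply_policy() {
    if [ "$DRY_RUN" != 1 ]; then
        modprobe iptable_nat
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    stateful_return
    rfc1918_ingress
    rfc2827_egress
    webserver_access
    target_web_egress
    ssh_internal_only
    nat_masquerade
}

# Number of iptables commands the policy issues (always computed in dry-run mode).
count_rules() {
    ( DRY_RUN=1; apply_policy ) | wc -l | tr -d ' '
}

apply_policy
```

Run it as-is to print the 15 rules for review; run it with DRY_RUN=0 as root to load them. Because rules are appended in order, the stateful ACCEPT at the top of apply_policy is what lets replies to permitted connections through the later DROP rules.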