RFC1918 filtering

1.0 RFC1918 filtering
1.1 RFC1918 filtering of packets with internal addresses as sources but coming through the external interface.
To complete this requirement you need to know the reserved internal addresses that you wish to block. Once you have them, the command below can be repeated as a sequence of commands that covers all the addresses one after the other. Use the following command, replacing ipaddr with the IP address you need to block when it arrives through the external interface (eth0 is used here as the external interface name, as in the NAT example in section 2.0; substitute your own):
# iptables -A INPUT -i eth0 -s ipaddr -j DROP
ipaddr can be a single IP address or a range of IP addresses written in CIDR notation (e.g. 10.0.0.0/24, where 24 says how many leading bits of the IP address are significant).
1.2 RFC2827 filtering of packets from sources other than internal addresses flowing out of the external interface or packets destined for internal addresses flowing out of the internal interface.
For this process also the internal addresses need to be known. You may write an inversion rule (a negated match) that drops every packet whose source is anything other than an internal address if it tries to flow out of your subnet. In the commands below, 192.168.1.0/24 stands for your internal address range and eth0 for the external interface; substitute your own values (note that the negation goes before the switch: ! -s, not -s !):
# iptables -A OUTPUT -o eth0 ! -s 192.168.1.0/24 -j DROP
# iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -j DROP
Custom-Writing.co.uk
© 2009 Custom-Writing.co.uk
In the first of the commands, we say that any packet that reaches the firewall's OUTPUT chain with a source address which is not a local address has to be dropped. Command 2 says that any packet whose destination address is one of the local reserved addresses has to be dropped and not carried forward.
1.3 Webserver access and stateful filtering
We need to allow access to the web server only from the specified IP addresses 192.168.*.* .
Step 1: Let us eliminate access from all addresses other than these.
# iptables -A INPUT ! -s 192.168.0.0/16 -d xxx.xxx.xxx.xxx -p tcp --dport p -j DROP
Replace xxx.xxx.xxx.xxx with your web server IP address and p with the port number on which you have configured access in the web server (--dport requires the protocol, hence -p tcp). The port is normally 80 for HTTP access and 443 for HTTPS. If you want to give access to both, add one more rule with the other --dport value. Step 1 appends this rule to the list of rules: if the source of the packet is not in 192.168.0.0 to 192.168.255.255 and the destination is your web server, the packet is not allowed.
Step 2: We will use stateful filtering for return traffic.
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This accepts all input to the firewall server that belongs to established or related connections (there must be no space after the comma in the state list).
1.4 Allowing the target machine to access external web servers
If the IP address of the target machine is xxx.xxx.xxx.xxx, then this is the command you might have to give to allow access to external web servers through iptables (www is the service name for port 80 in /etc/services):
# iptables -A OUTPUT ! -s xxx.xxx.xxx.xxx -p tcp --dport www -j DROP
We have already given a stateful filter for return INPUT, which has to be established or related to be accepted by the firewall. If you have not given that, you might have to append that rule as well, along with the ones already entered.
1.5 Access the firewall machine over SSH from internal machines only
# iptables -A INPUT -p tcp --dport 22 ! -s 192.168.1.0/24 -j DROP
If the source is not one of the local network addresses (192.168.1.0/24 here; substitute your own internal range) and the port number is 22, which is the port for SSH, then the packet is dropped.
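As an added illustration (not part of the original document), the following Python script models the INPUT chain built up in sections 1.1, 1.3 and 1.5 as an ordered list and walks a few constructed packets through it in first-match order, which is how iptables decides a verdict. It assumes eth0 is the external interface and 192.168.1.0/24 the internal range (as in the NAT example in section 2.0), and uses 192.168.1.10 as a constructed stand-in for the xxx.xxx.xxx.xxx web server address.

```python
import ipaddress

# Assumed layout (as in the NAT example): eth0 faces the internet, eth1 the LAN.
EXT_IF = "eth0"
INT_NET = ipaddress.ip_network("192.168.1.0/24")      # assumed internal range
WEB_SERVER = ipaddress.ip_address("192.168.1.10")      # constructed stand-in for xxx.xxx.xxx.xxx
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The INPUT chain in the order the sections append it. Keys mirror iptables switches:
# in_if = -i, src = -s, src_not = "! -s", dst = -d, dport = "-p tcp --dport", state = "-m state --state".
INPUT_CHAIN = (
    [("DROP", {"in_if": EXT_IF, "src": net}) for net in RFC1918]              # 1.1 RFC1918 ingress
    + [("DROP", {"src_not": ipaddress.ip_network("192.168.0.0/16"),
                 "dst": WEB_SERVER, "dport": 80})]                               # 1.3 step 1, p = 80
    + [("ACCEPT", {"state": {"ESTABLISHED", "RELATED"}})]                       # 1.3 step 2
    + [("DROP", {"src_not": INT_NET, "dport": 22})]                             # 1.5 SSH
)

def packet(in_if, src, dst, dport, state="NEW", proto="tcp"):
    """Constructed packet summary holding only the fields these rules inspect."""
    return {"in_if": in_if, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": dport, "state": state, "proto": proto}

def rule_matches(pkt, match):
    """True when every match in the rule holds for the packet (all switches are ANDed)."""
    checks = {
        "in_if": lambda v: pkt["in_if"] == v,
        "src": lambda v: pkt["src"] in v,
        "src_not": lambda v: pkt["src"] not in v,
        "dst": lambda v: pkt["dst"] == v,
        "dport": lambda v: pkt["proto"] == "tcp" and pkt["dport"] == v,
        "state": lambda v: pkt["state"] in v,
    }
    return all(checks[key](value) for key, value in match.items())

def verdict(pkt, chain=INPUT_CHAIN, policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule decides, otherwise the chain policy."""
    for target, match in chain:
        if rule_matches(pkt, match):
            return target
    return policy

if __name__ == "__main__":
    print(verdict(packet("eth0", "10.1.2.3", "192.168.1.1", 443)))        # DROP: RFC1918 source on eth0
    print(verdict(packet("eth1", "10.1.2.3", "192.168.1.1", 443)))        # ACCEPT: same source, LAN side
    print(verdict(packet("eth0", "203.0.113.5", "192.168.1.10", 80)))     # DROP: outsider to web server
    print(verdict(packet("eth0", "203.0.113.5", "192.168.1.1", 22)))      # DROP: SSH from outside
```

Note that the INPUT and OUTPUT chains only see traffic addressed to or generated by the firewall host itself; for the LAN traffic the firewall forwards on behalf of the protected network (the NAT case in section 2.0), the same matches belong in the FORWARD chain.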
2.0 Port address translation
We need to implement a network address translation for any of the target machines within the specified network that try to access the internet, primarily a many-to-one NAT. This makes sure that, for all the machines within the protected network, the firewall presents a single IP address. For NAT to work properly, you need to have the iptable_nat module loaded with the modprobe command. If you have not done it already, also enable IP forwarding by setting /proc/sys/net/ipv4/ip_forward to 1 in place of the default value of 0.
The following script has been taken from http://www.siliconvalleyccie.com/linux-hn/iptablesintro.htm for NAT purposes.
#---------------------------------------------------------------
# Load the NAT module 
#
# --------------------------------------------------------------

modprobe iptable_nat
#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#
# --------------------------------------------------------------

echo 1 > /proc/sys/net/ipv4/ip_forward

#---------------------------------------------------------------
# Allow masquerading
# - Interface eth0 is the internet interface
# - Interface eth1 is the local network interface
#---------------------------------------------------------------

iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 \
 -j MASQUERADE
