
Archive for September 27th, 2007

Playing with iptables in Ubuntu Terminal

I’ve been trying to figure out how to explain iptables in an easy way. I’ve read many articles about iptables, but none of them show how to build chain rules step by step from the command line in an Ubuntu terminal.

I know the reason: rules entered that way are temporary. But skipping it is not good for a beginner.

So I’ll try to describe it another way.

Hopefully, it will make iptables chain rules easier to understand.

 

Historically, the most popular firewall and NAT (Network Address Translation) tool on Linux was ipchains (the Linux 2.2 kernel firewall).

The Netfilter project then replaced it with iptables (Linux 2.4 and later) and added more features.

Compared to ipchains, iptables offers better integration with the kernel, stateful packet inspection (connection tracking), filtering on MAC addresses and on the TCP flag values of packets, better network address translation, integration with Squid (transparent proxying through the nat table), and rate-limiting matches that help block DoS (Denial of Service) attacks.

I’ll divide my explanation into 4 parts.

  • practice with command line in Ubuntu terminal

  • sample rules which you can use for router, webserver, server etc.

  • masquerading (many to one NAT)

  • run iptables automatically (create a script and hook it into the boot runlevels).

I’ve just finished the first part (this post). Hopefully it will make iptables easier to understand.

Determining the status of iptables

You can check your current iptables rules with:

taufanlubis@zyrex:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

taufanlubis@zyrex:~$

 

option -L:

List all rules in the selected chain. If no chain is selected, all chains are listed. Like every other iptables command, it applies to the specified table (filter is the default), so NAT rules are listed with iptables -t nat -n -L. In practice add -n (numeric output; without it iptables does a reverse DNS lookup on every address, which can be slow or hang) and -v (packet and byte counters plus the interface matches, which plain -L hides); --line-numbers shows each rule’s position in the chain, which you need for -D and -I.

 

Packet Processing in iptables

All packets inspected by iptables pass through a sequence of built-in tables for processing. Each table is dedicated to a particular kind of packet handling and holds one or more chains of rules; a packet traverses a chain top to bottom and the first matching rule decides its fate.

There are three tables you will work with here (newer kernels add a fourth, raw, used to exempt packets from connection tracking):

  • filter: responsible for packet filtering.

      • INPUT chain (filters packets destined to the firewall itself)

      • FORWARD chain (filters packets routed through the firewall to other hosts)

      • OUTPUT chain (filters packets originating from the firewall)

  • mangle: responsible for altering packet headers, for example the TOS/DSCP quality-of-service bits in the IP header.

  • nat: responsible for NAT (network address translation).

      • PREROUTING chain (destination NAT, rewriting the destination before the routing decision)

      • POSTROUTING chain (source NAT and masquerading, rewriting the source after the routing decision)

      • OUTPUT chain (NAT for packets generated by the firewall itself)

 

I like iptables because I can make my firewall do exactly what I want: decide which packets may come into my machine, be forwarded, or go out from my machine, and which ports are open or closed. But it took me days to understand how it works.

 

In this practice we will do all the setup from the Linux console.

First, open a console.

Applications > Accessories > Terminal, or press Alt-F2 and type ‘xterm’.

 

Now let’s practice. Check your iptables rules.

taufanlubis@zyrex:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

taufanlubis@zyrex:~$

If you see the output above, there are no rules in your iptables firewall: every chain is empty, so the default policy (ACCEPT) applies to all traffic in all three chains.

 

Task 1: Accept TCP packets arriving on the first ethernet card (eth0) for port 80 (http)

taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 --dport http -j ACCEPT

taufanlubis@zyrex:~$

Check again, our setting.

taufanlubis@zyrex:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp -- anywhere anywhere tcp dpt:www

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

taufanlubis@zyrex:~$

Well, you have your first rule in iptables. It accepts TCP packets for destination port 80 (listed by its service name, www) from any IP address to any IP address. Two things to notice: plain -L does not display the -i eth0 interface match (use -L -v to see it), and because the INPUT policy is still ACCEPT this rule changes nothing yet; it only has an effect once a DROP rule or a DROP policy follows it.

 

Task 2: Do the same as Task 1 for https (port 443), pop3 (port 110) and smtp (port 25)

Type again in your console. The service names are resolved through /etc/services, so --dport 443 and --dport https are equivalent.

taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 --dport https -j ACCEPT

taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 --dport pop3 -j ACCEPT

taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 --dport smtp -j ACCEPT

 

Check again the rules.

taufanlubis@zyrex:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp -- anywhere anywhere tcp dpt:www

ACCEPT tcp -- anywhere anywhere tcp dpt:https

ACCEPT tcp -- anywhere anywhere tcp dpt:pop3

ACCEPT tcp -- anywhere anywhere tcp dpt:smtp

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

taufanlubis@zyrex:~$

Now you have set up the rules for the traffic that will be ACCEPTed.

 

Let’s continue with Task 3.

Task 3: Drop everything else: packets forwarded through the machine, packets leaving the machine, and TCP packets arriving on eth0 that did not match the ACCEPT rules above. Because rules are checked in order and the first match decides, the DROP rules must come after the ACCEPT rules; -A appends to the end of the chain, which is why this ordering works.

taufanlubis@zyrex:~$ sudo iptables -A FORWARD -o eth0 -j DROP

taufanlubis@zyrex:~$ sudo iptables -A OUTPUT -o eth0 -j DROP

taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 -j DROP

 

Check again, your iptables rules.

taufanlubis@zyrex:~$ sudo iptables -L

 

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp -- anywhere anywhere tcp dpt:www

ACCEPT tcp -- anywhere anywhere tcp dpt:https

ACCEPT tcp -- anywhere anywhere tcp dpt:pop3

ACCEPT tcp -- anywhere anywhere tcp dpt:smtp

DROP tcp -- anywhere anywhere

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

DROP 0 -- anywhere anywhere

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

DROP 0 -- anywhere anywhere

taufanlubis@zyrex:~$

 

If you see the same screen as above, you have just created your first iptables chain rules.

Before copying this ruleset onto a real machine, look at what it actually does. The INPUT DROP matches only TCP, so UDP and ICMP still get in under the ACCEPT policy. The OUTPUT DROP has no exception at all, so it also discards the replies that your web and mail services send back on the connections you just allowed, and it stops everything the machine itself initiates (DNS lookups, package updates). A real OUTPUT chain needs a rule that accepts packets in the ESTABLISHED,RELATED connection-tracking state (the state match) ahead of the DROP. And if you are working over SSH, accept port 22 before adding any DROP rule, or you will lock yourself out.

This setup is temporary. You will lose it after a shutdown or restart, and flushing the chains with the -F option clears it immediately if you need to get back to a clean state.

That’s OK. It’s only practice. I just want to show how iptables works.
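To see what the Task 3 rules actually do before trusting them, here is an added example (Python; not code from the original post). It parses an `iptables -L` listing like the ones above into chains and rules, then pushes constructed packets through them with the same first-match-then-policy logic netfilter uses. It also runs a constructed variant in which OUTPUT accepts RELATED,ESTABLISHED packets before the DROP, so that replies to the accepted connections can leave. The service-name table, the probe packets and the simplified match semantics (protocol, destination port and conntrack state only; no interface or address matching) are assumptions of the example.

```python
"""Added example (not from the original post): parse an `iptables -L` listing
like the one above and push constructed packets through it the way netfilter
does: top to bottom, first match decides, chain policy is the fallback."""
from __future__ import annotations
from dataclasses import dataclass, field

HDR = "target     prot opt source               destination"
# Constructed sample: INPUT and OUTPUT after Task 3, as plain -L prints them.
TASK3_LISTING = f"""\
Chain INPUT (policy ACCEPT)
{HDR}
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
DROP       tcp  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
{HDR}
DROP       all  --  anywhere             anywhere
"""
# Constructed variant: OUTPUT accepts conntrack-tracked replies before the DROP.
STATE_RULE = ("ACCEPT     all  --  anywhere             anywhere             "
              "state RELATED,ESTABLISHED")
FIXED_LISTING = TASK3_LISTING.replace(
    f"Chain OUTPUT (policy ACCEPT)\n{HDR}\n",
    f"Chain OUTPUT (policy ACCEPT)\n{HDR}\n{STATE_RULE}\n")
# Assumption: a subset of /etc/services, which -L uses to name ports.
SERVICES = {"www": 80, "https": 443, "pop3": 110, "smtp": 25, "ssh": 22}


@dataclass
class Rule:
    target: str
    proto: str                 # "tcp", "udp", "icmp" or "all"
    dport: int | None          # None: any destination port
    states: set[str] = field(default_factory=set)   # empty: no state match

    def matches(self, pkt: dict) -> bool:
        if self.proto != "all" and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        # Untracked packets count as NEW (simplification of conntrack).
        return not self.states or pkt.get("state", "NEW") in self.states


@dataclass
class Chain:
    name: str
    policy: str
    rules: list[Rule] = field(default_factory=list)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:            # first matching rule wins
            if rule.matches(pkt):
                return rule.target
        return self.policy                 # nothing matched: chain policy


def parse_listing(text: str) -> dict[str, Chain]:
    """Built-in chains only: header line is 'Chain NAME (policy TARGET)'."""
    chains: dict[str, Chain] = {}
    current = None
    for line in text.splitlines():
        cols = line.split()
        if not cols or cols[0] == "target":
            continue                       # blank line or column header
        if cols[0] == "Chain":
            current = Chain(cols[1], cols[3].rstrip(")"))
            chains[current.name] = current
            continue
        target, proto, _opt, _src, _dst, *extra = cols
        dport, states = None, set()
        for i, tok in enumerate(extra):
            if tok.startswith("dpt:"):     # "tcp dpt:www" or "tcp dpt:80"
                name = tok[4:]
                dport = int(name) if name.isdigit() else SERVICES[name]
            elif tok == "state" and i + 1 < len(extra):
                states = set(extra[i + 1].split(","))
        current.rules.append(Rule(target, proto, dport, states))
    return chains


def verdicts(listing: str) -> dict[str, str]:
    """Constructed probe packets run through the parsed chains."""
    chains = parse_listing(listing)
    probes = {
        "INPUT http":    ("INPUT",  {"proto": "tcp", "dport": 80}),
        "INPUT ssh":     ("INPUT",  {"proto": "tcp", "dport": 22}),
        "INPUT dns/udp": ("INPUT",  {"proto": "udp", "dport": 53}),
        "OUTPUT reply":  ("OUTPUT", {"proto": "tcp", "state": "ESTABLISHED"}),
        "OUTPUT new":    ("OUTPUT", {"proto": "tcp", "dport": 80}),
    }
    return {k: chains[c].verdict(p) for k, (c, p) in probes.items()}


if __name__ == "__main__":
    for title, lst in (("Task 3", TASK3_LISTING), ("with state rule", FIXED_LISTING)):
        print(title, verdicts(lst))
```

Run it and compare the two result sets: under the Task 3 rules the reply on an accepted HTTP connection is dropped in OUTPUT, and a UDP packet to port 53 is accepted in INPUT because the DROP there matches TCP only; with the state rule the reply gets through while a new outbound connection is still dropped. The same evaluator can be pointed at your own `sudo iptables -L` output, with the caveat that it silently ignores any match it does not parse.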

 
