Configuring a Stateful Linux Firewall with IPTables / NetFilter

Linux Packet Filtering Implementations

  • 1st Generation – Alan Cox’s port of BSD UNIX’s ipfw to Linux 1.1
  • 2nd Generation – Jos Vos and others added the ipfwadm tool in Linux 2.0.
  • 3rd Generation – Rusty Russell and Michael Neuling made significant changes to ipfw, and ipchains was released in Linux 2.2.
  • 4th Generation – Rusty Russell and others implemented a modular packet filter/mangler infrastructure called NetFilter for Linux 2.4.

Routing Packets with SNAT

  • Source Network Address Translation enables you to get access to an external network (usually the Internet) from behind the firewall.
  • Enable Packet Forwarding
    • echo 1 > /proc/sys/net/ipv4/ip_forward
    • Allows kernel-level IP Forwarding
    • Disabled by default in most distros
    • service network restart resets ip_forward to 0 (unless you’ve h4x0red /etc/init.d/network)
  • Enable Masquerading
    • Dynamic IP: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    • Static IP: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 24.0.0.0
    • This allows machines to masquerade from behind the firewall.

Default Policies / Output Port Blocking

  • Default Policies
    • iptables -P INPUT DROP

      • This is highly recommended as the default.
      • Basically drop everything unless told otherwise
    • iptables -P OUTPUT ACCEPT
      • Some suggest to default OUTPUT to DROP
      • It’s not really necessary though.
    • iptables -P FORWARD ACCEPT
      • This is needed for NAT / MASQUERADING
  • Output Port Blocking
    • Be careful blocking output ports. Blocking port 80 doesn’t only stop hackers, it also stops IE, Netscape and Galeon from accessing most web servers.
    • iptables -A OUTPUT -o eth0 -p tcp --dport 31337 -j DROP
    • iptables -A OUTPUT -o eth0 -p tcp --sport 31337 -j DROP

Output Port Blocking / External Port Blocking

  • Output Port Blocking Continued
    • Ports to block: 31337, 31335, 27444, 27665, 20034 (NetBus), 9704, 137-139 (smb), 1433, 2049, 5432, 5999, 6063, 5900-5910 (vnc)
  • External Port Blocking
    • Reject Ident Requests (ircers will probably want to accept ident)
    • iptables -A FORWARD -i eth0 -p tcp --dport 113 -j REJECT
    • iptables -A OUTPUT -o eth0 -p tcp --dport 113 -j REJECT
    • Allow Nortel IPSEC Rekey Packets (IBM VPN)
    • iptables -A FORWARD -i eth0 -p tcp --dport 500 -j ACCEPT
    • iptables -A OUTPUT -o eth0 -p tcp --dport 500 -j ACCEPT

Drop Bogus Packets / Log & Limit Suspicious Traffic

  • Drop Bogus Packets

    • RESERVED_NET="0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 ... "
      for NET in $RESERVED_NET; do
          iptables -A FORWARD -d $NET -j DROP
      done
  • Log Suspicious Packets

    • Create a new chain called CHECK_FLAGS
    • iptables -N CHECK_FLAGS
    • iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "NMAP-XMAS:"
    • iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    • --tcp-flags ALL FIN,URG,PSH examines every flag and matches only when exactly FIN, URG and PSH are set (the "XMAS" pattern); the LOG rule is rate-limited so a scan cannot flood the kernel log, and the DROP rule after it catches every matching packet whether or not it was logged.
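Logging is only useful if someone reads the result. The following is an added example, not part of the original slides, that summarises what the CHECK_FLAGS LOG rule writes to the kernel log, per source address, and flags sources that hit it repeatedly. The log lines are constructed for the example (the field layout IN= OUT= MAC= SRC= DST= ... PROTO=TCP SPT= DPT= ... URG PSH FIN is the one the iptables LOG target writes); the function names xmas_report and xmas_alert are the example's own.

```shell
#!/bin/sh
# Added example, not from the original slides: per-source summary of the
# NMAP-XMAS log lines produced by the CHECK_FLAGS chain. Sample lines below
# are constructed; note that without a trailing space in --log-prefix the
# prefix runs straight into "IN=", which is why the grep matches "NMAP-XMAS:".

SAMPLE_LOG='Aug 24 05:54:55 fw kernel: NMAP-XMAS:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54321 PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Aug 24 05:54:56 fw kernel: NMAP-XMAS:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54322 PROTO=TCP SPT=43211 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Aug 24 05:54:57 fw kernel: NMAP-XMAS:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54323 PROTO=TCP SPT=43212 DPT=443 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Aug 24 05:55:10 fw kernel: NMAP-XMAS:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.99 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=777 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Aug 24 05:55:11 fw kernel: eth0: link is up'

# xmas_report: read log lines on stdin and print "SRC count port port ..."
# for every source that triggered the NMAP-XMAS prefix, sorted by source.
xmas_report() {
    grep 'NMAP-XMAS:' | awk '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) { src = substr($i, 5) }
                else if ($i ~ /^DPT=/) { dpt = substr($i, 5) }
            }
            if (src != "") { count[src]++; ports[src] = ports[src] " " dpt }
        }
        END { for (s in count) printf "%s %d%s\n", s, count[s], ports[s] }
    ' | sort
}

# xmas_alert THRESHOLD: print only sources logged at least THRESHOLD times.
# The LOG rule is limited to 5/minute, so these counts are a floor, not the
# true number of packets dropped.
xmas_alert() {
    xmas_report | awk -v t="$1" '$2 >= t { print $1 }'
}

# Run directly: print the report for the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | xmas_report
```

On a real box you would feed it `dmesg` or the syslog file instead of the sample: `grep kernel /var/log/messages | xmas_alert 3`.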

Jump to a Custom Chain / Define Stateful Rules

  • Jump to a Custom Chain
    • iptables -A INPUT -i eth0 -j CHECK_FLAGS
    • iptables -A FORWARD -i eth0 -j CHECK_FLAGS
  • Define Stateful Rules
    • iptables -A OUTPUT -m state --state INVALID -j DROP
    • iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    • iptables -A INPUT ! -i eth0 -m state --state NEW -j ACCEPT
    • ACCEPT packets whose input interface is anything but the external interface (-i is only valid in the INPUT and FORWARD chains, so this rule belongs on INPUT).

Blocking ICMP / Port Forwarding with DNAT

  • Port Forwarding
    • Port Forwarding an IPSEC client/server on 500 using protocol 17 (UDP, needed for VPN access)
    • iptables -t nat -A PREROUTING -i eth0 -p 17 --dport 500 -j DNAT --to-destination 192.168.0.2:500
    • Port Forwarding WWW on Port 80
    • iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
  • Blocking ICMP
    • Using default DROP for INPUT already blocks ICMP (ping) to the firewall itself
    • iptables -A OUTPUT -o eth0 -p icmp --icmp-type 8 -j DROP
    • iptables -A FORWARD -i eth0 -p icmp --icmp-type 8 -j DROP
    • iptables -A OUTPUT -o eth0 -p icmp --icmp-type 8 -j ACCEPT

ToS Packet Mangling / MAC Addresses as Filtering Criteria

  • ToS Packet Mangling

    • Allows Type-of-Service parameters to be set per protocol (16 = Minimize-Delay, 8 = Maximize-Throughput)
    • iptables -t mangle -A FORWARD -p tcp --dport 22 -j TOS --set-tos 16
    • iptables -t mangle -A FORWARD -p tcp --dport 80 -j TOS --set-tos 8
  • MAC Addresses as Filtering Criteria
    • iptables -A FORWARD -m state --state NEW -m mac --mac-source 00:C7:8F:72:14 -j ACCEPT
    • Allows a known MAC Address to be forwarded

Nortel VPN Access

## OPENS NORTEL EXTERNAL PORT 500
iptables -A OUTPUT -o eth0 -p tcp --dport 500 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 500 -j ACCEPT
## PORT FORWARD FOR IPSEC "REKEYING"
iptables -t nat -A PREROUTING -i eth0 -p 17 --dport 500 -j DNAT --to-destination 192.168.0.2:500

  • Assumes 192.168.0.2 is the computer you are running the VPN client on, and eth0 is the external interface
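The slides give the rules one fragment at a time; the order they are loaded in decides what the firewall actually does. The script below is an added example, not the deck's own, that assembles the SNAT, default policy, CHECK_FLAGS, stateful, ident, DNAT and VPN fragments above into one ruleset that loads cleanly. Assumptions carried over from the slides' examples: eth0 is the external interface with a dynamic address, and 192.168.0.2 runs both the IPsec client and the port-forwarded web server. One deliberate deviation: the FORWARD policy is DROP with explicit accepts, because MASQUERADE does not need FORWARD ACCEPT, only a rule that lets the LAN's connections through. The ipt, enable_forwarding and build_rules names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original slides: the deck's rule fragments
# assembled into one stateful ruleset. eth0, 192.168.0.0/24 and 192.168.0.2
# are assumptions taken from the slides' own examples.
#
# Dry run by default: the iptables commands are printed, not executed.
# Run with APPLY=1 as root to load them for real.

EXT_IF="${EXT_IF:-eth0}"           # external interface (assumed)
VPN_HOST="${VPN_HOST:-192.168.0.2}" # internal IPsec client (from the slides)
WEB_HOST="${WEB_HOST:-192.168.0.2}" # internal web server (assumed)

ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

enable_forwarding() {
    # Same effect as "echo 1 > /proc/sys/net/ipv4/ip_forward"; putting
    # net.ipv4.ip_forward=1 in /etc/sysctl.conf survives a network restart.
    if [ "${APPLY:-0}" = "1" ]; then
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
    else
        echo "sysctl -w net.ipv4.ip_forward=1"
    fi
}

build_rules() {
    # Start from a clean slate so the script is repeatable.
    ipt -F
    ipt -t nat -F
    ipt -t mangle -F
    ipt -X

    # Default policies: deny inbound and forwarded traffic unless a rule allows it.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # CHECK_FLAGS: log (rate-limited) and drop XMAS-flagged segments. A trailing
    # space in the prefix keeps it separate from the IN= field in the log line.
    ipt -N CHECK_FLAGS
    ipt -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH \
        -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "NMAP-XMAS: "
    ipt -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    ipt -A INPUT -i "$EXT_IF" -j CHECK_FLAGS
    ipt -A FORWARD -i "$EXT_IF" -j CHECK_FLAGS

    # Stateful INPUT: rules match top down, so INVALID is dropped first,
    # replies to our own connections are accepted, and new connections are
    # accepted only from interfaces other than the external one (LAN, lo).
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT ! -i "$EXT_IF" -m state --state NEW -j ACCEPT

    # Stateful FORWARD: LAN hosts may open connections outward; the only new
    # inbound connections are the two port forwards. Ident is rejected rather
    # than dropped so IRC and mail servers do not sit waiting for a timeout.
    ipt -A FORWARD -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -p tcp --dport 113 -j REJECT
    ipt -A FORWARD ! -i "$EXT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -d "$VPN_HOST" -p udp --dport 500 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -d "$WEB_HOST" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # NAT: masquerade the LAN behind the dynamic external address and DNAT
    # IKE (UDP 500) and HTTP from outside to the internal hosts.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport 500 -j DNAT --to-destination "$VPN_HOST:500"
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_HOST:80"
}

enable_forwarding
build_rules
```

Running it without APPLY=1 prints the rules so you can review the order before touching a live box; the FORWARD accepts for the two DNAT targets match on the already-rewritten destination, because nat PREROUTING runs before the filter FORWARD chain.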

Configuring dhcpd

#filename: /etc/dhcpd.conf

default-lease-time 86400;
max-lease-time 86400;

subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.2 192.168.0.250;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.0.255;
  option routers 192.168.0.1;
  option domain-name-servers 192.168.0.4, 12.24.250.39, 12.24.250.40, 206.25.127.40;
  option domain-name "chartermi.net";
}
  • On Redhat boxes do a “service dhcpd start” to start the dhcpd daemon.
Comments


  1. tommy Mon, 24 Aug 2009 05:54:55 UTC

    A great firewall based on Red Hat Linux 2.4 is Ideco Gateway; it’s an all-in-one thing – web server, mail, firewall etc.
