IPTABLES FIREWALL
- Layout for this exercise:
1 - Introduction to Iptables
- Iptables is a powerful firewall that provides a table based system for defining rules that can filter or transform packets.
- Iptables is integrated in the Linux kernel as part of the netfilter project, having the ip6tables version for IPv6.
- Iptables has 5 tables or zones where a string of rules can be applied:
a) raw: filters packets before any other table. It is mainly used to configure connection tracking exemptions in combination with the target NOTRACK.
b) filter: default table if not passed the -t option.
c) nat: used for network address translation. Due to limitations in iptables, filtering should not be done here.
d) mangle: used for altering specialized network packets (packet mangling).
e) security: used for Mandatory Access Control network connection rules.
- Tables contain chains which are lists of rules that handle the network packets.
- By default the filter table contains 3 built-in chains: INPUT, OUTPUT, FORWARD.
a) INPUT: all incoming traffic directed to the machine is passed through this chain.
b) OUTPUT: all outbound traffic generated locally passes through this chain.
c) FORWARD: all routed traffic which has not been supplied locally passes through this chain.
- Also, other often used built-in chains are PREROUTING and POSTROUTING:
a) PREROUTING: alters packets before routing.
b) POSTROUTING: alters packets after routing.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBFa1fik8nH56GnnmhwIGWVbiuttachXyudJjT_epFctEVuk1Cb5Tjey6A0i_Fpn3hyVyx1zdxs0R25zc51OgxAEvz8lZKREYKWpx4BSQ5utwlgfheG-hBPiK9RMi0YTUVLTlI73LORYx1/s640/screenshot.5.jpg)
- Users can also define their own chains to make rulesets more efficient. Built-in chains have a default target (policy) which is applied if no rule matches. Neither built-in nor user-defined chains can be used as that default target.
- The filtering of network packets is based on rules, which are specified by various matches or conditions that the packet must satisfy for the rule to apply, and a target or action to take when the packet fully matches the conditions. While individual conditions are often very simple, the specification of the entire rule can be very complex.
- Targets are specified by the -j or --jump option. Targets can be either user-defined chains, one of the special integrated targets, or a target extension.
- The integrated targets are ACCEPT, DROP, QUEUE, RETURN; the target extensions are for example REJECT and LOG.
- If the target is an integrated target the destination of the packet is decided immediately and the processing of the network packet in the current table is stopped.
- If the target is a user-defined chain and the packet traverses that chain without matching a terminating rule, processing continues with the next rule in the calling chain.
2 - Setting the lab
- To start with a blank slate the command iptables -F (flush) removes any possible iptables configuration:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyWBXslBPjx90CdGZ8s0fuDXTP5eQp9sXy9mf1JAxGBGxwO8anhOMnIcHNBHzQo7Pp8ZA7IACZtmtkQvRwqfziJB256efDphDtbHuPSfI-jpRQxCfmWcWs2WDxjrfQtM3dXkhDwzPYT3uw/s1600/screenshot.42.jpg)
- Connection to the web server is available:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaqNyj10GPhUo2Imqxuj3ScXym6r_jOV2HMmFBMpHdkaO_GO8VKd3HckWLL1cqXl-Jxo9GWPJRwIiDPVVC8XBYTXugDHW-IRdJJ7N4l7WuQ73dIq-UtMciWDXoR2fH1efeEUlBxn7hcVr_/s1600/screenshot.27.jpg)
- Also SSH connection is available:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAwB-dkgdAX5XVhn-9zfJdnmj9hovRH1RQpKU5ZhrQtFn6h4dEjXBJ-F40xgT-7KxYCbPv_n8ELHNQFTlq66oSX8g0pmbFTLbtZHBuzym1na8bx0_E7fnDmz7wOvUXykSClZdTlVb6E3do/s1600/screenshot.44.jpg)
3 - Creating rules
- The first rule is added (-A option) and accepts any incoming packet directed to the web server (port 80):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpjSSGIzIB9KqEWRDUWkgqEZ2i53hj1M8R-9kfJ_N7KnMLZvhx66S4AqFDXxNg56i4qMek8sLOlsWiBM4dsb4Hi8VuuXe4Xz14JvoLtXrWUL2CXlTpK5hxek8wgvsZ-Q88xbzmohZTM697/s1600/screenshot.31.jpg)
- Listing the rules in numeric form (-nL):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio8kTHZHCBoBhGBcfNkWsmXP5WBh20BEy5V-5ecD1D0DSTXjTON9f65X7phY9zVqkwk3k-xfV7FNSunsBflxBjLl8SsQ3-sVfIy3hgwxkqCmNuNtT2U-M0pTTqW2ejYa7AebxFC0ZEgJhJ/s1600/screenshot.33.jpg)
- Adding another rule that accepts incoming packets from the local network (192.168.1.0/24) and directed to port 22, where SSH service is enabled:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguH5CEcUpFjkYu3OGvPyV75lxZdc2QhuQSBevaCwFJPxx5EpvxnGfgi5fESiJ56M94V6vOvptXEQCR8PMWDiEQoygahmyIABu1yFk7cnyoDOxTfzSyJSTkG_B-qA0sdG1omAtlhTpTArxP/s1600/screenshot.34.jpg)
- Listing:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiT1WFju_qfQSO5y7P6MSOccbp3EGOBjfl3YiIb0lsiXo86lKhEAYgm51bveO1B6bX42XUbYrSn3Q93XU4x_s9WFwVvCKces2I5eD40oZ5-GgOSGtW43h3UotOcCM_c1wbP7a6o6lcmzX-/s1600/screenshot.36.jpg)
- The third and last rule drops any other packet that does not match the two previous rules:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwXyzu5bKUnhNVDqr7rFENQ2q5O2SRRjdKjddPxnfPwPJ0PdODJa_EruEgkNt2Fjx-6cEwMHh_PUDEgRx4ddIxdSD3k7iZknb-Bbjj_NqSsu-fHtDawaczQ8VXmggyATzjIzl_hBuoVU0r/s1600/screenshot.37.jpg)
- Listing the 3 rules:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPO4wPFQUie17xqzH2euH8Uj8BenbqFv32shXGLTt0dEvQ0cycFDNWPaM3u3AxDPy_pPcSHg3addPlgnuujajy_7ZYudkbOZqgRtSKKnuhq9N5kk1lAJqquKi7zDqbzfxfpw4mtZjo_2O5/s1600/screenshot.38.jpg)
- Now, let's check that the web connection is successful from the Kali system:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRFSKMmhT1k9bd6oWEQpwqqCkc_NdlMPzkIIg1-yAacbmd-CM0x9ZLo3SPSRJriIUWcs1Ez6-PswlgQ4iIQUjh_VIBDNbapmN-bEaGStrtS5z6FLthMkiYkOx5HzbM0vdXfgUJxgmusL0D/s1600/screenshot.41.jpg)
- The SSH connection from Kali is also successful:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT6Ms_FnxOSQztn5uu1z-7s7Hpv-n-hAE4JCScmQ8D7MjqgtBi5hcBjbKh1UvbAWdLykUqXn4yJPP2hMUrXLal9LUXpUD_zdKx_HW7VN-J6LSAatFqwtrx8DVlqbzBFyHFoOcn7TPSYJrS/s1600/screenshot.89.jpg)
- However, a ping is not successful because it uses the ICMP protocol, which is not covered by the previously defined rules:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuY6q3VyBVw-HQ-Rc_1H5GgeJxqdLA-mpN28dbngk06DHPtoII1boEJqNszmxXWZOXVzTerRvuokLVo_icQwz88vt6V1BMdJQqGYOCjRb8LKsV3zvH4l4YRtC7YiNgwLMKJ7ZhAAwDxQ4w/s1600/screenshot.39.jpg)
4 - Deleting rules
- The -D option deletes individual rules. With the --line-numbers option we can see the rules as an ordered, numbered list:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO7Hb2VO0kmCDQHEEUF6MTPoHIwO8hBJfDPituyibqgigAPx4h3ohyphenhyphenL5Oo-wifVjQUPSqlAKNhyphenhyphenx2n9raUpR2pj5Nvte-Wwm_8prubN-Vzifvqgu0ax9DHepGKayl1JrJWD0dezfPAgGli/s1600/screenshot.90.jpg)
- For instance, let's delete the first rule, leaving the other two rules untouched:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzBRFTpCeLDideLixWmk5aDTAiEeEwYSI2-Tr_QjMw1huLp224C2Mv5kg41OZyZm-BH9aL98FoUaHXKAqzO-4ZD7BNy_6ddZ1d3-BcP9eQrnNq6GC4iYYb4F70UJTP2KllMGDji3X7ddCn/s1600/screenshot.91.jpg)
- Checking that the first rule has been deleted:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGylASCQz7AEorx7at0huqoTVvuMo66vvWepvr19u9L45l4CsrRx_p3ljw5_LjFce5T2EIjg3vLv29nFt85c4yumlqO0T7MW9J-wvBhR-Sh6C3WvOL6U3w_FfVjo-KvoZ_jreHc2NqBzT3/s1600/screenshot.92.jpg)
- As a consequence, only packets from the local network trying to access the host via SSH will be allowed, and any other protocol, like HTTP or ICMP, will be filtered:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6tkGv-YOvF2pQr8lMvW28rXqbYox7scL4bzCxbjH_jNIzvLOeOLO8bfZ3pinMgNet-8mwodU7Pk3WGzouV9yONYLvDeqtm7wkp-zfWugxMZnbN8XiQ9AckwgVYbYGVLO2o1UgMYm4gP64/s1600/screenshot.94.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5DGvGoKjrVKk57fvBx-lxzgrcm75kGcz8mm6qfZAp_DQLpxpH55e5uS2LbyLw9twt801BiKTyJlycafexmeSz4PyPW-faWsKs3VkVpJMSuIs5H7oxM9parvbkyz65UtQ3mzvKI0qd4go1/s1600/screenshot.93.jpg)
- As expected, only the SSH service is available:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvu0eVCFd6It8qgEwarHzkUSgN7BDBut28mHtnV98S5YFd9kcQsjt9ythJY6pKPIavQhnzTCJRYVVxmG3EJPxgYIlW2AAia7ul2X9K-ixGJ7ajIuqv5rvgOmdJtKiyNdJtHdZTf_g5HFEc/s1600/screenshot.95.jpg)
5 - Logging
- Flushing the tables:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6pBP_tRcPYh82mL77gYGJ1njG4fqMj8aBnwXf2ITAOspGo1w43b48qpowKJUcmgcI4DKr3KE7bPDMa1EUt-eA2ekBPnfdDRjYblXKqwsoAiwxaNw3kybr8vjNKUP97fD9hv_TD7P8-_NN/s400/screenshot.55.jpg)
- Let's add rules that log all packets not matching the first rule (packets to port 22, the SSH service):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5WuZHaJxgTyANVdPkoaG3MZ1dCOOZZDUETP8WEWz_qAEZvfofFwlUs-hyXxhM5lWEZObum4d92zjbjMIn5DoNIbgf4A9Ugm23OLY2ifrtOVAI0XqsQn_Xz5TmVlJ51KzOWzbSOzsVnNI7/s1600/screenshot.57.jpg)
- Tailing the syslog file shows what happens when an HTTP packet arrives and is blocked by the firewall:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ8YAW4RCqi0dl3zo5_16s8Xr6Jfxza1XOgMUxZXbVv0xu0v9zZCJ9EaHEdLSnepXA9D7ypV1TETayfBsCSNe03NiIhYmkxi6Pin3zJlF0WxXCbUQbV5QNp6WHfqlurVUZwUHO5utwZFGm/s1600/screenshot.58.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinsIG1wh3NsxIqR9tq0oiyIf8IxuYP8800_ccLXJx2aXy4f7fOqXjV7suPd0lTDFZ2VJDZSL2CxKez7j1qE-sgb6h6vraz1TeVr86Xp3wQsZOexqM4ivoecluthwcDuUB13EQNgkogBPzR/s400/screenshot.59.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_Xs-ZS9zKNes7IbZS9J7rLjx7HKFJoUE3mlJX-reN0wmg9jo2FFTXy_BBnkpIRzYQkr7j9PCBu_qQ992NHaYOqM0hb-LPcwjY-vr5xK44mMFvSI0vqCBjRijW00oiCNkO5S6MnD7bp-Jx/s1600/screenshot.61.jpg)
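Added example (not from the post): a small summariser for the kernel LOG lines that rules like the ones above write to syslog, so that a noisy source shows up at a glance. The LOG prefix `IPT-DROP:` and the sample log lines are constructed; the rate limit on the LOG rule is an addition the post does not use.

```shell
#!/bin/sh
# Assumed rule set behind these log lines (the post's exact rules are only in
# the screenshots). The -m limit match is added so a flood cannot fill syslog.
#   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#   iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
#   iptables -A INPUT -j DROP

# Constructed sample lines in the key=value format the LOG target emits.
SAMPLE_LOG='Mar  3 10:15:01 server kernel: [ 812.1] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 server kernel: [ 813.4] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1111 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
Mar  3 10:15:03 server kernel: [ 814.0] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=999 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:04 server sshd[900]: Accepted publickey for admin from 192.168.1.50 port 50022'

# Reads syslog on stdin, keeps only lines carrying our LOG prefix ($1), prints
# one "PROTO SRC DST DPT" record per blocked packet (DPT is "-" for ICMP, which
# has no port) and finally a "COUNT SRC N" line per source address.
summarize_drops() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }
        {
            src = dst = proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            print proto, src, dst, dpt
            hits[src]++
        }
        END { for (s in hits) print "COUNT", s, hits[s] }'
}

# Offline run over the constructed sample; on a live host use e.g.
#   grep 'IPT-DROP:' /var/log/syslog | summarize_drops "IPT-DROP:"
printf '%s\n' "$SAMPLE_LOG" | summarize_drops "IPT-DROP:"
```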
6 - REJECT versus DROP
- It is interesting to compare two types of firewall blocking: REJECT versus DROP.
- While REJECT sends back an error message notifying the rejection, DROP silently discards the incoming packets.
- Let's apply REJECT to packets coming from the Kali Linux device and DROP to packets coming from a Windows device:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHVr_MW-ELEbQ4jJkz5jpsl96yz6kXSZPmehHDJva5t-hLJVtZxLM_yOf4VrrKxZ3b6j7CNcIRJh1zXdlI_C9uY_o9Yu5UZKD9H0iFKuqHjjbshYSkeU3SrpdyCiRLw4I8dp9rZPmDG3BC/s1600/screenshot.66.jpg)
- Scanning the system, all ports appear as filtered. While filtered means that a service is enabled but blocked by a firewall, closed means that the service is disabled:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj99Yiy6707QjTZ5V3DJ389s8vKx_XRUEmzLeoHwEKVVmjrGU2Q8BDtGbdW2en5ykff0kNIzjCJPG-boUtonQeWhbZrsbQvkxeOzpYldd6jZq5MefZx9kvlHS_es1KIvihFQtWU-cqfuevA/s1600/screenshot.64.jpg)
- Pings from Kali are rejected and notified as unreachable:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbTxXCYRFEOInsjED3TgI_xYOSKJrrBa9pWSudSM2RSlE2EQYgNXAWoXDK270QoJD-_oM0GPa8nxWTUXR1BgvfP7x503FVLTZuQbWdMwv_nx3q32GGy1dlscceZ7fUwunmLtXprgku9ctY/s1600/screenshot.72.jpg)
- However, pings from Windows are simply dropped, without any notification:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikSe30Bzpo91nQHXtDD4zpHUPOAgTeP8-2u5QyZNjMpe_BHkC_x8rLIpEY0jwIwCPvcxvzDtacXvyDh3yqFhqFdjh1HKDVTqd1_OmUHQQSB6-nF1uyO5gR5C6_nRaNN1qkrP4JkdMdnZ0l/s1600/screenshot.65.jpg)
- Also, SSH connection from Kali is notified as refused:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBwGMo7cxw-62Gl7yja0Yl6VO6Fg15QGCEdEFUl6x1ju3vT3ssWVNlrruUgT5F0ZJK8YF4JumrleLbyACO9yXuZpMjhEq6pisqoeA4dlWk8NOBbL8kufReayQ-UQ1PNdelLn0EQWRzHZ2d/s1600/screenshot.67.jpg)
7 - Saving iptables configuration
- One way of saving and restoring the iptables configuration is to use the commands iptables-save and iptables-restore together with a file such as iptables.conf:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY8ujD17u0nM2t2kYZqvWhdbq-dEgtJX5eJkSdJsI8RG439skbeg9v6nnasqmwP2elhw47Ry8YU5NAz15UTZiBMn_tZOJybXRy4o_r3nQwgL_huvS5Fnkd30K9ZJ6U7TkDD3Rs-8fEUQ-P/s1600/screenshot.80.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi765oA9pzvnoi7HtQ4NjcgeknmdAWcwmf-F9Vj0ZkKPUb7d4Frq3Q51E0wYI4PodrzwuQDU8ro_Jl0b7lSrbNfx71hld4uo4nqKGyj47HvsaZEEvGvCIrwcixRyVB0idJT-PS7WpSIDfU0/s1600/screenshot.81.jpg)
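Added example (not the post's own commands, which appear only in the screenshots): the section 3 ruleset written in the iptables-save format that iptables-restore loads, with the final action switchable between DROP (section 3) and REJECT (section 6). It assumes the web server on TCP/80, SSH on TCP/22 and the LAN 192.168.1.0/24 seen in the screenshots, assumes /etc/iptables.conf as the location of the post's iptables.conf, and adds a conntrack and a loopback rule the post does not have so that replies to the host's own outbound connections survive the catch-all rule.

```shell
#!/bin/sh
# Lab INPUT ruleset in iptables-save format, kept in a file and loaded with
# iptables-restore. Assumed from the screenshots: web on TCP/80, SSH on TCP/22,
# LAN 192.168.1.0/24.
LAN_NET="192.168.1.0/24"

# $1 = final action for unmatched packets: DROP (section 3) or REJECT (section 6).
gen_ruleset() {
    action="${1:-DROP}"
    case "$action" in
        DROP|REJECT) ;;
        *) echo "gen_ruleset: unsupported action '$action'" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Not on the page: without these two rules the final $action also discards
# replies to the host's own outbound connections (DNS, updates) and loopback.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Rule 1 (section 3): anyone may reach the web server
-A INPUT -p tcp --dport 80 -j ACCEPT
# Rule 2: SSH only from the local network
-A INPUT -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Rule 3: everything else, ICMP included, which is why ping fails.
# REJECT answers with an ICMP port-unreachable; DROP stays silent (section 6).
-A INPUT -j $action
COMMIT
EOF
}

# Number of rules appended to chain $1 in the generated ruleset (sanity check).
count_chain_rules() {
    gen_ruleset | awk -v c="$1" '$1 == "-A" && $2 == c { n++ } END { print n + 0 }'
}

# Let iptables-restore parse the ruleset without committing it (needs root).
check_ruleset() {
    gen_ruleset "$1" | iptables-restore --test
}

# Apply and persist only on explicit request, e.g. APPLY=1 ACTION=REJECT ./fw.sh;
# /etc/iptables.conf is an assumed location for the post's iptables.conf.
if [ "${APPLY:-0}" = 1 ]; then
    gen_ruleset "${ACTION:-DROP}" | iptables-restore
    iptables-save > /etc/iptables.conf
fi
```

Restoring later is `iptables-restore < /etc/iptables.conf`, which replaces the whole table atomically instead of appending rules one at a time.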