- Layout for this exercise:
1 - Introduction to Iptables
- Iptables is a powerful firewall that provides a table based system for defining rules that can filter or transform packets.
- Iptables is integrated in the Linux kernel as part of the netfilter project, having the ip6tables version for IPv6.
- Iptables has 5 tables or zones where a string of rules can be applied:
a) raw: filters packets before any other table. It is mainly used to configure connection tracking exemptions in combination with the target NOTRACK.
b) filter: default table if not passed the -t option.
c) nat: used for network address translation. Due to limitations in iptables, filtering should not be done here.
d) mangle: used for altering specialized network packets (see Mangles packet).
e) security: used for Mandatory Access Control network connection rules.
- Tables contain chains which are lists of rules that handle the network packets.
- By default the filter table contains 3 built-in chains: INPUT, OUTPUT, FORWARD.
a) INPUT: all incoming traffic directed to the machine is passed through this chain.
b) OUTPUT: all outbound traffic generated locally passes through this chain.
c) FORWARD: all routed traffic which has not been supplied locally passes through this chain.
- Also, other often used built-in chains are PREROUTING and POSTROUTING:
a) PREROUTING: alters packets before routing.
b) POSTROUTING: alters packets after routing.
- Users can define rules of the chains to make them more efficient. Compiled chains have a predefined target which is used if no rules are defined. Neither compiled nor user-defined chaina can be a predefined target.
- The filtering of network packets is based on rules which are specified by various matches or conditions that the packet must satisfy for the rule to apply, and a target or action to take when the package fully matches the condition. While individual conditions are often very simple, the specification of the entire rule can be very complex.
- Targets are specified by the -j or --jump option. Targets can be either user-defined chains, one of the special integrated targets, or a target extension.
- The integrated targets are ACCEPT, DROP, QUEUE, RETURN; the target extensions are for example REJECT and LOG.
- If the target is an integrated target the destination of the packet is decided immediately and the processing of the network packet in the current table is stopped.
- If the target is a chain defined by the user and the packet successfully overcomes the chain it will move to the next rule.
2 - Setting the lab
- To start with a blank slate the command iptables -F (flush) removes any possible iptables configuration:
- Connection to the web server is available:
- Also SSH connection is available:
3 - Creating rules
- The first rule is added (-A option) and accepts any incoming packet directed to the web server or port 80:
- Listing the rule with numbers (-nL):
- Adding another rule that accepts incoming packets from the local network (192.168.1.0/24) and directed to port 22, where SSH service is enabled:
- The third and last rule forces to drop any other type of packet that does not match the 2 previous rules:
- Listing the 3 rules:
- Now, let's check that the web connection is successful from the Kali system:
- The SSH connection from Kali is also successful:
- However a ping is not successful because it works with ICMP protocol, not included in the previously defined rules:
4 - Deleting rules
- The option -D can be used to delete individual rules. Using --line-numbers option we can see an ordered list of the rules:
- For instance, let's delete the first rule leaving untouched the other two rules.
- Checking that the first rule has been deleted:
- As a consequence, only packets from local network trying to access via SSH will be allowed, and any other protocol like HTTP or ICMP will be filtered:
- As expected, only SSH service is avilable:
5 - Logging
- Flushing the tables:
- Let's add these rules that enable logging of all packets not matching the first rule (packets to port 22 or SSH service):
- Tailing the syslog file to see what happens when an HTTP packet tries to arrive and it is blocked by the firewall:
6 - REJECT versus DROP
- It is interesting to compare two types of firewall blocking: REJECT versus DROP.
- While REJECT sends back a message notifying the rejection, DROP just drops the incoming packets.
- Let's apply REJECT to packets coming from Kali Linux device and DROP to packets coming from a Windows device:
- Scanning the system all ports appear as filtered. While filtered means that a service is enabled but blocked by a firewall, close means that the service is disabled:
- Pings from Kali are rejected and notified as unreachable:
- However, pings from Windows are simply dropped without no notification:
- Also, SSH connection from Kali is notified as refused:
7 - Saving iptables configuration
- One way of saving and restoring iptables configuration is to use the commands iptables-save and iptables-restore and the file iptables.conf: