How to Turn a Unix Computer into a Router and Firewall Using IPTables

Transcription

1 How to Turn a Unix Computer into a Router and Firewall Using IPTables by Dr. Milica Barjaktarovic Assistant Professor of Computer Science at HPU Lecture from CENT370 Advanced Unix System Administration course at HCC

2 Linux Access Lists: IP Tables Firewalls References: Red Hat Linux Bible, Ch.16 Practical Guide to RH Linux, Ch.25 Red Hat Linux Firewalls, Red Hat Press 2003 frozentux.net/iptables-tutorial/iptables-tutorial.html

3 Assumptions You know some Unix? Syntax of Unix commands: command [options] [arguments] Basic Unix commands: ls, vi, cat, chmod, >, You know some networking? IP address, NAT, DMZ, private and public networks,

4 The issue: Protect Networks SOHO solution: network behind the main router/firewall More secure solution: DMZ configuration, private network behind the NAT Any Unix machine can be turned into a (100% software-based) router and/or firewall

5 Step 1: Turn your Unix box into a router Make sure the computer has at least two NICs installed and configured Enable routing Different syntax on different Unixes. Examples below. Temporary change: echo 1 > /proc/sys/net/ipv4/ip_forward Permanent change: Set net.ipv4.ip_forward = 1 in /etc/sysctl.conf OR: Set FORWARD_IPV4=true in /etc/sysconfig/network OR

6 CentOS6 Example external interface is eth0 and the internal eth1 # cat /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE="eth0" NM_CONTROLLED= no" ONBOOT=yes TYPE=Ethernet BOOTPROTO=none DEFROUTE=yes IPV4_FAILURE_FATAL=yes IPV6INIT=no NAME="System eth0" IPADDR=xxx.yyy PREFIX=24 GATEWAY=xxx.yyy DNS1=xxx.yyy.1.4 DNS2=xxx.yyy.8.3 DOMAIN="mydomain.net" HWADDR=00:25:90:60:27:96 UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 # cat /etc/sysconfig/network-scripts/ifcfg-eth1 DEVICE="eth1" NM_CONTROLLED= no" ONBOOT=yes TYPE=Ethernet BOOTPROTO=none IPADDR= PREFIX=24 DEFROUTE=yes IPV4_FAILURE_FATAL=yes IPV6INIT=no NAME="System eth1" UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04 GATEWAY=xxx.yyy HWADDR=00:25:90:60:27:97 # cat /etc/sysconfig/network NETWORKING=yes HOSTNAME=myhost.mydomain.net FORWARD_IPv4= yes

7 Step 2: Turn your Unix box into a firewall The firewall is implemented in software, using IPTables access lists Logically, IPTables is a generic table structure that defines rules and commands as part of the netfilter framework that facilitates Network Address Translation (NAT), packet filtering, and packet mangling in the Linux 2.4 and later operating systems. i.e. IP tables is a set of access rules used for routing, firewalls, NAT, proxy servers, etc. Physically, IPTables is implemented using iptables command (chek it out: man iptables)

8 Each RH box already has a default IPTables firewall built in If iptables service is on, the default firewall is running! The default firewall allows everything The default IPTables is implemented as the script located in /etc/sysconfig/iptables file Default IPTables can be configured: via GUI use System Settings Security Level utility, or /usr/bin/redhatconfig-securitylevel GUI tool to choose a preconfigured firewall (High, Medium or no firewall) OR manually the default configuration file with firewall rules is /etc/sysconfig/iptables, read by the init script /etc/rc.d/init.d/iptables

9 Best: Create Custom IPTables scripts Create and/or manipulate IPTables manually from the command line using the iptables command Put commands into a script, chmod u+x Manually configuring IPTables is a better choice bc: It allows more control than default firewall, which provides a limited number of configuration options Default firewall will automatically override any changes you make to IPTables manually

10 The history: Linux Access Lists in RH Family IP Chains Default access list technology before Red Hat Linux 7.1 Provides basic syntax for access lists Not included in Fedora IP Tables Default access list mechanism for Linux kernel 2.4.x- 2.6.x, Red Hat Linux and Fedora 1,2,3 More complex access list syntax => more capabilities General purpose tool that experienced system administrators must be able to use.

11 Basics of Packet-Filtering Firewalls Inspect every packet passing through firewall Check access list rules against the packet Each rule is in form: if packet satisfies condition, then action Typically, action is: pass or drop the packet Typically, there are several dozen rules Rules are executed from top to bottom The first rule that fires is taken There is one default rule, applied to packets that don t satisfy any other rule.

12 Example Conceptually If packet is going out, pass it Else If packet is coming in, drop it Else If packet is passing through, drop it IPTables implementation iptables P OUTPUT j ACCEPT iptables P INPUT j DROP iptables P FORWARD j DROP In IPTables, there are default rules for packets going out (OUTPUT), coming in (INPUT) and passing through (FORWARD)

13 Sneak Preview: IPTables examples Example: default firewall lets everything in /out /through iptables -P INPUT j ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT Example: block pings SERVER_IP=" " iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -j DROP iptables -P INPUT j ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT The consequence: must specifically address every item to be dropped unrealistic Still unrealistic

14 Example: real firewall lets only allowed packets in iptables -P INPUT j DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT # Accept packets from trusted IP addresses iptables -A INPUT -s j ACCEPT # Accept tcp packets on destination port 22 (SSH) iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -i lo -j ACCEPT This script wont allow internal users to surf the web, query DNS, etc.. Why. Example: desktop firewall lets in only responses initiated by requests from the inside net iptables -P INPUT j DROP iptables -P FORWARD j DROP iptables -P OUTPUT j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #allow internal users to get response from outside servers iptables -A INPUT -i lo -j ACCEPT

15 IPTables inherits chains from IPChains, so there are total of 6 chains, including 3 main userdefined chains: INPUT for packets coming in from outside OUTPUT - for packets going outside FORWARD for packets being forwarded The 3 chains are grouped in 3 tables IPTables Syntax: IPTables Chains A chain is a list of rules, i.e. an access list, to be applied to certain packets A rule has a condition to match and a target action to perform

16 3 tables used IPTables tables ;) filter table (default table for firewalls) used for packet filtering access lists used to control forwarding packets between network interfaces nat table used for network address translation (destination NAT aka DNAT source NAT aka SNAT, and masquerading) mangle table used for modifying packet header fields enables modifying Type of Service and Time To Live fields of packet header enables marking packets for later recognition not usually required for firewall designs

17 Filter Table Used to create firewalls based on packet filtering Uses 3 chains similar to the main chains: INPUT, OUTPUT, FORWARD Rules are stateful They can test whether a packet is associated with or related to an established connection.

18 NAT Table Used for source and destination NAT (SNAT and DNAT) and masquerading DNAT: proxying, port forwarding SNAT: accessing host on private net Masquerading: simple case of SNAT NAT table uses 2 chains: PREROUTING for DNAT operations (i.e. modify the destination IP address or port) POSTROUTING for SNAT and masquerading (i.e. modify the source IP or port)

19 IPTables Packet Paths

20 Syntax for IPTables Rules iptables -A INPUT -i eth0 -p tcp -s /8 -d /24 -j DROP Command name: iptables Operation to perform: -A, -I, -D, -R Chain to apply operation to: INPUT,OUTPUT,FORWARD Interface to apply rule to: -i eth0 Protocol to test: -p tcp Source address/network: -s /8 Destination address/network: -d /24 Action to take: -j DROP

21 IPTables Operations (evoked via options of iptables command) Chain Operations List the rules associated with a chain (-L) Flush a chain (i.e., delete its rules) (-F) Zero counters associated with a chain (-Z) Create a user chain (must be associated with a table) (-N) Delete a user chain (-X) Set the default policy associated with a chain (-P) Rename a user chain (-E) Rule Operations Add a rule at the head of a chain (insert) (-I) Add a rule at the end of a chain (append) (-A) Delete a rule (-D) Replace a rule (-R)

22 Operations for Chains List a chain iptables -L chain iptables -L --line-numbers chain iptables -L -v chain List and display line-numbers iptables -L --line-numbers chain Flush a chain - delete all associated rules iptables -F chain Set default policy (ACCEPT, REJECT, DROP) iptables -P chain policy (e.g. iptables -P INPUT DROP) Create a user-defined chain iptables -N chain Delete a user-defined chain iptables -X chain

23 Operations for Rules Insert a rule at the head of the chain iptables -I INPUT specifiers target Add a rule at the end of the chain iptables -A INPUT specifiers target Delete a rule iptables -D INPUT specifiers target iptables -D chain line-number Replace a rule iptables -R chain line specifiers

24 iptables specifiers Packet characteristics For example: Protocol (-p) -p tcp, -p udp, -p icmp Source IP address (-s) -s /24 Destination IP address (-d) -d Input interface (-i) -i eth0, -i lo Output interface (-o) -o lo, -o eth0 Header characteristics TCP datagrams: Source port (--sport), destination port (--dport), SYN or other TCP flags, TCP options UDP datagrams: Source port (--sport), destination port (--dport) ICMP Messages ICMP type and code Use! to indicate negation or exclusion (spaces required) -p! tcp -s! s! /24

25 IPTables Targets (actions to perform) Possible actions for IPTables rules ACCEPT - packet is passed to next chain DROP - packet is discarded aka blocked without any response aka in stealth mode) REJECT - sends an error packet to sender - unsafe LOG - logs packet using syslog RETURN - returns from user chain SNAT, DNAT, MASQUERADE Invoke chain using -j chain-name Examples -j ACCEPT -j DROP -j mychain

26 Non-routable aka private IP addresses class A /8 ( ) class B /12 ( ) class C /16 ( )

27 Specify Protocol -p tcp, -p udp IPTables Rules Options Specify Source/Destination -s / or -s! /8 -d / or -d! /8 Specify Interface -i eth0 or -i eth+ (input, forward chains) -o eth0 or -o eth+ (output, forward chains) Specify Fragment Flag -f or! -f (fragment flag set or not set)

28 IPTables Rules Options Protocols and Ports -p udp --sport 53 or -p udp -dport 53 -p tcp, udp --sport 0:1023 or -p tcp, udp --dport 0:1023 -p tcp, udp --sport :1023 or -p tcp, udp --dport :1023 -p tcp, udp --sport 1024: or -p tcp, udp -dport 1024: Protocol and control flags -p tcp --syn (SYN set, but ACK and FIN not set) -p tcp! --syn (SYN not set, or SYN and ACK or FIN set) -p tcp --tcp-flags SYN, ACK, FIN SYN (same as --syn) -p tcp --tcp-flags ALL NONE ALL = ACK, FIN, RST, PSH, SYN, URG

29 IPTables Rules Options ICMP protocol -p icmp --icmp-type echo-request -p icmp --icmp-type echo-reply -p icmp -icmp-type host-unreachable

30 IPTables Rules Connection State Connection States NEW - no connection established yet ESTABLISHED - 2-way exchange completed RELATED - associated with a new connection related to an established connection (e.g., ftp) INVALID - associated with a connection that has a problem (malformed packet or header) To test for connection state, do: -m state --state ESTABLISHED,RELATED

31 MAC source address use in filter FORWARD and INPUT chains -m mac --mac-source 00:05:69:00:04:BA

32 Multiple ports -p tcp -m multiport --source-port 21,22,25,80 -p tcp -m multiport --destination-port 20,21

33 -m ttl --ttl 1 Time to Live

34 Process owner -m owner --uid-owner uid-owner-id -m owner --gid-owner gid-owner-id

35 User Chains User chains are user-defined chains and must be associated with the FILTER, NAT, or MANGLE table. User chains can be used to create chain components that can be called from other chains to perform specific actions. To create a user chain use iptables -N chain where chain is the name of the chain being created. To delete a user chain use: iptables -X chain To rename a user chain, use iptables -E old new

36 Creating a User Chain (log_badip) # create a chain to log and drop bad IP addresses iptables -N log_badip iptables -A log_badip -p tcp --dport 137:139 -j DROP iptables -A log_badip -p udp --dport 137:139 -j DROP iptables -A log_badip -j LOG --log-prefix "IPT BAD" iptables -A log_badip -j DROP

37 Creating a User Chain (using a script) #create a chain to test for bad IP addresses BADIP=" / / / /16 \ / / /16 \ / / " iptables -N test_badip for ip in $BADIP do iptables -A test_badip -s $ip -j log_badip iptables -A test_badip -d $ip -j log_badip done

38 Invoking User-Chains from INPUT chain #Uses INPUT chain to invoke the # user-defined chains, test_badip and log_badip iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -j test_badip iptables -A INPUT -j log_badip

39 Starting and Stopping IPTables service To start/stop/restart (pick only one choice) the IPTables service use: /sbin/service iptables start/stop/restart To save the IPTables rules for reuse: /sbin/service iptables save

40 Setting IPTables to Start by default display iptables runlevel settings /sbin/chkconfig --level iptables change iptables runlevel settings /sbin/chkconfig --level 345 iptables on

41 IPTables as a shell script Can create very complex, operational firewalls using the iptables command with shell variables and shell scripts The IP tables rules and configuration are stored in file /etc/sysconfig/iptables This file must exist in order to use the iptables command to modify the rules in your access list. But don t put your IPTables into this file.

42 Creating IPTables rules Method 1 (recommended) Use the iptables command. Put all commands into a custom script and run it. The first command should be flushing the existing default IPTables with iptables F. Review: how do we make and run a script? Method 2 (NOT recommended) Edit the default iptables file /etc/sysconfig/iptables

43 Put all rules into a script: (too) Simple IPTables Firewall #flush old rules iptables -F iptables X # Replace xxx.xxx.xxx.xxx with IP address of name server MYSERVER= xxx.xxx.xxx.xxx #these rules are checked first, in exactly this order; packet is treated according to the first rule that matches iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p udp -s $MYSERVER --sport 53 -j ACCEPT iptables -A INPUT -p tcp --syn -j REJECT iptables -A INPUT -p udp -j REJECT #default rules, applied last (usually they are specified on top of file) iptables -P INPUT ACCEPT What is the problem iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT with this script?

44 Simple IPTables Firewall: allow in only DNS responses #flush old rules iptables -F iptables X # Replace xxx.xxx.xxx.xxx with IP address of name server MYSERVER= xxx.xxx.xxx.xxx #no hardwiring; work with variables #these rules are checked first, in exactly this order; packet is treated according to the first rule that matches iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p udp -s $MYSERVER --sport 53 -j ACCEPT #iptables -A INPUT -p tcp --syn -j REJECT #iptables -A INPUT -p udp -j REJECT #default rules, applied last (usually they are specified on top of file) iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP

45 Advanced IPTables Firewall Implementation Two basic network flavors: private network behind a NAT, or servers in DMZ IPTables can do: Packet Forwarding Network Address Translation (NAT) Destination NAT Source NAT Masquerading Enabling Linux Routing

46 DMZ Setup SOHO Setup Private network NAT Public network

47 Public and Private Firewall F has: prf: private IP on internal interface IIF pubf: public IP on external interface EIF Server S is DNATed; it has: prs: private IP pubs: public IP where pubs = pubf Client C is SNATed; it has: prc: private IP pubc: public IP where pubc = pubf

48 Packet Forwarding Multi-homed hosts Filter packets traversing network interfaces Routing host or router Forwarded packets traverse the IPTables FORWARD chain associated with the filter table. Add rules to the FORWARD chain to control flow of traffic between networks. IIF=eth0 #internal interface EIF=eth1 #external interface iptables -P FORWARD DROP iptables -A FORWARD -i $IIF -o $EIF -j ACCEPT iptables -A FORWARD -i $EIF -o $IIF -j ACCEPT

49 Packet Forwarding Example iptables -P FORWARD j DROP iptables -A FORWARD -i eth0 -o eth1 -s d j ACCEPT iptables -A FORWARD -i eth1 -o eth0 -s d j ACCEPT iptables -A FORWARD -j LOG --log-prefix "IPT FWD Drop "

50 Another Packet Forwarding Example iptables -P FORWARD j DROP iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT iptables -A FORWARD -i eth0 -o eth1 -m state -- state ESTABLISHED, RELATED -j ACCEPT iptables -A FORWARD -j LOG --log-prefix "IPT FWD DROP"

51 Network Address Translation (NAT) Flavors NAT Modifies either source or destination IP addresses. Source NAT (SNAT) Modifies the source IP address of a packet Performed in POSTROUTING chain of the nat table (outbound direction) Destination NAT (DNAT) Modifies the destination IP address of a packet Performed in the PREROUTING chain of the nat table (inbound direction)

52 NAT Packet Path

53 Uses for Destination NAT (DNAT) Transparent proxying Clients request services using surrogate IP address Port forwarding Modification of destination port Enables clients to access a service via a surrogate destination port Load balancing Specify multiple IP addresses in DNAT rule Each host in range receives a proportional share of the traffic

54 DNAT General Form iptables -t nat -A PREROUTING -i intf specifiers \ -j DNAT --to-destination ip[-ip][:port[-port]] Example: iptables -t nat -A PREROUTING -i eth0 -o eth1 \ -p tcp -d dport 80 -j DNAT \ --to-destination :8080 Caveat: also must have forwarding rules

55 DNAT 1. Transparent proxying: access a host on a private network E.g. Client refers to server as , the actual address is : iptables -t nat -A PREROUTING -i eth0 \ -d j DNAT --to-destination Port forwarding E.g. Reach a web server running on port 8080 via destination port 80: iptables -t nat -A PREROUTING -i eth0 -p tcp \ -d dport 80 -j DNAT \ -- to-destination : Load balancing: for selecting one of many servers

56 Uses of Source NAT (SNAT) Enable hosts with nonroutable addresses to communicate with Internet hosts Enable multiple hosts to share a single IP address Hide the true IP address of a host Resolve certain problems with DNAT

57 SNAT Enabling private IPs to access Internet; hiding the true IP; enabling multiple clients to share a single IP E.g. Client's actual address is ; firewall performs NAT; servers sees client as : iptables -t nat -A POSTROUTING -o eth0 \ -s j SNAT --to-source Many clients can share one (or more) SNATs: iptables -t nat -A POSTROUTING -o eth0 \ -s /24 -j SNAT \ --to-source (or only one IP)

58 SNAT Examples iptables -t nat -A POSTRTOUTING -o eth0 \ -s j SNAT --to-source iptables -t nat -A POSTROUTING -o eth0 \ -s /24 -j SNAT --to-source iptables -t nat -A POSTROUTING -o eth0 \ -s /24 -j SNAT --to-source iptables -t nat -A POSTROUTING -o eth0 \ -s /24 -j SNAT --to-source : iptables -t nat -A POSTROUTING -o eth0 \ -s /24 -j MASQUERADE [--to-ports ] Caveat: also must include forwarding rules

59 IP Masquerading Simplified form of SNAT, but slower-to-run Packets receive IP address of output interface as their source address. Useful when the IP address of the output interface is not fixed (i.e., obtained via DHCP) and cannot be embedded in firewall rules. Example (applied on routing host): E.g. Client's actual address is ; firewall's actual address is ; server sees client's packets as coming from : iptables -t nat -A POSTROUTING -o eth0 \ -s j MASQUERADE

60 Reply Packets IPTables automatically de-nats reply packets associated with a connection established via SNAT. For DNAT, IPTables automatically re-nats reply packets associated with a connection established using DNAT.

61 Accessing a DNAT Host from the local network If a local host can be accessed from Internet, it can be a problem to access it from the LAN For example: If internal client accesses WebServer using the WebServer's public address, the routing host performs DNAT and forwards request to WebServer. WebServer sees unmodified source address and sends replies directly to the requestor. Client does not properly associate replies with requests, since IP addresses don't match.

62 Accessing a DNAT Host from the local network, cntd. Example: server at is DNATed as So: When a local host contacts the server at , firewall DNATs it to and gives it to the server; the server replies directly to the client instead of replying via the firewall, using source IP of , so the client cannot associate this reply with its original request. Fixes Split-horizon DNS DNS server configured to handle internal requests differently from external requests. Router performs both SNAT and DNAT when handling internal requests, so responses are sent via the router.

63 Accessing a DNAT Host from the local network cntd. Solution1: substitute the IP address of the firewall as the source IP of packets destined to the server; server replies to firewall ; firewall gives to the client iptables -t nat -A PREROUTING \ -i eth0 -o eth1 -d \ -j DNAT --to-destination iptables -t nat -A POSTROUTING -s /24 -d \ -j SNAT --to-source

64 Accessing a DNAT Host from the local network general formula In general: Firewall F has private IP prf and public IP pubf Server S is DNATed; it has private IP prs and public IP pubs, where pubs = pubf Client C is SNATed; it has private IP prc and public IP pubc, where pubc = pubf Problem: Client C contacts server at pubs, so the packet ends at F and F forwards to prs. Since the packet has sourceip = prc, S replies directly to prc, so sourceip =prs, and C cannot tell that the reply is associated with the request to pubs.

65 Accessing a DNAT Host from the local network general formula cntd. Recap: Firewall F has private IP prf and public IP pubf Server S is DNATed; it has private IP prs and public IP pubs, where pubs = pubf Client C is SNATed; it has private IP prc and public IP pubc, where pubc = pubf Solution: Client C contacts server at pubs but with sourceip=prf; F forwards to prs. Since the packet has sourceip = prf, S replies to prf and firewall forwards to C.

66 Firewall Maintenance Maintain record of changes to firewall Keep backup copy of firewall code Include a command in firewall script that mails a copy of the firewall to a designated user on your local network. mail -s "Firewall backup" user@host.domain < script Encrypt the file before sending Flush old rules first; if the firewall is accessed remotely, put in a rule for allowing incoming SSH packets, in case you flush the IPTables and lock yourself out iptables -A INPUT -p tcp --dport 22 -j ACCEPT

67 Enabling Linux Routing Define a default gateway or default gateway device in the /etc/sysconfig/network file GATEWAY= GATEWAYDEV=eth0 Turn on IP packet forwarding in /etc/sysctl.conf file: net.ipv4.ip_forward = 1 Restart network and iptables /etc/init.d/network restart /etc/init.d/iptables restart Verify network netstat -r

68 Summary of Forwarding Define forwarding rules (FORWARD chain) Define NAT translation rules nat table, PREROUTING and POSTROUTING chains Save changes to iptables service iptables save #if you are working with default Define default gateway or gateway device Enable packet forwarding Restart network and iptables

69 IPTables Specifics To use NAT, we must set up forwarding first: the firewall has forwarding enabled IPTables has FORWARD chain rules that specify from interface to what interface we want to forward and how to deal with forwarded packets Local hosts have to be configured to have the private side of the firewall listed as their gateway (and the DNS server is the DNS server of the firewall - optional)

70 IPTables at-a-glance 1. Put all iptables commands into a script: 1) flush all old iptables and also nat iptables (those are separate options) 2) Specify INPUT, OUTPUT, FORWARD, and/or nat rules (nat requires FORWARD rules first) 3) Specify default policy 1) If default policy is to DROP then the rules should be about ACCEPT, and vice versa. Why? 2. Configure the firewall 3. Configure the local hosts 4. Run the script

71 Example: A simple firewall for a NAT and DMZ network and