OUTLINE

Cynicism: How can I secure my linux box with iptables?

What is a firewall? What is iptables for?

  filtering: dropping or rejecting certain kinds of packets from going in
             and/or out of your linux box
    -- as a router, protecting other computers
    -- as an end computer

  masquerading (NAT):
    -- sharing an external IP address by many internal computers
    -- optionally, mapping ports to ports behind masquerade -- "DMZ"

  mangle & other tricks: swiss army knife!
    example: source-address-based routing decisions (my LAN party)
    example: fixing TCP MSS for broken computers

  auditing:
    logging suspicious packets
    counting packets

Internet Packet review

  IP:    protocol, source address, dest address
  ICMP:  type, code
  UDP:   source port, dest port
  TCP:   source port, dest port, flags (SYN, FIN, ACK, ...),
         connected state (ESTABLISHED, RELATED, ...)

Addresses and netmasks

  number of     number of      slash       dotted
  addresses     subnet bits    notation    quad
  in subnet
  ---------     -----------    --------    ---------------
      4              2           /30       255.255.255.252
      8              3           /29       255.255.255.248
     16              4           /28       255.255.255.240
     32              5           /27       255.255.255.224
     64              6           /26       255.255.255.192
    128              7           /25       255.255.255.128
    256              8           /24       255.255.255.0

  first and last   log base 2     32 - number of   last number is
  number usually   of number of   subnet bits      256 - number of
  unusable         addresses                       addresses in subnet

Network Interfaces

  eth0
  eth1
  lo
  ppp0 (point-to-point)
  tun0 (point-to-point)
  tun1 (point-to-point)

Related commands

  modprobe ip_tables
  modprobe iptable_filter
  modprobe ip_conntrack
  modprobe ip_conntrack_ftp
  modprobe ip_nat_ftp
  ifconfig eth0 204.4.4.4 netmask 255.255.255.0 up   ;# to the world
  ifconfig eth1 10.1.1.1 netmask 255.255.255.0 up    ;# to local network
  route del default
  route add default gw 204.4.4.1                     ;# for dest with no interface
                                                     ;# nor other route
  echo 1 > /proc/sys/net/ipv4/ip_forward             ;# enable kernel forwarding
  arp -Ds 204.4.4.5 eth0 pub                         ;# proxy arp for an apparent neighbor
  /etc/rc.d/rc.local
  nameif
  tcpdump -tni eth0 -c 500 -s 999
  netcat
  nmap
  Redhat: /etc/sysconfig/network
          /etc/sysconfig/network-scripts/ifcfg-*
          /etc/sysconfig/iptables
          lokkit

Three Tables (Linux 2.4)

  -t filter   // the default
  -t nat      // for masquerade and other NAT
  -t mangle   // swiss army knife, many experimental modules

Special Chains

  chain        which tables have them?   can match interface with
  -----------  ------------------------  ------------------------
  INPUT        filter mangle             -i
  OUTPUT       filter nat mangle         -o
  FORWARD      filter mangle             -i -o
  PREROUTING   nat mangle                -i?
  POSTROUTING  nat mangle                ? -o

Special Target (Chains)

  ACCEPT DROP DENY LOG RETURN QUEUE MASQUERADE ROUTE

Main Commands in iptables

  -N chain            // create new chain
  -X chain            // delete chain -- only if empty
  -L [chain]          // list chain ( recommend adding -v )
  -Z [chain]          // zero the counters ( combines with -L )
  -F chain            // flush (delete) all rules in chain
  -P chain target     // default policy target
  -I chain rule....   // insert at beginning of chain
  -A chain rule....   // append to end of chain
                      // also -E, -D, -R

Listing options

  -v               // verbose -- required for "extended" options!
  -n               // numeric -- don't look up IP addresses
  --line-numbers   // number the rules

Basic Packet Matching

  -p [!] tcp           // protocol: tcp udp icmp
  -s [!] 127.0.0.1     // source address (or range)
  -d [!] 10.1.1.0/24   // destination address (or range)
  -i [!] eth0          // input interface
  -o [!] eth1          // output interface
  [!] -f               // second and later ip fragments

Extended Packet Matching Modules

  -m udp  --sport [!] 2049  --dport [!] 0:1023
  -m tcp  --sport [!] 2049  --dport [!] 0:1023  [!] --syn
                                     // also --tcp-flags, --tcp-options, --mss
  -m icmp --icmp-type [!] typename   // iptables -p icmp -h
                                     // also mac, limit, state, length, ttl, owner, ...

Examples

  Examine Redhat Lokkit
  Build a masquerade firewall
  Declare a DMZ
  Route a Party Lan
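The netmask table under "Addresses and netmasks" states four relationships (address count, "subnet bits", slash notation, dotted quad) and the rule of thumb that the first and last address are unusable. The following POSIX sh functions are an added example, not part of the outline: they derive each column from the others so the table can be regenerated instead of memorised, and they go one step further with in_subnet, the same address/mask comparison that an iptables -s or -d argument such as 10.1.1.0/24 performs on a packet. The host addresses used in the comments are taken from the outline's "Related commands" section.

```shell
#!/bin/sh
# Added example: subnet arithmetic in plain POSIX sh (no bc, no external tools).

ip_to_int() {
    # dotted quad -> 32-bit integer, e.g. 10.1.1.1 -> 167837953
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int_to_ip() {
    # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix_to_mask() {
    # column 4 from column 3: /NN means the top NN bits set, the 32-NN host bits clear
    int_to_ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

prefix_to_addresses() {
    # column 1 from column 3: 2^(32-NN) addresses in the subnet
    echo $(( 1 << (32 - $1) ))
}

prefix_to_subnet_bits() {
    # column 2 from column 3: the table's "subnet bits" are 32 - NN
    echo $(( 32 - $1 ))
}

addresses_to_prefix() {
    # column 3 from column 1: 32 minus log base 2 of the address count
    n=$1; bits=0
    while [ "$n" -gt 1 ]; do n=$(( n / 2 )); bits=$(( bits + 1 )); done
    echo $(( 32 - bits ))
}

usable_hosts() {
    # the first (network) and last (broadcast) address are usually unusable
    echo $(( $(prefix_to_addresses "$1") - 2 ))
}

mask_to_prefix() {
    # count the set bits of a dotted quad mask: 255.255.255.224 -> 27
    m=$(ip_to_int "$1"); bits=0
    while [ "$m" -ne 0 ]; do bits=$(( bits + (m & 1) )); m=$(( m >> 1 )); done
    echo "$bits"
}

in_subnet() {
    # in_subnet ADDR NETWORK PREFIX: true when ADDR lies inside NETWORK/PREFIX.
    # This is the comparison behind iptables -s 10.1.1.0/24 : mask both
    # addresses with the netmask and compare what is left.
    mask=$(ip_to_int "$(prefix_to_mask "$3")")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

print_table() {
    # regenerate the outline's table from the formulas above
    for p in 30 29 28 27 26 25 24; do
        printf '%4d %4d   /%d   %s\n' "$(prefix_to_addresses $p)" \
            "$(prefix_to_subnet_bits $p)" "$p" "$(prefix_to_mask $p)"
    done
}

# usage: sh netmask.sh prints the table; source the file to use the functions
print_table
```

The hex constant and shift operators are part of POSIX arithmetic expansion, so the script runs unchanged under dash and bash. in_subnet is the check to keep in mind when writing -s and -d rules: only the bits covered by the mask are compared, so 10.1.1.77 and 10.1.1.0/24 match while 204.4.4.4 does not.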
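The Examples list ends with "Build a masquerade firewall" and "Declare a DMZ", and the earlier sections describe the pieces: the filter, nat and mangle tables, the special chains, -m state, --syn, the LOG target and the TCP MSS fix. The script below is an added example, not the outline's own or Red Hat's lokkit output, that puts those pieces together for the box configured under "Related commands" (eth0 204.4.4.4 to the world, eth1 10.1.1.1 on 10.1.1.0/24). The DMZ host 10.1.1.10, the mapped port 80, the ssh rule and the LOGDROP chain name are assumptions. Every command goes through a run wrapper so DRY_RUN=1 prints the rule set without root, which is also how the test checks it.

```shell
#!/bin/sh
# Added example: a masquerading firewall with a DMZ port map, MSS clamping
# and logging of dropped packets. Addresses from the outline; DMZ host,
# ports and chain name are assumptions.

WAN_IF=eth0
WAN_IP=204.4.4.4
LAN_IF=eth1
LAN_NET=10.1.1.0/24
DMZ_HOST=10.1.1.10   # hypothetical internal web server

run() {
    # execute the command, or only print it when DRY_RUN is set
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

reset_tables() {
    # flush the three tables and start from deny-by-default for traffic
    # to and through the box; the box's own outbound traffic is allowed
    for t in filter nat mangle; do
        run iptables -t $t -F
        run iptables -t $t -X
    done
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
}

allow_local_and_established() {
    run iptables -A INPUT -i lo -j ACCEPT
    # anti-spoofing: LAN source addresses must never arrive on the world side
    run iptables -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
    run iptables -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
    # replies to connections the box or the LAN opened (needs ip_conntrack)
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ssh to the box from the LAN only: new TCP connections (--syn) to port 22
    run iptables -A INPUT -i $LAN_IF -p tcp --dport 22 --syn -j ACCEPT
}

masquerade_lan() {
    # LAN -> world: forward new connections and rewrite their source to the WAN address
    run iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
    run iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
    # mangle trick from the outline: clamp the MSS of forwarded SYNs to the path MTU
    run iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

declare_dmz() {
    # "DMZ": map public port 80 to the internal host and forward only that traffic
    run iptables -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 80 \
        -j DNAT --to-destination $DMZ_HOST:80
    run iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $DMZ_HOST -p tcp --dport 80 --syn -j ACCEPT
}

audit_suspicious() {
    # auditing: log (rate limited so the log cannot be flooded) and then drop
    # whatever reached the end of INPUT or FORWARD without matching a rule
    run iptables -N LOGDROP
    run iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    run iptables -A LOGDROP -j DROP
    run iptables -A INPUT -j LOGDROP
    run iptables -A FORWARD -j LOGDROP
}

enable_forwarding() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

apply_firewall() {
    reset_tables
    allow_local_and_established
    masquerade_lan
    declare_dmz
    audit_suspicious
    enable_forwarding
}

# preview: DRY_RUN=1 APPLY=1 sh firewall.sh    apply as root: APPLY=1 sh firewall.sh
if [ -n "${APPLY:-}" ]; then apply_firewall; fi
```

Rule order matters: the anti-spoofing and ESTABLISHED,RELATED rules sit before anything else so forged LAN addresses from eth0 are dropped first and return traffic never reaches the LOGDROP chain, and the DMZ forward rule admits only the port that was DNATed rather than the whole host. After applying, iptables -L -v -n shows the per-rule counters, and iptables -Z resets them for the "counting packets" part of auditing.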
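"Route a Party Lan" in the Examples list refers back to the mangle example "source-address-based routing decisions (my LAN party)", and the auditing section mentions counting packets. The script below is an added example, not from the outline: it marks packets from an assumed party range 10.1.1.128/25 in the mangle table and uses an iproute2 policy rule to send marked traffic out an assumed second uplink ppp0, then sums the per-rule packet counters from an iptables -L -v -n -x listing. The listing fed to the counter is constructed sample output, not captured from a real box, and the mark value 7 and table number 100 are arbitrary.

```shell
#!/bin/sh
# Added example: source-address-based routing with mangle MARK + ip rule,
# plus counting packets per rule from an iptables listing.

PARTY_NET=10.1.1.128/25   # assumed: the party half of the 10.1.1.0/24 LAN
PARTY_IF=ppp0             # assumed: second uplink reserved for party traffic
PARTY_MARK=7              # arbitrary fwmark value
PARTY_TABLE=100           # arbitrary routing table number

run() {
    # execute the command, or only print it when DRY_RUN is set
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

mark_party_traffic() {
    # mangle PREROUTING runs before the routing decision, so a mark set
    # here (matched on the source address) can change where the packet goes
    run iptables -t mangle -A PREROUTING -i eth1 -s $PARTY_NET \
        -j MARK --set-mark $PARTY_MARK
}

route_marked_traffic() {
    # iproute2 side: marked packets consult table 100, whose default route is ppp0;
    # everything else keeps using the main table and the 204.4.4.1 gateway
    run ip rule add fwmark $PARTY_MARK table $PARTY_TABLE
    run ip route add default dev $PARTY_IF table $PARTY_TABLE
    run ip route flush cache
}

masquerade_party_uplink() {
    # the party hosts use private addresses, so they need NAT on ppp0 as well
    run iptables -t nat -A POSTROUTING -o $PARTY_IF -s $PARTY_NET -j MASQUERADE
}

route_party_lan() {
    mark_party_traffic
    route_marked_traffic
    masquerade_party_uplink
}

count_packets() {
    # count_packets TARGET < listing: sum the pkts column of every rule whose
    # target is TARGET in "iptables -t mangle -L PREROUTING -v -n -x" output
    # (column 1 = pkts, column 3 = target; the chain and header lines never match)
    awk -v t="$1" '$3 == t { s += $1 } END { print s + 0 }'
}

sample_listing() {
    # constructed sample of -L -v -n -x output for the test; not real counters
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 1234 packets, 567890 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    4321   987654 MARK       all  --  eth1   *       10.1.1.128/25        0.0.0.0/0           MARK set 0x7
      99    12345 MARK       all  --  eth1   *       10.1.1.200           0.0.0.0/0           MARK set 0x7
    1000   100000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# live use: iptables -t mangle -L PREROUTING -v -n -x | count_packets MARK
# preview the rules: DRY_RUN=1 APPLY=1 sh party.sh
if [ -n "${APPLY:-}" ]; then route_party_lan; fi
```

The -x flag keeps the counters as exact numbers instead of the K/M abbreviations that -v prints on its own, which is what makes the awk sum reliable; -n avoids the reverse DNS lookups that would otherwise slow the listing down and change the address columns.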