Here’s a run-down of iptables, a Linux utility for configuring a host-based firewall.

Fundamentals

Syntax

iptables <table> <action> <chain> <protocol> <rule>

Tables

iptables -t filter	# default; it is not required to explicitly specify this table
iptables -t nat 	# helpful in managing connection re-directs (based on src/dst IP)
iptables -t mangle	# used for stripping and modifying outbound traffic
iptables -t raw		# used to exempt packets from connection tracking (NOTRACK)
iptables -t security	# used for Mandatory Access Control network rules (e.g., SELinux)

Actions (applicable to all tables)

iptables -t filter -A 	# append
iptables -t filter -C	# check; compares user provided rule against what is configured
iptables -t filter -D 	# delete
iptables -t filter -L	# list; use this to review configured rules

Chains (for the “filter” table)

iptables -t filter -A INPUT	# traffic destined for this host
iptables -t filter -A FORWARD	# traffic routed through this host (between interfaces)
iptables -t filter -A OUTPUT	# traffic originating from this host

Protocols

iptables -t filter -A INPUT -p tcp
iptables -t filter -A INPUT -p udp
iptables -t filter -A INPUT -p icmp
iptables -t filter -A INPUT -p ip	# all protocols; "ip" is protocol 0 in /etc/protocols, equivalent to "-p all"

Rules

iptables -t filter -A INPUT -p icmp -j DROP	# silently discard
iptables -t filter -A INPUT -p icmp -j REJECT	# discard and send an error back to the sender
iptables -t filter -A INPUT -p icmp -j ACCEPT	# let the packet through


Append (adding) to your rule-set

Syntax

iptables -t <table> -A <chain> <rule>

Deny and respond to inbound ICMP packets

iptables -t filter -A INPUT -p icmp -j REJECT

Silently discard inbound ICMP packets without responding (safer, since the sender learns nothing about the host)

iptables -t filter -A INPUT -p icmp -j DROP


Checking your rule-set

List currently configured rules

iptables -L

Show sockets listening for IPv4 connections (open ports)

netstat -l4

Show live stream of inbound traffic from a specific host (“-n” is numbers only)

tcpdump -n src host <ip address>


Delete rules

Syntax

iptables -t <table> -D <chain> <rule>

Flush all previously configured rules

iptables -F	# flushes every chain of the filter table (add -t <table> for others); chain policies are left unchanged

Delete a rule

iptables -t filter -D INPUT -p icmp -j DROP


Example rule-set

iptables -A INPUT -p ip -m iprange --src-range 10.0.0.0-10.255.255.255 -j DROP
iptables -A INPUT -p ip -m iprange --src-range 172.16.0.0-172.31.255.255 -j DROP
iptables -A INPUT -p ip -m iprange --src-range 192.168.0.0-192.168.255.255 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP	# deny Telnet connections
iptables -A OUTPUT -p tcp --dport 80 -j DROP	# deny HTTP requests
iptables -A INPUT -p icmp -j DROP		# deny ICMP traffic
iptables -A INPUT -p tcp --dport 22 -j ACCEPT	# accept SSH connections
iptables -A INPUT -p ip -j DROP			# deny ip any any; explicit deny all statement

Note: a port must be given with --dport (or --sport); "-p tcp 23" is a syntax error. Rules are evaluated top to bottom and the first match wins, so the SSH ACCEPT must come before the final deny-all. As written, that final INPUT DROP also discards loopback traffic and replies to this host's own outbound connections unless rules permitting them are placed above it.
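The following script is an added example, not part of the original write-up. It applies the example rule-set above idempotently: ensure_rule first runs the check action (-C) from the Fundamentals section and only appends (-A) when the rule is not already present, so re-running the script never duplicates rules. The IPTABLES variable is an assumed override hook of this example (not an iptables feature) so that the commands can be dry-run with "echo"; the "-p ip" of the original rules is omitted because it matches all protocols, which is the default.

```shell
#!/bin/sh
# Added example (not from the original write-up): apply the example rule-set
# idempotently using "iptables -C" before "iptables -A".
# IPTABLES is an assumed override hook; set IPTABLES=echo for a dry run.
set -u

IPTABLES="${IPTABLES:-iptables}"

# ensure_rule CHAIN MATCH... : append MATCH to CHAIN of the filter table
# unless an identical rule is already configured.
ensure_rule() {
    chain="$1"; shift
    if "$IPTABLES" -t filter -C "$chain" "$@" 2>/dev/null; then
        return 0                      # already configured; nothing to do
    fi
    "$IPTABLES" -t filter -A "$chain" "$@"
}

# apply_ruleset: the page's example rule-set with correct --dport syntax,
# most specific rules first and the explicit deny-all last (rules are
# evaluated top to bottom; the first match wins).
apply_ruleset() {
    # drop inbound packets claiming a private (RFC 1918) source address
    ensure_rule INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j DROP
    ensure_rule INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j DROP
    ensure_rule INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j DROP
    ensure_rule INPUT -p tcp --dport 23 -j DROP      # deny Telnet connections
    ensure_rule OUTPUT -p tcp --dport 80 -j DROP     # deny outbound HTTP requests
    ensure_rule INPUT -p icmp -j DROP                # deny ICMP traffic
    ensure_rule INPUT -p tcp --dport 22 -j ACCEPT    # accept SSH connections
    ensure_rule INPUT -j DROP                        # explicit deny-all
}

# Only touch the firewall when explicitly asked, e.g.:
#   IPTABLES=echo sh ./ruleset.sh --apply   (dry run: prints the commands)
#   sudo sh ./ruleset.sh --apply            (applies them)
if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
fi
```

Because -C compares the full rule (chain, matches and target), changing a rule's port or target produces a new rule rather than replacing the old one; delete the old rule with -D first, or flush the table, before applying a changed set.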


Firewall Principles

  • Build firewall rules like a pyramid (most specific rules first, since rules are evaluated top to bottom and the first match wins)
  • Block source addresses using private IP ranges
  • Block inbound traffic with 255.255.255.255 as destination
  • Block inbound traffic with 0.0.0.0 as destination
  • Block inbound traffic destined for ports that facilitate un-encrypted services (Telnet, HTTP, etc.)
  • Block outbound traffic that is not from your network (spoofed IP addresses)
  • Permit authorized inbound/outbound IP traffic
  • Block everything else (an explicit “deny all” statement)
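The script below is an added example, not part of the original write-up; it turns the principles above into a check that can be run on the output of "iptables -S INPUT" (this also serves the "Checking your rule-set" section). The two listings it audits are constructed samples embedded in the script, not output captured from a real host: the first follows the example rule-set, the second leaves out two private ranges and places a rule after the deny-all.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit an `iptables -S INPUT`
# listing against the firewall principles. Sample listings are constructed.
set -u

# audit_input_chain FILE : print one line per violated principle and return
# the number of findings (0 means the chain passes).
audit_input_chain() {
    file="$1"
    findings=0

    # explicit deny-all: the last rule in INPUT is a catch-all DROP/REJECT,
    # or the chain policy itself is DROP
    last=$(grep '^-A INPUT' "$file" | tail -n 1)
    case "$last" in
        "-A INPUT -j DROP"|"-A INPUT -j REJECT"*) ;;
        *)  if ! grep -q '^-P INPUT DROP$' "$file"; then
                echo "no explicit deny-all at the end of INPUT (and policy is not DROP)"
                findings=$((findings + 1))
            fi ;;
    esac

    # private source ranges must be dropped (anti-spoofing)
    for range in 10.0.0.0-10.255.255.255 172.16.0.0-172.31.255.255 \
                 192.168.0.0-192.168.255.255; do
        if ! grep -q -- "--src-range $range -j DROP" "$file"; then
            echo "private source range $range is not blocked"
            findings=$((findings + 1))
        fi
    done

    # un-encrypted service ports (Telnet) must be blocked inbound
    if ! grep -q -- '--dport 23 -j DROP' "$file"; then
        echo "inbound Telnet (tcp/23) is not blocked"
        findings=$((findings + 1))
    fi

    # rules placed after the catch-all DROP can never match (pyramid order)
    dead=$(awk '/^-A INPUT -j DROP$/ { seen = 1; next }
                seen && /^-A INPUT/ { n++ }
                END { print n + 0 }' "$file")
    if [ "$dead" -gt 0 ]; then
        echo "$dead rule(s) placed after the deny-all can never match"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample listings (not captured from a real host).
GOOD_LISTING=$(mktemp)
BAD_LISTING=$(mktemp)
cat > "$GOOD_LISTING" <<'EOF'
-P INPUT ACCEPT
-A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j DROP
-A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j DROP
-A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
EOF
cat > "$BAD_LISTING" <<'EOF'
-P INPUT ACCEPT
-A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
EOF

echo "== good listing =="
audit_input_chain "$GOOD_LISTING" && echo "passes"
echo "== bad listing =="
audit_input_chain "$BAD_LISTING" || echo "$? finding(s)"
```

On a real host, run "iptables -S INPUT > listing.txt" as root and pass that file to audit_input_chain; the substring matches are written against the "-S" output format, which prints ports as "-p tcp -m tcp --dport N".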

Practical Exercise

Using the knowledge provided here, perform the following exercise as a “check on learning.”

Tools required: ifconfig, nc, netstat, iptables, tcpdump, telnet, ping

  1. Verify configured IP addresses of both boxes
  2. Open ports on target box
  3. Verify open ports on target box
  4. Verify current iptables rule set on target box
  5. Flush and re-verify current iptables rule set
  6. Configure and re-verify iptables rule set
  7. Start “live stream” on target box
  8. Send traffic to target ports using Telnet, SSH, and Ping

References