ChinaNetCloud Training - iptables Intro

ChinaNetCloud: Running All the World's Internet Servers

IP Tables Basics

June, 2014

By Steve Mushero

Copyright 2015 ChinaNetCloud

Introduction

● iptables is the main server firewall
● Layer 4 – all IP, port, and protocol-based
● Software-based
● Built into the kernel
● Powerful & fast
● But difficult to use
● We have a script :)


Basic Parts

● Kernel module – netfilter
● Kernel module – conntrack
  ● Creates sysctl items like conntrack_max
● Tool – the iptables command
  ● Run as root
● Save file – a simple text save file


Filtering Basics

● Filter on:
  ● IP address – source or destination
  ● Ports – source or destination
  ● Protocol – ICMP, UDP, TCP, etc.
  ● Connection state – SYN, ESTABLISHED, RELATED
● Two main results – allow (ACCEPT) or block (DROP)
● Special functions
  ● Logging
  ● Statistics


Tables

● Three tables are built into the kernel
  ● Filter – the real firewall, always used
  ● NAT – for NAT done by Linux, rarely used
  ● Mangle – special use
● Filter is the default table, the one you will use
  ● It is the table iptables shows/changes when you omit -t


Chains

● Each table has chains
● Three built-in chains in the Filter table
  ● INPUT – for traffic coming INTO the server
  ● OUTPUT – for traffic LEAVING the server
  ● FORWARD – for routing, rarely used
● You can add more chains for ease of use
  ● Such as for logging or special protocols
● The chains hold the rules
  ● You will usually edit these


Chains

● A chain can call (jump to) other chains
● RedHat always includes a special RH chain
● You can add more chains, such as for logging


Chains

● iptables -vnL

Chain INPUT (policy ACCEPT)

Chain OUTPUT (policy ACCEPT)

Chain FORWARD (policy ACCEPT)


Tables & Chains & Rules

● Filter, NAT, and Mangle tables
● INPUT and OUTPUT chains in the Filter table
● Rules in the INPUT chain to protect the server
● A firewall is a set of tables, chains, and rules
  ● Rules are the most important part


Basic Packet Flow

● Each input packet hits the Filter table, INPUT chain
● The packet is checked rule by rule, from the top
● If a rule matches, its result (the target) happens
  ● Usually ACCEPT, DROP, or REJECT
  ● Processing ends there (except for the LOG target, after which checking continues)
  ● Statistics counters tell you which rules are being hit


Basic Packet Flow

#  Target  prot  in   out  source      destination
1  ACCEPT  all   lo   lo   0.0.0.0/0   0.0.0.0/0
2  ACCEPT  tcp   *    *    1.2.3.4/32  0.0.0.0/0
3  DROP    all   *    *    0.0.0.0/0   0.0.0.0/0
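The rule-by-rule walk described above, as an added example that is not part of the original deck: a small Python evaluator that applies first-match semantics, lets LOG fall through, counts hits per rule the way the -v counters do, and falls back to the chain policy when nothing matches. The RULES list is a constructed chain built from the three-row table plus the ssh and LOG rules shown on later slides; matches and walk_chain are hypothetical helper names.

```python
import ipaddress

# Constructed INPUT chain mirroring the deck's three-rule table, plus the
# ssh rule and one LOG rule (the non-terminating target the deck mentions).
# Example data, not a ruleset from the deck or from any real server.
RULES = [
    {"target": "ACCEPT", "proto": "all", "in": "lo", "src": "0.0.0.0/0"},
    {"target": "ACCEPT", "proto": "tcp", "in": "*",  "src": "1.2.3.4/32"},
    {"target": "ACCEPT", "proto": "tcp", "in": "*",  "src": "0.0.0.0/0",
     "dport": 22, "state": {"NEW"}},
    {"target": "LOG",    "proto": "all", "in": "*",  "src": "0.0.0.0/0",
     "log_prefix": "bad port: "},
    {"target": "DROP",   "proto": "all", "in": "*",  "src": "0.0.0.0/0"},
]


def matches(rule, pkt):
    """A rule matches only when every selector it carries fits the packet."""
    if rule["proto"] != "all" and rule["proto"] != pkt["proto"]:
        return False
    if rule["in"] != "*" and rule["in"] != pkt["in"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if "state" in rule and pkt.get("state") not in rule["state"]:
        return False
    return True


def walk_chain(rules, pkt, policy="DROP"):
    """Walk the chain top-down. The first matching terminating target decides;
    LOG records a line and lets the packet fall through; if no rule decides,
    the chain policy applies. Returns (verdict, rule numbers hit, log lines)."""
    hits, logs = [], []
    for num, rule in enumerate(rules, 1):
        if not matches(rule, pkt):
            continue
        hits.append(num)  # the per-rule counter that iptables -vnL shows
        if rule["target"] == "LOG":
            logs.append(rule["log_prefix"] + ("IN=%s SRC=%s PROTO=%s"
                        % (pkt["in"], pkt["src"], pkt["proto"])))
            continue
        return rule["target"], hits, logs
    return policy, hits, logs
```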


Basic Rule Structure

iptables -A INPUT -p tcp -i eth0 -s 0.0.0.0/0 -j ACCEPT

● Basic rule
  ● Chain – INPUT
  ● Protocol – TCP, UDP, ICMP, or ALL
  ● Interface – * (any), lo, eth0, etc.
  ● Action (target) – ACCEPT, DROP, or REJECT


Basic Rule Options

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

● Ports and states
  ● Destination port – 22 (ssh)
  ● Very often used for services
  ● Module – state (needed for the next option)
  ● Module option – state NEW
  ● Always used for normal rules


Other Common Rule Options

● Logging – like -j LOG --log-prefix 'bad port: '
  ● Logs to syslog
  ● Used to log bad or illegal packets


Accept Established / Related

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

● All systems have a rule like this
  ● To pass ESTABLISHED connections; always save it
  ● Managed by the conntrack module
  ● RELATED is for TCP protocols like FTP, or for DNS over UDP
  ● For DNS over UDP it remembers the outgoing query and lets the incoming reply through
● Put this rule first in the rule list, for better performance


Last Rule always Drop

● Always add a -j DROP rule at the end
  ● So if we don't allow traffic, it is dropped
  ● Even if the chain policy is also DROP
  ● Best practice is both a DROP policy and a DROP rule
● This ensures we drop everything we don't want


Chain Policy

Chain INPUT (policy ACCEPT 7091K packets, 4852M bytes)

● Each chain has a default action, its policy
  ● Very important
  ● Applied automatically at the end of the chain
  ● Should be DROP on all major chains
  ● Should be ACCEPT for middle, partial chains
    ● To allow packets to continue on to other chains


Using iptables command

● Can show, add, insert, and delete rules
● Easiest to show rules with numbers:
  ● iptables -vnL --line-numbers   [note: L is for list]
  ● Shows the current rules with their numbers
● Other options to add, delete, and insert
  ● Delete / insert use those line numbers


Iptables-save / restore

● Dumps the iptables rules in memory to a file
● Loaded by init when the server starts
● Any changes not in the file are LOST on reboot!!
● The file is usually in /etc/sysconfig:

/etc/sysconfig/iptables

● Can be monitored by Zabbix, Nagios, etc.
● Can be run manually:

iptables-save > file


Iptables as a Service

● It is NOT a service, but it looks like one
● Has an init script to load the save file on boot
● The script just changes options
  ● stop – deletes all rules and allows all traffic
  ● start – loads the iptables-save file /etc/sysconfig/iptables
● If you 'stop' iptables to test, don't forget to start it again


Advanced Use

● NAT
  ● Used for ssh and Zabbix forwarding
  ● Used as a gateway for a private LAN (DB, etc.)
● Port changes
  ● Can move port 80 traffic to 8080
● Routing between NICs
● Xen Dom0 use – controlling VMs
● Changing packet data
● All quite rare


Packet Flow


Summary

● iptables is very important
● Used on every server
● A bit complicated
● Use a script to manage it
● Be careful


About ChinaNetCloud


ChinaNetCloud [email protected]

www.ChinaNetCloud.com

Beijing Office:

Lee World Business Building #305

57 Happiness Village Road,

Chaoyang District

Beijing, 100027 China

Silicon Valley Office:

California Avenue

Palo Alto, 94123 USA

Shanghai Headquarters:

X2 Space 1-601, 1238 Xietu Lu

Shanghai, 200032 China

T: +86-21-6422-1946 F: +86-21-6422-4911