LINUX AS A ROUTER

What exactly is a firewall?

As in the non-computer world, a firewall acts as a physical barrier to prevent fires from spreading. In the computer
world too, the firewall acts in a similar manner, only the fires that they prevent from spreading are the attacks,
which crackers generate when the computer is on the Internet. Therefore, a firewall can also be called a packet
filter, which sits between the computer and the Internet, controlling and regulating the information flow.

Most of the firewalls in use today are the filtering firewalls. They sit between the computer and the Internet and
limit access to only specific computers on the network. It can also be programmed to limit the type of
communication, and selectively permit or deny several Internet services.

Organizations receive their routable IP addresses from their ISPs. However, the number of IP addresses given is
limited. Therefore, alternate ways of sharing the Internet services have to be found without every node on the LAN
getting a public IP address. This is done commonly by using private IP addresses, so that all nodes are able to
access properly both external and internal network services.

Firewalls are used for receiving incoming transmissions from the Internet and routing the packets to the intended
nodes on the LAN. Similarly, firewalls are also used for routing outgoing requests from a node on the LAN to the
remote Internet service.

This method of forwarding the network traffic may prove to be dangerous, when modern cracking tools can spoof
the internal IP addresses and allow the remote attacker to act as a node on the LAN. In order to prevent this, the
iptables provide routing and forwarding policies, which can be implemented for preventing abnormal usage of
networking resources. For example, the FORWARD chain lets the administrator control where the packets are
routed within a LAN.

LAN nodes can communicate with each other, and they can accept the forwarded packets from the firewall, with
their internal IP addresses. However, this does not give them the facility to communicate to the external world and
to the Internet.

For allowing the LAN nodes that have private IP addresses to communicate with the outside world, the firewall has
to be configured for IP masquerading. The requests that LAN nodes make, are then masked with the IP addresses
of the firewall’s external device, such as eth0.

How IPtables can be used to Configure your Firewall

Whenever a packet arrives at the firewall, it will be either processed or disregarded. The disregarded packets
would normally be those, which are malformed in some way or are invalid in some technical way. Based on the
packet activity of those that are processed, the packets are enqueued in one of the three builtin ‘tables.’ The first
table is the mangle table. This alters the service bits in the TCP header. The second table is the filter queue, which
takes care of the actual filtering of the packets. This consists of three chains, and you can place your firewall policy
rules in these chains (shown in the diagram below):

- Forward chain: It filters the packets to be forwarded to networks protected by the firewall.

- Input chain: It filters the packets arriving at the firewall.

LINUX AS A ROUTER

- Output chain: It filters the packets leaving the firewall.

The third table is the NAT table. This is where the Network Address Translation or NAT is performed. There are two
built-in chains in this:

- Pre-routing chain: It NATs the packets whose destination address needs to be changed.

- Post-routing chain: It NATs the packets whose source address needs to be changed.

Whenever a rule is set, the table it belongs has to be specified. The ‘Filter’ table is the only exception. This is
because most of the 'iptables’ rules are the filter rules. Therefore, the filter table is the default table.

The diagram below shows the flow of packets within the filter table. Packets entering the Linux system follow a
specific logical path and decisions are made backed on their characteristics. The path shown below is independent
of the network interface they are entering or exiting:

The Filter Queue Table

Network interface (eth0, eth1 etc)

State of the packet

Target for the rule:

ACCEPT
DROP
REJECT
QUEUE
RETURN
LOG
 LINUX AS A ROUTER

As mentioned previously, the table of NAT rules consists mainly of two chains: each rule is examined in order until
one matches. The two chains are called

PREROUTING (for Destination NAT, as packets first come in), and

POSTROUTING (for Source NAT, as packets leave).

IPTABLES BASIC Functions

 /etc/init.d/iptables INIT script to start|stop|restart the service (and save rulesets).

 /etc/sysconfig/iptables RedHat's file for the iptables-save counter files (i.e. The saved rulesets).
 /sbin/iptables The administration utility/binary.

A Little About IPTables

To see what rulesets we currently have in place, execute:

# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

This is what you will see when there are no rule sets in place. Looking at this we see 3 'Chains'.

 INPUT - Holds rules for traffic directed at this server.

 FORWARD Holds rules for traffic that will be forwarding on to an IP behind this server (i.e. If this box serves as a
firewall for other servers).
 OUTPUT Holds rules for traffic that is coming from this server out to the internet.

Mainly we will be dealing with traffic directed at this server, and will be issuing rules for the INPUT Chain. When
traffic passes through the kernel, it determines a “TARGET� based on whether the packet matches a rule or
not. General targets are:

 ACCEPT Traffic is accepted for delivery.

 REJECT Traffic is rejected, sending a packet back to the sending host.
 DROP The traffic is dropped. Nothing is sent back to the sending host.
 LINUX AS A ROUTER

Configuring Rule Sets

So, lets get down to it. Its important to note that the order in which rules are appended is very important. For
example, if your first rule is to deny everything... then no matter what you specifically allow, it will be denied.

Also to note is that nothing you do is saved on disk until you execute 'iptables-save' (or use the init script to save).
All counters/rulesets are in memory. Once the server reboots, or you execute 'iptables --flush' everything you've
worked on is gone. Personally I work out of a bash script file called 'iptables-rules.sh', which allows me to keep
everything organized and commented. If I make a mistake, I have no worries if I just want to flush all the rules out,
I just go right back to my bash script and start editing again, save it out and execute the script (this however will
not run at startup... that will be covered in the next section).

Its very important that if you are working on this server remotely through ssh, that you make every effort to not
lock yourself out. Therefore, our first rule will be to ensure that no matter what, I can still access ssh from my IP
address.

# iptables -A INPUT -s 192.168.1.10 -d 10.1.15.1 -p tcp --dport 22 -j ACCEPT

Lets break that down:

 -A => Tells iptables to 'append' this rule to the INPUT Chain
 -s => Source Address. This rule only pertains to traffic coming FROM this IP. Substitute with the IP address you are
SSHing from.
 -d => Destination Address. This rule only pertains to traffic going TO this IP. Substitute with the IP of this server.
 -p => Protocol. Specifying traffic which is TCP.
 --dport => Destination Port. Specifying traffic which is for TCP Port 22 (SSH)
 -j => Jump. If everything in this rule matches then 'jump' to ACCEPT

Next, we will want to use some standard rules for general network traffic. This goes a bit beyond the basic stuff,
however iptables can determine the 'state' that a packet is in. This has to do with standard TCP communication.
For example, the 3 way handshake between two hosts when transmitting data.

 NEW => Server1 connects to Server2 issuing a SYN (Synchronize) packet.

 RELATED => Server 2 receives the SYN packet, and then responds with a SYN-ACK (Synchronize Acknowledgment)
packet.
 ESTABLISHED => Server 1 receives the SYN-ACK packet and then responds with the final ACK (Acknowledgment)
packet.

After this 3 way handshake is complete, the traffic is now ESTABLISHED. In order for this type of TCP
communication, something similar to these three rules are necessary:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

The last rule obviously allows any traffic the leave the server.

Now that we have our basics set in place, lets see what iptables lists for our rulesets:
# iptables –list
LINUX AS A ROUTER

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp -- 192.168.1.10 10.1.15.1 tcp dpt:ssh

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)

target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)

target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED

The NAT Table

At each of the points above, when a packet passes we look up what connection it is associated with. If it's a new
connection, we look up the corresponding chain in the NAT table to see what to do with it. The answer it gives will
apply to all future packets on that connection.

The most important option here is the table selection option, `-t'. For all NAT operations, you will want to use `-t
nat' for the NAT table. The second most important option to use is `-A' to append a new rule at the end of the
chain (e.g. `-A POSTROUTING'), or `-I' to insert one at the beginning (e.g. `-I PREROUTING').
LINUX AS A ROUTER

The following command enables NAT for all outgoing packets. Eth0 is our WAN interface:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

If you rather implement static NAT, mapping an internal host to a public IP, here's what the command would look
like:

# iptables -A POSTROUTING -t nat -s 192.168.0.3 -o eth0 -d 0/0 -j SNAT --to 203.18.45.12

With the above command, all outgoing packets sent from internal IP 192.168.0.3 are mapped to external IP
203.18.45.12.

Taking it the other way around, the command below is used to enable port forwarding from the WAN interface, to
an internal host. Any incoming packets on our external interface (eth0) with a destination port (dport) of 80, are
forwarded to an internal host (192.168.0.5), port 80:

# iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.0.5:80

INIVIDUAL REJECTS FIRST:

-----------------------------------------------------------------------

BAD GUYS (Block Source IP Address):

# iptables -A INPUT -s 172.34.5.8 -j DROP

NO SPAMMERS (notice the use of FQDN):

# iptables -A INPUT -s mail.spammer.org -d 10.1.15.1 -p tcp --dport 25 -j REJECT

-----------------------------------------------------------------------

THEN OPEN IT UP

MYSQL (Allow Remote Access To Particular IP):

# iptables -A INPUT -s 172.50.3.45 -d 10.1.15.1 -p tcp --dport 3306 -j ACCEPT

SSH:
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 22 -j ACCEPT
LINUX AS A ROUTER

Sendmail/Postfix:
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 25 -j ACCEPT

FTP: (Notice how you can specify a range of ports 20-21)

# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 20:21 -j ACCEPT

Passive FTP Ports Maybe: (Again, specifying ports 50000 through 50050 in one
rule)
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 50000:50050 -j ACCEPT

HTTP/Apache
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 80 -j ACCEPT

SSL/Apache
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 443 -j ACCEPT

IMAP
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 143 -j ACCEPT

IMAPS
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 993 -j ACCEPT

POP3
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 110 -j ACCEPT

POP3S
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 995 -j ACCEPT

Any Traffic From Localhost:

# iptables -A INPUT -d 10.1.15.1 -s 127.0.0.1 -j ACCEPT

ICMP/Ping:
# iptables -A INPUT -d 10.1.15.1 -p icmp -j ACCEPT
LINUX AS A ROUTER

GLOBAL REJECTS LAST:

-----------------------------------------------------------------------

Reject everything else to that IP:

# iptables -A INPUT -d 10.1.15.1 -j REJECT

Or, reject everything else coming through to any IP:

# iptables -A INPUT -j REJECT
# iptables -A FORWARD -j REJECT

Notice the we do the global REJECT lines last! These must be last.