Firewalled Up (Part 1)

November 30, 2018

A system is only as strong as its weakest point of entry. If someone sets up a server with 12345 as the root password, the system is as good as compromised in under an hour. It does not matter if the system runs malware detection scripts or alerting applications that warn of a breach. It is always recommended to seal all unwanted doors (ports) on your server. Setting up a strong firewall has an additional benefit: if you block outgoing email ports, then even if your system is compromised, it will not churn out spam like it would on a system with no firewall.

The first of this three-part series on firewalls gives you an introduction to iptables.

IPTABLES

Firewalling on the Linux platform is achieved through iptables, a command-line utility available on all Linux distributions. iptables is very useful for adding enhanced networking security to your server. Behind the scenes, iptables interacts with the kernel's networking stack (Netfilter) to carry out packet filtering. iptables can manage NAT (network address translation) as well as packet filtering (blocking/allowing traffic).

iptables operates by using levels of organization: tables, chains and rules. There are five tables.

Filter Table

This is the default table. Its chains determine whether a packet should reach its destination or not. A packet hitting this table goes through one of the following chains: input, output or forward.

The Input chain contains the rules for packets entering your system with your server as the destination.

The Output chain contains the rules for packets exiting your system with an external destination.

Finally, the Forward chain is used for packets where your server is neither the source nor the destination. A typical scenario for the Forward chain is when the system acts as a router for traffic.

To view all the rules in the filter table:

# iptables -t filter --list

NAT Table

The next table is the Network Address Translation table. The chains on this table are primarily for routing. To use the chains in this table, you must enable IP Forwarding.

# cat /proc/sys/net/ipv4/ip_forward

This should return a value of 1. If it returns 0, edit /etc/sysctl.conf with a text editor, find the parameter net.ipv4.ip_forward and change it to 1. Restart the network with

# systemctl restart networking # Ubuntu/Debian

Or

# systemctl restart network # CentOS/Fedora/RHEL

The chains in this table are:

The Prerouting chain, which is used mostly for Destination NAT, i.e. changing the destination of a packet entering the system to a different address.

The Postrouting chain, which is mostly used for Source NAT, i.e. changing the source information of a packet leaving the system to a different address.

Finally, there is the Output chain, which is primarily for packets that are generated by local applications. In many cases, packets passing through the Output chain also pass through the Postrouting chain.

To list all NAT rules, enter the command

# iptables -t nat --list

Mangle Table

This is one of the less commonly used tables. It is primarily used to modify specific headers of IP packets, such as the Type of Service (TOS), Time-to-Live (TTL) and MARK.

Adjusting the TTL controls the number of hops the packet can sustain. Adjusting the TOS could be used to set up policies on the network for how the packet is routed. This is not widely implemented and should not be adjusted for packets going out to the internet.

The chains available on this table are PREROUTING, OUTPUT, FORWARD, INPUT and POSTROUTING.

To list the mangle table:

# iptables -t mangle --list

Raw Table

The Raw table is used for marking packets to opt out of connection tracking. iptables is stateful, i.e. it processes data packets as a series of related data rather than as discrete packets. This connection tracking happens at the very instant a packet hits the network interface. Therefore, even if the protocol is stateless (such as UDP), iptables can relate packets as part of the same connection. You could set up a rule to handle packets based on the connection states (NEW, ESTABLISHED, RELATED or INVALID). Chains that can be managed on this table are PREROUTING and OUTPUT.

Raw table rules provide a very specific functionality: marking packets to opt out of connection tracking. Listing the raw table is done via the command

# iptables -t raw --list

Security Table

The Security table is related to SELinux and is used to set internal SELinux security context marks on packets on a per-packet or per-connection basis. Setting the security context marks defines how the SELinux system handles the packet and can be used for implementing Mandatory Access Control. To display the contents of this table:

# iptables -t security --list
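
The table, chain and rule hierarchy described above can be read straight out of a ruleset dump. The following is an added example, not part of the original article: it parses text in iptables-save format and reports each chain's default policy and rule count per table. The sample ruleset is constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise a ruleset dump by table -> chain -> policy -> rule count.

# Constructed sample in iptables-save format (not taken from a real host).
sample_ruleset() {
    cat <<'EOF'
# constructed sample ruleset
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j CT --notrack
COMMIT
EOF
}

# Reads iptables-save text on stdin; prints "table chain policy rule_count".
summarize_ruleset() {
    awk '
        /^\*/  { table = substr($0, 2); next }            # "*filter" starts a table
        /^:/   { key = table " " substr($1, 2)            # ":INPUT DROP [0:0]" declares a chain
                 policy[key] = $2; rules[key] = 0; order[++n] = key; next }
        /^-A / { rules[table " " $2]++ }                  # "-A INPUT ..." is one rule
        END    { for (i = 1; i <= n; i++)
                     print order[i], policy[order[i]], rules[order[i]] }
    '
}

# Filter-table chains whose default policy is ACCEPT (anything unmatched passes).
default_accept_chains() {
    summarize_ruleset | awk '$1 == "filter" && $3 == "ACCEPT" { print $2 }'
}

sample_ruleset | summarize_ruleset
echo "filter chains with default ACCEPT: $(sample_ruleset | default_accept_chains)"
```

On a live server, run `iptables-save | summarize_ruleset` as root in place of the sample.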

Still to Come

In our next article we will talk about setting up common rules, allowing incoming connections, stopping outgoing connections and, in general, using iptables to improve server security.

 


Ramesh Vishveshwar

Ramesh Vishveshwar is a tech blogger who is always on the lookout for the next big thing. Having discovered his infatuation for various flavors of Linux, he spends his time tinkering with VPS nodes installing and trying out new applications. His interest in coding spans across multiple languages from PHP, shell scripting to remote old generation languages such as COBOL.