Configuring NetFilter
Pages: 11
File type: pdf
Size: 32.92 KB
Views: 14
Downloads: 0
Document information:
Configuring NetFilter The NetFilter packet filter is configured through the iptables command utility. Like its predecessor, ipchains, iptables enables firewall administrators to control a wide variety of features in the NetFilter packet filter
Content extracted from the document:
Configuring NetFilter

The NetFilter packet filter is configured through the iptables command utility. Like its predecessor, ipchains, iptables enables firewall administrators to control a wide variety of features in the NetFilter packet filter. Chief among these are adding or inserting filter rules within a preexisting set of rules, defining the policy of the various chains in the filter, or creating user-defined chains for specific purposes such as testing for denial-of-service (DoS) attacks or other specific attacks.

The path a packet takes through the NetFilter process depends on whether it is destined for the firewall host itself or whether it is being forwarded to a second interface. For most packets that traverse the firewall, the sequence of tables and chains is as follows:

1. Mangle PREROUTING
2. NAT PREROUTING
3. Filter FORWARD
4. NAT POSTROUTING

As shown in Figure 7-4, the process of forwarding packets to the second interface involves a routing decision by the firewall. If a packet is destined for the firewall itself, it must traverse the filter INPUT chain before reaching the local process on the firewall. Packets sent by local processes on the firewall must traverse the filter OUTPUT chain and might traverse the NAT POSTROUTING chain, but only if some form of destination NAT is being conducted. Overall, the process through the NetFilter tables and chains is very logical in order and efficiency.

Figure 7-4. Packet Traversal of NetFilter Tables and Chains

Packets need not traverse every chain in the NetFilter system. It all depends on the destination of the packet as well as what rules are applicable and whether NAT is involved.

Although the configuration of NetFilter firewalls using the iptables utility may appear to be a daunting task, you can also configure NetFilter through a variety of graphical interface tools such as Firewall Builder, Firestarter, or Webmin. Some examples to follow show how you can configure NetFilter using the iptables utility as well as these graphical tools. This discussion is not meant to be a detailed method of how to use these tools but rather a brief introduction to them. You must further explore and decide which tool you are most comfortable using to manage Linux-based firewalls.

IPTables Command-Line Tool

The iptables command-line tool works very much like the older ipchains tool. The iptables utility provides for several commonly used actions (known as targets) for packets that match the filter rules:

• ACCEPT: Let the packet through.
• DROP: Drop the packet.
• QUEUE: Pass the packet to user space.
• RETURN: Stop processing this chain and resume at the next rule in the previous chain.
• REJECT: Send an error packet when a matched packet is detected.
• MASQUERADE: Map the source IP address to the IP address of the interface that the packet is going out. You should use this only with dynamic connections such as dial-up or a DHCP-assigned provider IP address. Otherwise, use SNAT.
• DNAT: Specifies that the destination address of the packet should be modified.
• SNAT: Specifies that the source address of the packet should be modified.
• LOG: Turn on kernel logging of packets that match the rule.
• ULOG: Provides for user-space logging of packets that match the rule.

Note: These are the most commonly used targets. For additional information about these and other targets, check out http://www.netfilter.org.

In addition, you can specify a user-defined chain as a target, too. Example 7-1 shows how you can configure a basic firewall filter.

Example 7-1. Basic Linux Firewall Filter Configuration

# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 22 -m state --state NEW -j ACCEPT
# iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 25 -m state --state NEW -j ACCEPT
# iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 80 -m state --state NEW -j ACCEPT
# iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 5900 -m state --state NEW -j ACCEPT
# iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 5901 -m state --state NEW -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

The -m state --state NEW rules admit only the first packet of a new connection to the listed ports, the ESTABLISHED,RELATED rule then admits the remaining packets of those connections, and the final REJECT answers everything else with an ICMP host-prohibited error. Note that the REJECT target's --reject-with option must follow -j REJECT on the command line.

Firewall Builder, Firestarter, and Webmin also come in handy when configuring NetFilter.

Firewall Builder

You can find the Firewall Builder software at http://www.fwbuilder.org. Unlike other firewall management software, Firewall Builder provides a policy compiler for Linux's NetFilter firewall as well as for FreeBSD's and OpenBSD's packet filter (pf) firewall, the IPFilter (IPF) firewall, and the Cisco PIX Firewall. IPF is another open source firewall software package that can be built in to a variety of operating systems, including Sun Solaris, NetBSD, FreeBSD, OpenBSD, HP's HP-UX, and SGI's IRIX operating systems.

Building a firewall policy with Firewall Builder is exceptionally easy and flexible. You can build a simple packet filter using Firewall Builder much more easily than with the iptables command-line utility, as shown in Figure 7-5. The filter in Figure 7-5 is partially based on the filter given in Example 7-1. The services allowed in are Secure Shell (SSH:TCP/22), Simple Mail Transport Protocol (SMTP:TCP/25), Hypertext Transfer Protocol (HTTP:TCP/80), two Virtual Network Computing connections (VNC0:TCP/5900, VNC1:TCP/5901), and TCP traffic that is part of a previously established connection. All other traffic is denied.

Figure 7-5. Using Firewall Builder to Define Firewall Policy

Firewall Builder is available as packages for a variety of operating systems, including Red Hat 9, Fedora Core 3 and 4, Slackware Linux, Mac OS X, and Windows 2 ...
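The chain traversal, the target list and Example 7-1 above can be reasoned about with a small model of how a filter chain is evaluated. The Python below is an added example, not code from the book or from the netfilter project; it assumes nothing about a real kernel, and the outside interface name eth0 and the sample packets are constructed for illustration. It also goes beyond Example 7-1: a second, hypothetical ruleset adds a user-defined SERVICES chain to show the RETURN target and a chain policy doing the work the text describes.

```python
"""Toy model of NetFilter chain evaluation (added example, not the book's or
netfilter's code). It models only what the text describes: a chain is an
ordered rule list with an optional policy, rules are tried first-match,
ACCEPT/DROP/REJECT end the walk, a user-defined chain may be a target, RETURN
resumes at the next rule of the calling chain, and a built-in chain's policy
applies when no rule decides. It is a teaching model, not a reimplementation.
"""
from dataclasses import dataclass, field
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # verdicts that stop evaluation


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int]       # destination port, None for icmp
    in_iface: str              # interface the packet arrived on
    state: str                 # conntrack state: NEW, ESTABLISHED, RELATED, INVALID


@dataclass
class Rule:
    """One rule: every match that is set must hold (-p, --dport, -i, --state)."""
    target: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    in_iface: Optional[str] = None
    states: Optional[frozenset] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.in_iface is None or self.in_iface == pkt.in_iface)
                and (self.states is None or pkt.state in self.states))


@dataclass
class Chain:
    name: str
    policy: Optional[str] = None          # only built-in chains carry a policy
    rules: list = field(default_factory=list)


class FilterTable:
    def __init__(self):
        self.chains = {}

    def add_chain(self, name, policy=None):       # like iptables -N / -P
        self.chains[name] = Chain(name, policy)

    def append(self, chain, rule):                # like iptables -A
        self.chains[chain].rules.append(rule)

    def evaluate(self, chain_name, pkt):
        """Verdict for pkt entering a built-in chain: a rule's verdict, else the policy."""
        verdict = self._walk(self.chains[chain_name], pkt)
        return verdict if verdict is not None else self.chains[chain_name].policy

    def _walk(self, chain, pkt):
        for rule in chain.rules:
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":           # hand back to the calling chain
                return None
            if rule.target == "LOG":              # non-terminating: keep walking
                continue
            sub = self._walk(self.chains[rule.target], pkt)   # user-defined chain
            if sub is not None:
                return sub
        return None                               # fell off the end of the chain


def example_7_1():
    """The INPUT chain of Example 7-1 as the model sees it."""
    t = FilterTable()
    t.add_chain("INPUT", policy="ACCEPT")
    t.append("INPUT", Rule("ACCEPT", in_iface="lo"))
    for port in (22, 25, 80, 5900, 5901):
        t.append("INPUT", Rule("ACCEPT", proto="tcp", dport=port, states=frozenset({"NEW"})))
    t.append("INPUT", Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})))
    t.append("INPUT", Rule("REJECT"))             # the only rule that denies anything
    return t


def example_user_chain():
    """Hypothetical variant: DROP policy plus a user-defined SERVICES chain with RETURN."""
    t = FilterTable()
    t.add_chain("INPUT", policy="DROP")
    t.add_chain("SERVICES")
    t.append("INPUT", Rule("ACCEPT", in_iface="lo"))
    t.append("INPUT", Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})))
    t.append("INPUT", Rule("SERVICES", proto="tcp", states=frozenset({"NEW"})))
    for port in (22, 25, 80):
        t.append("SERVICES", Rule("ACCEPT", dport=port))
    t.append("SERVICES", Rule("LOG"))             # log the unexpected NEW TCP, then ...
    t.append("SERVICES", Rule("RETURN"))          # ... return to INPUT, whose policy drops it
    return t


if __name__ == "__main__":
    # Constructed sample packets; "eth0" is an assumed outside interface.
    samples = [Packet("tcp", 22, "eth0", "NEW"), Packet("tcp", 23, "eth0", "NEW"),
               Packet("tcp", 23, "lo", "NEW"), Packet("tcp", 443, "eth0", "ESTABLISHED"),
               Packet("udp", 53, "eth0", "NEW")]
    for name, table in (("Example 7-1", example_7_1()), ("user chain", example_user_chain())):
        for p in samples:
            print(f"{name}: {p.proto}/{p.dport} in {p.in_iface} {p.state} -> {table.evaluate('INPUT', p)}")
```

The model makes one property of Example 7-1 visible: because the INPUT policy is ACCEPT, the trailing REJECT is the only thing that denies traffic, so removing or misordering that one rule opens the host. The user-chain variant shows the alternative where the chain policy is the backstop and the RETURN target hands an unmatched packet back to INPUT to be dropped by that policy.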