Penguin
Blame: HowFirewallingWorks
EditPageHistoryDiffInfoLikePages
Annotated edit history of HowFirewallingWorks version 11, including all changes. View license author blame.
Rev Author # Line
10 PerryLorier 1 This is paraphrased, in part, from the PacketFiltering HowTo, which can probably be found somewhere on the Wiki, but should be read at [netfilter.org|http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html].
2
3 !What are packets?
4
5 For firewalling, all you need to know is that a transmission is broken up (encapsulated) into a number of packets, each with a header containing information on the type of packet, it's source address and port, eventual destination address and port, and other flags.
6
7 !What is packet filtering?
8
9 Packet filtering (netfilter) is part of the Linux kernel. You need to ensure your kernel is compiled with CONFIG_NETFILTER enabled (and that you're running 2.3.15 onwards.) Then you'll need to make sure that CONFIG_IP_NF_IPTABLES is modular and/or compiled into the kernel.
10
11 netfilter allows you to define 'callback functions' - functions that are called every time a network packet is processed by the system. You don't have to deal with it at a low level however - there's an entire infrastructure provided called __iptables__.
12
13 !What is iptables?
14
15 iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (things that will cause a packet to match) and one connected action (target).
16
17 The tool that influences the kernel's filtering rules is called iptables(8). (You may have seen other documentation referencing ipchains or ipfwadm. In 2.2 series kernels you used ipchains(8), in 2.0 series kernels you used ipfwadm(8). Documents that talk of either are too old to help specifically, but the concepts will still apply. If you really have to use ipchains/ipfwadm rules, you can compile support for them into the kernel, but not alongside iptables. It's one or the other.)
18
19 Packet filtering also provides transparent proxying, masquerading (NetworkAddressTranslation), and anything else related to rewriting packets.
20
21 netfilter, iptables and the connection tracking as well as the NAT subsystems together build the whole framework.
22
23 !Main Features
24
25 * stateful packet filtering (connection tracking)
26 * all kinds of network address translation
27 * flexible and extensible infrastructure
28 * large number of additional features as patches
29
30 !What can I do with netfilter/iptables ?
31
32 * build internet firewalls based on stateless and stateful packet filtering
33 * use NAT and masquerading for sharing internet access where you don't have enough addresses
34 * use NAT for implementing transparent proxies
35 * build sophisticated QualityOfService routers
36 * do further packet manipulation (mangling) like altering the TOS (TypeOfService) field of the IP header
37 * Log errant packets for closer inspection later.
38
39 !Permanence of rules
40
41 The kernel boots up with __no firewalling rules__. If you manually add a rule with iptables(8), it will not be there next time you boot. You will need a firewall script that runs on boot.
42
43 !What are chains?
44
45 A chain is a checklist of rules. Each rule says `if the packet header looks like this, then here's what to do with the packet'. If the rule doesn't match the packet, then the next rule in the chain is consulted. Finally, if there are no more rules to consult, then the kernel looks at the chain policy to decide what to do. In a security-conscious system, this policy usually tells the kernel to DROP or REJECT the packet. You can create your own chains.
46
47 !What are tables?
48 A table is a collection of chains that perform a related task such as filtering, address rewriting (nat) or modifying packet charactoristics (mangle). You cannot create your own tables without modifying the kernel.
49
50 The kernel starts out with three chains in the "filter" (main) table: INPUT, FORWARD and OUTPUT.
11 JohnMcPherson 51 <verbatim>
52 _ _ _
53 Incoming / \ Outgoing
10 PerryLorier 54 -->[[Routing ]--->|FORWARD|------->
55 [[Decision] \_ _ _/ ^
56 | |
57 v _ _
58 _ _ / \
59 / \ |OUTPUT|
60 |INPUT| \_ _ /
61 \_ _/ ^
62 | |
63 ----> Local Process ----
11 JohnMcPherson 64 </verbatim>
10 PerryLorier 65
66 The three circles represent the three chains. When a packet reaches a circle in the diagram, that chain is examined to decide the fate of the packet. If the chain says to DROP the packet, it is killed there, but if the chain says to ACCEPT the packet, it continues traversing the diagram. The chain can say other things too like "LOG" (log this packet to syslog and continue processing), or jump to a user specified chain, or return from a user specified chain.
67
68 # When a packet comes in to the computer (normally from an ethernet card) the kernel first looks at the __destination__ of the packet: this is called __`routing'__.
69 # If the destination is this computer, the packet passes downwards in the diagram, to the INPUT chain. If it passes this, the packet will be passed onto your computer and is has 'penetrated the firewall'. Remember, this isn't a bad thing - you want to be able to allow requests to access your web server, for example
70 # Otherwise, if the kernel does not have forwarding enabled, or it doesn't know how to forward the packet, the packet is dropped. If forwarding is enabled, and routing has decided the packet can go out on another network interface (eg an ADSL connection), then the packet goes rightwards on the diagram to the FORWARD chain. If it is ACCEPT-ed, it will be sent out.
71 # Finally, a program running on the box can send network packets. These packets pass through the OUTPUT chain immediately: if it says ACCEPT, then the packet continues out to whatever interface it is destined for.
72
73 !Your own chains
74
75 For whatever reason, you can create your own chains. These are created with
76 $ iptables -N chain
77
78 Then, you can define some rules in your chain:
79 $ iptables -A chain -j DROP
80
81 This tells your firewall that as part of chain 'chain', jump to the DROP target. (See targets below)
82
83 Why would you want to use a chain? Same reason you might use a function in a programming language. To do anything you might do more than once. Logging is a good example, so is defining rules for an interface that you want called on both the OUTPUT and FORWARD chains.
84
85 !Targets
86
87 Once a rule matches, you then have to jump somewhere else. If not, control will just pass to the next rule.
88
89 Some good places to jump:
90
11 JohnMcPherson 91 ~-j ACCEPT:
92 Automatically accept this packet and stop traversing any chains for it
93 ~-j DROP:
94 Automatically drop this packet
95 ~-j REJECT:
96 Send back a message saying that this packet was not allowed
10 PerryLorier 97
11 JohnMcPherson 98 !!!Examples
10 PerryLorier 99 !The world's simplest firewall and what it does
11 JohnMcPherson 100 <verbatim>
101 # Create a new chain which blocks new connections on the ppp0 interface,
102 # except if coming from inside.
103 iptables -N block
104 iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
105 iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
106 iptables -A block -j DROP
10 PerryLorier 107
11 JohnMcPherson 108 # Jump to that chain from INPUT and FORWARD chains.
109 iptables -A INPUT -j block
110 iptables -A FORWARD -j block
111 </verbatim>
10 PerryLorier 112
113 When a packet comes into the machine, it will either go to INPUT or FORWARD depending on where the destination is (See above.) Then, when any other rules in the chain have completed, we will jump to the 'block' chain, executing all the rules up until we either ACCEPT or DROP the packet.
11 JohnMcPherson 114
115 !Restrict incoming [SSH] traffic
116 <verbatim>
117 # set up a new chain for ssh traffic
118 iptables -N ssh_syn
119 # filter the start of incoming ssh connections (includes forwarded!)
120 iptables -A INPUT -p tcp --syn --dport 22 -j ssh_syn
121 # allow these packets from local addresses
122 iptables -A ssh_syn -s 10.0.0.0/8 -j ACCEPT
123 iptables -A ssh_syn -s 192.168.0.0/16 -j ACCEPT
124 # university of waikato
125 iptables -A ssh_syn -s 130.217.0.0/16 -j ACCEPT
126 # hoiho.wlug.org.nz
127 iptables -A ssh_syn -s 203.97.10.50/32 -j ACCEPT
128 # default is to deny incoming ssh connections
129 iptables -A ssh_syn -j LOG
130 # the LOG target returns, so now either drop or reject these packets
131 iptables -A ssh_syn -j DROP
132 </verbatim>