Setting up a Firewall — IP Tables

Big Picture 

Linux firewalls provide a security mechanism to filter incoming and outgoing traffic based on predefined rules that match on protocols, ports, addresses and other criteria. iptables is the current de facto standard for Linux firewalls; it is the user-space tool that configures the Netfilter framework built into the Linux kernel. Within iptables, tables (such as the filter and nat tables used below) are used to organize firewall rules by purpose. 

Chains

Within a table, rules are organized into chains. A chain groups a set of rules that apply to one path network traffic takes through the system. Each rule defines the criteria a packet must meet (Matches) and the action to take when it does (Target). Rules can match on source or destination IP address, ports and protocols, and some targets can also modify packet header fields. 

Filter Table Built-in Chains: 

  • INPUT: Handles packets destined for the local system (incoming traffic to your machine)
  • OUTPUT: Handles packets originating from the local system (outgoing traffic from your machine)
  • FORWARD: Handles packets being routed through the system (traffic passing through your machine to another destination, relevant when acting as a router/gateway)

NAT Table Built-in Chains:

  • PREROUTING: Modifies packets as soon as they arrive, before the routing decision is made. Primarily used for Destination NAT (DNAT) – changing where packets are going (e.g., port forwarding from public IP to internal server)
  • POSTROUTING: Modifies packets just before they leave the system, after the routing decision. Primarily used for Source NAT (SNAT) – changing where packets appear to come from (e.g., masquerading internal private IPs to your public IP)
  • OUTPUT: Handles locally-generated packets that need NAT before leaving the system

Here are some of the actions (targets) that a rule can apply to matching traffic: 

ACCEPT – Allows the packet to pass through the firewall and continue to its destination

DROP – Drops the packet, effectively blocking it from passing through the firewall

REJECT – Drops the packet and sends an error message back to the source address, notifying the sender that the packet was blocked

LOG – Logs the packet information to the system log

SNAT – Modifies the source IP address of the packet, typically used for Network Address Translation (NAT) to translate private IP addresses to public IP addresses

DNAT – Modifies the destination IP address of the packet, typically used for NAT to forward traffic from one IP address to another

MASQUERADE – Similar to SNAT but used when the source IP address is not fixed, such as in a dynamic IP address scenario

REDIRECT – Redirects packets to another port or IP address

MARK – Adds or modifies the Netfilter mark value of the packet, which can be used for advanced routing or other purposes

There are different modifiers to determine whether a firewall rule should be applied to a packet or connection: 

-p or --protocol – Specifies the protocol to match (e.g. tcp, udp, icmp)

--dport – Specifies the destination port to match

--sport – Specifies the source port to match

-s or --source – Specifies the source IP address to match

-d or --destination – Specifies the destination IP address to match

-m state – Matches the state of a connection (e.g. NEW, ESTABLISHED, RELATED)

-m multiport – Matches multiple ports or port ranges

-m tcp – Matches TCP packets and includes additional TCP-specific options

-m udp – Matches UDP packets and includes additional UDP-specific options

-m string – Matches packets that contain a specific string

-m limit – Matches packets at a specified rate limit

-m conntrack – Matches packets based on their connection tracking information

-m mark – Matches packets based on their Netfilter mark value

-m mac – Matches packets based on their MAC address

-m iprange – Matches packets based on a range of IP addresses

Example IPTables commands

Here are some of the commands you can use to set firewall rules: 

  • Launch a web server on TCP/8080 & block traffic to it
    • Using python3's built-in HTTP server
      • python3 -m http.server 8080
    • Blocking the incoming traffic
      • sudo iptables -A INPUT -p tcp --dport 8080 -j DROP
  • Changing rules to allow incoming 8080 traffic (-I inserts at the top of the chain, so this rule is evaluated before the DROP rule appended above)
    • sudo iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
  • Blocking traffic from a specific IP address
    • sudo iptables -A INPUT -s 192.168.1.50 -j DROP
  • Allow from a specific address
    • sudo iptables -A INPUT -s 192.168.1.50 -j ACCEPT
  • Block based on protocol (icmp = ping requests)
    • sudo iptables -A INPUT -p icmp -j DROP
  • Allow based on protocol
    • sudo iptables -A INPUT -p tcp -j ACCEPT
  • Create a new chain
    • sudo iptables -N WEB_TRAFFIC
  • Forward traffic to a specific chain (port 80 = http traffic)
    • sudo iptables -A INPUT -p tcp --dport 80 -j WEB_TRAFFIC
    • Add rules to the custom chain (acceptable IP range)
      • sudo iptables -A WEB_TRAFFIC -s 192.168.1.0/24 -j ACCEPT
  • List all rules for a specific table
    • sudo iptables -L -t nat -n -v --line-numbers