ChinaNetCloud Training - iptables Intro

ChinaNetCloudRunning All the World's Internet Servers
管理全世界的网络服务器
IP Tables Basics
June, 2014
By Steve Mushero
Copyright 2015 ChinaNetCloud
ChinaNetCloud
1

Copyright 2015 ChinaNetCloud 2
Introduction
● iptables is main server firewall
● Layer 4 – all IP, Port, protocol-based
● Software-based
● Built-into kernel
● Powerful & fast
● But difficult to use
● We have a script :)

Basic Parts
● Kernel Module - netfilter
● Kernel Module – conntrack
● Creates sysctrl items like conntrack_max
● Tool – iptables command
● Run as root
● Save files – simple save file

Filtering Basics
● Filter on:
● IP Address – Source or Destination
● Ports – Source or Destination
● Protocol – ICMP, UDP, TCP, etc.
● Status – SYN, Established, Related
● Two main results – Allow or Block (drop)
● Special functions
● Logging
● Statistics

Tables
● Three Tables are built into kernel
● Filter – Real firewall, always used
● NAT – For NAT by Linux, rarely used
● Mangle – Special use
● Filter is the default table, the one you will use
● It’s the filter iptables shows/changes without -t

Chains
● Each Table has Chains
● Three built-in Chains in Filter Table
● INPUT – For traffic coming INTO server
● OUTPUT – For traffic LEAVING server
● FORWARD – For routing, rarely used
● You can add more chains for ease of use
● Such as logging, special protocols
● The Chains have the Rules
● You will usually edit these

Chains
● That Chain can call other Chains
● RedHat always includes a special RH chain
● You can add more chains, such as for logging

Chains
● Iptables –vnL
Chain INPUT (policy ACCEPT )
Chain OUPPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)

Tables & Chains & Rules
● Filter, NAT, Mangle Tables
● Input and Output Chains in Filter Table
● Rules in Input Chain to protect server
● Firewall is a set of Tables, Chains, and Rules
● Rules are most important

Basic Packet Flow
● Each input packet hits Filter Table, Input Chain
● Packet is checked rule by rule, from top
● If a rule is true, results happens
● Usually ACCEPT, DROP, or REJECT
● Process ends (except for LOG result)
● Statistic counters tell you which rules are hit/true

Basic Packet Flow
# Target prot in out source destination
1 ACCEPT all lo lo 0.0.0.0/0 0.0.0.0/0
2 ACCEPT TCP * * 1.2.3.4./32 0.0.0.0/0
3 DROP all * * 0.0.0.0/0 0.0.0.0/0

Basic Rule Structure
iptables -A INPUT -p tcp –i eth0 –s 0.0.0.0/0 -j ACCEPT
● Basic rule
● Chain - INPUT
● Protocol – TCP, UDP, IDCMP, ALL
● Interface - * or lo or eth0, etc.
● Action – ACCEPT, DROP, or REJECT

Basic Rule Options
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
● Ports and States
● Destination Port – 22 (ssh)
● Very often used for services
● Module – state (needed for next option)
● Module Option – State NEW
● Always used for normal rules

Other Common Rule Options
● Logging – like -j LOG --log-prefix 'bad port: ’
● Will log to syslog
● Used to log bad or illegal packets

Accept Established / Related
iptables -I INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT
● All systems have a rule like this
● To pass ESTAB connections, always save
● Managed by conntrack module
● RELATED is for TCP like FTP or DNS UDP
● For DNS UDP it remembers out / in
● Put this rule first in rule list, for better performance

Last Rule always Drop
● Always add -j DROP rule at end
● So if we don't allow traffic, it's dropped
● Even if Chain Policy is also DROP
● Best practice is both DROP policy & Drop rule
● This ensures we drop everything we don’t want

Chain Policy
Chain INPUT (policy ACCEPT 7091K packets, 4852M bytes)
● Each Chain has a default action
● Very important
● Done automatically at end of Chain
● Should be DROP on all major Chains
● Should be ACCEPT for middle partial Chains
● To allow packets to continue to other chains

Using iptables command
● Can show, add, insert, delete rules
● Easiest to show rules with numbers:
● iptables –vnL –line-numbers [Note L for list]
● Will show current rules with numbers
● Other options to Add, Delete, Insert
● Delete / Insert use line numbers

Iptables-save / restore
● Dump iptables in memory to file
● Loaded by init when server starts
● Any changes not in file are LOST on reboot !!
● File usually in /etc/sysconfig:
/etc/sysconfig/iptables
● Can be monitored by Zabbix, Nagios, etc.
● Can run manually
● iptables-save > file

Iptables as a Service
● It's NOT a service, but looks like a service
● Has init script to load save file on boot
● Script just changes options
● Stop – Deletes all rules and allows all traffic
● Start – Load iptables-save file /etc/sysconfig/iptables
● If you 'stop' iptables to test, don't forget to start

Advanced Use
● NAT
● Used for ssh and Zabbix forwarding
● Used as gateway for private LAN (DB, etc.)
● Port Changes
● Can move port 80 traffic to 8080
● Routing between NIC
● Xen Dom0 Use – Control VMs
● Change packet data
● Quite Rare

Packet Flow

Summary
● Iptables very important
● Used on every server
● A bit complicated
● Use a script to manage
● Be careful

About ChinaNetCloud

ChinaNetCloud
Sales@ChinaNetCloud.com
www.ChinaNetCloud.com
Beijing Office:
Lee World Business Building #305
57 Happiness Village Road,
Chaoyang District
Beijing, 100027 China
Silicon Valley Office:
California Avenue
Palo Alto, 94123 USA
Shanghai Headquarters:
X2 Space 1-601, 1238 Xietu Lu
Shanghai, 200032 China
T: +86-21-6422-1946 F: +86-21-
6422-4911

ChinaNetCloud Training - iptables Intro

More Related Content

What's hot (20)

Viewers also liked (14)

Similar to ChinaNetCloud Training - iptables Intro (20)

More from ChinaNetCloud (20)

Recently uploaded (20)

ChinaNetCloud Training - iptables Intro