Tuesday, April 14, 2015

Basic filter rules with Netfilter (iptables)

If you understood how Netfilter works after reading my previous article, you are able to configure some basic rules to filter traffic between two or more networks.

Let's suppose the following scenario: You've got a system with two network interfaces connected to an Intranet (eth0) and to the outside (eth1) and you want only traffic from the former to the later to be allowed, but only through a local proxy.

I'll show you how to do that with some iptables commands stored in a shell script that will use variables so you can easily modify it for your own network.

The file with this shell script must have execution permission for the root and shouldn't be readable for any one else. Save it in the directory /etc/network/if-pre-up.d/ if you're working with Debian or Ubuntu, as it's my case.

#!/bin/sh

# Variables
# Group 1
LOCALNET=192.168.111.0/24
LOCALPROXY=192.168.111.2
LANDEV=eth0
WANDEV=eth1

# Delete any previous ruleset
# Group 2
iptables -F
iptables -X
iptables -Z

# Set the default policy
# Group 3
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Allow traffic for loopback interface
# Group 4
iptables -A INPUT -i lo -j ACCEPT

# Allow HTTP and HTTPS for the local proxy
# Group 5
iptables -A FORWARD -s $LOCALPROXY -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d $LOCALPROXY -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -s $LOCALPROXY -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d $LOCALPROXY -p tcp --sport 443 -j ACCEPT

# Allow DNS traffic (consider changing LOCALNET for LOCALPROXY)
# Group 6
iptables -A FORWARD -s $LOCALNET -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -d $LOCALNET -p tcp --sport 53 -j ACCEPT
iptables -A FORWARD -s $LOCALNET -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -d $LOCALNET -p udp --sport 53 -j ACCEPT

# Masquerade local addresses
# Group 7
iptables -t nat -A POSTROUTING -s $LOCALNET -o $WANDEV -j MASQUERADE

# Allow routing through network interfaces
# Group 8
echo 1 > /proc/sys/net/ipv4/ip_forward


The lines in group 1 have to be changed with your own settings. Next, group 2 makes the ruleset to be completely deleted. In group 3, the default policy is setup for each chain in the filter table (iptables works with the filter table if no other table is specified). Users trying to reach the outside network won't be able to get a connection and no message will be sent back due to the DROP policy in the FORWARD chain.

After that, group 4 allows any loopback interface traffic (i.e. connections to localhost). Next, in group 5, web traffic is allowed for the local proxy, so users will have to use it in order to navigate. Last filter rules, in group 6, allow dns queries for all the Intranet, but you can consider allowing it for only the local proxy depending on your security policy.

The rules in groups 6 and 7 are coupled, for one allows the traffic from the Intranet to the outside network while the other allows the traffic back to the local network.

The rule in group 7 is the only one in the nat table in this example. It makes the source IP address to be changed for the outside network interface IP address, so the local addresses are masqueraded. This kind of Network Address Translation is named source NAT or SNAT.

Finally, in group 8, the traffic is allowed to be routed between the network interfaces.

Once the shell script is executed, you should get the following output from the command iptables -nL:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.111.2        0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            192.168.111.2        tcp spt:80
ACCEPT     tcp  --  192.168.111.2        0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            192.168.111.2        tcp spt:443
ACCEPT     tcp  --  192.168.111.0/24     0.0.0.0/0            tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            192.168.111.0/24     tcp spt:53
ACCEPT     udp  --  192.168.111.0/24     0.0.0.0/0            udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            192.168.111.0/24     udp spt:53

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Now you can try to establish some connections. Execute telnet www.google.com 80 from the local proxy:



And watch for the incoming and outgoing connexions through the firewall with the command:
watch -n 1 'sudo iptables -nvL | grep 80'



The first column is a counter of packets and the second is a counter of bytes that matched that rule.

2 comments:

  1. Really a very good article... very helpful. Thanks for sharing.

    ReplyDelete
  2. You're welcome and thanks for your kind comment!

    ReplyDelete