HOWTO CentOS IPTables, Configuring a Firewall

1.0 INTRODUCTION
Firewalls are one of the most important elements of a network and make a server administrator's job much easier. Not only do they keep unwanted traffic from entering the network, they also contain the traffic, users and information inside it, and they can grant access to particular areas of the network only to specific IP or MAC addresses. The following technical document is not necessarily a walkthrough or a HOWTO, but a tool that can be used to configure your firewall to meet your own specific needs. We will be setting all firewall rules from a script run from a terminal in Linux, so some working knowledge of Linux and terminal commands is assumed.
2.0 IP TABLE CONFIGURATION
I. Requirements
- Linux box with 2 NIC cards for the firewall
  eth0 - 142.25.97.239
  eth1 - 10.0.0.1
- Computer on the internal network with MySQL installed
  10.0.0.3
- DMZ Web Server
  142.25.97.201
II. Adding the Proper Modules
A module is a piece of code that makes certain parts of Linux functional. Modules are very important because they allow the Linux Kernel to stay small and flexible. There are 7 modules that we will be loading. They are as follows.
1. ip_tables – the core netfilter module
2. ip_conntrack – the stateful connection tracking module
3. iptable_filter – the filter table module
4. iptable_mangle – the mangle table module
5. ipt_REJECT – the module that drops the packet and returns an ICMP response
6. ipt_LOG – the target log module
7. iptable_nat – the nat table module
III. Flushing the IP TABLES
It is important to flush (clear) the current firewall rules before adding new ones, so the script always starts from a known state. This is done with three commands, one per table.

1. iptables --flush
– clears the filter table (the default table when no -t is given)

2. iptables -t nat --flush
– clears the nat table

3. iptables -t mangle --flush
– clears the mangle table

IV. Allowing Local Communication
The firewall computer has two NIC cards: a red one on the Internet (dangerous) side and a green one on the network (safe) side. Rules need to be set to allow the two to communicate with each other and eventually to allow communication to and from both sides of the firewall. The first two rules cover the loopback interface lo, which services on the firewall itself use to talk to each other.

1. iptables -A INPUT -i lo -j ACCEPT
– accepts packets arriving on the loopback interface; -A appends the rule to the INPUT chain and -j names the target (here ACCEPT) applied to packets that match.

2. iptables -A OUTPUT -o lo -j ACCEPT
– the same for outgoing packets on lo (-o matches the output interface).

V. Allowing UDP and TCP Communication
UDP and TCP traffic need to be allowed through the firewall and back again. The following rules let the named traffic in and out; anything else falls through to the final DROP rules added in section X. Note that iptables checks the rules of a chain in order and the first matching rule decides, so the order in which they are appended matters.

1. iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
– allows UDP leaving on eth0 from an unprivileged source port (1024-65535) to destination port 53, i.e. DNS queries sent by the firewall.

2. iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
– allows the DNS replies back in: UDP arriving on eth0 from source port 53 to an unprivileged port. The -j ACCEPT is required; a rule without a target only counts the packets that match it.

3. iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
– allows outgoing packets on eth0 that belong to a connection already established, or are related to one (for example ICMP errors), as tracked by ip_conntrack.

4. iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
– allows new TCP connections arriving on eth0 to port 80 (HTTP) from an unprivileged source port.

5. iptables -A OUTPUT -p tcp -o eth0 --dport 80 --sport 1024:65535 -j ACCEPT
– allows TCP leaving on eth0 from an unprivileged source port to destination port 80, i.e. HTTP connections made from the firewall itself.

6. iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
– allows new TCP connections arriving on eth0 to port 22 (SSH) from an unprivileged source port.

7. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
– allows incoming packets on any interface that belong to an established connection or are related to one; this is what lets the replies to the firewall's own connections back in.

VI. Configure NAT Routing
Network Address Translation (NAT) is how multiple computers on a network share a single outbound IP address. The firewall does the difficult task of remembering which internal computer made each request and which one a reply is for. This section sets up the firewall so it can route traffic in and out to where it needs to go. A few things need to be configured before we get back to our firewall script.

1. Edit the following files

a) vi /etc/sysctl.conf
net.ipv4.ip_forward = 1

b) vi /etc/sysconfig/iptables-config
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"

*Note: if something goes wrong, change these to "no" and restart the computer; the firewall will be reset.*

Back to the script

2. echo 1 > /proc/sys/net/ipv4/ip_forward – turns on IP forwarding immediately (the sysctl.conf entry above makes it persist across reboots)

3. iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
– masquerades everything leaving on eth0 behind the firewall's own address (source NAT), so the internal 10.0.0.x computers share the 142.25.97.239 address.

4. /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
– the same rule as 3, written with the full path to the binary; appending it again only creates a duplicate, so one of the two can be left out.

5. iptables -t nat -A PREROUTING -p tcp -d 142.25.97.239 --dport 80 -j DNAT --to 142.25.97.201
– forwards HTTP traffic addressed to the firewall to the DMZ Web Server. DNAT only rewrites the destination address; the rewritten packet must still be accepted by the FORWARD chain, which this script ends with a DROP rule.

6. iptables -t nat -A POSTROUTING -d 142.25.97.201 -j MASQUERADE
– rewrites the source address of packets going to the Web Server to the firewall's own address, so the Web Server sees the connections as coming from the firewall and its replies return through the firewall.

VII. Using the DMZ Web Server to Connect to MySQL PC
Many organizations have MySQL servers behind a firewall and users must somehow get access to them. Since SQL traffic coming straight through the firewall poses too much of a security risk, we route it through the DMZ and allow connections only from there and from the computers behind the firewall.

1. iptables -A INPUT -i eth0 -p tcp -m tcp -s 142.25.97.201 --dport 3306 -j ACCEPT
– allows the DMZ Web Server (142.25.97.201, which the rule also names as europa.itas.ca) to connect through eth0 with TCP to port 3306 (MySQL). Note the option order: -i takes the interface and -p the protocol, and iptables accepts only one -s per rule, so the source is given once, as the IP address.

2. iptables -t nat -A PREROUTING -s europa.itas.ca -p tcp -d 142.25.97.239 --dport 3306 -j DNAT --to 10.0.0.3
– provides NAT support: MySQL connections from the Web Server addressed to the firewall are rerouted to the SQL server (10.0.0.3). A hostname given to -s is resolved once, when the rule is loaded.

3. iptables -t nat -A POSTROUTING -d 10.0.0.3 -j MASQUERADE
– rewrites the source of packets going to the SQL server to the firewall's address, so the SQL server sees them as coming from the firewall.

4. iptables -A INPUT -p tcp -s 142.25.97.239 --sport 1024:65535 -d 142.25.97.239 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
– accepts new or established TCP traffic from the firewall's own address to its own address on port 3306 (MySQL).

5. iptables -A OUTPUT -p tcp -s 142.25.97.239 --sport 3306 -d 142.25.97.239 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
– accepts the established replies leaving from port 3306 back to the unprivileged client port.

6. iptables -A OUTPUT -p tcp -s 142.25.97.239 --sport 1024:65535 -d 0/0 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
– accepts new or established MySQL connections made from the firewall's address to any destination (-d 0/0). This is broader than the section's goal of reaching only 10.0.0.3; narrowing -d to that address limits where the firewall itself can open MySQL connections.

VIII. Setting up Logging
Logging is always important so you can see what is going on when there is trouble or you suspect trouble. The following rules log packets. LOG is a non-terminating target: it writes a kernel log message (level 7, debug) with the given prefix and then lets the packet continue to the next rule. The rules are appended just before the DROP rules of sections IX and X, so only packets that no earlier rule accepted reach them and the "Dropped by firewall" prefix is accurate. The -m limit match caps logging at about 15 messages per minute so a flood of packets cannot fill the logs.

1. /sbin/iptables -A INPUT -m limit --limit 15/minute -j LOG \
--log-level 7 --log-prefix "Dropped by firewall: "
– logs the incoming traffic that reached this point

2. /sbin/iptables -A OUTPUT -m limit --limit 15/minute -j LOG \
--log-level 7 --log-prefix "Dropped by firewall: "
– the same for outgoing traffic

IX. Drop Unwanted Traffic to Limit DoS and SYN Attacks
So what do you do with the traffic you do not want, or the traffic that is being sent to cause the network grief? You drop it into cyberspace. The following rules do just that. Each --tcp-flags match takes two lists: the flags to examine, and which of those must be set; the combinations below never occur in a legitimate TCP handshake and are typical of port scans and malformed-packet attacks. Because the script appends these after the ACCEPT rules, they only see packets that no earlier rule accepted.

1. iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
– exactly FIN, URG and PSH set (XMAS scan)

2. iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
– every flag set

3. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
– no flags set (NULL scan)

4. iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
– SYN and RST set together

5. iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
– SYN and FIN set together

6. iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
– FIN without ACK (FIN scan)

7. iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
– every flag except PSH set

X. Save, Final Drops and IP Table Restart
The last rules make the chains default-deny: anything not accepted by an earlier rule is dropped. They are appended last so that every ACCEPT rule above them is consulted first.

1. iptables-save
– prints the running rule set to standard output in the form iptables-restore reads; on its own it does not write /etc/sysconfig/iptables. With IPTABLES_SAVE_ON_RESTART="yes" (section VI), the restart in step 5 saves the running rules to that file and reloads them.

2. iptables -A INPUT -j DROP

3. iptables -A OUTPUT -j DROP

4. iptables -A FORWARD -j DROP

5. service iptables restart
– saves the current rules (see step 1) and reloads them
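As an added illustration (not part of the original HOWTO), the following Python evaluator walks an INPUT chain built from this page's own rules with iptables' first-match semantics, to show why the order of sections V, VIII, IX and X matters. The packets, their conntrack states and all helper functions are constructed here; only the options the HOWTO uses are understood.

```python
import shlex
ALL_FLAGS = {"SYN", "ACK", "FIN", "RST", "URG", "PSH"}
OPTS = {"-p": "proto", "-i": "iface", "-j": "target", "--dport": "dport", "--sport": "sport", "--state": "state"}

def parse_rule(line):        # reduce one 'iptables -A INPUT ...' line to the matches it carries
    toks, rule, i = shlex.split(line), {}, 0
    while i < len(toks):
        if toks[i] in OPTS:
            rule[OPTS[toks[i]]] = toks[i + 1]
            i += 2
        elif toks[i] == "--tcp-flags":           # --tcp-flags MASK COMP
            rule["flags"] = tuple(ALL_FLAGS if f == "ALL" else set(f.split(",")) - {"NONE"}
                                  for f in toks[i + 1:i + 3])
            i += 3
        else:
            i += 1       # -A INPUT, -m state, --limit 15/minute ... carry no match data
    return rule

def _port_ok(spec, port):                         # spec is "22" or "1024:65535"
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def matches(rule, pkt):
    if not all(rule[k] == pkt[k] for k in ("proto", "iface") if k in rule): return False
    if not all(_port_ok(rule[k], pkt[k]) for k in ("dport", "sport") if k in rule): return False
    if "state" in rule and pkt["state"] not in rule["state"].split(","): return False
    if "flags" in rule:                 # of the flags named in MASK, exactly COMP must be set
        mask, comp = rule["flags"]
        if pkt["flags"] & mask != comp: return False
    return True

def evaluate(chain, pkt):    # first terminating match decides; returns (verdict, logged)
    logged = False
    for rule in chain:
        if matches(rule, pkt):
            if rule["target"] == "LOG":           # LOG records and falls through
                logged = True
                continue
            return rule["target"], logged
    return "ACCEPT", logged  # built-in chain policy, which the HOWTO never changes
def packet(proto, iface, sport, dport, state, flags=()):   # constructed test packet
    return dict(proto=proto, iface=iface, sport=sport, dport=dport, state=state, flags=set(flags))
INPUT = [parse_rule(r) for r in [   # the HOWTO's INPUT chain, in the order the script appends it
    "iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT",
    "iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT",
    "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    'iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "',
    "iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP",
    "iptables -A INPUT -j DROP",
]]
```

Evaluating a new SSH connection arriving on eth1 shows a consequence of the rules above: the green-side network cannot reach the firewall's own SSH port, because every NEW rule is tied to eth0, and the attempt is logged before it is dropped.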

XI. The Final Script

#!/bin/bash

# Kyle Corey
# September 30th 2008
# Version 1.3

clear

echo "-------------"
echo "|Here we go!|"
echo "-------------"

echo

echo "Adding Modules..."
echo

echo "0"
/sbin/modprobe ip_tables        # core netfilter module
echo "1"
/sbin/modprobe ip_conntrack     # stateful connection tracking (needed by -m state)
echo "2"
/sbin/modprobe iptable_filter   # filter table
echo "3"
/sbin/modprobe iptable_mangle   # mangle table
echo "4"
/sbin/modprobe ipt_REJECT       # REJECT target
echo "5"
/sbin/modprobe ipt_LOG          # LOG target
echo "6"
/sbin/modprobe iptable_nat      # nat table
echo "next"

echo "Flushing Firewall Rules..."
echo

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

echo "Allowing local communication on lo..."
echo

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo "Allowing udp communication eth0..."
echo

iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT   # DNS replies

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Allowing tcp communication on eth0..."
echo

iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --dport 80 --sport 1024:65535 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Allowing NAT Postrouting..."
echo

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE   # source NAT: the internal network leaves as 142.25.97.239

iptables -t nat -A PREROUTING -p tcp -d 142.25.97.239 --dport 80 -j DNAT --to 142.25.97.201
iptables -t nat -A POSTROUTING -d 142.25.97.201 -j MASQUERADE

echo "Configuring Web Server to appear to have same IP as FW..."
echo

iptables -t nat -A POSTROUTING -p tcp -d 142.25.97.201 -j ACCEPT   # redundant: the MASQUERADE rule above already matched this traffic

echo "Configuring MYSQL -> DMZ -> MySQL Server..."
echo

iptables -A INPUT -i eth0 -p tcp -m tcp -s 142.25.97.201 --dport 3306 -j ACCEPT   # MySQL from the DMZ web server (europa.itas.ca)
iptables -t nat -A PREROUTING -s europa.itas.ca -p tcp -d 142.25.97.239 --dport 3306 -j DNAT --to 10.0.0.3
iptables -t nat -A POSTROUTING -d 10.0.0.3 -j MASQUERADE

iptables -A INPUT -p tcp -s 142.25.97.239 --sport 1024:65535 -d 142.25.97.239 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 142.25.97.239 --sport 3306 -d 142.25.97.239 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s 142.25.97.239 --sport 1024:65535 -d 0/0 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 3306 -d 142.25.97.239 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT   # replies to the rule above (iptables allows only one -s per rule)

echo "Forwarding Port 1056 to 22 on the SQL Server for ssh access..."
echo

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 142.25.97.239 --dport 1056 -j DNAT --to 10.0.0.3:22
iptables -A FORWARD -p tcp -i eth0 -d 10.0.0.3 --dport 22 -j ACCEPT

# Port 1200 on the firewall reaches MySQL on the SQL server the same way
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 142.25.97.239 --dport 1200 -j DNAT --to 10.0.0.3:3306
iptables -A FORWARD -p tcp -i eth0 -d 10.0.0.3 --dport 3306 -j ACCEPT

# Routed traffic: only replies come back in from the red side, anything may go out from the green side
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

echo "Creating Logging capabilities..."

/sbin/iptables -A INPUT -m limit --limit 15/minute -j LOG \
--log-level 7 --log-prefix "Dropped by firewall: "
/sbin/iptables -A OUTPUT -m limit --limit 15/minute -j LOG \
--log-level 7 --log-prefix "Dropped by firewall: "

echo "Erecting Rules to Drop Bad Things, like SYN Flooding..."
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP           # XMAS scan
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP                   # every flag set
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP                  # NULL scan
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP           # SYN+RST is never valid
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP           # SYN+FIN is never valid
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP               # FIN packet scans
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP   # everything but PSH set

iptables-save   # prints the running rules; the restart below is what writes them to /etc/sysconfig/iptables

#iptables-save -c

iptables -A INPUT -j DROP      # default deny: anything not accepted above is dropped
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP

service iptables restart       # with IPTABLES_SAVE_ON_RESTART="yes" this saves and reloads the rule set

echo "Thanks to Ronnie Brash, Derek Ulrich, Gordie Lawlor, and many other sources....."

3.0 SUMMARY
As you can see, this is not an easy thing to configure, but it is an important part of any network's arsenal. There are other options, such as hardware firewalls and GUI firewalls. Please see my report on FireStarter for a GUI firewall interface for Linux.
4.0 REFERENCES

1. http://derekulrich.com/itas/firewall.php
2. http://orangespike.com/?q=node/13
3. http://gogordie.ca/ITAS280_PROJECT1_LAWLORG.php
4. Sobell, A Practical Guide to Red Hat Linux