Archive

Posts Tagged ‘iptables’

Saving Changes for iptables

May 26, 2009 4 comments

Whenever you make a change to your firewall, on a Fedora/CentOS type system, you will want to save the changes.

The output can be redirected to a file.

# iptables-save > /root/firewall-rules
The following command line restores all rules from /root/firewall-rules assuming that the file /root/firewall-rules exists.

# iptables-restore < /root/firewall-rules

By default, iptables-restore deletes all existing rules before restoring the saved rules. If the saved rules are to be appended to existing rules, use the -n or –noflush option.

Save Your Firewall and Load on Restart

You will need to edit the /etc/sysconfig/iptables-config as root to help iptables save and reload your firewall correctly. Be sure the following settings are changed to “yes”.

# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be ‘yes’ to get to a sane state for a firewall
# restart or stop. Only set to ‘no’ if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD=”yes”

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP=”yes”

# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART=”yes”

iptables Configuration Files

CentOS and other Red Hat based distributions set iptables rules in /etc/sysconfig/iptables, which may be generated by redirecting the output of iptables-save as follows.

# iptables-save > /etc/sysconfig/iptables
The rules are automatically restored by the script /etc/init.d/iptables at startup. No modification to /etc/init.d/iptables is required.

Note that Red Hat based distributions place iptables and related executables in /sbin, not in /usr/sbin.

iptables is not a daemon but it does load rules into memory. This means that rules will not be persistent over a restart. However, if you do the save command it will save the currently loaded rules into a file called: /etc/sysconfig/iptables

service iptables save

Understanding Network Address Translation, NAT

January 31, 2009 Leave a comment

Network Address Translation (NAT) is one of the basic functions of a circuit level gateway. The simple purpose of NAT is to hide the IP addresses of a private network from the outside world.

Normally, when a router forwards a packet from one segment to another, the packet is unchanged. With NAT, as a packet crosses from a trusted segment of a circuit level gateway to an untrusted segment, the packet is rewritten so that the packet’s source address as it appears on the private segment is replaced by a translated source address. The translated source address is what the outside world sees. Thus, the private address remains hidden from the outside world.
nat1

When a host on a public network transmits a packet to a host on the private network, the source host addresses the packet to the private host’s publicly translated address. The sender on the public side does not know the destination host’s true address. As the packet crosses the circuit level gateway, the gateway rewrites the packet so that the destination address is translated to the destination host’s private address.

nat2

This image illustrates the changes in source and destination addresses as packets cross a circuit level gateway performing network address translation

nat3

One to One Translation
One form of NAT establishes a one to one translation between an equal number of private and public host addresses. For example, each host address on a Class C network on the private side of a circuit level gateway is uniquely mapped to a corresponding host address on a Class C network on the public side of the gateway. If 10.1.1.0/24 is the private network address and 172.19.19.0/24 is the public network address, then outbound packets with a source address of 10.1.1.5 can always be rewritten with a translated source address of 172.19.19.5, and inbound packets with a destination address of 172.19.19.5 can be rewritten with a translated destination address of 10.1.1.5. The mapping is persistent and bi-directional. Therefore, connections may be initiated from either side of the circuit level gateway unless a default deny policy is applied.

Pool of Translated Addresses
One form of NAT maps a large block of addresses from the private network to a small pool of addresses on the public segment. Multiple Class A addresses may be mapped to part of a Class C network block. If 10.0.0.0/4 is the private segment’s network address and 172.19.19.0/28 is the public pool of addresses, then an outbound packet with a source address of 10.1.1.5 may be rewritten to have a translated source address of any host address in the pool of 172.19.19.0/28. The NAT gateway will then create a temporary entry in its internal translation table to track the mapping. An inbound packet’s destination address cannot be translated unless a corresponding entry exists in the NAT table. If a current translation exists in the NAT table, the inbound packet’s destination address will be rewritten in accordance with the NAT table entry. The mapping is not persistent and is only temporarily bi-directional. An inbound connection may be accepted only until the NAT table entry expires.

Single Translated Addresses
The form of NAT commonly (but not exclusively) used in commercial circuit level gateways maps any number of addresses from the private network to a single address on the public segment. Given a private segment with the network address 10.0.0.0/8 and a NAT policy that sets 172.19.19.130 as the public address, all outbound packets from the private network will be rewritten to have a translated source address of 172.19.19.130. To correctly map replies to the private host that initiated the connection, the source port number of the outbound packet must also be translated. The NAT gateway will then create a temporary entry in its internal translation table to track the translated source address and port number. An inbound packet’s destination address and port number cannot be translated unless a corresponding entry exists in the NAT table. If a current translation exists in the NAT table, the inbound packet’s destination address and port number will be rewritten in accordance with the NAT table entry. The mapping is not persistent and is only temporarily bi-directional. An inbound connection may be accepted only until the NAT table entry expires.

This image illustrates the changes in IP addresses and port numbers as packets cross a circuit level gateway performing network address and port translation.

nat Chains
netfilter implements network address translation in the nat table. This pre-defined table consists of three built-in chains, the PREROUTING, OUTPUT and POSTROUTING chains. Rules in the PREROUTING chain apply to inbound packets (packets arriving at the gateway from any direction). Rules in the OUTPUT chain apply to locally generated packets (packets that are generated on the gateway itself). Rules in the POSTROUTING chain apply to outbound packets (packets leaving the gateway in any direction).

nat Targets
The nat table includes the built-in targets MASQUERADE, SNAT, DNAT, NETMAP and REDIRECT.

The MASQUERADE target is available in the POSTROUTING chain. MASQUERADE is intended to be used where a firewall’s public side IP address is dynamically assigned, such as where an ISP assigns IP addresses by DHCP. MASQUERADE translates all private network addresses to the single address of the external interface as illustrated, performing port translation as needed and rewriting the destination address and port of replies as needed. When the firewall’s external IP address is released or changed, all translations are dropped.

The SNAT target is available in the POSTROUTING chain. SNAT may be used on a firewall with statically assigned IP addresses. SNAT provides outbound (more trusted to less trusted) network address translation to a pool of public side addresses such that the source address of each outbound packet is translated to an address from the pool, with port translation being performed as needed and the destination address and port of replies being rewritten as needed.

SNAT can use a single public side address as an alternative to a pool of addresses, making SNAT comparable to MASQUERADE. However, SNAT should not be used with dynamically assigned public addresses.

Conversely to SNAT, the DNAT target is available in the PREROUTING and OUTPUT chains and provides inbound (less trusted to more trusted) network address translation. When a connection is initiated from a less trusted network, the destination address is the address of the firewall interface that faces the originating network. DNAT translates the destination address to the address of a host on a more trusted segment. Optionally, the destination port may also be translated. The source address and port of replies from the more trusted segment will be rewritten as needed.

DNAT can use a pool of destination addresses and ports, providing a simple circuit level method of performing load balancing across a number of hosts such as a farm of web servers.

The NETMAP target provides static one to one translation between two network blocks of equal size.

The REDIRECT target is available in the PREROUTING and OUTPUT chains. REDIRECT translates the destination IP address of each packet arriving on any interface to the IP address of the interface on which the packet arrived. For example, REDIRECT will translate the destination address of any packet arriving at eth2. Optionally, the destination port may also be translated. Among other uses, REDIRECT facilitates use of transparent proxies whereby client software such as web browsers may be automatically redirected through the firewall to a proxy server without reconfiguration on the client side.

Build a Simple iptables Firewall

June 16, 2008 2 comments

Simple iptables Firewall
This simple firewall is OK for a desktop system so that you can use it and then modify it later and in the process learn iptables. The script will work with basically any Linux distro and of course you must make all modifications as root. Be sure to test your set up before you depend upon it.

Create the script with a text editor and save it in /etc/rc.d/rc.firewall . Change the permissions so that it is executable:
chmod 755 /etc/rc.d/rc.firewall

One modification you must make is to place the IP Address of the DNS server you want to use and replace:
your_dns_server_ip

Here is the script:
#!/bin/sh
#
# Simple firewall placed in /etc/rc.d/rc.firewall
# chmod 755 /etc/rc.d/rc.firewall
#

iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp -s your_dns_server_ip –sport 53 -j ACCEPT
iptables -A INPUT -p tcp –syn -j REJECT
iptables -A INPUT -p udp -j REJECT

Explanation of the Script:
This script will clean out all previous rules when it starts and will provide you security in that it will not allow any computer to initiate a connection to your box. This is the line that shows no –syn connections.
iptables -A INPUT -p tcp –syn -j REJECT

That way you have a simple firewall and you can add to it later.

If you want the script to start automatically on boot edit your /etc/rc.local file and add the line:
sh /etc/rc.d/rc.firewall

Here is an example of rc.local.

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will “exit 0″ on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sh /etc/rc.d/rc.firewall
exit 0

Follow

Get every new post delivered to your Inbox.

Join 53 other followers