Archive:Docs/Drafts/AdministrationGuide/Servers/Firewall

Managing Netfilter (IP Tables) Firewall
A firewall is a networking device which is used to separate private networks from external access by providing a level of security rules and controls.

A simple firewall can be configured to block all access to networks, workstations and communication ports. A more complex firewall is capable of inspecting each individual packet that attempts to pass through it and ensures that they are correctly formatted and appropriate to the services provided for (or by) the internal network. This type of firewall is called a packet filtering firewall.

This chapter explains some of the concepts for Netfilter or, firewall implementation provided by Fedora and packet forwarding which can be used to secure a private network. The example configurations provided in each section are only designed to provide an introduction into each of those specific sections, while the included example firewall script provides a simple but effective security for a networked system.

is not a daemon. Upon the service start, all the firewall rules are loaded into memory and there is no "listening daemon". By default, rules are not persistent across reboot. However,  start-up can be managed as any other SysV init script, using   and   commands.

rules are created using  command. Once the rules are entered, use:

su -c '/sbin/service iptables save'

This creates the  file, which preserves the rules across reboot. Any additional rules are created and added to the file in a same way.

Effective firewall configuration can also be created using graphical interface. This application is quite capable of creating simple firewall in a very convenient way. However, to configure more advanced options using this utility, familiarity with the  riles syntax is necessary.

Packet Forwarding
Packet forwarding is a simple concept where the server allows data packets to pass from one network to another. As per diagram below, packets from the private network are allowed to be forwarded through the server and out to the ISP and vice versa.

/---\ /-\     |   Server (Routing)    |      /-\ \-/     | eth0 : 123.123.123.2  |--| 123.123.123.1   | \---/     \-/
 * Private Network |--| eth1 : 192.168.1.1   |      | ISP Connection  |
 * 192.168.1.0/24 |      |---|      | REMOTE IP ADDR  |

There are a few initial considerations. First, the server must have networks or gateways defined in its routing table so it can make an informed decision where the packet needs to be passed to. Second, the server must have packet forwarding enabled. Thirdly, if the routed packets came from a private, non-routable subnet, they must be translated into globally routed IP addresses, before they will be accepted on the Internet.

To enable packet forwarding manually, run:

su -c '/bin/echo 1 > /proc/sys/net/ipv4/ip_forward'

This change takes the effect immediately but is not preserved on reboot. However, reboot is not required to disable IP forwrding - it can be done in a similar way:

su -c '/bin/echo 0 > /proc/sys/net/ipv4/ip_forward'

To enable IP forwarding permantly, change the parameter in  file to:

net.ipv4.ip_forward = 1

Packet Filtering
Packet filtering is usually confusing concept for users new to system administration.

In packet forwarding the kernel is either allowed to move packets between different subnets or is not, and if it is, the decisions are made from the kernel's routing table.

In packet filtering, the application  stores a list of pre-programmed rules which are individually tested against every packet that either tries to enter, pass through, or exit any of the system's network devices. Each rule is used to test the packet in a sequential order and if the packet matches any of the rules it is either accepted or rejected depending on the global policy and rule definitions.

The  firewall stores the rulesets in a group of three tables. Each provide different capabilities depending on the rules and the order they are applied. We will only examine the filter and nat tables here, the mangle table is used for specialised packet alteration which is beyond our scope. The following table displays the filter table and the three built-in chains.

To list the filter table and its rules, first stop the  service:

su -c '/sbin/service iptables stop'

and then use the following command:

su -c '/sbin/iptables -t filter -nvL'

Admonition("Tip","The filter table is the default table when working with, so the command option   is not necessary but is a good practice.")

The output will look similar to:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination

The listing shows the three built in chains, and their default policies are all set to ACCEPT, which means the firewall is inactive.

To populate the table with the set of rules, enter the following commands at the terminal line by line and press Enter after each line:

01- su -c '/sbin/iptables -P INPUT DROP' 02- su -c '/sbin/iptables -P FORWARD DROP' 03- su -c '/sbin/iptables -P OUTPUT DROP' 04- su -c '/sbin/iptables -A INPUT -i lo -j ACCEPT' 05- su -c '/sbin/iptables -A OUTPUT -o lo -j ACCEPT' 06- su -c '/sbin/iptables -A INPUT -i ppp0 -p tcp --sport 80 -j ACCEPT' 07- su -c '/sbin/iptables -A OUTPUT -o ppp0 -p tcp --dport 80 -j ACCEPT' 08- su -c '/sbin/iptables -A INPUT -i eth1 -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT' 09- su -c '/sbin/iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -p tcp --sport 3128 -j ACCEPT'

Admonition("Note","Do not type the numbers at the beginning of each line. Start the actual command with  - numbers are shown here to explain the process more clearly.")

List the rules again:

su -c '/sbin/iptables -t filter -nvL'

The output is now:

01-	Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination 04-   0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0 06-   0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp spt:80 08-   0     0 ACCEPT     tcp  --  eth1   *       192.168.1.0/24       0.0.0.0/0           tcp dpt:3128

02- Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination

03- Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination 05-   0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0 07-   0     0 ACCEPT     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           tcp dpt:80 09-   0     0 ACCEPT     tcp  --  *      eth1    0.0.0.0/0            192.168.1.0/24      tcp spt:3128

Each command above corresponds to the line in the output preceded with the same number and the rules are set according to the following:

Lines 01-03:: The first three commands set the default ( ) policy on all the chains to   everything, unless suitable rules inside the chain will ACCEPT them. This is the most secure method of filtering, because every packet now must have a specific rule written for it to be accepted by firewall and passed on.

Lines 04-05:: These two commands have ( ) appended to two   rules. The   rule ( ) allows any packet to ( ) leave via the loopback device and the   rule ( ) allows packets to re-enter ( ) via the loopback interface.

Because the chains are using a default  policy, they restrict the server from accessing any of its own services running on the local host, such as DNS. A basic rule like this allows the server to access all services on the loopback interface without restriction.

Lines 06-07:: The next two ( ) appended rules are more specific. The   rule ( ) specifies that any packet going out ( ) through ppp0 interface using ( ) protocol   is accepted if the destination port is 80. The   rule ( ) specifies that any packet coming through the ( ) interface ppp0 using ( ) protocol   is accepted if the source port is 80.

In other words, local server is allowed to access external web servers through ppp0 connection.

Lines 08-09:: The last   rule ( ) which has been ( ) appended to the chain allows any   packets from the ( ) source network of 192.168.1.0/24, coming through the ( ) interface eth1 and are going to the ( ) destination port 3128. The matching   rule ( ) has been ( ) appended to the chain allows any packets that are going out ( ) through the eth1 interface to ( ) destination network 192.168.1.0/24 using the   ( ) protocol, if the ( ) source port is 3128.

These two are fairly detailed rules, they say that anyone on the internal network (192.168.1.0/24) is allowed to send packets to the squid proxy server (3128) through the internal eth1 interface and the results can be returned to the workstation.

Admonition("Tip","If using a strict DROP policy as above, it is important to note that you may need two rules that complement each other in order for packets to flow out and back in again.")

Source Network Address Translation
Source Network Address Translation (SNAT) provides the ability to change the source or destination IP address of data packets on-the-fly, so that the packet appears as coming from or going to a different address than the original. This feature also works with port numbers.

There are many reasons to use SNAT:


 * It allows packets from a private (RFC1918) network to be globally routed on the Internet and vice versa.
 * It allows inbound traffic to be sent to different internal hosts (bastions) depending on the resources requested.
 * It does not disclose any security details of the internal private network.

The  firewall provides support for SNAT and has a built-in nat table for that purpose. The following table displays the nat tables and the three built-in chains associated with it:

As the naming suggests, the PREROUTING and POSTROUTING chains are applied before or after any kernel routing decisions are made, so the packets can then be routed to match any new changes which have been made to the destination or source addresses.

The following example explains how   and   tables work together. To populate the table with the set of rules, enter the following commands at the terminal line by line and press Enter after each line:

01- su -c '/sbin/iptables -P INPUT ACCEPT' 02- su -c '/sbin/iptables -P FORWARD DROP' 03- su -c '/sbin/iptables -P OUTPUT ACCEPT' 04- su -c '/sbin/iptables -A FORWARD -i eth1 -o ppp0 -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT' 05- su -c '/sbin/iptables -A FORWARD -i ppp0 -o eth1 -d 192.168.1.0/24 -p tcp --sport 80 -j ACCEPT' 06- su -c '/sbin/iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/24 -j SNAT --to-source 123.123.123.2' 07- su -c '/bin/echo 1 > /proc/sys/net/ipv4/ip_forward'

Admonition("Note","Do not type the numbers at the beginning of each line. Start the actual command with  - numbers are shown here to explain the process more clearly.")

To list the rules in both tables, run:

su -c '/sbin/iptables -t filter -nvL' ; su -c '/sbin/iptables -t nat -nvL'

The output is:

01- Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination

02- Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination 04-    0     0 ACCEPT     tcp  --  eth1   ppp0    192.168.1.0/24       0.0.0.0/0           tcp dpt:80 05-    0     0 ACCEPT     tcp  --  ppp0   eth1    0.0.0.0/0            192.168.1.0/24      tcp spt:80

03- Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination 06-    0     0 SNAT       all  --  *      ppp0    192.168.1.0/24       0.0.0.0/0           to:123.123.123.2

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination

Each command above corresponds to the line in the output preceded with the same number and the rules are set according to the following:

Lines 01-03:: The first three commands have now defined the global policies for the three built-in chains for the filter table. Firewall accepts everything that is classed as   or  , and for security it drops anything trying to pass through ( ) the SNAT unless it is explicitly allowed.

Lines 04-05:: The two forward rules are quite specific. Rule 04 says that any incoming packet on the eth1 interface from the source network of 192.168.1.0/24, that goes out through the ppp0 device is accepteded if its destination port is 80. Rule 05 is the matching rule allowing the packet to return back through the NAT.

Line 06:: This rule is responsible for re-writing of the source IP address. It is applied after the routing decisions have been made and the packet is on its way to the Internet. According to the rule, any outgoing packet through the ppp0 interface from the 192.168.1.0/24 network is re-written, so that the source IP address becomes 123.123.123.2. When the packet reaches the Internet web server, it can be processed normally and returned to 123.123.123.2 (the NAT device), where it will automatically be re-written again and sent back to the workstation on the private network, where the packet originated.

Line 07:: This command enables packet forwarding between local network interfaces.

IP Masquerading
IP masquerading is a form of NAT most commonly used for all interfaces with dynamically assigned IP address. Without the masquerading ability, firewall rules will have to be re-written every time the IP address changes. SNAT (static NAT) from the previous section, remembers, to a degree, the connection state information when the connection becomes inactive. Using masquerading, the connection state information is reset each time the interface is deactivated and subsequently reactivated. Masquerading automates SNAT for dynamic IP connections.

The following example explains masquerading. To populate the tables with the set of rules, enter the following commands at the terminal line by line and press Enter after each line:

01- su -c '/sbin/iptables -P INPUT ACCEPT' 02- su -c '/sbin/iptables -P FORWARD DROP' 03- su -c '/sbin/iptables -P OUTPUT ACCEPT' 04- su -c '/sbin/iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT' 05- su -c '/sbin/iptables -A FORWARD -i eth1 -o ppp0 -s 192.168.1.0/24 -j ACCEPT' 06- su -c '/sbin/iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/24 -j MASQUERADE' 07- su -c '/bin/echo 1 > /proc/sys/net/ipv4/ip_forward'

Admonition("Note","Do not type the numbers at the beginning of each line. Start the actual command with  - numbers are shown here to explain the process more clearly.")

To list the rules in both tables, run:

su -c '/sbin/iptables -t filter -nvL' ; su -c '/sbin/iptables -t nat -nvL'

The output is:

01- Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination

02- Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination 04-    0     0 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 05-    0     0 ACCEPT     tcp  --  eth1   ppp0    192.168.1.0/24       0.0.0.0/0

03- Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination 06-    0     0 MASQUERADE all  --  *      ppp0    192.168.1.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination

Each command above corresponds to the line in the output preceded with the same number and the rules are set according to the following:

Lines 01-03:: The first three commands define the global policies for the three built-in chains for the filter table. Firewall accepts everything that is classed as INPUT or OUTPUT, and it drops anything trying to pass through (FORWARD) the NAT unless explicitly allowed.

Line 04:: This rule handles connection state. According to the rule, any incoming packet through ppp0 interface must ( ) match a state, ie. must be in response to an already RELATED or ESTABLISHED connection. This rule denies any NEW connections to be initiated from the external network.

Line 05:: This rule allows packet forwarding of any incoming packets through the eth1 interface from the source network 192.168.1.0/24 to the ppp0 device. This rule allows internal workstations to create new connections, and matches rule 4 which allows the response packets to return.

Line 06:: This rule does the exact same as if it were a SNAT rule, however it will use the IP address that is currently assigned to the ppp0 interface when the packet passes through the NAT device. Any packets that now pass from the internal private network to the Internet will have their source address re-written as the external IP address of the NAT device.

Line 07:: This command enables packet forwarding between local network interfaces.

Admonition("Tip","Always use masquerading for dynamically assigned Internet interfaces.")

Admonition("Warning","Always specify an (-o) out interface parameter to make sure the masquerading rule works in one direction only!")

Destination NAT
Destination NAT deals with changing the destination address of any packets before they are subjected to any routing decisions. This allows specific packets to be re-written so they conform to a particular rule and can then be redirected, depending on the global policies and destinations required.

In its most typical application, DNAT is used to change the incoming packets that are destined for a particular service or host, and it rewrites the destination addresses, so the packets can pass to a different host located inside the private network, normally a DMZ.

When DNAT occurs, the original external host is not aware that the packets have been redirected and that the returning data is from a different host. This process is transparent to the originator.

The following example explains masquerading. To populate the tables with the set of rules, enter the following commands at the terminal line by line and press Enter after each line:

01- su -c '/sbin/iptables -P INPUT ACCEPT' 02- su -c '/sbin/iptables -P FORWARD DROP' 03- su -c '/sbin/iptables -P OUTPUT ACCEPT' 04- su -c '/sbin/iptables -A FORWARD -i eth1 -o ppp0 -s 192.168.1.0/24 -j ACCEPT' 05- su -c '/sbin/iptables -A FORWARD -i ppp0 -o eth1 -p tcp --dport 80 -j ACCEPT' 06- su -c '/sbin/iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80' 07- su -c '/bin/echo 1 > /proc/sys/net/ipv4/ip_forward'

Admonition("Note","Do not type the numbers at the beginning of each line. Start the actual command with  - numbers are shown here to explain the process more clearly.")

To list the rules in both tables, run:

su -c '/sbin/iptables -t filter -nvL' ; su -c '/sbin/iptables -t nat -nvL'

The output is:

01- 	Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination

02- Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination 04-    0     0 ACCEPT     all  --  eth1   ppp0    192.168.1.0/24       0.0.0.0/0 05-    0     0 ACCEPT     tcp  --  ppp0   eth1    0.0.0.0/0            192.168.1.0/24      tcp dpt:80

03- Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination 06-    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.1.2:80

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt in     out     source               destination

Each command above corresponds to the line in the output preceded with the same number and the rules are set according to the following:

Lines 01-03:: The first three commands define the global policies for the three built-in chains for the filter table. Firewall accepts everything that is classed as INPUT or OUTPUT, and it drops anything trying to pass through the NAT unless explicitly allowed.

Line 04-05:: The first FORWARD rule (04) allows any incoming packets through the eth1 interface, from the source network 192.168.1.0/24, going out through the ppp0 interface. The second FORWARD rule (05) allows any incoming TCP packets through the ppp0 interface if their destination port is 80.

Line 06:: This is a PREROUTING rule that forces any incoming TCP packets through the ppp0 interface with the destination port 80, to be re-written and routed to the host 192.168.1.2.

Line 07:: This command enables packet forwarding between local network interfaces.

DNAT declarations are reasonably easy because the destination header can be rewritten before the routing table is queried. Some important points to remember are:


 * DNAT can re write packets as they enter the Firewall (before routing).
 * If the new destination host is compromised, the Firewall host is not affected.
 * Do not DNAT a packet to another system that will DNAT it back (routing loops).
 * The "--to-destination" address does not have to be on the internal network.

Example Firewall Script
The following is an example firewall script which uses all of the concepts covered already in this chapter. It should therefore be relatively easy to understand, implement and maintain.

The firewall script  is designed to separate and secure the private network (eth1) from the Internet traffic (ppp0), while providing some flexibility for the internal network which is being masqueraded.


 * 1) !/bin/sh

EXT_DEV=ppp0 INT_DEV=eth1 INT_NET=192.168.1.0/24

modprobe ip_conntrack modprobe ip_conntrack_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -F iptables -X iptables -t nat -F iptables -t nat -X

iptables -P INPUT  DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP

iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

iptables -A INPUT  -p icmp --icmp-type any -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT

iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT

iptables -A OUTPUT -o $EXT_DEV -j ACCEPT iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT

iptables -t nat -A POSTROUTING -o $EXT_DEV -s $INT_NET -j MASQUERADE

iptables -A INPUT  -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT





iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 20 -j ACCEPT iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 21 -j ACCEPT

iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 22 -j ACCEPT

iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 25 -j ACCEPT iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 465 -j ACCEPT

iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 80 -j ACCEPT iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 443 -j ACCEPT

iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 636 -j ACCEPT

iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 993 -j ACCEPT





To run the script, save the text above as a file  and run:

su -c '/bin/sh /path/to/firewall.sh'

and apply changes to the firewall:

su -c '/sbin/service iptables save'

Restart the  service...:

su -c '/sbin/service iptables restart'

...and check the output:

su -c '/sbin/iptables -t filter -nvL' ; su -c '/sbin/iptables -t nat -nvL'

To automatically start the  service at boot time, firewall kernel modules that are needed must also be loaded at startup. To configure this, add the following to the  file:

IPTABLES_MODULES="ip_conntrack ip_conntrack_ftp"

To check whether all the necessary modules have loaded automatically, run:

su -c '/sbin/lsmod'

Related Websites

 * The official Netfilter web site