IPTables Tips and Tricks: More Than Just ACCEPT and DROP


Gary Smith, Pacific Northwest National Laboratory. 4/21/2017

A Little Context
The Five Golden Principles of Security:
- Know your system
- Principle of Least Privilege
- Defense in Depth
- Protection is key, but detection is a must.
- Know your enemy.

Avoiding Locking Yourself Out
Scenario: You are going to make changes to the IPTables policy rules. You want to avoid locking yourself, and potentially everybody else, out too (this costs time and money).
Tip #1: Take a backup of your IPTables configuration before you ever start working on it.
    /sbin/iptables-save > /root/iptables-works
Even better, include a timestamp as part of the file name:
    /sbin/iptables-save > /root/iptables-works-`date +%F`
You get a file with a name like /root/iptables-works-2014-04-14. If you do something that prevents your system from working, you can quickly restore it:
    /sbin/iptables-restore < /root/iptables-works-2014-04-14
iptables-restore replaces the entire live ruleset with the saved one, so take the backup from a policy you know is good, not from one that is half-edited.

Avoiding Locking Yourself Out (2)
Tip #2: Every time you create a backup copy of the IPTables policy, create a link to the file with 'latest' as part of the name (-f and -n let the link be replaced on the next run instead of failing because it already exists):
    ln -sfn /root/iptables-works-`date +%F` /root/iptables-works-latest
Create a cron script that reloads your 'latest' working saved policy every 5 minutes during testing. If a change cuts you off, the next reload lets you back in. Re-run the backup whenever a change proves good, or the reload will roll that change back as well, and remove the cron entry when the work is finished.
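The backup, 'latest' link and timed reload from Tips #1 and #2 as one script, added here as an example (it is not code from the slides). It assumes the /root paths and the /sbin/iptables-save and /sbin/iptables-restore commands shown above; the reader and writer callables are there so the bookkeeping can be exercised without touching a live firewall. Instead of a cron job that reloads every five minutes, it uses a commit-confirm timer: the known-good policy is restored after a delay unless you disarm the timer from a fresh login.

```python
"""Added example (not from Gary Smith's slides): dated backup, 'latest'
symlink and a commit-confirm rollback timer for iptables policy edits.
Paths under /root and the /sbin/iptables-* commands are assumptions."""
import os
import subprocess
import threading
from datetime import date

BACKUP_DIR = "/root"                       # assumed, as on the slides
SAVE_CMD = ["/sbin/iptables-save"]
RESTORE_CMD = ["/sbin/iptables-restore"]


def current_ruleset():
    """Default reader: the live policy in iptables-save format."""
    return subprocess.check_output(SAVE_CMD, text=True)


def restore_ruleset(text):
    """Default writer: feed a saved policy back to iptables-restore."""
    subprocess.run(RESTORE_CMD, input=text, text=True, check=True)


def backup_path(backup_dir=BACKUP_DIR, day=None):
    """/root/iptables-works-YYYY-MM-DD, the naming used on the slides."""
    return os.path.join(backup_dir, f"iptables-works-{(day or date.today()).isoformat()}")


def save_known_good(backup_dir=BACKUP_DIR, reader=current_ruleset, day=None):
    """Tip #1 + #2: write a dated copy and repoint iptables-works-latest at it.
    The link is swapped with os.replace so there is never a missing 'latest'."""
    path = backup_path(backup_dir, day)
    with open(path, "w") as fh:
        fh.write(reader())
    latest = os.path.join(backup_dir, "iptables-works-latest")
    tmp = latest + ".tmp"
    if os.path.lexists(tmp):
        os.unlink(tmp)
    os.symlink(path, tmp)
    os.replace(tmp, latest)
    return path


class RollbackTimer:
    """Commit-confirm safety net: unless disarm() is called within `delay`
    seconds (because a fresh login still works), the 'latest' policy is
    restored. A replacement for, or companion to, the 5-minute cron reload."""

    def __init__(self, delay, backup_dir=BACKUP_DIR, writer=restore_ruleset):
        self.latest = os.path.join(backup_dir, "iptables-works-latest")
        self.writer = writer
        self.fired = False
        self._timer = threading.Timer(delay, self._rollback)

    def _rollback(self):
        with open(self.latest) as fh:
            self.writer(fh.read())
        self.fired = True

    def arm(self):
        self._timer.daemon = True
        self._timer.start()
        return self

    def disarm(self):
        """Cancel the pending restore; returns False if it already ran."""
        self._timer.cancel()
        return not self.fired


if __name__ == "__main__":
    # Typical session: snapshot, arm a 5-minute rollback, edit rules, then
    # disarm only after a new SSH login to the box has succeeded.
    save_known_good()
    watchdog = RollbackTimer(300).arm()
    input("Edit the policy, confirm you can still log in, then press Enter: ")
    print("rollback cancelled" if watchdog.disarm() else "policy was already restored")
```

Run it as root before editing; if the edit locks you out, the timer restores the last saved policy and the session that was armed can be reopened once the delay has passed.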

Avoiding Locking Yourself Out (3)
Tip #3: Have an IPMI/KVM console ready and waiting. If you're working on a physical server, connect to the IPMI port on the server and log in through it. If you're working on a VM, start up a console session on the VM and log into the VM. The console does not pass through the host's own network stack, so no INPUT rule can lock it out.

Avoiding Locking Yourself Out (4)
Tip #4: Put specific rules at the top of the policy and generic rules at the bottom. The more criteria you specify in the rule, the less chance you have of locking yourself out:
    iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -d 192.168.100.101 -j DROP
Avoid generic rules like this at the top of the policy:
    iptables -A INPUT -p tcp --dport 22 -j DROP
There are plenty of ways to be more specific. For example, "-i eth0" limits the rule to a single NIC in your server, so it will not apply to traffic arriving on eth1.

Avoiding Locking Yourself Out (5)
Tip #5: Whitelist your IP address at the top of your policy rules. This is a very effective method of not getting locked out. Everybody else, not so much.
    iptables -I INPUT -s <your IP> -j ACCEPT
You need to put this as the FIRST rule in order for it to work properly. Remember, "-I" inserts at the top of the chain (position 1 unless you give another number); "-A" appends to the end of the list. Take the rule out again when the work is done: a standing ACCEPT for one address bypasses every check below it, and a source address is not an authenticated identity.

Avoiding Locking Yourself Out (6)
Tip #6: Know and understand all of the rules in your current policy. Not making the mistake in the first place is half the battle. If you understand the inner workings of your IPTables policy, it will make your life easier. Draw a flow chart if you must. Also remember: what the policy does and what it is supposed to do can be two different things.

Setting Up a Workstation Firewall Policy
Scenario: You want to set up a workstation with a restrictive firewall policy.
Tip #1: Set the default policy to DROP.
Tip #2: Allow only the minimum set of services needed to let the user get work done.
The rules on this and the next three slides form one file in iptables-save format, loaded with iptables-restore:
# Set a default policy of DROP
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

Setting Up a Workstation Firewall Policy (2)
# Accept any related or established connections (first in both chains, so replies are matched before any service rule is consulted)
-I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow all traffic on the loopback interface
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow outbound DHCP requests (client port 68 to server port 67; the range covers both)
-A OUTPUT -o eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT

Setting Up a Workstation Firewall Policy (3)
# Allow inbound SSH
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow outbound email (OUTPUT chain with -o; the same rule on INPUT with -i would instead accept inbound SMTP)
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
# Outbound DNS lookups (UDP only; resolvers fall back to TCP 53 for large answers, so add a matching -p tcp rule if those fail)
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
# Outbound PING requests
-A OUTPUT -o eth0 -p icmp -j ACCEPT
# Outbound Network Time Protocol (NTP) requests (ntpd sends from port 123; a client that uses an ephemeral source port needs the --sport match dropped)
-A OUTPUT -o eth0 -p udp --dport 123 --sport 123 -j ACCEPT

Setting Up a Workstation Firewall Policy (4)
# Outbound HTTP and HTTPS
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
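A small linter for iptables-save output that checks a saved workstation policy against the advice above (default DROP, RELATED,ESTABLISHED first, loopback open, only the intended inbound services), added here as an example and not code from the slides. It also serves Tip #6: a script that reads every rule is one way to know what the policy actually does. The sample ruleset is constructed, the allow-list of inbound ports is an assumption, and the parser only understands the *filter table and the plain "-opt value" option form (no multiport, no negation).

```python
"""Added example, not from the slides: lint an iptables-save ruleset for
the workstation-policy properties described on the slides."""
import shlex

# Constructed sample in iptables-save format. The inbound tcp/25 rule is the
# kind of slip the linter is for: the comment says outbound mail, but the
# rule sits on INPUT.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow outbound email
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

ALLOWED_INBOUND_TCP = {"22"}   # assumption: what this workstation may expose


def parse_ruleset(text):
    """Return (policies, rules) for the *filter table.
    policies: {chain: default policy}
    rules:    {chain: [{"opts": {...}, "target": ...}, ...]} in final order;
              -I is honoured by inserting at its position (default 1).
    A leading '!' (negation) is ignored, a simplification."""
    policies, rules, table = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        if table != "filter":
            continue
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
            continue
        tok = shlex.split(line)
        cmd, chain, rest = tok[0], tok[1], tok[2:]
        pos = None
        if cmd == "-I":
            pos = int(rest.pop(0)) - 1 if rest and rest[0].isdigit() else 0
        opts, target, i = {}, None, 0
        while i < len(rest):
            t = rest[i]
            if t == "!":
                i += 1
            elif t == "-j":
                target, i = rest[i + 1], i + 2
            elif i + 1 < len(rest) and not rest[i + 1].startswith("-"):
                opts[t.lstrip("-")], i = rest[i + 1], i + 2
            else:                       # bare flag such as --syn
                opts[t.lstrip("-")], i = True, i + 1
        rule = {"opts": opts, "target": target}
        chain_rules = rules.setdefault(chain, [])
        if pos is None:
            chain_rules.append(rule)
        else:
            chain_rules.insert(pos, rule)
    return policies, rules


def check_policy(policies, rules, allowed_inbound_tcp=ALLOWED_INBOUND_TCP):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain}: default policy is {policies.get(chain)}, expected DROP")
    for chain in ("INPUT", "OUTPUT"):
        first = (rules.get(chain) or [{"opts": {}, "target": None}])[0]
        states = set(str(first["opts"].get("state", "")).split(","))
        if first["target"] != "ACCEPT" or not {"RELATED", "ESTABLISHED"} <= states:
            findings.append(f"{chain}: first rule does not accept RELATED,ESTABLISHED")
    for chain, iface in (("INPUT", "i"), ("OUTPUT", "o")):
        if not any(r["opts"].get(iface) == "lo" and r["target"] == "ACCEPT"
                   for r in rules.get(chain, [])):
            findings.append(f"{chain}: loopback traffic is not accepted")
    for r in rules.get("INPUT", []):
        o = r["opts"]
        if r["target"] != "ACCEPT" or "dport" not in o:
            continue
        if o.get("p") == "tcp" and o["dport"] not in allowed_inbound_tcp:
            findings.append(f"INPUT: accepts inbound tcp/{o['dport']}, which is not in "
                            "the allow-list (wrong chain or unintended service?)")
        if o["dport"] == "22" and "s" not in o:
            findings.append("INPUT: SSH is accepted from any source; add -s to restrict it")
    return findings


if __name__ == "__main__":
    for finding in check_policy(*parse_ruleset(SAMPLE_RULESET)):
        print(finding)
```

Pipe `iptables-save` into it before loading a new policy; the two findings on the constructed sample (inbound tcp/25 and unrestricted SSH) are exactly what the slides warn about.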

Restricting an IP Address Range
Scenario: Your employees are spending too much time on Facebook and not getting their work done. You want to block access to Facebook.
Tip: Use this process to block access to Facebook. Find the IP addresses behind facebook.com:
    host -t a www.facebook.com
    www.facebook.com is an alias for star.c10r.facebook.com.
    star.c10r.facebook.com has address 31.13.65.17
    whois 31.13.65.17 | grep inetnum
    inetnum: 31.13.64.0 - 31.13.127.255
A single lookup returns only the address your resolver is steered to; a large site answers from several ranges, so repeat the lookup from the networks you are filtering and block every range you find.

Restricting an IP Address Range (2)
Convert that range to CIDR notation (http://www.ipaddressguide.com/cidr) and you get 31.13.64.0/18. To prevent outgoing access to www.facebook.com through a gateway with eth0 on the inside and eth1 on the outside, do
    iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 31.13.64.0/18 -j DROP
The rule belongs in FORWARD, not OUTPUT: "-i" is only accepted on chains that see arriving packets (INPUT, FORWARD, PREROUTING), and the employees' traffic crosses the gateway rather than originating on it. This covers IPv4 only; if the site is reachable over IPv6 the same block is needed in ip6tables.
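The range-to-CIDR step done with the Python standard library instead of a web converter, plus the matching FORWARD rules, added as an example (not code from the slides). It goes one step further than the slide's single aligned range: a range that does not line up with a power-of-two boundary is split into the minimal set of blocks. The whois text is a constructed sample built from the lines shown above, and the gateway interfaces eth0 (inside) and eth1 (outside) are assumptions.

```python
"""Added example, not from the slides: whois inetnum range -> CIDR blocks
-> iptables FORWARD rules, entirely offline."""
import ipaddress
import re

# Constructed sample: the inetnum line from the slide plus a netname line.
WHOIS_SAMPLE = """\
inetnum:        31.13.64.0 - 31.13.127.255
netname:        EXAMPLE-NET
"""


def parse_inetnum(whois_text):
    """Return (first, last) addresses from the 'inetnum:' line of whois output."""
    m = re.search(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", whois_text, re.M)
    if not m:
        raise ValueError("no inetnum line in whois output")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def range_to_cidrs(first, last):
    """Minimal list of CIDR networks covering first..last inclusive.
    31.13.64.0-31.13.127.255 is one /18; an unaligned range needs several."""
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def block_rules(cidrs, in_if="eth0", out_if="eth1", chain="FORWARD"):
    """iptables commands dropping LAN-to-WAN TCP traffic to each block.
    FORWARD rather than OUTPUT, because -i is only valid on chains that
    see arriving packets and the traffic transits the gateway."""
    return [f"iptables -A {chain} -p tcp -i {in_if} -o {out_if} -d {c} -j DROP"
            for c in cidrs]


if __name__ == "__main__":
    first, last = parse_inetnum(WHOIS_SAMPLE)
    for rule in block_rules(range_to_cidrs(first, last)):
        print(rule)
```

Feed it the real `whois` output for each address the lookups return; every inetnum becomes one or more rules, and the list is short enough to review before it is applied.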

Regulating by Time
Scenario: The backlash from your employees over denying access to Facebook causes you to relent (a little). You decide to allow access to facebook.com only at lunch time (12:00 to 13:00).
Tip: Use the time features of IPTables to open up the access.
    iptables -I FORWARD -p tcp -m multiport --dports http,https -i eth0 -o eth1 -m time --timestart 12:00 --timestop 13:00 -d 31.13.64.0/18 -j ACCEPT
This presumes a default policy of DROP. Insert the rule (-I) above the DROP rule from the previous section, or delete that rule; an ACCEPT appended after a matching DROP is never reached. Note that -m time compares against UTC unless you add --kerneltz, so a 12:00 local lunch window must otherwise be converted.

Regulating by Time (2)
Scenario: Drop all TCP/UDP traffic during service hours (between 02:00 and 03:00), that is, for maintenance tasks which should not be disrupted by incoming traffic.
    iptables -A INPUT -p tcp -m time --timestart 02:00 --timestop 03:00 -j DROP
    iptables -A INPUT -p udp -m time --timestart 02:00 --timestop 03:00 -j DROP
Keep these below the RELATED,ESTABLISHED rule and your management whitelist (Tip #5), or they will also cut off the SSH session the maintenance is being done from. The same UTC caveat applies.

Limiting Connections with IPTables
Scenario: You suspect a bad actor is attempting to DoS your webserver.
Tip #1: You can restrict the number of simultaneous connections a single IP address can have to your webserver.
    iptables -A INPUT -p tcp --syn -m multiport --dports 80,443 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
connlimit counts parallel connections, not a rate, and groups them per source address by default (--connlimit-mask 32). Users behind one NAT address share that budget, so set the limit, or the mask, with that in mind.

Limiting Connections with IPTables (2)
Tip #2: You can drop incoming connections if an IP address makes 10 or more new connections to port 80/443 within 100 seconds.
    iptables -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -m recent --set
    iptables -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -m recent --update --seconds 100 --hitcount 10 -j DROP
The first rule records every new connection in the default recent list; the second matches once a source has --hitcount entries inside the --seconds window. Give the list a --name if recent is used elsewhere in the policy, and note that --hitcount cannot exceed the xt_recent module's ip_pkt_list_tot (20 by default) without changing that module parameter.
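An offline model of the `--set` / `--update --seconds --hitcount` pair above, added as an example so a threshold can be tuned against a connection log before it goes into the live policy (this is not code from the slides, and it is a model of xt_recent's matching, not the module itself). The sample events are constructed; the per-source history length follows xt_recent's default ip_pkt_list_tot of 20.

```python
"""Added example, not from the slides: simulate the -m recent --set /
--update --seconds S --hitcount H rule pair over a list of connections."""
from collections import defaultdict, deque

PKT_LIST_TOT = 20   # xt_recent default: timestamps remembered per source


class RecentTable:
    """Per-source timestamp history with xt_recent's matching rules."""

    def __init__(self, seconds, hitcount, pkt_list_tot=PKT_LIST_TOT):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, src, now):
        """--set: record this packet (the oldest stamp is evicted when full)."""
        self.stamps[src].append(now)

    def update(self, src, now):
        """--update --seconds S --hitcount H: True when src has H or more
        stamps within the last S seconds. On a match the current packet is
        recorded as well, as the kernel does for --update."""
        hist = self.stamps.get(src)
        if not hist:
            return False
        hits = sum(1 for t in hist if now - t <= self.seconds)
        if hits >= self.hitcount:
            hist.append(now)
            return True
        return False


def simulate(events, seconds=100, hitcount=10):
    """events: (time_in_seconds, src) for each NEW connection, in arrival
    order. Returns the events the two-rule pair would DROP."""
    table = RecentTable(seconds, hitcount)
    dropped = []
    for now, src in events:
        table.set(src, now)               # -m recent --set
        if table.update(src, now):        # -m recent --update ... -j DROP
            dropped.append((now, src))
    return dropped


# Constructed sample: 198.51.100.7 opens 12 connections one second apart,
# 203.0.113.5 opens 5 connections 30 s apart, and the burster comes back
# after a 200 s pause (and is allowed again, because its earlier stamps
# have aged out of the window).
SAMPLE_EVENTS = sorted(
    [(t, "198.51.100.7") for t in range(12)]
    + [(t * 30, "203.0.113.5") for t in range(5)]
    + [(211, "198.51.100.7")]
)

if __name__ == "__main__":
    for when, src in simulate(SAMPLE_EVENTS):
        print(f"t={when:4d}s  {src}  DROP")
```

On the sample, the tenth, eleventh and twelfth connections from the bursting source are dropped, the well-spaced client is never touched, and raising --hitcount to 13 lets the burst through entirely; replace SAMPLE_EVENTS with timestamps parsed from your own web logs to see what a given pair of values would have done.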

Monitoring IPTables
Scenario: You would like to monitor what's going on with IPTables in real time, sort of like with "top".
Tip #1: Issue this command as root:
    watch --interval=5 'iptables -nvL | grep -v "0 0"'
Note: the spacing in the grep pattern is important, because iptables pads the pkts and bytes columns; a pattern that tolerates the padding, such as grep -vE "^\s*0\s+0\s", hides every zero-counter rule regardless of column width. The result looks like this:

Monitoring IPTables (2) [screenshot of the watch output]

Monitoring IPTables (3)
Tip #2: Use this Perl script from perlmonks.org: http://www.perlmonks.org/?node_id=513732. It gives a more comprehensive display.

Monitoring IPTables (4) [screenshot of the Perl script's display]
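A parser for `iptables -nvxL` output that diffs two snapshots and reports which rules, and which default policies, counted packets in between. It is added here as an example (not code from the slides or from the perlmonks script) of the per-interval view a top-style monitor needs, which `grep -v "0 0"` only approximates with cumulative counters. Both snapshots are constructed samples; -x is assumed so the counters carry no K/M suffixes.

```python
"""Added example, not from the slides: per-rule packet deltas between two
iptables -nvxL snapshots, default-policy counters included."""
import re

CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, (\d+) bytes|(\d+) references)\)")

# Constructed snapshots, a few seconds apart, of a small workstation policy.
SNAP_T0 = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1000      98000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0          0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      42       2520 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 3 packets, 180 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     900      81000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
"""

# Second snapshot: 28 more packets hit INPUT's DROP policy, replies and
# SSH connections were seen, nothing changed on FORWARD.
SNAP_T1 = (SNAP_T0
           .replace("policy DROP 12 packets, 720 bytes", "policy DROP 40 packets, 2400 bytes")
           .replace("    1000      98000", "    1250     122500")
           .replace("      42       2520", "      47       2820")
           .replace("     900      81000", "    1100      99000"))


def parse_nvxl(text):
    """Return {chain: [(pkts, bytes, label), ...]}. Entry 0 is the chain's
    default policy (or a user chain's reference count); entries 1.. are the
    rules in chain order, so the index equals the rule number."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            if m.group(2):
                chains[current] = [(int(m.group(3)), int(m.group(4)), f"policy {m.group(2)}")]
            else:
                chains[current] = [(0, 0, f"user chain, {m.group(5)} references")]
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        pkts, byts, rule = line.split(None, 2)
        chains[current].append((int(pkts), int(byts), rule.strip()))
    return chains


def deltas(before, after):
    """Packet-count increases between two snapshots of the same policy, as
    (chain, rule_no, delta, label); unchanged entries are omitted. Entries
    are matched by position, so do not edit rules between snapshots."""
    out = []
    for chain, entries in after.items():
        prev = before.get(chain, [])
        for i, (pkts, _b, label) in enumerate(entries):
            prev_pkts = prev[i][0] if i < len(prev) else 0
            if pkts != prev_pkts:
                out.append((chain, i, pkts - prev_pkts, label))
    return out


if __name__ == "__main__":
    for chain, num, delta, label in deltas(parse_nvxl(SNAP_T0), parse_nvxl(SNAP_T1)):
        print(f"{chain:8} #{num:<2} +{delta:6d}  {label}")
```

Rule number 0 is the default policy, so a growing delta there is the first sign of traffic the policy is silently dropping; the same parser works on the output of `iptables -nvxL` captured by a cron job, which is the data a daily report (next section) is built from.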

Reporting on IPTables
Scenario: You (your boss) think(s) this dynamic stuff is just great, but a daily activity report would also be great.
Tip: Use FWReport (http://fwreport.sourceforge.net/). FWReport is a log parser and reporting tool for IPTables. It generates daily and monthly summaries of the log files, allowing the security administrator to free up substantial time, maintain better control over security of the network, and reduce unnoticed attacks.

Reporting on IPTables (2) [screenshot of an FWReport summary]

Visualizing IPTables Log Files
Scenario: It's almost time for the monthly operations review and you would like to have a really great graphical representation of the activity on the firewall for the past month.
Tip: There is an excellent tutorial on how to use psad, afterglow, and graphviz to visualize the activity in your IPTables firewall logs (http://lintut.com/use-afterglow-to-visualize-iptables-logs-on-centos-rhel-fedora/). Here are some examples:

Visualizing IPTables Firewall Input [afterglow graph of inbound activity]

Visualizing IPTables Firewall Output [afterglow graph of outbound activity]

In Conclusion…
We've covered many facets of IPTables, all the way from making sure you don't lock yourself out when working with IPTables, to monitoring IPTables, to visualizing the activity of an IPTables firewall. These are just some of the tips and tricks that exist for IPTables. They will get you started down the path to discovering even more. There REALLY is more to IPTables than just ACCEPT and DROP.

References
- Convert an address range to CIDR: http://www.ipaddressguide.com/cidr
- Real-time IPTables Monitor: http://www.perlmonks.org/?node_id=513732
- FWReport: http://fwreport.sourceforge.net/
- Using Afterglow to Visualize IPTables Logs: http://lintut.com/use-afterglow-to-visualize-iptables-logs-on-centos-rhel-fedora/
- IPTables: http://www.netfilter.org/

Questions?
Gary Smith, Information System Security Officer, Molecular Science Computing, Pacific Northwest National Laboratory, Richland, WA. gary.smith@pnnl.gov