≡ Menu

Iptables

Introduction to Firewall Builder 4.0

This is an user contributed article.

This is the first article in the mini-series of two articles about Firewall Builder.

Systems administrators have a choice of modern Open Source and commercial firewall platforms at their disposal. They could use netfilter/iptables on Linux, PF, ipfilter, ipfw on OpenBSD and FreeBSD, Cisco ASA (PIX) and other commercial solutions. All these are powerful implementations with rich feature set and good performance. Unfortunately, managing security policy manually with all of these remains non-trivial task for several reasons. Even though the configuration language can be complex and overwhelming with its multitude of features and options, this is not the most difficult problem in my opinion. Administrator who manages netfilter/iptables, PF or Cisco firewall all the time quickly becomes an expert in their platform of choice. To do the job right, they need to understand internal path of the packet inside Linux or BSD kernel and its interaction with different parts of packet filtering engine. Things get significantly more difficult in the installations using different OS and platforms where the administrator needs to switch from netfilter/iptables to PF to Cisco routers and ASA to implement coordinated changes across multiple devices. This is where making changes get complicated and probability of human error increases. Unfortunately typos and more significant errors in firewall or router access list configurations lead to either service downtime or security problems, both expensive in terms of damage and time required to fix.
[click to continue…]

MAC Filtering (layer 2 address filtering) refers to a security access control methodology whereby the 48-bit address assigned to each network card is used to determine access to the network. Iptables, pf, and IPFW can block a certain MAC address on a network, just like an IP. One can deny or allow from MAC address like 00:1e:2a:47:42:8d using open source firewalls. MAC address filtering is often used to secure LAN or wireless network / devices. Is this technique effective?
[click to continue…]

Iptables provides the option to log both IP and TCP headers in a log file. This is useful to:
=> Detect Attacks

=> Analyze IP / TCP Headers

=> Troubleshoot Problems

=> Intrusion Detection

=> Iptables Log Analysis

=> Use 3rd party application such as PSAD (a tool to detect port scans and other suspicious traffic)

=> Use as education tool to understand TCP / IP header formats etc.

How do I turn on Logging IP Packet Header Options?

Add the following command to your iptables script beo:

iptables -A INPUT -j LOG --log-ip-options
iptables -A INPUT -j DROP

How do I turn on Logging TCP Packet Header Options?

Add the following command to your iptables script:

iptables -A INPUT -j LOG --log-tcp-options
iptables -A INPUT -j DROP

You may need to add additional filtering criteria such as source and destination ports/IP-address and other connection tracking features. To see IP / TCP header use tail -f or grep command:
# tail -f /var/log/messages

Recommended readings:

Y'day I got a chance to play with Squid and iptables. My job was simple : Setup Squid proxy as a transparent server.

Main benefit of setting transparent proxy is you do not have to setup up individual browsers to work with proxies.

My Setup:

i) System: HP dual Xeon CPU system with 8 GB RAM (good for squid).
ii) Eth0: IP:192.168.1.1
iii) Eth1: IP: 192.168.2.1 (192.168.2.0/24 network (around 150 windows XP systems))
iv) OS: Red Hat Enterprise Linux 4.0 (Following instruction should work with Debian and all other Linux distros)

Eth0 connected to internet and eth1 connected to local lan i.e. system act as router.
[click to continue…]

No Route to Host error and solution

I am getting error that read as No Route to Host. I am trying to ping my ISP gateway as well as DNS server but I am getting this error. How do I solve this problem?

This problem indicate networking conflicts or some sort of networking configuration problem.

Here are things to check:

Can you ping to your local router interface (such as 192.168.1.254)?

Make sure your card (eth0) is properly configured with correct IP address and router address. Use ifconfig command to configure IP address and route command to setup correct router address. If you prefer to use GUI tools:

  • redhat-config-network - Works on Red Hat and Fedora Linux/Cent OS.
  • network-admin - Debian and Other Linux distribution use this GUI too

Use above two GUI tools to setup correct IP address, DNS address and router address.

b) Make sure firewall is not blocking your access

iptables is default firewall on Linux. Run following command to see what iptables rules are setup:
# /sbin/iptables -L -n

You can temporary clear all iptables rules so that you can troubleshoot problem. If you are using Red Hat or Fedora Linux type command:
# /etc/init.d/iptables save
# /etc/init.d/iptables stop

If you are using other Linux distribution type following commands:
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X

c) Finally make sure you are using a router and not a proxy server. Proxy servers are good for Internet browsing but not for other work such as ftp, sending ICMP request and so on.

See also:

Iptables Restricting Access By Time Of The Day

Recently I was asked to control access to couple of services based upon day and time. For example ftp server should be only available from Monday to Friday between 9 AM to 6 PM only. It is true that many services and daemons have in built facility for day and time based access control. [click to continue…]

Iptables MAC Address Filtering

LAN or wireless access can be filtered by using the MAC addresses of the devices transmitting within your network. A mac address is acronym for media access control address, is a unique address assigned to almost all-networking hardware such as Ethernet cards, routers, mobile phones, wireless cards and so on (see mac address at wikipedia for more information). This quick tutorial explains how to block or deny access using MAC address using iptables - Linux administration tool for IPv4 packet filtering and NAT.
[click to continue…]