IPTABLES
Firewalls are an important tool for protecting your servers and infrastructure. In the Linux ecosystem, iptables is a widely used firewall tool that interacts with the kernel’s netfilter packet filtering framework. We are going to learn how to add or modify the firewall rules on a particular system using iptables, but remember that iptables isn’t just a firewall responsible for filtering traffic on a system or a network: it also deals with important aspects of networking such as routing packets (just like an actual router does) and network address translation, and it has the ability to modify packets.
So in simple words, netfilter is the firewall framework in Linux and iptables is the utility used to manage and control netfilter. And as I said, iptables isn’t just used for setting up firewall rules; it also deals with NAT, routing, port redirection and so on.
Firstly we need a brief understanding of the structure of iptables (Fig : 1.0).
Fig : 1.0
Each table is a collection of chains that serves a particular function, and in Fig : 1.0 we can see that there are three tables:
- FILTER TABLE
- NAT TABLE
- MANGLE TABLE
Each table is designed for a particular purpose.
FILTER TABLE :
As the name suggests, the filter table is responsible for filtering incoming and outgoing traffic. In simple words, it helps us decide whether a packet should be allowed to reach its intended destination or be blocked, and this is the table we are going to have fun with.
NAT TABLE :
The network address translation table helps us modify a packet’s source or destination address. You will understand it well if you know the network address translation done by a router: it replaces the private IP of an end device on its local area network with its own public IP to make the packet routable.
MANGLE TABLE :
This table lets us alter IP packet headers. For instance, we can change the TTL (time-to-live) value of a packet.
So, as said, we are only going to discuss the FILTER TABLE.
Now, as you can see, there are different types of CHAINS in each table. They can be seen as tags that define and match packets by their state; they allow us to develop classes of firewall rules to which you may then add and remove hosts or networks.
For instance, within the filter table we have the INPUT, OUTPUT and FORWARD chains, and each of them is responsible for processing packets based on their type.
Fig : 1.1
In Fig : 1.1, let’s say that we are using the Linux server on the left side.
Packets sent into the Linux server from the client machine are managed by the INPUT CHAIN, whereas packets sent out of the Linux server are taken care of by the OUTPUT CHAIN.
Packets that are sent to another destination using your computer as a proxy are managed by the FORWARD CHAIN. Refer to Fig : 1.2.
Fig : 1.2
As of now we are only interested in the INPUT and OUTPUT CHAINS, which basically means incoming and outgoing traffic.
So when we want to block incoming traffic we change the INPUT CHAIN, and if we want to block outgoing traffic we change the OUTPUT CHAIN.
Every rule we add to a CHAIN is checked sequentially from top to bottom. If a rule matching the packet is found, no further comparison is done and that rule is applied to the packet.
Note : within Debian-based distributions the default firewall installed is ufw (Uncomplicated Firewall), and if you are on CentOS the default firewall is firewalld. So it is recommended that you uninstall these services when you use iptables, as they might interfere with each other.
Enough with the theory, let’s dive in!!
Throughout the blog, consider 192.168.0.105 as bob, which is actually a Kali Linux machine, and 192.168.0.117 as alice, which is actually a Xubuntu machine.
To list all the CHAINS in FILTER TABLE :
Command :
sudo iptables -L
Fig : 1.3
By default the FILTER TABLE is selected, so the CHAINS of the FILTER TABLE are displayed and not those of the NAT or MANGLE TABLE. In Fig : 1.3 you can see the three CHAINS INPUT, OUTPUT and FORWARD. You can select a table specifically using the -t option.
For instance to list the CHAINS of the NAT TABLE:
sudo iptables -t nat -L
Fig : 1.4
To add a rule to the INPUT CHAIN of the FILTER TABLE on the alice machine that blocks all incoming connections from bob:
sudo iptables -I INPUT -s 192.168.0.105 -j DROP
Flag : meaning
-I INPUT : insert into INPUT CHAIN
-s 192.168.0.105 : specifies the source IP address, which is the IP address of bob
-j : indicates the target
Different types of targets available are :
DROP : just drops the packet from reaching the destination without sending any feedback to the sender of the packet
ACCEPT : lets the packet reach the destination by accepting it
REJECT : the same as DROP, but this sends feedback to the sender of the packet saying the destination is unreachable
Fig : 1.5
Tip : by using the -n option you can have IP addresses displayed instead of hostnames.
Specifying the CHAIN you want to add the rule into is mandatory, whereas the remaining parameters aren’t. This works as follows:
- Not specifying a source IP in the command matches any source IP.
- Not specifying a target in the command makes the machine fall back to the policy (explained later in the blog).
- Not specifying a destination IP in the command matches any destination IP.
- The same goes for the destination port, protocol and so on.
For instance :
In Fig : 1.5 we can see the target set to DROP, the prot column (protocol) set to all, the source set to the IP address mentioned, and the destination not mentioned, so it matches all. This literally means: block any packet with 192.168.0.105 as its source IP, with any destination IP and any protocol, because those parameters are not mentioned in the command.
It is also possible to block an entire subnet, or to accept connections only from a particular subnet:
To block a particular subnet :
sudo iptables -I INPUT -s 192.168.0.0/24 -j DROP
Fig : 1.6
In Fig : 1.6 we can see the rule added to the INPUT CHAIN of the FILTER TABLE.
To block ssh connections to alice from bob :
sudo iptables -I INPUT -p tcp --syn -s 192.168.0.105 -d 192.168.0.117 --dport 22 -j DROP
Fig : the listing after adding the rule (iptables -L)
Tip : you can also specify a range of destination ports: --dport 80:90
--dport : specifies the destination port
-p : specifies the protocol
--syn : lets iptables match TCP SYN packets, that is, the packets that open a connection.
In a nutshell, we want to match a TCP SYN packet with source IP 192.168.0.105 (bob) and destination IP 192.168.0.117 (alice) with the destination port set to 22; if it matches, DROP the packet.
Now if you try to connect to alice from bob’s machine through SSH you will just keep trying: you will neither be connected nor shown any feedback or error, just a blank screen trying to connect until you terminate it or it times out.
Fig : 1.7
In Fig : 1.7 you can see there is no feedback and we are simply sending TCP SYN packets again and again.
But if instead you set the action taken against the matched packet to REJECT, you will be given feedback in response. In simple words, the target is set to REJECT, and now when you try to connect to alice from bob via SSH you will see something like “ssh: connect to host 192.168.0.117 port 22: Connection refused”, because feedback is sent in response to the connection packet bob sent to alice.
command :
sudo iptables -I INPUT -p tcp --syn -s 192.168.0.105 -d 192.168.0.117 --dport 22 -j REJECT
Fig : 1.8
Wireshark analysis when the target is set to DROP :
Fig : 1.9
Wireshark analysis when the target is set to REJECT :
Fig : 2.0
In Fig : 2.0 you can see the ICMP destination port unreachable message sent from alice in response to the TCP SYN packet sent by bob.
Now, if a packet arrives that doesn’t match any of the rules present in the CHAIN, is it ACCEPTed by default? For instance, let’s say we want to ping the alice machine from bob’s machine, which means ICMP packets are sent, and as of now there is no rule added to block ICMP packets in the INPUT CHAIN of the FILTER TABLE. So is the packet always going to be accepted? The answer is both no and yes.
To understand this we need to know about the policy (Fig : 2.1).
Fig : 2.1
Every CHAIN has a policy. In Fig : 2.1 you can see the policy set to ACCEPT. If a packet doesn’t match any of the rules in a chain, what happens to it depends entirely on the policy. If the policy is set to DROP, packets that don’t match any rule in the CHAIN are dropped, and the same goes for the other targets. By default the policy is set to ACCEPT, and this is why I said yes and no: the packet is not always going to be accepted, as it depends on the policy.
So to change the policy to DROP :
sudo iptables --policy INPUT DROP
Fig : 2.2
In Fig : 2.2 you can see that the policy has changed to DROP, and now any packet that doesn’t match a rule is just dropped. However, it is recommended to keep your policy at ACCEPT and DROP or REJECT only the packets you want to. I am setting it back to ACCEPT for explanation purposes.
To clear or flush all the rules in iptables:
sudo iptables -F
Fig : 2.3
In Fig : 2.3 we can see the list is now cleared. Isn’t this so satisfying!!
At least for me it is 😁
Did you observe that every time we insert a new rule it is always inserted at the first position, and the remaining rules are shifted down accordingly? But can we add our rules at the end? Absolutely! Can we replace an existing rule with a new rule instead of inserting it at the top or bottom? You know what, life’s too short to be saying no. But what’s the point of where the rule is added? Why were all these facilities created by humans? Thanos is correct.
But no, this is very important to know; believe me, you will soon realize why.
First, let’s start an Apache web server on alice (192.168.0.117) using the command:
sudo systemctl start apache2
Let’s say we want to add a rule to reject all HTTP connections to alice from any machine.
sudo iptables -I INPUT -p tcp --syn --dport 80 -j REJECT
And now append a rule at the end to accept HTTP connections if they come from bob.
sudo iptables -A INPUT -p tcp --syn -s 192.168.0.105 --dport 80 -j ACCEPT
Fig : 2.4
In Fig : 2.4 you can view the list of the current rules and their order.
Now let’s try to connect to alice’s web server from bob.
Fig : 2.5
In Fig : 2.5 we can see that we are not able to get the web pages. Why is that so, even though we have given permission explicitly? Well, this is why the order of the rules is very important. Let me explain. I have already mentioned the reason in the blog, but you might not have noticed it: whenever a packet is sent to a machine, the attributes of the packet are checked against the rules in order, and that’s exactly the case here as well. When bob sends a TCP SYN packet to destination port 80, the machine checks it against the rules and the first rule matches it. As the first rule matches, the second rule is not checked, so the packet is rejected and bob is not able to get the web pages even though permission was granted.
Now let’s delete the second rule and insert it at the top.
Here we can easily say that the rule we want to delete is at the second position, but what if there are many rules and we want to delete something in the middle? Should we count the position of the rule?
Nope.
We can number the rules and display them using the command:
sudo iptables -L --line-numbers
Fig : 2.6
In Fig : 2.6 we can see that the rule we want to delete is at position 2.
To delete a rule :
sudo iptables -D INPUT 2
Now let’s add the same rule, but this time we insert it at the top.
sudo iptables -I INPUT -p tcp --syn -s 192.168.0.105 --dport 80 -j ACCEPT
Fig : 2.7
In Fig : 2.7 we can see that we are successfully able to connect from bob, but no other machine will be accepted by alice. And this is how the order of the rules really plays an important role.
Now let’s play with TCP flags, shall we?
The --tcp-flags match option accepts two parameters. The first parameter is called the mask and lists the flags to be examined in the packet; the second parameter lists the flags that must be set for the packet to match (the other flags in the mask must be unset).
The possible flags are:
- ACK
- FIN
- PSH
- RST
- SYN
- URG
- ALL
- NONE
Didn’t make any sense? Well, even I wouldn’t understand if I were you, so let me give an example rule to make sense of it:
sudo iptables -I INPUT -p tcp --tcp-flags ALL SYN -s 192.168.0.105 -d 192.168.0.117 --dport 80 -j DROP
This only matches TCP packets that have the SYN flag set and ACK, FIN, PSH, RST and URG unset.
sudo iptables -I INPUT -p tcp --tcp-flags SYN,ACK SYN -s 192.168.0.105 -d 192.168.0.117 --dport 80 -j DROP
This only matches TCP packets that have the SYN flag set and the ACK flag unset.
Fig : 2.8
In Fig : 2.8 we can see that the mask is set to FIN,SYN,ACK and the flag that must be set is SYN.
We can also get a detailed view of the iptables rules using the command:
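The two things the rule-order experiment above and this --tcp-flags section rely on can be seen in one place with the following added Python model; it is not code from the blog and not iptables code. It walks a chain top to bottom so the first match decides, lets an unmatched packet fall through to the chain policy, and tests --tcp-flags MASK COMP the way iptables does, as (flags & MASK) == COMP. The hosts and rules are the blog’s; the packet dictionaries are constructed.

```python
# Added example (not from the blog, not iptables code): a toy model of the filter table's INPUT chain.
FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}
def flagset(names):
    """Turn 'SYN,ACK', 'ALL' or 'NONE' (as given to --tcp-flags) into a bitmask."""
    if names == "ALL":
        return sum(FLAG_BITS.values())
    if names == "NONE":
        return 0
    return sum(FLAG_BITS[n] for n in names.split(","))
SYN_ONLY = (flagset("FIN,SYN,RST,ACK"), flagset("SYN"))  # what --syn expands to
def matches(rule, pkt):
    """Every parameter given in the rule must match; one left out matches anything."""
    if rule.get("proto") and pkt["proto"] != rule["proto"]:
        return False
    if rule.get("src") and pkt["src"] != rule["src"]:
        return False
    if "dport" in rule and pkt.get("dport") != rule["dport"]:
        return False
    if "tcp_flags" in rule:                 # --tcp-flags MASK COMP
        mask, comp = rule["tcp_flags"]
        return pkt.get("flags", 0) & mask == comp
    return True

def evaluate(chain, policy, pkt):
    """Rules are tried top to bottom; the first match decides, otherwise the policy does."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

def order_experiment():
    """The blog's web-server test: REJECT-all-HTTP inserted first, ACCEPT-bob appended after it."""
    reject_http = {"target": "REJECT", "proto": "tcp", "dport": 80, "tcp_flags": SYN_ONLY}
    accept_bob = {"target": "ACCEPT", "proto": "tcp", "src": "192.168.0.105",
                  "dport": 80, "tcp_flags": SYN_ONLY}
    bob_syn = {"proto": "tcp", "src": "192.168.0.105", "dport": 80, "flags": flagset("SYN")}
    ping = {"proto": "icmp", "src": "192.168.0.105"}   # matches no rule, so the policy decides
    return {"bob_wrong_order": evaluate([reject_http, accept_bob], "ACCEPT", bob_syn),
            "bob_fixed_order": evaluate([accept_bob, reject_http], "ACCEPT", bob_syn),
            "ping_policy_drop": evaluate([accept_bob, reject_http], "DROP", ping)}

def tcp_flags_experiment():
    """--tcp-flags ALL SYN versus --tcp-flags SYN,ACK SYN on a packet with SYN and PSH set."""
    pkt = {"proto": "tcp", "src": "192.168.0.105", "dport": 80, "flags": flagset("SYN,PSH")}
    strict = {"target": "DROP", "proto": "tcp", "tcp_flags": (flagset("ALL"), flagset("SYN"))}
    loose = {"target": "DROP", "proto": "tcp", "tcp_flags": (flagset("SYN,ACK"), flagset("SYN"))}
    return matches(strict, pkt), matches(loose, pkt)
```

The strict rule ignores the SYN+PSH packet because PSH is in its mask but not in its compare set, while the looser rule only looks at SYN and ACK and therefore drops it.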
sudo iptables -L -v
Fig : 2.9
In Fig : 2.9 you can see the number of packets blocked by the rule, the interfaces and much more information.
We can also replace an existing rule with a new rule:
sudo iptables -R INPUT 1 -p icmp --icmp-type timestamp-request -j DROP
1 denotes the position of the rule being replaced.
Fig : 3.0
In Fig : 3.0 you can see the replacement of the rule.
To avoid problems with rules overlapping on other interfaces, we can also specify the interface while adding a rule:
sudo iptables -I INPUT -p tcp --tcp-flags ALL SYN --dport 80 -i enp0s3 -j DROP
If the -i parameter is used but no interface is specified, then every interface is affected by the rule.
Fig : 3.1
In Fig : 3.1 we can see the input interface as specified while adding the rule.
-i : denotes the input interface
-o : denotes the output interface
To modify outgoing traffic we just need to change the INPUT CHAIN to the OUTPUT CHAIN:
To block ICMP echo request packets going out from our computer alice:
sudo iptables -I OUTPUT -p icmp --icmp-type echo-request -d 192.168.0.105 -j DROP
Fig : 3.2
In Fig : 3.2 you can see the added rule in the OUTPUT CHAIN.
Fig : 3.3
As you can see in Fig : 3.3, we are not able to send ICMP echo requests to bob (192.168.0.105) from alice, whereas we can still send ICMP requests to other machines on the local area network or to any remote host.
Now we have a pretty decent understanding of iptables rules. You should know that the iptables rules are washed away (flushed) automatically when the machine reboots.
So let me tell you one of the many ways to save them:
Note : you must be the root user to run these commands
Firstly, create a directory named iptables inside the /etc directory:
mkdir /etc/iptables
Now we have to create a file in the iptables directory and save the present rules into it. To do so:
iptables-save > /etc/iptables/iptables1.conf
As you can see the filename is iptables1.conf
After rebooting your system all the rules will be flushed.
To restore the rules from the file we saved previously:
iptables-restore < /etc/iptables/iptables1.conf
And that’s it, we are done. You can list the iptables rules and see the rules added from the file you saved.
But should we do this every time we reboot? Can’t we just reboot and have the rules added already?
Because I am lazy as hell!
Let me introduce you to the almighty tool called crontab!!
I guess even movie heroes don’t have such a great entry 🥵😁
command :
crontab -e
I have chosen the nano editor; you can choose the editor of your convenience if you are opening it for the first time.
Now type this at the end of the file:
@reboot /sbin/iptables-restore < /etc/iptables/iptables1.conf
This literally translates to: execute the command when we reboot. And /sbin/ is the directory where the actual iptables-restore binary is present.
Fig : 3.4
In Fig : 3.4 you can see the modification made.
After adding the last line:
press Ctrl+O and Enter to save,
and Ctrl+X to exit the file.
And that’s it!! Every time you reboot, the command is executed automatically and the rules are added. How cool is that!!
THANK YOU
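Since the file restored at boot is whatever iptables-save wrote, it is worth being able to read it back before trusting it. Here is an added Python parser for the iptables-save format written to /etc/iptables/iptables1.conf; it is not code from the blog, and the dump it works on is a constructed sample of the blog’s rules on alice, not real output.

```python
# Added example, not code from the blog: a parser for the iptables-save format
# written to /etc/iptables/iptables1.conf, to inspect a rule set before restoring it.
import re

# Constructed sample dump of the blog's fixed rules on alice, in the form
# iptables-save writes them (--syn is stored as its --tcp-flags equivalent).
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample, not real output)
*filter
:INPUT ACCEPT [120:9800]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [98:7600]
-A INPUT -s 192.168.0.105/32 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 192.168.0.105/32 -p icmp -m icmp --icmp-type 8 -j DROP
COMMIT
"""
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")   # :CHAIN POLICY [packets:bytes]

def parse_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": {chain: [rule line, ...]}}}."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                       # '*filter' opens a table block
            current = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line == "COMMIT":                         # ends the table block
            current = None
        elif current is None:
            raise ValueError(f"line outside a table block: {line}")
        elif CHAIN_RE.match(line):
            chain, policy = CHAIN_RE.match(line).group(1, 2)
            current["policy"][chain] = policy          # '-' marks a user-defined chain
            current["rules"].setdefault(chain, [])
        elif line.startswith("-A "):                   # rules are saved in chain order
            current["rules"].setdefault(line.split()[1], []).append(line)
    return tables

def numbered_rules(tables, table, chain):
    """Same numbering as 'iptables -L --line-numbers': the first rule is 1."""
    return list(enumerate(tables[table]["rules"].get(chain, []), start=1))

def non_accept_policies(tables):
    """Chains whose policy is not ACCEPT (the blog keeps it at ACCEPT), as (table, chain, policy)."""
    return [(t, c, p) for t, d in tables.items()
            for c, p in d["policy"].items() if p not in ("ACCEPT", "-")]
```

Running non_accept_policies on the saved file before the @reboot restore tells you whether a DROP policy is about to come back with the rules, which matters when the only ACCEPT rule you rely on is further down the chain.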