Make your firewall do far more than filter packets with iptables
iptables is the next generation of firewall software for the netfilter project. It provides all of the functionality of its predecessor, ipchains, in addition to support for stateful firewalling. iptables also supports a framework for extending its capabilities with loadable modules. Here are a few tricks you can use with the base distribution of iptables, as well as some of the extensible modules available for iptables.
For these examples, we'll assume that the following environment variables are already set:
# Create syn-flood chain for detecting Denial of Service attacks
iptables -t nat -N syn-flood
# Limit 12 connections per second (burst to 24)
iptables -t nat -A syn-flood -m limit --limit 12/s --limit-burst 24 \
    -j RETURN
iptables -t nat -A syn-flood -j DROP
# Check for DoS attack
iptables -t nat -A PREROUTING -i $EXT_IFACE -d $DEST_IP -p tcp --syn \
    -j syn-flood
These rules limit new inbound TCP connections (packets with the SYN bit set) to 12 per second once an initial burst of 24 has been seen; SYNs arriving faster than that fall through to the DROP rule in the syn-flood chain.
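To see what "--limit 12/s --limit-burst 24" actually allows before you load the rules, here is a small POSIX sh model of the limit match's token bucket. It is added illustration code, not part of the original hack or of iptables; the times() helper and limit_sim() function are constructed for this example, and the traffic it feeds in is made up.

```shell
#!/bin/sh
# Constructed model of the netfilter "limit" match (a token bucket), so the
# effect of "--limit 12/s --limit-burst 24" can be seen without loading rules.
# Added illustration code, not iptables itself. Times are integer
# milliseconds; one packet costs 1000/rate ms of credit (12/s -> 83 ms).

# Print the arrival time T repeated N times (helper for building sample traffic).
times() {
    n=$1; t=$2
    while [ "$n" -gt 0 ]; do
        printf '%s ' "$t"
        n=$((n - 1))
    done
}

# limit_sim RATE BURST T1 T2 ... -> "passed dropped"
# Packets that find a token RETURN to the caller (accepted); the rest hit DROP.
limit_sim() {
    rate=$1; burst=$2; shift 2
    cost=$((1000 / rate))        # credit consumed per matched packet
    cap=$((burst * cost))        # bucket never holds more than "burst" tokens
    credit=$cap; last=0; passed=0; dropped=0
    for t in "$@"; do
        credit=$((credit + t - last))   # refill at RATE since the last packet
        if [ "$credit" -gt "$cap" ]; then credit=$cap; fi
        last=$t
        if [ "$credit" -ge "$cost" ]; then
            credit=$((credit - cost)); passed=$((passed + 1))
        else
            dropped=$((dropped + 1))
        fi
    done
    echo "$passed $dropped"
}

# A burst of 30 SYNs in the same millisecond: the first 24 pass, 6 are dropped.
echo "burst of 30 at t=0:            $(limit_sim 12 24 $(times 30 0))"
# 24 SYNs drain the bucket; one second later only 12 tokens have come back,
# so of 20 more SYNs 12 pass and 8 are dropped.
echo "24 at t=0, then 20 at t=1000:  $(limit_sim 12 24 $(times 24 0) $(times 20 1000))"
```

The model shows that the burst is a one-time reserve of 24 tokens, not a second rate, and that after it is spent the chain admits roughly 12 new SYNs per second regardless of how many arrive.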
Using iptables, a transparent Squid proxy can be set up. This will transparently cache and log all outbound HTTP requests to the Internet. It requires no modification to the user's browser and is useful for blocking unwanted content. This is accomplished with the following iptables rule at the top of the PREROUTING chain:
# Setup transparent Squid proxy for internal network
#
# For details on setting up Squid, see:
# http://www.linuxdoc.org/HOWTO/mini/TransparentProxy.html
#
iptables -t nat -A PREROUTING -i $INT_IFACE -p tcp --dport 80 \
    -j REDIRECT --to-port 3128
This rule redirects outgoing requests on TCP port 80 to a Squid proxy running on TCP port 3128 on the firewall.
# DROP XMAS & NULL TCP packets
iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
iptables has introduced several advanced firewall features that are available by patching the Linux kernel. These patches can be obtained from http://www.netfilter.org/ by downloading the patch-o-matic version corresponding to the iptables version you are using. Patch-o-matic patches are iptables patches that are not yet available in the mainstream Linux kernel. Some of the patches are experimental and should be used with caution.
# DROP inbound port scans
iptables -t nat -A PREROUTING -i $EXT_IFACE -d $DEST_IP -m psd -j DROP

# DROP packets from hosts with more than 16 active connections
iptables -t nat -A PREROUTING -i $EXT_IFACE -p tcp --syn -d $DEST_IP \
    -m iplimit --iplimit-above 16 -j DROP
One of the most powerful netfilter patches allows you to match packets based on their content. The experimental string-matching patch allows you to filter out packets that match a certain string. This is helpful to filter out the CodeRed or Nimda viruses before they hit your web server. The following rules achieve this:
# DROP HTTP packets related to CodeRed and Nimda viruses silently
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp -d $DEST_IP --dport http \
    -m string --string "/default.ida?" -j DROP
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp -d $DEST_IP --dport http \
    -m string --string ".exe?/c+dir" -j DROP
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp -d $DEST_IP --dport http \
    -m string --string ".exe?/c+tftp" -j DROP
Port forwarding is now native to iptables. The nat table uses a feature called Destination NAT in the PREROUTING chain to accomplish this. The following rule can be used to port forward HTTP requests to a system (10.0.0.3) on the internal network:
# Use DNAT to port forward http
iptables -t nat -A PREROUTING ! -i $INT_IFACE -p tcp --destination-port 80 \
    -j DNAT --to 10.0.0.3:80
You can also port forward UDP packets. If you port forward traffic for a particular port, you do not need to have a corresponding rule in the INPUT chain to accept inbound connections on that port. This will only work if the destination is on a network on a locally attached interface (that is, not to destinations on foreign networks). Take a look at tools like rinetd ([Hack #48]) or nportredird if you need traffic to forward to remote networks.
If you port forward your HTTP requests to an internal host, you can filter out the CodeRed virus in the FORWARD chain with this rule:
iptables -t filter -A FORWARD -p tcp --dport http \
    -m string --string "/default.ida?" -j DROP
Using iptables can be challenging at first, but its flexibility makes it a tremendously useful tool. If you ever get stuck while developing your rule set (and you will), remember that your two best friends are iptables -L -n and tcpdump (maybe followed by a quick session with ethereal).