Introduction to IPTables

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
in this video we'll talk about Linux firewalls specifically we'll talk about IP tables which is a front-end to the net filter add-on which is a kernel level firewall that's used in Linux we'll look at the syntax of firewalls specifically IP tables we will look at how to optimize firewalls what firewall rules should look like and finally we'll do a demonstration with three hosts only based networks specifically three versions of Linux running and we'll set up the firewalls on one Linux as a server and we'll see if our rules will actually allow us to connect or deny connection to that server so iptables is actually software and its really an interface and it's an interface to the netfilter firewall that is built into the linux kernel and there are previous versions of of IP tables that were called IP chains which is in the 2.2 kernel and IPF admin but those have been superseded by IP tables so essentially IP tables provides an administrator with a simple interface that can be used to add remove or modify packet rules and for more information about Nelnet filter you can go to dub dub dub net filter org so before we go in-depth in the IP tables let's look at default types of policies that you might want to apply to the incoming packets on your network so here we have one called a deny everything by default policy so here we have an IP packet coming into the network it hits the firewall chain and then we have our rules and so the IP packet coming in is matched against the first rule if it matches we accept that packet and we move it on to its final destination if it doesn't match it goes to rule - and now rule 2 is matched against the contents of the IP packet if that matches that's accepted if it doesn't it goes to rule 3 and so on notice here that the default policy is to deny and that is if no firewall rules are matched then we deny the IP packets access to its final destination on the other hand we could have an accept everything by default policy here we have the same scenario but notice the difference between the two types of policies the IP packet comes in to the firewall chain it's matched against role 1 if it does match we deny that packet access to the network if it doesn't match we go into role 2 if it matches yes we deny it and so on on through rule 3 if the pipe packet doesn't match any of the rules and our firewall set then we accept that packet and what are the potential problems with each of these types of policy well will the X did not accept everything by default policy if we happen to miss a critical firewall rule that we should have added in here then a malicious packet would be able to reverse the firewall chain and be accepted into the network so we have to make very sure then we have every single rule that we need to to have in order to allow only non malicious packets into the network now think for a second what would be the possible negative consequences of having a deny everything by default policy if in our rules we happen to miss something critical let's say for example we have we want the ability to have some some clients on network to be able to access an FTP server if we don't include that rule then they will be denied access to the server which can cause consternation on the clients but also essentially what you've set up is a denial of service attack liance so you have to be careful in both situations to make sure you have the necessary rules to allow access to those resources that are required by valid users on the network so which is best well it really depends on what you're trying to do so it depends upon the context and the circumstances of the organization's and its policies so netfilter is really a packet filtering firewall and it can do several things the first thing is it can protect against source address spoofing we'll see that just momentarily it's useful information revealed in response to porch scans it can identify malformed broadcast packets that are used to identify UNIX systems a lot of times we don't want to provide for the intruder or bad guy the fact that whether we're using a Windows system or a UNIX system might want to filter those packets so that the intruder doesn't know what type of system because it then gives them intelligence about what to target it protects against some forms of network mapping some denial of service attacks we'll see shortly source routed packets which is different from traditional routing but because source routed packets indicate within the the IP portion of the packet the exact route that a package should take rather than letting the routers handle that information some forms of fragmentation bombs that is when an IP frag internet packet is fragmented on purpose you can actually set up a situation where there's a denial of service attack if it's done on purpose it can also protect against the local mistakes that may affect a remote site and it can control access to private land services IP tables now comes with new features with respect to packet filtering including the ability to use source and destination port lists it gives it access to the TCP state Flags syn ACK reset push urgent fin and so on access to the TCP options field connection state maintenance for TCP UDP and ICMP exchanges and this will be important in creating our stateful packet filtering firewall which we will do it also provides access to the IP header fields as well as the macos or stress which means that we can filter according to the media access control or Hardware network interface card source address with our packet filter and this is one of the types of attacks it's a denial of service attack that packet filtering firewall can mitigate here you have the attacker over here here you have the server and what the attacker does is sends a stream of syn packets in rapid succession to a particular port let's say port 80 so there will running a web server on this computer and recall that once the syn packet comes in that the destination here will send back a syn ACK and then we'll and then we'll wait for the final act to create the three-way handshake well if these send packets are sent and no responding ACK has ever sent that causes an overload and a denial of service attack here because this can only hold so many connections at one time waiting for the final act to be responded to another type of protection afforded by the netfilter firewall is a ping flood and this is called a smurf attack here we have the attacker and we have the victim the attacker sends a ping echo request to the broadcast address of the network on which this victim resides however the victim has spoofed the source address here to be the destination address which means that this broadcast ping echo request goes out to all the computers on the network and then all those computers reply back to this victim due to the victim spoofed address being the destination address causing a denial of service attack the iptables has a standardized in a very simple syntax iptables - - flush which means to flush all the firewall rules that are already uploaded into the kernel we could type IP tables and then - a - a means to append - a input means to append to the input chain that is looking at all the incoming packets from the network - i stands for the interface in this instance we're looking at the loopback interface is used for inter-process communications within the computer so there's what those are going to be necessary and so here incoming on loop back and - j is that called the target and the target here means - is to accept these packets so anything incoming on the loopback address should be accepted our next rule says IP tables append to the output chain to the outgoing interface loopback which means that the there's inter process communication between the input and the output on the loopback interface we want to accept those as well and we should always do this I don't know of an occasion where you'd want to deny loopback access so you would always want to have these rule us in your set of firewall rules and finally we can identify our default policy here we've got three policies three firewall rules the first is is the policy the default policy for the incoming packets and that is to drop them so we're looking at a deny default deny everything policy this rule defines the policy for the outgoing packets and that is to deny everything that's going out and finally the forward rule is only necessary if you have two network interface cards and you're taking the input from one network interface card and forwarding it to another interface card for processing and there are three important IP tables target's accept means to let the packet through drop means to drop the packet quietly that is don't do anything with it just drop it and do not respond to the incoming packet finally we have reject and some people get these confused but they're handled differently reject means you you essentially don't do anything with the packet but you do return an ICMP port unreachable or other ICMP message to indicate back to the source computer that that port cannot be reached so what would be the difference between these two in terms of security well let's say somebody is trying to connect to our SSH server over port 22 if we don't want anybody to know that we're running SSH we could use the drop as the target which means that the intruder would never receive any packets back indicating whether the port is open or not however if we used reject that would tell the intruder that that port is up but is unreachable which could give the intruder some intelligence with respect to the kinds of services that we're running on our computer so there's consequences in terms of security as to whether we want to use drop or whether we use reject for incoming packets that we don't want to process into our network so let's look at our first simple example here in our firewall rules we've defined our server IP as 192 dot 168 0 3 so essentially the server IP is a variable and the reason we want to do this is if we ever change the server's IP address we can just simply change it one place at the top of the rules right here and then any time we refer to it later this value will be replaced where we ever see server IP so it's just like coding with variables so here what we're doing is we're dropping all ftp requests so IP tables so IP tables - i that's then is the input so - i means to insert the rule into the input chain - small i means the interface here it's each 0 - P stands for the protocol and here TCP because FTP runs over TCP - s stands for the source address notice here we've got 0/0 that essentially means any source IP address - d stands for the destination address and notice that we have a dollar sign prepended - server IP so when netfilter sees this it's going to evaluate server IP as one ninety two dot one sixty eight dot zero dot three notice here we have a - - anytime we have a single letter indicating a parameter in a firewall role we use a single letter we can use a single - if we use the longer version that's more than one character we have to use a - - so it's - - destination port 21 the target is to drop so int what this says is is any incoming packet is coming in to our eath zero network interface card that's a TCP packet that's coming from anywhere and the destination address is this address on or 21 we want to drop it so now let's look at how we would handle SSH connections so here we have IP tables we want to insert the role on the input chain for the interface eat zero for packets that are TCP source is coming from anywhere to the destination server IP on the destination port 22 which is ssh - j the target is to accept that packet now let's say we want to limit access to ssh to only computers on the same network what we can do is is we can find it define a new variable called network and so our new definition is 192 dot 168 0 0 slash 24 insider notation and then we can change the above rule to this so insert on the input chain on the interface e 0 packets thereof TCP and the source is coming from our network that is our internal private Class C Network to the destination server IP address to the destination port 22 SSH is to accept it so here what we've done is we've limited access to SSH to only clients with this source address now let's look at something a little different where we're going to allow incoming pin client requests so in this case IP tables insert on the input chain for the interface each 0 notice now our protocol is ICMP we also must specify an ICMP type because there's actually eight different types ICMP ICMP type 8 is an echo request so essentially that's a ping - s the source address is anybody - D is our destination server notice we've added something new here the - M eight and the - state new established and related recall that we talked about a stateful packet filtering firewall what we're doing here by adding the - M state and the - state new established er related says it this is valid for all new connections or whether they're established and related established and related means that they're going to be in the the connections table for existing already established and related connections and so this indicates that we should accept the packets that are asking for an ICMP echo request from anybody whether it's in a new connection or whether it's an established and related connection if we're going to allow outgoing pings we have to obviously also have a fire role that will allow for incoming responses and so we do that here here we're inserting on the output chain that interface eat zero the protocol is ICMP the ICMP type is zero and zero is echo reply - s notice now is the server IP notice now that the source address is the server IP because the source is going to be sending the echo replies back to the destination computer notice the dash D here is 0/0 meaning anything the - M state and the - state established and related means that now only previously established and related connections that are in our connections table for our stack stateful packet filtering firewall will that packet be accepted for egress packets that is packets outgoing from our network if we would like to disable all outgoing ICMP requests we can do it one of two ways we can notice here where so here rather than inserting a rule at the beginning of the firewall rules we're going to append to the last firewall chain the output chain for any packets that have a protocol of ICMP with an ICMP type echo request we're going to drop that packet which means there can be no outgoing echo requests so what don't we have here we have no source address nor destination address and it really doesn't matter because what we're saying here is that there's no ICMP echo requests that are going to be allowed outgoing on the output chain so they're all dropped alternatively we can use the same syntax here but instead of saying echo requests we can just say include the number eight which is a code type of echo request and we're going to drop that packet so that's a very simple way to drop all outgoing ICMP requests let's say we wanted to change this rule so that it would then it would drop all incoming requests how do we change this the only thing we need to change is is to change this output to input and again we would only need one of these rules so it would be iptables - a input and then the same syntax recall again that we talked about stateful packet inspection which means that once a packet leaves and establishes its three-way handshake in the connection that information is kept in a stateful filter table and so all related and established packets that come in or out of the network that are included in that stateful table won't need to be matched against all the firewall rules which takes time of course the more file the more firewall rules you have to be matched by a packet the longer it takes for that package to get to its destination so here what we're doing is is we're adding a statefulness to our firewall so the policy iptables append to the input chain - M State - - State established and related and accepted so anything that's already established any packet is part of an established and related connection that's in the stateful table will be allowed to the network and of course you'd want the same rule for the output chain obviously a simple standalone set of firewall rules first let's identify our variables server IP and typically you would do this just in case that the server IP might change at some point in time otherwise you would have to go through your firewall rules and change every instance of this and if you've ever coded and not used variables instead uses the actual values you know what a problem that can be notice that though we're indicating our interface we're calling an internet here each zero and doesn't matter what you call it over here as long as your you use it consistently throughout your firewall rules we've got an each zero single network interface the loopback interface is ello here we're referring to our actual network so the subnet base is 192 dot 168 does 0/24 notice that our loopback is going to be our typical blue back interface network side our notation and notice here we've also got private networks Class A B C D and E why would we identify private network addresses because if let's say if we're using a router at the edge of the network and we see any of these addresses being routed over the network into our network we know that these are spoofed addresses because these are unrouted addresses because they're private and therefore the router shouldn't be seeing them and if it does it should be dropping those packets so let's continue and so we've got iptables - - and that should be a - - that luckily when you do this in PowerPoint - - turns into a single long - thank you PowerPoint so this says we're going to flush our rules then we want to create unlimited traffic on our loopback interface we'll always need to add this and we'll eye this up front because we want this to be processed very quickly so on our input chain for the loopback interface except for the output output loopback the target is accept then we define our default policies and it is - drop in this instance recall that drop means that the package is gracefully and quietly dropped and no packet is sent back to the requesting client computer and then up front we want to make sure that we include our stateful packet inspection which we've just gone over so you have a stateful rule for the input chain and a stateful rule for the output change for established and related connections and then we want to check on source address spoofing and other bad addresses I just discussed previously so here we're appending to the input chain for our e0 if you recall that was eat zero and for the source address our own IP address we want to drop those because that's that's essentially a way to cause a denial of service attack is having a source and destination address they're the same and you get to this cyclical loop and it causes an on a denial of service attack and then you also want to refuse packets claiming to be from all the private network addresses to Class A B and C so notice here we have our variables Class A that was defined previously Class B Class C and of course the loopback interface coming in over each 0 because loopback anything coming of the loopback interface should only be sending packets to other loopback addresses not to our e0 or networking interface card address now of course there are many other firewall rules you'd want to create but let's stop right there now and let's talk about firewall optimization what we want to do is is we want to make sure that the rules are going to fire or going to be seeing the most traffic we want to put them as early as possible in the chain because those will be the ones that need to be processed quickly so the we want to place the loopback rules as early as possible as we did previously when our place forwarding rules as well in this instance that would require to network interface cards and we want to use the state and connection tracking that as a stateful firewall rules modules to bypass the firewall for established connection connections and we also want to use a state and connection tracking and that relates to a stateful packet filter modules to bypass the firewall for established connections because if something's already established and related it's already gone through all the firewall rules we don't want to have it to traverse the input and output change if it's not necessary we can also combine rules to standard TCP client-server connections into a single rule using Port lists and we'll show you how to do that brief shortly and also we want to place rules for heavy traffic services as early as possible and here I asked where would you place stateful packet inspection well you want to place those as early as possible so let's apply what we've learned thus far with a simple illustration so we've defined our policies our default input policy is to drop our default output policy is to accept anything going out unless it's denied by a rule and finally even though we're not going to use it we need to go ahead and define a default policy for Ford and we're going to keep that it's drop we're also going to create a stateful firewall and we set up a virtual host network which I'll show you how to do in another video but for right now let's keep it simple we've got a server yeah and I just changed some of this quickly so we have three computers on this virtual network we have a server and a both two server whose IP address is 1.1 30 we've got a met 9 client whose IP is 1.1 28 and for MIT 9 we're going to allow FTP access and we're also going to allow ICMP requests and finally we've got a third computer running Ubuntu 10 is 1.1 29 and a little later in the demonstration I'm going to allow SSH access from the Ubuntu 10 but we're going to reject ICMP requests so this see what that looks like create rules in any type of text editor or with the VI editor the visual editor VI comes with every distribution a Linux so it's very good to know that but I'm not going to force you to use that of course you're going to have to use some editor on on the server and you have to do this on the server by the way and you can either use Nano which looks something like this and it has helpful little screen down here where you can see what all the key shortcuts are and if you want to save the file you type a ctrl + O for write out I don't know why that include that as a capital S and say but anyway let's exit out of here but not every computer is going to have Nano every computer does have VI however I've installed a different package called vim which is a modified version of VI which gives you syntax highlighting and if you'd like to install that you type aptitude install vim okay and I've already done that so what I've done is I've created a shell script that includes all my IP tables firewall rules and first we'll go over the rules and I'll show you how and why I created the script so we type them and I name this firewall rules SH for shell script because this will be an executable if you want to see that it's an executable you'll see right here that's in green and notice it has to execute bit set normally we don't have the execute bit set for other files because we don't want to execute them however for this one we do and of course you should know how to do that but just in case you've forgotten from last week I'll show you how to do that so vim firewall rules and we see has nice bit of syntax highlighting if you want to take a shell script create a shell script you need to first include this line right here that has a number sign and a bang and then you need to indicate the shell that you want to use to execute this script which is the bourne shell so it's number bang or shebang ford slash bin ford slash sh that's the first thing you need to do to create a executable shell script i went on the head and identified the three computers on here because actually they were i was having difficulty remember what was what when i was creating the the IP addresses down here so i just went on ahead and i created them as variables so the server IP is dot one 130 mantis one dot 128 and a bun two is 1.1 twenty nine so the first thing that you do in the shell script is to flush the roles which i've done here on this line and then we need to identify our policies we have three policies we have a policy for the input which is drop policy for the output which is accept and a policy for ford which is drop although we won't use this just realize that if you don't include this the policy Ford defaults to accept which we probably don't want then we need to have two rules for our loopback interfaces we need to have for the input for the loopback is accept and output - oh here you see that the output interface for loopback is to accept as well and then let's create a stateful firewall and so any two rules for that we need to append to our input chain the - m4 state and the state of the state will be an established and related des J and except for our output we want to append the role - M state and the state will be established and accept as well and we need to change that a little bit let's go ahead and do that because that's not exactly correct clicking here let's see where we are this needs to be established instead of established let's go back type establish let's write that out so it's established and related we want to accept that and now this is where we start determining how mint and Ubuntu can connect to our server so the first rule in here says iptables - a so we're going to append to the input chain for the e0 or TCP protocol and the source is going to be mint 9 which is this IP address the destination is going to be our server IP which is this address and the destination port 21 - J except so I'm allowing the mint 9 client to connect via FTP and hopefully I remember to show you right after I get out of this that indeed that the FTP server is running and I'll show you how to do that also how to add that to your server notice here that we have a comment this number sign indicates that this is commented out it doesn't mean the same thing as it does here this acts means something different when you have the shebang right here but this is a comment and then later after we see that that a bun - can't connect will we'll take that out we'll change that rule and just take away the comment so that it can connect but let's see what it does so we append to the input chain on the interface eat zero the protocol TCP the source address is a bun to the destination address is our server IP and the destination port is 22 and we want to accept that but of course since this rule is coming it out it won't actually be included within the kernel which means that the bun too should not be able to connect to the ssh server and finally we have a couple more rules let me scroll down here a little bit to ICMP rules and so we've got IP tables - a append to the input chain for the interface 0 the protocol now is ICMP the is EMP type is a tour for echo request and the source is a bun - and the - D for the server IP and we're going to accept that and we have one more rule IP tables - a input chain we're going to append to - ID the interface - P ICMP for the protocol once again we're doing an echo request and we need to change this right here see what I've done confuse myself and we need to change this to mint here we go we write that out and so mint nine we're going to reject ICMP requests to the server IP notice this says reject right here notice that because the the output is to accept that if for example if we get an ICMP requests here from Ubuntu it's accepted then this the fact that this is the output is to accept is that we don't need a rule to have the server IP reply to the echo request because the default policy is accept okay let's get out of that okay I want you to be careful to when you're looking at this because notice the spacing in here the spacing and capitalization is important notice that sometimes it's not capitalized and sometimes it is some of these keywords need to be capitalized whenever you see stuff like this that means it must be capitalized also notice the spacing in here you need spaces who are appropriate and for example in here there's no spacing between established the comma and they're related so try to make sure that your spaces resemble what you see here okay let me get out of here right and quit and the way I made this executable is at first it was a text file but then I ran mod and I added the executes bit to everything so I wanted read/write/execute for me so that's a seven and then I want to execute bit for group and other actually I want in read and execute for other I'm just kidding for group and one for other and then the name of the file and then that made it executable okay so now let's see net stat that's GPA in and I'll show you what's listening so I've got 21 listening that's FTP and I've got 22 listening and that's SSH so I've got those two running and the way I install those was to type sudo attitude install vs SFTP D which allows you to install the FTP daemon for the FTP server and for SSH which you should have done already OpenSSH server and you can install that and after installed it it automatically starts so what we need to do now is is we need to execute that executable file and when you do that as root and so we type sudo and because our file is in our current directory we indicate that's in our current directory firewall rules SH hit enter there was no errors and now what we can do is that we can do sudo iptables - shell for list the rules and we'll see our rules will be listed and it might take a little while to show this I'm not sure why it's taking so long but anyway they work let's get out of that okay now let's test our firewall rules let's go to first let's go to MIT 9 let's move this over a little bit and recall that MIT 9 has capability of connecting to the FTP server so I want to go to the FTP server type 1.1 3 0 okay and there's the FTP server I give whoops name PC my password and I'm logged in there's my files and that work let's type by but so what maybe maybe IP table isn't working maybe just everything is being accepted so let's just test out connecting to ssh because there was no rule in there to allow meant to connect to f2a ssh and so let's ssh 192.168.1.1 30 and that's not going to work 130 essentially what's happening because those packets are being dropped it's not going to connect okay control see let's get out of that now our boon to system I was not allowed to connect to FTP but it was to it well not yet to SSH so let's go ahead and try to connect to FTP and that's not going to be able to connect either because if it was it would be instantaneous let's go back up to server and let's go back in into them and the firewall rules and let's take out this comment and so now the bun too should be able to connect to our port 22 save that and now we need to read the firewall rules back in and of course the first thing it's going to do is going to flush all the firewall rules and substitute the new ones now let's go back over to a bun - oh well I didn't connect to SSH well anyway you saw I didn't connect to FTP no SSH 192.168.1.1 three zero and there we go animals my password and um in remember also we were going to allow a bun to to ping but we weren't going to allow Mint to ping so let's see if we can ping the server we can just go over to MIT nine let's clear that and let's ping destination port unreachable which is exactly look at the BAM go to the bottom and we have reject so that ends this video on IP tables firewall and net filter we showed you how IP tables firewalls work how you want to set up and optimize your IP tables firewall rules the syntax you need to be very careful about the syntax because if you don't get it exactly right you will get errors I would go ahead and create a shell script it looks just like this in fact I'll load this up so you can use that as an example and you can set up your own little Network I will create another video that shows you how to create your own little host network system so everything is sitting on the same network and you can do that very easily in VMware
Info
Channel: Computer and Network Security
Views: 95,683
Rating: undefined out of 5
Keywords: Iptables (Software)
Id: XKfhOQWrUVw
Channel Id: undefined
Length: 42min 55sec (2575 seconds)
Published: Wed Jun 25 2014
Related Videos
Fundamentals of iptables
Rajnesh Kumar Siwal
81K
Special Lecture: F-22 Flight Controls
MIT OpenCourseWare
2.2M
iptables Demystified - Port Redirection and Forwarding HTTP Traffic to another machine (part 1)
Hussein Nasser
19K
Fundamental of IT - Complete Course || IT course for Beginners
Geek's Lesson
2.1M
IPTABLES [PART-1] : "UNDERSTANDING THE CONCEPT"
XPSTECH
65K
How a CPU Works
In One Lesson
6.8M
System administration complete course from beginner to advanced | IT administrator full course
Geek's Lesson
3.3M
Django Tutorial in Hindi | Django Tutorial for Beginners in 2021 | Python Django | Great Learning
Great Learning
34K
Explaining File Systems: NTFS, exFAT, FAT32, ext4 & More
ExplainingComputers
1M
Kubernetes Crash Course for Absolute Beginners [NEW]
TechWorld with Nana
272K
SSH Tunneling - Local & Remote Port Forwarding (by Example)
Hussein Nasser
104K
Introduction to Intrusion Detection
Computer and Network Security
37K
I Built This From A 1972 Popular Mechanics Magazine Plan. Does It Work?
Fireball Tool
2.2M
Introduction to Networking | Network Fundamentals Part 1
Network Direction
1.3M
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.