This site is now 100% read-only, and retired.

Question: A good iptables tutorial?

Posted by Schiz0 on Wed 24 Aug 2005 at 08:11

I run a few different types of servers, and I would like to know how I can use IPTables to restrict access to these servers, mostly my FTPd.

I did google around a bit and found a tutorial or two on IPTables, but I really didn't understand most of it.

I'm running Debian etch/testing, kernel 2.6.11-1-386, iptables v1.3.1.

If anyone knows of a nice, easy tutorial on IPTables or if someone could give me a few examples on how to block packets from a certain IP/hostname and/or port, that would be greatly appreciated.

Thanks,

~Steve (Not the owner..another Steve, haha)

Re: Question: A good iptables tutorial?
Posted by Steve (82.41.xx.xx) on Wed 24 Aug 2005 at 07:26

Whilst it's true that using iptables can be confusing, it's pretty straightforward once you get the hang of it.

To start off with there are three real "chains" which iptables uses:

  • INPUT
    • Which is used to grant or deny incoming connections to your machine.
  • OUTPUT
    • Which is used to grant or deny outgoing connections from your machine.
  • FORWARD

Each of those chains can contain rules which control what you allow, or disallow.

Usually your firewall script will start off by resetting (emptying) all the chains then adding new rules to them. Some machines will only care about what packets are coming into them, others will care about what packets are leaving the machine - so you might find INPUT, or OUTPUT, or both chains being used.

Here's a quick example which seems relevant to your question on FTP usage.

# First of all delete any existing rules.
#
# This means you're back to a known state:
#
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X


#
#  Block all access to port 21 (ftpd)
#
#  BUT allow host 11.22.33.44
#
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 21 --source 11.22.33.44 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j DROP

There we've done two things:

  • Delete any prior rules to make sure when we run this again we won't have any problems.
  • Add two rules to the INPUT chain, which means they will apply to incoming connections:
    • 1. Allow incoming connections to port 21 from one IP address 11.22.33.44.
    • 2. Deny all other incoming connections to port 21.

The general form of an iptables command is:

iptables -A CHAIN -p tcp/udp [options] -j ACTION

The CHAIN we've briefly covered before, "INPUT", "OUTPUT", "FORWARD", etc. Here "-A INPUT" means "append this rule to the input chain".

The "-p tcp" means this rule applies only to TCP connections, not UDP. (To specify UDP connections you'd use "-p udp" instead.)

"[options]" is where you specify what you wish to match against.

Finally "-j ACTION" is used to specify what to do to packets which match your rule. Usually an action will be one of "-j DROP" to drop the packet, "-j ACCEPT" to accept the packet, or "-j LOG" to log it.

We used the "-m state --state NEW --dport 21" to match against new connections to port 21. Other options allow you to match against different things.

Really google is your friend; and if you're not able to search and experiment I'd suggest using an unstable distribution like Etch is going to be .. unwise. (Not trying to pick on you! Just thought it was worth mentioning.)

Actually if you're only concerned with access to your FTP server you might be better off seeing if that allows you to limit access on its own ..? Some of them do give configuration options to only allow particular IP addresses to use their services. If yours does then that could simplify things, as you won't need to learn anything new...

Steve
-- Steve.org.uk

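The same accept-then-drop pair, written as a small script rather than typed in by hand. This is an added example, not code from Steve's post: the allowed hosts live in one variable (the addresses are constructed placeholders), and a dry-run mode prints the rules instead of applying them so you can review the order before running it as root.

```shell
#!/bin/sh
# Added example: generate (or apply) the INPUT rules for port 21 described
# above. IPTABLES, DRY_RUN and FTP_ALLOWED_HOSTS are assumptions, not
# settings from the original post.
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}            # 1 = print the rules, 0 = apply them (needs root)

# Constructed example addresses; replace with your own host or subnet list.
FTP_ALLOWED_HOSTS="11.22.33.44 10.0.0.0/24"

# run: print the iptables command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$IPTABLES $*"
  else
    "$IPTABLES" "$@"
  fi
}

# Back to a known state, exactly as the post does first.
reset_rules() {
  run -F
  run -t nat -F
  run -t mangle -F
  run -X
}

# restrict_port PROTO PORT "HOST HOST ..."
# Emits one ACCEPT per allowed host, then the catch-all DROP. The order
# matters: iptables stops at the first matching rule, so the DROP must
# come last or nobody gets in.
restrict_port() {
  proto=$1 port=$2 hosts=$3
  for host in $hosts; do
    run -A INPUT -p "$proto" -m state --state NEW --dport "$port" -s "$host" -j ACCEPT
  done
  run -A INPUT -p "$proto" -m state --state NEW --dport "$port" -j DROP
}

reset_rules
restrict_port tcp 21 "$FTP_ALLOWED_HOSTS"
```

Run it once with the default DRY_RUN=1 and read the output, then `DRY_RUN=0 sh ftp-rules.sh` as root. One caveat if you later combine this with a default-deny INPUT policy: passive FTP data connections only show up as RELATED for the conntrack state match when the ftp connection-tracking helper (ip_conntrack_ftp on this kernel series) is loaded.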

Re: Question: A good iptables tutorial?
Posted by Anonymous (64.6.xx.xx) on Wed 24 Aug 2005 at 15:57
Yeah, a lot of FTPd's use tcp wrappers - so you could use /etc/hosts.deny and /etc/hosts.allow accordingly.


Re: Question: A good iptables tutorial?
Posted by teghem (84.194.xx.xx) on Wed 24 Aug 2005 at 11:11
a pretty good and relatively complete tutorial

http://iptables-tutorial.frozentux.net/iptables-tutorial.html


Re: Question: A good iptables tutorial?
Posted by K4sperl (212.33.xx.xx) on Wed 24 Aug 2005 at 15:43


Re: Question: A good iptables tutorial?
Posted by fugit (199.2.xx.xx) on Wed 24 Aug 2005 at 17:10
http://www.netfilter.org/documentation/ has a good list of documentation including iptables.

You should also check out securing debian document:
http://www.debian.org/doc/manuals/securing-debian-howto/


Re: Question: A good iptables tutorial?
Posted by Anonymous (24.144.xx.xx) on Wed 24 Aug 2005 at 20:17


Bastille
Posted by Anonymous (20.137.xx.xx) on Wed 24 Aug 2005 at 22:21

All these are great comments--but the bastille hardening scripts are in apt, that might be faster for you, as long as you can follow instructions.

apt-get install bastille

Interactive-Bastille
... or something like that, I've forgotten.


Re: Question: A good iptables tutorial?
Posted by Schiz0 (68.163.xx.xx) on Thu 25 Aug 2005 at 04:59
To Steve:
No, it's not just for my FTP server, I was just using that because it's the one it will be most used for. I use a semi-anonymous (Aka a ton of people know the login) and I wanted to know how to ban people (FTPd doesn't support banning).

To Anonymous (The Bastille person):
I already run Bastille, and I might add that it is a very helpful and educational program, Thanks.

To Everyone else:
Thanks for your responses, I appreciate the help :-)


Re: Question: A good iptables tutorial?
Posted by Eirik (129.177.xx.xx) on Thu 25 Aug 2005 at 16:50
I use a script similar to the following, called from /etc/network/interfaces:

#/etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
  pre-up /etc/firewall-rules.sh eth0
  address x.x.x.x
  netmask 255.255.255.0
  gateway y.y.y.y

#!/bin/bash
#/etc/firewall-rules.sh
# bash, not sh: the script uses [[ ]], the function keyword and $(( ))

check() {
  if [[ ! -x "$1" ]]
  then
    echo "$1 not found or is not executable"
    exit 1
  fi
}

IPTABLES="/sbin/iptables"
check $IPTABLES

#IPTABLES=iptables_debug
rule_counter=1
function iptables_debug() {
   echo "doing ( $((rule_counter++)) ): \"/sbin/iptables $*\""
   /sbin/iptables $*
}

INTERFACE=$1
if [[ "$INTERFACE" == "" ]]
then
   echo "INTERFACE variable unset! Aborting"
   exit 1
fi

echo -n "Attempting to bring up firewall on $INTERFACE: "

#Flush old rules:
$IPTABLES -F
$IPTABLES -X

#Set DROP as standard policies. Default deny always makes
#the most sense.

$IPTABLES -P INPUT   DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT  DROP

#Additional rule chains:

#It's wrong, and creates all sorts of silly problems, if
#ICMP packets are dropped, so allow related ICMP traffic:
$IPTABLES -N icmp-chain
$IPTABLES -A icmp-chain -i $INTERFACE -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A icmp-chain -i $INTERFACE -p icmp --icmp-type echo-request -m limit --limit 5/s -m state --state NEW -j ACCEPT

$IPTABLES -A icmp-chain -i $INTERFACE -p icmp --icmp-type destination-unreachable -m state --state NEW -j ACCEPT

$IPTABLES -A icmp-chain -i $INTERFACE -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT 

$IPTABLES -A icmp-chain -i $INTERFACE -p icmp --icmp-type timestamp-request -m state --state NEW -j ACCEPT 

$IPTABLES -A icmp-chain -i $INTERFACE -p icmp --icmp-type timestamp-reply -m state --state ESTABLISHED,RELATED -j ACCEPT 
#Drop everything else:
$IPTABLES -A icmp-chain -j DROP


#services - these are services run on the system:
#Uncomment and edit lines, to enable services. See the iptables
#documentation for various ways to specify addresses.
$IPTABLES -N services

#ssh from private lan:
#$IPTABLES -A services -p tcp -i $INTERFACE --dport 22 --sport 1024:65535 -s x.x.x.x -m state --state NEW -j ACCEPT

#www from an ip-address
#$IPTABLES -A services -p tcp -i $INTERFACE --dport 80 --sport 1024:65535 -s y.y.y.y -m state --state NEW -j ACCEPT

#Default policy: drop
$IPTABLES -A services -j DROP

# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST
$IPTABLES -A INPUT -i $INTERFACE -p ip -f -j DROP 
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP 
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP 
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 


# Allow all on loopback
$IPTABLES -A INPUT -i lo  -s 127.0.0.1 -j ACCEPT 
$IPTABLES -A OUTPUT -o lo  -d 127.0.0.1 -j ACCEPT 

#Allow established connections:
$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Anti-spoofing rule
$IPTABLES -A INPUT -i $INTERFACE  -s 200.200.200.200 -j DROP 
$IPTABLES -A INPUT -i $INTERFACE  -s 192.168.0.0/24 -j DROP 
$IPTABLES -A INPUT -i $INTERFACE  -s 127.0.0.0/8 -j DROP 

# Block NEW without SYN
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP 

#Allowing all outgoing connections -- I've found this makes
#the most sense -- you could limit this of course, to make it
#more difficult to download exploit code etc -- but if an
#attacker is able to type text, there are many ways to install
#exploits.
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT 

#Enable the ICMP chain
$IPTABLES -A INPUT -p icmp -j icmp-chain


#and the services chain:
$IPTABLES -A INPUT -i $INTERFACE -m state --state NEW -j services

echo "done."

If you add new rules, either do:

/etc/init.d/networking restart

or

/sbin/ifdown eth0; /sbin/ifup eth0

The latter is usually fast enough that you won't lose your ssh connection to the server.

But always be careful when experimenting with iptables -- locking yourself out is a very real possibility.

The benefit of this approach is that it makes it easy to add new services: as all established connections are allowed, all that is needed is to add a new rule allowing connections from a certain subnet to a certain port, and everything (should :) work.

You might want to define a few variables, such as $LAN, or $TRUSTED-HOSTS, to save some typing, and repeating addresses.

You could limit which hosts you send icmp-replies to -- but I don't recommend it. It adds very little real security to your setup; a ping flood would still eat all your upstream bandwidth, for instance, even if all you do is filter the pings.

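On the "locking yourself out" point: one habit that makes experimenting with a default-deny script like the one above much less nerve-wracking is an automatic rollback. This is an added example, not part of Eirik's post. It assumes the firewall script takes the interface as its first argument (as /etc/firewall-rules.sh above does); IPTABLES, ROLLBACK_SECS and the pid file path are assumed names.

```shell
#!/bin/sh
# Added example: apply a firewall script with a timed rollback. If the new
# rules cut your own ssh session, nobody confirms them and the timer opens
# the firewall again; if you can still log in, you confirm and keep them.
IPTABLES=${IPTABLES:-/sbin/iptables}
ROLLBACK_SECS=${ROLLBACK_SECS:-60}
PIDFILE=${PIDFILE:-/var/run/fw-rollback.pid}   # hypothetical path

# The "unlocked" state: accept everything and clear every rule and chain.
open_firewall() {
  for chain in INPUT FORWARD OUTPUT; do
    $IPTABLES -P "$chain" ACCEPT
  done
  $IPTABLES -F
  $IPTABLES -X
}

# apply_with_rollback SCRIPT IFACE
# Starts the timer first, then runs SCRIPT. Unless confirm_rules is called
# before the timer fires, open_firewall undoes whatever SCRIPT did.
apply_with_rollback() {
  script=$1 iface=$2
  if [ ! -x "$script" ]; then
    echo "$script not found or not executable" >&2
    return 1
  fi
  # Detach the timer from our stdio so it keeps running quietly after
  # this shell exits (or after the ssh session that ran it is cut).
  ( sleep "$ROLLBACK_SECS" && open_firewall && rm -f "$PIDFILE" ) \
      </dev/null >/dev/null 2>&1 &
  echo $! > "$PIDFILE"
  "$script" "$iface"
  echo "Rules applied. Run 'confirm' within ${ROLLBACK_SECS}s to keep them."
}

# Cancel the pending rollback. Do this from a *new* ssh session: being able
# to open it is the proof that the rules did not lock you out.
confirm_rules() {
  if [ ! -f "$PIDFILE" ]; then
    echo "No pending rollback." >&2
    return 1
  fi
  if kill "$(cat "$PIDFILE")" 2>/dev/null; then
    rm -f "$PIDFILE"
    echo "Rollback cancelled; rules kept."
  else
    rm -f "$PIDFILE"
    echo "Too late: the rollback already ran, the firewall is open." >&2
    return 1
  fi
}

case "${1:-}" in
  apply)   apply_with_rollback "$2" "$3" ;;
  confirm) confirm_rules ;;
  *)       echo "usage: $0 apply /etc/firewall-rules.sh eth0 | $0 confirm" ;;
esac
```

Typical use is `fw-safe.sh apply /etc/firewall-rules.sh eth0`, then a fresh ssh login and `fw-safe.sh confirm`. Pick ROLLBACK_SECS long enough to actually log in; the default of 60 seconds is an assumption, adjust to taste.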

Re: Question: A good iptables tutorial?
Posted by british (193.171.xx.xx) on Fri 30 Dec 2005 at 09:15
thx for your info! I just started to build my personal iptables rules. Your code was much help!

greetinx!
gottfried


Re: Question: A good iptables tutorial?
Posted by apeekaboo (85.226.xx.xx) on Thu 25 Aug 2005 at 21:44
Here's a way to slow down brute-force logins. Use iptables to check for new connections to ftp and ssh ports. After some failed attempts, DROP new connections from the connecting IP address for a limited time.

This is straight from my firewall.rc so you might need to modify the chain and interface to suit your needs:

# adds a new connection to a list of recent connections:
iptables -I net2fw -p tcp --dport 21:22 -i eth0 -m state --state NEW -m recent --set

# matches a new connection with the list of recent connections
# --seconds - how long a connection remains on the list of recent connections
# --hitcount - DROP connections when recent connections match this count
iptables -I net2fw -p tcp --dport 21:22 -i eth0 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 -j DROP

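Two details of the rules above are easy to miss. Because both commands use -I (insert at the top), the second one ends up above the first, so the --update check runs before the --set: that is the order you want, and the generator below writes it out explicitly with -A into its own chain. It also gives the recent list a --name, so a second rate-limit chain does not share entries with this one. This is an added example, not apeekaboo's firewall.rc; the chain name, interface and port list passed at the bottom are constructed.

```shell
#!/bin/sh
# Added example: build a reusable rate-limit chain with the 'recent' match
# for any set of ports. It prints the iptables commands; review them, then
# pipe the output to sh as root.
IPTABLES=${IPTABLES:-/sbin/iptables}

# ratelimit_chain CHAIN IFACE PORTS SECONDS HITCOUNT
#   CHAIN    - user chain to create (also used as the recent list name)
#   PORTS    - comma-separated list for -m multiport --dports, e.g. 21,22
#   SECONDS  - how long a source stays on the recent list
#   HITCOUNT - new connections within SECONDS before the source is dropped
ratelimit_chain() {
  chain=$1 iface=$2 ports=$3 secs=$4 hits=$5
  echo "$IPTABLES -N $chain"
  # 1. Check first: a source already at the hit count within the window is
  #    refreshed (--update, so the block lasts while it keeps trying) and dropped.
  echo "$IPTABLES -A $chain -m recent --name $chain --update --seconds $secs --hitcount $hits -j DROP"
  # 2. Otherwise record this attempt and hand the packet back to INPUT.
  echo "$IPTABLES -A $chain -m recent --name $chain --set"
  echo "$IPTABLES -A $chain -j RETURN"
  # 3. Send only new TCP connections to the listed ports through the chain.
  echo "$IPTABLES -A INPUT -i $iface -p tcp -m multiport --dports $ports -m state --state NEW -j $chain"
}

# Constructed call: ftp and ssh on eth0, at most 4 new connections per 180s
# per source, matching the numbers in the post.
ratelimit_chain bruteforce eth0 21,22 180 4
```

Remember what this counts: new TCP connections per source address, not failed logins, so a legitimate user who reconnects a few times in quick succession trips it too, and everyone behind a shared NAT address is blocked together. Pair it with the real log-in failures in your ftpd and sshd logs when you tune the numbers.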

Re: Question: A good iptables tutorial?
Posted by Steve (82.41.xx.xx) on Thu 25 Aug 2005 at 22:06
[ View Weblogs ]

We covered this upon the site previously, under the title using iptables to rate-limit incoming connections.

It is a useful technique and, as you say, can be applied to arbitrary ports.

Steve
-- Steve.org.uk


Re: Question: A good iptables tutorial?
Posted by Anonymous (211.26.xx.xx) on Mon 29 Aug 2005 at 03:22
try www.fwbuilder.org
nice GUI interface for building your firewall rules. very friendly user interface, use to use.


Re: Question: A good iptables tutorial?
Posted by t0dd (216.254.xx.xx) on Tue 31 Jan 2006 at 23:17
http://www.shorewall.net/

sudo apt-get update
sudo apt-get install shorewall
zless /usr/share/doc/shorewall/README.Debian.gz
