Summary: In this module we will look at a typical setup file used to configure iptables on a Linux system and the tools to verify that the system is properly secure and operational.
One of the steps in securing a system is making sure that applications are restricted from connecting to the internet and that systems on the internet are prohibited from connecting to our system. On a Linux system the iptables application can be configured to act as a firewall and enable or disable connections. In this section we will look at a typical configuration and analyze the option flags and the behaviour of the operating system under that configuration.
The configuration file for iptables can be found in /etc/sysconfig/iptables. A sample file looks like:
# Generated by iptables-save v1.2.8 on Wed Aug 10 11:11:18 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 30 -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Aug 10 11:11:18 2005
The first line is a comment line. All comment lines start with a "#" character. The first and last lines of this file are comments generated by the iptables-save command. The second line defines the table that will be used. We can define multiple tables that perform different functions. These tables are selected with the -t option on the command line. The default table is filter. Note that each table has chains associated with it and can be configured to do a variety of simple or complex things.
The three chains that we have defined are INPUT, FORWARD, and OUTPUT. These three policy lines by themselves will drop all incoming packets and all forward requests. All packets initiated by this host will be allowed. None of these three chains restricts by IP address or range, so by default all incoming packets will be dropped and all outgoing packets will be allowed.
The -A lines that follow the OUTPUT chain definition are the exceptions to the drop-all policy. Since all of them apply to the INPUT chain, this machine is configured not to act as a router and will drop all forward requests. If the machine in question has only one Ethernet connection, the default is to drop all forward requests. If the machine has multiple Ethernet connections, the iptables configuration file tells the kernel to drop requests for routing.
The -i option tells the kernel module which interface should be filtered. The default is the primary Ethernet interface as defined by the operating system. The lo interface is the loopback interface that is used for all local traffic, typically associated with 127.0.0.1. The naming convention used for the Ethernet interface names is the same as that for the ifconfig command. The most common one is the eth0 interface. The command line
-A INPUT -i lo -j ACCEPT
says that the kernel should accept anything received through the local loopback interface and allow it to be used by user applications. This overrides the chain's default DROP policy that we started with.
The -p option defines the protocol that the rule will apply to. The protocols are listed in the /etc/protocols file. Looking at this file on a Linux 2.4 system we see that there are 132 different supported protocols. Typically, we are only concerned with three: UDP, TCP, and ICMP. The line
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
for example, defines a rule for a data packet arriving with a TCP header addressed to port 22. The --dport option specifies the destination port number and the -m option loads a match extension (here tcp). The packet must contain a TCP header and be a valid TCP packet. We can make this example a little more complex by adding the notion of state:
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
This match directive says that only packets belonging to a connection the kernel already knows about are accepted. The kernel maintains the state of every connection it has seen; packets that would start a new connection do not match this rule and fall through to the chain's default policy, which here drops them. There are four states that can be used: INVALID, ESTABLISHED, NEW, and RELATED. Invalid means that the packet is associated with no known stream or connection and could have a partial or corrupted header. Established means that the packet is part of an already established connection and is also a valid packet. New means that the packet has started or will start a new connection that previously did not exist. Related means that the packet is starting a new connection that is associated with an already established connection. An example of this is the FTP protocol. When an FTP control connection is created, it counts as a new connection. When a file is transferred via FTP a second connection, the related connection, is created to transfer the data across the wire.
The last command line example that we need to study is
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
With this declaration we introduce the ICMP type to match. The type can be specified either by its numeric value or by its name. To get a complete list of ICMP types we can execute
iptables -p icmp --help
The Internet Control Message Protocol (ICMP) has many messages that are identified by a "type" field.
Type     Name                                   Reference
-------  -------------------------------------  ------------------------------
0        Echo Reply                             [RFC792]
1        Unassigned                             [JBP]
2        Unassigned                             [JBP]
3        Destination Unreachable                [RFC792]
4        Source Quench                          [RFC792]
5        Redirect                               [RFC792]
6        Alternate Host Address                 [JBP]
7        Unassigned                             [JBP]
8        Echo                                   [RFC792]
9        Router Advertisement                   [RFC1256]
10       Router Solicitation                    [RFC1256]
11       Time Exceeded                          [RFC792]
12       Parameter Problem                      [RFC792]
13       Timestamp                              [RFC792]
14       Timestamp Reply                        [RFC792]
15       Information Request                    [RFC792]
16       Information Reply                      [RFC792]
17       Address Mask Request                   [RFC950]
18       Address Mask Reply                     [RFC950]
19       Reserved (for Security)                [Solo]
20-29    Reserved (for Robustness Experiment)   [ZSu]
30       Traceroute                             [RFC1393]
31       Datagram Conversion Error              [RFC1475]
32       Mobile Host Redirect                   [David Johnson]
33       IPv6 Where-Are-You                     [Bill Simpson]
34       IPv6 I-Am-Here                         [Bill Simpson]
35       Mobile Registration Request            [Bill Simpson]
36       Mobile Registration Reply              [Bill Simpson]
37       Domain Name Request                    [RFC1788]
38       Domain Name Reply                      [RFC1788]
39       SKIP                                   [Markson]
40       Photuris                               [RFC2521]
41       ICMP messages utilized by experimental mobility protocols such as Seamoby   [RFC-ietf-seamoby-iana-02.txt]
42-255   Reserved                               [JBP]
The -p icmp option is a generic protocol selector, and -m icmp likewise only loads the generic icmp match extension. It is --icmp-type 0 -j ACCEPT that narrows the rule: it says to accept all ICMP type 0 messages, which the table above lists as Echo Reply.
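To see what the chain policies, the state match and the icmp-type match described above actually do to a packet, here is an added example (not part of the original module) that parses the sample ruleset and walks the INPUT chain top to bottom the way the kernel does: the first rule whose criteria all hold decides, and anything unmatched gets the chain's default policy. The packet dictionaries and the simplified matcher (it understands only the options that appear in this file and treats the conntrack state as a given input) are assumptions of this example.

```python
import shlex

# Constructed copy of the page's /etc/sysconfig/iptables listing (comments
# and the iptables-save header dropped; only the filter table is present).
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 30 -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
# Options whose next token is a criterion; "-m <module>" only loads a match
# extension and carries no criterion of its own, so it is skipped.
MATCH_OPTS = ("-i", "-p", "-j", "--dport", "--icmp-type", "--state")

def parse_ruleset(text):
    # ":CHAIN POLICY [pkts:bytes]" declares a chain and its default policy;
    # "-A CHAIN ..." appends a rule to that chain, in file order.
    policies, rules = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain], rules[chain] = policy, []
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rule = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1)
                    if tok[i] in MATCH_OPTS}
            rules[tok[1]].append(rule)
    return policies, rules

POLICIES, RULES = parse_ruleset(RULESET)

def verdict(chain, pkt, policies=POLICIES, rules=RULES):
    # First rule whose criteria all hold wins (-j target); a packet that no
    # rule matches gets the chain's default policy (DROP for INPUT/FORWARD).
    for r in rules[chain]:
        if "-i" in r and r["-i"] != pkt.get("iface"): continue
        if "-p" in r and r["-p"] != pkt["proto"]: continue
        if "--dport" in r and int(r["--dport"]) != pkt.get("dport"): continue
        if "--icmp-type" in r and int(r["--icmp-type"]) != pkt.get("icmp_type"): continue
        if "--state" in r and pkt["state"] not in r["--state"].split(","): continue
        return r["-j"]
    return policies[chain]
```

Running the sample ruleset through this shows one thing the prose does not: RELATED is accepted only for icmp, so a RELATED tcp packet (the FTP data connection the text describes) falls through to DROP on this host.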