212.1. Configuring a router
212.1 Configuring a router
Weight: 3
Description: Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
Key Knowledge Areas:
iptables and ip6tables configuration files, tools and utilities
Tools, commands and utilities to manage routing tables.
Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)
Port redirection and IP forwarding
List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address
Save and reload filtering configurations
Terms and Utilities:
/proc/sys/net/ipv4/
/proc/sys/net/ipv6/
/etc/services
iptables
ip6tables
Like any other moder operating system, liunx has firewall. First lets see how linux firewalling is organized:
There is a firewalling functionality which is implemented in linux kernel with netfilter. netfilter is a kernel module and any network traffic which kernel forward to any interface(s), is pass through netfilter. This way netfilter can make decision wether incoming or out going traffic is allowed or not. The major interface to the netfilter module is iptables. iptables has been around for a long time and it let us to do any advanced configuration on linux firewalls.
While being able to do any advanced firewall configuration is count as iptables advantage, the biggest disadvantage of iptables is its complexity. This disadvantage has been caused other solutions have been invented like ufw , firewalld . They both work with iptables behind the scenes and make firewall configuration easier for us. For lpic2 exam we just talk about iptables.
iptables
iptables works with tables! There are at present three tables:
Filter : The filter table is used for packet filtering.
NAT : The nat table is used for address translation.
Mangle : The mangle table can be used for special-purpose processing of packets.
Within tables there are chains.chains are used to define what kind of packet follow shoud be filtered exactly.
PREROUTING: configured to block, redirect or allow th packet to the next chain.Commonly, used to redirect the packet to another address or/and port. (DNAT-Destination NAT). If destination is local ( this machine) sent to INPUT chain. If bound for another network, sent to the FORWARD chain.
INPUT: Configured to be blocked, logged or sent to the local system to be handled by the appropriate client, application or service.
OUTPUT: packet is sent from the firewall out to the network to its final destination.(Rules usually are not applied at this chain)
FORWARD : Configured to block, logged or sent to the POSTROUTING chain.
POSTROUTING: make changes to the packet as it exits the firewall, commonly used to do masquerading.
How tables and chain are related so ? All three tree tables (FILTER, NAT, MANGLE) can be present in chains(filter points) but not every chain has all three table represented:
PREROUTING ( NAT , MANGLE)
INPUT (FILTER , MANGLE )
FORWARD (FILTER , MANGLE )
OUTPUT (NAT , FILETR ,MANGLE)
POSTROUTING (NAT ,MANGLE)
How rules are broken down within the firewall system? chains are filtering points that we can create rules, and rules are applied to the packet passing trough. The rules define what exactly should happen to a packet.
When packets are filtered trough the iptables firewall it will go tough the rules one by one, and the idea is "exit on match". So if a packet matches specific rule , the rule will be applied and nothing else will be applied in that chain any more. So ordering in iptables is very important.
In every rule there us target, The typical target is ACCEPT:
ACCEPT : the package is allowed
DROP : The package is not allowed, the package will be sileintly dropped and the sender of package doesn't know anything.
REJECT : Do not allow package, the sender of package will get an ICMP warnnig message.
LOG : just LOGs
MASQUARATE : used for NAT.
the target indicated with -j option. we will talk about that.
In every chain there is a policy. The policy define the default behaviour. The default policy is ACCEPT but its isa good practice to have a policy that will drop every thing that doesn't match specific packet in a chain. to set chain default policy
please do notice that is upper case "P".
iptables commands
iptables commands can be pretty long, and sometimes hard to understand so lets defualt components in iptables commands to make it easier:
-A
appends to the end glowed by the name of the chain, [-i/-o interface]
incoming or outgoing interface,[ -s/-d ]
source address or destination address,-p
defines the protocol like tcp or udp, [--sport/--dport]
for setting source or destination port number, -j TARGET
which define what will happend to the packet that match this rule.
iptables command options outside of adding rules to chain:
Option
Description
-L <chain-name> -t <table-name>
Lists all of the rules in the specified chain and table. If not chain or table specified, shows all.
-D
Deletes a rule in a particular chain by number
-F (or --flush)
flushes all (or indicated chain) of rules
-P
change the default policy for the chain(can be set to DROP or ACCEPT)
-v
typically used with -F(or --flush) to provide additional output
-n
Display IP address and port in numeric format
For demonstration we use CentOS7, in RedHat the defualt solution is firewalld. We have to first stop and disable firewalld because firewalld interface and iptables can not work together:
Now lets install iptables and iptables-service packages which is required for systemd:
okey every thing is ready for starting, lets list everything wich is currently used:
we flush iptables rule : set the default chains policy to DROP for more security and see the results:
set the default chains policy to DROP for more security and see the results:
There is one note that we should never forget, linux uses loopback adapter for internel communication. But we have drope that:
So do not forget to ACCEPT loopback adapter packetes if you want to set chain default policy to drop:
and check:
Now lets ACCEPT ssh coonection to be stablished with our host:
it seems okey hah? but it doesn't work, check it from another computer(centos7-2):
The point is that do not forget to set reverse rules inorder to let incoming traffic to our server(centos7-1), can come back:
and check:
Saving iptables rules
iptables rules are not persistent and they are vanished after reboot. rules are stored in /etc/sysconfig/iptables . for saving rules we use iptables-save command,
now we clear the previous rules:
use iptables-restoreto restore the backup:
How to delete a rule ? There are two ways for deleting a rule, using -D option with full lenght of rule that we have specified:
or use iptables -L --line-numbers and delete a rule by using its number in the table:
Now more iptables examples:
Block TCP traffic from Specific IP Address:
Allow All tcp xxx incoming port:
some time we need to load special iptables module to do something special. Allow Multiple Ports :
Allow Specific Network Range on Particular Port:
Sometimes IP addresses may requests too many connections towards web ports on our website. This can cause number of issues and to prevent such problems, we can Block Network Flood on Apache Port using this rule:
Some time we want to just monitor network traffic or we want to trouble shoot our iptables firewall, best thing is logging:
and then see the logs with grep "IPtables DROPPED:" /var/log/messages
If our firewall has alot of rules, iptables log is used with iptables-save and iptables-restore . The trick is saving current rules, Allowing traffic, log it and then restoring rules and adding new required setting.
Port Redirection
Here we use two CentOS system, one as a web server which runs on port 80 and the other one as a web client. Every thing is working on port 80 smothly :
but we want to do something whith iptables which redirect requests from port 8080 to port 80 this way clients from CentOS2 should be able to visit out site on port 8080:
and check the result from CentOS7-2:
ip6tables
The introduction of the next-generation Internet Protocol, called IPv6, expands beyond the 32-bit address limit of IPv4 (or IP). IPv6 supports 128-bit addresses and, as such, carrier networks that are IPv6 aware are able to address a larger number of routable addresses than IPv4.
Linux supports IPv6 firewall rules using the Netfilter 6 subsystem and theip6tables
command. For example, SSH connections on a IPv6-aware network server can be enabled with the following rule:
NAT IP Forwarding
Private (None-Routable) Networks have been set aside for use inside corporate networks.They are not able to communicate directly with internet hosts and require a firewall or similar device to translate Network Address. NAT (Network Address Translation) is used to originate IP to a public IP that can forward the traffic on their behalf.
Ranges are:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
How linux does that ? Linux uses Connection tracking, Connection tracking is a mechanism done by Linux machine's to keep track of TCP connections that are going out and coming inside. This connection tracking mechanism enables Linux machine's to accurately send packet's which are NATed to the exact internal machines, who initiated the connection.
connection tracking tables consists of the following things.
Ip addresses
Protocols
Port number's
Status of the connection
With the help of that table, stateful firewall can filter out traffic based on the status of the connection, Do NAT and many other stuff.
There are two different types of NAT:
Source NAT(SNAT)
Destination NAT (DNAT)
Masqueradeand SNAT in Linux
This is the most commonly used NAT. SNAT stands for Source Network Address Translation. It rewrites only the source address of the packets while nating. In the previously shown example of NAT many private ip addresses of the range 192.168.0.0/24 gets translated to the public source address of the Linux NAT router(4.4.7.23).
In this case the internal network hosts, with private ip addresses can reach the internet with the help of SNAT. But hosts from the internet cannot reach those internal hosts directly (It will only reach the internal hosts, if the source was NATed to the Linux router's public IP address.)
In other words, connection initiated by the internal hosts to the internet will only be fulfilled(not the reverse).
Static SNAT vs DynamicSNAT
Even SNAT can be classified into different types based on the translation it does. For example if many internal private IP addresses gets translated to one public ip address assigned to the Linux router, then its called as aStatic SNAT.If many internal private IP addresses gets translated to many different public IP addresses assigned to the Linux router, then its called as aDynamic SNAT. Please note that If we are using masquerading instead of SNAT, then we will be unable to specify the outgoing ip address. It will use the default IP address assigned to the outgoing interface.
What is DNAT?
In the above shown example of SNAT, the connection was initiated by the host inside the internal network. What if a host on the internet needs to initiate the connection. In that case we need to design our Linux router in such a way that traffic from internet to a particular public IP address on the router will be forwarded to one particular private IP address.
Such kind of a configuration is called as DNAT, or destination NAT. It is called a destination NAT because the first address rewriting done by the router is for destination address.
Lets make our hands dirty and do some configurations. Here we have two Ubuntu machine, and we want to give internet access to Ubuntu2 using Ubuntu1.
First we have to configure kernel to let forward traffic trough this machine:
now lets MASQUERADE:
and do not forget if we don't specify any tables by default it appends to "filter" table. Okey lets now checks Ubntu2:
That is all.
Last updated