212.1. Configuring a router

212.1 Configuring a router
Weight: 3
Description: Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
Key Knowledge Areas:
iptables and ip6tables configuration files, tools and utilities
Tools, commands and utilities to manage routing tables.
Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)
Port redirection and IP forwarding
List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address
Save and reload filtering configurations
Terms and Utilities:
/proc/sys/net/ipv4/
/proc/sys/net/ipv6/
/etc/services
iptables
ip6tables
Like any other moder operating system, liunx has firewall. First lets see how linux firewalling is organized:
There is a firewalling functionality which is implemented in linux kernel with netfilter. netfilter is a kernel module and any network traffic which kernel forward to any interface(s), is pass through netfilter. This way netfilter can make decision wether incomming or out going traffic is allowed or not. The major interface to the netfilter module is iptables. iptables has been around for a long time and it let us to do any advanced configuration on linux firewalls.
While being able to do any advanced firewall configuration is count as iptables advantage, the biggest disadvantage of iptables is its complexity. This disadvantage has been caused other solutions have been invented like ufw , firewalld . They both work with iptables behind the sence and make firewall configuration easier for us. For lpic2 exam we just talk about iptables.
iptables
iptables works with tables! There are at present three tables:
Filter :  The filter table is used for packet filtering.
NAT :  The nat table is used for address translation.
Mangle : The mangle table can be used for special-purpose processing of packets.
Within tables there are chains.chains are used to define what kind of packet follow shoud be filtered exactly.
PREROUTING: configured to block, redirect or allow th packet to the next chain.Commonly, used to redirect the packet to another address or/and port. (DNAT-Destination NAT).  If destination is local ( this machine) sent to INPUT chain. If bound for another network, sent to the FORWARD chain.
INPUT: Configured to be blocked, logged or sent to the local system to be handled by the appropriate client, application or service.
OUTPUT:  packet is sent from the firewall out to the network to its final destination.(Rules usually are not applied at this chain)
FORWARD : Configured to block, logged or sent to the POSTROUTING chain.
POSTROUTING:  make changes to the packet as it exits the firewall, commonly used to do masquerading. 
How tables and chain are related so ? All three tree tables (FILTER, NAT, MANGLE) can be present in chains(filter points) but not every chain has all three table represented:
PREROUTING ( NAT , MANGLE)
INPUT (FILTER , MANGLE )
FORWARD (FILTER , MANGLE )
OUTPUT (FILTER  ,  NAT , MANGLE)
POSTROUTING (NAT , MANGLE)
How rules are broken down within the firewall system? chains are filtering points that we can create rules, and rules are apllied to the packet passing trough. The rules define what exactly should happen to a packet.
When packets are filterd trough the iptables firewall it will go tough the rules one by one, and the idea is "exit on match". So if a packet matches specific rule , the rule will be applied and nothing else will be applied in that chain any more. So ordering in iptables is very important.
In every rule there us target, The typical target is ACCEPT:
ACCEPT : the package is allowed
DROP : The package is not allowed, the package will be sileintly dropped and the sender of package doesn't know anything.
REJECT :  Do not allow package, the sender of package will get an ICMP warnnig message.
LOG : just LOGs
MASQUARATE : used for NAT.
the target indicated with -j option. we will talk about that.
In every chain there is a policy. The policy define the default behaviour. The default policy is ACCEPT but its isa good practice to have a policy that will drop every thing that doesn't match specific packet in a chain. to set chain default policy
1
iptables -P drop INPUT
Copied!
please do notice that is upper case "P".
iptables commands
iptables commands can be pretty long, and sometimes hard to understand so lets defualt components in iptables commands to make it easier:
1
iptables -A chain [-i/-o interface] [-s/-d address] -p udp --sport/--dport 80  -j TARGET
Copied!
-A appends to the end gollowed by the name of the chain, [-i/-o interface] incomming or outgoing interface,[ -s/-d ] source address or destination address,-p defines the protocol like tcp or udp, [--sport/--dport]for setting source or destination port number, -j TARGET which define what will happend to the packet that match this rule.
iptables command options outside of adding rules to chain:
Option
Description
-L <chain-name> -t <table-name>
Lists all of the rules in the  specified chain and table. If not chain or table specified, shows all.
-D
Deletes a rule in a particular chain by number
-F (or --flush)
flushes all (or indicated chain) of rules
-P
change the default policy for the chain(can be set to DROP or ACCEPT)
-v
typically used with -F(or --flush) to provide additional output
-n
Display IP address and port in numeric format
For demonstration we use CentOS7, in RedHat the defualt solution is firewalld. We have to first stop and disable firewalld because firewalld interface and iptables can not work together:
1
[[email protected] ~]# systemctl stop firewalld
2
[[email protected] ~]# systemctl disable firewalld
3
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
4
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
5
[[email protected] ~]# systemctl mask firewalld
6
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
Copied!
Now lets install iptables and iptables-service packages which is required for systemd:
1
[[email protected] ~]# yum install iptables
2
Loaded plugins: fastestmirror, langpacks
3
Loading mirror speeds from cached hostfile
4
 * base: mirror.metrocast.net
5
 * epel: fedora-epel.mirrors.tds.net
6
 * extras: mirror.mojohost.com
7
 * updates: mirror.teklinks.com
8
Package iptables-1.4.21-24.1.el7_5.x86_64 already installed and latest version
9
Nothing to do
10
​
11
[[email protected] ~]# yum install iptables-services
12
​
13
[[email protected] ~]# systemctl start iptables
14
[[email protected] ~]# systemctl enable iptables
15
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
Copied!
okey every thing is ready for starting, lets list everything wich is currently used:
1
[[email protected] ~]# iptables -L
2
Chain INPUT (policy ACCEPT)
3
target     prot opt source               destination         
4
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
5
ACCEPT     icmp --  anywhere             anywhere            
6
ACCEPT     all  --  anywhere             anywhere            
7
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
8
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
9
​
10
Chain FORWARD (policy ACCEPT)
11
target     prot opt source               destination         
12
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
13
​
14
Chain OUTPUT (policy ACCEPT)
15
target     prot opt source               destination
Copied!
we flush iptables rule : set the default chains policy to DROP for more security and see the results:
1
[[email protected] ~]# iptables -F -v
2
Flushing chain `INPUT'
3
Flushing chain `FORWARD'
4
Flushing chain `OUTPUT'
5
[[email protected] ~]# iptables -L
6
Chain INPUT (policy ACCEPT)
7
target     prot opt source               destination         
8
​
9
Chain FORWARD (policy ACCEPT)
10
target     prot opt source               destination         
11
​
12
Chain OUTPUT (policy ACCEPT)
13
target     prot opt source               destination
Copied!
set the default chains policy to DROP for more security and see the results:
1
[[email protected] ~]# iptables -P INPUT DROP
2
[[email protected] ~]# iptables -P FORWARD DROP
3
[[email protected] ~]# iptables -P OUTPUT DROP
4
[[email protected] ~]# iptables -L
5
Chain INPUT (policy DROP)
6
target     prot opt source               destination         
7
​
8
Chain FORWARD (policy DROP)
9
target     prot opt source               destination         
10
​
11
Chain OUTPUT (policy DROP)
12
target     prot opt source               destination
Copied!
There is one note that we should never forget, linux uses loopback adapter for internel communication. But we have drope that:
1
[[email protected] ~]# ping localhost 
2
PING localhost (127.0.0.1) 56(84) bytes of data.
3
ping: sendmsg: Operation not permitted
4
ping: sendmsg: Operation not permitted
5
ping: sendmsg: Operation not permitted
6
ping: sendmsg: Operation not permitted
7
^C
8
--- localhost ping statistics ---
9
4 packets transmitted, 0 received, 100% packet loss, time 3014ms
Copied!
So do not forget to ACCEPT loopback adapter packetes if you want to set chain default policy to drop:
1
[[email protected] ~]# iptables -A INPUT -i lo -j ACCEPT
2
[[email protected] ~]# iptables -A OUTPUT -o lo -j ACCEPT
Copied!
and check:
1
[[email protected] ~]# ping localhost -c3
2
PING localhost (127.0.0.1) 56(84) bytes of data.
3
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.030 ms
4
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.117 ms
5
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.148 ms
6
​
7
--- localhost ping statistics ---
8
3 packets transmitted, 3 received, 0% packet loss, time 2006ms
9
rtt min/avg/max/mdev = 0.030/0.098/0.148/0.050 ms
Copied!
Now lets ACCEPT ssh coonection to be stablished with our host:
1
[[email protected] ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Copied!
it seems okey hah? but it doesn't work, check it from another computer(centos7-2):
1
[[email protected] ~]# ssh centos7-1
2
​
3
^C
Copied!
The point is that do not forget to set reverse rules inorder to let incomming traffic to our server(centos7-1), can come back:
1
[[email protected] ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
2
[[email protected] ~]# iptables -L
3
Chain INPUT (policy DROP)
4
target     prot opt source               destination         
5
ACCEPT     all  --  anywhere             anywhere            
6
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
7
​
8
Chain FORWARD (policy DROP)
9
target     prot opt source               destination         
10
​
11
Chain OUTPUT (policy DROP)
12
target     prot opt source               destination         
13
ACCEPT     all  --  anywhere             anywhere            
14
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh
Copied!
and check:
1
[[email protected] ~]# ssh centos7-1
2
The authenticity of host 'centos7-1 (192.168.10.133)' can't be established.
3
ECDSA key fingerprint is SHA256:QtfM2iXh5pxZeFdAUXEBEnRXNSP40MWIhnSYvpOBMoY.
4
ECDSA key fingerprint is MD5:27:db:c1:d0:da:35:80:92:81:fa:8f:1c:e5:d7:f3:2e.
5
Are you sure you want to continue connecting (yes/no)? yes
6
Warning: Permanently added 'centos7-1,192.168.10.133' (ECDSA) to the list of known hosts.
7
[email protected]'s password: 
8
Last login: Sun Jul 15 02:41:53 2018
9
Managed by ansible
Copied!
Saving iptables rules
iptables rules are not persisyent and they are vanished after reboot. rules are stored in /etc/sysconfig/iptables . for saving rules we use iptables-save command,
1
[[email protected] ~]# iptables-save > /etc/sysconfig/iptables.$(date +%d-%m-%y)
2
[[email protected] ~]# ls /etc/sysconfig | grep iptables
3
iptables
4
iptables.18-07-18
5
iptables-config
6
[[email protected] ~]# cat /etc/sysconfig/iptables.18-07-18 
7
# Generated by iptables-save v1.4.21 on Wed Jul 18 00:12:18 2018
8
*filter
9
:INPUT DROP [136:9925]
10
:FORWARD DROP [0:0]
11
:OUTPUT DROP [209:34216]
12
-A INPUT -i lo -j ACCEPT
13
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
14
-A OUTPUT -o lo -j ACCEPT
15
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
16
COMMIT
17
# Completed on Wed Jul 18 00:12:18 2018
Copied!
now we clear the previous rules:
1
[[email protected] ~]# iptables -F
2
[[email protected] ~]# iptables -L
3
Chain INPUT (policy DROP)
4
target     prot opt source               destination         
5
​
6
Chain FORWARD (policy DROP)
7
target     prot opt source               destination         
8
​
9
Chain OUTPUT (policy DROP)
10
target     prot opt source               destination
Copied!
use iptables-restoreto restore the backup:
1
[[email protected] ~]# iptables-restore < /etc/sysconfig/iptables.18-07-18 
2
[[email protected] ~]# iptables -L
3
Chain INPUT (policy DROP)
4
target     prot opt source               destination         
5
ACCEPT     all  --  anywhere             anywhere            
6
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
7
​
8
Chain FORWARD (policy DROP)
9
target     prot opt source               destination         
10
​
11
Chain OUTPUT (policy DROP)
12
target     prot opt source               destination         
13
ACCEPT     all  --  anywhere             anywhere            
14
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh
Copied!
How to delete a rule ? There are two ways for deleting a rule, using -D option with full lenght of rule that we have specified:
1
[[email protected] ~]# iptables -D OUTPUT -p tcp --sport 22 -j ACCEPT
2
[[email protected] ~]# iptables -L
3
Chain INPUT (policy DROP)
4
target     prot opt source               destination         
5
ACCEPT     all  --  anywhere             anywhere            
6
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
7
​
8
Chain FORWARD (policy DROP)
9
target     prot opt source               destination         
10
​
11
Chain OUTPUT (policy DROP)
12
target     prot opt source               destination         
13
ACCEPT     all  --  anywhere             anywhere
Copied!
or use iptables -L --line-numbers and delete a rule by using its number in the table:
1
[[email protected] ~]# iptables -L --line-numbers
2
Chain INPUT (policy DROP)
3
num  target     prot opt source               destination         
4
1    ACCEPT     all  --  anywhere             anywhere            
5
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
6
​
7
Chain FORWARD (policy DROP)
8
num  target     prot opt source               destination         
9
​
10
Chain OUTPUT (policy DROP)
11
num  target     prot opt source               destination         
12
1    ACCEPT     all  --  anywhere             anywhere      
13
[[email protected] ~]# iptables -D INPUT 2
14
[[email protected] ~]# iptables -L
15
Chain INPUT (policy DROP)
16
target     prot opt source               destination         
17
ACCEPT     all  --  anywhere             anywhere            
18
​
19
Chain FORWARD (policy DROP)
20
target     prot opt source               destination         
21
​
22
Chain OUTPUT (policy DROP)
23
target     prot opt source               destination         
24
ACCEPT     all  --  anywhere             anywhere
Copied!
Now more iptables examples:
Block TCP traffic from Specific IP Address:
1
iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j DROP
Copied!
Allow All tcp xxx incomming port:
1
iptables -A INPUT -p tcp --dport xxx -j ACCEPT
Copied!
some time we need to load special iptables module to do something special. Allow Multiple Ports :
1
iptables -A INPUT  -p tcp -m multiport --dports 22,80,443 -j ACCEPT
Copied!
Allow Specific Network Range on Particular Port:
1
iptables -A OUTPUT -p tcp -d 192.168.100.0/24 --dport 22 -j ACCEPT
Copied!
Sometimes IP addresses may requests too many connections towards web ports on our website. This can cause number of issues and to prevent such problems, we can Block Network Flood on Apache Port using this rule:
1
iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
Copied!
Some time we want to just monitor network traffic or we want to trouble shoot our iptables firewall, best thing is logging:
1
iptables -A INPUT -i eth0 -j LOG --log-prefix "IPtables DROPPED:"
Copied!
and then see the logs with grep "IPtables DROPPED:" /var/log/messages
If our firewall has alot of rules, iptables log is used with iptables-save and iptables-restore . The trick is saving current rules, Allowing traffic, log it and then restoring rules and adding new required setting.
Port Redirection
Sometimes we may want to forward one service’s traffic to another port . Lets do this by an example:
​
Here we use two CentOS system, one as a web server which runs on port 80 and the other one as a web client. Every thing is working on port 80 smothly :
1
[[email protected] ~]# elinks http://192.168.10.133
Copied!
but we want to do something whith iptables which redirect requests from port 8080 to port 80 this way clients from CentOS2 should be able to visit out site on port 8080:
1
[[email protected] ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
2
[[email protected] ~]# iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 8080 -j REDIRECT --to-port 80
Copied!
and check the result from CentOS7-2:
1
[[email protected] ~]# elinks http://192.168.10.133:8080
Copied!
ip6tables
The introduction of the next-generation Internet Protocol, called IPv6, expands beyond the 32-bit address limit of IPv4 (or IP). IPv6 supports 128-bit addresses and, as such, carrier networks that are IPv6 aware are able to address a larger number of routable addresses than IPv4.
Linux supports IPv6 firewall rules using the Netfilter 6 subsystem and theip6tablescommand. For example, SSH connections on a IPv6-aware network server can be enabled with the following rule:
1
ip6tables -A INPUT -i eth0 -p tcp -s 3ffe:ffff:100::1/128 --dport 22 -j ACCEPT
Copied!
NAT IP Forwarding
Private (None-Routable) Networks have been set aside for use inside corporate networks.They are not able to communicate directly with internet hosts and require a firewall or similar device to translate Network Address. NAT (Network Address Translation) is used to originate IP to a public IP that can forward the traffic on their behalf.
Ranges are:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
How linux does that ? Linux uses Connection tracking, Connection tracking is a mechanism done by Linux machine's to keep track of TCP connections that are going out and coming inside. This connection tracking mechanism enables Linux machine's to accurately send packet's which are NATed to the exact internal machines, who initiated the connection.
connection tracking tables consists of the following things.
Ip addresses
Protocols
Port number's
Status of the connection
With the help of that table, stateful firewall can filter out traffic based on the status of the connection, Do NAT and many other stuff.
There are two different types of NAT:
Source NAT(SNAT)
Destination NAT (DNAT)
Masqueradeand SNAT in Linux
This is the most commonly used NAT. SNAT stands for Source Network Address Translation. It rewrites only the source address of the packets while nating. In the previously shown example of NAT many private ip addresses of the range 192.168.0.0/24 gets translated to the public source address of the Linux NAT router(4.4.7.23).
In this case the internal network hosts, with private ip addresses can reach the internet with the help of SNAT. But hosts from the internet cannot reach those internal hosts directly (It will only reach the internal hosts, if the source was NATed to the Linux router's public IP address.)
In other words, connection initiated by the internal hosts to the internet will only be fulfilled(not the reverse).
Static SNAT vs DynamicSNAT
Even SNAT can be classified into different types based on the translation it does. For example if many internal private IP addresses gets translated to one public ip address assigned to the Linux router, then its called as aStatic SNAT.If many internal private IP addresses gets translated to many different public IP addresses assigned to the Linux router, then its called as aDynamic SNAT. Please note that If we are using masquerading instead of SNAT, then we will be unable to specify the outgoing ip address. It will use the default IP address assigned to the outgoing interface.
What is DNAT?
In the above shown example of SNAT, the connection was initiated by the host inside the internal network. What if a host on the internet needs to initiate the connection. In that case we need to design our Linux router in such a way that traffic from internet to a particular public IP address on the router will be forwarded to one particular private IP address.
Such kind of a configuration is called as DNAT, or destination NAT. It is called a destination NAT because the first address rewriting done by the router is for destination address.
Lets make our hands dirty and do some configurations. Here we have two Ubuntu machine, and we want to give internet access to Ubuntu2 using Ubuntu1.
First we have to configure kernel to let forward traffic trough this machine:
1
[email protected]:~# cat /proc/sys/net/ipv4/ip_forward
2
0
3
[email protected]:~# echo "1" > /proc/sys/net/ipv4/ip_forward
4
[email protected]:~# cat /proc/sys/net/ipv4/ip_forward
5
1
Copied!
now lets MASQUERADE:
1
[email protected]:~# iptables --table nat --append POSTROUTING --out-interface ens33 -j MASQUERADE
2
[email protected]:~# iptables --append FORWARD --in-interface ens38 -j ACCEPT
Copied!
and do not forget if we don't specify any tables by default it appends to "filter" table. Okey lets now checks Ubntu2:
1
[email protected]:~# ip a s
2
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
3
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4
    inet 127.0.0.1/8 scope host lo
5
       valid_lft forever preferred_lft forever
6
    inet6 ::1/128 scope host 
7
       valid_lft forever preferred_lft forever
8
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
9
    link/ether 00:0c:29:40:b1:ca brd ff:ff:ff:ff:ff:ff
10
    inet 192.168.5.129/24 brd 192.168.5.255 scope global ens33
11
       valid_lft forever preferred_lft forever
12
    inet6 fe80::47a6:91f0:8edb:9a49/64 scope link 
13
       valid_lft forever preferred_lft forever
14
[email protected]:~# ping 8.8.8.8
15
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
16
64 bytes from 8.8.8.8: icmp_seq=1 ttl=127 time=161 ms
17
64 bytes from 8.8.8.8: icmp_seq=2 ttl=127 time=179 ms
18
^C
19
--- 8.8.8.8 ping statistics ---
20
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
21
rtt min/avg/max/mdev = 161.904/170.784/179.664/8.880 ms
Copied!
That is all.