Securing your network with Iptables - Proxy - NAT - IDS: PART 1

This post tries to clarify a little how networks work and how to turn our Linux box into a router that makes our network, whether at home or in a business, somewhat more secure. So let's get down to business:

This content is based on the book "Linux - System Administration and Network Services Operation" - Sébastien BOBILLIER

Routing and filtering

To talk about and understand routing, we can first define what the function of a router is. A router, besides creating a network and letting equipment connect to it (something an AP, a switch, a hub or other devices can also do), has the ability to connect two different networks to each other.

[image: router connecting a local network to the Internet]

As we can see in the image, there is a local network, 10.0.1.0, created by the router and attached to one of its two interfaces. On its other interface the router has another network, with the public IP through which it connects to the Internet. The routing function is basically to act as an intermediary between these two networks so that they can communicate.

Linux as a router.

The Linux kernel is naturally able to forward packets, but forwarding is disabled by default, so if we want our Linux box to do this job we must look at the file:

/proc/sys/net/ipv4/ip_forward

There we will find a file that contains only a zero, "0"; to enable forwarding we change it to a one, "1". This change is lost when the computer reboots. The equivalent command, which sets the same kernel parameter at runtime, is:

sysctl net.ipv4.ip_forward=1

This also does not survive a reboot. To leave forwarding enabled permanently we must put the line net.ipv4.ip_forward = 1 in /etc/sysctl.conf, from where it is applied at boot. Depending on the distribution this configuration can also live in a file under /etc/sysctl.d/.

By default our Linux box already has a routing table, which generally contains our LAN network and the default route to the router. To see it we can use either of two commands:

route -n

or

netstat -nr

Both commands return the same table. On current distributions these net-tools commands may not be installed at all; the iproute2 equivalent is ip route, which shows the same information.


In general this configuration is enough for our Linux box to serve as a gateway, so that other computers can reach the Internet through it. If instead we want our Linux box to connect two or more networks, local or not, we can use static routes.

Suppose a Linux router has two network interfaces: the first, with the Internet connection, is on the 172.26.0.0 network, and the second is on the 10.0.0.0 network, where some computers of another local network live. On a machine in the 172.26.0.0 network that needs to reach that other network through the Linux router (say the router's address there is 172.26.0.8), we add the route with:

route add -net 10.0.0.0 netmask 255.0.0.0 gw 172.26.0.8

In general the form is:

route add -net DESTINATION_NETWORK netmask MASK gw IP_OF_THE_LINUX_ROUTER

The gateway must be an address on a network the machine is directly connected to; the kernel checks that, but it does not check whether the destination network actually exists, so the route is added to the table regardless. Note that a network attached directly to one of the router's own interfaces does not need a static route: the kernel adds that connected route when the interface is configured.


If we want to remove that route we can use:

route del -net 10.0.0.0 netmask 255.0.0.0
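The following script is an added example, not part of the original post, that puts the two steps of this section together with the iproute2 tools found on current distributions: it enables forwarding now and persistently, and adds a static route given in the net-tools style of the post (network, netmask, gateway), converting the dotted netmask to a prefix length on the way. The addresses are the ones from the post's example; the drop-in file /etc/sysctl.d/99-forwarding.conf is an assumed name. Run it with "apply" as root, or with "dry-run" to only print what would be executed.

```shell
#!/bin/sh
# Added example (not from the original post): enable forwarding and add a static
# route with iproute2, taking the route in the "route add -net ... netmask ... gw ..."
# form. Addresses follow the post's example; the sysctl.d file name is assumed.

DRY_RUN=${DRY_RUN:-0}

# run CMD...: execute the command, or print it when DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# netmask_to_prefix DOTTED_MASK: print the CIDR prefix length (255.0.0.0 -> 8).
# Rejects masks that are not a contiguous run of ones followed by zeros (255.0.255.0).
netmask_to_prefix() {
    mask=$1
    prefix=0
    ended=0
    oldIFS=$IFS
    IFS=.
    set -- $mask
    IFS=$oldIFS
    [ $# -eq 4 ] || { echo "bad netmask: $mask" >&2; return 1; }
    for octet in "$@"; do
        case $octet in
            255) bits=8 ;; 254) bits=7 ;; 252) bits=6 ;; 248) bits=5 ;;
            240) bits=4 ;; 224) bits=3 ;; 192) bits=2 ;; 128) bits=1 ;;
            0)   bits=0 ;;
            *)   echo "invalid netmask octet: $octet" >&2; return 1 ;;
        esac
        # once an octet is below 255, every following octet must be 0
        if [ "$ended" = 1 ] && [ "$bits" != 0 ]; then
            echo "non-contiguous netmask: $mask" >&2
            return 1
        fi
        [ "$bits" = 8 ] || ended=1
        prefix=$((prefix + bits))
    done
    echo "$prefix"
}

# add_static_route NETWORK NETMASK GATEWAY: net-tools style arguments, iproute2 command.
# The gateway must be on a directly connected network or the kernel refuses the route.
add_static_route() {
    prefix=$(netmask_to_prefix "$2") || return 1
    run ip route add "$1/$prefix" via "$3"
}

# enable_forwarding: turn forwarding on now and persist it across reboots (needs root).
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-forwarding.conf"
    else
        echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-forwarding.conf
    fi
}

# Usage: sh router.sh apply    (as root)
#        sh router.sh dry-run  (print the commands only)
case "${1:-}" in
    apply)
        enable_forwarding
        add_static_route 10.0.0.0 255.0.0.0 172.26.0.8
        ;;
    dry-run)
        DRY_RUN=1
        enable_forwarding
        add_static_route 10.0.0.0 255.0.0.0 172.26.0.8
        run ip route show
        ;;
esac
```

The dry-run mode exists because route and sysctl changes take effect immediately and a typo in a gateway address is an easy way to lose access to a remote box; reviewing the printed commands first is cheap insurance.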

iptables.

Basically iptables is used for filtering packets, outgoing, incoming or others, which makes it a great tool for managing our network traffic. Just as it lets us filter the traffic of the machine itself, it also lets us filter the traffic that passes through it (forwarding). iptables is organised into tables, chains and targets (actions).

  • Tables: for our purposes there are two tables: filter, to filter packets, and nat, to translate addresses, that is, to move from one network to another. (Others exist, such as mangle, but we will not need them here.)
  • Chains: the chain refers to the kind of traffic we want to filter or NAT, that is, to which traffic we apply the rules. In the filter table they are INPUT: incoming traffic addressed to this machine; OUTPUT: traffic generated by this machine; and FORWARD: traffic that passes through the machine but is not addressed to it.
  • There are also PREROUTING and POSTROUTING chains (in the nat table), used to treat a packet before and after it has been routed.
  • Targets (actions): the action to take on a packet that matches the rule. It can be DROP, which silently discards the packet, or ACCEPT, which lets it through. (REJECT also exists: it discards the packet but sends an error back to the sender.)

iptables rules are kept and evaluated in the order in which they were added. The first rule that matches a packet and has a terminating target (ACCEPT, DROP, REJECT) decides its fate; later rules are not consulted. If no rule matches, the chain's default policy applies. So a rule that contradicts an earlier one for the same traffic never takes effect unless it is inserted before it.

Firewall Policies.

In general, firewalls work in one of two ways:

  1. Allow all traffic except ..., or
  2. Do not allow any traffic except ...

To set a chain's default policy we use iptables -P CHAIN ACTION

where the chain is the type of traffic (INPUT, OUTPUT or FORWARD, the built-in chains of the filter table) and the action is DROP or ACCEPT. The policy is what happens to a packet that matches no rule in the chain.

Let's look at an example.

Here we see that at first I was able to ping; then I told iptables that all OUTPUT traffic was DROP, that is, not allowed, and the ping stopped working. Then I told iptables to ACCEPT it again.

If we are going to build a firewall from scratch we should always follow the second approach (do not allow any traffic except ...). For that we apply the policies:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Once these policies are applied the machine has no connectivity of any kind, not even on the loopback interface. Do not do this over an SSH session without first adding a rule that allows that session, or you will lock yourself out.

To go back we write the same commands replacing DROP with ACCEPT.

At this point, since all traffic is denied, we start telling iptables which traffic it may have.

The syntax is:

iptables -A chain -s source_ip -d destination_ip -p protocol --dport port -j action

Where:

chain = INPUT, OUTPUT or FORWARD

source_ip = origin of the packets; it can be a single IP or a network, in which case we must specify the mask (for example 10.0.0.0/8).

destination_ip = where the packets are going; likewise a single IP or a network, in which case we must specify the mask.

protocol = the protocol used by the packets (icmp, tcp, udp ...).

port = destination port of the traffic; --dport only makes sense together with -p tcp or -p udp.

action = DROP or ACCEPT.

Any of -s, -d, -p or --dport can be left out, in which case the rule matches any value for that field.

Example:

First the restrictive policies are applied to all three chains.

Then we add the rules to allow traffic to port 80 (HTTP) and port 443 (HTTPS) over the TCP protocol. Then port 53 is allowed so that the DNS client can resolve domain names; otherwise you will not be able to browse. DNS works over the UDP protocol (and falls back to TCP for large answers, so allowing TCP port 53 as well is sensible).

The line:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

is there for the following reason. When you make an HTTP request, for example, you connect to port 80 of the server from a source port chosen by your own system (generally greater than 1024). The server's reply comes back addressed to that port, so as far as iptables is concerned it is incoming traffic.

Since all our INPUT ports are closed, that reply would be dropped, unless we opened every port above 1024 (a bad idea). What this rule says instead is that all incoming traffic belonging to a connection that I established myself (ESTABLISHED), or related to one (RELATED, for example ICMP errors about it), is accepted. In other words, replies to connections that I started. The kernel's connection tracking keeps the table of those connections, so nothing the other side starts on its own gets through.

Rules on the OUTPUT chain only apply to traffic generated by the machine itself. If we are using the machine as a router and want to allow these connections for the computers behind it, we must write the same rules on the FORWARD chain, since that traffic passes through the machine but is not initiated by it (and the ESTABLISHED,RELATED rule must be added to FORWARD as well, so that the replies can come back).

All these rules are lost after a reboot, so we have to create scripts that load them at startup. We will see that in the next part.
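The script below is an added example, not code from the original post, that assembles the rules of this section into the "do not allow any traffic except ..." form, in the order the text calls for: default policies first, loopback and the ESTABLISHED,RELATED rule before the per-port rules, and a second set of rules on FORWARD for the router case. The LAN interface name eth1 and the network 10.0.0.0/8 are assumptions. Run it with "apply" as root, or with "dry-run" to print the iptables commands without touching the kernel.

```shell
#!/bin/sh
# Added example (not from the original post): a "deny everything except" firewall
# with a FORWARD section for when the box acts as a router.
# Assumed values: LAN interface eth1, LAN network 10.0.0.0/8.

DRY_RUN=${DRY_RUN:-0}

# ipt ARGS...: call iptables, or print the command when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# host_rules: rules for traffic of the machine itself (INPUT/OUTPUT).
host_rules() {
    # Start clean so re-running the script does not append duplicate rules.
    ipt -F
    ipt -X
    # Default policies first: anything not explicitly allowed below is dropped.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    # Loopback: local services (DNS caches, databases, X) break without it.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Replies to connections this host started. First match wins, so it goes early.
    # ("-m state" is the legacy match the post uses; "-m conntrack --ctstate" is the
    # current equivalent.)
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # What the host itself may start: web and DNS.
    ipt -A OUTPUT -p tcp --dport 80 -j ACCEPT
    ipt -A OUTPUT -p tcp --dport 443 -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -p tcp --dport 53 -j ACCEPT   # DNS falls back to TCP for large answers
}

# router_rules LAN_IF LAN_NET: the same allowances for traffic that only passes through.
# Matching on the inbound interface and source network keeps spoofed sources out.
router_rules() {
    lan_if=$1
    lan_net=$2
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$lan_if" -s "$lan_net" -p tcp --dport 80 -j ACCEPT
    ipt -A FORWARD -i "$lan_if" -s "$lan_net" -p tcp --dport 443 -j ACCEPT
    ipt -A FORWARD -i "$lan_if" -s "$lan_net" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$lan_if" -s "$lan_net" -p tcp --dport 53 -j ACCEPT
}

# Usage: sh firewall.sh apply    (as root)
#        sh firewall.sh dry-run  (print the commands only)
case "${1:-}" in
    apply)
        host_rules
        router_rules eth1 10.0.0.0/8
        ;;
    dry-run)
        DRY_RUN=1
        host_rules
        router_rules eth1 10.0.0.0/8
        ;;
esac
```

If you administer the box over SSH, add an INPUT rule for TCP port 22 (restricted to your management address) before the DROP policies take effect, otherwise the first "apply" cuts your session. The dry-run output is also handy for checking the one property that matters most with iptables: that the rules come out in the order you intended, since the first matching rule decides and nothing after it is consulted.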

I hope you liked this information. In the next one I will talk about NAT, proxies and firewall scripts.


12 comments

  1.   Rogelio pinto said

    This is the basis that many entrepreneurs use to manufacture their own firewalls; that is why there are so many brands of firewalls with embedded Linux on the market, some good and others not so much.

  2.   lifter said

    Excellent article. I look forward to the second part.

  3.   Milton said

    Very good explanation, it helped me to understand the proxy at my work. Thank you.

  4.   faustod said

    Hello Jlcmux,

    Excellent, I really liked it; when will the other part be available?

    Greetings and thanks for sharing

    1.    @Jlcmux said

      Thanks for the comment.

      I sent the other part yesterday, in the course of the day I think they will be publishing it.

      Greetings.

  5.   Israel said

    Very good article friend @Jlcmux, I really learned from it since it cleared up some doubts I had had for some time. By the way, would you mind sharing the book that is the source of the article, the one by Sébastien BOBILLIER? Well, salu2s and now on to the 2nd part, salu2s.

    1.    @Jlcmux said

      Hello, thanks for commenting Israel.

      It turns out that I have the book in physical form. But I found this link on Google Books. http://books.google.com.co/books?id=zxASM3ii4GYC&pg=PA356&lpg=PA356&dq=S%C3%A9bastien+BOBILLIER+Linux+%E2%80%93+Administraci%C3%B3n+del+sistema+y+explotaci%C3%B3n+de+los+servicios+de+red#v=onepage&q=

      I think it's complete.

  6.   Ariel said

    Very good article. I add a question: what would be the advantage of using Linux as a router, if there is any, compared to hardware dedicated to it? Or is it just for exercise? I know there are dedicated distros but I don't know if they are meant to salvage old PCs or to provide more flexibility in configuration.

    1.    @Jlcmux said

      Well, I think the advantages and disadvantages depend on the scenario where you are going to implement this. Because surely you are not going to buy a UTM or something like that for your house, and maybe a small business can't afford it either. It is also good as an exercise, as it helps you understand all the logic of this and you can better configure a dedicated firewall. Besides, almost all of those devices really run embedded Linux.

      Greetings.

  7.   Ariel said

    Hello, a question: can you generate an "artificial" interface in Linux for similar routing between networks (Packet Tracer style) to work with virtual machines? E.g. if I have eth0 (because I have a single card, of course) can I create eth1 to make another network? Very good tutorial!

    1.    elav said

      In Linux you can create virtual interfaces, of course. If you have eth0, you can have eth0:0, eth0:1, eth0:2 ... etc.

  8.   chinoloco said

    So good, thanks for sharing