Securing your network with Iptables - Proxy - NAT - IDS: PART 2

In the previous post we saw how to configure iptables so that it works as a firewall. Now we will see how to create scripts so that the rules are applied automatically when the system starts, and also how to remove or temporarily stop those rules.

Before writing the script and showing you how it looks, let's talk a little about NAT and the context of what we want to do with this equipment.

NAT and Context of the example.

When we talk about NAT we can confuse it with routing, since both connect two different networks to each other. The difference is that routing is applied to go from one local network to another, and this other network can connect to a router and go out to the Internet.

Whereas when we talk about NAT, we talk about routing packets from a local or private network to a public network or the Internet. It does this by masking the packets, rewriting them with the public IP with which it goes out to the Internet. In other words, we don't need a router, because the public IP belongs directly to the GNU/Linux computer.


We will work with the premise that we are using our Linux as a router/firewall to go out to the Internet from a local network. But here two scenarios can appear.

  • That our Linux is between the router of the service provider and the local network.

In this case, between the router and our Linux there would be one network, and between the Linux and the local network there would be another, different network. This means that our Linux would not have to do NAT as such; simple traffic routing, as explained in the previous post, would be enough.

  • That our Linux has an interface connected to the local network and through the other interface it receives directly a public IP with which it navigates.

This means that our Linux must do NAT so that the packets can reach the Internet.

For the purposes of this small laboratory, then, we will say that our Linux receives a public IP directly, so that we can test the effects of NAT.

To do NAT we then use the syntax:

 iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Where eth1 is the interface on which we receive the public IP, that is, through which we go out to the Internet.

MASQUERADE is used when the IP is public but can vary over time (dynamic). Otherwise we can use SNAT --to-source <ip>.

Creating iptables script

Suppose then that 172.26.0.0 is our local network and 81.2.3.4 is the public IP with which we go to the Internet (it is a static IP). I have the interfaces eth0 (local network) and eth1 (public network).

It basically consists of creating a script that can be called from /etc/init.d/firestop (for example), and from this script we can start, stop or check the status of our configuration, just as we do with any system daemon.

Suppose my iptables rules are:

 #!/bin/bash
 # Firewall of my home.
 # File name: /etc/firewall_on
 # By Jlcmux  Twitter: @Jlcmux
 #
 # Basic policy.
 iptables -P INPUT DROP
 iptables -P OUTPUT DROP
 iptables -P FORWARD DROP
 #
 # NAT to share Internet from eth0 to eth1
 iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 81.2.3.4
 #
 # Allow incoming connections initiated by me
 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 #
 # Authorized outgoing traffic
 iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
 iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
 iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT

Let's not forget to give the script execution permissions.

Explanation:

The script basically does the following:

  1. First it restricts all browsing, connections and traffic (basic firewall policies).
  2. Then it creates the NAT with eth1 as the outgoing interface, indicating that we have the static public IP «81.2.3.4».
  3. It opens what is necessary to receive the packets of connections initiated from our side.
  4. It accepts outgoing HTTP, HTTPS and DNS traffic.

The rules target FORWARD traffic because we are using our Linux as a router, so the policies apply to the traffic that PASSES THROUGH the Linux, that is, it acts as an intermediary. This means that our Linux itself can't really browse or receive any data directly; the rules only apply to the computers connected to it, not to the Linux itself.

If we wanted to use the equipment itself to browse, we would have to repeat the lines, changing FORWARD to INPUT or OUTPUT as appropriate.
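As an added example (not code from the original post or its author), here are the same rules as the firewall_on script above, rewritten as a POSIX sh script whose functions generate the iptables commands; it also covers the SNAT/MASQUERADE choice from the NAT section. Interface names and the public IP are the post's; RUN=echo (the default here) prints the commands instead of executing them, so the ruleset can be reviewed without root, and it flushes first so running it twice does not append duplicate rules.

```shell
#!/bin/sh
# Added example, not the post's own script. Same router/firewall rules as
# /etc/firewall_on, but each rule is produced by a function and the runner
# either executes (RUN=) or prints (RUN=echo) the resulting commands.
LAN_IF=eth0
WAN_IF=eth1
PUBLIC_IP=81.2.3.4        # set to "" to use MASQUERADE for a dynamic public IP
RUN=${RUN:-echo}          # RUN= (empty) executes; RUN=echo is a dry run

# SNAT for a static public IP, MASQUERADE when the address can change.
nat_rule() {  # $1 = outgoing interface, $2 = public IP or ""
    if [ -n "$2" ]; then
        echo "iptables -t nat -A POSTROUTING -o $1 -j SNAT --to-source $2"
    else
        echo "iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE"
    fi
}

# One FORWARD accept rule for traffic started on the LAN toward the Internet.
forward_rule() {  # $1 = protocol, $2 = destination port
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p $1 --dport $2 -j ACCEPT"
}

# Full ruleset, one command per line. Flushing filter and nat first makes the
# script idempotent; the post's firewall_on only appends, so a second run
# duplicates every rule.
ruleset() {
    echo "sysctl -w net.ipv4.ip_forward=1"   # the kernel forwards nothing otherwise
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -P FORWARD DROP"
    nat_rule "$WAN_IF" "$PUBLIC_IP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    forward_rule tcp 80
    forward_rule tcp 443
    forward_rule udp 53
}

# Apply (RUN empty) or print (RUN=echo) the ruleset line by line.
apply_ruleset() {
    ruleset | while IFS= read -r cmd; do $RUN $cmd; done
}

apply_ruleset
```

Run it as root with RUN= to apply the rules for real; the default invocation only shows what would be executed.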

Cancel script.

Now we are going to create a script that undoes all the above and leaves the computer clean of it (for testing purposes, or when we just want to turn off the firewall).

 #!/bin/bash
 # Firewall of my home.
 # File name: /etc/firewall_off
 # By Jlcmux  Twitter: @Jlcmux
 #
 # Deleting iptables rules (filter table, and the nat table used by firewall_on)
 iptables -F
 iptables -t nat -F
 #
 # Applying default policies (all traffic accepted)
 iptables -P INPUT ACCEPT
 iptables -P OUTPUT ACCEPT
 iptables -P FORWARD ACCEPT

Automating.

Now we must create the script inside /etc/init.d/ so that the service starts automatically and we can manage it more comfortably.

 #!/bin/bash
 # Firewall of my home.
 # File name: /etc/init.d/firewall
 # By Jlcmux  Twitter: @Jlcmux
 case "$1" in
   start)
     /etc/firewall_on
     ;;
   stop)
     /etc/firewall_off
     ;;
   status)
     iptables -L
     iptables -t nat -L
     ;;
   *)
     echo "Wrong syntax. Valid = /etc/init.d/firewall start | stop | status"
     ;;
 esac

Explanation:

This last script we put in /etc/init.d/ with the name firewall. So if we want to manage the firewall we can use the command /etc/init.d/firewall start. In the same way we can stop it or see its state.

Now we edit the file /etc/rc.local and add something like /etc/init.d/firewall start so that it starts with the system.

Well, this is the second part. I hope it brings something to all of you. In the next one we will see Proxy and IDS.


7 comments

  1.   dhunter said

    If you are using Debian, there is a package in the repo (iptables-persistent) that does exactly that: it dumps the current rules to /etc/iptables/rules.v4 or v6, depending on what you use, and then applies them for you when you boot the system.

  2.   OCZ said

    In practice, to clean the configuration of a conventional iptables firewall (and one using NAT would not be so, from my point of view), in most cases a rule flush and resetting the default policies to ACCEPT would suffice.
    But in theory, and as far as I know, in addition to this you also need to delete the non-default chains and reset the counters. Actions to be taken bearing in mind that in addition to "filter" there are other tables (it is mandatory to read the file "/proc/net/ip_tables_names" for this).

    By the way, orthodoxy says that a firewall must already be up before the network is. I do not know how it is achieved in the other Linux systems, but in the Debian type the script could be adapted and set in the directory "/etc/network/if-pre-up.d/".

    Good firewalling everyone. 😉

  3.   NauTiluS said

    Hello, the post is very good. I have read the entire 2 volumes.

    Waiting for the next 🙂

  4.   anonymous said

    A question from my ignorance: we continue with iptables, but for several kernel versions we have had nftables, which I am already testing. The questions are: is nftables something beta compared to iptables? Will iptables continue to be used for much longer?

    Thank you.

    1.    yukiteru said

      nftables includes all the functionalities of iptables, ip6tables, arptables and ebtables, all using a new infrastructure in both kernelspace and userspace, which ensures better performance and improved functionality. nftables will replace iptables and all the other tools mentioned but not for the time being, not at least until there is more widespread use of nftables as such.

  5.   Alejandro said

    Very good post, I wanted to read more since it is very well explained. Greetings, thanks, great contribution.

  6.   Avrah said

    Hello! Very good, both posts.
    As a contribution you could add at the end of this part:

    "Now we are going to edit the /etc/rc.local file and put something like: /etc/init.d/firestop start so that it starts with the system."

    Add this to rc.local.

    if [ -x /etc/init.d/firewall ]; then
        /etc/init.d/firewall start
    fi

    Which means: if "firewall" has execution permissions, execute it; if not, don't.
    If you want the "firewall" not to start, you just have to remove the permissions.

    For example: chmod +x /etc/init.d/firewall
    to make it run on every startup, or...
    chmod -x /etc/init.d/firewall
    to completely disable it.

    Regards!