Iptables - NAT/ DMZ example

Here is a basic script that acts as a very simple firewall. Note that eth0 is the internet-facing interface and eth1 is on the local network.

Types of attacks

Whenever a server is open to the internet there is a risk of attack. These attacks can never be prevented with 100% certainty, but they can be minimised. One of the best ways to do this is with a firewall such as the ones shown here, which can be used to limit openings and connections. It is important to know about these attacks so you can better protect your servers and networks against them.

DDoS

DDoS, or distributed denial of service, is an attack where many systems are used to attack a single target (normally a web server) with huge amounts of bandwidth. The goal of these attacks is to take the server offline or make it unusable for genuine users. These attacks are becoming more common and are important to guard against, since they can be simple to launch and can be very successful if the proper measures are not taken to secure servers.

ICMP Flood

There are a few different types of ICMP attacks, which all rely on misconfigured networks and can easily be prevented. They tend to rely on the ping command and are used to overwhelm the target. For an attack to be successful the attacker needs to have more bandwidth than the victim. These attacks are easy to launch but are also easily prevented.

SYN Flood

These are attacks where TCP connections are left half open. The attacker(s) keep opening more and more connections without ever completing them, which overwhelms the server. These attacks can be prevented with SYN cookies or by limiting the number of new connections from a single source over a specified time frame.
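As an added example (not from the original post), here is a small shell script that emits the rules for the second mitigation named above, per-source SYN rate limiting with the hashlimit match, together with the sysctl settings that turn on SYN cookies. The interface name, rates and chain name are assumptions; the functions print the rules rather than apply them so the output can be reviewed and then piped to sh as root.

```shell
#!/bin/sh
# Added example, not from the original post: per-source SYN rate limiting
# with the hashlimit match plus SYN cookies. Interface, rates and the chain
# name are assumptions; the functions print rules instead of applying them.
WAN_IF="${WAN_IF:-eth0}"          # internet-facing interface, as on the page
SYN_RATE="${SYN_RATE:-10/second}" # new connections allowed per source address
SYN_BURST="${SYN_BURST:-20}"      # short burst tolerated before limiting kicks in

# Rules for a dedicated chain: a source under the limit RETURNs to INPUT and
# is judged by the normal rules; a source over it is logged (the LOG itself
# rate limited) and dropped. The jump is inserted at the top of INPUT and
# restricted to TCP SYNs from the WAN side, so it runs before any ACCEPT
# rule and never touches loopback or LAN traffic.
syn_flood_rules() {
    cat <<EOF
iptables -N syn-flood
iptables -A syn-flood -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-upto $SYN_RATE --hashlimit-burst $SYN_BURST -j RETURN
iptables -A syn-flood -m limit --limit 5/minute -j LOG --log-prefix "SYN flood: "
iptables -A syn-flood -j DROP
iptables -I INPUT 1 -i $WAN_IF -p tcp --syn -j syn-flood
EOF
}

# Kernel side of the defence: SYN cookies let the server keep answering
# legitimate handshakes when the backlog is full of half-open connections.
syn_cookie_settings() {
    cat <<EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
EOF
}

# Number of iptables commands the generator produces (used by the check).
syn_flood_rule_count() { syn_flood_rules | wc -l | tr -d ' '; }

# Review with: sh thisfile.sh print
# Apply (as root) with: syn_flood_rules | sh
#   and: syn_cookie_settings >> /etc/sysctl.conf && sysctl -p
case "${1:-}" in
    print) syn_flood_rules; syn_cookie_settings ;;
esac
```

The per-source limit is what makes this different from a single global limit: one flooding address is cut off while other clients are still served, and the LOG line gives you the source to look at.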

#---------------------------------------------------------------
# Initialize all the chains by removing all the rules
# tied to them
#---------------------------------------------------------------

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

#---------------------------------------------------------------
# The loopback interface should accept all traffic
# Necessary for X-Windows and other socket based services
#---------------------------------------------------------------

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#---------------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface eth0 is the internet interface
#
# Zone transfers use TCP and not UDP. Most home networks
# websites using a single DNS server won't require TCP statements
#
#---------------------------------------------------------------

iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT

#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#---------------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------------

iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT

iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT

#---------------------------------------------------------------
# Allow port 80 (www) and 443 (https) connections from the firewall
#---------------------------------------------------------------

iptables -A OUTPUT -o eth0 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 --sport 1024:65535 -j ACCEPT
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------

iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp -j ACCEPT

#---------------------------------------------------------------
# If a packet doesn't match one of the built in chains, then
# The policy should be to drop it
#---------------------------------------------------------------

iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP

service iptables restart

#---------------------------------------------------------------

Continuing On:

With that out of the way, the process of getting NATing to work will commence. NAT is network address translation, which was designed to help with the problem of not enough IP addresses world wide. In short, it allows multiple computers to use the same IP address.

Note: addresses written as xx.xx.xx.xx are the public (internet) addresses; the 192.168.x.x addresses are internal.

vi /etc/sysconfig/network-scripts/ifcfg-eth0

and make it look like this:

DEVICE=eth0
BOOTPROTO=none
BROADCAST=xx.xx.xx.255 # Optional Entry
HWADDR=00:50:BA:88:72:D4 # Optional Entry
IPADDR=xx.xx.xx.xx
NETMASK=255.255.255.0 # Provided by the ISP
NETWORK=xx.xx.xx.0 # Optional
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
GATEWAY=xx.xx.xx.1 # Provided by the ISP

vi /etc/sysconfig/network-scripts/ifcfg-eth1

BOOTPROTO=none
PEERDNS=yes
HWADDR=00:50:8B:CF:9C:05 # Optional
TYPE=Ethernet
IPV6INIT=no
DEVICE=eth1
NETMASK=255.255.0.0 # Specify based on your requirement
BROADCAST=""
IPADDR=192.168.2.1 # Gateway of the LAN
NETWORK=192.168.0.0 # Optional
USERCTL=no
ONBOOT=yes

Make sure there is something like this:

vi /etc/hosts

127.0.0.1 nat localhost.localdomain localhost

Do this:

vi /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=nat
GATEWAY=xx.xx.xx.1 # Internet Gateway, provided by the ISP

Check the following:

vi /etc/resolv.conf
nameserver 203.145.184.13 # Primary DNS Server provided by the ISP
nameserver 202.56.250.5 # Secondary DNS Server provided by the ISP

NOTE: those nameserver addresses will be different for you.

vi /etc/sysctl.conf

Change the following value from:
net.ipv4.ip_forward = 0

TO:

net.ipv4.ip_forward = 1

Change this baby:

vi /etc/sysconfig/iptables-config

Find the options IPTABLES_MODULES_UNLOAD, IPTABLES_SAVE_ON_STOP and IPTABLES_SAVE_ON_RESTART and set all three to yes (they default to no). With the save options on, the running rules are written to /etc/sysconfig/iptables whenever the service is stopped or restarted, which is what makes them come back after a reboot.

No NATing yet? Add these lines to your code right above the drop section. Cheers.

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

And now you'll be doubling up: several machines on the LAN share the one public address.

So what we want is the following network:

Well, what is happening? What we want is a DMZ where a web server somewhere on the Internet is asking for some MySQL.

It would be dangerous to have that MySQL machine serving directly on the Internet, so what should we do? The solution is to put it behind the firewall.

OK? So the web server hits the firewall, the request is forwarded to a machine behind it, and the answer is allowed back out.

The FINAL script

NOTE: the parts that were shown in bold are the ones that matter. PING packets are already dropped if they hit the firewall, and logging is definitely in. Note that port 1056 on the firewall forwards you via SSH to the MySQL machine ;)

#---------------------------------------------------------------
# Initialize all the chains by removing all the rules
# tied to them
#---------------------------------------------------------------

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

#---------------------------------------------------------------
# The loopback interface should accept all traffic
# Necessary for X-Windows and other socket based services
#---------------------------------------------------------------

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#---------------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface eth0 is the internet interface
#
# Zone transfers use TCP and not UDP. Most home networks
# websites using a single DNS server won't require TCP statements
#
#---------------------------------------------------------------

iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT

#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#---------------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------------

iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT

#---------------------------------------------------------------
# Allow port 80 (www) and 443 (https) connections from the firewall
#---------------------------------------------------------------

iptables -A OUTPUT -o eth0 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 3306 --sport 1024:65535 -j ACCEPT
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------

iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp -j ACCEPT

#---------------------------------------------------------------
# If a packet doesn't match one of the built in chains, then
# The policy should be to drop it
#---------------------------------------------------------------
#######################################################################

# DMZ webserver to mysql
#=====================================================================

echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -d 142.25.97.89 --dport 80 -j DNAT --to 142.25.97.40
iptables -t nat -A POSTROUTING -d 142.25.97.40 -j MASQUERADE

#=====================================================================
#for MYSQL from DMZ to MYSQL server
#======================================================================

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 142.25.97.89 --dport 3306 -j DNAT --to 192.168.9.50
iptables -t nat -A POSTROUTING -d 192.168.9.50 -j MASQUERADE

iptables -A INPUT -p tcp -s 142.25.97.89 --sport 1024:65535 -d 142.25.97.89 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 142.25.97.89 --sport 3306 -d 142.25.97.89 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s 142.25.97.89 --sport 1024:65535 -d 0/0 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 3306 -d 142.25.97.89 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

#=======================================================================
#forward port 1056 to port 22 on the MYSql Server 9.50
#======================================================================

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 142.25.97.89 --dport 1056 -j DNAT --to 192.168.9.50:22
iptables -A FORWARD -p tcp -i eth0 -d 192.168.9.50 --dport 22 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 142.25.97.89 --dport 1200 -j DNAT --to 192.168.9.50:3306
iptables -A FORWARD -p tcp -i eth0 -d 192.168.9.50 --dport 3306 -j ACCEPT

/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

#$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
# ATTACKS AND LOGGING
#$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

# Pings are not allowed anyway: there is no ICMP ACCEPT rule, so they
# fall through to the LOG and DROP rules at the end.

# Allow only 10 new connections per second with a burst of 20; anything
# above that is dropped. The chain lives in the filter table, has to be
# created, and INPUT has to jump to it for SYN packets, otherwise these
# rules never see any traffic. The jump is inserted at the top of INPUT
# so it is evaluated before the ACCEPT rules above.
#---------------------------------------------------------------------

iptables -N syn-flood 2>/dev/null   # already exists on a re-run (--flush keeps user chains)
iptables -I INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 10/s --limit-burst 20 -j RETURN
iptables -A syn-flood -j DROP

#LOGGING
#-------------------------------------------------------------------

/sbin/iptables -A INPUT -m limit --limit 15/minute -j LOG \
--log-level 7 --log-prefix "Dropped by firewall: "
/sbin/iptables -A OUTPUT -m limit --limit 15/minute -j LOG \
--log-level 7 --log-prefix "Dropped by firewall: "

#======================================================================
# DROPS
#=====================================================================

# Drop illegal packets (flag combinations that never occur in a normal
# TCP exchange and are typical of port scans)
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP          # XMAS scan
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP                  # all flags set
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP                 # NULL packets
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP          # SYN and RST together
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP          # SYN and FIN together
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP              # FIN without ACK (FIN scans)
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP  # another impossible combination

# iptables-save only prints the running ruleset to stdout (with -c the
# packet and byte counters are included); it is useful for checking the
# rules before the final DROP lines go in. Writing them to
# /etc/sysconfig/iptables happens on the restart at the end, because
# IPTABLES_SAVE_ON_RESTART was set to yes earlier.
iptables-save
iptables-save -c

iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP

service iptables restart
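The following is an added example, not the post's own script, that rebuilds the NAT and DMZ forwarding parts above (the MASQUERADE and FORWARD lines from the NATing section, and the DNAT port forwards for SSH and MySQL in the final script) as a small rule generator. It differs from the page's rules in three places a defender would want: MASQUERADE and the LAN-to-internet FORWARD rule are restricted to the LAN subnet, packets arriving on eth0 that claim a LAN source address are dropped, and a forwarded port only admits NEW connections (with one RELATED,ESTABLISHED rule for return traffic), optionally from a single source address. The firewall address 142.25.97.89 and MySQL host 192.168.9.50 are the page's own; the LAN subnet 192.168.9.0/24 and the use of 142.25.97.40 as the web server allowed to reach MySQL are assumptions. The functions print rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the post's own script: a generator for the NAT and DMZ
# port-forwarding rules. 142.25.97.89 (firewall), 142.25.97.40 (web server)
# and 192.168.9.50 (MySQL host) are the page's addresses; the LAN subnet and
# the interface names are assumptions. Rules are printed, not applied.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.9.0/24}"
FW_IP="${FW_IP:-142.25.97.89}"
WEB_SERVER="${WEB_SERVER:-142.25.97.40}"   # the only host allowed to reach MySQL
MYSQL_HOST="${MYSQL_HOST:-192.168.9.50}"

# Masquerading for the LAN. Unlike a bare "-o eth0 -j MASQUERADE" this only
# translates packets whose source really is the LAN subnet, refuses packets
# on the WAN side that claim a LAN source (spoofing), and lets return
# traffic through with a single conntrack rule.
nat_rules() {
    cat <<EOF
iptables -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
iptables -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Forward FW_IP:<public port> to <internal ip>:<internal port>, optionally
# only from one source address. Only NEW connections are accepted here;
# replies are covered by the RELATED,ESTABLISHED rule in nat_rules.
# Usage: port_forward <public port> <internal ip> <internal port> [source]
port_forward() {
    pub_port=$1; int_ip=$2; int_port=$3; src=${4:-0.0.0.0/0}
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -s $src -d $FW_IP --dport $pub_port -j DNAT --to-destination $int_ip:$int_port
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -s $src -d $int_ip --dport $int_port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# The DMZ set from the page: SSH to the MySQL host on a high port (1056),
# and MySQL itself reachable only from the web server.
dmz_rules() {
    nat_rules
    port_forward 1056 "$MYSQL_HOST" 22
    port_forward 3306 "$MYSQL_HOST" 3306 "$WEB_SERVER"
}

# Number of iptables commands the full DMZ set produces (used by the check).
dmz_rule_count() { dmz_rules | wc -l | tr -d ' '; }

# Review with: sh thisfile.sh print     Apply (as root) with: dmz_rules | sh
case "${1:-}" in
    print) dmz_rules ;;
esac
```

These rules have to go in before the script's closing `iptables -A FORWARD -j DROP`, just as the page's NAT lines do; the anti-spoofing DROPs should sit before any ACCEPT in INPUT and FORWARD.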

BACKUP and Restore

iptables is set to come back up on restart.

iptables is saved on another device as a script which can be run at any time.
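As an added example (not from the original post), here is a small shell/awk summariser for the kernel log lines that the `--log-prefix "Dropped by firewall: "` rules in the final script produce, the sort of thing to run over /var/log/messages to see who is hitting the firewall and on which ports. The log lines in SAMPLE_LOG are constructed for the example; the source addresses come from the 203.0.113.0/24 documentation range and only the destination 142.25.97.89 and the MAC of eth0 are the page's own values.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the kernel log
# lines written by the LOG rules with --log-prefix "Dropped by firewall: ".
# SAMPLE_LOG is constructed test data; in practice pipe in /var/log/messages.
SAMPLE_LOG='Mar  3 10:15:01 nat kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:50:ba:88:72:d4:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=142.25.97.89 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40001 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:01 nat kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:50:ba:88:72:d4:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=142.25.97.89 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40002 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 nat kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:50:ba:88:72:d4:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=142.25.97.89 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40003 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:07 nat kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:50:ba:88:72:d4:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=142.25.97.89 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Mar  3 10:15:09 nat kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:50:ba:88:72:d4:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=142.25.97.89 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=2 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=512 RES=0x00 SYN URGP=0
Mar  3 10:15:11 nat kernel: Some other kernel message that is not from the firewall'

# Print "count source proto dest-port" for each (source, proto, port) seen,
# most frequent first. ICMP has no port, so "-" is printed for it.
drop_summary() {
    awk '
        /Dropped by firewall:/ {
            src = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Sources with at least <threshold> dropped packets (default 3): the list
# you would feed to an alert, or review before adding a block rule.
noisy_sources() {
    threshold=${1:-3}
    awk -v t="$threshold" '
        /Dropped by firewall:/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) seen[substr($i, 5)]++
        }
        END { for (s in seen) if (seen[s] >= t) print s }
    ' | sort
}

# Demo over the constructed sample: sh thisfile.sh demo
# Real use: drop_summary < /var/log/messages
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | drop_summary
          echo "noisy sources:"; printf '%s\n' "$SAMPLE_LOG" | noisy_sources ;;
esac
```

Because the LOG rules are themselves rate limited (15/minute), the counts are a lower bound on what was actually dropped; they are fine for spotting a noisy source, not for measuring the size of a flood.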

CONCLUSION

Linux has produced something useful and easy to use. It is easy to configure, easy to understand, and there is lots of documentation once you get past the extra technical jargon. Iptables is a powerful firewall solution and can be used for a variety of things such as NATing.
