getting started iptables

Upload: zepequeno83yahoo

Post on 06-Apr-2018


  • 8/3/2019 Getting Started Iptables

    1/17

    Getting Started: Using Firewall Builder to Configure Linux iptables


    Copyright 2003,2011 NetCitadel, LLC

    The information in this manual is subject to change without notice and should not be construed as a commitment by NetCitadel LLC. NetCitadel LLC assumes no responsibility or liability for any errors or inaccuracies that may appear in this manual.


    Getting Started: Configuring Linux iptables Firewalls ... 1

    1. How Firewall Builder works with Linux iptables firewalls ... 1

    2. Firewall Builder GUI Layout ... 2

    3. Example Linux iptables Deployment ... 2

    4. Creating a Linux iptables Firewall ... 3

    5. Working With Objects ... 5

    6. Configuring iptables Policy Rules ... 6

    6.1. Additional Tips For Working with Rules ... 10

    7. Configuring NAT Rules ... 11

    8. Compile and Install ... 12


    Getting Started: Configuring Linux iptables Firewalls

    Firewall Builder is a configuration management application that can be used to configure and manage firewall rules for multiple types of firewalls. This guide will go through the steps of creating a Linux iptables firewall in Firewall Builder and then creating and installing rules created in Firewall Builder onto the firewall.

    1. How Firewall Builder works with Linux iptables firewalls

    Conceptually, Firewall Builder works the same way no matter what type of firewall is being configured. Firewall Builder is based on the idea of using objects to represent rule elements, such as IP networks and host addresses, and then using these objects to define firewall rules.

    For Linux iptables firewalls, after the firewall rules have been created Firewall Builder will generate a shell script file that includes all the iptables commands required to implement the user-defined security policy. This script file can also include information required to configure interfaces, static routes and other configuration options.

    Once the firewall script file has been created, Firewall Builder can use the secure SSH and SCP protocols to transfer the script file to the Linux firewall server and to activate it, or users can copy the script file themselves to the server and run it to activate the firewall rules.

    Figure 1. Basic Workflow for Configuring Linux iptables with Firewall Builder


    2. Firewall Builder GUI Layout

    Before we get started configuring our example firewall, let's take a minute to orient ourselves with the Firewall Builder application. The GUI is comprised of three primary panels shown in the screenshot below.

    Figure 2. Firewall Builder GUI Layout

    Object Panel. Objects in the active Library are displayed in an object tree in the Object Panel. Empty folders are defined for all possible object types that a user can create in the User library.

    Rules Panel. When a Policy object is opened for editing it is displayed in the Rules Panel. Clicking on the '+' button at the top of the panel creates a new rule.

    Editor Panel. Double-clicking on objects opens them for editing in the Editor Panel. Changes to object attribute fields take effect immediately.

    Panels open dynamically based on what activity the user is performing. For example, double-clicking an object to edit it will open the Editor Panel if it is not already open. Now we are ready to get started configuring our firewall example.

    3. Example Linux iptables Deployment

    This Getting Started Guide is based on configuring a Linux iptables firewall to match the network deployment shown in the diagram below.


    Figure 3. Example Linux iptables Configuration

    The goal of the Getting Started Guide is to help users become familiar with the basic process of configuring a Linux iptables firewall using Firewall Builder, so there are many advanced features that won't be covered here. The Users Guide [http://www.fwbuilder.org/4.0/docs/users_guide/index.html] has a complete listing of all Firewall Builder features.

    4. Creating a Linux iptables Firewall

    To create a firewall object to represent your Linux iptables firewall, click on the Create new firewall icon on the main window of Firewall Builder or right-click on the Firewalls system folder in the object tree and select "New Firewall". Either of these methods will launch a wizard that walks you through creating your firewall object.

    Enter a name for the firewall object; in this example we will use linux-1. Change the drop-down menu for the software that is running on the firewall to iptables.

    Figure 4. New Firewall Dialog

    Click the "Next >" button to continue to the next step in the wizard.

    When creating a firewall in Firewall Builder you have a choice of configuring interfaces manually, or you can use SNMP discovery if you have SNMP enabled on your firewall and you know the Read-Only or Read-Write community string. For this example we are going to configure the firewall interfaces manually.

    Figure 5. Select Interface Configuration Method

    Click the "Next >" button to continue to the next step.


    The firewall that you create in Firewall Builder needs to match the Linux server that you want to deploy the iptables rules on. This means that the interface names and IP addresses in the firewall object that you are creating must match exactly what is configured on the Linux server.

    Click the green icon to add a new interface to the firewall. Enter the name of the interface exactly as it is shown on the Linux server when you run the "ifconfig" command. In our example the interfaces are eth0, eth1 and lo.

    Set the interface name as eth0 and set the label to outside. Click on the Add address button and set the IP address to 192.0.2.1 with a netmask of 255.255.255.240.

    Figure 6. Set Interface IP Address

    Click the green icon to add another interface to the firewall. Enter the information into the wizard to match the second interface as follows:

    Figure 7. Interface Tabs

    Click the green icon to add another interface to the firewall. Enter the information for the "lo" interface with label "loopback", IP address 127.0.0.1 and netmask 255.0.0.0.

    Click the "Finish >" button to create the firewall object.

    After you create the firewall object representing the Linux server, the firewall object will be displayed in the object tree on the left side. The Policy object, which is where the iptables rules are configured, is automatically opened in the main window.

    Figure 8. Firewall Displayed in Object Tree


    Before moving on you should save the data file that contains the new firewall object that you just created. Do this by going to the File -> Save As menu item. Choose a name and location to save the file.

    5. Working With Objects

    Firewall Builder is based on the concept of objects. There are a variety of object types that can be used to define IP objects, which in turn can be used as the Source and Destination in your firewall rules. Two of the most common IP objects used in firewall rules are Networks and Addresses.

    Network Objects

    To create a Network object, for example a network to represent the internal 10.10.10.0/24 network shown in the diagram on the previous page, go to the object tree on the left side of the screen and double-click the folder labeled Objects to expand it. Right-click on the folder called Networks and select New Network. This creates a new network object. In the lower portion of your screen, called the Editor Panel, you can modify the properties of this object.

    Change the object name to something that matches the function; in this example we are going to call it Internal Network to represent the network connected to our "inside" interface. The address is set to 10.10.10.0 and the netmask is 255.255.255.0.

    Figure 9. New Network Object

    Note

    When editing the attributes of an object there is no Apply or Submit button. Once you edit an attribute, the change takes effect immediately, as soon as you move away from the field you were editing.

    Address Objects

    To create an object that represents a single IP address, similar to the host parameter in a Cisco access list, go to the object tree and right-click on the Addresses folder and select "New Address". In the Editor Panel change the name of the object to something that reflects its function, for example POP3 Server, and set the IP address.


    Figure 10. New Address Object

    You may have noticed that we did not create any objects for the TCP services, like HTTP and SSH, that will be needed for the firewall rules shown in the example. This is because Firewall Builder comes with hundreds of predefined objects for commonly used items like TCP services.

    6. Configuring iptables Policy Rules

    After you have created a firewall object and network objects you can start to configure the firewall's rules. When you create a firewall object, for example linux-1 from our previous example, it will be opened automatically in the object tree and its Policy object is opened in the main window for editing. The Policy object is where access list rules are configured.

    To add a new rule to the Policy, click on the green icon at the top left of the main window. This creates a new rule with default values set to deny all.

    Figure 11. Default Rule

    Every rule includes the following sections:

    Source - this can be one or more IP objects. Default value is Any, which is the same as the "0/0" iptables parameter that matches all IP addresses.

    Destination - this can be one or more IP objects. Default value is Any, which is the same as the "0/0" parameter in iptables that matches all IP addresses.

    Service - this can be one or more Service objects. Example services include the TCP and UDP protocols like HTTP and DNS. Default value is Any, which matches any IP service.

    Interface - this can be one or more interfaces configured on the firewall object. Default value is All, which means the rule will be applied to all interfaces.

    Direction - options are Inbound, Outbound and Both. This roughly translates to the iptables INPUT, OUTPUT and FORWARD chains. Default value is Both.

    Action - options are:

    Accept - matches iptables -j ACCEPT target

    Deny - matches iptables -j DROP target


    Reject - matches iptables -j REJECT target

    Accounting - traffic goes through an additional user-defined chain with -j RETURN target

    Queue - matches iptables -j QUEUE target

    Tag - matches iptables -j MARK target with --set-mark set to the tag value

    Classify - matches iptables -j CLASSIFY target with --set-class set to a user-defined string

    Custom - user can define a custom string

    Branch - matches iptables target of a user-defined chain

    Routing - matches iptables target -j ROUTE

    Continue - continue processing even if the rule matches

    Options - options are Logging On and Logging Off. Setting Logging On matches the iptables -j LOG target. Default value is Logging On.

    Configuring a Rule

    In the examples below the fields in the rule will be set to the values that match the first rule from our example scenario (scenario rules shown in the figure below). This rule controls SSH access to the firewall itself.

    Figure 12. Scenario Rules

    Setting the Source

    To set the Source of a rule, drag-and-drop at least one IP object from the tree to the Source field of your rule. For example, drag the Network object called Internal Network that you created earlier to the Source column of the rule as shown below.

    Figure 13. Setting the Source

    After you drop the network object into the rule the Source field will change from Any to Internal Network.

    Figure 14. After Source is Set


    Note

    You can have more than one IP object in the Source and Destination fields. When Firewall Builder generates the iptables commands it will automatically split the rule into multiple lines if necessary.

    Setting the Destination

    Setting the Destination is exactly the same as setting the Source, except you drag-and-drop IP objects into the Destination field of the rule. For our first example rule we want the Destination to be the "inside" interface of the firewall object. Drag-and-drop the eth1 object from the object tree to the Destination column.

    Figure 15. Setting the Destination

    After you drop the interface object into the rule the Destination field will change from Any to "inside", which is the label of the eth1 interface.

    Figure 16. After Destination is Set

    Setting the Service

    Firewall Builder comes with hundreds of predefined objects including Service objects for almost all standard protocols. To access these objects switch to the Standard library by selecting it from the drop-down at the top of the Object tree window.

    Figure 17. Switching Libraries

    Services are located in the Services folder. In this rule we want to set the service to SSH, so you would navigate to the SSH service by opening the Services folder, then opening the TCP folder and scrolling down until you find the "ssh" object.

    Once you find the ssh object, drag-and-drop it from the tree on the left into the Service section of the rule in the Rules window.


    Figure 18. Setting the Service

    Note

    To switch back to the User library, which contains the objects that you created, click on the drop-down menu that says Standard and select User from the list of libraries.

    Setting the Interface

    If desired, set the Interface for the rule by dragging-and-dropping an interface object from the firewall object to the Interface section of the rule. This, combined with the Direction setting, will cause the generated iptables rules to include -i or -o.

    Figure 19. Setting the Interface

    Setting the Direction

    The direction of the rule is based on the traffic you want to filter. Traffic coming into an interface should have the rule Direction set to Inbound and traffic going out of an interface should have the rule Direction set to Outbound. In our example the direction of the rule will be Inbound since it is controlling access to the firewall itself on the "inside" interface.

    Setting the Action

    The action controls whether traffic matching the rule should be permitted or denied. Firewall Builder sets the default action for the INPUT, OUTPUT and FORWARD chains to deny, so any traffic that has not matched a rule that permits the traffic will be dropped. Right-click and set the action to "Accept" to allow the SSH traffic from the local network to the firewall.

    Setting the Options

    Logging for rule matches is set in the Options section. By default logging is turned on. To turn logging off, right-click in the Options section and select Logging Off.


    Example of a Complete Rule

    The following is the first rule from our example, which allows SSH traffic from the internal network to the firewall's inside interface.

    Figure 20. New Rule with Fields Set

    6.1. Additional Tips For Working with Rules

    Adding a Rule

    To add a new rule click the icon at the top of the Rules Editor window. This will insert a new rule above the current rule. To add a new rule below the current rule, right-click on a rule and select "Add New Rule Below".

    Figure 21. Adding Rules

    Copy-and-Paste

    In addition to drag-and-drop you can also copy-and-paste objects. For example, you can right-click on the Internal Network object in the first rule and select Copy. Navigate to the Source section of the new rule you just created, right-click and select Paste.

    Using Filters to Find Objects

    Filters provide a way to quickly find objects in the tree without having to open multiple folders and scroll. For example, if you wanted to use the POP3 protocol in a rule you could use the filter to find it.

    The POP3 protocol object is located in the Standard library, so select it from the drop-down menu at the top of the Object Window. Type pop3 into the filter field. This will display all objects in the current library that contain pop3.

    Figure 22. Using Filter to Find Objects


    Note

    After you are done with the filtered object, clear the filter field by clicking the X to the right of the input box and then switch back to the User library by selecting it in the drop-down menu at the top of the object panel.

    Example of Completed Rules

    For our example we needed to create two firewall rules for traffic going through or to the firewall. We also created a special rule at the top of the Policy that allows the firewall to communicate with itself using the loopback interface. The completed firewall rules are shown in the diagram below.

    Figure 23. Three Rules

    Note

    Many Linux processes use the loopback interface to communicate between processes, so it is very important to have a rule at the top of the policy that allows the firewall to communicate with itself using the loopback interface.

    7. Configuring NAT Rules

    Now that the basic firewall rules have been configured we need to define our NAT policy. Open the NAT object for editing by double-clicking on it in the object tree as shown in the diagram below.

    Figure 24. Open the NAT Object for Editing

    For our example we need to create a single NAT rule that will translate the source IP address of any traffic coming from the inside 10.10.10.0/24 network going to the Internet. The source IP should be translated to the IP address of the "outside" interface of the firewall.

    To edit NAT rules we will use the same concepts that were used to edit the firewall Policy rules. Start by clicking the green '+' sign at the top of the Rules panel to add a new NAT rule.

    Drag-and-drop the "Internal Network" object you created earlier to the Original Src column of the NAT rule. This identifies the traffic that will have its source IP address translated. Now, drag-and-drop the "outside" interface from the linux-1 firewall object to the Translated Src column of the rule. This field identifies the IP address that the traffic will be translated to. After you are done the NAT rule should look like the diagram below.


    Figure 25. Completed NAT Rule

    That's it, now we are ready to generate the configuration file and use the built-in installer to deploy it to the firewall.

    8. Compile and Install

    In Firewall Builder the process of converting the rules from the Firewall Builder GUI syntax to the target device commands is called compiling the configuration.

    To compile, click on the Compile icon, which looks like a hammer. If you haven't saved your configuration file yet you will be asked to do so. After you save your file a wizard will be displayed that lets you select which firewall(s) you want to compile. In this example we are going to compile the firewall called linux-1 configured with the rules above.

    If there aren't any errors, you should see some messages scroll by in the main window and a message at the top left stating Success.

    To view the output of the compile, click on the button that says Inspect Generated Files. This will open the script file that Firewall Builder generates. The script file can be quite long; it includes functions to update interface IP addresses, static routes, etc. Near the bottom of the script you will find the section where the iptables commands are generated. Note that any line that starts with # is a comment.

    Figure 26. Example Compiler Output

    The output from the compiler is automatically saved in a file in the same directory as the data file that was used to create it. The generated files are named with the firewall name and a .fw extension. In our example the generated configuration file is called linux-1.fw. You could copy this script file to the firewall, or you can use the built-in Firewall Builder installer.
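The field-to-iptables mapping of section 6, the NAT rule of section 7 and the script skeleton of section 8 can be seen together in a small rule compiler. This is an added example, not Firewall Builder's own code; it assumes 10.10.10.1 for the inside interface address (not stated on the page), uses a simplified Direction-to-chain mapping, and leaves out the second scenario rule, whose fields the page does not show.

```python
"""Mini rule compiler modelled on the guide's sections 6 to 8 (added example, not
Firewall Builder's own code): Policy/NAT rule fields -> iptables commands -> script."""
from dataclasses import dataclass
from typing import List, Optional

# Interfaces from the guide: eth0 "outside" 192.0.2.1/28, eth1 "inside", lo.
# The inside interface address is not on the page; 10.10.10.1 is an assumption.
INTERFACES = {"outside": ("eth0", "192.0.2.1"), "inside": ("eth1", "10.10.10.1"),
              "loopback": ("lo", "127.0.0.1")}
INTERNAL_NETWORK = "10.10.10.0/24"
TARGETS = {"accept": "ACCEPT", "deny": "DROP", "reject": "REJECT"}
# Simplified form of the guide's "roughly translates to" Direction -> chain mapping.
CHAINS = {"inbound": ["INPUT"], "outbound": ["OUTPUT"], "both": ["INPUT", "OUTPUT", "FORWARD"]}


@dataclass
class Rule:
    num: int
    src: str = "0/0"                 # Any, the guide's default
    dst: str = "0/0"
    proto: Optional[str] = None      # e.g. "tcp"
    dport: Optional[int] = None
    iface: Optional[str] = None      # interface label; None means All
    direction: str = "both"          # inbound | outbound | both
    action: str = "deny"             # a new rule defaults to deny all
    logging: bool = True             # Logging On is the default


def compile_rule(r: Rule) -> List[str]:
    """One Policy rule -> iptables commands, one per chain (two with logging on)."""
    target, cmds = TARGETS[r.action], []
    for chain in CHAINS[r.direction]:
        match = [f"-A {chain}"]
        if r.iface:  # -o on OUTPUT, -i on INPUT and FORWARD
            match.append(f"{'-o' if chain == 'OUTPUT' else '-i'} {INTERFACES[r.iface][0]}")
        if r.proto:
            match.append(f"-p {r.proto}")
        for flag, value in (("-s", r.src), ("-d", r.dst), ("--dport", r.dport)):
            if value and value != "0/0":  # Any / unset add no match option
                match.append(f"{flag} {value}")
        m = " ".join(match)
        if r.logging:  # same match with the LOG target first, then the real action
            cmds.append(f'$IPTABLES {m} -j LOG --log-prefix "RULE {r.num} -- {target} "')
        cmds.append(f"$IPTABLES {m} -j {target}")
    return cmds


def compile_nat(orig_src: str, translated_iface: str) -> str:
    """Section 7: rewrite the source of orig_src to the named interface's address."""
    ifname, ip = INTERFACES[translated_iface]
    return f"$IPTABLES -t nat -A POSTROUTING -o {ifname} -s {orig_src} -j SNAT --to-source {ip}"


def allows_management_ssh(cmds: List[str], mgmt_ip: str) -> bool:
    """Lockout check for the section 8 note: does some rule accept SSH to mgmt_ip?"""
    return any(f"-d {mgmt_ip}" in c and "--dport 22" in c and c.endswith("-j ACCEPT")
               for c in cmds)


def build_script(rules: List[Rule], nat: List[str]) -> str:
    """Skeleton of the linux-1.fw script: default deny, Policy rules, then NAT."""
    lines = ["#!/bin/sh", "IPTABLES=/sbin/iptables"]
    lines += [f"$IPTABLES -P {c} DROP" for c in ("INPUT", "OUTPUT", "FORWARD")]  # deny by default
    for r in rules:
        lines.append(f"# Rule {r.num}")
        lines += compile_rule(r)
    lines += ["# NAT"] + nat
    return "\n".join(lines) + "\n"


# The guide's rules: loopback first (section 6.1 note), then SSH from Internal Network
# to the inside interface, Inbound, Accept. The second scenario rule is not on the page.
EXAMPLE_RULES = [
    Rule(0, iface="loopback", action="accept", logging=False),
    Rule(1, src=INTERNAL_NETWORK, dst=INTERFACES["inside"][1], proto="tcp", dport=22,
         iface="inside", direction="inbound", action="accept"),
]
EXAMPLE_NAT = [compile_nat(INTERNAL_NETWORK, "outside")]

if __name__ == "__main__":
    print(build_script(EXAMPLE_RULES, EXAMPLE_NAT), end="")
```

Running allows_management_ssh over the compiled commands before installing is the programmatic form of the lockout check the guide asks for; compare the printed script with the iptables section of linux-1.fw.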

    Installing

    Firewall Builder can install the generated configuration file for you using SSH and SCP. To use the installer we need to identify one of the firewall's interfaces as the Management Interface. This tells Firewall Builder which IP address to connect to on the firewall.


    Do this by double-clicking the firewall object to expand it, and then double-clicking on the interface name that you want to assign as the management interface. In this example this is interface eth1, which is the interface connected to the internal network.

    Figure 27. Setting the Management Interface

    Note

    Any time you are changing access lists on your firewall you face the risk of locking yourself out of the device. Please be careful to always inspect your firewall rules closely and make sure that you will be able to access the firewall after the iptables rules have been installed.

    To install your access lists on the firewall, click on the install icon. This will bring up a wizard where you will select the firewall to install. Click Next > to install the selected firewall.

    Figure 28. Setting Compile and Install Actions

    Firewall Builder will compile your rules, converting them into iptables command format. After the compile completes successfully click Next >. Enter your username and password.

    Figure 29. Install Dialog

    After the access list configuration is installed you will see a message at the bottom of the main window, and the status indicator in the upper left corner of the wizard will indicate whether the installation was successful.


    Figure 30. Successful Install

    By default Firewall Builder will use SCP to copy the firewall script file to the firewall. Once the script file is copied to the firewall, Firewall Builder will connect using SSH to run the script.