IPTables Tips and Tricks: More

Than Just ACCEPT and DROP

Gary Smith, Pacific Northwest National
Laboratory

A Little Context
The Five Golden Principles of Security
Know your system
Principle of Least Privilege
Defense in Depth
Protection is key but detection is a must.
Know your enemy.

Avoiding Locking Yourself Out

Scenario: You are going to make changes to the IPTables
policy rules. You want to avoid locking yourself, and
potentially everybody else out too (this costs time and
money).
Tips #1: Take a backup of your IPTables configuration
before you ever start working on it.
/sbin/iptablessave>/root/iptablesworks

Even better, include a timestamp as part of the file name:

/sbin/iptablessave>/root/iptablesworks`date+%F`

You get a file with a name like

/root/IPTablesworks20140414.

If you do something that prevents your system from

working, you can quickly restore it.
/sbin/iptablesrestore<
/root/iptablesworks20140414
3

Avoiding Locking Yourself Out (2)

Tip #2: Every time you create a backup copy of the
IPTables policy, create a link to the file with latest as part
of the name.
lns/root/iptablesworks`date+%F`
/root/iptablesworkslatest

Create a cron script that will reload to your latest working

saved policy every 5 minutes during testing.

Avoiding Locking Yourself Out (3)

Tip #3: Have an IPMI/KVM console ready and waiting.
If youre working on a physical server, connect to the IPMI
port on the server and log into the server.
If youre working on a VM, start up a console session on
the VM and log into the VM.

Avoiding Locking Yourself Out (4)

Tip #4: Put specific rules at the top of the policy and
generic rules at the bottom.
The more criteria you specify in the rule, the less chance
you will have of locking yourself out.
iptablesAINPUTptcpdport22s
10.0.0.0/8d192.168.100.101jDROP

Avoid generic rules like this at the top of the policy rules:
iptablesAINPUTptcpdport22jDROP

There are plenty of ways that you can be more specific.

For example, using "-i eth0" will limit the processing to a
single NIC in your server.
This way, it will not apply the rule to eth1.

Avoiding Locking Yourself Out (5)

Tip #5: Whitelist your IP address at the top of your policy
rules.
This is a very effective method of not getting locked out.
Everybody else, not so much.
iptablesIINPUTs<yourIP>jACCEPT

You need to put this as the FIRST rule in order for it to

work properly.
Remember, "-I" inserts it as the first rule; "-A" appends it
to the end of the list.

Avoiding Locking Yourself Out (6)

Tip #6: Know and understand all of the rules in your
current policy.
Not making the mistake in the first place is half the battle.
If you understand the inner workings behind your
IPTables policy, it will make your life easier.
Draw a flow chart if you must.
Also remember: What the policy does and what it is
supposed to do can be two different things.

Setting Up a Workstation Firewall Policy

Scenario: You want to set up a workstation with a
restrictive firewall policy:
Tip #1: Set the default policy as DROP.
Tip #2: Allow only the minimum amount of services
needed to let the user get work done.
#SetadefaultpolicyofDROP
*filter
:INPUTDROP[0:0]
:FORWARDDROP[0:0]
:OUTPUTDROP[0:0]

Setting Up a Workstation Firewall Policy (2)

#Acceptanyrelatedorestablishedconnections
IINPUT1mstatestateRELATED,ESTABLISHEDjACCEPT
IOUTPUT1mstatestateRELATED,ESTABLISHEDjACCEPT
#Allowalltrafficontheloopbackinterface
AINPUTilojACCEPT
AOUTPUTolojACCEPT
#AllowoutboundDHCPrequest
AOUTPUToeth0pudpdport67:68sport67:68j
ACCEPT

10

Setting Up a Workstation Firewall Policy (3)

#AllowinboundSSH
AINPUTieth0ptcpmtcpdport22mstatestate
NEWjACCEPT
#Allowoutboundemail
AINPUTieth0ptcpmtcpdport25mstatestate
NEWjACCEPT
#OutboundDNSlookups
AOUTPUToeth0pudpmudpdport53jACCEPT
#OutboundPINGrequests
AOUTPUToeth0picmpjACCEPT
#OutboundNetworkTimeProtocol(NTP)request
AOUTPUToeth0pudpdport123sport123jACCEPT
11

Setting Up a Workstation Firewall Policy (4)

#OutboundHTTP
AOUTPUToeth0ptcpmtcpdport80mstatestate
NEWjACCEPT
AOUTPUToeth0ptcpmtcpdport443mstate
stateNEWjACCEPT
COMMIT

12

Restricting an IP Address Range

Scenario: Youre employees are spending too much time
on Facebook and not getting their work done.
You want to block access to Facebook.
Tip: Use this process to block access to Facebook.
Find out all ip addresses of facebook.com:
hosttawww.facebook.com
www.facebook.comisanaliasfor
star.c10r.facebook.com.
star.c10r.facebook.comhasaddress31.13.65.17
whois31.13.65.17|grepinetnum
inetnum:31.13.64.031.13.127.255

13

Restricting an IP Address Range (2)

Convert that range to CIDR notation
(http://www.ipaddressguide.com/cidr) and you get 31.13.64.0/18.
To prevent outgoing access to www.facebook.com, do
iptablesAOUTPUTptcpieth0oeth1
d31.13.64.0/18jDROP

14

Regulating by Time
Scenario: The backlash from your employees over
denying access to Facebook is causes you to relent (a
little). You decide to allow access to facebook.com only at
lunch time (1200 to 1300).
Tip: Use the time features of IPTables to open up the
access.
iptablesAOUTPUTptcpmmultiportdport
http,httpsieth0oeth1mtimetimestart12:00
timestop13:00d31.13.64.0/18jACCEPT

This presumes a default policy of DROP.

15

Regulating by Time (2)

Scenario: Drop all TCP/UDP traffic during service hours
(between 02:00 and 03:00), that is, for maintenances
tasks which should not be disrupted by incoming traffic.
iptablesAINPUTptcpmtimetimestart02:00
timestop03:00jDROP
iptablesAINPUTpudpmtimetimestart02:00
timestop03:00jDROP

16

Limiting Connections with IPTables

Scenario: You suspect a bad actor is attempting to DoS
your webserver.
Tip #1: You can restrict the number of connections a
single IP address can have to your webserver.
iptablesAINPUTptcpsynmmultiportdport
80,443mconnlimitconnlimitabove20jREJECT
rejectwithtcpreset

17

Limiting Connections by Time (2)

Tip #2: You can drop incoming connections if the IP
address makes more than 10 connections to port 80/443
in 100 seconds.
iptablesAINPUTptcpmmultiportdport80,443
mstatedstateNEWmrecentset
iptablesAINPUTptcpmmultiportdport80,443
mstatestateNEWmrecentupdateseconds100
hitcount10jDROP

18

Monitoring IPTables
Scenario: You would like to monitor whats going on with
IPTables in real time, sort of like with top.
Tip #1: Issue this command as root:
watchinterval=5iptablesnvL|grepv"00"

Note: the spacing on the grep command is important.

The result looks like this:

19

Monitoring IPTables (2)

20

Monitoring IPTables (3)

Tip #2: Use this Perl script from perlmonks.org
http://www.perlmonks.org/?node_id=513732. It does a
more comprehensive display.

21

Monitoring IPTables (4)

22

Reporting on IPTables
Scenario: You (Your boss) think(s) this dynamic stuff is
just great, but a daily activity report would also be great.
Tip: Use FWReport (http://fwreport.sourceforge.net/).
FWReport is a log parser and reporting tool for IPTables.
It generates daily and monthly summaries of the log files,
allowing the security administrator to free up substantial
time, maintain better control over security of the network,
and reduce unnoticed attacks.

23

Reporting on IPTables (2)

24

Visualizing IPTables Log Files

Scenario: Its almost time for the monthly operations
review and you would like to have a really great graphical
representation of the activity on the firewall for the past
month.
Tip: There is an excellent tutorial on how to use psad,
afterglow, and graphviz to visualize the activity in your
IPTables firewall logs (http://lintut.com/use-afterglow-tovisualize-iptables-logs-on-centos-rhel-fedora/)
Here are some examples:

25

Visualizing IPTables Firewall Input

26

Visualizing IPTables Firewall Output

27

In Conclusion
Weve covered many facets of IPTables; all the way from
making sure you dont lock yourself out when working
with IPTables to monitoring IPTables to visualizing the
activity of an IPTables firewall.
These are just some of the tips and tricks that exist for
IPTables.
These will get you started down the path to realizing even
more IPTables tips and tricks.
There REALLY is more to IPTables than just ACCEPT and
DROP.

28

References
Convert an address range to CIDR www.ipaddressguide.com/cidr
Real-time IPTables Monitor - www.perlmonks.org/?
node_id=513732
FWReport - http://fwreport.sourceforge.net
Using Afterglow to Visualize IPTables Logs http://lintut.com/use-afterglow-to-visualize-IPTables-logson-centos-rhel-fedora/
IPTables - http://www.netfilter.org/

29

Questions?
Gary Smith
Information System Security Officer, Molecular
Science Computing, Pacific Northwest National
Laboratory
Richland, WA
gary.smith@pnnl.gov

30