IP Tables

Learning outcomes:

  • Able to set up restrictions by port, IP address, application and user, including an emergency lockdown ruleset
  • Able to add/subtract firewall rules and manage iptables


  • What is a firewall
    • Firewalls are a first line of defense on your network.
    • The most basic function is to examine packets going into and out of your network
    • They can focus on IPv4 or IPv6 traffic
    • Firewalls can decide where packets go
    • Firewalls can make their path determinations by IP address, MAC address, port or even application
  • Firewall Basics
    • Firewalls have rules they follow
      • Example: All packets looking for a website on port 80 are sent to the web server
      • Example: Only one address in a company is allowed to reach the wider internet; everyone else stays confined to the company's network
      • Example: Everyone who wants to reach the customer database must come from a pre-approved IP address, so that access is known to be legitimate and approved
      • Example: Minecraft Server Setup
    • What happens to packets that don't fit a rule?
      • We go down the list until we find a rule the packet fits.
      • If no rule fits, the default policy applies: either allow or deny
      • Deny all is safer but takes more work to manage because you need to go in every time to add exceptions where appropriate
      • Allow all has dangers but is easy to manage because you change the firewall less
      • Choosing allow or deny is based on what you/company needs and how secure you need to be
    • Filtering on header fields (IP address, MAC address, port) is the easiest and fastest; inspecting packet data (the payload) is the slowest
    • You can also filter by port when a port should never be in use on that server
      • Example: A DNS server needs 53/udp and 53/tcp but has no reason to accept the web (80, 443) or email (25) ports
      • Example: Pings are good for testing connections, but answering ICMP echo requests makes the host visible to ping sweeps and nmap-style host discovery
  • Stateful vs Stateless Firewalls
    • Stateful firewalls filter based on full context
      • iptables is stateful, via its connection tracking (conntrack) module (technically so is the Windows firewall, but we're on Linux here)
      • Once a connection is accepted it is recorded in the state table, and later packets of that connection (replies and related traffic) are passed without being re-checked against the whole rule list
      • Packets that don't belong to an accepted connection are checked against the rules, and blocked if nothing allows them
      • They are often paired with IPsec (IP security) for tunnels and encryption
      • They are better at identifying unauthorized or forged traffic, such as a packet claiming to be part of a connection that was never opened
    • Stateless firewalls work on static information and don't inspect entire packets
      • For example: source and destination address are the kind of information a stateless firewall looks at
      • Packet filtering is done with matching conditions
      • These conditions are pre-approved with corresponding pre-approved actions (also known as an access control list)
      • They mainly focus on packet filtering
      • Typically faster than stateful
  • Firewall Use Case Example: DDoS
    • DDoS attacks are very common, and a firewall can be a good first line of defense against them
    • There are also third-party services that specialize in DDoS prevention (a host firewall cannot help once the attack saturates your link; that traffic has to be absorbed upstream), but we can do something to help as well.
    • You could, for example, filter out a range of addresses
    • Think about the use cases for your network: are you a USA-based company with no workers or subcontractors elsewhere? Then maybe filter out non-USA IP addresses. This is a coarse filter (address-to-country mappings are approximate and attackers can use hosts anywhere), so treat it as one layer rather than a complete defense.
  • How does Linux do Firewalls?
  • Firewall Rule Chains
    • Rules are done in a chain format
    • Order matters
    • Rules are examined in order; the first rule that matches has its action performed, and no further rules in that chain are examined
    • Each chain has a default policy (ACCEPT or DROP) that applies when no rule matched; it acts as the implicit allow-all or deny-all at the end of the chain
    • There are multiple tables (filter, nat, mangle, raw), and each table has its own built-in chains. The "filter" table, which decides whether a packet is allowed or denied, has INPUT (packets to this host), OUTPUT (packets from this host) and FORWARD (packets passing through); the "nat" table has PREROUTING (before the routing decision, as packets come in) and POSTROUTING (after it, as they go out)
    • Your basic options (targets) are ACCEPT, DROP or REJECT
      • DROP denies silently, with no notification to the sender
      • REJECT sends back an error (an ICMP unreachable message, or a TCP reset if you ask for one)
    • Keep your base rules in a script (iptables rules do not survive a reboot unless something reloads them), with a variant that can be modified quickly in an emergency such as an intrusion, when you need to shut everything down fast, and so the same policy can be applied to IPv6 with ip6tables the way you apply it to IPv4 with iptables
  • DMZ and Dual Firewalls
    • Demilitarized Zone (DMZ)
    • The DMZ is where the potential problems go: internet-facing services like web, email, VoIP and FTP, so that a compromise of one of them does not land directly on the internal network
    • A dual firewall setup is where you have multiple firewalls at the same company; this is defense in depth and generally a good practice.
    • Example: An external firewall that forwards packets for the exposed services to the DMZ, and an internal firewall that protects the internal network from the DMZ
    • Example: In industry a lot of companies will also incorporate things like network firewalls and computer firewalls, and have different vendors for each so the same "holes" don't line up
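As an added example (written for this page, not code from the course or its lab PDF) of the kind of script the chain section describes: it emits a deny-by-default ruleset in iptables-restore format, so the whole policy is loaded atomically, serves both IPv4 and IPv6 from the same code, drops blocked address ranges first in the chain (the "filter out a range" idea from the DDoS section, and a demonstration that order matters), and has an emergency lockdown mode that admits only an SSH session from one admin address. The admin host 203.0.113.10, the service ports 22 and 80, and the FW_BLOCK variable are hypothetical values chosen for the example.

```shell
#!/bin/sh
# Added example: generate iptables/ip6tables rulesets in iptables-restore
# format.  Hypothetical values: admin host 203.0.113.10, services on 22/80.
#
#   sh fw.sh base 4 22 80                    | iptables-restore
#   sh fw.sh base 6 22 80                    | ip6tables-restore
#   FW_BLOCK='198.51.100.0/24' sh fw.sh base 4 22 80 | iptables-restore
#   sh fw.sh lockdown 4 203.0.113.10         | iptables-restore   # emergency

# base_rules FAMILY PORT...  ->  deny-by-default ruleset that admits loopback,
# replies to our own connections, and new TCP connections to PORT...
# Any CIDR ranges in $FW_BLOCK are dropped before anything else is considered.
base_rules() {
    fam=$1; shift
    case $fam in
        4) icmp='-p icmp --icmp-type echo-request -m limit --limit 5/second' ;;
        # IPv6 depends on ICMPv6 (neighbour discovery, PMTU): never drop it wholesale
        6) icmp='-p ipv6-icmp' ;;
        *) echo "base_rules: family must be 4 or 6" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
EOF
    # Blocked ranges go first so they cannot sneak through as "established".
    for net in $FW_BLOCK; do
        echo "-A INPUT -s $net -j DROP"
    done
    cat <<EOF
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT $icmp -j ACCEPT
EOF
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of whatever falls through to the DROP policy.
    cat <<'EOF'
-A INPUT -m limit --limit 10/minute -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# lockdown_rules FAMILY ADMIN_IP  ->  emergency ruleset: only a new SSH session
# from ADMIN_IP may come in, only replies to existing connections may go out.
lockdown_rules() {
    fam=$1; admin=$2
    case $fam in
        4|6) ;;
        *) echo "lockdown_rules: family must be 4 or 6" >&2; return 1 ;;
    esac
    [ -n "$admin" ] || { echo "lockdown_rules: admin address required" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $admin -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 10/minute -j LOG --log-prefix "lockdown-drop: "
COMMIT
EOF
}

# Command-line entry point; does nothing when the file is sourced without args.
mode=${1:-}
if [ -n "$mode" ]; then
    shift
    case $mode in
        base)     base_rules "$@" ;;
        lockdown) lockdown_rules "$@" ;;
        *) echo "usage: $0 base FAMILY PORT... | lockdown FAMILY ADMIN_IP" >&2; exit 2 ;;
    esac
fi
```

The chain policies (`:INPUT DROP`) are the deny-all "last rule" from the chain section, and iptables-restore replaces the whole filter table, so running the base mode again after a lockdown restores normal service. Rules loaded this way still vanish on reboot unless the distribution's persistence mechanism saves them.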

Suggested Activities and Discussion Topics:

  • In small groups, work out what should happen on your server during a DDoS event. Make a list of priorities and spec them out as if you were writing a script
  • In groups of 3, write a script to show the iptables rules and the ip6tables rules, with headings and titles so it is clear what you are looking at.
  • In pairs, write a script that shuts out everyone on the system except you (an alternative to a full shutdown)
  • Individually, go through the documentation for one server you are running and one server you are NOT running and see what the firewall options are: is it a script? A program? A GUI? Does it persist on reboot?
  • Complete the lab found in the linked PDF. Pay careful attention to the requirements.
