Introduction to Packet Filtering in Linux

1
Introduction to Packet Filtering in Linux
Kianoosh Mokhtarian
Computer Engineering Department, Sharif University of Technology
11/23/2006
2
Packet Filtering
  • A packet filter
    • Looks at the header of packets as they pass through
    • Decides the fate of the entire packet
      → DROP
      → ACCEPT
      → something more complicated
  • Under Linux
    • Built into the kernel

3
Why Packet Filtering?
  • Control
    • Allow certain types of traffic, disallow others
    • Decide by source address, destination address, ...
  • Security
    • Restrict what can reach you
    • e.g. no telnetting to your Linux box from the network
  • Watchfulness
    • Tell the packet filter to let you know (log) if anything abnormal occurs

4
Packet Filtering Under Linux
  • In Linux kernels since the 1.1 series
    • ipfw (1.1), ipfwadm (2.0), ipchains (2.2), iptables (2.4)
  • iptables
    • The user-space tool that talks to the kernel and tells it which packets to filter
    • Needs kernel 2.3.15 or beyond (the netfilter framework that iptables plugs into)
    • Answer Y to CONFIG_NETFILTER in the kernel configuration

5
iptables
  • Inserts and deletes rules from the kernel's packet filtering table
  • Whatever you set up will be lost upon reboot
  • Making it permanent
    • iptables-save and iptables-restore save the whole ruleset to a file and restore it from that file
    • Or put the iptables commands required to set up your rules in an initialization script

6
How Packets Traverse The Filters (1)
  • The kernel starts with 3 lists of rules in the filter table; these lists are the firewall chains
    • INPUT
    • OUTPUT
    • FORWARD
  • A chain is a checklist of rules: the packet is tested against each rule in turn
  • Policy: what happens to a packet that reaches the end of a chain without matching any rule (the default is ACCEPT; on a security-conscious box it is usually DROP)

7
How Packets Traverse The Filters (2)
  • The kernel first looks at the destination of the packet (the routing decision); that decides which chain the packet traverses

8
How Packets Traverse The Filters (3)
  • If destined for this box
    • The packet passes downwards to the INPUT chain
    • If ACCEPTed there, any process waiting for it will receive it
  • Otherwise
    • If forwarding is not enabled, or the kernel doesn't know how to forward the packet → DROP
    • Otherwise the packet goes rightwards to the FORWARD chain
    • If ACCEPTed there, the packet will be sent out
  • Packets sent by processes on this box go through the OUTPUT chain before leaving

9
Using iptables (1)
  • Start with the 3 built-in chains
  • Operations on chains
    • Create a new chain (-N)
    • Delete an empty chain (-X)
    • Change the policy for a built-in chain (-P)
    • List the rules in a chain (-L)
    • Flush the rules out of a chain (-F)
    • Zero the packet and byte counters on all rules in a chain (-Z)

10
Using iptables (2)
  • A rule inside a chain
    • A set of conditions the packet must meet
    • What to do if the packet meets them: a target
  • Manipulating rules inside a chain
    • Append a new rule to a chain (-A)
    • Insert a new rule at some position in a chain (-I)
    • Replace a rule at some position in a chain (-R)
    • Delete a rule at some position in a chain, or the first rule that matches a specification (-D)

11
Using iptables (3)
  • Example: drop all ICMP packets coming from the IP address 127.0.0.1
    • iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
  • Delete it by position (rule 1 of INPUT)
    • iptables -D INPUT 1
  • or by repeating the exact specification
    • iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP

12
Using iptables (4)
  • Filtering specifications
    • Source (-s) and destination (-d) IP addresses, single or as a network
      • 1.2.3.0/24, 1.2.3.0/255.255.255.0
    • Inversions: ! before a specification matches everything except it
      • ! 127.0.0.1
    • Protocol (-p)
      • TCP, UDP, ICMP, ...
    • Interface (-i incoming, -o outgoing)
      • ppp+ (the trailing + is a wildcard: all PPP links)

13
Using iptables (5)
  • User-defined chains
    • A rule in a built-in chain can jump (-j) to a user-defined chain, e.g. INPUT → test
    • Example: a TCP packet from 192.168.1.1 to 1.2.3.4 walks the INPUT chain; the rule that jumps to test hands it to that chain, and if test ends without a verdict the packet continues with the next rule in INPUT
    • Packets will be dropped if found to be in a loop
  • Setting a chain's policy: iptables -P FORWARD DROP
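The commands from the slides assembled into one reviewable ruleset, as an added example that is not part of the presentation: a POSIX shell script that prints a deny-by-default filter table in the format iptables-restore reads (policy DROP on INPUT and FORWARD, a user-defined log_drop chain that logs and then drops, the spoofed-loopback rule generalizing the 127.0.0.1 ICMP example, no telnet to the box as on slide 3), and applies it only when called with --apply, rolling back to the saved rules if the restore fails. The SSH port, the log prefix and the use of the conntrack and limit match modules are assumptions; printing needs nothing, applying needs root and a kernel with those modules.

```shell
#!/bin/sh
# Added example, not from the slides. Prints a host firewall in iptables-restore(8)
# format; nothing is applied unless --apply is given.

SSH_PORT="${SSH_PORT:-22}"            # assumption: admin access is SSH on port 22
LOG_PREFIX="${LOG_PREFIX:-fw-drop: }"  # assumption: prefix for the kernel log lines

# Print the complete filter table. Built-in chain policies: INPUT and FORWARD DROP
# (deny by default), OUTPUT ACCEPT. Lines starting with # are comments to iptables-restore.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:log_drop - [0:0]
# loopback is trusted; 127.0.0.0/8 arriving on any other interface is forged
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j log_drop
# replies to connections this box initiated (conntrack match, assumed available)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# admin access
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# no telnet to this box: the policy would drop it anyway, but log it explicitly
-A INPUT -p tcp --dport 23 -j log_drop
# ping works, but above 5/s the limit match stops matching and the packet falls through
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# everything else: jump to the user-defined chain, which logs and drops
-A INPUT -j log_drop
-A log_drop -m limit --limit 10/minute -j LOG --log-prefix "${LOG_PREFIX}"
-A log_drop -j DROP
COMMIT
EOF
}

# Review helper: number of rules appended to the named chain in the generated output.
count_rules() {
    gen_rules | grep -c "^-A $1 "
}

# Apply the ruleset atomically with iptables-restore, keeping the previous
# ruleset (iptables-save) so a failed load can be rolled back.
apply_rules() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    if gen_rules | iptables-restore; then
        echo "ruleset applied; previous rules saved in $backup"
    else
        echo "iptables-restore failed; restoring $backup" >&2
        iptables-restore < "$backup"
        return 1
    fi
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) gen_rules ;;   # default: print for review or for saving, e.g. ./fw.sh > /etc/iptables/rules.v4
esac
```

Saving the printed output to a file and loading it with iptables-restore from an init script is the persistence slide 5 describes; because iptables-restore loads the whole table in one step, the box is never left half-configured the way a sequence of individual iptables -A commands can be.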