Firewall with IPTables

Semidragon · August 9, 2022

Firewall using GPU


What is IPTables?

IPTables is a packet filtering tool written in C by the Netfilter Project.
The actual packet filtering is done by the Netfilter module inside the Linux kernel; iptables is the user-space tool that manages the rules Netfilter applies.

IPTables Chain

IPTables manages firewall rules by chain.
1. INPUT Chain : Filters packets coming from outside into the server.
2. OUTPUT Chain : Filters packets going from the server out to the outside.
3. FORWARD Chain : Filters packets that pass through the server on their way elsewhere. (Used in bridge interface configurations.)

Current Chains:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
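As an added example (not part of the original post), a small parser for this `iptables -L -n` listing format that flags built-in chains whose ACCEPT policy has no rules in front of it, and ACCEPT-all rules worth a second look. The embedded listing is an abridged copy of the one shown above; the function and variable names are my own.

```python
import re

BUILTIN = {"INPUT", "OUTPUT", "FORWARD"}   # built-in chains of the filter table
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)$")

def parse_listing(text):
    """Parse `iptables -L -n` output into {chain: {"policy": ..., "rules": [...]}}.
    User-defined chains get policy None: they RETURN to the calling chain."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = {"policy": m.group(2), "rules": []}
            chains[m.group(1)] = current
        elif line and not line.startswith("target") and current is not None:
            target, prot, _opt, src, dst, *extra = line.split(None, 5)
            current["rules"].append({"target": target, "prot": prot, "src": src,
                                     "dst": dst, "match": extra[0] if extra else ""})
    return chains

def open_builtin_chains(chains):
    """Built-in chains that let everything through: policy ACCEPT and no rules."""
    return sorted(n for n, c in chains.items()
                  if n in BUILTIN and c["policy"] == "ACCEPT" and not c["rules"])

def accept_all_rules(chains, name):
    """1-based positions of rules in `name` that ACCEPT any address with no visible
    extra match. `-L` hides -i/-o interface matches, so confirm hits with `-L -n -v`."""
    return [i for i, r in enumerate(chains[name]["rules"], 1)
            if r["target"] == "ACCEPT" and r["src"] == r["dst"] == "0.0.0.0/0"
            and not r["match"]]

# Abridged copy of the listing shown above (a Docker host; FORWARD policy DROP).
LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""
```

On the listing above, `open_builtin_chains` reports INPUT: with an ACCEPT policy and no rules, every inbound packet is accepted.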

IPTables Command

Basic Commands

  • -L : Lists the rules currently applied.
  • -A : Appends a new rule to the end of a chain.
  • -I : Inserts a rule at a given position in a chain (the top of the chain by default).
  • -R : Replaces the rule at a given position in a chain.
  • -D : Deletes the rule at a given position in a chain.
  • -N : Creates a new user-defined chain. (In addition to INPUT, OUTPUT, and FORWARD.)
  • -P : Sets the default policy of a built-in chain (what happens to packets no rule matched).
  • -F : Flushes all rules from a chain.
  • -Z : Zeroes the packet and byte counters for all rules in a chain.
  • -X : Deletes an empty user-defined chain.

ex)

  • iptables -L : Prints the list of applied rules.
  • iptables -D INPUT 1 : Deletes the rule on the first line of the INPUT chain.

Control Option Commands

  • -s : Matches the source address of the packet.
  • -d : Matches the destination address of the packet.
  • -j : Sets the target, i.e. what happens to a matching packet (ACCEPT, DROP, LOG, or a jump to a user-defined chain).
  • -p : Matches the protocol (tcp, udp, icmp, ...).
  • --sport : Matches the source port.
  • --dport : Matches the destination port.

ex)

  • iptables -A INPUT -s 192.168.0.5 -j DROP : Blocks all packets coming from 192.168.0.5.
  • iptables -A INPUT ! -d 192.168.0.10 -j ACCEPT : Accepts the packet unless it is destined for 192.168.0.10.
  • iptables -A INPUT -p tcp -j ACCEPT : Allows TCP packets.
  • iptables -A INPUT -p tcp --dport 80 -j DROP : Blocks TCP packets destined for port 80.

Simple IPTables experiment I: ICMP Block

Ping Disable
ICMP ping before

iptables -N ICMP
iptables -A INPUT -p icmp -j ICMP
iptables -A ICMP -p icmp --icmp-type 8 -j DROP

Add rules to iptables so that the host does not respond to ICMP echo requests.

  • iptables -N ICMP : Creates a new chain called ICMP in the table.
  • iptables -A INPUT -p icmp -j ICMP : Adds a rule that sends every incoming ICMP packet to the ICMP chain.
  • iptables -A ICMP -p icmp --icmp-type 8 -j DROP : Drops ICMP type 8 messages (echo request) inside that chain.

When an ICMP packet arrives (INPUT chain), it is redirected to the 'ICMP' chain.

If it is ICMP type 8 (echo request), the packet is dropped.

We can see that no response to Ping happened.

Simple IPTables experiment II : UDP Flood Block

Before:

  1. Iperf Log
brian11hwang@jooyoung iperf -c 10.0.1.3 -B 10.0.1.4 -u -b 5G
------------------------------------------------------------
Client connecting to 10.0.1.3, UDP port 5001
Binding to local address 10.0.1.4
Sending 1470 byte datagrams, IPG target: 2.19 us (kalman adjust)
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  3] local 10.0.1.4 port 52229 connected with 10.0.1.3 port 80
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  2.86 GBytes  2.46 Gbits/sec
[  3] Sent 2087706 datagrams
[  3] Server Report:
[  3]  0.0-10.0 sec  2.80 GBytes  2.41 Gbits/sec   0.006 ms 41410/2087706 (2%)
  2. Tshark Log
5584414 178.703669944     10.0.1.4 → 10.0.1.3     UDP 1512 58225 → 5001 Len=1470
5584415 178.703702400     10.0.1.4 → 10.0.1.3     UDP 1512 58225 → 5001 Len=1470
5584416 178.703702416     10.0.1.4 → 10.0.1.3     UDP 1512 58225 → 5001 Len=1470
5584417 178.703702431     10.0.1.4 → 10.0.1.3     UDP 1512 58225 → 5001 Len=1470
5584418 178.703702445     10.0.1.4 → 10.0.1.3     UDP 1512 58225 → 5001 Len=1470
5584419 178.703702459     10.0.1.4 → 10.0.1.3     UDP 1512 58225 → 5001 Len=1470
5584420 178.703702473     10.0.1.4 → 10.0.1.3     UDP 1512 58225 → 5001 Len=1470
5584421 178.703702488     10.0.1.4 → 10.0.1.3     UDP 1512 58225 → 5001 Len=1470
5584422 178.703702502     10.0.1.4 → 10.0.1.3     UDP 1512 58225 → 5001 Len=1470
5584423 178.703736543     10.0.1.4 → 10.0.1.3     UDP 1512 58225 → 5001 Len=1470
5584424 178.703736557     10.0.1.4 → 10.0.1.3     UDP 1512 58225 → 5001 Len=1470
5584425 178.703736572     10.0.1.4 → 10.0.1.3     UDP 1512 58225 → 5001 Len=1470
5584426 178.703736587     10.0.1.4 → 10.0.1.3     UDP 1512 58225 → 5001 Len=1470
5584427 178.721185099     10.0.1.3 → 10.0.1.4     UDP 1512 5001 → 58225 Len=1470

Even though the traffic is UDP, the iperf server periodically sends an acknowledgement back to the client for status reporting (the last line above, 10.0.1.3 → 10.0.1.4).

Iptables Setting:

iptables -N UDP
iptables -A INPUT -p udp -j UDP
iptables -I UDP -p udp -d 10.0.1.3 --dport 5001 -j DROP
iptables -A UDP -j LOG --log-prefix "UDP FLOOD"

(iperf uses port 5001.)

After:

brian11hwang@jooyoung iperf -c 10.0.1.3 -B 10.0.1.4 -u -b 5G
------------------------------------------------------------
Client connecting to 10.0.1.3, UDP port 5001
Binding to local address 10.0.1.4
Sending 1470 byte datagrams, IPG target: 2.19 us (kalman adjust)
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  3] local 10.0.1.4 port 56652 connected with 10.0.1.3 port 5001
[  3] WARNING: did not receive ack of last datagram after 10 tries.
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  6.25 GBytes  5.37 Gbits/sec
[  3] Sent 4565229 datagrams

After the rules are applied, the client never receives the ACK, because iptables drops every datagram sent to port 5001 before it reaches the iperf server; the server therefore never knows it should send one.
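As an added example (not part of the original post), a small detector that reads kernel log lines produced by a `LOG --log-prefix "UDP FLOOD"` rule like the one above and flags flows that exceed a per-second datagram threshold; the log lines are constructed, not captured, and the function names are my own. It assumes dmesg-style `[seconds]` timestamps and that the LOG rule is actually reached: rules are matched in order, so with the DROP inserted ahead of it by `-I`, the LOG rule above only records UDP packets that the DROP does not match.

```python
import re
from collections import defaultdict

# Shaped like an iptables LOG entry in dmesg form; the page's prefix "UDP FLOOD"
# has no trailing space, so it runs straight into the "IN=" field.
TS_RE = re.compile(r"^\[\s*([\d.]+)\]\s*UDP FLOOD")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return (timestamp, {field: value}) for a 'UDP FLOOD' line, else None.
    LEN appears twice (IP header, then UDP); dict() keeps the UDP one."""
    m = TS_RE.match(line)
    if not m:
        return None
    return float(m.group(1)), dict(FIELD_RE.findall(line))

def detect_floods(lines, window=1.0, threshold=100):
    """Peak datagram count per (SRC, DST, DPT) in any sliding `window` seconds;
    returns the flows whose peak reaches `threshold`."""
    flows = defaultdict(list)
    for line in lines:
        parsed = parse_log_line(line)
        if parsed and parsed[1].get("PROTO") == "UDP":
            ts, f = parsed
            flows[(f["SRC"], f["DST"], f["DPT"])].append(ts)
    flagged = {}
    for key, times in flows.items():
        times.sort()
        start, peak = 0, 0
        for i, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged

def make_line(ts, src, dst, spt, dpt):
    """Build one constructed LOG line (hypothetical sample data)."""
    return (f"[{ts:.6f}] UDP FLOODIN=eth0 OUT= SRC={src} DST={dst} LEN=1498 "
            f"TTL=64 PROTO=UDP SPT={spt} DPT={dpt} LEN=1478")

# 150 datagrams in about 2 ms from the iperf client, plus a slow, benign client.
SAMPLE = ([make_line(178.70 + i * 0.0000143, "10.0.1.4", "10.0.1.3", 58225, 5001)
           for i in range(150)]
          + [make_line(170.0 + i, "10.0.1.7", "10.0.1.3", 40000, 5001)
             for i in range(3)])

if __name__ == "__main__":
    for (src, dst, dport), peak in detect_floods(SAMPLE).items():
        print(f"flood: {src} -> {dst}:{dport}, {peak} datagrams in one second")
```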

Semidragon's network [CS undergrad @ Sungkyunkwan University | Networks + System @ CSI]
