iptables rules are composed of chains that handle traffic at different points as it passes into and through a system (firewall, server, router, etc.). The INPUT chain is intended to handle packets destined for the system itself (think ssh login to the firewall), while the FORWARD chain (I believe) is intended to handle packets that have traveled through the firewall and are headed toward another system on the other side. As far as the absence of a "-d" entry goes, in the absence of -d, the destination is anywhere or all destinations.
Ok back to basics. The rules were mentioned in a course of Linux Server security that i'm follow in self study. However it was only mentioned that the purpose of them are for anti-spoofing. Me wouldn't be me if i wouldn't want to know what they actually mean and how they work.
Originally Posted by mizzle
In the lab exercises that followed the example were only exercises on iptables on the INPUT interface that and since there were only two eth's it was simply to solve except for the one were i have to allow traffic from an incoming TCP connection to active services on the workstation (ref #2 in the original post)
However what keeps bothering me with the forward rules is the absence of the destination. In my mind i see forward as a post office that sends traffic from point a to b. It kinda hard to position where the forward rule would be handled - but i'm probably making it a little to overcomplicated
For graphical purposed i created a little graph which has to potential to make communication more simple and the rules more comprehensible in the long run
seems to be cropped to unreable - i47.tinypic.com/b3t0yd.png
source file - i used yed graph editor to created it
message to mod - admins: i do know i can only post links if post count = 15 - but it for the better purpose of the toppic
Okay, post office is a good example.
Originally Posted by Daemorog
Let's say your linux server is just a router.
A router serves as the gateway to other networks.
Your router has a public interface (internet) and a private interface, your 192.168.x.x LAN.
Your router has the public ip 220.127.116.11 and private IP 192.168.0.1.
If a host on your LAN has IP 192.168.0.2, and wants to ping google.com, those packets aren't going through the 'input' chain of the router, they are going to be forwarded to that remote address over the interface 18.104.22.168.
If you try to ping 192.168.0.1, the router, from a machine on the LAN, that would fall into the input chain.
To emphasize some things implicit in Mizzle's description:
Originally Posted by mizzle
1) Generally speaking, the destination outgoing interface of packets is determined by a host's routing table and has nothing to do with iptables.
2) Whether a host may actually forward traffic between two interfaces as a router is determined by a system setting.
3) If a system is configured to forward traffic, the iptables FORWARD chain determines which packets may actually get forwarded based on various attributes (source, destination, protocol, port, flags, etc.). In the absence of a specific attribute, that particular attribute is considered to match any possible value of the attribute.
So, iptables does not do the forwarding, the routing function does the forwarding. Iptables just waits for packets to be routed to it and behaves per the defined rules.
your message remembered me that the gateway in the exercise is probably one with 3 network cards one for each network interface. Which makes it a little bit less complicating.
I tend to analyze and put things in my own words to help my understand technical explications:
so what you are actually saying is that when a device that is coupled to a certain eth0 [network interface] and wants to exit it (kinda bad word choice because i could imply the OUTPUT CHAIN here) the packet is forwarded to the network interface that is capable to do so
so in this case an example would probably look like the (-i) interface kinda confuses me because (-o) would be more logically for imho
iptables -A FORWARD -i (-o) eth0 (public interface 22.214.171.124) -s 192.168.0.2
or in other words 192.168.0.2 can forward traffic through the public interface to the outside world
this is probably very spoofable??
iptables -I FORWARD 1 -i eth0 -s 192.168.0.0/16 -o whatever -j DROP
iptables -I FORWARD 2 -i eth0 -s 10.0.0.0/8 -o whatever -j DROP
iptables -I FORWARD 3 -i eth1 -s ! 192.168.111.0/24 -j DROP
iptables -I FORWARD 4 -i eth2 -s ! 10.0.0.0/8 -j DROP
so basically rule one are two are saying that traffic from the outside networking is requesting to go deeper inside the logical network but that doesn't really make sense since they are already inside (aka spoofed)
rule tree and four are still a bit tricky
i would say if i get a request from a device inside the 192.168.111.0 DMZ to go to a internal or b external (which is kinda unsafe) it's OK else well what are you doing here
in the self thought process four would implies that a device from the internal network is actually from the internal
network before it can sends packets to other network interfaces
the funny part of it all it that i mostly understand all you theoretical explanations but can't map them to example just yet - well i hope i did a good job above ^^
I think you are understanding it. Basically, rule 1 says if a packet is received on eth0 (your public interface), and the source is in 192.168.0.0/16, then it is being spoofed, so no matter where it is going, drop it. Same pretty much goes for rule 2, just with a different source network. Rules 3 and 4 say if a packet is received on my internal interfaces that is not from my internal address ranges, then it is being spoofed, so no matter where it is going, drop it.
Rule 4 really should narrow the address range a bit since most people are not going to employ an entire /8 behind iptables. Also, rules 1 and 2 should be accompanied by a number of other anti-spoofing rules for addresses that should not appear on the Internet, not the least of which would be 172.16.0.0/15. If you are interested in other networks to drop, take a look here: http://www.rfc-editor.org/rfc/rfc5735.txt.
In the old days of ipchains, the interface was always referenced by -i.
Originally Posted by Daemorog
But with iptables, -i means INPUT interface, and -o means OUTPUT interface. You can also think of it as follows:
-i is for source (-s) based filtering, while
-o is for destination (-d) based filtering
NOTE: Although you can think of it as such, it is not always the case as you can mix -i with -d - ah yes, to some the power (and to others the bane) of iptables!
Firewalls can be quite difficult to understand if you are a beginner and are not referencing a routing diagram or flow chart. My best iptables flow chart can be found here:
IPTables Flow Chart Yukon Networks
That chart helped me fully understand iptables routing in my early days of firewalling and I hope it helps you too!
Thnx alot for all time you invested in answering my questions nplusplus (ton of kudos for you) and letting me come to the conclusion myself. In the begging i was quite confused coming from a windows server and cisco router background when the forward rule was invoked and how it was implemented.
To make a little summary: forward is invoked when on interface wants to send traffic to another interface. And that the -i like it always have been should be implemented as incoming
from the eth0 outside network that is actual devices somewhere on the internet for eth1 en eth2 that can be seen as devices that are coupled to these network interface devices of the DMZ and internal network accordantly.
If there isn't a destination implied it can be seen to who ever is connected.
I've been overthinking it all along, but that is easy said when you finally understand it.
About the 127.0.01 etc i do know for security reason that there are some extra ip's that should be blocked eg. (10/8, 172.16/12, 192.168/16) (RFC 1918 )
@tkb2766 thnx for the diagram kinda a bummer you have to login to actually download it though --> screenshot ftw ;). But i think it a little out of scope what i actually have to know till now but saved it anyway for further reference
Lets get going on cracking #2 together
forgot to give kudos to mizzle