The Linux kernel includes the netfilter firewall. The requirements of different networks and users are not the same, so there is no standard approach to setting up a firewall that would give you a ready-made solution for all occasions. You can manage the netfilter firewall from user space using the iptables and ip6tables commands. The difference between the two commands is that the first is for IPv4 networks and the second for IPv6 networks. Since both protocol stacks are likely to remain in use for many more years, both tools should be used together. In addition, you can use the excellent fwbuilder program, which provides graphical tools for building and presenting traffic filtering rules.

Whichever way you configure it, netfilter is the standard Linux firewall, so let's take a closer look at how it works.

netfilter uses four tables, which hold the rules for different kinds of operations on packets:

- filter: refers to the filtering rules (accept, reject, or ignore the packet);
- nat (Network Address Translation): refers to the translation of the source address, destination address, or ports of a packet;
- mangle: applies to other changes to IP packets (including the ToS, Type of Service, field and other packet parameters);
- raw: allows you to manually modify packets before they reach the connection tracking system.

The rules in each table are grouped into chains. The filter table contains three standard chains:

- INPUT: for packets whose destination is the firewall itself;
- OUTPUT: for packets that the firewall itself sends;
- FORWARD: for packets that pass through the firewall (which is neither their source nor their destination).

The nat table also contains three standard chains:

- PREROUTING: to modify inbound packets as soon as they arrive;
- POSTROUTING: to modify packets when they are ready to go on to their destination;
- OUTPUT: to modify packets generated by the firewall itself.

When processing a packet, the firewall goes through the rules of the appropriate chain one after another, and when the conditions of a rule are met, it jumps (hence the -j option, from the word "jump") to the specified action to continue processing the packet. The netfilter actions are the following:

- ACCEPT: allows the packet to continue on its way.
- REJECT: rejects the packet, generating an ICMP (Internet Control Message Protocol) error packet. The --reject-with type option of iptables allows you to specify the type of error to send.
- DROP: deletes (ignores) the packet.
- LOG: writes a message with a description of the packet to the system log (via syslogd). Note that this action does not interrupt packet processing: execution of the chain continues with the next rule. That is why logging rejected packets requires both a LOG rule and a REJECT/DROP rule. Among the commonly used parameters related to logging, the following can be noted:
- ULOG: logs a message using ulogd. This approach may be more efficient than syslogd when processing a large number of messages. Note that this action, like LOG, does not interrupt packet processing.
- chain_name: jumps to the specified chain and processes its rules.
- RETURN: interrupts the processing of the current chain and returns to the calling chain. If the current chain is one of the standard ones, there is no calling chain, so the default action (specified with the -P option of the iptables command) is performed instead.
- SNAT (nat table only): applies Source Network Address Translation (SNAT). Additional options describe exactly what changes need to be made, including the --to-source address:port option, which specifies the new source IP address of the packet and, if necessary, the port.
- DNAT (nat table only): applies Destination Network Address Translation (DNAT). Additional options describe exactly what changes need to be made, including the --to-destination address:port option, which specifies the new destination IP address and, if necessary, the port.
- MASQUERADE (nat table only): performs so-called masquerading (a special case of Source NAT).
- REDIRECT (nat table only): transparently redirects the packet to the specified port of the firewall itself. This action can be used to set up a transparent web proxy that works without any additional configuration on the client, since the client believes it is connected to the recipient while the data exchange actually goes through the proxy. The --to-ports port(s) option specifies the port or range of ports to which packets should be redirected.

Other actions, in particular those relating to the mangle table, are outside the scope of this material. Help on them can be found in the man pages iptables(8) and ip6tables(8).

▍What is ICMP?
ICMP (Internet Control Message Protocol) is used to transfer additional information about network connections. It allows you to check network connectivity using the ping command, which sends ICMP echo requests, to which the recipient is expected to respond with ICMP echo replies. This protocol is used to report packets rejected by the firewall, to indicate an overflow of a receive buffer, to suggest a better route for the next packets in the connection, and so on. The protocol is defined by several RFC documents. The first were RFC777 and RFC792, but many other documents extend or revise the protocol.

For reference, a receive buffer is a small area of memory intended for storing data after it is received from the network and before it is processed by the kernel. If this memory is full, new data cannot be received and ICMP signals the problem. As a result, the source can reduce its transfer rate (which, after some time, should ideally reach a level that balances the source and the receiver).

Note that while an IPv4 network can work without ICMP, ICMPv6 support is absolutely necessary for IPv6 networks, since this protocol combines several functions that, on IPv4 networks, were distributed between ICMPv4, the Internet Group Membership Protocol (IGMP), and the Address Resolution Protocol (ARP). ICMPv6 is defined in RFC4443.
The iptables and ip6tables commands are used to work with tables, chains and rules. Their -t table option specifies the table you plan to work with (by default, this is the filter table).

The main options for working with chains are the following:

- -L chain: prints the rules in the chain. This option is usually used together with the -n option, which disables name resolution (for example, the command iptables -n -L INPUT prints the rules for incoming packets).
- -N chain: creates a new chain. New chains are created for a variety of purposes, including testing new network services and fending off network attacks.
- -X chain: removes an empty, unused chain (for example, iptables -X ddos-attack).
- -A chain rule: appends a rule to the specified chain. Remember that rules are processed in order, starting at the head of the chain, and keep this in mind when adding new rules to chains.
- -I chain rule_num rule: inserts a rule in front of the rule with number rule_num. As with the -A option, keep the processing order in mind when inserting a new rule into a chain.
- -D chain rule_num (or -D chain rule): removes a rule from the chain. The first form identifies the rule to be deleted by its number (the iptables -L --line-numbers command prints these numbers). The second form identifies the rule by its content.
- -F chain: flushes the chain (removes all rules from it). For example, to remove all rules related to outgoing packets, use the command iptables -F OUTPUT. If you do not specify a chain with this option, all rules in the table are deleted.
- -P chain action: sets the default action, or "policy", for a given chain. Note that only standard chains can have a policy. For example, to drop all incoming traffic by default, use the command iptables -P INPUT DROP.

Each rule is written in the form conditions -j action action_options. If several conditions are described in the same rule, the final criterion is the combination of these conditions (logical AND). The combined criterion is at least as restrictive as each individual condition.

The -p protocol condition matches the protocol field of the IP packet. The most commonly used values for this condition are tcp, udp, icmp, and icmpv6. This condition can be supplemented with conditions on TCP ports using expressions like --source-port port and --destination-port port.

▍Logical negation of conditions
If you put an exclamation mark before a condition, it turns into the opposite condition. For example, an exclamation mark in the condition of the -p option lets you build an expression of the form "any packet with a protocol that differs from the specified one". This mechanism of logical negation can be applied to any other condition.
The -s address or -s network/mask condition filters packets by their source address. Similarly, the -d address or -d network/mask conditions match the destination address of the packet.

The -i interface condition matches packets that arrive on the specified network interface. The -o interface condition selects packets that leave through the given interface.

The --state state condition filters packets based on their state within a connection (this condition requires the ipt_conntrack kernel module, which tracks connections). The NEW state describes a packet requesting a new connection, ESTABLISHED a packet belonging to an existing connection, and RELATED a packet initiating a new connection that is related to an already existing one (matching this state is useful for the ftp-data connections of the "active" mode of the FTP protocol).

The iptables and ip6tables commands have many options, and mastering them requires serious study and experience. However, one of the options you will use most often is the one designed to block unwanted network traffic from a certain host or range of hosts. For example, to "silently" block incoming traffic from the IP address 10.0.1.5 and the class C subnet 31.13.74.0/24, do the following:

# iptables -A INPUT -s 10.0.1.5 -j DROP
# iptables -A INPUT -s 31.13.74.0/24 -j DROP
# iptables -n -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.1.5             0.0.0.0/0
DROP       all  --  31.13.74.0/24        0.0.0.0/0
Another commonly used iptables command is the one that allows network traffic for a particular service or port. For example, to allow users to connect via SSH, HTTP and IMAP, you can use the following commands:

# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
# iptables -n -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.1.5             0.0.0.0/0
DROP       all  --  31.13.74.0/24        0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:143
The easiest way to delete iptables rules is to refer to rules by their line number, which can be obtained with the --line-numbers option. Be careful here, though: deleting a rule changes the numbers of all the rules located below it in the chain.

# iptables -n -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  10.0.1.5             0.0.0.0/0
2    DROP       all  --  31.13.74.0/24        0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:143
# iptables -D INPUT 2
# iptables -D INPUT 1
# iptables -n -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:143
Further options of iptables and ip6tables are described in the man pages (iptables(8) and ip6tables(8)).

Creating each rule requires a separate invocation of the iptables or ip6tables command. Entering these commands manually can be time-consuming, so they are usually written in the form of a script that configures the system automatically, in the same way, every time the computer boots. Such a script can be written by hand, but there is a more advanced way: the fwbuilder program. To install it, use this command:

# apt install fwbuilder
fwbuilder translates the rules according to the addresses assigned to the objects.

The output of fwbuilder is a firewall setup script generated according to the specified rules. The modular architecture of the program allows it to generate scripts for various systems, including iptables for Linux, ipf for FreeBSD, and pf for OpenBSD.

To apply the rules at every boot, the script can be registered in an up directive of the /etc/network/interfaces file. In the following example, the script is stored at /usr/local/etc/arrakis.fw.

auto eth0
iface eth0 inet static
    address 192.168.0.1
    network 192.168.0.0
    netmask 255.255.255.0
    broadcast 192.168.0.255
    up /usr/local/etc/arrakis.fw
This assumes that you use ifupdown to configure network interfaces. If you use other tools (such as NetworkManager or systemd-networkd), refer to their documentation to find out how to run the script after the interface is brought up.
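The kind of script such an up directive runs, as an added example that is not from the book or from this translation: a complete filter-table setup assembled from the options described above, written as one function that takes the command to run (iptables or ip6tables) so that the same rule set serves both stacks. The function name apply_rules, the log prefix and the FW_APPLY variable are assumptions of this example; the blocked addresses and service ports are the ones used in the text.

```shell
#!/bin/sh
# Added example (not from the book or the habr translation): a boot-time
# firewall script in the style of /usr/local/etc/arrakis.fw, assembled from
# the iptables options discussed above. apply_rules takes the command to run
# (iptables or ip6tables) so one rule set serves both stacks; any further
# arguments are source addresses to drop silently.
set -e

apply_rules() {
    ipt="$1"
    shift
    case "$ipt" in
        *ip6tables) icmp=icmpv6 ;;   # ICMPv6 is mandatory for IPv6 to work
        *)          icmp=icmp ;;
    esac
    # Start from an empty filter table and set default policies (-P): what
    # the rules below do not accept explicitly is dropped.
    "$ipt" -F
    "$ipt" -X
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT

    # Loopback, packets of connections we already accepted, and ICMP.
    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A INPUT -p "$icmp" -j ACCEPT

    # Silently block the given hosts/subnets, as in the examples above.
    for src in "$@"; do
        "$ipt" -A INPUT -s "$src" -j DROP
    done

    # New connections to the services we offer (SSH, HTTP, IMAP).
    for port in 22 80 143; do
        "$ipt" -A INPUT -m state --state NEW -p tcp --dport "$port" -j ACCEPT
    done

    # LOG does not stop chain processing, so DROP follows it. The limit
    # match keeps a flood of rejected packets from filling the system log.
    "$ipt" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    "$ipt" -A INPUT -j DROP
}

# Run as root, for example from an "up" directive in /etc/network/interfaces.
if [ "${FW_APPLY:-0}" = "1" ]; then
    apply_rules iptables 10.0.1.5 31.13.74.0/24   # addresses from the text above
    apply_rules ip6tables
fi
```

Running it with FW_APPLY=1 as root applies the rules; without that variable the file only defines the function, so the generated commands can be inspected by passing a stub in place of iptables.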
In this section we looked at the netfilter firewall built into the Linux kernel and discussed managing IPv4 and IPv6 traffic using the iptables and ip6tables commands. We looked at fwbuilder, a graphical tool for creating rules, and showed how to apply rules automatically when the system boots. Next time we will share with you the translation of section 7.5, which is dedicated to monitoring Kali Linux.

Source: https://habr.com/ru/post/338480/