Linux Security Using IPTables: Configuration And Testing

Importance of IPTables Firewall

Discuss about the Linux Security Using Iptables.

All the IT systems connected in the internet are always under various threats. Linux servers are used for most of the web based application hosting purposes. Hence Linux web based servers are under serious security threat always. Hardware firewalls are used to prevent security breaches in the network. Hardware firewalls got their own disadvantages. The cannot solve all the firewall objectives. IPTables is the software firewall used in most of the Linux operating systems (Baki Billah & Rahman, 2013).

A brief study about the IPTables will be done. Various configurations will be done in IPTables and the configurations are tested.  Main uses and limitations will be discussed later.

The IPTables follows some setup rules based on some set of policies. When data request comes the rules will be checked and communication path will be controlled based on the rules. IPTable will check the source and destination IP addresses, requested service protocol, duration and many other things. All these details will be checked for any suitable match in the rules. If the match is there then the action defined in the IPTables will be done. Otherwise default rules will apply to that data transfer communication (Bauer & Bauer, 2005).

Kali Linux is installed in a virtual server. Installed I P tables using the following command.

The present rules of the IP tables will be listed out using the following command.

The structure of the chain policies are as follows.

To check the existing rules of the IPTables rules use the following command.

Default INPUT, OUTPUT, Forward rules will be shows as follows ("7.4. FORWARD and NAT Rules", 2016).

To discard the present rules (Not default rules) and to restart the firewall

Configuration of IPT IPTable Firewall

This rule is to block SSH packets from any IP or IP ranges ("How To List and Delete Iptables Firewall Rules | DigitalOcean", 2016).

Iptables  -l INPUT –s 192.168.100.100 –p tcp –dport ssh –j REJECT

Tested SSH access from 192.168.100.100 to the server 192.168.1.1 and got connection refused result ("HowTos/Network/IPTables - CentOS Wiki", 2016)

If we check the logs of the IPTables

Discarded the existing IPTable rules. The following rule allows the SSH connections from outside ("iptables - Debian Wiki", 2016).

For outgoing ports, the following rule allows SSH connection ("iptables - Debian Wiki", 2016)

To block the PING responses (XenServer et al., 2016)

# echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

Installation of IP Tables

To block ping permanently the following command needs to go to /etc/sysctl.conf

net.ipv4.icmp_echo_ignore_all = 1

To set these changes without rebooting the system

# sysctl –p

This is mainly used in web servers where the service port for web services is 80. To reject web service request at port 80.

Block incoming traffic connection to your IP address of your virtual machine.

The following rule will block all the incoming connections to IP Address of 192.168.1.1

Iptables -A INPUT -i eth0 -s 192.168.1.1/16 -j DROP

Block all the incoming connect ions from a specific MAC address

Block all the incoming connect ions from a specific MAC address and a port

Allow traffic coming to port 80 (inbound) but reject traffic going out (outbound) through port 80.

To start the real testing process, firstly installed all the iptables in the operating system Kali Linux. Then, checked the rules present in the firewall, after completing the checks ensured to save and restore the present rules in the form of a text file. Once this process is completed, all the required tests can be started. The point to be remembered is that, before carryout any test the previous test rules must be deleted ("Iptables Essentials: Common Firewall Rules and Commands | DigitalOcean", 2016) ("IptablesHowTo - Community Help Wiki", 2016).

The first test is carried out for rejecting all the SSH packets. In order to complete this test ifconfig language is used. This will be helpful to make connection with the internal network. So once the connection is established, on the destination port 22 the tcp packets must be rejected. Further, made sure that the line number and the rules match with each other. To check whether the test is completed successfully, use another system with a different IP address and check whether the connection works or not. In case, if the connection is rejected by the host then it means that the test is successfully completed and it has rejected all the SSH packets.

As mentioned earlier, ensure to delete the previously used rules. This test is carried out to establish ssh connection. The very first step of this test will be to accept the tcp packets from the destination port 22. Then use another system with a different IP address and check whether the connection works or not. In case, if the connection is accepted by the host then it means that the test is successfully completed and it has accepted the SSH connection if not the connection has failed.

Listing current rules

From the previous test, delete all the previously used rules. This test is carried out to check whether a connection is established and able to ping the other system with different IP address. The first step of this test will be to reject the icmp packets for denying the ping. After rejecting the icmp packets check whether it is possible to ping the other IP address system or not.

Delete all the previously used rules from the previous test. This test is carried out to check the rejection of traffic from the port 80. The first step of this test will be rejecting the traffic that comes from the port 80. Then the next is to check whether the website server is installed. If the website server is installed then the web page will be connected from another system with a different IP address and if not the port 80 is rejecting all the traffic coming from it.

Delete all the previously used rules from the previous test. This test is carried out to check whether all the traffic is blocked or not. The first step of this test will be to drop all the internal access from the host. Then use another system with a different IP address for pinging the host machine. Thus, it shows whether the traffic connection is blocked or not.

Delete all the previously used rules from the previous test. This test is carried out to check whether the port 80 has become a one way traffic port. The first step of this test will be to reject all the traffic that goes out and comes in from the port 80. Next step is to use another system with a different IP address and the host machine for testing whether it is possible to connect with the web server or not. In case, if the host machine fails to receive the connection and if the other system with a different IP address has successfully established connection then it means that the port 80 has become a one way traffic port.

It got lot of advantages. The ipchain’s design is dropped completely and a new architecture is implemented called as Netfilier. It provides a clear modular design. It creates a strong expansion. It achieves a NAT.ipchains that is dynamic in nature. These NAT.ipchains are basically addresses that are disguised as multiple pairs. It helps in achieving user filtering. It helps in achieving MAC. It helps in achieving a real filtering process that depends on the state. It helps in achieving the transiting rate limit of a packet. It helps the iptables ’of Linux with free firewall tools. And it provides open source that is free of cost. In case, if the setting of the software firewall is set right, then it functions effectively. The IP layer and the TCP layers are used for filter. It is flexible. Connection tracking is an important feature. Multiple ports can be controlled in both incoming as well as outgoing connections. One set of IP range can be allowed or rejected. Application and port level allow/reject also possible  (Jang, 2009).

Rejecting all ssh packets

IPchains got -l flag to log the activity. IPTables don't have it. IP masquerading which is supported by ipchains is not supported by iptables ("Man page of IPTABLES", 2016). For high pocket rates low performance is observed. It is difficult to maintain and got less performance.  IPTables got only two type of activities. Match and log is the first one. Match and drop is the second one. The firewalls that are hardware based are expensive. It is difficult for the user with fewer budgets to purchase the hardware based firewall (Negus & Caen, 2008).It is difficult to solve security issues. The rules are set by the iptables for controlling the data packets access. It affects the network traffic. The table of rules might be large and complicated. If the complexity increases then it becomes difficult for testing. It will contain many loopholes due to complexities and complex rules. It depends on a single component for protecting the system. The packet filtering can just help in prevention of the IP deception. One can use the port module for setting the list of ports. One can make use of network data stream for deciding the rules for the multiple network interfaces. One can ensure to avoid the deception rule of the source address. One can stop the high flow of the data in specific ports

It won't offer end to end connection but it relays the TCP connections between internal circuit and external circuit. When connecting to external network there will be a proxy before firewall. Proxy changes the IP addresses of the internal circuits to the external world. External world can see only the IPs of the proxy. Thus the internal IPs are saved. The circuit level firewall supports applications. It acts as a gateway with the help of SOCKS packages which is based on RFC 1928 based. This RFC explains the internal to external client server framework that covers both TCP and UDP domains. It got its own rules in forwarding ICMP messages.

References

7.4. FORWARD and NAT Rules. (2016). Access.redhat.com. Retrieved 15 September 2016, from https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s1-firewall-ipt-fwd.html

Baki Billah, S. & Rahman, M. (2013). Design & Development of Network Security System using IP Tables. Saarbrücken: LAP LAMBERT Academic Publishing.

Bauer, M. & Bauer, M. (2005). Linux server security. Sebastapol, CA: O'Reilly.

How To List and Delete Iptables Firewall Rules | DigitalOcean. (2016). Digitalocean.com. Retrieved 15 September 2016, from https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules

HowTos/Network/IPTables - CentOS Wiki. (2016). Wiki.centos.org. Retrieved 15 September 2016, from https://wiki.centos.org/HowTos/Network/IPTables

iptables - Debian Wiki. (2016). Wiki.debian.org. Retrieved 15 September 2016, from https://wiki.debian.org/iptables

Iptables Essentials: Common Firewall Rules and Commands | DigitalOcean. (2016). Digitalocean.com. Retrieved 15 September 2016, from https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands

IptablesHowTo - Community Help Wiki. (2016). Help.ubuntu.com. Retrieved 15 September 2016, from https://help.ubuntu.com/community/IptablesHowTo

Jang, M. (2009). Ubuntu server administration. New York: McGraw-Hill.

Man page of IPTABLES. (2016). Ipset.netfilter.org. Retrieved 15 September 2016, from https://ipset.netfilter.org/iptables.man.html

Negus, C. & Caen, F. (2008). Ubuntu Linux toolbox. Indianapolis, Ind.: Wiley Pub.

XenServer, x., XenServer, H., Linux, H., Linux, H., systems, H., & WINE, I. et al. (2016). Collection of basic Linux Firewall iptables rules. Linuxconfig.org. Retrieved 15 September 2016, from https://linuxconfig.org/collection-of-basic-linux-firewall-iptables-rules.