Wednesday, December 14, 2011

IP Packet Filtering: iptables Explained For Beginners

iptables is an IP filter that ships with the Linux kernel. Strictly speaking an IP filter works at the network layer of the TCP/IP stack, but iptables can also match on data-link information (interface) and transport-layer information (ports). In a broad sense, iptables consists of tables, each table consists of chains, and each chain is a list of rules.
Default tables are:
  1. Raw
  2. Mangle
  3. NAT
  4. Filter
Default chains are (yes, they are written in upper case):
  1. PREROUTING: used by raw, mangle and nat tables
  2. INPUT: used by mangle and filter tables
  3. FORWARD: used by mangle and filter tables
  4. OUTPUT: used by raw, mangle, nat and filter tables
  5. POSTROUTING: used by mangle and nat tables
I'll discuss the Filter table here. It is the one most commonly used, but if you are interested in the others as well you can find a detailed tutorial at frozentux. The Filter table uses three chains: INPUT, FORWARD and OUTPUT.
  • INPUT chain is for packets meant for your own local machine. The reply to an http request made by your browser goes through the INPUT chain.
  • OUTPUT chain is for packets going out of your machine. The http request made by your browser goes through this chain.
  • FORWARD chain is for packets which you receive but which are not meant for you: your machine is only supposed to forward them to another device. This generally happens when the machine is configured as a gateway or something similar.
Now, every iptables rule has a "target" which is executed when the packet matches the rule's "criteria". The following are the most common targets:
  • ACCEPT: The packet is accepted and goes on to the application (or is forwarded) for processing.
  • DROP: The packet is dropped. No information regarding the drop is sent to the sender.
  • REJECT: The packet is dropped and an error message (an ICMP error, or a TCP reset for tcp) is sent to the sender.
  • LOG: Packet details are sent to syslogd for logging. Unlike the three above, LOG is non-terminating: after logging, the packet continues to the next rule in the chain.
  • DNAT: Rewrites the destination IP of the packet
  • SNAT: Rewrites the source IP of the packet
The first four are used a lot in the Filter table. Now let us discuss some of the common criteria:
  • -p <protocol>: matches a protocol such as tcp, udp or icmp; "all" matches every protocol
  • -s <ip_addr>: matches the source IP address (a single address or a network such as 192.168.1.0/24)
  • -d <ip_addr>: matches the destination IP address
  • --sport <port>: matches the source port (only valid after -p tcp or -p udp)
  • --dport <port>: matches the destination port (only valid after -p tcp or -p udp)
  • -i <interface>: matches the interface through which the packet entered (INPUT and FORWARD chains only)
  • -o <interface>: matches the interface through which the packet exits (OUTPUT and FORWARD chains only)
Now we know the basics needed to start building our rules. Let us try to write some rules for a few hypothetical (or real) situations. First we'll set the default policy for the filter table's chains using the -P flag. The policy is the verdict applied to a packet when no rule in the chain matches it.
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP


Now we'll allow incoming http and ssh requests to reach this machine, that is, packets arriving on eth0 for port 80 or 22. Every rule needs a target, given with -j; a rule without one only counts the packets it matches, and the packet still falls through to the DROP policy:
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT

Note that the -A flag appends each rule to the end of the chain, after the rules already loaded (-I would insert it at the top instead, and -F flushes a chain). Without a command flag such as -A, iptables does not know what to do with the rule and refuses it.

Also assume that my machine acts as an ftp server, so I should allow connections on ports 20 and 21. These rules let the server's replies out; in the OUTPUT chain the interface is given with -o, since -i is only valid for packets coming in. The matching INPUT rules for --dport 20 and 21 are needed as well, exactly as for ports 80 and 22 above.
iptables -A OUTPUT -p tcp -o eth0 --sport 20 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 21 -j ACCEPT


Also I would say that I trust my internal network, so everything to and from it is accepted:
iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth0
iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth0

So this is how my final iptables script looks:

iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 20 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 21 -j ACCEPT
iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth0
iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth0
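Here is a complete, stateful version of that script as an added example (it is not the post's own script). It keeps the post's eth0 interface and 192.168.1.0/24 network, gives every rule a -j ACCEPT target, uses -o in the OUTPUT chain, opens the ftp control port on the INPUT side too, and replaces the per-port --sport reply rules with a conntrack match so the kernel admits replies to connections it already allowed. IPT defaults to "echo iptables", so the rules are only printed; set IPT=iptables and run as root to load them.

```shell
#!/bin/sh
# Added example: a stateful rewrite of the filter-table script from the post.
# IPT defaults to "echo iptables" so the rules are printed instead of loaded;
# run as root with IPT=iptables to apply them. Interface and LAN network are
# the post's values; the conntrack and loopback rules are the addition.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

build_filter_rules() {
    # Flush the filter table first so the script can be re-run without
    # appending duplicate rules.
    $IPT -t filter -F
    # Chain policies: the verdict when no rule matches.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT DROP

    # Local services talk over the loopback interface.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Packets belonging to a connection that was already accepted, in either
    # direction. This replaces the per-port --sport reply rules: the kernel
    # remembers which connections it let through.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New connections to the services this machine offers: http, ssh and the
    # ftp control port (ftp data connections are admitted as RELATED once the
    # nf_conntrack_ftp helper module is loaded).
    for port in 80 22 21; do
        $IPT -A INPUT -p tcp -i "$WAN_IF" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # Trust the internal network in both directions (the post's last two rules).
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -d "$LAN_NET" -j ACCEPT

    # Anything else falls through to the DROP policy; log it first so the
    # drops are visible in syslog. LOG does not stop the chain walk.
    $IPT -A INPUT -j LOG --log-prefix "iptables-drop: "
}

# Number of rules the script appends; handy for checking a dry run.
count_append_rules() {
    build_filter_rules | grep -c -- ' -A '
}

build_filter_rules
```

Running the script as-is prints the ten -A rules and three policies it would load, which is a convenient way to review the ruleset before applying it with IPT=iptables.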

Note that the rules in a chain are read sequentially. The first rule that matches and has a terminating target (ACCEPT, DROP or REJECT) decides the packet's fate and no later rule is read; the chain policy set with -P applies only when no rule matched. So the order in which you append rules matters.
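To make that first-match behaviour concrete, here is a small simulation added as an example (it is not iptables, just a toy model of how one chain is walked). The chain is a text table with one rule per line, "proto dport target", and the packet is described by its protocol and destination port; the sample chain is constructed for the example and includes a LOG rule and a shadowed DROP to show the two subtleties.

```shell
#!/bin/sh
# Added example: a toy simulation of how the kernel walks one filter chain.
# This is not iptables itself; it models first-match semantics with a text
# table of rules, one per line: "<proto> <dport or *> <target>".

# Constructed INPUT chain modelled on the post's ruleset, with a LOG rule
# and a shadowed DROP added to show the two subtleties.
INPUT_CHAIN='tcp 80 ACCEPT
tcp 22 LOG
tcp 22 ACCEPT
tcp 22 DROP
udp * DROP'
INPUT_POLICY=DROP

# walk_chain <proto> <dport> <chain> <policy>
# Prints the verdict for one packet: the target of the first matching rule
# with a terminating target, or the chain policy if nothing matched.
walk_chain() {
    pkt_proto=$1; pkt_dport=$2; chain=$3; policy=$4
    rule_no=0
    while read -r r_proto r_dport r_target; do
        if [ -z "$r_proto" ]; then continue; fi
        rule_no=$((rule_no + 1))
        # Every criterion must match; "*" matches any port.
        if [ "$r_proto" = "$pkt_proto" ] &&
           { [ "$r_dport" = "*" ] || [ "$r_dport" = "$pkt_dport" ]; }; then
            if [ "$r_target" = LOG ]; then
                # LOG is non-terminating: record the hit and keep walking.
                echo "rule $rule_no: LOG $pkt_proto/$pkt_dport" >&2
                continue
            fi
            # First terminating match wins; rules below it are never read.
            echo "$r_target"
            return 0
        fi
    done <<EOF
$chain
EOF
    # No rule matched: the policy set with -P decides.
    echo "$policy"
}

walk_chain tcp 80 "$INPUT_CHAIN" "$INPUT_POLICY"   # ACCEPT (rule 1)
walk_chain tcp 22 "$INPUT_CHAIN" "$INPUT_POLICY"   # ACCEPT (rule 3; rule 4 is shadowed)
walk_chain tcp 443 "$INPUT_CHAIN" "$INPUT_POLICY"  # DROP (policy)
```

The tcp/22 packet shows both points: the LOG rule writes a line and lets the walk continue, the ACCEPT on rule 3 ends it, and the DROP on rule 4 can never fire, which is the kind of shadowed rule that is easy to overlook when appending with -A.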

Sunday, December 4, 2011

Controlling Your Linux Server Using Twitter

Last weekend I wrote about "Using Twitter To Monitor Your Linux Server" using a command line client, MYST. I have added a new feature to MYST with which you can tell your server to execute commands by sending it DMs. Let us start configuring it.

Step 1: Ensure that you can send direct messages to your server's Twitter account: follow the server's account, and the server's account also needs to follow you.

Step 2: Add the following to your .myst.conf file, below the MYST section:

[Users]
auth_users: adityapatawari 

You can add more Twitter handles, separated by spaces.

Step 3: Now you can DM any command to your server's account and it will be executed. You need to ensure that the myst.py script's "getdm" option is run from cron.

MYST uses Python's os.system to execute these commands, so they run with the privileges of the user that runs myst.py; that user's access level decides whether a command received by DM can be executed or not. If you want everything to be executed, run myst.py as the superuser or via sudo.
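As an added example (this is not MYST's code, which is Python and uses os.system as described), here is the authorization step from Step 2 written as a shell function that reads the auth_users line of the [Users] section, together with an allowlist dispatcher that maps a DM keyword to a fixed command rather than handing the DM text to a shell. The .myst.conf contents and the ops_bot handle are constructed for the example; the keyword-to-command table is an assumption, not a MYST feature.

```shell
#!/bin/sh
# Added example, not MYST's own code: the authorization step the post
# describes (only handles listed under auth_users may trigger commands),
# plus an allowlist dispatcher that maps a DM keyword to a fixed command
# instead of passing the DM text to os.system.

# Constructed .myst.conf in the layout the post shows; the [MYST] section's
# keys are omitted and the ops_bot handle is made up for the example.
MYST_CONF_SAMPLE='[MYST]
[Users]
auth_users: adityapatawari ops_bot'

# Print the handles listed on the auth_users line of the [Users] section.
auth_users_from_conf() {
    in_users=0
    while read -r key value; do
        case "$key" in
            '[Users]')   in_users=1 ;;
            '['*']')     in_users=0 ;;   # any other section header
            auth_users:) if [ "$in_users" -eq 1 ]; then echo "$value"; fi ;;
        esac
    done <<EOF
$1
EOF
}

# Succeeds (exit 0) only if the sender handle is in auth_users.
is_authorized_sender() {
    sender=$1; conf=$2
    for handle in $(auth_users_from_conf "$conf"); do
        if [ "$handle" = "$sender" ]; then return 0; fi
    done
    return 1
}

# Fixed mapping from a DM keyword to the command it may trigger (assumed
# table for this example). The raw DM text never reaches a shell, so an
# authorized handle, or whoever controls it, can only run what is listed.
resolve_dm_command() {
    case "$1" in
        uptime) echo "uptime" ;;
        disk)   echo "df -h /" ;;
        load)   echo "cat /proc/loadavg" ;;
        *)      return 1 ;;
    esac
}

# handle_dm <sender> <dm text> <conf>: prints the command that would run, or
# fails with a reason on stderr. A real deployment would execute the printed
# command instead of echoing it.
handle_dm() {
    sender=$1; text=$2; conf=$3
    if ! is_authorized_sender "$sender" "$conf"; then
        echo "rejected: @$sender is not in auth_users" >&2
        return 1
    fi
    if ! cmd=$(resolve_dm_command "$text"); then
        echo "rejected: '$text' is not an allowed command" >&2
        return 1
    fi
    echo "$cmd"
}

handle_dm adityapatawari disk "$MYST_CONF_SAMPLE"            # df -h /
handle_dm stranger disk "$MYST_CONF_SAMPLE" || true          # rejected: not in auth_users
handle_dm adityapatawari reboot "$MYST_CONF_SAMPLE" || true  # rejected: not an allowed command
```

Because the command table is fixed, the privileges of the account running the script (root, if it is started via sudo as the post suggests) are only ever applied to those few commands, and a DM from a handle that is not in auth_users is refused before any command is looked up.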

Please contribute to the MYST project on Gitorious.org.