fwbuilder
is undoubtedly among the best of them.
iptables
and ip6tables
commands. The difference between these two commands is that the former acts on the IPv4 network, whereas the latter acts on IPv6. Since both network protocol stacks will probably be around for many years, both tools will need to be used in parallel.
filter
concerns filtering rules (accepting, refusing or ignoring a packet);
nat
concerns translation of source or destination addresses and ports of packages;
mangle
concerns other changes to the IP packets (including the ToS — Type of Service — field and options);
raw
allows other manual modifications on packets before they reach the connection tracking system.
filter
table has three standard chains:
INPUT
: concerns packets whose destination is the firewall itself;
OUTPUT
: concerns packets emitted by the firewall;
FORWARD
: concerns packets transiting through the firewall (which is neither their source nor their destination).
nat
table also has three standard chains:
PREROUTING
: to modify packets as soon as they arrive;
POSTROUTING
: to modify packets when they are ready to go on their way;
OUTPUT
: to modify packets generated by the firewall itself.
-j
option in the commands) to the specified action to continue processing. The most common behaviors are standardized, and dedicated actions exist for them. Taking one of these standard actions interrupts the processing of the chain, since the packet's fate is already sealed (barring an exception mentioned below):
ACCEPT
: allow the packet to go on its way;
REJECT
: reject the packet with an ICMP error packet (the --reject-with type
option to iptables
allows selecting the type of error);
DROP
: delete (ignore) the packet;
LOG
: log (via syslogd
) a message with a description of the packet; note that this action does not interrupt processing, and the execution of the chain continues at the next rule, which is why logging refused packets requires both a LOG and a REJECT/DROP rule;
ULOG
: log a message via ulogd
, which can be better adapted and more efficient than syslogd
for handling large numbers of messages; note that this action, like LOG, also returns processing to the next rule in the calling chain;
RETURN
: interrupt processing of the current chain, and return to the calling chain; in case the current chain is a standard one, there's no calling chain, so the default action (defined with the -P
option to iptables
) is executed instead;
SNAT
(only in the nat
table): apply Source NAT (extra options describe the exact changes to apply);
DNAT
(only in the nat
table): apply Destination NAT (extra options describe the exact changes to apply);
MASQUERADE
(only in the nat
table): apply masquerading (a special case of Source NAT);
REDIRECT
(only in the nat
table): redirect a packet to a given port of the firewall itself; this can be used to set up a transparent web proxy that works with no configuration on the client side, since the client thinks it connects to the recipient whereas the communications actually go through the proxy.
mangle
table, are outside the scope of this text. The iptables(8) and ip6tables(8) have a comprehensive list.
iptables
and ip6tables
commands allow manipulating tables, chains and rules. Their -t table
option indicates which table to operate on (by default, filter
).
-N chain
option creates a new chain. The -X chain
deletes an empty and unused chain. The -A chain rule
adds a rule at the end of the given chain. The -I chain rule_num rule
option inserts a rule before the rule number rule_num. The -D chain rule_num
(or -D chain rule
) option deletes a rule in a chain; the first syntax identifies the rule to be deleted by its number, while the latter identifies it by its contents. The -F chain
option flushes a chain (deletes all its rules); if no chain is mentioned, all the rules in the table are deleted. The -L chain
option lists the rules in the chain. Finally, the -P chain action
option defines the default action, or “policy”, for a given chain; note that only standard chains can have such a policy.
conditions -j action action_options
. If several conditions are described in the same rule, then the criterion is the conjunction (logical and) of the conditions, which is at least as restrictive as each individual condition.
-p protocol
condition matches the protocol field of the IP packet. The most common values are tcp
, udp
, icmp
, and icmpv6
. Prefixing the condition with an exclamation mark negates the condition, which then becomes a match for “any packets with a different protocol than the specified one”. This negation mechanism is not specific to the -p
option and it can be applied to all other conditions too.
-s address
or -s network/mask
condition matches the source address of the packet. Correspondingly, -d address
or -d network/mask
matches the destination address.
-i interface
condition selects packets coming from the given network interface. -o interface
selects packets going out on a specific interface.
-p tcp
condition can be complemented with conditions on the TCP ports, with clauses such as --source-port port
and --destination-port port
.
--state state
condition matches the state of a packet in a connection (this requires the ipt_conntrack
kernel module, for connection tracking). The NEW
state describes a packet starting a new connection; ESTABLISHED
matches packets belonging to an already existing connection, and RELATED
matches packets initiating a new connection related to an existing one (which is useful for the ftp-data
connections in the “active” mode of the FTP protocol).
LOG
action, for instance, has the following options:
--log-level
, with default value warning
, indicates the syslog
severity level;
--log-prefix
allows specifying a text prefix to differentiate between logged messages;
--log-tcp-sequence
, --log-tcp-options
and --log-ip-options
indicate extra data to be integrated into the message: respectively, the TCP sequence number, TCP options, and IP options.
DNAT
action provides the --to-destination address:port
option to indicate the new destination IP address and/or port. Similarly, SNAT
provides --to-source address:port
to indicate the new source IP address and/or port.
REDIRECT
action (only available if NAT is available) provides the --to-ports port(s)
option to indicate the port, or port range, where the packets should be redirected.
iptables
/ip6tables
. Typing these commands manually can be tedious, so the calls are usually stored in a script so that the same configuration is set up automatically every time the machine boots. This script can be written by hand, but it can also be interesting to prepare it with a high-level tool such as fwbuilder
.
#
apt install fwbuilder
fwbuilder
translate the rules according to the addresses assigned to the objects.
fwbuilder
can then generate a script configuring the firewall according to the rules that have been defined. Its modular architecture gives it the ability to generate scripts targeting different systems (iptables
for Linux, ipf
for FreeBSD and pf
for OpenBSD).
up
directive of the /etc/network/interfaces
file. In the following example, the script is stored under /usr/local/etc/arrakis.fw
.
Example 14.1. interfaces
file calling firewall script
auto eth0 iface eth0 inet static address 192.168.0.1 network 192.168.0.0 netmask 255.255.255.0 broadcast 192.168.0.255 up /usr/local/etc/arrakis.fw