Hello and welcome to the third and final installment of the IPTables tutorial. Now that you have all the tools necessary to create basic firewall scripts, I am going to give a better overview of the entire IPTables system and how it works. I am also going to introduce some code snippets that should go in almost any firewall script to provide defense against some basic attacks.

Probably the most confusing part of IPTables is the organization of the chains and tables, so I am going to show diagrams of exactly how different packets traverse the chains and in what order. There are three basic routes a packet can take. PATH 1 is a packet originating from outside the network and destined for the local machine. Its route is as follows:

PATH 1: in from the internet, to the local machine

  In from internet
      |
      v
  raw PREROUTING    -- mostly used to switch off connection tracking for selected traffic with the NOTRACK target
      |
      v
  mangle PREROUTING -- here we can mark packets (MARK target) so that later rules or policy routing treat them differently, or alter header fields such as TOS and TTL. This chain changes marks and header fields only; it cannot change the interface a packet arrived on. Most home users won't need to touch it.
      |
      v
  nat PREROUTING    -- destination NAT, performed before the routing decision. We used this chain last week to redirect an incoming packet from one port to another (REDIRECT); DNAT changes the destination address as well. MASQUERADE and SNAT rewrite the source address instead and are only valid in nat POSTROUTING, not here.
      |
      v
  ROUTING DECISION  -- the kernel looks at the (possibly rewritten) destination; for this machine, the packet continues to INPUT
      |
      v
  mangle INPUT      -- another chance to mark the packet or change the type of service information
      |
      v
  filter INPUT      -- finally, the familiar filter chain. This is where most accepting and rejecting should happen; we have used it widely to allow and disallow different services.

The chain traversal for an outgoing packet is essentially the same as for an incoming packet, in reverse.
The tables still perform the same actions, but since we are using the OUTPUT and POSTROUTING chains instead of INPUT and PREROUTING, we can specify different rules for outgoing and incoming packets.

PATH 2: from the local machine, out to the internet

  Local machine
      |
      v
  raw OUTPUT
      |
      v
  mangle OUTPUT
      |
      v
  nat OUTPUT
      |
      v
  filter OUTPUT
      |
      v
  ROUTING           -- re-route check: the initial routing decision is made before raw OUTPUT, and a packet whose destination was changed by a nat or mangle OUTPUT rule is routed again here
      |
      v
  mangle POSTROUTING
      |
      v
  nat POSTROUTING   -- source NAT (SNAT, MASQUERADE) happens here
      |
      v
  Out to internet

The forward chain is different. When the packet comes in on the line, it passes through the three chains that all incoming packets pass through: raw PREROUTING, mangle PREROUTING and nat PREROUTING. Then, when the routing decision says the packet is for another machine (which only happens at all if forwarding is switched on, net.ipv4.ip_forward = 1), it passes through mangle FORWARD and filter FORWARD. Finally it passes through the two chains that all outgoing packets pass through, mangle POSTROUTING and nat POSTROUTING.

Note that a packet takes either PATH 1 or PATH 3, never both: the routing decision sends it to INPUT or to FORWARD, and the two are never both consulted for the same packet. Last week's port redirect is the case to think about. nat PREROUTING runs before the routing decision, so the kernel routes on the rewritten destination. A REDIRECT (or a DNAT to one of the firewall's own addresses) makes the packet local, so it continues down PATH 1 and must be accepted on its new port in filter INPUT. A DNAT to another host makes it a forwarded packet, so it takes PATH 3 and must be accepted in filter FORWARD, matching the rewritten destination. If you find yourself allowing the same flow in both filter INPUT and filter FORWARD, one of those two rules is dead.

PATH 3: in from the internet, forwarded to another machine

  In from internet
      |
      v
  raw PREROUTING
      |
      v
  mangle PREROUTING
      |
      v
  nat PREROUTING
      |
      v
  ROUTING DECISION  -- destination is not this machine, so the packet goes to FORWARD
      |
      v
  mangle FORWARD
      |
      v
  filter FORWARD
      |
      v
  mangle POSTROUTING
      |
      v
  nat POSTROUTING
      |
      v
  Forward to another machine

Once you get a sense of these three paths, the iptables man page suddenly starts to make sense, and you can start building your rules with confidence.

I am now going to introduce a few lines of script that you can use in almost any firewall script to prevent some types of attacks ($IPT is the variable holding the path to the iptables binary). The first line drops packets that claim to come from a loopback address but arrive on a physical network interface. Such packets are clearly spoofed and should be dropped.
  $IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

(The older spelling --in-interface ! lo, with the ! after the option, is deprecated; put the ! before the option as above.)

The next lines deal with the smurf attack. A smurf attack sends ICMP echo requests to a network's broadcast address with the victim's address forged as the source, so every host on that network answers the victim at once and a small stream of requests turns into a flood of replies. Linux ignores broadcast pings by default (net.ipv4.icmp_echo_ignore_broadcasts = 1), so your machine will not act as an amplifier; what these rules do is protect the machine itself from being flooded with ping requests, by accepting at most one per second and dropping the rest. Matching only echo requests leaves ICMP error messages such as fragmentation-needed alone. The second line matters: a limit rule on its own accepts the first packet each second and does nothing with the excess, so the excess has to be dropped by the rule that follows (or by a DROP default policy on INPUT), otherwise the limit achieves nothing.

  $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
  $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP

We also want to drop any packets with TCP flag combinations that don't make sense. To really understand these lines you need to understand the TCP protocol, and that is beyond the scope of this video. All you really need to know is that TCP allows different flags to be set in a segment, and that each --tcp-flags rule names a mask (the flags to examine) followed by the flags that must be set within that mask. We drop packets where the flags contradict each other or otherwise make no logical sense: SYN together with FIN or RST, FIN without ACK, or the "xmas" combination FIN,PSH,URG used by port scanners. Put these near the top of INPUT, before any ACCEPT rule, so nothing accepts such a packet first. You can pause the video at this point and copy the lines, or click the link to see the finished script.

  $IPT -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
  $IPT -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
  $IPT -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
  $IPT -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  $IPT -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  $IPT -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  $IPT -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

That concludes the iptables tutorial. I hope that this has been helpful to you. There are several graphical tools available to help with firewall creation that you might be interested in: for KDE there's kmyfirewall, and for gnome there's firestarter. These tools do simplify some things, but to use them properly you still need to know the things about iptables that you have learned in this tutorial. Happy firewalling.
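As an added worked example (this is not the finished script linked from the video, nor code from its author), here is one complete basic firewall script that assembles the two halves of this page: the chain-traversal discussion (a REDIRECT and a DNAT in nat PREROUTING, each followed by exactly one filter rule, in INPUT or in FORWARD depending on where the rewritten destination points) and the defensive snippets (anti-spoofing, ICMP rate limit with its DROP fallback, and the bogus TCP flag combinations). The interface names eth0/eth1, the LAN subnet, the internal web server address, the port choices, the DRY_RUN/run helper and the FW_APPLY guard are all assumptions for illustration; the conntrack state rules, the RFC 1918 anti-spoofing rules and the ALL NONE / ALL ALL flag rules go beyond what the page lists.

```shell
#!/bin/sh
# Added example, not the tutorial's finished script. Interface names, the LAN
# subnet and the DNAT target host below are assumptions for illustration.
set -e

IPT="${IPT:-iptables}"                     # path to the iptables binary
WAN="${WAN:-eth0}"                         # assumed: interface facing the internet
LAN="${LAN:-eth1}"                         # assumed: interface facing the local network
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # assumed: local subnet
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"   # assumed: internal host that receives the DNAT
DRY_RUN="${DRY_RUN:-0}"                    # DRY_RUN=1 prints the commands instead of running them

# run: execute a command, or print it when DRY_RUN=1, so the ruleset can be
# reviewed without root and without touching the live tables.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Start clean in every table the tutorial discusses, with default-deny on the
# two filter chains that see traffic from outside.
reset_tables() {
    for t in raw mangle nat filter; do
        run "$IPT" -t "$t" -F
        run "$IPT" -t "$t" -X
    done
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT
}

# The defensive snippets from this page, applied before any ACCEPT rule.
hardening_rules() {
    # Loopback traffic is fine; loopback addresses on any other interface are spoofed.
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    # Private (RFC 1918) sources must not arrive on the internet-facing interface.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run "$IPT" -A INPUT -i "$WAN" -s "$net" -j DROP
    done
    # Echo requests: accept a trickle, drop the excess. Limiting only echo-request
    # leaves ICMP error messages (path MTU, unreachable) untouched.
    run "$IPT" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 4 -j ACCEPT
    run "$IPT" -A INPUT -p icmp --icmp-type echo-request -j DROP
    # TCP flag combinations no legitimate stack sends, as "mask flags-set" pairs.
    # ALL NONE (null scan) and ALL ALL are added beyond the page's own list.
    for pair in "FIN,ACK FIN" "ACK,PSH PSH" "ACK,URG URG" "SYN,FIN SYN,FIN" \
                "SYN,RST SYN,RST" "FIN,RST FIN,RST" "ALL FIN,PSH,URG" \
                "ALL NONE" "ALL ALL"; do
        set -- $pair   # split the pair into $1 (mask) and $2 (flags that must be set)
        run "$IPT" -A INPUT   -p tcp --tcp-flags "$1" "$2" -j DROP
        run "$IPT" -A FORWARD -p tcp --tcp-flags "$1" "$2" -j DROP
    done
}

# Services and NAT. nat PREROUTING runs before the routing decision, so the
# rewritten destination decides whether a packet takes the INPUT or FORWARD path.
service_rules() {
    run "$IPT" -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # REDIRECT: WAN port 8080 becomes port 80 on this machine. The destination is
    # now local, so this is INPUT-path traffic: allow the NEW port in filter INPUT.
    run "$IPT" -t nat -A PREROUTING -i "$WAN" -p tcp --dport 8080 -j REDIRECT --to-ports 80
    run "$IPT" -A INPUT -i "$WAN" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # DNAT: WAN port 443 goes to an internal host. The destination is now another
    # machine, so this is FORWARD-path traffic: allow it in filter FORWARD, matching
    # the rewritten destination. It never touches INPUT.
    run "$IPT" -t nat -A PREROUTING -i "$WAN" -p tcp --dport 443 -j DNAT --to-destination "$WEB_SERVER:443"
    run "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB_SERVER" --dport 443 -m conntrack --ctstate NEW -j ACCEPT

    # Let the LAN out, hiding it behind the WAN address. Source NAT belongs in
    # nat POSTROUTING (MASQUERADE is not valid in PREROUTING).
    run "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

apply_firewall() {
    reset_tables
    hardening_rules
    service_rules
    # Without this the kernel never consults the FORWARD chain at all.
    run sysctl -w net.ipv4.ip_forward=1
}

# Only touch the live ruleset when explicitly asked: FW_APPLY=1 ./firewall.sh
if [ "${FW_APPLY:-0}" = 1 ]; then
    apply_firewall
fi
```

Run it with DRY_RUN=1 to review the generated commands without root; FW_APPLY=1 as root applies them. Compare the REDIRECT and DNAT pairs: the same nat PREROUTING hook produces INPUT-path traffic in one case and FORWARD-path traffic in the other, and each gets exactly one filter rule, in the chain that packet actually traverses.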