Thursday, October 29, 2009

Linux Security Notes 15: IPTables 3: Matching Traffic


IPTables: Building Rules with Source and Destination IP, MAC, Protocol & Port
   
    Here we deal with the ways iptables can match traffic when defining a rule: matching source and destination IP, MAC address, port and protocol, matching on interfaces, and using wildcards.

Matching traffic based on source and destination:
--src/-s/--source
--dst/-d/--destination

    These switches match the source and destination IP address of the traffic. They also accept a network in CIDR form (for example 192.168.1.0/24). They are the most widely used matches, since most rules are written in terms of who is talking to whom.
Eg:-
Blocking all the traffic from a source (192.168.1.200) (--src)

# iptables -A INPUT --src 192.168.1.200 -j DROP

    This drops all incoming traffic to our server from the source 192.168.1.200. The source match is made with "--src".
Blocking all traffic to a destination from our server (--dst)

# iptables -A OUTPUT --dst 192.168.1.200 -j DROP

    This drops all outgoing traffic from our server to 192.168.1.200. The destination match is made with "--dst". Note that -s and -d check nothing but the address fields: a host that changes (or spoofs) its IP address is no longer matched.

Matching based on interface:
    This is useful when a rule should apply only to traffic arriving on (or leaving through) a particular interface.
(-i eth0/eth1 etc.)
    The switch "-i" (--in-interface) matches the interface a packet arrived on; it is valid in the INPUT, FORWARD and PREROUTING chains. For traffic leaving the machine, "-o" (--out-interface) matches the interface the packet will go out through and is valid in the OUTPUT, FORWARD and POSTROUTING chains.
Eg:-
(-i eth1)

# iptables -A INPUT -i eth1 --src 192.168.1.200 -j DROP

    Any incoming traffic from that IP address arriving on the interface eth1 will be dropped. Both conditions must hold: the same source arriving on eth0 is not matched by this rule.

Negation rule:

# iptables -A INPUT -i eth1 ! --src 192.168.1.200 -j DROP

    The "!" negates the match that follows it: this drops all incoming traffic on eth1 except traffic from 192.168.1.200. (Older iptables releases also accepted "--src !192.168.1.200", with the "!" after the option; current releases warn about or reject that form, so put the "!" before the option.) Traffic from 192.168.1.200 is not dropped by this rule, but whether it is finally accepted depends on the rules that follow and on the chain's default policy; this rule alone does not accept anything.

# iptables -A INPUT -i eth1 -j DROP

    This drops all incoming traffic on the interface eth1.
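The negation trick above does not scale to more than one trusted host: two rules of the form "! -s A -j DROP" and "! -s B -j DROP" drop traffic from both A and B, because every packet fails one of the two negations. The script below is an added example written for these notes (not code from the original post; the interface name and addresses are made up). It generates an explicit allow-list followed by a single DROP instead, keeps the single-host negation for the case where it is fine, and refuses malformed addresses. It prints the iptables commands by default (DRY_RUN=1) so the rule set can be reviewed before it is applied with DRY_RUN=0 as root:

```bash
#!/bin/sh
# Added example: "allow these sources, drop everything else on the interface"
# without stacking negations.  Rules are evaluated first-match, so the
# ACCEPTs must be emitted before the catch-all DROP.
#
# DRY_RUN=1 (the default) prints the commands instead of applying them;
# DRY_RUN=0 runs them (needs root).  eth1 and the addresses below are
# hypothetical example values.

IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Accept only dotted-quad IPv4 with an optional /prefix, so a typo cannot
# silently become a rule that matches the wrong thing.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# trusted_only CHAIN IFACE SRC [SRC...]
# One ACCEPT per trusted source arriving on IFACE, then a DROP for the rest.
trusted_only() {
    chain="$1"; iface="$2"; shift 2
    [ $# -ge 1 ] || { echo "trusted_only: need at least one source" >&2; return 1; }
    for src in "$@"; do
        valid_ipv4 "$src" || { echo "trusted_only: bad address '$src'" >&2; return 1; }
        run -A "$chain" -i "$iface" -s "$src" -j ACCEPT
    done
    run -A "$chain" -i "$iface" -j DROP
}

# single_trusted CHAIN IFACE SRC
# With exactly one trusted host a negated source is fine and is one rule
# instead of two.  The "!" goes before the option in current iptables.
single_trusted() {
    chain="$1"; iface="$2"; src="$3"
    valid_ipv4 "$src" || { echo "single_trusted: bad address '$src'" >&2; return 1; }
    run -A "$chain" -i "$iface" ! -s "$src" -j DROP
}

trusted_only INPUT eth1 192.168.1.3 192.168.1.4
single_trusted INPUT eth1 192.168.1.200
```

Run as-is it only prints; the printed lines are exactly what DRY_RUN=0 would execute, so they can be pasted into a review or diffed against "iptables-save" output.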

Wildcard for matching all interfaces (eth+):
For eg:-
    If we have several interfaces such as eth0, eth1, eth2, eth3, eth4 and need a rule that matches all of them, we can use the wildcard eth+ . A trailing "+" matches every interface whose name starts with the given prefix, so eth+ matches eth0, eth1 and also VLAN sub-interfaces such as eth0.10. Only a trailing "+" is supported; "eth*" or "eth?" are not wildcards here.
For Eg:-

# iptables -A INPUT -i eth+ -p tcp --dport 23 -j DROP

    This drops all incoming telnet traffic on every interface whose name starts with eth. It says nothing about lo or interfaces with other names; a rule with no "-i" at all applies to every interface, which is usually what is wanted for a service-wide block.

TCP based matching (--protocol/-p): (connection oriented)
    The majority of rules are based on TCP. TCP is a transport layer (layer 4) protocol.
-p tcp/ --protocol tcp
    This switch restricts the rule to TCP packets and loads the tcp match extension, which provides the port and flag options below. The protocol has to be specified with "-p" before port options such as --dport can be used, because iptables needs to know whether the port belongs to a TCP or a UDP header.
--sport/--source-port
    The source port of a TCP client is normally an ephemeral port above 1023, picked arbitrarily by the client's operating system, so we do not usually filter on the source port of TCP traffic unless we know exactly how an application behaves. Accepting traffic because of its source port (for example "--sport 80 -j ACCEPT") is easy to abuse: an attacker can bind local port 80 and send from it.
--dport/--destination-port
    This is the common match used along with the "-p" switch. Every TCP connection has a well-defined destination port (the service), so rules are created and matched based on the destination port.
--tcp-flags MASK COMP
    This matches the flag bits in the TCP header and is used to match the stages of the three-way handshake. MASK is the comma-separated list of flags to examine and COMP the list of those flags that must be set (every other flag in MASK must be clear); the words ALL and NONE are also accepted. For example "--tcp-flags SYN,ACK,FIN,RST SYN" matches a packet with SYN set and ACK, FIN and RST clear, i.e. a new connection attempt; "--syn" is shorthand for exactly that.
    SYN - Step 1 of the three-way handshake (initial synchronization) (from the client)
    SYN,ACK - Step 2 of the three-way handshake (the server acknowledges the SYN and sends its own) (from the server)
    ACK - Step 3 of the three-way handshake (from the client; every later data segment carries ACK as well)
    FIN - finishing a TCP session (either side)
    RST - aborting a connection or rejecting a connection attempt, e.g. to a closed port
Eg:-

# iptables -A INPUT -p tcp --dport 23 -j DROP

    Here the match is made on protocol TCP with destination port 23, so all incoming telnet traffic will be dropped.

# iptables -A OUTPUT -p tcp --dport 21 -j DROP

    This drops all outbound FTP control traffic (every request from our server to port 21 on any FTP server). It covers only the control connection; FTP data connections use other ports.

UDP based match: (connection less)
    Some UDP based applications are TFTP:69, Syslog:514, NTP:123, DHCP:67/68, DNS:53.
-p udp/--protocol udp
--dport/--destination-port
--sport/--source-port

    For a few UDP services the source port is fixed as well as the destination port: NTP peers use 123 on both sides, and a DHCP client sends from port 68 to port 67 on the server. Most UDP clients, however, use an ephemeral source port just as TCP clients do (DNS resolvers deliberately randomise it), so as with TCP, rules should normally be written on the destination port only.
Eg:-
If we are running the syslogd daemon we have to block all traffic to the service other than traffic from the host we trust to send us logs.

# iptables -A INPUT -p udp --dport 514 ! -s 192.168.1.3 -j DROP

    So here only UDP traffic to port 514 from the host 192.168.1.3 gets past this rule, and every other source is dropped. The match is made on protocol UDP and --dport 514, combined with a negated source (! -s). Being connectionless, UDP gives the firewall nothing like a handshake to check, so the source address is all there is to go on, and it is trivially spoofed: a datagram forged with source 192.168.1.3 passes this rule.

ICMP based traffic match:
    ICMP is designed to carry status and error information (reachability, unreachable destinations, expired TTLs) rather than application data.
Various ICMP types:
    echo-request - PING (our host sends an echo-request out through the OUTPUT chain to the destination)
    echo-reply - PONG (the remote system receives the echo-request and responds with an echo-reply, which comes back in through our INPUT chain)
-p icmp/--protocol icmp
    This defines the protocol type and loads the icmp match extension.
--icmp-type name/number of ICMP type
    Here we specify the ICMP type, by name or by number, optionally with a code as type/code. Eg:- echo-reply (0), echo-request (8), destination-unreachable (3).
To get the list of ICMP types supported by iptables:

# iptables -p icmp --help

        Using this we can build the rules. The same form of command lists the options of the tcp and udp matches:

    # iptables -p tcp --help
    # iptables -p udp --help

Eg:-

# iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP

    All echo-replies from outside will be dropped. The side effect is that this server can no longer ping anything: its own echo-requests go out, but the answers are dropped on the way back in.
Rule to drop all echo-requests to our firewall arriving from outside:

# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

    This disables all echo-requests (pings) arriving on the outside interface. From this server we can still ping any other system, because incoming echo-replies are not dropped (provided the echo-reply rule above is not loaded as well). Do not extend this to a blanket "-p icmp -j DROP": destination-unreachable, in particular fragmentation-needed (type 3, code 4), is required for path MTU discovery, and time-exceeded is what traceroute depends on.
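Putting the ICMP rules together, here is an added example (not code from the original post; the interface name is made up) of an ICMP policy that hides the host from outside pings while keeping the ICMP types the host itself depends on, so it does not fall into the "drop all ICMP" trap. It prints the commands by default (DRY_RUN=1) and applies them with DRY_RUN=0 as root:

```bash
#!/bin/sh
# Added example: ICMP policy for the outside interface.
#  - error reports the host needs (unreachable incl. fragmentation-needed,
#    time-exceeded, parameter-problem) are accepted explicitly,
#  - replies to our own pings are accepted, pings from outside are dropped,
#  - everything else ICMP on that interface is dropped by a final catch-all.
# Order matters: the ACCEPTs are emitted before the catch-all DROP.
# eth1 is a hypothetical interface name.  DRY_RUN=1 (default) prints the
# commands; DRY_RUN=0 applies them (needs root).

IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

# Type names as accepted by --icmp-type ("iptables -p icmp --help" lists them).
# destination-unreachable covers all of type 3, including fragmentation-needed.
ICMP_KEEP="destination-unreachable time-exceeded parameter-problem"

# icmp_policy IFACE
icmp_policy() {
    iface="$1"
    [ -n "$iface" ] || { echo "icmp_policy: interface required" >&2; return 1; }
    for t in $ICMP_KEEP; do
        run -A INPUT -i "$iface" -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Answers to pings we sent may come in; pings from outside may not.
    run -A INPUT -i "$iface" -p icmp --icmp-type echo-reply -j ACCEPT
    run -A INPUT -i "$iface" -p icmp --icmp-type echo-request -j DROP
    # Catch-all for the remaining types (redirect, timestamp-request, ...).
    run -A INPUT -i "$iface" -p icmp -j DROP
}

# Count how many of the emitted rules are ACCEPTs, to sanity-check the
# ordering: every ACCEPT must appear before the final catch-all DROP.
accepts_before_catchall() {
    icmp_policy "$1" | sed '$d' | grep -c -- '-j ACCEPT'
}

icmp_policy eth1
```

The catch-all at the end is what makes the policy explicit: a new ICMP type is dropped until someone adds it to ICMP_KEEP, which is the safer default on an outside interface.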

Multiport matching in a single rule (-m multiport):
    This match extension is used to match several ports in a single rule.
-m multiport
 Checking the multiport module installation

# rpm -ql iptables |grep multiport
/lib/iptables/libipt_multiport.so

    This is the userspace module responsible for multiport (on newer distributions the match extensions live in an xtables directory and the file is called libxt_multiport.so). Its options are --sports, --dports and --ports (source ports, destination ports, or either), each taking a comma-separated list of up to 15 ports; a range written as a:b is allowed and counts as two ports. Note the plural: --dport (singular) belongs to the tcp/udp match and takes a single port or range only.
Eg:-

# iptables -A INPUT -p tcp -m multiport --dports 21,23 -j DROP

    Here we define multiple ports in a single rule; it matches TCP packets to port 21 or port 23. The match must follow "-p tcp" or "-p udp", since multiport needs to know which header holds the ports.

Matching layer 2 traffic (MAC address):
    The MAC address is the address that changes least often in practice: it is burned into the network card, whereas the IP address is assigned by configuration or DHCP.
Checking the capability of iptables to match layer 2 traffic

# rpm -ql iptables |grep mac
/lib/iptables/libipt_mac.so

    This is the module responsible for MAC address based rules (libxt_mac.so on newer distributions).
-m mac
    This tells iptables to consult the mac module for processing the rule. The match is only available in the PREROUTING, INPUT and FORWARD chains, since a packet in the OUTPUT chain has not been given its Ethernet header yet, and it only makes sense on Ethernet-like interfaces.
--mac-source
    Source MAC address, written as XX:XX:XX:XX:XX:XX. Analogous to the --src option at layer 3 (IP address), with one important difference: the source MAC is that of the last hop. It identifies the sending host only when that host is on the same Ethernet segment; for anything that arrived through a router it is the router's MAC.
    There is no --mac-destination option: the mac match only looks at the source address (destination MAC filtering is a job for ebtables).
Eg:-

# iptables -A INPUT -p tcp -m mac --mac-source 00:09:8F:3E:10:3A -j DROP

    If the source MAC address matches, the TCP traffic will be dropped.
Filtering on the MAC address is a little harder to get around than filtering on the IP address alone, because a host also has to change its MAC to pass. It is not a strong control, however: the MAC address is set in software on every modern operating system (for example with "ip link set dev eth0 address ..." on Linux), so anyone on the segment who can see a permitted MAC can borrow it. Treat MAC rules as a convenience for pinning known hosts on the local LAN, not as authentication, and combine them with an IP match where both are known.
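An added example (not code from the original post; the addresses and interface name are made up) that pins a host to both its IP and its MAC address, enforces the pairing in both directions, validates the MAC format and refuses chains in which the mac match does not exist. It prints the commands by default (DRY_RUN=1) and applies them with DRY_RUN=0 as root:

```bash
#!/bin/sh
# Added example: tie an IP address to a MAC address on the local segment.
# Three rules per host:
#   1. IP + MAC both match        -> ACCEPT
#   2. that IP from any other MAC -> DROP   (someone took the IP)
#   3. that MAC claiming other IP -> DROP   (someone took the MAC)
# This is an inventory control for a directly attached LAN, not
# authentication: both values are spoofable.  The mac match is only valid
# in PREROUTING, INPUT and FORWARD; we stay in the filter table, so only
# INPUT and FORWARD are accepted here (PREROUTING would need -t mangle/raw).
# eth1 and the addresses are hypothetical.  DRY_RUN=1 (default) prints the
# commands; DRY_RUN=0 applies them (needs root).

IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

mac_chain_ok() {
    case "$1" in
        INPUT|FORWARD) return 0 ;;
        *) return 1 ;;
    esac
}

# pin_host CHAIN IFACE IP MAC
pin_host() {
    chain="$1"; iface="$2"; ip="$3"; mac="$4"
    mac_chain_ok "$chain" || { echo "pin_host: mac match not usable in chain '$chain'" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "pin_host: bad IP '$ip'" >&2; return 1; }
    valid_mac "$mac" || { echo "pin_host: bad MAC '$mac'" >&2; return 1; }
    run -A "$chain" -i "$iface" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    run -A "$chain" -i "$iface" -s "$ip" -j DROP
    run -A "$chain" -i "$iface" -m mac --mac-source "$mac" -j DROP
}

pin_host INPUT eth1 192.168.1.200 00:09:8F:3E:10:3A
```

The second and third rules are what make the pairing useful: a plain "--mac-source ... -j ACCEPT" on its own would let a machine that borrowed the MAC in with any IP address it liked.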
