Linux Foundation LFCS – Domain No. 4 – Networking Part 2

  1. Packet Filtering – 3

Opening up a whole interface to incoming packets may not be restrictive enough, and you may want more control over what to allow and what to reject. Let’s suppose we have a small network of computers that uses the 192.168.0.x private address range. We can open up our firewall to incoming packets from a single trusted IP address, for example 192.168.0.4. The way we do that is: iptables -A INPUT -s 192.168.0.4 -j ACCEPT. If you break this command down, we first append (-A) a rule to the INPUT chain for the source (-s) IP address 192.168.0.4, and the target (-j) is to ACCEPT all such packets. Also, note how we can use the hash symbol to add comments. If we wanted to, we could have added a comment after ACCEPT, like this: iptables -A INPUT -s 192.168.0.4 -j ACCEPT # change the IP address as appropriate. The comment won’t do anything to our command.

The iptables command will still run the same; the comment is just there for you, because you will probably need to change the IP address according to your network. If we want to allow all incoming packets from a range of IP addresses, we could simply add a rule for each trusted IP address, and that would work fine. But if we have a lot of them, it may be easier to add a range of IP addresses in one go. To do this, we can use a netmask or standard slash (CIDR) notation to specify a range of IP addresses. For example, if we wanted to open up our firewall to all incoming packets from the complete 192.168.0.x address range, we could use either of the following methods.

Using standard slash notation: iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT # using standard slash notation. Or, using a subnet mask: iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT # using a subnet mask. So those are the two ways you can do it. Finally, as well as filtering against a single IP address, we can also match against the MAC address of the given device. To do this, we need to load a module, the mac module, that allows filtering against MAC addresses. Earlier, we saw another example of using modules to extend the functionality of iptables when we used the state module to match ESTABLISHED and RELATED packets. Here, we use the mac module to check the MAC address of the source of the packet in addition to its IP address. This is how you do it.

iptables -A INPUT -s 192.168.0.4 -m mac --mac-source 00:50:8D:FD:E6:32 -j ACCEPT. First, we have used -m mac to load the mac module. Then we use --mac-source to specify the MAC address of the source, in addition to the source IP address 192.168.0.4. You will need to find out the MAC address of each Ethernet device you wish to filter against; running ifconfig (or iwconfig for wireless devices) as root will provide you with the MAC address. This may be useful for preventing spoofing of the source IP address, as it will allow any packets that genuinely originate from 192.168.0.4 with the MAC address we have put in, but will block any packets that are spoofed to have come from that IP address. Also note that MAC address filtering won’t work across the Internet, because the source MAC address is rewritten at every router hop, but it certainly works fine on a LAN.
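The two range rules above, 192.168.0.0/24 and 192.168.0.0/255.255.255.0, describe exactly the same block of addresses; the following shell helpers are an added example (not part of the lecture) that convert between the prefix-length and dotted-netmask notations and perform the same "is this source inside the range" test that iptables applies to a -s match. All addresses are constructed sample values.

```shell
#!/bin/sh
# Added example: netmask <-> prefix conversion and range membership in plain sh.
# The addresses used are constructed sample values matching the lecture's LAN.

# Convert dotted-quad IPv4 to a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# /N prefix length -> dotted netmask, e.g. 24 -> 255.255.255.0
prefix_to_netmask() {
    if [ "$1" -eq 0 ]; then
        echo 0.0.0.0
    else
        int_to_ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# dotted netmask -> /N prefix length, e.g. 255.255.255.0 -> 24 (counts set bits)
netmask_to_prefix() {
    m=$(ip_to_int "$1")
    n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) ))
        m=$(( m >> 1 ))
    done
    echo "$n"
}

# Does host $1 fall inside network $2 (written a.b.c.d/N)? Prints yes or no.
# This is the comparison iptables makes for "-s a.b.c.d/N": mask both sides,
# then compare the network parts.
in_range() {
    net=${2%/*}
    plen=${2#*/}
    mask=$(ip_to_int "$(prefix_to_netmask "$plen")")
    host=$(ip_to_int "$1")
    netint=$(ip_to_int "$net")
    if [ $(( host & mask )) -eq $(( netint & mask )) ]; then
        echo yes
    else
        echo no
    fi
}

# Emit the same -s match in both notations shown in the lecture.
source_rule_both_ways() {
    echo "iptables -A INPUT -s $1 -j ACCEPT  # using standard slash notation"
    echo "iptables -A INPUT -s ${1%/*}/$(prefix_to_netmask "${1#*/}") -j ACCEPT  # using a subnet mask"
}

source_rule_both_ways 192.168.0.0/24
in_range 192.168.0.4 192.168.0.0/24    # yes: inside the LAN range
in_range 192.168.1.4 192.168.0.0/24    # no: different third octet
```

The membership test is the part worth keeping in mind: a /24 admits every address from 192.168.0.0 to 192.168.0.255, so before widening a source range, check that no untrusted host can sit inside it.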

  1. Packet Filtering – 4

Earlier we saw that we could accept all packets incoming on a particular interface; in that case it was the localhost interface: iptables -A INPUT -i lo -j ACCEPT. That’s what we used. Suppose we have two separate interfaces: eth0, which is our internal LAN connection, and ppp0, a dial-up modem (or maybe eth1 for a second NIC), which is our external Internet connection. We may want to allow all incoming packets on our internal LAN, but still filter incoming packets on our external Internet connection.

We could do this as follows: iptables -A INPUT -i lo -j ACCEPT, which we already have, actually, but I’m going to put it in again, and then iptables -A INPUT -i eth0 -j ACCEPT. But we have to be careful. If we were to allow all packets on our external interface, for example the ppp0 dial-up modem, with iptables -A INPUT -i ppp0 -j ACCEPT, we would have effectively just disabled our firewall: iptables checks the rules in order and stops at the first match, so every packet arriving on ppp0 would hit that rule and be accepted before any later, more restrictive rule is even looked at. So if you were to type in iptables -A INPUT -i ppp0 -j ACCEPT, running this command is going to disable your firewall. Just be careful when you’re running this.

  1. Packet Filtering – 5

Above, we have seen how we can add rules to our firewall to filter against packets matching a particular interface or a source IP address. This allows full access through our firewall for those packets. Now we’ll look at how we can filter against protocols and ports to further refine what incoming packets we allow and what we block. Before we can begin, we need to know what protocol and port number a given service uses. For a simple example, let’s look at BitTorrent. BitTorrent uses the TCP protocol on port 6881, so we would need to allow all TCP packets on destination port 6881 (the port on which they arrive at our machine). We do that with iptables -A INPUT -p tcp --dport 6881 -j ACCEPT. Here we append a rule to the INPUT chain for packets matching the TCP protocol (-p tcp) and entering our machine on destination port 6881 (--dport 6881). In order to use matches such as destination or source ports (--dport or --sport), you must first specify the protocol: tcp, udp, icmp or all are the options. We can also extend the above to include a port range, for example allowing all TCP packets on the range 6881 to 6890. This is how you do it: iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT. That is how you do a range.

  1. Packet Filtering – 6

So now that we have seen the basics, we can start combining these rules. A popular Linux service is the Secure Shell (SSH) service, allowing remote logins. By default, SSH uses port 22 and again uses the TCP protocol. So if we want to allow remote logins, we would need to allow TCP connections on port 22. The way we do it is iptables -A INPUT -p tcp --dport 22 -j ACCEPT. This will open up port 22, which is SSH, to all incoming TCP connections, which poses a potential security threat, as hackers could try brute-force cracking on accounts with weak passwords. However, if we know the IP addresses of trusted remote machines that will be used to log on using SSH, we can limit access to only these source IP addresses. For example, if we just wanted to open SSH access on our private LAN 192.168.0.x, we can limit access to just this source IP address range: iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT. Using source IP filtering allows us to securely open up SSH access on port 22 to only trusted IP addresses; for example, we could use this method to allow remote logins between work and home machines. To all other IP addresses the port and service would appear closed, as if the service were disabled, so hackers using port-scanning methods are likely to pass it by.
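To show how the rules from the interface, port and SSH sections above fit together in one ordered INPUT chain, here is an added example (my own script, not the lecture’s) that builds the whole ruleset and, by default, only prints the commands it would run, since applying them needs root and a live netfilter. It also includes a small check for the "accept everything on the external interface" mistake described in the interface section. The interface names eth0 and ppp0 and the 192.168.0.0/24 LAN are assumptions for the example.

```shell
#!/bin/sh
# Added example: the lecture's rules combined into one ordered INPUT policy.
# iptables evaluates rules top to bottom and stops at the first match, so the
# order below is deliberate. DRY_RUN=1 (the default) prints the commands
# instead of executing them. Interface names and the LAN range are assumed.

DRY_RUN=${DRY_RUN:-1}
LAN_IF=eth0               # internal interface (assumed)
WAN_IF=ppp0               # external interface (assumed)
LAN_NET=192.168.0.0/24    # trusted LAN range from the lecture

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The intended policy: loopback and the LAN side are trusted, replies to our
# own connections are allowed, SSH only from the LAN range, the BitTorrent
# port range from anywhere, and everything else is dropped by the chain policy.
build_rules() {
    run iptables -F INPUT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -j ACCEPT
    run iptables -A INPUT -p tcp -s "$LAN_NET" --dport 22 -j ACCEPT
    run iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT
    run iptables -P INPUT DROP
}

# The mistake from the interface section: the same policy plus an
# unrestricted ACCEPT on the external interface, which lets every packet
# from the Internet match before the DROP policy is reached.
build_rules_with_mistake() {
    build_rules
    run iptables -A INPUT -i "$WAN_IF" -j ACCEPT
}

# Print any rule that accepts all traffic arriving on interface $1 with no
# other match. Empty output means the ruleset passes this check.
lint_rules() {
    grep -E "^iptables -A INPUT -i $1 -j ACCEPT\$" || true
}

build_rules
echo "--- lint (should print nothing) ---"
build_rules | lint_rules "$WAN_IF"
echo "--- lint of the mistaken ruleset ---"
build_rules_with_mistake | lint_rules "$WAN_IF"
```

When applying a ruleset like this over an SSH session, add the SSH ACCEPT rule before switching the chain policy to DROP, as the script does; otherwise the session that is applying the rules is the first thing to be cut off.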

  1. Packet Filtering – Summary

So hopefully this was short and interesting enough to arouse your interest in continuing to learn about Linux security, especially as it relates to Red Hat and CentOS. We have barely scratched the surface. There’s a lot to learn in this field, and depending on how interested the students are, I may offer a more advanced-level course on iptables later on. In the next section of this course we’ll be talking about the basic concepts of firewalld, which is another firewall feature offered on CentOS 7 and Red Hat 7 and above, and go through that as well. That one is also an introductory-level section, so we are not going to go into a whole lot of detail, but it’ll be about the same length as what we have just gone through. Thank you, and I look forward to talking to you later.

  1. Summary Domain No. 4

Hello students, and welcome. We are wrapping up the fourth domain right now, and that was networking, a very important part of the test for LFCS. We went over configuration of networking and of hostname resolution, statically or dynamically. We configured network services to start automatically at boot time. We implemented packet filtering. On packet filtering, you might notice that the lectures are fairly lengthy. The reason for that is that I have a separate course on packet filtering, so I took most of it from there; that way I don’t have to recreate something that I already have in great detail. You’re not going to be tested in such great detail, so just take whatever you need, but you have the entire course within this module on packet filtering if you just want to enhance your knowledge of this very important subject. We learned how to start, stop and check the status of network services. We statically routed IP traffic, and I showed you an example of how to do that. And we used time synchronization with peer NTP servers. So that’s networking, and the next topic we have in this series is service configuration, which we’ll be talking about next.
