Wednesday 15 June 2011

Use iptables to implement packet filtering and configure network address translation (NAT)

I'll start with the second part of this objective as it is the more concretely defined.
In my case, I will be using two vlans instead of two actual interfaces for reasons that would take, way, way too long to explain.
I have a bunch of servers on network 10.168.20.0 and they want to communicate with servers on network 10.10.11.0. In this configuration, 10.168.20.0 could be thought of as my local network and 10.10.11.0 as the internet.

The gateway server has eth1.11 with ip address 10.10.11.16 and eth1.10 with ip address 10.168.20.227. If you are wondering what the .11 and .10 mean, well, they are tagged (VLan) traffic, have a look here for some details. In a more standard configuration you would probably use eth0 for local and eth1 for internet, so change commands below accordingly.

On the gateway server, we need to modify the iptables rules as follows:
  1. iptables -t nat -I POSTROUTING -o eth1.11 -j MASQUERADE
  2. iptables -I FORWARD -i eth1.10 -o eth1.11 -j ACCEPT --comment "accept everything on the way out"
  3. iptables -I FORWARD -o eth1.10 -i eth1.11 -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "accept related or established on the way back"
  4. service iptables save
The first rule modifies the packets so that they are returned to the the original server.
The second rule will forward any traffic coming from eth1.10, i.e. the local network to eth1.11, ie. the "internet".  You don't need the comments, obviously.
Finally, the third rule will forward the packages on their way back from the internet to the local network, note that no new connections will be forwarded, to prevent connections being forwarded that were not initiated from a server in the local network.

You now need to allow the gateway to forward ip packets and this can be done by modifying the /etc/sysctl.conf file. Look for this line net.ipv4.ip_forward = 0 and change its value to net.ipv4.ip_forward = 1

Issue the following command to reload the sysctl.conf file:
sysctl -p
You can check that the changes have taken place with:
sysctl net.ipv4.ip_forward
Your server is ready, you just need to make sure that the default gateway is set to this server in the clients, see my previous post for details on how to do this.

NAT done and dusted, lets have a look at packet filtering. This is such an open ended objective that it is hard to see what is been asked of the candidate, I have touched on iptables in a previous post, so I'll be brief here.
Say you want to prevent an ip addresses from accessing your server, in case they are trying a rudimentary DOS attack
iptables -I INPUT -p tcp --dport 80 -s 10.168.20.225 -j REJECT
You can block a whole network, just change the -s parameter to say, 10.168.20.0/24. You can use a similar rule to allow access from particular ip addresses or networks (make sure that there are no spaces between the ip addresses or networks) :
 iptables -I INPUT -p tcp --dport 80 -s 10.168.20.225,10.168.20.226 -j ACCEPT
Similarly, you could create a single rule for several services (say http, https):
 iptables -I INPUT -p tcp -m multiport --dports 80,443  -j ACCEPT
As you can imagine, this barely touches the surface of what iptables can do, but it gives you an idea.

No comments:

Post a Comment