Negating Conditions
Prefixing a condition with an exclamation mark negates the condition. For example, negating a condition on the -p option matches “any packet with a different protocol than the one specified.” This negation mechanism can be applied to all other conditions as well.
The -s address or -s network/mask condition matches the source address of the packet. Correspondingly, -d address or -d network/mask matches the destination address.
The -i interface condition selects packets coming from the given network interface. -o interface selects packets going out on a specific interface.
The --state state condition matches the state of a packet in a connection (this requires the ipt_conntrack kernel module, for connection tracking). The NEW state describes a packet starting a new connection, ESTABLISHED matches packets belonging to an already existing connection, and RELATED matches packets initiating a new connection related to an existing one (which is useful for the ftp-data connections in the “active” mode of the FTP protocol).
There are many available options for iptables and ip6tables, and mastering them all requires a great deal of study and experience. However, one of the options you will use most often is the one to block malicious network traffic from a host or range of hosts. For example, to silently block incoming traffic from the IP address 10.0.1.5 and the 31.13.74.0/24 class C subnet:
# iptables -A INPUT -s 10.0.1.5 -j DROP
# iptables -A INPUT -s 31.13.74.0/24 -j DROP
# iptables -n -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.1.5             0.0.0.0/0
DROP       all  --  31.13.74.0/24        0.0.0.0/0
Another commonly used iptables command is to permit network traffic for a specific service or port. To allow users to connect to SSH, HTTP, and IMAP, you could run the following commands:
# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
# iptables -n -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.1.5             0.0.0.0/0
DROP       all  --  31.13.74.0/24        0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:143
It is considered to be good computer hygiene to clean up old and unnecessary rules. The easiest way to delete iptables rules is to reference the rules by line number, which you can retrieve with
164
Kali Linux Revealed
the --line-numbers option. Be wary though: dropping a rule will renumber all the rules appearing further down in the chain.
# iptables -n -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  10.0.1.5             0.0.0.0/0
2    DROP       all  --  31.13.74.0/24        0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:143
# iptables -D INPUT 2
# iptables -D INPUT 1
# iptables -n -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:143
There are more specific conditions, depending on the generic conditions described above. For more information, refer to the manual pages for iptables(8) and ip6tables(8).
7.4.3. Creating Rules
Each rule creation requires one invocation of iptables or ip6tables. Typing these commands manually can be tedious, so the calls are usually stored in a script so that the system is automatically configured the same way every time the machine boots. This script can be written by hand, but it can also be interesting to prepare it with a high-level tool such as fwbuilder.
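As an added example (not from the book and not fwbuilder output), a hand-written script of the kind described above: it rebuilds the INPUT chain from scratch with the hosts and ports used earlier in this section, and also automates the rule deletion from the previous section in the descending order that the renumbering caveat requires. It goes beyond the page's chain by setting a DROP policy with loopback and ESTABLISHED,RELATED exceptions; run, build_firewall, delete_plan, BLOCKED_SOURCES, TCP_SERVICES, SAMPLE_LISTING and the APPLY=1 switch are this example's own names.

```sh
#!/bin/sh
# Added example, not from the book: a boot-time script for the INPUT chain. Without APPLY=1
# every iptables call is only printed, so the resulting plan can be reviewed before applying.
set -eu

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Hosts and ports from the chapter; the variable names are this example's own.
BLOCKED_SOURCES="10.0.1.5 31.13.74.0/24"
TCP_SERVICES="22 80 143"

build_firewall() {
    # Start from an empty chain so every boot (or re-run) yields the same rule set
    # instead of appending duplicates.
    run iptables -F INPUT
    # Default policy DROP: with the chapter's policy ACCEPT the ACCEPT rules restrict nothing.
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened, plus related flows such as active-mode ftp-data.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Blocked sources come before the service rules: the first matching rule decides.
    for src in $BLOCKED_SOURCES; do
        run iptables -A INPUT -s "$src" -j DROP
    done
    for port in $TCP_SERVICES; do
        run iptables -A INPUT -m state --state NEW -p tcp --dport "$port" -j ACCEPT
    done
}

# Constructed listing in the format of "iptables -n -L INPUT --line-numbers".
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  10.0.1.5             0.0.0.0/0
2    DROP       all  --  31.13.74.0/24        0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22'

# delete_plan LISTING TARGET: print the -D commands for rules with that target, highest
# number first, so no deletion renumbers a rule that is still waiting to be deleted.
delete_plan() {
    printf '%s\n' "$1" |
        awk -v t="$2" '$1 ~ /^[0-9]+$/ && $2 == t { print $1 }' |
        sort -rn |
        while read -r num; do printf 'iptables -D INPUT %s\n' "$num"; done
}

build_firewall
delete_plan "$SAMPLE_LISTING" DROP
```

Run it once without APPLY to read the plan, then with APPLY=1 as root to load it.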
# apt install fwbuilder
The principle is simple. In the first step, describe all the elements that will be involved in the actual rules:
• The firewall itself, with its network interfaces
• The networks, with their corresponding IP ranges
• The servers
• The ports belonging to the services hosted on the servers
Next, create the rules with simple drag-and-drop actions on the objects as shown in Figure 7.2, “Fwbuilder’s Main Window” [page 166]. A few contextual menus can change the condition (negating it, for instance). Then the action needs to be chosen and configured.
As far as IPv6 is concerned, you can either create two distinct rulesets for IPv4 and IPv6, or create only one and let fwbuilder translate the rules according to the addresses assigned to the objects.
165
Chapter 7 — Securing and Monitoring Kali Linux