Netfilter 2: in the POM of Your Hands
There are times we might want to run iptables on a nonfirewall system. Despite the advice you may have read (as noted in the last paragraph of the “Preparing Your System for an iptables Upgrade” section above), there are times you'll want to run iptables on simple hosts. The simplest, but most common example would be a student system on a university network. In this case, you really should trust no other system. So you'll probably want to accept only related, established traffic.
Another example might be if you have decided to use an XDM server where most users work, but your internet policy only permits certain employees rights to surf the Web. How to deal with this? Well, fortunately, we can deal with this fairly simply with rules like the following:
iptables -t filter -I OUTPUT -p tcp --dport 80 -m owner --uid-owner 500 -j REJECT iptables -t filter -I OUTPUT -p tcp --dport 80 -j ACCEPT // only required if OUTPUT // policy is DROP/REJECT
iptables -t filter -I OUTPUT -p tcp --dport 80 -m owner --uid-owner 500 -j ACCEPT iptables -t filter -I OUTPUT -p tcp --dport 80 -j REJECT // only required if OUTPUT // policy is ACCEPTNaturally, you'd need a list of either those permitted access or those denied. Also, you wouldn't want to write individual rules. I suggest handling the rules like this: for i in cat surfweb.txt, do
iptables -t filter -I OUTPUT -p tcp --dport 80 -m owner --uid-owner $i -j REJECT doneJust create a list of users to REJECT (or to ACCEPT and change the rule to match) as the file surfweb.txt. Add user IDs to this list as needed. You might find the above construct valuable for other repetitive rules as well. Note, however, this only prevents them from surfing from the XDM server, not from their local system.
So how might they be stopped from surfing from their local system? Well, the firewall simply could drop or reject packets coming from the disallowed IP. Easy, right? I mean, this is what packet filters are all about. But wait, we're using DHCP and don't necessarily know in advance what the IP will be. Looks like we've outsmarted ourselves—or have we? While we may not know the IP address, one thing we can know is the MAC address. So we get a list of MAC addresses from the systems (or via arp, or from the dhcpd.leases file). Then we use a rule like the following:
iptables -t filter -I FORWARD -i eth0 -m mac --mac-source <MAC> -j ACCEPT iptables -t filter -A FORWARD -i eth0 -p tcp --dport 80 -m state --state NEW -j DROP
This is best done in a loop like we did earlier, with the MAC addresses in one file and then looping through them.
Note: to use the MAC address to permit or deny systems, remember that they must be on your local network—that is, directly connected, via a hub, to the firewall. If the systems in question are behind an internal firewall, and not connected on the same LAN segment as the external firewall, you must put this rule on the inner firewall.
My point here is crucial: you must know what the system with the rule on it can know about packets it is to control. Only a system where packets originate can know which user ID belongs to the process originating the packets. Only a system on the local LAN segment can know the MAC address of an originating system. After that, we have only the information available in the IP header.
This month we looked at Rusty's patch-o-matic, installing an updated kernel and the user-land iptables utility. Probably the most important part is making sure that if things go wrong you can recover. Meanwhile, Rusty has worked very hard on ensuring you don't need to recover. After that we looked at a couple of common network configurations. You'll need to remember these when you dive into next month's Kernel Korner, which will be a part two of this article. Finally, we took a quick look at how and where iptables might be used in nonfirewall situations to control network resources.
Next month we'll look at managing services behind our NAT-ed firewall, specifically how to make the most use of the IPs your ISP has assigned, and how, with this configuration, to handle services like e-mail properly. We'll also look at more matches, targets, tables and some common errors when building rules.
Special Reports: DevOps
Have projects in development that need help? Have a great development operation in place that can ALWAYS be better? Regardless of where you are in your DevOps process, Linux Journal can help!
With deep focus on Collaborative Development, Continuous Testing and Release & Deployment, we offer here the DEFINITIVE DevOps for Dummies, a mobile Application Development Primer, advice & help from the experts, plus a host of other books, videos, podcasts and more. All free with a quick, one-time registration. Start browsing now...
- Vagrant Simplified
- System Status as SMS Text Messages
- Dealing with Boundary Issues
- Libreboot on an X60, Part I: the Setup
- SUSE – “Will not diverge from its Open Source roots!”
- Bluetooth Hacks
- New Products
- October 2015 Issue of Linux Journal: Raspberry Pi
- Disney's Linux Light Bulbs (Not a "Luxo Jr." Reboot)
- Linux and the Internet of Things