
Thread: Configure Filtering in Linux

  1. #1
    Join Date
    Nov 2010
    Posts
    3

    Configure Filtering in Linux

    Computer security is a broad term that covers many aspects, such as the physical security of the machine, access control to files, etc. One aspect of security concerns network security. With the democratization of the Internet, intrusion attempts are increasing. To limit the number of these attacks, the best approach is to filter from the network input anything that is not supposed to enter. The system that implements this filter is called a firewall. A firewall can be defined as a protective device (hardware and/or software) that constitutes a filter between a computer or a LAN and an insecure network (the Internet or another LAN, for example). There are two main types of firewalls:
    • Firewalls based on network filtering. These operate in the information-transmitting layers of the OSI model. Filtering is done based on the information contained in the headers of frames, packets (source and destination addresses) and segments (source and destination ports). This type of filtering does not look at the contents of packets.
    • Application or service firewalls. This type of filtering controls the processing of information. In this case, the information contained in the packet can be taken into account. Connection requests are directed to a special program called a proxy or proxy service, which is what establishes the connection to the requested external service.


    I am hoping that other members will provide some more notes on this.

  2. #2
    Join Date
    Apr 2009
    Posts
    68

    Re: Configure Filtering in Linux

    To benefit from the filtering functions of the Linux kernel, the network packet filtering option must be enabled when compiling. This feature is a general framework onto which other elements can "plug in". To pass the different rules to the kernel, there is a utility called iptables. iptables uses the concept of tables, each table corresponding to a feature for examining packets. The filter table handles packet filtering, the nat table handles address translation, and the mangle table allows editing of packets. Initially, iptables is used for chain management. A chain can be likened to a security policy associated with a data stream. For example, we can define a chain INTERNET to describe all flows coming from outside the local network. Three default chains exist, i.e. INPUT, FORWARD and OUTPUT. If the number of rules is limited, these are enough, but if the rules become substantial, it is preferable for ease of management to create new chains. The iptables commands associated with chain management are:
    • -N : Create a new chain. Example: iptables -N INTERNET.
    • -X : Delete an empty chain. Example: iptables -X INTERNET.
    • -P : Set the default rule (policy) for an existing chain. Example: iptables -P INPUT DROP. Only the chains INPUT, FORWARD and OUTPUT can have a default rule, and the only available targets are ACCEPT and DROP.
    • -L : List the rules in a chain. Example: iptables -L INTERNET.
    • -F : Clear the rules in a chain. Example: iptables -F INTERNET.

  3. #3
    Join Date
    Apr 2009
    Posts
    64

    Re: Configure Filtering in Linux

    In a second step, rules must be built within the different chains. Adding a rule is done with the -A option of the iptables tool, while deleting a rule is done with the -D option. The main specifications on which the rules can be based are:
    • -S: Specifies the source IP address
    • -D: Specifies the destination IP address
    • -P: Specifies the protocol. The protocol can be tcp, udp or icmp
    • -I: Specifies the name of the physical interface through which packets enter
    • -O: Specifies the name of the physical interface through which packets leave
    These specifications are the most general ones, but there are many others, which are fully listed in the iptables manpage.

  4. #4
    Join Date
    Feb 2010
    Posts
    184

    Re: Configure Filtering in Linux

    With iptables, the different filtering rules are organized and grouped in chains. By default, there are three chains called INPUT, OUTPUT and FORWARD. The various chains are traversed by the following procedure:
    1. When a packet arrives, the kernel decides the destination of the packet: the routing phase.
    2. If the packet is destined for the machine itself, the packet goes down in the diagram and the INPUT chain is applied. If the packet passes this chain, it is forwarded to one of the local processes.
    3. If routing decides that the packet is destined for another network, then it is the FORWARD chain that is applied.
    4. Finally, packets sent by a local process are reviewed by the OUTPUT chain. If the packet is accepted, it is sent regardless of its output interface.
    A chain is composed of a list of rules. A rule decides the fate of a packet according to its header. The rules in a chain are examined one after the other until a match is found. Finally, if no match is found, the default rule, the policy, is applied. Associated with each rule is an action that decides the fate of the packet. The main targets are:
    • ACCEPT: this target accepts packets.
    • DROP: this target denies packets without notifying the requester that the connection request was refused.
    • REJECT: this target refuses packets, but alerts the requester that the connection request was refused by sending a RESET packet (RST).

  5. #5
    Join Date
    Feb 2010
    Posts
    641

    Re: Configure Filtering in Linux

    One of the great innovations of the network portion of the 2.4 kernel is the possibility of tracking communications. This refers to the ability of the kernel to maintain a tracking table of communications based on, for example, the pair of addresses (source and destination), the port numbers (source and destination), the protocol types or the communication status. Firewalls that have this feature are called stateful firewalls. In this case, packets are inspected in the context of a session. For example, a TCP segment with the ACK bit set will be rejected if no corresponding SYN segment has been received before. Tracking of "communications" is based on three states:
    • NEW : the initial TCP request, the first UDP datagram or the first ICMP message.
    • ESTABLISHED : if an entry in the communications tracking table matches, then the packet belongs to an ESTABLISHED communication. In the case of TCP, this refers to the ACK bit after a communication has been initiated. In the case of UDP, it is the exchange of datagrams between two hosts with matching port numbers that is taken into account. Finally, the ICMP echo-reply must match the echo-request query.
    • RELATED : refers to ICMP error messages corresponding to a TCP or UDP "communication" already present in the tracking table.
    From a practical standpoint, the communications tracking module is enabled by the -m state option of the iptables command. The --state option specifies the state of communication to consider.
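    A worked ruleset, added here as an illustration rather than taken from any of the posts, that ties together the chain options from #2, the match options from #3 (in the lowercase form the iptables binary accepts), the targets from #4 and the state match from this post. The interface names eth0/eth1, the 192.168.1.0/24 prefix and the choice of SSH as the only service opened from outside are assumptions; IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: a small stateful filter built from the options discussed in
# this thread. IPT defaults to the real iptables binary; set IPT=echo to
# print the generated commands instead of applying them (dry run).
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"               # assumed name of the internal interface
WAN_IF="${WAN_IF:-eth0}"               # assumed name of the Internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed sample LAN prefix

build_filter() {
    # Start from a clean filter table, then set deny-by-default policies.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback traffic is always local.
    $IPT -A INPUT -i lo -j ACCEPT

    # Stateful core: packets belonging to a tracked session pass, so only the
    # first packet of a NEW session needs an explicit rule below.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # A dedicated chain for flows arriving from the Internet keeps INPUT short.
    $IPT -N INTERNET
    $IPT -A INPUT -i "$WAN_IF" -m state --state NEW -j INTERNET
    # Only SSH may open a NEW session from outside. Other TCP attempts get a
    # REJECT with a reset so the peer sees an immediate refusal; the rest is
    # silently dropped.
    $IPT -A INTERNET -p tcp --dport 22 -j ACCEPT
    $IPT -A INTERNET -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INTERNET -j DROP

    # LAN hosts may open new sessions towards the Internet; nothing else is
    # forwarded because the FORWARD policy is DROP.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
}

# Usage: "sh firewall.sh dry-run" to review, "sh firewall.sh apply" as root.
case "${1:-}" in
    apply)   build_filter ;;
    dry-run) IPT=echo; build_filter ;;
esac
```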

  6. #6
    Join Date
    Apr 2009
    Posts
    78

    Re: Configure Filtering in Linux

    Address translation is a technique that replaces a source or destination address with another. Address translation in the 2.4 kernel supports source NAT (SNAT) and destination NAT (DNAT). The nat table allows editing of source and destination addresses through two default chains:
    • PREROUTING : allows changing the destination address (DNAT) before the packet goes through the routing functions.
    • POSTROUTING : allows modification of the source address (SNAT) after the packet has been processed by the routing functions.

    We focus initially on source address translation, or S-NAT. There are two distinct forms within the 2.4 and 2.6 kernels: SNAT and MASQUERADE. SNAT is the standard form of source address translation, while the second is more specialized for the case of dynamically assigned IP addresses. The distinction between the two forms is subtle. With SNAT, communication is maintained for some time while waiting during a malfunction. If the communication is restored quickly enough, network programs will be unaffected and the interrupted TCP traffic will resume, since the IP address has not changed. With the MASQUERADE form, there is no waiting time when the connection is broken, and the information about the address translation is erased. This allows immediate use of the new IP address that may be allocated during a reconnection to an ISP.
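    As an added example (not the poster's code), the nat-table rules described above in script form: SNAT when the public address is fixed, MASQUERADE otherwise, plus a DNAT in PREROUTING with the matching FORWARD rule. eth0, 192.168.1.0/24 and the host 192.168.1.10 are constructed sample values; IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: source and destination translation in the nat table.
# IPT defaults to the real binary; set IPT=echo for a dry run.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                  # assumed Internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # constructed sample LAN prefix
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"  # constructed sample internal host

# build_nat PUBLIC_IP
# With a fixed public address, SNAT is used so that tracking entries survive
# a short link outage. With an empty argument (dynamic address from an ISP),
# MASQUERADE is used: it always takes the interface's current address and
# forgets the translations when the link goes down.
build_nat() {
    public_ip="$1"
    $IPT -t nat -F

    if [ -n "$public_ip" ]; then
        $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$public_ip"
    else
        $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi

    # DNAT in PREROUTING happens before routing, so the kernel routes on the
    # rewritten destination and the FORWARD chain sees the internal address.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER":80

    # Translation alone does not permit the flow: the filter table must also
    # accept it, and the FORWARD rule must match the post-DNAT destination.
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
}

# Forwarding must be enabled in the kernel for SNAT/DNAT to carry traffic.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Usage: "sh nat.sh dry-run [PUBLIC_IP]" to review, "sh nat.sh apply [PUBLIC_IP]" as root.
case "${1:-}" in
    apply)   enable_forwarding; build_nat "${2:-}" ;;
    dry-run) IPT=echo; build_nat "${2:-}" ;;
esac
```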
