The Netfilter Project

Created by F4r5h1d

Mindmap for Netfilter (iptables and nftables abstracted)

#iptables, #netfilter

Gufw

iptables [-t table] -L [chain] [options]

#iptables -L

#iptables -t nat -L

ufw

GUI

list rules

cmd

iptables-save

# iptables-save > fw1-rules.v001

firewalld GUI

for example Firewall GUI in openSUSE YAST

GUI

ufw

fwbuilder

save/restore rules

iptables-restore

#iptables-restore < fw1-rules.v001

firewalld

GUI

flush all rules

iptables [-t table] -F [chain] [options]

#iptables -F

#iptables -t nat -F

firewalld-cmd

Systemctl and Firewalld

Enable firewalld

This makes sure that firewalld will be started automatically with the server.

systemctl enable firewalld

Start firewalld

After the firewalld service is enabled, you'll need to start it manually the first time. This is how you would manually start firewalld if it were not already running.

systemctl start firewalld

Stop firewalld

When troubleshooting rules and connection issues, you may need to stop the fireawlld service momentarily. You can stop the service with the following command.

systemctl stop firewalld

Restart firewalld

If for some reason, you need to restart the service, you can do that with the systemctl restart command.

systemctl restart firewalld

Firewalld status

Checking the status of the service gives us the most meaningful and informative output. Here you can see whether the service is enabled, running, failed, or anything else.

systemctl status firewalld

In this example output, you can see that the service is enabled, active, and running on the server. If it were not running or in a failed state, this would be displayed.

[root@centos-7 ~]# systemctl status firewalld● firewalld.service - firewalld - dynamic firewall daemonLoaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)Active: active (running) since Tue 2019-01-22 22:50:32 EST; 1h 0min agoMain PID: 808 (firewalld)CGroup: /system.slice/firewalld.service└─808 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Managing Firewalld and Configuring Rules

Now that we have firewalld running, we can get down to set the configuration. We can open ports, allow services, whitelist IPs for access, and more. In all of these examples, we include the --permanent flag. This is important to make sure a rule is saved even after you restart firewalld, or reboot the server. Once you’re done adding new rules, you need to reload the firewall to make the new rules active.

Add a Port for TCP or UDP

You do have to specify TCP or UDP and to open a port for both. You will need to add rules for each protocol.

firewall-cmd --permanent --add-port=22/TCPfirewall-cmd --permanent --add-port=53/UDP

Remove a Port for TCP or UDP

Using a slight variation on the above structure, you can remove a currently open port, effectively closing off that port.

firewall-cmd --permanent --remove-port=444/tcp

Add a Service

These services assume the default ports configured within the /etc/services configuration file; if you wish to use a service on a non-standard port, you will have to open the specific port, as in the example above.

firewall-cmd --permanent --add-service=sshfirewall-cmd --permanent --add-service=http

Remove a Service

As above, you specify the remove-service option, and you can close off the port that is defined for that service.

firewall-cmd --permanent --remove-service=mysql

Whitelist an IP Address

To whitelist or allow access from an IP or range of IPs, you can tell the firewall to add a trusted source.

firewall-cmd --permanent --add-source=192.168.1.100

You can also allow a range of IPs using what is called CIDR notation. CIDR is outside the scope of this article but is a shorthand that can be used for noting ranges of IP addresses.

firewall-cmd --permanent --add-source=192.168.1.0/24

Remove a Whitelisted IP Address

To remove a whitelisted IP or IP range, you can use the --remove-source option.

firewall-cmd --permanent --remove-source=192.168.1.100

Block an IP Address

As the firewall-cmd tool is mostly used for opening or allowing access, rich rules are needed to block an IP. Rich rules are similar in form to the way iptables rules are written.

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"

You can again use CIDR notation also block a range of IP addresses.

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"

Whitelist an IP Address for a Specific Port (More Rich Rules)

We have to reach back to iptables and create another rich rule; however, we are using the accept statement at the end to allow the IP access, rather than reject its access.

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'

Removing a Rich Rule

To remove a rich rule, use the option --remove-rich-rule, but you have to fully specify which rule is being removed, so it is best to copy and paste the full rule, rather than try to type it all out from memory.

firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'

Saving Firewall Rules

After you have completed all the additions and subtraction of rules, you need to reload the firewall rules to make them active. To do this, you again use the firewall-cmd tool but using the option --reload.

firewall-cmd --reload

Viewing Firewall Rules

After reloading the rules, you can confirm if the new rules are in place correctly with the following.

firewall-cmd --list-all

Here is an example output from the --list-all option, you can see that this server has a number of ports, and services open in the firewall along with a rich rule (that forwards one port to another).

[root@centos-7 ~]# firewall-cmd --list-allpublic (default, active)interfaces: enp1s0sources: 192.168.1.0/24services: dhcpv6-client dns http https mysql nfs samba smtp sshports: 443/tcp 80/tcp 5900-5902/tcp 83/tcp 444/tcp 3260/tcpmasquerade: noforward-ports:icmp-blocks:rich rules:rule family="ipv4" source address="192.168.1.0/24" forward-port port="5423" protocol="tcp" to-port="80"

cmd

management

interfaces

cmd

iptables

iptables [-t table] -X [chain] [options]

delete a rule

nft

cmd

nftables

initial release: 2014

current status:
active and growing fast, becoming the default firewall implementation in modern Unix-like OSs.

Nftables is a framework by the Netfilter Project that provides packet filtering, network address translation (NAT), and other packet mangling. It's a successor to iptables and aims to provide a more efficient and flexible way of handling packet filtering and classification. Nftables uses a new, simple, and coherent syntax compared to iptables.

Key-Features of Nftables:

Simplified Syntax: Offers a more straightforward syntax to define rules.
Single Framework: Replaces iptables, ip6tables, arptables, and ebtables with one unified solution.
Efficient Processing: Utilizes a more efficient data structure, improving performance especially in large rule sets.
Better Integration: Integrated into the Linux kernel, providing better performance and reliability.

Example Use-Cases:

Basic Packet Filtering:
- To allow incoming SSH connections:
  nft add rule ip filter input tcp dport 22 accept
Creating a NAT Rule:
- To masquerade outgoing packets on a specific interface (e.g., eth0):
  nft add rule ip nat postrouting oifname "eth0" masquerade
Blocking an IP Address:
- To drop packets from a specific IP address:
  nft add rule ip filter input ip saddr 192.168.1.100 drop
Port Forwarding:
- To forward incoming HTTP requests to a different IP:
  nft add rule ip nat prerouting tcp dport 80 dnat 192.168.1.10
Logging Traffic:
- To log dropped packets:
  nft add rule ip filter input counter log prefix "dropped packet: "

Nftables offers a robust and versatile solution for network packet manipulation in Linux environments, making it a valuable tool for network administrators and cybersecurity professionals. Its integration with the Linux kernel and improved syntax make it a more effective tool for managing network traffic and ensuring security.

user-space managers

iptables

initial release: 1998

current status:
active, but being replaced by nftables

Rule creation cheat sheet

iptables [-t table] -D chain rule-specification [options]

# iptables -D INPUT -i eth1 -s 10.10.10.0/24 -j ACCEPT

kernel-space modules

modules

Netfilter in Linux Kernel

netfilter is a framework for packet mangling, outside
the normal Berkeley socket interface.

rule tables

raw

nftables has no pre-defined tables

mangle

nftables has no pre-defined tables

nat

nftables has no pre-defined tables

filters

nftables has no pre-defined tables

PREROUTING