[LINUX] Packet filtering settings using iptables on Ubuntu 19.10 Eoan Ermine and their persistence

Overview

- Save and reflect the settings with the iptables-save / iptables-restore command
- Configure both IPv4 and IPv6
- Persist the settings with the netfilter-persistent command (so that the settings do not disappear even if the OS is restarted)
- Perform a port scan with nmap to see if the iptables settings are reflected

Save and reflect settings with the iptables-save / iptables-restore command

Check the initial settings (IPv4)

Check with the iptables command and the iptables-save command.

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
$ sudo iptables-save
# Generated by iptables-save v1.8.3 on Sun Jan 12 23:15:35 2020
*filter
:INPUT ACCEPT [1796:190499]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1400:212762]
COMMIT
# Completed on Sun Jan 12 23:15:35 2020

Write rules (IPv4)

This time I saved the packet filtering rules in a file called rules.v4.

*filter
:INPUT   DROP   [0:0]
:FORWARD DROP   [0:0]
:OUTPUT  ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name t_icmp --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m state --syn --state NEW --dport 22 -m hashlimit --hashlimit-name t_sshd --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT
-A INPUT -p tcp --dport 80   -j ACCEPT
-A INPUT -p tcp --dport 443  -j ACCEPT
COMMIT

For the contents of the rules, I referred to "Simple explanation of firewall iptables - even beginners can understand well! Web server operation course by VPS (4) | Sakura Knowledge".

Reflect the rules (IPv4)

Apply the rules with the iptables-restore command.

$ sudo iptables-restore < rules.v4

Confirm that the settings are reflected.

$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request limit: up to 1/min burst 10 mode srcip htable-expire 120000
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN limit: up to 1/min burst 10 mode srcip htable-expire 120000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
$ sudo iptables-save
# Generated by iptables-save v1.8.3 on Sun Jan 12 23:16:24 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [50:6132]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name t_icmp --hashlimit-htable-expire 120000 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name t_sshd --hashlimit-htable-expire 120000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Sun Jan 12 23:16:24 2020
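Loading a file whose INPUT policy is DROP over an SSH session is the step where a typo locks you out of the VPS, so before running iptables-restore it is worth checking the file for the rules that keep the session alive (loopback, ESTABLISHED/RELATED, tcp/22) and keeping a way back if the new rules cut you off. The script below is an added example, not code from the original post or from the iptables project: lint_rules is plain text processing over the iptables-save format and runs anywhere, while safe_apply and confirm_rules assume root, the iptables tools and a writable /run, and are only defined here for you to call by hand. The sample rule files are constructed (a shortened version of the rules.v4 above and a broken copy of it).

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight check for an
# iptables-save style rules file, plus an apply-with-automatic-rollback wrapper.
# lint_rules is plain text processing and runs anywhere; safe_apply and
# confirm_rules need root and the iptables tools (assumption), so they are
# defined here but only run when you call them yourself.

# lint_rules FILE: print each finding; the return status is the number found.
lint_rules() {
    f="$1"
    n=0
    grep -q '^\*filter$' "$f" || { echo "no *filter table header"; n=$((n + 1)); }
    grep -q '^COMMIT$' "$f" || { echo "no COMMIT line, the table is not applied"; n=$((n + 1)); }
    if grep -Eq '^:INPUT[[:space:]]+DROP' "$f"; then
        # With a DROP policy on INPUT these three rules keep a remote session alive.
        grep -Eq -- '^-A INPUT -i lo .*-j ACCEPT' "$f" \
            || { echo "INPUT policy DROP but loopback traffic is not accepted"; n=$((n + 1)); }
        grep -Eq -- '^-A INPUT .*--(ct)?state (RELATED,)?ESTABLISHED.*-j ACCEPT' "$f" \
            || { echo "INPUT policy DROP but replies to established connections are not accepted"; n=$((n + 1)); }
        grep -Eq -- '^-A INPUT .*--dport (22|ssh) .*-j ACCEPT' "$f" \
            || { echo "INPUT policy DROP and no ACCEPT for tcp/22, remote ssh will be cut off"; n=$((n + 1)); }
    fi
    if grep -Eq '^:OUTPUT[[:space:]]+DROP' "$f" && ! grep -q -- '^-A OUTPUT ' "$f"; then
        echo "note: OUTPUT policy DROP with no OUTPUT rules, this host sends nothing on this address family"
    fi
    return "$n"
}

# safe_apply FILE [SECONDS]: lint, let iptables-restore parse the file without
# committing it (--test), back up the live ruleset, schedule a restore of that
# backup, then load FILE. Needs root.
safe_apply() {
    rules="$1"
    grace="${2:-120}"
    lint_rules "$rules" || { echo "refusing to apply, fix the findings above"; return 1; }
    iptables-restore --test < "$rules" || { echo "iptables-restore rejected the file"; return 1; }
    backup=$(mktemp /tmp/iptables-backup.XXXXXX)
    iptables-save > "$backup"
    # If the new rules cut us off, this background job puts the old ones back.
    ( sleep "$grace" && iptables-restore < "$backup" ) &
    echo "$!" > /run/iptables-rollback.pid
    iptables-restore < "$rules"
    echo "applied; run confirm_rules within ${grace}s or the backup is restored"
}

# confirm_rules: cancel the pending rollback once a new login has succeeded.
confirm_rules() {
    kill "$(cat /run/iptables-rollback.pid)" && rm -f /run/iptables-rollback.pid
}

# Constructed samples: a shortened rules.v4 and a copy with the loopback and
# ESTABLISHED rules removed, the two omissions that most often cause lockouts.
SAMPLE_DIR=$(mktemp -d)
GOOD_RULES="$SAMPLE_DIR/rules.v4"
BAD_RULES="$SAMPLE_DIR/rules.bad"
cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT   DROP   [0:0]
:FORWARD DROP   [0:0]
:OUTPUT  ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
grep -Ev -- '-i lo|ESTABLISHED' "$GOOD_RULES" > "$BAD_RULES"

if lint_rules "$GOOD_RULES"; then echo "rules.v4: ok"; fi
lint_rules "$BAD_RULES" || echo "rules.bad: problems found, do not load this file"
```

Call `safe_apply rules.v4` from the SSH session, open a second session to the host, and only then run `confirm_rules`; if the second login fails, wait for the grace period and the previous ruleset comes back on its own. Note that the rollback restores the in-kernel rules only, so nothing is persisted until you save it in a later step.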

Check the initial settings (IPv6)

Check with the ip6tables command and ip6tables-save command.

$ sudo ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
$ sudo ip6tables-save
# Generated by ip6tables-save v1.8.3 on Sun Jan 12 20:37:47 2020
*filter
:INPUT ACCEPT [328:22552]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [448:31496]
COMMIT
# Completed on Sun Jan 12 20:37:47 2020

Write rules (IPv6)

This time I saved the packet filtering rules in a file called rules.v6.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT

Reflect the rules (IPv6)

Apply the rule with the ip6tables-restore command.

$ sudo ip6tables-restore < rules.v6

Confirm that the settings are reflected.

$ sudo ip6tables -L
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
$ sudo ip6tables-save
# Generated by ip6tables-save v1.8.3 on Mon Jan 13 00:10:54 2020
*filter
:INPUT DROP [18:1296]
:FORWARD DROP [0:0]
:OUTPUT DROP [74:5328]
COMMIT
# Completed on Mon Jan 13 00:10:54 2020

Persist settings with the netfilter-persistent command

Why persist the settings

The iptables settings return to their initial state when the OS is restarted. If you make them persistent with the netfilter-persistent command, they are loaded again when the OS starts.

Install the iptables-persistent package

Install the iptables-persistent package, which provides the iptables plugin used by the netfilter-persistent command.

$ sudo apt install iptables-persistent

This also pulls in the netfilter-persistent package as a dependency; that package contains the netfilter-persistent command used for persistence.

Persist settings with netfilter-persistent save

Persist current settings with netfilter-persistent save.

$ sudo netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save

The persisted settings are stored in the files rules.v4 and rules.v6 under /etc/iptables/.

$ tree /etc/iptables/
/etc/iptables/
├── rules.v4
└── rules.v6

0 directories, 2 files

After restarting the OS (with sudo reboot or similar), checking the settings shows that they are restored correctly.
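Instead of reading the whole listing after the reboot, you can compare the live ruleset with the file netfilter-persistent saved. The point to get right is which file to compare against: iptables-save rewrites rules (it adds `-m tcp`, expands flag names and reorders `ESTABLISHED,RELATED`, as the output above shows), so a text comparison with the hand-written rules.v4 would always differ, while /etc/iptables/rules.v4 was itself written by iptables-save and only differs in timestamps and counters. The script below is an added example, not code from the original post or from the netfilter-persistent project: normalize_rules and rules_match are plain text processing over the iptables-save format and run on the constructed dumps embedded here; check_persisted assumes root, the iptables tools and the /etc/iptables/rules.v4 and rules.v6 paths shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: verify after a reboot that the
# live ruleset is the one netfilter-persistent saved under /etc/iptables/.

# normalize_rules: read an iptables-save dump on stdin; drop the timestamp
# comments and the [packets:bytes] counters, squeeze whitespace.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/ *\[[0-9]*:[0-9]*\] *$//' \
        -e 's/^\[[0-9]*:[0-9]*\] *//' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/ *$//'
}

# rules_match SAVED_FILE DUMP_FILE: status 0 if both describe the same ruleset.
rules_match() {
    a=$(normalize_rules < "$1")
    b=$(normalize_rules < "$2")
    [ "$a" = "$b" ]
}

# check_persisted v4|v6: dump the live table and compare it with the saved
# file. Needs root (assumption: the paths used by netfilter-persistent above).
check_persisted() {
    case "$1" in
        v4) dump=iptables-save ;;
        v6) dump=ip6tables-save ;;
        *)  echo "usage: check_persisted v4|v6"; return 2 ;;
    esac
    tmp=$(mktemp -d)
    status=0
    "$dump" > "$tmp/live"
    if rules_match "/etc/iptables/rules.$1" "$tmp/live"; then
        echo "rules.$1: live ruleset matches the saved file"
    else
        echo "rules.$1: live ruleset differs from the saved file:"
        normalize_rules < "/etc/iptables/rules.$1" > "$tmp/saved.norm"
        normalize_rules < "$tmp/live" > "$tmp/live.norm"
        diff "$tmp/saved.norm" "$tmp/live.norm" || true
        status=1
    fi
    rm -rf "$tmp"
    return "$status"
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample 1: a shortened /etc/iptables/rules.v4 as written by netfilter-persistent save
cat > "$SAMPLE_DIR/rules.v4" <<'EOF'
# Generated by iptables-save v1.8.3 on Sun Jan 12 23:16:24 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [50:6132]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sun Jan 12 23:16:24 2020
EOF

# Constructed sample 2: iptables-save output after a reboot; only timestamps and counters changed
cat > "$SAMPLE_DIR/live.ok" <<'EOF'
# Generated by iptables-save v1.8.3 on Mon Jan 13 00:10:54 2020
*filter
:INPUT DROP [18:1296]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [74:5328]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jan 13 00:10:54 2020
EOF

# Constructed sample 3: the hand-written file the rules came from. iptables-save
# rewrote "--dport 22" as "-m tcp --dport 22" and reordered the states, so a
# textual comparison against this file fails even though the rules are the same.
cat > "$SAMPLE_DIR/rules.handwritten" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF

rules_match "$SAMPLE_DIR/rules.v4" "$SAMPLE_DIR/live.ok" && echo "live.ok matches rules.v4"
rules_match "$SAMPLE_DIR/rules.v4" "$SAMPLE_DIR/rules.handwritten" || echo "hand-written file differs textually (expected)"
```

On the server, `sudo sh -c '. ./check.sh; check_persisted v4 && check_persisted v6'` after a reboot gives a one-line answer per address family and a normalized diff when something was not restored.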

Documentation for iptables-persistent and netfilter-persistent

A README file and a manual are available.

$ cat /usr/share/doc/iptables-persistent/README
netfilter-persistent and its plugins
------------------------------------

netfilter-persistent does no work on its own. You need the accompanying
plugins (for example, iptables-persistent) to load and save filter rules.

However, commands are run from netfilter-persistent. For example, to save
all filter rules:

   netfilter-persistent save

or to load them:

   netfilter-persistent start

For more details, see `man netfilter-persistent`.

The system service will try to load rules at startup if enabled, but by
default it will not flush rules at shutdown. This behaviour can be changed
by editing /etc/default/netfilter-persistent.

Ubuntu Manpage: netfilter-persistent - load, flush and save netfilter rule sets

Port scan with nmap

Scan the ports with the nmap command from another machine to check that the iptables settings are working.

Run port scans with several patterns.

XXX.XXX.XXX.XXX is the target IP address (IPv4).

$ sudo nmap -Pn XXX.XXX.XXX.XXX
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-12 23:38 JST
Nmap scan report for www.example.com (XXX.XXX.XXX.XXX)
Host is up (0.020s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 4.59 seconds

Only the ports the rules accept (22, 80 and 443) get a state other than filtered; the 997 ports hidden by the DROP policy never answer. Ports 80 and 443 are reported as closed because the SYN reached the TCP stack and was answered with a RST, i.e. the rule let it through but no service is listening yet.

Stealth scan (TCP SYN scan plus UDP scan).

$ sudo nmap -sS -sU -Pn XXX.XXX.XXX.XXX
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-12 23:38 JST
Nmap scan report for www.example.com (XXX.XXX.XXX.XXX)
Host is up (0.023s latency).
Not shown: 1000 open|filtered ports, 997 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 10.63 seconds

XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX is the target IP address (IPv6).

$ nmap -6 -Pn XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-12 23:46 JST
Nmap scan report for wwww.v6.example.com (XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX)
Host is up.
All 1000 scanned ports on wwww.v6.example.com (XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX) are filtered

Nmap done: 1 IP address (1 host up) scanned in 201.70 seconds

Stealth scan (TCP SYN scan plus UDP scan).

$ sudo nmap -6 -sS -sU -Pn XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-12 23:52 JST
Nmap scan report for wwww.v6.example.com (XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX)
Host is up.
All 2000 scanned ports on wwww.v6.example.com (XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX) are filtered (1000) or open|filtered (1000)

Nmap done: 1 IP address (1 host up) scanned in 404.36 seconds
