#readwise

# Linux Fundamentals - Firewall Setup

![rw-book-cover](https://readwise-assets.s3.amazonaws.com/static/images/article0.00998d930354.png)

## Metadata

- Author: [[Hack The Box]]
- Full Title: Linux Fundamentals - Firewall Setup
- URL: https://academy.hackthebox.com/module/18/section/2099

## Summary

Iptables is a Linux tool used to filter network traffic and protect computer networks. It organizes rules into tables and chains to manage how data is processed. There are built-in chains for filtering, modifying, and processing network packets. Iptables also allows user-defined chains for easier rule management based on specific criteria.

## Highlights

The primary goal of firewalls is to provide a security mechanism for controlling and monitoring network traffic between different network segments, such as internal and external networks or different network zones. Firewalls play a crucial role in protecting computer networks from unauthorized access, malicious traffic, and other security threats. Linux, being a popular operating system used in servers and other network devices, provides built-in firewall capabilities that can be used to control network traffic. In other words, they can filter incoming and outgoing traffic based on pre-defined rules, protocols, ports, and other criteria to prevent unauthorized access and mitigate security threats. ([View Highlight](https://read.readwise.io/read/01jnavegq1j8q04g7se0a81re7))

---

An example from the history of Linux firewalls is the development of the iptables tool, which replaced the earlier ipchains and ipfwadm tools. The iptables utility was first introduced in the Linux 2.4 kernel in 2000 and provided a flexible and efficient mechanism for filtering network traffic. iptables became the de facto standard firewall solution for Linux systems. ([View Highlight](https://read.readwise.io/read/01jnavfe30vjtmydna82rva84p))

---

The iptables utility provides a flexible set of rules for filtering network traffic based on various criteria such as source and destination IP addresses, port numbers, protocols, and more. There also exist other solutions like nftables, ufw, and firewalld. ([View Highlight](https://read.readwise.io/read/01jnavhxcfvmr6hwbgpryxjstk))

---

`Nftables` provides a more modern syntax and improved performance over iptables. However, the syntax of nftables rules is not compatible with iptables, so migration to nftables requires some effort. ([View Highlight](https://read.readwise.io/read/01jnavj0xx0dxh2505z0bngf23))

---

`UFW` stands for "Uncomplicated Firewall" and provides a simple and user-friendly interface for configuring firewall rules. UFW is built on top of the iptables framework like nftables and provides an easier way to manage firewall rules. ([View Highlight](https://read.readwise.io/read/01jnavjd9qqjv138170vn24rad))

---

FirewallD provides a dynamic and flexible firewall solution that can be used to manage complex firewall configurations. It supports a rich set of rules for filtering network traffic and can be used to create custom firewall zones and services. It consists of several components that work together to provide a flexible and powerful firewall solution. ([View Highlight](https://read.readwise.io/read/01jnavjyrqwpr0rwmfxsq89f1y))

---

The main components of iptables are:

| Component | Description |
| --------- | ----------- |
| `Tables` | Tables are used to organize and categorize firewall rules. |
| `Chains` | Chains are used to group a set of firewall rules applied to a specific type of network traffic. |
| `Rules` | Rules define the criteria for filtering network traffic and the actions to take for packets that match the criteria. |
| `Matches` | Matches are used to match specific criteria for filtering network traffic, such as source or destination IP addresses, ports, protocols, and more. |
| `Targets` | Targets specify the action for packets that match a specific rule. For example, targets can be used to accept, drop, or reject packets or modify the packets in another way. |

([View Highlight](https://read.readwise.io/read/01jnavk4dfdce9mdw29dzsfr52))

---

Tables in iptables categorize and organize firewall rules based on the type of traffic they are designed to handle. Each table is responsible for performing a specific set of tasks.

| Table Name | Description | Built-in Chains |
| ---------- | ----------- | --------------- |
| `filter` | Used to filter network traffic based on IP addresses, ports, and protocols. | INPUT, OUTPUT, FORWARD |
| `nat` | Used to modify the source or destination IP addresses of network packets. | PREROUTING, POSTROUTING |
| `mangle` | Used to modify the header fields of network packets. | PREROUTING, OUTPUT, INPUT, FORWARD, POSTROUTING |
| `raw` | Used to configure special packet processing options. | PREROUTING, OUTPUT |

([View Highlight](https://read.readwise.io/read/01jnavpkjz94kg8cdyt6fhtsbq))

---

In iptables, chains organize rules that define how network traffic should be filtered or modified. ([View Highlight](https://read.readwise.io/read/01jnaw1nwc716hmjebvqak7czr))

---

The built-in chains are pre-defined and automatically created when a table is created. ([View Highlight](https://read.readwise.io/read/01jnaw1ze28hxqv5z6bs6z39h2))

---

`User-defined chains` can simplify rule management by grouping firewall rules based on specific criteria, such as source IP address, destination port, or protocol. They can be added to any of the three main tables. ([View Highlight](https://read.readwise.io/read/01jnaw2g0qqwncyfh8k8sptfhn))

---

Iptables rules are used to define the criteria for filtering network traffic and the actions to take for packets that match the criteria. Rules are added to chains using the `-A` option followed by the chain name, and they can be modified or deleted using various other options. ([View Highlight](https://read.readwise.io/read/01jnavvfx78hpzjpb3x2rjzbqn))

---

Each rule consists of a set of criteria or matches and a target specifying the action for packets that match the criteria. The criteria or matches match specific fields in the IP header, such as the source or destination IP address, protocol, source or destination port number, and more. The target specifies the action to take for packets that match a specific rule. For example, targets can accept, drop, reject, or modify the packets.

Some of the common targets used in iptables rules include the following:

| Target Name | Description |
| ----------- | ----------- |
| `ACCEPT` | Allows the packet to pass through the firewall and continue to its destination |
| `DROP` | Drops the packet, effectively blocking it from passing through the firewall |
| `REJECT` | Drops the packet and sends an error message back to the source address, notifying them that the packet was blocked |
| `LOG` | Logs the packet information to the system log |
| `SNAT` | Modifies the source IP address of the packet, typically used for Network Address Translation (NAT) to translate private IP addresses to public IP addresses |
| `DNAT` | Modifies the destination IP address of the packet, typically used for NAT to forward traffic from one IP address to another |
| `MASQUERADE` | Similar to SNAT but used when the source IP address is not fixed, such as in a dynamic IP address scenario |
| `REDIRECT` | Redirects packets to another port or IP address |
| `MARK` | Adds or modifies the Netfilter mark value of the packet, which can be used for advanced routing or other purposes |

([View Highlight](https://read.readwise.io/read/01jnavxnsrb33hza7k6xeay5tt))

---

Let us illustrate a rule and consider that we want to add a new entry to the INPUT chain that allows incoming TCP traffic on port 22 (SSH) to be accepted. The command for that would look like the following:

```sh
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```

([View Highlight](https://read.readwise.io/read/01jnavyee7vbg2z7zah24b1fd9))

---

`Matches` are used to specify the criteria that determine whether a firewall rule should be applied to a particular packet or connection. Matches are used to match specific characteristics of network traffic, such as the source or destination IP address, protocol, port number, and more.

| Match Name | Description |
| ---------- | ----------- |
| `-p` or `--protocol` | Specifies the protocol to match (e.g. tcp, udp, icmp) |
| `--dport` | Specifies the destination port to match |
| `--sport` | Specifies the source port to match |
| `-s` or `--source` | Specifies the source IP address to match |
| `-d` or `--destination` | Specifies the destination IP address to match |
| `-m state` | Matches the state of a connection (e.g. NEW, ESTABLISHED, RELATED) |
| `-m multiport` | Matches multiple ports or port ranges |
| `-m tcp` | Matches TCP packets and includes additional TCP-specific options |
| `-m udp` | Matches UDP packets and includes additional UDP-specific options |
| `-m string` | Matches packets that contain a specific string |
| `-m limit` | Matches packets at a specified rate limit |
| `-m conntrack` | Matches packets based on their connection tracking information |
| `-m mark` | Matches packets based on their Netfilter mark value |
| `-m mac` | Matches packets based on their MAC address |
| `-m iprange` | Matches packets based on a range of IP addresses |

([View Highlight](https://read.readwise.io/read/01jnavz3ejrzwxrxawatce9h0p))

---

In general, matches are specified using the `-m` option in iptables. For example, the following command adds a rule to the `INPUT` chain in the `filter` table that matches incoming TCP traffic on port 80:

```sh
sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
```

([View Highlight](https://read.readwise.io/read/01jnaw05axdmnr6zdf3ytsvq5k))

---
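As an added example (not from the Hack The Box module), the script below puts the pieces from the tables, chains, rules, targets and matches highlights together into one reviewable ruleset in `iptables-restore` format: the `filter` table with `DROP` default policies, a user-defined `LOG_DROP` chain using the `LOG` and `DROP` targets, and `INPUT` rules built from the `conntrack`, `multiport` and `limit` matches. The served ports (22, 80, 443), the chain name and the log prefix are assumptions chosen for illustration; the script only generates and checks the ruleset and never applies it.

```shell
# Added example: generate a minimal host firewall ruleset in iptables-restore
# format (the same tables, chains, matches and targets described above).
# Nothing is applied here; review the output, then load it as root with:
#   gen_ruleset > /tmp/fw.rules && sudo iptables-restore < /tmp/fw.rules
# Assumption for illustration: only SSH (22), HTTP (80) and HTTPS (443) are served.
gen_ruleset() {
    cat <<'EOF'
*filter
# Default policies: drop what no rule accepts; allow the host's own outbound traffic.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chain: rate-limited LOG target, then DROP.
:LOG_DROP - [0:0]
-A LOG_DROP -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "FW-DROP: "
-A LOG_DROP -j DROP
# Loopback, and replies to connections this host opened (conntrack match).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New inbound TCP connections only on the served ports (multiport match).
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 22,80,443 -j ACCEPT
# Everything else is logged and dropped via the user-defined chain.
-A INPUT -j LOG_DROP
COMMIT
EOF
}

# Policy of a built-in chain as declared in the ruleset; chain_policy INPUT prints DROP.
chain_policy() {
    gen_ruleset | awk -v c=":$1" '$1 == c { print $2 }'
}

# Sanity checks a reviewer would run before loading: default-deny on INPUT,
# a closing COMMIT, and every -j target is a built-in target or a declared chain.
validate_ruleset() {
    rules=$(gen_ruleset)
    [ "$(chain_policy INPUT)" = "DROP" ] || return 1
    printf '%s\n' "$rules" | grep -q '^COMMIT$' || return 1
    for t in $(printf '%s\n' "$rules" | sed -n 's/.* -j \([A-Za-z_]*\).*/\1/p' | sort -u); do
        case "$t" in
            ACCEPT|DROP|REJECT|LOG|RETURN) ;;
            *) printf '%s\n' "$rules" | grep -q "^:$t " || return 1 ;;
        esac
    done
    return 0
}

validate_ruleset && echo "ruleset OK" || echo "ruleset INVALID"
```

Adding a rule that jumps to a chain the ruleset never declares (or changing the `INPUT` policy to `ACCEPT`) makes `validate_ruleset` fail, which is the kind of mistake `iptables-restore` would otherwise reject only at load time.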