Video Screencast Help

A Comparison of iptables Automation Tools

Created: 22 Apr 2001 • Updated: 21 Jun 2011
Language Translations
Anonymous's picture
0 0 Votes
Login to vote

by Anton Chuvakin

A Comparison of iptables Automation Tools
by Anton Chuvakin
last updated April 23, 2001


Introduction

Over the past several years, the use of Linux as a firewall platform has grown significantly. Linux firewalling code has come a long way since the time ipfwadm was introduced in kernel 1.2. Recent changes in linux firewalling code include netfilter architecture (controlled from the command line by iptables utility), which was introduced in stable kernel 2.4. The newest version 2.4 of Linux kernel (first released in January 2001) presents many new security enhancements such as: enhanced capabilities, better support for encryption (for VPN and encrypted file systems) and netfilter architecture, which is a re-implementation of Linux's firewalling code and which remains fully backward-compatible due to the use of ipchains and ipfwadm loadable kernel modules.

This article will offer a brief overview of the means of configuring iptables and will offer a brief review of some tools that have been developed to automate the configuration of iptables. This discussion will look at IP firewalling code in Linux kernel and its configuration via various interfaces such as GUIs or scripts (written in shell scripting language, Perl or special configuration language). Such interfaces are, in my opinion, intended to simplify the iptables configuration, make it more intuitive and reduce the chances of system administrator error. For the general information on iptables look at Rusty Russell's Linux iptables HOWTO.

Difficulties of Configuring iptables Via the Command Line Interface

Configuring iptables through its own command line interface (i.e. iptables command with the corresponding options) presents a serious challenge as one has to specify the behavior of all IP packets that make up a connection both inwards and outwards. It also requires an intimate knowledge of TCP/IP and application protocols. Also one should be aware that, as does its predecessor - ipchains, iptables combines IP filtering rules into chains that an IP packet travels through until it matches rule that is relevant to it, which might actually send it to another chain for further processing, or until it is processed by the default policy (say, ACCEPT, DROP, REJECT etc). While it is much easier to allow network applications through a firewall than others ( for example, POP3 is much easier than FTP), it still requires understanding of how the network connections are established and broken.

As an example, lets take one of the simplest protocols: POP3. Allowing incoming traffic on port 110 (POP3) does not solve all of an admin's problems - it only takes care of the packets flowing from the client machine to your server, not the other way. Furthermore, there are also issues of configuring network address translation (NAT) and various kinds of packet forwarding. And since the firewall configuration will affect the security of the entire enterprise, all possible steps to eliminate errors must be taken. This discussion will briefly cover how to configure iptables in the next section. For a more detailed explanation, refer to the iptables man page ("man iptables" on your Linux system) or Rusty Russell's Linux iptables HOWTO.

iptables Command Options

Before entering a discussion of the configuration of iptables, it may be helpful to undertake a *really* short summary of iptables command options.

Chain manipulation (three default chains, INPUT, FORWARD, OUTPUT, are always present):

  1. Create a new chain (-N).
  2. Delete an empty chain (-X).
  3. Change the policy for a built-in chain. (-P).
  4. List the rules in a chain (-L).
  5. Flush the rules out of a chain (-F).

Rule manipulation:

  1. Append a new rule to a chain (-A).
  2. Delete a rule at some position in a chain (-D).

These options allow the user to define the behavior of each incoming or outgoing packet for a simple 2 NIC firewall machine or host-based protection.

Benefits of iptables

Prior to discussing the various tools that have been developed to facilitate configuration of ip tables, I will summarize the important user-level benefits of iptables and, indeed, the whole netfilter architecture as opposed to the previous version of linux firewalling - ipchains.

 

  1. iptables allows setup of *stateful* firewalls. This means that the firewall has a memory of each connection passing through it. This mode is essential for effective configuration of FTP (active ftp) and DNS as well as many other network services.
  2. iptables can filter packets based on any combination of TCP flags and also based on MAC (i.e. hardware) addresses, which can be sometimes helpful for firewalls within LANs
  3. System logging is much more configurable and flexible than with ipchains
  4. Netfilter now has more powerful and easy to use support for network address translation (NAT) and transparent proxies.
  5. iptables can help block some DoS attacks by using the rate limiting for user-defined packet types that can sometimes block SYN floods (makes a nice addition for SYN cookies for host-based protection)

Some more details can be found in "Linux Kernel 2.4 Firewalling Matures: netfilter" by Dave Wreski.

iptables Configuration Tools

Now let's consider the tools that are supposed to help configure Linux iptables firewall. I will take a look at each tool, its features, flexibility and ease of use. Also I will comment on whether it does anything useful right out of the box (knowing that some unfortunate users will choose to just download it, run it and hope for the best, which, needless to say, is a completely wrong approach to applying security measures). The following tools will be included in the discussion:

  1. MonMotha's Firewall 2.3.5 by MonMotha
  2. Firewallscript (iptables 4.4c-3 devel) http://my.netfilter.se/ by Patrik Hildingsson
  3. Ferm-0.0.18 by Auke Kok
  4. AGT-0.83 by Andy Gilligan
  5. Knetfilter-1.2.4 by Luigi Genoni
  6. gShield-2.0.2 by R. Gregory

MonMotha's Firewall 2.3.5

MonMotha's Firewall is a medium-sized (about 30k) bash shell script. It seems that its best use is for host-based protection, as many important netwrok-based options are still under development. The interface (i.e. the way to pass configuration options to iptables) is a bit confusing, especially as it pertains to understanding which connections will be allowed and which ones denied. On the other hand, there is no special configuration file and installation is very easy (just copy the script anywhere). Its default (out of the box or as downloaded) does not do anything and in fact does not run at all. The documentation is almost nonexistent. The script might have some use for dialup users protection or other standalone Linux box that needs to have some firewalling if one is willing to figure out how it works by experimenting.

Firewallscript

Firewallscript (IFS 4.4d) is another monster bash script (85k). This script seems to be suitable for both host-based and network protection. It autogenerates the sample configuration files (which are far from being intuitive) when run the first time. The default, however, does not appear to be workable, at least on the test system. The script allows the configuration firewall together with NAT and masquerading. Since the script is complex and the documentation is lacking, precise tweaking required a lot of reading of the code and running of "iptables -L" to see which chains went up and which were allowed/denied. For those whose favorite pastime is IP-packet tracing, the script will provide hours of quality fun and (wow!) it might also help you with your firewall effort. On the upside, this program will probe and load the required kernel modules for iptables use (unlike several others). This and the previous script might certainly use an "undo" mode, which restores the iptables configuration to the original state.

Ferm

Ferm (which stands for "for easy rule making") is a Perl script that parses the configuration files written in its own C-like language. This language is very easy to read and understand. The script is well documented and the examples provided (which include a number of helpful comments) can be used and studied to make custom rules.

Here is the example rule:

 ----------------------------------------------------------------------------- # simple workstation example for ferm                                                        chain input {                                                                                    if ppp0 # put your outside interface here                                                    {                                                                                                proto tcp goto fw_tcp;                                                                       proto udp goto fw_udp;                                                                       proto icmp goto fw_icmp;                                                                 }                                                                                        } chain fw_tcp proto tcp {                                                                         dport ssh ACCEPT;                                                                            syn DENY log;                                                                                dport domain ACCEPT;                                                                         dport 0:1023 DENY log;                                                                   }                                                                                                                                                                                         chain fw_udp proto udp {                                                                         DENY log;                                                                                }                                                                                                                                                                                                                                                                                      chain fw_icmp proto icmp {                                                                       icmptype (                                                                                       destination-unreachable time-exceeded                                               ) ACCEPT;                                                                                    DENY log;                                                                                } ----------------------------------------------------------------------------- 

This configuration file will cause ferm to write iptables rules to allow outgoing ssh and DNS to pass, block all UDP traffic and allow in only 2 types of ICMP messages, destination-unreachable and time-exceeded, and deny and log the rest. It looks much nicer than several lines of iptables but provides little benefit beyond that. However, even this provides a very important advantage for the complicated rulesets, which do not look very intuitive and which make pose difficulties in following the packet as it travels through them. Configuration files, such as the one above, can be used right out of the box to provide some level of protection.

AGT

AGT is a C program that parses the configuration files to configure iptables. The code seems to be in the early stages of development. Some Makefile editing is required to compile it (no automake support yet). The program is not well documented, but comes with the sample configuration files. Here is the excerpt (with comments removed) from one of the configuration files:

 ----------------------------------------------------------------------------- NEW | FROM-INT                                                                               NEW | RESET                                                                                                                                                                               || FROM-INT | icmp | ACCEPT |||||                                                            || FROM-INT | tcp  | ACCEPT ||||| pop3                                                       || FROM-INT | tcp  | ACCEPT ||||| imap                                                                                                                                                    || RESET | tcp  | REJECT --reject-with tcp-reset |||||             ----------------------------------------------------------------------------- 

This configuration file format, combined with the lack of documentation, presents a serious challenge to iptables configuration. Despite the inclusion of helpful comments, the effort required to understand the structure of the files is better spent on learning iptables. The program does run out of the box.

Knetfilter

Knetfilter is a nice GUI for configuring iptables. Unfortunately, I was only able to test knetfilter-1.2.4 (the last with KDE1 support), so the description is not applicable to knetfilter-2.2.0 (the latest), that is said to have many new features. GUI fans will appreciate its easy way to configure rules for host-based protection, list, save and restore them and also test them (tcpdump network sniffer can also be run from the same panel) in real time with just several mouse clicks. It also provides NAT and masquerading support configuration. Knetfilter does not appear to be the best way to protect a dialup workstation since it requires the local IP for configuration (probe interface only works for eth0 interface and not for ppp0). Documentation for the project is not quite there yet; however, the interface is intuitive enough to be used without the assistance of a manual.

gSshield

gShield (bash shell script) seems to be the most mature tool of the current comparison. It comes with extensive documentation, has reasonably intuitive configuration files with many comments (sample follows) and allows the setup of NAT. It handles both dynamic (typically, bound to ppp0 interface) and static (eth0) IP addresses.

Optional GUI (gShieldConf), which is still in the early stages of development, can be obtained from http://members.home.com/vhodges/gshieldconf.html. However it seems to be compatible with only the early (1.x) versions of gShield.

Here is the sample configuration file with comments removed (excerpt):

 ----------------------------------------------------------- FW_ROOT="/etc/firewall"                                                                      IPTABLES=`which iptables`                                                                    LOCALIF="eth0" DNS="24.31.195.65"                                                                           LTIME="20/m"                                                                                 ALLOW_DHCP_LEASES="YES"                    ... ----------------------------------------------------------- 

gShield runs out of the box with secure settings and is ideal for users who would rather not mess with the configuration files; however, the author wisely recommends at least reading through the entire configuration file. The README states that "adds tcpwrapper-like functionality for access to services" is implemented, which means that to block/allow some service, one should not be required to think in terms of packets flowing in both directions, but rather in terms of what client connects to what server.

Here is the table summarizing the tools.

 ------------------------------------------------------------------------------ TOOL             VERSION   TYPE                       METHOD OF CONF --------------------------------------------------------------------------------- agt              0.82      C program                  confusing                                                       configuration files                   knetfilter       1.2.4     GUI (C++,Qt)               GUI ferm             0.17      perl script                C-like conf language gShield          2.0.3     shell script (opt GUI)     configuration files or GUI MM firewall      2.3.5     shell script               edit script firewall-iptables.sh       shell script               autogenerated                                                       configuration files and                                                       edit script  --------------------------------------------------------------------------------- 

Conclusion

In the opinion of the author, the idea of a tool to configure the reliable firewall for either network protection or host protection (which is significantly simpler than the previous task of network protection) still has not found its implementation, particularly one to be used by people who do not understand the technical details of packet filtering and its Linux implementation together with at least some of the iptables internals. The best way to configure iptables still seems to be "iptables -N" (create a new chain), "iptables -A" (append a new rule to a chain), "iptables -D" (delete a rule in a chain), etc (see the man page for more). In other words, if one can learn to successfully operate some of the tools described herein, one can just as easily learn to configure iptables from the command line. The rest of the tools lack support for some of the iptables features (such as NAT) or use confusing and not well-documented configuration files. However, I hope that such tools will be developed in the future, or that the above tools will mature, as the need exists for the simple firewall configuration support due to widespread use of Linux in an insecure Internet environment.

 

Anton Chuvakin (http://www.chuvakin.org) is in his final year of graduate studies at SUNY (State University of New York) Stony Brook. Upon completing his PhD he intends to pursue a career in information security. Linux is one of his hobbies.

This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.