Openstack Networking

iptables

Iptables is an extremely flexible firewall utility built for Linux operating systems. It is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it doesn’t find a match, it resorts to the default action.

iptables almost always comes pre-installed on any Linux distribution. To update/install it, just retrieve the iptables package:

sudo apt-get install iptables

"iptables" only maintains firewall rules for IPv4 addresses but it has an IPv6 counterpart called "ip6tables", which can be used to maintain firewall rules for IPv6 network addresses.

 

Types of Chains

iptables uses three different policy chains: input, forward, and output.

Input – It is used to control the behavior for incoming connections. For example, if a user attempts to SSH into your PC/server, iptables will attempt to match the IP address and port to a rule in the input chain.

Output – It is used for outgoing connections. For example, if you try to ping openstack.org, iptables will check its output chain to see what the rules are regarding ping and openstack.org before making a decision to allow or deny the connection attempt.

Forward – It is used for incoming connections that aren’t actually being delivered locally. Think of a router – data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target. Unless you’re doing some kind of routing, NATing(Network Address Translation), or something else on your system that requires forwarding, you won’t even use this chain.

There’s one sure-fire way to check whether or not your system uses/needs the forward chain.

iptables -L -v

 

 

 

 

 

Policy Chain Default Behavior

What do you want iptables to do if the connection doesn’t match any existing rules?

·         To see the currently configured policy chains with unmatched traffic, run the command,

 $sudo iptables –L

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

Usually, you want your system to accept connections by default. The command to accept connections by default:

iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

To deny all connections:

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

 

Connection-specific Responses

There are three most basic and commonly used “responses”.

Accept – Allow the connection.

Drop – Drop the connection, act like it never happened. This is best if you don’t want the source to realize your system exists.

Reject – Don’t allow the connection, but send back an error. This is best if you don’t want a particular source to connect to your system, but you want them to know that your firewall blocked them.

The best way to show the difference between these three rules is to show what it looks like when a PC tries to ping a Linux machine with iptables configured for each one of these settings.

Allowing or Blocking Specific Connections

With your policy chains configured, you can now configure iptables to allow or block specific addresses, address ranges, and ports. In these examples, we’ll set the connections to DROP, but you can switch them to ACCEPT or REJECT, depending on your needs and how you configured your policy chains.

Note: In these examples, we’re going to use iptables -A to append rules to the existing chain. iptables starts at the top of its list and goes through each rule until it finds one that it matches. If you need to insert a rule above another, you can use iptables -I [chain] [number] to specify the number it should be in the list.

·         block all connections from the Single IP address 10.11.33.1.

iptables -A INPUT -s 10.11.33.1 -j DROP

·         to block all of the IP addresses in the 10.11.33.1/24 network range. You can use a netmask or standard slash notation to specify the range of IP addresses. 

iptables -A INPUT -s 10.11.33.1/24 -j DROP     

   or

iptables -A INPUT -s 10.11.33.1/255.255.255.0 -j DROP

·         to block SSH connections from 10.11.33.1.

      iptables -A INPUT -p tcp --dport ssh -s 10.11.33.1 -j DROP

You can replace “ssh” with any protocol or port number. The -p tcp part of the code tells iptables what kind of connection the protocol uses.  If you were blocking a protocol that uses UDP rather than TCP, then -p udp would be necessary instead.

·         to block SSH connections from any IP address.

iptables -A INPUT -p tcp --dport ssh -j DROP

 

Connection States

As we already know, most of the protocols require two-way communication. But, connection states give you the capability you would need to allow two-way communication, but only allow one-way connections to be established.

Example: SSH connections FROM 10.11.33.1 are permitted, but SSH connections TO 10.11.33.1 are not. However, the system is permitted to send back information over SSH as long as the session has already been established, which makes SSH communication possible between these two hosts.

iptables -A INPUT -p tcp --dport ssh -s 10.11.33.1 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -d 10.11.33.1 -m state --state ESTABLISHED -j ACCEPT

·         -A INPUT: The -A flag appends a rule to the end of a chain. This is the portion of the command that tells iptables that we wish to add a new rule, that we want that rule added to the end of the chain, and that the chain we want to operate on is the INPUT chain.

·         -m conntrack: iptables has a set of core functionality, but also has a set of extensions or modules that provide extra capabilities.

·         --ctstate - Define the list of states for the rule to match on. Valid states are:

• NEW - The connection has not yet been seen.
• RELATED - The connection is new, but is related to another connection already permitted.
• ESTABLISHED - The connection is already established.
• INVALID - The traffic couldn't be identified for some reason.

 

Saving Changes

 

The changes that you make to your iptables rules will be scrapped the next time that the iptables service gets restarted unless you execute a command to save the changes.  This command can differ depending on your distribution:

$ sudo /sbin/iptables-save

·         List the currently configured iptables rules:

iptables –L -v

Adding the -v option will give you packet and byte information, and adding -n will list everything numerically. In other words – hostnames, protocols, and networks are listed as numbers.

·         To clear all the currently configured rules, you can issue the flush command.

iptables –F

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

 

When we want to keep two ports open specifically. We want to keep our SSH port, 22 is open. We are also going to assume that this computer is running a web server on the default port 80. The two lines we're going to use to add these rules are:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

where, the options are:

·         -p tcp: This option matches packets if the protocol being used is TCP. This is a connection-based protocol that will be used by most applications because it allows for reliable communication.

·         --dport: This option is available if the -p tcp flag is given. It gives a further requirement of matching the destination port for the matching packet. The first rule matches for TCP packets destined for port 22, while the second rule matches TCP traffic pointed towards port 80.

Often, services on the computer communicate with each other by sending network packets to each other. They do this by utilizing a pseudo network interface called the loopback device, which directs traffic back to itself rather than to other computers.

So if one service wants to communicate with another service that is listening for connections on port 4555, it can send a packet to port 4555 of the loopback device. The rule we need to add is this:

sudo iptables -I INPUT 1 -i lo -j ACCEPT

This looks a bit different than our other commands. Let's go over what it is doing:

·         -I INPUT 1: The -I flag tells iptables to insert a rule. This is different than the -A flag which appends a rule to the end. The -I flag takes a chain and the rule position where you want to insert the new rule.

In this case, we're adding this rule as the very first rule of the INPUT chain. This will bump the rest of the rules down. We want this at the top because it is fundamental and should not be affected by subsequent rules.

·         -i lo: This component of the rule matches if the interface that the packet is using is the "lo" interface. The "lo" interface is another name for the loopback device. This means that any packet using that interface to communicate (packets generated on our server, for our server) should be accepted.

·         To see our current rules, we should use the -S flag. This is because the -L flag doesn't include some information, like the interface that a rule is tied to, which is an important part of the rule we just added:

sudo iptables -S

-P INPUT ACCEPT

-P FORWARD ACCEPT

-P OUTPUT ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

·         Saving your iptables Configuration

By default, the rules that you add to iptables are volatile. This means that when you restart your server, your iptables rules will be gone.

Most users will want a way to automatically save the rules you have created and to load them when the server starts. The easiest way is with the iptables-persistent  package. You can download this from Ubuntu's default repositories:

sudo apt-get update

sudo apt-get install iptables-persistent

During the installation, you will be asked if you would like to save your current rules to be automatically loaded.

UFW

UFW, or Uncomplicated Firewall, is a front-end to iptables. ufw gives a framework for managing netfilter, as well as provides a command-line interface for controlling the firewall. It provides user friendly and easy to use interface for Linux firewall concepts. It’s well-supported and popular in the Linux community—even installed by default in a lot of distributions.

·         To make sure UFW is installed. It should be installed by default in Ubuntu, but if for some reason it’s not, you can install the package using aptitude or apt-get using the following commands:

$sudo dpkg –get-selection | grep ufw à to check, if not installed, then, give the following command to install it.

$ sudo apt-get install ufw

·         To check the status of UFW:

$ sudo ufw status

Right now, it will probably tell you it is inactive. Whenever ufw is active, you’ll get a listing of the current rules that looks similar to this:

Status: active

To               Action      From

--               ------      ----

22               ALLOW       Anywhere

·        To use IPv6 with UFW

To configure ufw both for ipv4 and ipv6:

sudo vi /etc/default/ufw

Then, set  "IPV6" to "yes":

IPV6=yes

Save and quit. Then restart your firewall with the following commands:

$ sudo ufw disable

$ sudo ufw enable

Now UFW will configure the firewall for both IPv4 and IPv6, when appropriate.

Set Up Defaults

One of the things that will make setting up any firewall easier is to define some default rules for allowing and denying connections. UFW’s defaults are to deny all incoming connections and allow all outgoing connections. This means anyone trying to reach your cloud server would not be able to connect, while any application within the server would be able to reach the outside world.

·         To set the defaults used by UFW:

$ sudo ufw default deny incoming

and

$ sudo ufw default allow outgoing

·        Allow Connections

To enable SSH connections to our server:

$ sudo ufw allow ssh

The following command allows a connection on port 22 using the TCP protocol. If our SSH server is running on port 2222, we could enable connections with the following command:

$ sudo ufw allow 22/tcp

$ sudo ufw allow 2222/tcp

Other Connections We Might Need

To allow connection to the web server using tcp, we will apply the following commands:

sudo ufw allow www or sudo ufw allow 80/tcp sudo ufw allow ftp or sudo ufw allow 21/tcp

·         You can also specify port ranges with UFW. To allow ports 1000 through 2000, use the command:

$ sudo ufw allow 1000:2000/tcp

·         If you want UDP:

$ sudo ufw allow 1000:2000/udp

IP Addresses

To allow connections from a specific IP address (say my work or home address):

$ sudo ufw allow from 192.168.255.255

Denying Connections

To deny some of the incoming connections, allow all connections and then restrictively deny ports you didn’t want to give access to by replacing “allow” with “deny” in the commands above. For example:

$ sudo ufw allow 80/tcp        à would allow access to port 80 

$ sudo ufw deny 80/tcp        à would deny access to port 80.

·        Deleting Rules

There are two options to delete rules.

The most straightforward one is to use the following syntax:

$ sudo ufw delete allow ssh

As you can see, we use the command “delete” and input the rules you want to eliminate after that. Other examples include:

$ sudo ufw delete allow 80/tcp

or

sudo ufw delete allow 1000:2000/tcp

A simpler, two-step alternative is to type:

 $ sudo ufw status numbered à will get UFW list out all the current rules in a numbered list.

$ sudo ufw delete [number] à where “[number]” is the line no. from the previous command.

To enable ufw:

$ sudo ufw enable

You can check the status of your rules now by typing:

$ sudo ufw status

To turn UFW off / disable:

$ sudo ufw disable

·         to reset your cloud server’s rules to their default settings:

$ sudo ufw reset

AppArmor

• AppArmor is an important security feature that’s been included by default with Ubuntu since Ubuntu 7.10. However, it runs silently in the background, so you may not be aware of what it is and what it’s doing. AppArmor locks down vulnerable processes.

• AppArmor is a Mandatory Access Control or MAC system. It uses Linux Security Module to restrict programs. AppArmor sets up a collection of default application profiles (where profiles are simple text files) that are loaded into kernel typically on boot, epsecially to protect Linux services. AppArmor's security model is to bind access control attributes to programs rather than to users.

You can also protect any other applications running on your system by creating profile files yourself.

In Ubuntu, AppArmor is installed and enabled by default. The apparmor profiles get loaded when system starts.

AppArmor operates in the following two types of profile modes:

1.    Enforce – Profiles loaded in enforcement mode will result in enforcement of the policy defined in the profile as well as reporting policy violation attempts (either via syslog or auditd).

2.    Complain – Profiles in complain mode will not enforce policy but instead report policy violation attempts.

Additional profiles can be found in apparmor-profiles package.

Apparmor is path-based, it allows mixing of enforcement and complain mode profiles, it uses include files to ease development. AppArmor is particularly useful for restricting software that may be exploited, such as a web browser or server software.

·         View Apparmor Status

You can view the current status of apparmor and all the profiles loaded:

$ sudo apparmor_status

apparmor module is loaded.

5 profiles are loaded.

5 profiles are in enforce mode.

   /sbin/dhclient

   /usr/lib/NetworkManager/nm-dhcp-client.action

   /usr/lib/connman/scripts/dhclient-script

   /usr/sbin/mysqld

   /usr/sbin/tcpdump

0 profiles are in complain mode.

2 processes have profiles defined.

2 processes are in enforce mode.

   /sbin/dhclient (585)

   /usr/sbin/mysqld (799)

0 processes are in complain mode.

0 processes are unconfined but have a profile defined.

If we check the above output we could see 5 profiles are in Enforce mode.

Change Profile Mode

·         To set a profile in complain mode, first install apparmor-utils package if it is not already installed.

$sudo apt-get install apparmor-utils

·         Use aa-complain command to set a profile in complain mode. For example, enable complain mode for mysqld.

$sudo aa-complain /usr/sbin/mysqld

setting /usr/sbin/mysqld to complain mode

·         Use aa-enforce command to set a profile in enforce mode. For example, enable enforce mode for mysqld.

$sudo aa-enforce /usr/sbin/mysqld

setting /usr/sbin/mysqld to enforce mode

AppArmor Profile Files

AppArmor profiles are text files located under /etc/apparmor.d/ directory. It can be used to manipulate the mode of all profiles. The files are named after the full path to the executable they profile, but replacing the “/” with “.”.

For example, ping command is located in /bin/ping. The equivalent AppArmor profile file will be named as bin.ping

·         To place all profiles into complain mode:

$ sudo aa-complain /etc/apparmor.d/*

·         To place all profiles in enforce mode:

$ sudo aa-enforce /etc/apparmor.d/*

·         apparmor_parser is used to load a profile into the kernel. It can also be used to reload a currently loaded profile using the -r option.

§  To load a profile:

$ cat /etc/apparmor.d/profile.name | sudo apparmor_parser –a

§  To reload a profile:

$ cat /etc/apparmor.d/profile.name | sudo apparmor_parser –r

·         service apparmor can be used to reload all profiles:

§  $ sudo service apparmor reload

·         The /etc/apparmor.d/disable directory can be used along with the apparmor_parser -R option to disable a profile.

$ sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/

$ sudo apparmor_parser -R /etc/apparmor.d/profile.name

·         To re-enable a disabled profile remove the symbolic link to the profile in /etc/apparmor.d/

disable/. Then load the profile using the -a option.

$ sudo rm /etc/apparmor.d/disable/profile.name

$ cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

• AppArmor can be disabled, and the kernel module unloaded by entering the following:

$ sudo service apparmor stop

$ sudo update-rc.d -f apparmor remove

• To re-enable AppArmor enter:

$ sudo service apparmor start

$ sudo update-rc.d apparmor defaults