Teach you how to use Linux firewall to isolate local spoofed addresses!

How to use iptables firewall to protect your network from hackers.

Even in remote networks protected by intrusion detection and isolation systems, hackers are still finding various sophisticated ways to invade. IDS/IPS cannot stop or reduce attacks by hackers who want to take over control of your network. Improper configuration allows an attacker to bypass all deployed security measures.

In this article, I will explain how a security engineer or system administrator can avoid these attacks.

Almost all Linux distributions come with a built-in firewall to protect processes and applications running on the Linux host. Most firewalls are designed as IDS/IPS solutions. The main purpose of such a design is to detect and prevent malicious packets from gaining entry into the network.

Linux firewalls usually have two interfaces: iptables and ipchains programs (LCTT translation: on systems that support systemd, the newer interface firewalld is used). Most people refer to these interfaces as iptables firewall or ipchains firewall. Both interfaces are designed as packet filters. iptables is a stateful firewall that makes decisions based on previous packets. ipchains does not make decisions based on previous packets, it is designed to be a stateless firewall.

In this article, we will focus on the iptables firewall that appeared after kernel 2.4.

With iptables firewall, you can create policies or ordered rule sets that tell the kernel how to treat specific packets. In the kernel is the Netfilter framework. Netfilter is both the framework and the project name of the iptables firewall. As a framework, Netfilter allows iptables hooks to be designed to manipulate packet functionality. In a nutshell, iptables relies on the Netfilter framework to build functionality such as filtering packet data.

Each iptables rule is applied to a chain in a table. An iptables chain is a set of rules that compare packages for similar characteristics. Tables (such as nat or mangle) describe different functional directories. For example, the mangle table is used to modify package data. Therefore, specific rules for modifying packet data are applied here; and filtering rules are applied to the filter table because the filter table filters packet data.

An iptables rule has a match set, and a target such as Drop or Deny, which tells iptables what to do with a packet to comply with the rule. Therefore, without targets and match sets, iptables cannot process packets efficiently. If a packet matches a rule, the target points to a specific action that will be taken. On the other hand, in order for iptables to process it, each packet must match before it can be processed.

Now that we know how iptables firewall works, let’s look at how to use iptables firewall to detect and reject or drop spoofed addresses.

As a security engineer, when dealing with remote spoofed addresses, the first step I take is to turn on source address verification in the kernel.

Source address verification is a kernel-level feature that drops packets pretending to come from your network. This feature uses the reverse path filter method to check whether the source address of a received packet is reachable through the interface on which the packet arrived. (LCTT translation annotation: The source address of the arriving packet should be reachable in the reverse direction from the network interface it arrived on. This effect can be achieved by simply reversing the source address and destination address)

Use the following simple script to turn on source address verification without manual operation:

#!/bin/sh #作者: Michael K Aboagye #程序目标: 打开反向路径过滤 #日期: 7/02/18 #在屏幕上显示 “enabling source address verification” echo -n "Enabling source address verification…" #将值0覆盖为1来打开源地址验证 echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter echo "completed"

When the above script is executed, it only displays the message Enabling source address verification and does not wrap the line. The default reverse path filtering value is 0, which means no source verification. Therefore, the second line simply overrides the default value of 0 to 1. 1 means that the kernel will verify the source address by confirming the reverse path.

Finally, you can use the following command to drop or reject spoofed addresses from the remote host by selecting one of the DROP or REJECT targets. However, for security reasons, I recommend using the DROP target.

Replace the IP-address placeholder with your own IP address like below. In addition, you must choose to use either REJECT or DROP, not both at the same time.

iptables -A INPUT -i internal_interface -s IP_address -j REJECT / DROP iptables -A INPUT -i internal_interface -s 192.168.0.0/16 -j REJECT / DROP

This article only provides basic knowledge on how to use iptables firewall to avoid remote spoofing attacks.

The above is the detailed content of Teach you how to use Linux firewall to isolate local spoofed addresses!. For more information, please follow other related articles on the PHP Chinese website!