When setting up a proxy server and the network behind it, the aim is to keep them out of reach of malicious users. Linux comes with several pieces of software that can be used to build a firewall (a network security wall) and NAT, namely IPTABLES.
IPTABLES is the Linux facility, supported directly by the kernel from version 2.4 onward, for system security and several other network needs. IPTABLES can also be used to select packets, whether input, output or forward, based on IP address, network identity, port number, source, destination, protocol used and even the type (state) of the connection to which each packet belongs.
IPTABLES can count packets and apply traffic priorities based on service type. It can be used to define a set of port-based security rules to secure specific hosts, and it can also be used to build a router or gateway, of course only on the Linux operating system.
IPTABLES has tables that determine how a data packet is processed. There are 3 tables, namely:
- Filter. Used to sort and grant ACCEPT/DROP permission to a data packet.
- NAT. Used for network address translation.
- Mangle. Used for QoS.
The simplest IPTABLES configuration handles at least 3 sets of rules called chains. These chains are:
- INPUT. Used to sort data packets entering the firewall machine.
- FORWARD. Used to sort data packets that pass through the firewall machine and are routed on to another path.
- OUTPUT. Used to sort data packets coming out of the firewall machine.
Before we configure the firewall, we must first know the rules we will use. They are the reference for whether our network forwards incoming packets or blocks all packets that try to enter it. Below is the rule syntax that we use as a reference for configuring the firewall.
# iptables -t <TABLE> -I <CHAIN> -p <PROTOCOL> -s <SOURCE-IP/Netmask> -d <DEST-IP/Netmask> -j <ACCEPT/DROP>
Information:
| Rule name              | Option | Description                                                                                   |
|------------------------|--------|-----------------------------------------------------------------------------------------------|
| TABLE                  | -t     | TABLE, can be filter, nat or mangle                                                           |
| CHAIN                  | -I     | CHAIN; if the table is filter it can be INPUT, OUTPUT or FORWARD                              |
| PROTOCOL               | -p     | Protocol, can be tcp, udp, icmp or all                                                        |
| Source IP/Netmask      | -s     | Source IP, the IP address the packet comes from (source)                                      |
| Destination IP/Netmask | -d     | Destination IP, the IP address the packet is going to (destination)                           |
| ACCEPT/DROP            | -j     | ACCEPT/DROP: to allow the data through, use ACCEPT; to disallow it, use DROP                  |
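The following is an added example, not part of the original module: a small shell wrapper around the rule syntax in the reference table that checks the table/chain/protocol/target values (using the filter chains from the table plus the nat and mangle chains the text names later) and prints the resulting command instead of running it. The firewall's own address 192.168.0.1 in the worked case is a constructed value.

```shell
#!/bin/sh
# Added example, not the module's own code. fw_rule validates the fields of the
# reference-table syntax and prints the iptables command for review.
# Caveat: -I inserts at the HEAD of the chain, so rules issued one after another
# end up in reverse order; -A appends and keeps the written order.

# fw_rule TABLE CHAIN PROTOCOL SRC DST TARGET  -> prints the command, returns 1 on bad input
fw_rule() {
    table=$1 chain=$2 proto=$3 src=$4 dst=$5 target=$6
    case "$table" in
        filter) chains=" INPUT OUTPUT FORWARD " ;;
        nat)    chains=" PREROUTING POSTROUTING OUTPUT " ;;
        mangle) chains=" PREROUTING INPUT FORWARD OUTPUT POSTROUTING " ;;
        *) echo "bad table: $table" >&2; return 1 ;;
    esac
    case "$chains" in
        *" $chain "*) ;;
        *) echo "chain $chain is not valid in table $table" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp|icmp|all) ;;
        *) echo "bad protocol: $proto (use tcp, udp, icmp or all)" >&2; return 1 ;;
    esac
    case "$target" in
        ACCEPT|DROP) ;;
        *) echo "bad target: $target (use ACCEPT or DROP)" >&2; return 1 ;;
    esac
    echo "iptables -t $table -I $chain -p $proto -s $src -d $dst -j $target"
}

# Worked case: the firewall machine (constructed address 192.168.0.1) accepts
# packets from the LAN addressed to itself and drops everything else addressed
# to it. The DROP rule is issued first so that, with -I, the ACCEPT lands above it.
lan_only_input() {
    fw_rule filter INPUT all 0.0.0.0/0      192.168.0.1/32 DROP
    fw_rule filter INPUT all 192.168.0.0/24 192.168.0.1/32 ACCEPT
}
```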
1. NAT and IPtables
Network Address Translation (NAT) can be accomplished by the Linux kernel version 2.4 in one of two ways:
- Source NAT (SNAT) is used to hide the origin of packets by mapping the source address of packets going to the external network onto a specific IP address or range of addresses. With this capability, SNAT is commonly used to build a masquerading server.
- Destination NAT (DNAT) is often used to transparently redirect incoming packets to another destination, for example to a machine that functions as a proxy server or SOCKS firewall.
One variant of SNAT is IP Masquerade, which allows several workstations or hosts to connect to the Internet without having an IP address that is recognised on the external network, the Internet. The server that functions as the gateway performs the masquerade using IPTABLES, so that local hosts appear on the Internet under the gateway's IP address rather than the local network host's IP address.
IP masquerading works by substituting addresses and port numbers. The IP address of a packet from the local network is rewritten depending on where the packet is going.
The simple rules are:
- Packets bound for the external network (leaving the local network through the gateway): the packet's source IP address is changed to the IP address of the masquerader machine. The masquerader's IP address is unique on the external network.
- Packets coming from the external network (into the local network through the gateway): the packet's destination address is changed to the local network host's IP address. Machines inside the local network have "private network" addresses that are invalid (unknown) on the external network.
IP Masquerade uses port forwarding to change a packet's IP address. When a packet arrives from the external network, its port number is checked and compared against the contents of the masquerade table. If a matching port is found, the IP address in the packet header is changed and the packet is sent to the de-masqueraded IP address.
There are 3 things to consider in NAT implementation:
- You must add all address translation rules to the chains in the NAT table.
- Unlike the filter table, the nat table uses the PREROUTING, POSTROUTING and OUTPUT chains.
- Load kernel modules to handle specific protocols.
If you have finished building the local network in terms of its topology, meaning that physically the network is complete and your local network is functioning properly, implementing IP Masquerade only requires the following two steps:
1. Use IPTABLES to set up a masquerade rule
The following example masquerades local network packets (192.168.0.0/24) going out to the internet or an external network through the ppp0 interface (dial-up connection):
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
If you are connected to an external network not via a dial-up connection, for example using a wireless radio link connection, then the example IP masquerade command above becomes:
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j SNAT --to-source 64.110.100.141
Where the connection to the external network is via the eth1 interface and the NAT IP address used is 64.110.100.141.
You can also write:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
which means masquerading all packets that go out through eth1. This is done when you do not get a NAT IP address from your ISP and own only one public IP address, the one assigned to eth1. Don't forget to run the service iptables save command so that all the rules created are saved and reloaded when the system is rebooted.
2. Load kernel modules to handle specific protocols.
modprobe -a ip_conntrack_ftp ip_nat_ftp
modprobe -a ip_conntrack_irc ip_nat_irc
You can build a destination NAT that transparently redirects all web-browser packets from local network hosts entering through the eth2 interface (the 3rd ethernet card on the masquerader machine) to a proxy server with the following rule:
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth2 -j DNAT --to-destination 192.168.0.254
where IP address 192.168.0.254 is the proxy server address.
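The two steps above, plus the transparent-proxy redirect, as one script; this is an added example and not the module's own code. It takes the values from the text (LAN 192.168.0.0/24, WAN interface eth1, LAN interface eth2, proxy 192.168.0.254, public address 64.110.100.141) and adds two things the text leaves implicit: an exemption so the proxy's own web traffic is not redirected back to itself, and FORWARD rules, since NAT alone does not permit forwarding. PROXY_PORT and the NAT_APPLY switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the module's own code. nat_rules prints the commands (dry
# run) so they can be reviewed; apply_nat runs them as root. Defaults are the
# values from the text; override them through the environment.
LAN=${LAN:-192.168.0.0/24}
WAN_IF=${WAN_IF:-eth1}
LAN_IF=${LAN_IF:-eth2}
PROXY=${PROXY:-192.168.0.254}
PROXY_PORT=${PROXY_PORT:-}   # assumption: empty keeps port 80 as in the text; e.g. 3128 for Squid
PUBLIC_IP=${PUBLIC_IP:-}     # empty => address assigned dynamically by the ISP => MASQUERADE

nat_rules() {
    # Step 1: source NAT for LAN hosts leaving through the WAN interface.
    # A fixed public address gets SNAT; a dynamic one needs MASQUERADE.
    if [ -n "$PUBLIC_IP" ]; then
        echo "iptables -t nat -A POSTROUTING -s $LAN -o $WAN_IF -j SNAT --to-source $PUBLIC_IP"
    else
        echo "iptables -t nat -A POSTROUTING -s $LAN -o $WAN_IF -j MASQUERADE"
    fi
    # Transparent proxy: exempt the proxy host first (earlier rule in the same
    # chain), otherwise its own outbound port-80 connections loop back into it.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $PROXY -p tcp --dport 80 -j ACCEPT"
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j DNAT --to-destination $PROXY${PROXY_PORT:+:$PROXY_PORT}"
    # NAT only rewrites addresses; the filter table must still permit forwarding,
    # and only LAN-originated traffic (plus its replies) should be forwarded.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -P FORWARD DROP"
}

apply_nat() {
    # Step 2: connection-tracking helpers for FTP and IRC. Module names as in the
    # text (2.4-era kernels); newer kernels name them nf_conntrack_ftp / nf_nat_ftp.
    modprobe -a ip_conntrack_ftp ip_nat_ftp || echo "FTP helper modules not loaded" >&2
    modprobe -a ip_conntrack_irc ip_nat_irc || echo "IRC helper modules not loaded" >&2
    echo 1 > /proc/sys/net/ipv4/ip_forward   # the gateway must route between its interfaces
    nat_rules | while IFS= read -r cmd; do echo "+ $cmd"; $cmd; done
    service iptables save                    # persist across reboots, as the text notes
}

# Run with NAT_APPLY=1 (as root) to apply; otherwise only print the rule list.
if [ "${NAT_APPLY:-0}" = 1 ]; then apply_nat; else nat_rules; fi
```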
2. Conclusion
Just as a house has a fence for protection, whether of wood, concrete walls, barbed wire or a combination of several kinds of fence, it is not surprising that a computer, a vital place in data communication that stores everything we own, should also be protected, namely by a firewall. A firewall is a method or mechanism applied in hardware, software or the system itself with the aim of protecting a segment of a private network by filtering, limiting or even rejecting some or all connections/activities between it and an external network outside its scope. IP addresses, the means of addressing on the Internet, are increasingly a luxury and exclusive item: not just anyone can easily obtain a valid IP address these days. That is why a mechanism is needed to conserve IP addresses. The simple logic of conserving IP addresses is to share one valid IP address among several other IP clients; in other words, several computers can access the Internet even though we only have one valid IP address.
One such mechanism is provided by Network Address Translation (NAT).
3. QUESTIONS
- Explain what a firewall is.
- Name the types of firewall.
- Explain the function and types of NAT.
- What is the background to using NAT, and what are the advantages of using NAT?
- Name the components that a NAT has.