Comprehensive network security

One of the most common examples of firewalls is the one available on Linux distributions, called by IPTables. This firewall, like the majority of packet filtering firewalls is based on rules and access control lists (ACL) that are used to represent and enforce the security policy of the network they are willing to protect, monitor and control.

In IPTables, these ACLs have special characteristics, because they use sophisticated elements and parameters do build a rule based on the security context and need. This means that the administrator is able to build any type of ACL, according to his needs and in line with the privacy and security of the designed policy. In a deeper approach, this firewall is based on a designed formed by three different structures:

·      Rules

Rules are basically the commands passed to the firewall so it can perform a specific action (allow or block). They must be built according to the language configured on the firewall software so it may understand them and need to follow specific patterns to be properly interpreted (Figure 8). In general, rules are similar among many firewall software and appliances, where the main concept of rule is followed by all. It is not difficult to export rules form a firewall to another, as long as the rules language is similar. In IPTables, the rules are stored into chains and processed by order. The first rule is the first to be checked, the second rule is the second to be checked, and so on until the end of all rules. Here, it is important to plan the sequence of rules to be used, because if in wrong order, some content may be block by a previous rule, when it should, indeed, be allowed. Planning firewall rules is a major factor in network administration, though, many firewall software allow the administrator to reorganise the rules after they are configured and saved. Focusing on the specific case of IPTables, new rules are primarily store in the kernel of the operating system, meaning that if the machine is restarted, all the rules content will be deleted and lost. Because of this factor, all rules should be saved in a file to be loaded at each start of the machine. It is true that most times, it is used a dedicated machine to work as firewall only, where the act of restarting it is not as common as a normal personal computer, however, it is also common to be used a large set of rules, where having to configure all of them every time the machine restarts, results in a very heavy task and time consuming.

                                                     Figure 8 – Iptables rule example

 

·      Chains

Storing firewall rules, chains allow the administrator to specify the different type of treatments to be applied to the packets, independently of the table it is focusing on. It is possible to find two different type of chains in IPTables, where the first one, named standard chains include the chains that are already available in the software and can be applied to the general network traffic. The second type are chains created by the administrator himself and are designed to fulfil specific needs.

In the case of standard chains, it is possible to identify the “Prerouting”, consisting of the local machine (firewall machine) incoming traffic and also includes the traffic locally generated and destinated to the local machine. Another standard chain is the “Input”, that targets all the traffic which destination is once again the machine itself. Moreover, “Forward” chain is related to the network traffic that goes through the machine and “Output” consists of the traffic that is locally generated, both with a local or remote destination. This is basically all the traffic that the firewall machine is producing and that is being sent to the network or to the machine itself. The last chain is the “Postrounting” and focuses the traffic that goes out from the machine, including network traffic locally generated and having a local destination as well).

·      Tables

Rules are stored into chains and, consequently, chains are stored into tables, where each table stores chains and rules with the same specific characteristic. Here, there are also three different table types: Filter; NAT and Mangle.

“Filter” is the table responsible by the filtration of all packets that go through the firewall, no matter their destination. This table is used to analyse the network traffic, allowing, or blocking it, according to the table stored rules. When focusing on a firewall, the main identified action is the packet filtration, even though they allow other actions. In this case, it’s the table “Filter” the main responsible one for such packet filtration.

The table “NAT” controls the packets that go through the firewall but having different origins and destinations. NAT, or Network Address Translation, is a mechanism that allows the translation from private addresses to the public one and vice-versa. This table is normally used for communications between the private and public networks, allowing the computers within the private network to access the public one, through one or more public IP addresses.

The last table type is named “Mangle” and allows the manipulation of packet characteristics, such as the type of service. This allows the implementation of quality service, also known as QoS.

In sum, IPTables is a packet filtering firewall available with Linux distributions and allow the control and monitorization of the network and the computer itself. It provided different actions, including “accept”, “drop”, “reject” and “log” configured into rules and personalized chains. As it was mentioned before, there rules need to follow a specific order and must be planed prior their implementation, so all actions are respected and working accordingly to the organization security policy.