CN Lab4 Online


Facultatea de Electronică şi Telecomunicaţii

Communications Networks Laboratory 4

Laboratory 4 – Packet filtering

Part 1. Netfilter. Iptables.


1. Introduction
The Linux kernel comes with a packet filtering framework named netfilter. It allows you to
accept, drop and modify traffic entering and leaving a system. The iptables tool builds upon
this functionality to provide a powerful firewall, which you can configure by adding rules. In
addition, other programs such as fail2ban also use iptables to block attackers.
Iptables is just a command-line interface to the packet filtering functionality in netfilter.
The packet filtering mechanism provided by iptables is organized into three kinds of
structures: tables, chains and targets. Simply put, a table is something that allows you to
process packets in specific ways. The default table is the filter table, although there are other
tables too.
These tables have chains attached to them. Chains allow you to inspect traffic at various
points, such as when packets have just arrived on the network interface or just before they are
handed over to a process. You add rules to a chain to match specific packets, such as TCP
packets going to port 80, and associate each rule with a target. A target decides the fate of a
packet, such as allowing or rejecting it.
When a packet arrives (or leaves, depending on the chain), iptables matches it against the rules
in the chain one by one. When it finds a match, it jumps to the target and performs the
action associated with it. If no rule matches, it simply does what the default policy of the
chain tells it to. The default policy is also a target. By default, all chains have a default
policy of allowing packets [3].
Tables
As we’ve mentioned previously, tables allow you to do very specific things with packets. On
modern Linux distributions, there are four tables:
o The filter table: This is the default and perhaps the most widely used table. It is used
to make decisions about whether a packet should be allowed to reach its destination.
o The mangle table: This table allows you to alter packet headers in various ways,
such as changing TTL values.
o The nat table: This table allows you to route packets to different hosts on NAT
(Network Address Translation) networks by changing the source and destination
addresses of packets. It is often used to allow access to services that can’t be
accessed directly, because they’re on a NAT network.
o The raw table: iptables is a stateful firewall, which means that packets are inspected
with respect to their “state”. (For example, a packet could be part of a new
connection, or it could be part of an existing connection.) The raw table allows you to
work with packets before the kernel starts tracking its state. In addition, you can also
exempt certain packets from the state-tracking machinery.


Chains
Each of these tables is composed of a few default chains. These chains allow you to
filter packets at various points. The chains iptables provides are [3]:
• The PREROUTING chain: Rules in this chain apply to packets as they just arrive on
the network interface. This chain is present in the nat, mangle and raw tables.
• The INPUT chain: Rules in this chain apply to packets just before they’re given to a
local process. This chain is present in the mangle and filter tables.
• The OUTPUT chain: The rules here apply to packets just after they’ve been produced
by a process. This chain is present in the raw, mangle, nat and filter tables.
• The FORWARD chain: The rules here apply to any packets that are routed through
the current host. This chain is only present in the mangle and filter tables.
• The POSTROUTING chain: The rules in this chain apply to packets as they just leave
the network interface. This chain is present in the nat and mangle tables.
Throughout this lab the chains INPUT, OUTPUT and FORWARD will be used. The differences
between these chains can be summarized in the following way:
• INPUT: packets coming from the network and going to router/server.
• OUTPUT: packets originating from the router/server and going to the network.
• FORWARD: packets forwarded by the router, if/when it acts as a router between
different networks.
Targets
As we’ve mentioned before, chains allow you to filter traffic by adding rules to them. So for
example, you could add a rule on the filter table’s INPUT chain to match traffic on port 22.
But what would you do after matching them? That’s what targets are for — they decide the
fate of a packet.
Some targets are terminating, which means that they decide the matched packet’s fate
immediately. The packet won’t be matched against any other rules. The most commonly
used terminating targets are [3]:
o ACCEPT: This causes iptables to accept the packet.
o DROP: iptables drops the packet. To anyone trying to connect to your system, it
would appear like the system didn’t even exist.
o REJECT: iptables “rejects” the packet. It sends a “connection reset” packet in case
of TCP, or a “destination host unreachable” packet in case of UDP or ICMP.
On the other hand, there are non-terminating targets, which let the packet continue to be
matched against other rules even after a match was found. An example of this is the built-in
LOG target. When a matching packet is received, it writes an entry to the kernel log, but
iptables keeps matching the packet against the rest of the rules too.
Sometimes, you may have a complex set of rules to execute once you’ve matched a packet.
To simplify things, you can create a custom chain. Then, you can jump to this chain from
another chain.


Defining Chain Rules


Defining a rule means appending it to a chain [4]. To do this, you insert the -A
option (Append) right after the iptables command, like so:
• sudo iptables -A
This tells iptables that you are adding a new rule to a chain. Then, you can combine the
command with other options, such as:
• -i (interface) — the network interface whose traffic you want to filter, such as
eth0, lo, ppp0, etc.
• -p (protocol) — the network protocol on which your filtering takes place. It
can be tcp, udp, icmp, sctp, icmpv6, and so on. Alternatively, you can type all
to choose every protocol.
• -s (source) — the address from which the traffic comes. You can give a hostname
or an IP address.
• --dport (destination port) — the destination port number of a protocol, such
as 22 (SSH), 443 (HTTPS), etc.
• -j (target) — the target name (ACCEPT, DROP, RETURN). You need to give
this every time you make a new rule.

If you want to use all of them, you must write the command in this order:
• sudo iptables -A <chain> -i <interface> -p <protocol (tcp/udp)> -s <source> --dport <port no.> -j <target>

Deleting Rules
If you want to remove all rules and start with a clean slate, you can use the -F option (flush)[4]:
• sudo iptables -F
This command erases all current rules. However, to delete a specific rule, you must use the
-D option. First, you need to see all the available rules by entering the following command:
• sudo iptables -L --line-numbers
You will get a list of rules with numbers:

Chain INPUT (policy ACCEPT)
num  target  prot opt source        destination
1    ACCEPT  all  --  192.168.0.4   anywhere
2    ACCEPT  tcp  --  anywhere      anywhere      tcp dpt:https
3    ACCEPT  tcp  --  anywhere      anywhere      tcp dpt:http
4    ACCEPT  tcp  --  anywhere      anywhere      tcp dpt:ssh

To delete a rule, insert the corresponding chain and the number from the list. Let’s say for
this iptables tutorial, we want to get rid of rule number three of the INPUT chain. The
command should be:
• sudo iptables -D INPUT 3

Examples
The most common use for a firewall is to block IP addresses [3].

• iptables -t filter -A INPUT -s 59.45.175.62 -j REJECT

The -t switch specifies the table in which our rule would go into — in our case, it’s the filter
table.
The -A switch tells iptables to “append” it to the list of existing rules in the INPUT chain.
The -s switch simply sets the source IP that should be blocked.
Finally, the -j switch tells iptables to “reject” traffic by using the REJECT target. If you want
iptables to not respond at all, you can use the DROP target instead.

• iptables -A INPUT -s 59.45.175.62 -j REJECT

To block a range of IP addresses one can use CIDR notation.

• iptables -A INPUT -s 59.45.175.0/24 -j REJECT

Iptables can be used to block protocols, too. For example, to block all incoming ICMP traffic,
one simply needs to specify the protocol.

• iptables -A INPUT -p icmp -j DROP

A more complex example:

• iptables -A INPUT -p tcp -m tcp --dport 22 -s 59.45.175.0/24 -j DROP

It blocks SSH access for an IP range. First, all TCP traffic is matched with -p tcp. In order
to check the destination port, you must first load the tcp match module with -m tcp. Next,
you check whether the traffic is intended for the SSH destination port by using --dport 22.
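The rule-number listing shown under "Deleting Rules" is easy to misread by hand when several rules look alike (dpt:http versus dpt:https), and deleting by number renumbers every rule below the deleted one. The following POSIX shell functions, an added example that is not part of the lab text or of iptables itself, read such a listing and print the matching rule numbers and the corresponding iptables -D commands. The listing is a constructed copy of the sample above; the function names rule_number_for and delete_commands are this example's own.

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT --line-numbers` output, copied from the
# listing in the text above (not captured from a live host).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target  prot opt source        destination
1    ACCEPT  all  --  192.168.0.4   anywhere
2    ACCEPT  tcp  --  anywhere      anywhere      tcp dpt:https
3    ACCEPT  tcp  --  anywhere      anywhere      tcp dpt:http
4    ACCEPT  tcp  --  anywhere      anywhere      tcp dpt:ssh'

# rule_number_for WORD: reads a listing on stdin and prints the number of the
# first rule that has WORD as a whole column. Whole-column comparison matters:
# a substring search for "dpt:http" would also hit the "dpt:https" rule.
rule_number_for() {
    awk -v pat="$1" '
        function has(p,   i) { for (i = 2; i <= NF; i++) if ($i == p) return 1; return 0 }
        $1 ~ /^[0-9]+$/ && has(pat) { print $1; exit }
    '
}

# delete_commands CHAIN WORD: prints one "iptables -D CHAIN N" line per matching
# rule, highest number first. Deleting a rule renumbers every rule below it, so
# deleting from the bottom up keeps the remaining numbers valid. Exits with
# status 1 when nothing matches, so a caller does not silently delete nothing.
delete_commands() {
    awk -v chain="$1" -v pat="$2" '
        function has(p,   i) { for (i = 2; i <= NF; i++) if ($i == p) return 1; return 0 }
        $1 ~ /^[0-9]+$/ && has(pat) { nums[n++] = $1 }
        END {
            if (n == 0) exit 1
            for (i = n - 1; i >= 0; i--) printf "iptables -D %s %s\n", chain, nums[i]
        }
    '
}

# Demonstration on the constructed listing. On a real host you would pipe in
# `iptables -L INPUT --line-numbers` instead and run the printed commands as root.
printf '%s\n' "$SAMPLE_LISTING" | rule_number_for dpt:http
printf '%s\n' "$SAMPLE_LISTING" | delete_commands INPUT tcp
```

On the sample listing rule_number_for dpt:http prints 3, and delete_commands INPUT tcp prints the deletions for rules 4, 3 and 2 in that order, which is the order in which they can be run without the numbers shifting underneath you.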


2. Experimental part
RIP configuration through zebra configuration file.
Traffic filtering with Iptables will be configured in this section.
Network topology
The network topology is presented in Figure 1.

[Figure 1 residue: topology diagram with routers r1 to r5, hosts C1 to C4 and the Internet reached through r5. Recoverable network labels: A: 100.X.1.0/24 (C1), B: 100.X.2.0/24 (C2), C: 100.X.3.0/24 (C3), D: 100.X.4.0/24 (C4), E: 100.X.0.0/30, F: 100.X.0.4/30, G: 100.X.0.8/30, H: 100.X.0.12/30, K: 100.1.0.16/30, L: 192.168.X.0/30 (between r4 and r5), I: 10.10.X.0/24 (between r5 and the Internet). Each host's eth0 is the .2 address of its network and the router interface on that network is .1.]

Figure 1: Network topology

Inside the netkit folder create a new folder lab3. Inside the lab3 folder create the
structure of subdirectories and files associated with the topology. The topology is the same
as the one used in lab 2. Copy the configuration files from lab 2. If you didn’t save the
work for lab 2, please revisit the ACNPS_lab2_online.pdf file to remember how to do it.
Instead of configuring Zebra and RIP by inserting configuration commands from the vtysh after
the lab topology is started, the commands will be loaded at startup from the configuration
files daemons and ripd.conf. So, this time the configuration for the RIP protocol will be
inserted in the ripd.conf file before starting the lab, while the selection of the daemons
that will be started will be configured in the daemons file.


To achieve this, in each router’s folder, a new folder, etc, will be created, followed by the
creation of a directory named zebra inside it (Figure 2).

Figure 2: The Zebra configuration files located in the folder r1/etc/zebra

In zebra folder the configuration files, daemons and ripd.conf, will be created.
The daemons file will have the same content for each router (Figure 9 in ACNPS_lab2_online
file). We will configure zebra and ripd daemons to be started at startup:
• zebra=yes
• bgpd=no
• ospfd=no
• ospf6d=no
• ripd=yes
• ripngd=no

On each of the routers r1 to r4 the ripd.conf will contain the configuration commands for
the RIP protocol. In Figure 3a, the content of the ripd.conf file on router r1 is shown.

Figure 3a: The content of ripd.conf file on router r1


On r4 the RIP configuration is a little different, because it must tell RIP to advertise the network
192.168.1.0/30 and to distribute the default route inside the domain (Figure 3b):

Figure 3b: The content of ripd.conf file on router r1


Also, don’t forget to add the default route on r4 after the lab is started.
To avoid starting the zebra daemon manually after the lab’s startup, insert in the routers’ startup
files the command to start zebra. In Figure 4, the content of r1.startup is shown.

Figure 4: The content of r1.startup file

Start the lab with lstart command:


• ~/netkit/lab2$ kathara lstart
Check that ping is working between the machines.

Q1: Insert in the lab report captures with the routing tables on r4 and r3.


Study of Iptables
Traffic filtering with Iptables will be configured in this section.
1. Basic traffic filtering – input traffic
In this section IP traffic originated from the c1’s IP address will be rejected by c3. The traffic
filter will be installed on C3 machine. It will reject the packets coming from C1 machine.
• On C1 machine ping the C3 machine
o C1:~# ping 100.X.3.2
• Does ping work?
On C3 build a script that will install an iptables rule to reject the traffic coming from C1.
The script will be named filter-script.sh and will contain the lines:
• #!/bin/sh
• iptables -A INPUT -s 100.X.1.2 -j DROP
To edit the file use the nano editor (or another available editor):
• C3:~# nano filter-script.sh
Use the command ls to check the access rights of the filter-script.sh file.
• C3:~# ls -l
After the file is edited and saved make it executable with the command:
• C3:~# chmod a+rx filter-script.sh

Q2: Insert in the lab report a capture with the content of the filter-script.sh file.

Use the command ls to recheck the access rights of the filter-script.sh file.
• C3:~# ls -l
Before running the script inspect the iptables rules with the command:
• C3:~# iptables -L -v

Q3: Insert a capture with the output of the iptables -L -v command.

Run the script with the command:
• C3:~# ./filter-script.sh
Inspect the iptables rules with the command:
• C3:~# iptables -L -v


Q4: Insert a capture with the output of the iptables -L -v command.

Check that the filter is working:


• On C1 machine ping the C3 machine
o C1:~# ping 100.1.3.2

Q5: Does ping work? Why? Does c1 receive any message?

Q6: Use tcpdump to capture the messages received by c3. Does c3 receive any
message? What messages? Does it reply to c1?

Remove the iptables rules.


• iptables -F

Modify the script by replacing the DROP target with REJECT.


Run the script again to install the new rule.

Q7: Does ping work? Why?


Q8: Does c1 receive any message? What message?

Remove the iptables rules.

2. Basic traffic filtering – forward traffic


Implement a filtering rule on router r4 to filter traffic coming from c2 and directed to c4. Use
INPUT chain to define the rule.
• iptables -A INPUT -s 100.X.2.2 -j DROP
Apply the rule on router r4 using a filtering script like the one on c3.
Try to ping c4 from c2.
Q9: Does ping work when INPUT chain is used? Why?

Remove iptables rules.

Modify the filtering rule by replacing INPUT with FORWARD and apply it running the script.

Q10: Insert a capture with the output of the iptables -L -v command.

Q11: Does ping work when FORWARD chain is used? Why?


Try to ping c4 from c1.


Q12: Does ping work when FORWARD chain is used? Why?

Remove the iptables rules.


Modify the filtering rule such as to make ping from c1 to c4 work, while ping from c2 to c4
not. Apply it running the script.

Q13: Insert a capture with the output of the iptables -L -v command.
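Sections 1 and 2 reuse one script while changing the target (DROP versus REJECT) and the chain (INPUT versus FORWARD). The following script, an added example rather than the lab's own filter-script.sh, takes those choices as arguments so the same file serves c3 and r4. Everything in it is this example's own: the run wrapper, the DRY_RUN variable that prints the commands instead of executing them (a real run needs root on the lab machine), the function install_source_filter, and the addresses, which assume X=1 and take c4's address 100.1.4.2 from the D network in Figure 1.

```shell
#!/bin/sh
# Added example, not the lab's own filter-script.sh: installs one source-based
# rule in a chosen chain with a chosen target. DRY_RUN=1 prints the iptables
# commands instead of executing them (the real run needs root).
run() {
    if [ -n "$DRY_RUN" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# install_source_filter CHAIN TARGET SOURCE [DEST]
# Flushes CHAIN first so re-running the script replaces the old rule instead of
# stacking a second copy, then appends "-s SOURCE [-d DEST] -j TARGET".
# Only INPUT, OUTPUT and FORWARD are accepted, and only terminating targets:
# on r4 a rule in INPUT never sees c2's packets to c4 because they are routed
# through, not delivered locally, which is what the FORWARD variant is for.
install_source_filter() {
    chain=$1; target=$2; src=$3; dst=$4
    case "$chain" in
        INPUT|OUTPUT|FORWARD) ;;
        *) echo "chain must be INPUT, OUTPUT or FORWARD: '$chain'" >&2; return 1 ;;
    esac
    case "$target" in
        DROP|REJECT) ;;
        *) echo "target must be DROP or REJECT: '$target'" >&2; return 1 ;;
    esac
    run -F "$chain"
    if [ -n "$dst" ]; then
        run -A "$chain" -s "$src" -d "$dst" -j "$target"
    else
        run -A "$chain" -s "$src" -j "$target"
    fi
}

# Run only when executed as filter-script.sh; when sourced, just define the
# functions. Defaults reproduce the lab's first rule (INPUT, DROP, c1 with X=1).
if [ "${0##*/}" = "filter-script.sh" ]; then
    install_source_filter "${1:-INPUT}" "${2:-DROP}" "${3:-100.1.1.2}" "$4"
fi
```

On c3 the section 1 steps become ./filter-script.sh INPUT DROP 100.1.1.2 and then ./filter-script.sh INPUT REJECT 100.1.1.2; on r4 the section 2 rule that blocks only c2 to c4 while leaving c1 untouched is ./filter-script.sh FORWARD DROP 100.1.2.2 100.1.4.2. Prefixing DRY_RUN=1 shows what would be installed before touching the live ruleset.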

3. Filtering protocols
More complex filtering rules can be implemented with iptables. For example, the packets of a
given protocol can be filtered. In this section the ICMP packets will be filtered on the C4
machine.
Implement filtering rules to filter on c4 the ICMP packets coming from networks
100.1.2.0/24 and 100.1.1.0/24. Use INPUT chain and DROP target. Write the
commands in a script file filter_icmp.sh, make it executable, and run the script to install
the iptables rules.
• Check that the filtering is working using ping command on C1 and C2.

Q12: Insert a capture with the output of the iptables -L -v command.

Q13: Insert captures with the output of the ping command from C2 and C3 to C4.
Does ping work on c3? Why?

Remove the iptables rules.

Replace the INPUT chain with OUTPUT chain in the script. Run the script again.

Q14: Does ping from C1 and C2 to C4 work when OUTPUT chain is used? Why?

Q15: Insert a capture with the output of the iptables -L -v command.

Remove the iptables rules.


Implement filtering rules to block ssh and telnet access from network 100.1.3.0/24 on
c1. Use REJECT as target for the filtering rules.
• Check that the filtering rule is working.

Q16: Insert the content of the script in the lab report.

Q17: Insert a capture in the lab report with c3 trying to connect via ssh and telnet
on c1.

Q18: Insert a capture in the lab report with c2 trying to connect via ssh and telnet
on c1.

Implement a filtering script on router r4 to block ping from Internet to the local domains A
and B. Use DROP as target for the filtering rules. Check that the filtering rule is working.

Q19: Insert a capture in the lab report with router r5 trying to ping c2.

Q20: Insert the content of the script in the lab report.
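Section 3 asks for three rule sets: ICMP dropped on c4 from two source networks, SSH and telnet rejected on c1 from network C, and pings from the Internet dropped on r4 before they reach domains A and B. The following builders, an added example and not the lab's own filter_icmp.sh, produce each of them from a list of networks or ports. The run wrapper, the DRY_RUN variable, the three function names and the X=1 addresses are this example's own assumptions, and so is the interface name passed to the router builder: the figure does not say which r4 interface faces r5, so check it with ip addr on r4 before using it.

```shell
#!/bin/sh
# Added example, not the lab's own filter_icmp.sh: builders for the rules asked
# for in section 3. DRY_RUN=1 prints the iptables commands instead of executing
# them (the real run needs root on the lab machine).
run() {
    if [ -n "$DRY_RUN" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# drop_proto_from_nets CHAIN PROTO NET...: one DROP rule per source network,
# e.g. ICMP from 100.1.2.0/24 and 100.1.1.0/24 in INPUT on c4.
drop_proto_from_nets() {
    chain=$1; proto=$2; shift 2
    [ $# -gt 0 ] || { echo "drop_proto_from_nets: no source network given" >&2; return 1; }
    for net in "$@"; do
        run -A "$chain" -p "$proto" -s "$net" -j DROP
    done
}

# reject_tcp_ports_from NET PORT...: REJECT inbound TCP to each port from NET.
# "-m tcp" comes before "--dport" because --dport belongs to the tcp match module.
reject_tcp_ports_from() {
    net=$1; shift
    [ $# -gt 0 ] || { echo "reject_tcp_ports_from: no port given" >&2; return 1; }
    for port in "$@"; do
        run -A INPUT -p tcp -m tcp --dport "$port" -s "$net" -j REJECT
    done
}

# drop_icmp_forwarded_to IFACE NET...: on a router, drop ICMP that arrives on
# IFACE and is routed towards NET. Matching on the ingress interface as well as
# the destination blocks pings coming from the Internet side only, so pings
# between the local domains still pass through r4.
drop_icmp_forwarded_to() {
    iface=$1; shift
    [ $# -gt 0 ] || { echo "drop_icmp_forwarded_to: no destination network given" >&2; return 1; }
    for net in "$@"; do
        run -A FORWARD -i "$iface" -p icmp -d "$net" -j DROP
    done
}

# Executed directly on c4 this installs the ICMP rules of section 3 (X=1 assumed);
# the other builders are meant to be called from copies of the file on c1 and r4.
if [ "${0##*/}" = "filter_icmp.sh" ]; then
    drop_proto_from_nets INPUT icmp 100.1.2.0/24 100.1.1.0/24
fi
```

On c1 the SSH/telnet rules are reject_tcp_ports_from 100.1.3.0/24 22 23; on r4, with the r5-facing interface assumed to be eth0, the Internet-to-A/B ping block is drop_icmp_forwarded_to eth0 100.1.1.0/24 100.1.2.0/24. In every case iptables -L -v afterwards shows the rule counters, which is the quickest way to confirm that the pings or connection attempts from the expected side are the ones being counted.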

References:
1. http://wiki.netkit.org/netkit-labs/netkit-labs_basic-topics/netkit-lab_arp/netkit-lab_arp.pdf
2. http://wiki.netkit.org/netkit-labs/netkit-labs_basic-topics/netkit-lab_quagga/netkit-lab_quagga.pdf
3. https://www.booleanworld.com/depth-guide-iptables-linux-firewall/
4. https://www.hostinger.com/tutorials/iptables-tutorial
