InfoSecter Support Notes for Iptables
Supported features
The analysis support concentrates on the firewall features. In particular, InfoSecter reports include the following actions:
- permit or deny, the basic firewall filtering actions that result from the iptables ACCEPT, REJECT, and DROP terminal actions.
- translate, the address translation that results from the SNAT, DNAT, and MASQUERADE iptables actions.
- The iptables LOG action is parsed but not currently tracked.
The tool analyzes the match options for each chain entry. It also models the cumulative matches that result from jumps (-j) or gotos (-g) to user-defined chains, and it correctly models non-terminal RETURN actions from those user-defined chains.
Specifically, InfoSecter uses the following match options in tracking how packets will be processed:
- --in-interface / -i and --out-interface / -o specify which interface the packets arrive on or leave through.
- --protocol / -p, --source / -s, and --destination / -d specify the protocol, source address, and destination address of the packets of interest.
- -m icmp --icmp-type type indicates which ICMP types this rule tracks.
- -m (tcp|udp) [ -p protocol ] with port matching specifies the TCP or UDP ports that this rule applies to.
- -m state --state state-list indicates the connection states affected by this rule. iptables configurations often broadly accept ESTABLISHED and RELATED connections but have specific rules for NEW connections.
- -m iprange (--src-range | --dst-range) range specifies the source or destination addresses of the packets as ranges rather than networks.
- -m multiport (--source-ports | --destination-ports | --ports) port-list specifies multiple ranges of source or destination ports.
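As an added illustration, not InfoSecter's own code or output, the following Python model walks an invented iptables-save style ruleset the way the notes above describe: it applies the -i, -p, -m state, -s and -m iprange matches, follows -j and -g into a user-defined chain, and treats a RETURN from that chain as fall-through in the calling chain. The built-in chain policy (DROP) and the rule that every option takes exactly one value are assumptions of the example.

```python
import ipaddress
# Constructed iptables-save style ruleset, invented for this example (not from the page).
RULES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j SSH_CHECK
-A INPUT -j DROP
-A SSH_CHECK -s 10.0.0.0/8 -j ACCEPT
-A SSH_CHECK -m iprange --src-range 192.168.1.10-192.168.1.20 -j ACCEPT
-A SSH_CHECK -j RETURN"""
POLICY, TERMINAL = "DROP", {"ACCEPT", "DROP", "REJECT"}   # assumed policy of the built-in chain

def parse(text):
    """Split '-A CHAIN <matches> -j/-g TARGET' lines into per-chain rule lists."""
    chains = {}
    for line in text.splitlines():
        tok, rule = line.split(), {"match": {}, "target": None, "goto": False}
        for opt, val in zip(tok[::2], tok[1::2]):   # every option used here takes one value
            if opt == "-A": chain = val
            elif opt in ("-j", "-g"): rule["target"], rule["goto"] = val, opt == "-g"
            elif opt != "-m": rule["match"][opt.lstrip("-")] = val   # -m only loads a module
        chains.setdefault(chain, []).append(rule)
    return chains

def matches(rule, pkt):
    m, ip = rule["match"], ipaddress.ip_address
    for opt, key in (("i", "in"), ("o", "out"), ("p", "proto"), ("dport", "dport"), ("sport", "sport")):
        if opt in m and m[opt] != str(pkt.get(key)): return False
    if "state" in m and pkt.get("state") not in m["state"].split(","): return False
    for opt, key in (("s", "src"), ("d", "dst"), ("src-range", "src"), ("dst-range", "dst")):
        if opt in m and opt.endswith("range"):          # -m iprange: inclusive lo-hi bounds
            lo, hi = map(ip, m[opt].split("-"))
            if not lo <= ip(pkt[key]) <= hi: return False
        elif opt in m and ip(pkt[key]) not in ipaddress.ip_network(m[opt]): return False
    return True

def walk(chains, chain, pkt):
    """Terminal verdict, or None when the chain hits RETURN or falls off its end."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt): continue
        t = rule["target"]
        if t in TERMINAL: return t
        if t == "RETURN": return None
        sub = walk(chains, t, pkt)                # -j or -g into a user-defined chain
        if sub is not None: return sub
        if rule["goto"]: return None              # -g: callee's RETURN unwinds past this chain too
    return None
def verdict(chains, pkt, chain="INPUT"):
    return walk(chains, chain, pkt) or POLICY     # a built-in chain falling through uses its policy
```

A packet is a plain dict (in, out, proto, src, dst, dport, sport, state); the SSH_CHECK chain shows why the RETURN matters, since a source outside both address matches falls back to the INPUT chain and hits its explicit DROP.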
Gather device configurations
InfoSecter needs information about how the iptables chains are configured and about the interfaces attached to the firewall device. The iptables-grab-config.pl Perl script calls iptables-restore and ifconfig and processes the result into a file that InfoSecter can analyze; it must be run as root on the iptables system. Alternatively, the ifconfig-extract.pl Perl script invokes ifconfig and extracts the relevant interface information, which the user can then append to a previously stored iptables config.