Iptables is a packet filtering tool which allows system administrator to define incoming and outgoing packets to a system using certain rules. Iptables can be confusing it's pretty straightforward once you get the hang of it.
Iptables is in short a Linux based packet filtering firewall. Iptables interfaces to the Linux netfilter module to perform filtering of network packets. This can be to deny/allow traffic filter or perform Network Address Translation (NAT). With careful configuration iptables can be a very cost effective, powerful and flexible firewall or gateway solution. Iptables is available from http://www.netfilter.org/ or via your Linux distribution.
Rules, Chains, and Tables
Iptables rules are grouped into chains. A chain is a set of rules used to determine what to do with a packet. These chains are grouped into tables. Iptables has three built in tables filter, NAT, mangle. More tables can be added through iptables extensions.
Filter Table
The filter table is used to allow and block traffic, and contains three chains INPUT, OUTPUT, FORWARD. The input chain is used to filter packets destined for the local system. The output chain is used to filter packets created by the local system. The forward chain is used for packets passing through the system, mainly used for gateways/routers.
There are three real "chains" which iptables uses:
* INPUT
Which is used to grant or deny incoming connections to your machine.
* OUTPUT
Which is used to grant or deny outgoing connections from your machine.
* FORWARD
Which is used for forwarding packages across interfaces, only really needed (in general) when you're setting up a gateway machine.
NAT Table
The NAT table is used to setup the rules to rewrite packets allowing NAT to happen. This table also has 3 chains, PREROUTING, POSTROUTING, and OUTPUT. The prerouting chain is where packets come to prior to being parsed by the local routing table. The postrouting chain is where packets are sent after going through the local routing table. The output chain
The general form of an IP tables command is:
iptables -A CHAIN -p tcp/udp [options] -j ACTION
The CHAIN we've briefly covered before, "INPUT", "OUTPUT", "FORWARD", etc. Here "-A INPUT" means "append this rule to the input chain".
The "-p tcp" means this rule applies only to TCP connections, not UDP. (To specify UDP connections you'd use "-p udp" instead.)
"[options]" is where you specify what you wish to match against.
Finally "-j ACTION" is used to specify what to do to packets which match your rule. Usually an action will be one of "-j DROP" to drop the package, "-j ACCEPT", to accept the packet or "-j LOG" to log it.
Commands
The first step is to know iptables commands.
Main commands
* -A --append : Add the rule a the end of the specified chain
Code:
iptables -A INPUT ...
* -D --delete : Allow to delete a chain.
There's 2 way to use it, you can specify the number of the chain to delete or specify the rule to delete
Code:
iptables -D INPUT 1
iptables -D INPUT --dport 80 -j DROP
* -R --replace : Allow to replace the specified chain
Code:
iptables -R INPUT 1 -s 192.168.0.1 -j DROP
* -I --insert : Allow to add a chain in a specific area of the global chain
Code:
iptables -I INPUT 1 --dport 80 -j ACCEPT
* -L --list : Display the rules
Code:
iptables -L # Display all the rules of the FILTER chains
iptables -L INPUT # Display all the INPUT rules (FILTER)
* -F --flush : Delete all the rules of a chain
Code:
iptables -F INPUT # Delete all the rules of the INPUT chain
iptables -F # Delete all the rules
* -N --new-chain : Allow to create a new chain
Code:
iptables -N LOG_DROP
* -X --delete-chain : Allow to delete a chain
Code:
iptables -X LOG_DROP # Delete the LOG_DROP chain
iptables -X # Delete the chains
* -P --policy : Allow to specify to the kernel the default policy of a chain ACCEPT, REJECT, DROP ...
Code:
iptables -P INPUT DROP
Basic Uses
The most common use of iptables is to simply block and allow traffic.
Allow Traffic
Iptables allows you to allow traffic based on a number of different conditions such as Ethernet adapter, IP Address, port, and protocol.
Allow incoming TCP traffic on port 22 (ssh) for adapter eth0
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
Allow incoming TCP traffic on port 80 (HTTP) for the IP range 192.168.0.1 – 192.168.0.254.
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
Block Traffic
Iptables can block traffic on the same conditions that traffic can be allowed.
Blocks inbound TCP traffic port 22 (ssh)
iptables -A INPUT -p tcp -m tcp --dport 22 -j DRROP
Blocks inbound TCP traffic on port 80 (HTTP) from the IP 192.168.1.100
iptables -A INPUT -s 192.168.1.100 -p tcp -m tcp --dport 80 -j DRROP
Limit Traffic
Along with allowing and denying traffic IP tables can be used to limit the number of connections allowed over time thresholds.
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --update --seconds 60 --hitcount 4 -j DRROP
[:p:] this is a common set of rules used to block brute force ssh attacks. The first rule makes sure the IP connecting is added to the sshbrute list. The second rule tells iptables to check the sshbrute list and if the packet threshold is exceeded to drrop the traffic.
Common Options and Switches
-A -- adds a rule at the end of the chain
-I -- inserts the rule at the given rule number. If no rule number is given the rule is inserted at the head of the chain.
-p -- protocol of the rule
--dport the destination port to check on the rule
-i -- interface on which the packet was received.
-j -- what to do if the rule matches
-s -- source IP address of packet
-d -- destination IP address of packet
Examples :
Drop all inbound telnet traffic
iptables -I INPUT -p tcp --dport 23 -j DRrOP
Drop all outbound web traffic
iptables -I OUTPUT -p tcp --dport 80 -j DRROP
Drop all outbound traffic to 192.168.0.1
iptables -I OUTPUT -p tcp --dest 192.168.0.1 -j DRROP
Allow all inbound web traffic
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
Allow inbound HTTPS traffic from 10.2.2.4
iptables -I INPUT -s 10.2.2.4 -p tcp -m tcp --dport 443 -j DRROP
Deny outbound traffic to 192.2.4.0-192.2.4.255
iptables -I OUTPUT -d 192.2.4.6.0/24 -j DRROP
Allow incoming connections to port 21 from one IP address 11.22.33.44
iptables -A INPUT -p tcp -m state --state NEW --dport 21 --source 11.22.33.44
Deny all other incoming connections to port 21.
iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j DROP
We used the "-m state --state NEW --dport 21" to match against new connections to port 21. Other options allow you to match against different things.
Subscribe to:
Post Comments (Atom)
Very Nice.. Thank you for your help.
ReplyDeleteIn addition please add some details of the table 'mangle' and another table 'raw'. I am writing some details from the man page of iptables. Anyway thank you for your help.
========
mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
raw:
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)
Regards,
Justin Jose