iptables is a user-space program that lets a system administrator configure the tables provided by the Linux kernel firewall (implemented as Netfilter modules) and the chains and rules they store.
This article is a tutorial on configuring a firewall with iptables. It explains, with examples, the default and user-defined tables and chains, rule syntax, writing, deleting and replacing rules, blocking or allowing hosts, IP addresses and ports, port and IP redirection, logging, using a Linux box as a router, masquerading, Network Address Translation (NAT), source NAT (SNAT) and destination NAT (DNAT).
iptables mainly operates at layers 3 and 4: layer 3 matches on source and destination IP addresses, layer 4 on protocols and ports.
To check whether Netfilter (the kernel side of iptables) is enabled in the kernel configuration (pick the config file matching uname -r if several are present):
#cat /boot/config* | grep CONFIG_NETFILTER
CONFIG_NETFILTER=y
The main structure of iptables is as follows.
Tables->Chains->Rules
A table contains a number of chains and each chain contains an ordered list of rules. Rules are evaluated top to bottom; the first rule that matches and has a terminating target (ACCEPT, DROP, REJECT, ...) decides the packet's fate.
Main Tables
There are three main tables (current kernels also have the raw and security tables, which are not covered here).
Mangle - allows altering packet headers such as TOS and TTL, and marking packets.
NAT - Network Address Translation. Allows changing source and destination IP addresses and ports.
Filter - allows IP packet filtering. [INPUT, FORWARD, OUTPUT]
Iptables rule syntax
1. command (-A append, -I insert, -D delete, -R replace, -L list, ...)
2. table (-t; filter if omitted)
3. chain
4. protocol (-p)
5. source or destination (-s / -d, and --sport / --dport for ports)
6. jump target (-j)
eg:
iptables -t filter -I INPUT -p tcp -s 192.168.1.100 -j ACCEPT
Example :
Block any communication to our machine from source 192.168.1.77:
iptables -A INPUT -s 192.168.1.77 -j DROP
[root@vm1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 192.168.1.77 anywhere
Saving and restoring iptables rules :
Rules live only in kernel memory and are gone after a reboot unless saved, so save them.
To save the iptables rules
iptables-save > iptables_rules.txt
To restore the iptables rules
iptables-restore < iptables_rules.txt
iptables-restore loads the whole file as one atomic operation, so the box is never left with a half-applied ruleset.
Flushing iptables rules
iptables -F
On Red Hat style systems you can instead save the rules by running
service iptables save
or
/etc/init.d/iptables save
which writes the rules to /etc/sysconfig/iptables permanently; when the iptables service is restarted it reads the rules from this file.
Filter table has three chains
1. INPUT
2. OUTPUT
3. FORWARD
Nat table has three chains
1. PREROUTING
2. POSTROUTING
3. OUTPUT
Mangle table has five chains
1. PREROUTING
2. INPUT
3. FORWARD
4. OUTPUT
5. POSTROUTING
-----------------------------------------------------
[root@vm1 ~]# iptables -L -t filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-----------------------------------------------------
[root@vm1 ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT) -- before the routing decision (nat)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT) -- after the routing decision
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-----------------------------------------------------
[root@vm1 ~]# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
-----------------------------------------------------
The -t option selects the table whose chains and rules are listed; filter is the default.
[root@vm1 ~]# iptables -L -v
verbose listing: packet and byte counters per rule plus the in/out interface matches
[root@vm1 ~]# iptables -L -v --line-numbers
lists the rules with their numbers, which -D, -I and -R by number refer to
[root@vm1 ~]# iptables -L -n
numeric output: no reverse DNS or /etc/services lookups, so the listing is exact and does not hang on slow DNS
iptables rule for accepting ssh connections
[root@vm1 ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables rule for blocking telnet connections
[root@vm1 ~]# iptables -A INPUT -p tcp --dport telnet -j DROP
iptables rule for blocking telnet connections and insert it as rule 1
[root@vm1 ~]# iptables -I INPUT 1 -p tcp --dport telnet -j DROP
Appending adds the rule to the end of the chain; inserting puts it at the given position (1 if no number is given). Since the first matching rule decides, position matters: a DROP appended behind an ACCEPT for the same traffic never fires.
Deleting an iptables Rule
-D INPUT NUM
[root@vm1 ~]# iptables -D INPUT 3
deletes rule number 3 from the INPUT chain of the default (filter) table. Numbers start at 1 and shift after each deletion, so check with --line-numbers first.
Or delete by giving the exact rule specification:
iptables -D INPUT -p tcp --dport 22 -j ACCEPT
Replacing an iptables Rule
-R Chain_name NUM
To replace the 1st rule
[root@vm1 ~]# iptables -R INPUT 1 -p tcp --dport telnet -j ACCEPT
iptables rules take effect the moment they are added. If a rule you add drops the traffic of the ssh or telnet session you are working from, that session hangs; on a remote box always allow your own management connection before tightening anything.
Flushing the rules
iptables -F
Flushing deletes every rule in every chain of a table (filter unless -t names another). Chain policies and user-defined chains stay; -X deletes empty user-defined chains. If the rules were not saved before flushing, they are lost.
[root@vm1 ~]# iptables -L INPUT -v
lists the rules of the INPUT chain only, with packet and byte counters
iptables -Z INPUT
zeroes the packet and byte counters of the INPUT chain (all chains if no chain is given)
Creating new chains and renaming existing ones
To create User defined chains
-N Chain_name
[root@vm1 ~]# iptables -N ITS
Created a new chain ITS
Rename chains
-E Old_name New_name
[root@vm1 ~]# iptables -E ITS SPARTANZ
Default policy of a chain.
The policy is what happens to a packet that reaches the end of a built-in chain without matching any rule (user-defined chains have no policy; their packets return to the calling chain). Setting it to DROP gives "deny by default":
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Add the rules that allow your own management traffic (at least an ESTABLISHED accept, plus ssh) before changing the policy on a remote host, otherwise INPUT DROP or OUTPUT DROP cuts your session. Policies are not reset by -F.
Writing rules for only one ethernet device:
-i matches the interface a packet arrived on (INPUT, FORWARD, PREROUTING); -o matches the interface it leaves through (OUTPUT, FORWARD, POSTROUTING). To drop all input arriving through eth0:
iptables -A INPUT -i eth0 -j DROP
Negation: (!)
iptables -A INPUT ! -s 192.168.1.55 -j DROP
Drops all input except from 192.168.1.55. Current iptables expects the ! before the option; the older form -s ! 192.168.1.55 still works but prints a deprecation warning.
example of TCP:
iptables -A INPUT -i eth+ -p tcp --dport telnet -j DROP
Blocks telnet on every interface whose name starts with eth; the trailing + is a wildcard.
example of UDP:
TFTP, syslog, NTP and DHCP are UDP services.
-p udp, --protocol udp
--sport 123 --dport 123 for NTP (NTP uses port 123 on both sides)
ICMP (Internet Control Message Protocol):
Echo request - what ping sends
Echo reply - the answer
-p icmp, --protocol icmp
--icmp-type name/number
iptables -p icmp --help
lists the ICMP type names and numbers
Disabling ping using iptables.
To drop echo replies coming from all hosts (our own pings then get no answer):
iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP
To stop our host from answering pings, drop the echo replies it sends:
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
Dropping echo-request in INPUT has the same visible effect. Do not drop ICMP wholesale: destination-unreachable messages (fragmentation needed) are required for path MTU discovery.
MULTIPORT: (-m multiport)
The multiport match lets one rule cover up to 15 ports: --dports, --sports or --ports with a comma-separated list, ranges written as low:high. Service names from /etc/services work as well, e.g. --dport 8080 is the same as --dport web-cache.
iptables -A INPUT -p tcp -m multiport --dports 8080,23 -j DROP
MAC ADDRESS FILTERING: ( -m mac --mac-source )
This matches the source MAC address of the Ethernet frame. It is not stronger than filtering by IP address: a MAC address is changed as easily as an IP address (ip link set ... address), the match only sees the MAC of the last hop, so it is useless for traffic that arrived through a router, and it works only in the PREROUTING, INPUT and FORWARD chains. There is no --mac-destination option. Treat it as a convenience on a local segment, not as a security boundary.
Denying a host by MAC address using iptables (replace the all-zero placeholder with the real address)
iptables -I INPUT -m mac --mac-source 00:00:00:00:00:00 -j REJECT
Iptables and states :
The state match (-m state; on current systems the equivalent -m conntrack --ctstate) classifies a packet by its connection-tracking state: NEW, ESTABLISHED, RELATED or INVALID. The examples below go in a user-defined chain (ITS) that INPUT jumps to with -j ITS.
iptables -I ITS -m state --state ESTABLISHED -j ACCEPT
Accepts packets that belong to a connection that is already established, i.e. replies to connections we opened and the later packets of connections we accepted. Add RELATED to also accept ICMP errors and helper-tracked connections such as FTP data.
iptables -I ITS -m state --state NEW,ESTABLISHED -j ACCEPT
Accepts new connections as well as established ones. Without -p/--dport this opens every port, so combine it with a port match; the usual INPUT pattern is one ESTABLISHED,RELATED accept first, then one NEW rule per service you expose.
Jump Targets in iptables :
ACCEPT -> The packet is accepted as far as this chain is concerned: it stops traversing the chain and goes on to the next table's chain at the same hook (e.g. mangle, then nat, then filter) and to the next hook.
DROP -> The packet is silently discarded; the sender sees a timeout.
REJECT -> The packet is discarded and an error is sent back (ICMP port-unreachable by default, or a TCP RST with --reject-with tcp-reset).
REDIRECT -> Sends the packet to a port on the firewall itself (--to-ports). nat table only, in the PREROUTING and OUTPUT chains; local ports only.
LOG -> Writes the packet headers to the kernel log, which syslog collects. LOG is non-terminating: the packet continues with the next rule, so a LOG rule is placed directly before the DROP or REJECT it documents.
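Putting the default policy, the state match, the LOG target and iptables-restore together, here is an added example (not code from the original page): a complete host firewall expressed as an iptables-restore file, loaded atomically, with a rollback timer that undoes the change unless an administrator confirms it. The ssh port, the admin network 192.168.1.0/24 and the pid file /run/fw-guard.pid are assumptions for the example.

```bash
#!/bin/sh
# Added example (not from the original page): a host firewall written as an
# iptables-restore file so the whole ruleset is loaded at once instead of rule
# by rule, plus a dead-man switch that restores the previous rules if the new
# ones cut the remote session.
# Assumptions: ssh on tcp/22, admin hosts in 192.168.1.0/24, and the
# hypothetical pid file /run/fw-guard.pid; adjust to your environment.

SSH_PORT=${SSH_PORT:-22}
ADMIN_NET=${ADMIN_NET:-192.168.1.0/24}

# Print the ruleset in iptables-save/iptables-restore format.
# Order matters: first match wins, so ESTABLISHED/RELATED is accepted before
# anything restrictive, and the catch-all LOG+DROP chain comes last.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -s ${ADMIN_NET} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "FW-DROP: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Number of rules the ruleset would add to a given chain; a cheap sanity
# check for scripts before they touch a live system.
count_chain_rules() {
    build_ruleset | grep -c -- "^-A $1 "
}

# Load the ruleset atomically (all or nothing) after a syntax check, and start
# a timer that restores the previous rules unless it is cancelled in time.
# Needs root. Cancel with: kill "$(cat /run/fw-guard.pid)"
apply_ruleset() {
    guard=${1:-60}
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    build_ruleset | iptables-restore --test || { echo "ruleset rejected, nothing changed" >&2; return 1; }
    build_ruleset | iptables-restore || return 1
    ( sleep "$guard" && iptables-restore < "$backup" ) &
    echo $! > /run/fw-guard.pid
    echo "rules loaded; cancel the rollback within ${guard}s: kill \$(cat /run/fw-guard.pid)"
}
```

Review the output of build_ruleset first, then run apply_ruleset as root from your ssh session; if the session survives, kill the guard process, otherwise the old rules come back after the timeout. The LOGDROP chain is rate-limited so a flood of unwanted packets cannot fill the disk with log lines.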
Logging :
Creating and enabling iptables logs using syslog
The LOG target writes to the kernel log (facility kern), so direct kernel messages to their own file in syslog.conf as follows (on rsyslog systems the same line goes in /etc/rsyslog.conf or a file under /etc/rsyslog.d/):
vi /etc/syslog.conf
kern.* /var/log/firewall
Create the log file.
touch /var/log/firewall
Restart the syslog service.
service syslog restart
Logging is then enabled per rule with the LOG target, for example to log ssh packets arriving in the ITS chain:
iptables -I ITS 1 -p tcp --dport ssh -j LOG
LOG does not terminate processing, so the packet goes on to the next rule; put a LOG rule directly before the DROP or REJECT it should document. Add --log-prefix "text" so entries can be searched, and rate-limit with -m limit, otherwise an attacker can fill the disk with log lines.
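Once LOG lines land in /var/log/firewall they need reading. The following is an added example, not part of the original page: a few shell functions that triage iptables LOG output (busiest sources, sources that probed many ports, who hit a given port). The log lines in SAMPLE_LOG are constructed for the example, not captured from a real host, and "FW-DROP: " is an assumed --log-prefix.

```bash
#!/bin/sh
# Added example (not from the original page): first-pass triage of the kernel
# LOG lines that end up in /var/log/firewall. SAMPLE_LOG is constructed for
# this example; "FW-DROP: " is an assumed --log-prefix value.

SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:15:01 vm1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=192.168.1.37 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1001 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:01 vm1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=192.168.1.37 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1002 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 vm1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=192.168.1.37 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1003 DF PROTO=TCP SPT=40003 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 vm1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=192.168.1.37 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1004 DF PROTO=TCP SPT=40004 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:16:10 vm1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=198.51.100.9 DST=192.168.1.37 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=2001 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:16:12 vm1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=198.51.100.9 DST=192.168.1.37 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=2002 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:17:00 vm1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=192.0.2.77 DST=192.168.1.37 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=3001 PROTO=UDP SPT=5000 DPT=161 LEN=32
Mar  3 10:17:05 vm1 kernel: e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex
EOF
)

# "count src" per source address, busiest first. Only lines carrying the
# firewall prefix are considered; other kernel messages are ignored.
top_sources() {
    printf '%s\n' "$1" | awk '
        /FW-DROP:/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) c[substr($i, 5)]++
        }
        END { for (s in c) print c[s], s }' | sort -rn
}

# Sources that probed at least $2 distinct destination ports: a crude
# port-scan heuristic, tune the threshold to the environment.
scan_suspects() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /FW-DROP:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= min) print s }' | sort
}

# Distinct sources that hit destination port $2, sorted.
hits_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /FW-DROP:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dpt == port && !seen[src]++) print src
        }' | sort
}

# Quick look when run directly: busiest sources, then scan suspects.
top_sources "$SAMPLE_LOG"
scan_suspects "$SAMPLE_LOG" 3
```

To run the same over the real file, replace "$SAMPLE_LOG" with "$(cat /var/log/firewall)" or feed the file through the same awk programs; the field parsing works because the LOG target always emits KEY=VALUE tokens separated by spaces, with flag words such as DF and SYN standing alone.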
ROUTING
You can use a Linux box as a router with the help of iptables. First enable packet forwarding on the box that acts as the router, by setting the sysctl variable as follows
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
Save the file
Reload sysctl.conf
sysctl -p
(sysctl -w net.ipv4.ip_forward=1 turns forwarding on immediately but does not survive a reboot.) Once forwarding is on, every packet that crosses the box passes the FORWARD chain of the filter table, so set its policy to DROP and accept only the traffic you intend to route.
NETWORK ADDRESS TRANSLATION [NAT]
Two basic kinds:
Basic NAT. One-to-one translation of IP addresses only, no port mapping.
NAPT : Network Address Port Translation, also called PAT (Port Address Translation). Translates both IP addresses and port numbers, so many internal hosts can share one public address.
SNAT and masquerading are done in the POSTROUTING chain of the nat table.
DNAT is done in the PREROUTING chain of the nat table.
SNAT - Source NAT: translation of the source IP address. Used when you have one static public IP address and many systems on the local network.
DNAT - Destination NAT: translation of the destination IP address. Used when traffic comes from the internet to local systems.
The nat table has three default chains, which cannot be deleted.
PREROUTING - packets arriving at the router, before the routing decision, so the destination can still be changed. [DNAT] Internet to local area network
POSTROUTING - packets leaving the router, after the routing decision; change local source addresses to something routable. [SNAT/MASQUERADE]
OUTPUT - packets generated locally on the router itself (DNAT for local traffic).
Only the first packet of a connection traverses the nat table; the connection tracker applies the same translation to the rest of the connection and reverses it for the replies.
Masquerading:
MASQUERADE is SNAT for the case where the outgoing interface gets its address by DHCP rather than having a static address: the source is rewritten to whatever address the interface currently has.
iptables -t nat -A POSTROUTING -j MASQUERADE -s 10.0.0.0/8 -d 192.168.1.0/24
Now if 10.0.0.10 pings 192.168.1.100, the ping appears to come from 192.168.1.37 [the router's address on the 192.168.1.0 network]. In practice the rule is usually tied to the outgoing interface with -o instead of, or in addition to, -d.
Note:
Masquerading reads the address of the outgoing interface at translation time. If DHCP changes the interface address, new connections automatically use the new address, and connections tracked under the old address are forgotten when the interface goes down.
Masquerading uses the primary address of the interface, not secondary (alias) addresses.
iptables -t nat -R POSTROUTING 1 -p tcp -j MASQUERADE --to-ports 1024-10240
This replaces rule 1 and restricts the source ports used for masqueraded TCP connections to that range; it does not limit which destination ports can be reached.
Some examples of SNAT
iptables -t nat -R POSTROUTING 1 -p tcp -j SNAT --to-source 192.168.1.37:1024-10240 -s 10.0.0.0/8
Does the same as the previous MASQUERADE rule, but with the public address fixed. Use it only with a static address: if the interface address changes, the rule keeps stamping packets with the old one and the replies never come back.
iptables -t nat -A POSTROUTING -p tcp -j SNAT --to-source 192.168.1.37 -d 10.0.0.10 -s 192.168.1.100
TCP traffic from 192.168.1.100 to 10.0.0.10 leaves the router with source address 192.168.1.37.
iptables -t nat -A POSTROUTING -p tcp -j SNAT --to-source 10.0.0.1 -d 192.168.1.100 -s 10.0.0.10
TCP traffic from 10.0.0.10 to 192.168.1.100 leaves the router with source address 10.0.0.1.
Destination Network Address Translation: INBOUND
DNAT permits connections to hosts that are not directly exposed. It is the reverse of SNAT: the destination address (and optionally the port) is rewritten before the routing decision, so the rules are written in PREROUTING.
iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 3389 --to-destination 192.168.1.101 -d 192.168.1.37 -s 10.0.0.10
This redirects connections from 10.0.0.10 to port 3389 on 192.168.1.37 to the same port on 192.168.1.101. DNAT only rewrites the address: the translated packet must still be accepted by the FORWARD chain of the filter table (match on the new destination, 192.168.1.101), and the connection tracker un-translates the replies. A different port can be chosen with --to-destination 192.168.1.101:port.
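The ROUTING, masquerading, SNAT and DNAT sections above each show one rule; here is an added example (not from the original page) of the complete set a NAT router needs, including the forwarding sysctl and the FORWARD-chain rules without which DNAT and MASQUERADE do nothing useful. The rules are generated as text so they can be reviewed before being run. The topology is assumed for the example: WAN on eth0 (DHCP unless WAN_IP is set), LAN on eth1 = 10.0.0.0/8, and an internal host 10.0.0.10 published on tcp/3389.

```bash
#!/bin/sh
# Added example (not from the original page): the rules that turn a Linux box
# into a NAT router, generated as text for review before they are applied.
# Assumed topology: WAN on eth0, LAN on eth1 = 10.0.0.0/8, internal host
# 10.0.0.10 published on tcp/3389. Set WAN_IP for a static public address.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-10.0.0.0/8}
RDP_HOST=${RDP_HOST:-10.0.0.10}
WAN_IP=${WAN_IP:-}   # empty: DHCP address, use MASQUERADE; set: static, use SNAT

nat_rules() {
    # 1. forwarding must be on, or packets never reach the FORWARD chain
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 2. outbound source NAT, chosen by whether the WAN address is static
    if [ -n "$WAN_IP" ]; then
        echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP"
    else
        echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    fi
    # 3. inbound DNAT: rewrite the destination before the routing decision
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 3389 -j DNAT --to-destination $RDP_HOST:3389"
    # 4. filter what may cross the box: DNAT only rewrites, FORWARD decides.
    #    Replies first, then LAN->WAN, then only the published port WAN->LAN.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $RDP_HOST -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT"
    # 5. log (rate-limited) whatever else tries to cross before the policy drops it
    echo "iptables -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix \"FWD-DROP: \""
}

# Run the generated commands as root once the output has been reviewed.
apply_nat() { nat_rules | sh -e; }

# Review helpers: which source NAT target is in use, and how many FORWARD
# rules accept NEW connections from the WAN side into the LAN.
snat_target() { nat_rules | sed -n 's/.*-t nat -A POSTROUTING .* -j \([A-Z]*\).*/\1/p'; }
inbound_accepts() { nat_rules | grep "^iptables -A FORWARD -i $WAN_IF" | grep -c -- "-j ACCEPT"; }

nat_rules
```

Run it once to read the commands, then apply_nat as root. Note that the FORWARD rule for the published service matches on the internal address 10.0.0.10, not on the public one, because DNAT in PREROUTING has already rewritten the destination by the time the packet reaches the filter table.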