Monday, March 12, 2012

configuring iptables in linux


iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.

This article is a tutorial regarding how to configure or implement firewall using Linux security firewall iptables. This article explains and give examples of default and user defined iptables tables, chains, acl syntax, writing deleting and replacing iptables rules, blocking or allowing hosts or ip addresses and ports, port or ip redirection, logging options, using linux box as router using iptables, Masquerading, Network address translation (NAT), source-nat (SNAT), destination-nat (DNAT) and netmap

iptables mainly operates at Layers 3 & 4. Layer 3 deals with Source & Destination IP addresses and layer 4 deals with protocols and ports

To Check whether IPTables is enabled or not in the kernel,
#cat /boot/config* | grep CONFIG_NETFILTER

The Main structure of the iptables is as follows.
Tables may contains a number of chains and each chain may contail a number of rules.

Main Tables
There are mainly three tables.

Mangle  -   Allows altering of packats TOS,TTL etc
NAT     -   Network Address Translation. Allow changing sourse destination IP addresses and ports.
Filter     -   Allows IP Packet filtering. [INPUT,FORWARD,OUTPUT]

Iptables rule syntax
1. command
2. tables
3. chain
4. protocol
5. source or destination
6. Jump target

iptables -t filter -I INPUT -p tcp -s -j ACEEPT

Example :
Blocks any communication to OUR machine from source
iptables -A INPUT -s -j DROP

[root@vm1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --         anywhere

Saving and restoring iptables rules :
Rules will go if we restart without saving it . So we have to save those rules.
To save the IPTables rules
iptables-save > iptables_rules.txt

To restore the IPTables rules
iptables-restore < iptables_rules.txt

Flushing iptables rules
iptables -F

or you can save the rules by just run
service iptables save
/etc/init.d/iptables save
it will save the rules tp /etc/sysconfig/iptables permenantly. if you restart iptables it'll read the rules from this file

Filter table has three chains

Nat table has  three chains

Filter table has four chains
[root@vm1 ~]# iptables -L -t filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@vm1 ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT) --before routing occurs -nat
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT) --aftet routing deteremined
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@vm1 ~]# iptables -L -t mangle
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

target     prot opt source               destination

-t option is for listing a particular table chains and rules.
filter table is the default one.

[root@vm1 ~]# iptables -L -v
list packet details to and from through a chain

[root@vm1 ~]# iptables -L -v --line-numbers
list the rules with line numbers

[root@vm1 ~]# iptables -L -n
lists the numeric values (IP), Disables the resolutions.[Host and Service]

iptables rule for accepting ssh connections
[root@vm1 ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT    

iptables rule for blocking telnet connections
[root@vm1 ~]# iptables -A INPUT -p tcp --dport telnet -j DROP

iptables rule for blocking telnet connections and insert it as rule 1
[root@vm1 ~]# iptables -I  INPUT 1 -p tcp --dport telnet -j DROP

Appending adds the rule to the end. But with inserting you can insert a rule to anywhere in the list. Means to any position[number] in the list.

Deleting an iptables Rule

[root@vm1 ~]# iptables -D INPUT 3
deletes the rule number 3 from INPUT chain of defalt table.

Or we can delete like this.
iptables -D INPUT -p tcp --dport 22 -j ACCEPT

Replacing an iptables Rule
-R Chain_name NUM

To replace the 1st rule
[root@vm1 ~]# iptables -R INPUT 1 -p tcp --dport telnet -j ACCEPT
IPTables rules are Dynamic. The ssh/telnet connection will be freezed if rules applied in b/w.

Flushing the rules
iptables -F
Flushing will erase all the existing rules in iptables. If you don't save the rules before flushing all rules will be lost.

[root@vm1 ~]# iptables -L INPUT -v
listing rules only in the INPUT chain with packet counts

iptables -Z INPUT
will  zero all the packet counters

Creating  new chains and Renaming exsisting ones
To create User defined chains
-N Chain_name

[root@vm1 ~]# iptables -N ITS
Created a new chain ITS

Rename chains
-E Old_name New_name

[root@vm1 ~]# iptables -E ITS SPARTANZ

Drop Policy of iptables.
Dropping a policy will drop all the traffic through that chain

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Writing rules for only one ethernet device:
To filter all the input through eth0
iptables -A INPUT -i eth0 -j DROP

Negation: (!)
iptables -A INPUT -s ! -j DROP
it Drops all other inputs except from

example of TCP:
iptables -A INPUT -i eth+ -p tcp --dport telnet -j DROP
Blocks telnet though both or all ethernet devices

example of UDP:
-p udp, --protocol udp
--sport 123 --dport 123 for NTP

ICMP (Internet Control Messaging Protocol):
Echo request -PING
Echo reply - Pong

-p icmp, --protocol icmp
--icmp-type name/number

iptables -p icmp --help
for getting help about icmp-types

Disabling ping using iptables.
To deny echo-replies from all hosts
iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP

To drop echo-replies from our host
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

MULTIPORT: (-m multiport)
-p tcp --dport 8080 or --dport web-cache

iptables -A INPUT -p tcp -m multiport --dport 8080,23 -j DROP

MAC ADDRESS FILTERING: ( -m mac --mac-source or --mac-destination )
Better than using IP addresses because ip addresses can be changed but not mac

Denying a host by mac address using iptables
iptables -I INPUT -m mac --mac-source 00:00:00:00:00:00 -j REJECT

Iptables and states :

iptables -I ITS  -m state --state ESTABLISHED -j ACCEPT
Allows communication in already established services

iptables -I ITS  -m state --state NEW,ESTABLISHED -j ACCEPT
Allows new connections and established connections from the system

Jump Targets in iptables :
ACCEPT -> Sends packets to other rules or processes
DROP -> Packet will be dropped
REJECT -> Sends a courtesy message back
REDIRECT -> Redirect from one destination to another. must be used with pre-routing in NAT. Local ports only.
LOG -> Allows us to log using SysLog

Logging  :
Creating and enabling iptables log using syslog

iptables logs are kernel logs type. So we have to enable this in syslog.conf as follows
vi /etc/syslog.conf
kern.* /var/log/firewall

Create the log file.
touch /var/log/firewall

Restart the syslog service.
service syslog restart

and logging can be enabled as
iptables -I ITS 1 -p tcp --dport ssh -j LOG

You can use linux box as  router with the help of iptables. First we have to enable packet forwarding in the server we are using as router. This can be done by setting  the sysctl variable as follows

vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
Save the file

Reload the sysctl.conf
sysctl -p


Three types:
Basic NAT. This involves IP address translation only, not port mapping.
PAT : Port Address Translation. This involves the translation of both IP addresses and port numbers.
NAPT : Network Address Port Translation.

SNAT and Masquerading can be done in POSTROUTING chain in nat table.
But DNAT is done in PREROUTING chain in nat table.

SNAT - Source NAT: Translation of Source IP Address. Use when u've only one static IP Address and many systems in local network.

DNAT - Destination NAT: Translation of the destination IP address. Used when traffice comes from internet to local systems.

Three default chains are there in nat table which cannot be deleted.
PREROUTING    - Packet that are destined to a system that is accessible to the local router. [DNAT] Internet to Local area network
POSTROUTING   - If we want to change the local ips to something that is routable. [SNAT/MASQUERADING]
OUTPUT        - Locally sourced!!

this is also similar to snat but uses when dhcp is used rather having static local ip address.

iptables -t nat -A POSTROUTING -j MASQUERADE -s -d
now if u r pinging for to it appears to be pinging from [Ip address of  the system in network]

Masquerading listen to the interface. if dhcp changes the ip of interface, it automatically changes the affect.
Masquerading uses primary interface. Not sub[duplicate] ip addresses.

iptables -t nat -R POSTROUTING 1 -p tcp -j MASQUERADE --to-ports 1024-10240
allows communication only through that port range.

Some examples of nat
iptables -t nat -R POSTROUTING 1 -p tcp -j SNAT --to-source -s
Do same as the last rule in Masquerading. Uses only if u've a static ip. It fails when ip changes.

iptables -t nat -A POSTROUTING -p tcp -j SNAT --to-source -d -s
iptables -t nat -A POSTROUTING -p tcp -j SNAT --to-source -d -s

Destination Network Address Translation: INBOUND

DNAT - permits connection to unexposed hosts. Its exact reverse of SNAT.
Rules will be written in PREROUTING.
iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 3389 -to-destination -d -s
this will redirect the connection to port 3389@ to same port @ from

No comments:

Post a Comment

Be nice. That's all.