Iptables is a Linux based packet filtering firewall. Iptables interfaces to the Linux netfilter module to perform filtering of network packets. This can be to deny/allow traffic filter or perform Network Address Translation (NAT). With careful configuration iptables can be a very cost effective, powerful and flexible firewall or gateway solution. Iptables is available from http://www.netfilter.org/ or via your Linux distribution.
In short, iptables is a packet filtering tool which allows system administrator to define incoming and outgoing packets to and from the system using certain rules. Iptables can be confusing it's pretty straightforward once you get the hang of it.
There are three real "chains" which iptables uses:
* INPUT
Which is used to grant or deny incoming connections to your machine.
* OUTPUT
Which is used to grant or deny outgoing connections from your machine.
* FORWARD
Which is used for forwarding packages across interfaces, only really needed (in general) when you're setting up a gateway machine.
The general form of an IP tables rule is:
iptables -A CHAIN -p tcp [options] -j ACTION
The CHAIN we've briefly covered before, "INPUT", "OUTPUT", "FORWARD", etc. Here "-A INPUT" means "append this rule to the input chain".
The "-p tcp" means this rule applies only to TCP connections, not UDP. (To specify UDP connections you'd use "-p udp" instead.)
"[options]" is where you specify what you wish to match against.
Finally "-j ACTION" is used to specify what to do to packets which match your rule. Usually an action will be one of "-j DROP" to drop the package, "-j ACCEPT", to accept the packet or "-j LOG" to log it.
Main commands
* -A --append : Add the rule a the end of the specified chain
Code:
iptables -A INPUT ...
* -D --delete : Allow to delete a chain.
There's 2 way to use it, you can specify the number of the chain to delete or specify the rule to delete
Code:
iptables -D INPUT 1
iptables -D INPUT --dport 80 -j DROP
* -R --replace : Allow to replace the specified chain
Code:
iptables -R INPUT 1 -s 192.168.0.1 -j DROP
* -I --insert : Allow to add a chain in a specific area of the global chain
Code:
iptables -I INPUT 1 --dport 80 -j ACCEPT
* -L --list : Display the rules
Code:
iptables -L # Display all the rules of the FILTER chains
iptables -L INPUT # Display all the INPUT rules (FILTER)
* -F --flush : Delete all the rules of a chain
Code:
iptables -F INPUT # Delete all the rules of the INPUT chain
iptables -F # Delete all the rules
* -N --new-chain : Allow to create a new chain
Code:
iptables -N LOG_DROP
* -X --delete-chain : Allow to delete a chain
Code:
iptables -X LOG_DROP # Delete the LOG_DROP chain
iptables -X # Delete the chains
* -P --policy : Allow to specify to the kernel the default policy of a chain ACCEPT, REJECT, DROP ...
Code:
iptables -P INPUT DROP
Allow incoming TCP traffic on port 22 (ssh) for adapter eth0
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
Allow incoming TCP traffic on port 80 (HTTP) for the IP range 192.168.0.1 to 192.168.0.254.
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
Blocks inbound TCP traffic port 22 (ssh)
iptables -A INPUT -p tcp -m tcp --dport 22 -j DRROP
Blocks inbound TCP traffic on port 80 (HTTP) from the IP 192.168.1.100
iptables -A INPUT -s 192.168.1.100 -p tcp -m tcp --dport 80 -j DRROP
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --update --seconds 60 --hitcount 4 -j DRROP
[:p:] this is a common set of rules used to block brute force ssh attacks. The first rule makes sure the IP connecting is added to the sshbrute list. The second rule tells iptables to check the sshbrute list and if the packet threshold is exceeded to drrop the traffic.
-I -- inserts the rule at the given rule number. If no rule number is given the rule is inserted at the head of the chain.
-p -- protocol of the rule
--dport the destination port to check on the rule
-i -- interface on which the packet was received.
-j -- what to do if the rule matches
-s -- source IP address of packet
-d -- destination IP address of packet
iptables -I INPUT -p tcp --dport 23 -j DROP
Drop all outbound web traffic
iptables -I OUTPUT -p tcp --dport 80 -j DROP
Drop all outbound traffic to 192.168.0.1
iptables -I OUTPUT -p tcp --dest 192.168.0.1 -j DROP
Allow all inbound web traffic
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
Allow inbound HTTPS traffic from 10.2.2.4
iptables -I INPUT -s 10.2.2.4 -p tcp -m tcp --dport 443 -j DROP
Deny outbound traffic to 192.2.4.0-192.2.4.255
iptables -I OUTPUT -d 192.2.4.6.0/24 -j DROP
Allow incoming connections to port 21 from one IP address 11.22.33.44
iptables -A INPUT -p tcp -m state --state NEW --dport 21 --source 11.22.33.44
Deny all other incoming connections to port 21.
iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j DROP
We used the "-m state --state NEW --dport 21" to match against new connections to port 21. Other options allow you to match against different things.
http://www.higherpass.com/linux/Tutorials/Iptables-Primer/
In short, iptables is a packet filtering tool which allows system administrator to define incoming and outgoing packets to and from the system using certain rules. Iptables can be confusing it's pretty straightforward once you get the hang of it.
Rules, Chains, and Tables
Iptables rules are grouped into chains. A chain is a set of rules used to determine what to do with a packet. These chains are grouped into tables. Iptables has three built in tables filter, NAT, mangle. More tables can be added through iptables extensions.Filter Table
The filter table is used to allow and block traffic, and contains three chains INPUT, OUTPUT, FORWARD. The input chain is used to filter packets destined for the local system. The output chain is used to filter packets created by the local system. The forward chain is used for packets passing through the system, mainly used for gateways/routers.There are three real "chains" which iptables uses:
* INPUT
Which is used to grant or deny incoming connections to your machine.
* OUTPUT
Which is used to grant or deny outgoing connections from your machine.
* FORWARD
Which is used for forwarding packages across interfaces, only really needed (in general) when you're setting up a gateway machine.
NAT Table
The NAT table is used to setup the rules to rewrite packets allowing NAT to happen. This table also has 3 chains, PREROUTING, POSTROUTING, and OUTPUT. The prerouting chain is where packets come to prior to being parsed by the local routing table. The postrouting chain is where packets are sent after going through the local routing table.The general form of an IP tables rule is:
iptables -A CHAIN -p tcp [options] -j ACTION
The CHAIN we've briefly covered before, "INPUT", "OUTPUT", "FORWARD", etc. Here "-A INPUT" means "append this rule to the input chain".
The "-p tcp" means this rule applies only to TCP connections, not UDP. (To specify UDP connections you'd use "-p udp" instead.)
"[options]" is where you specify what you wish to match against.
Finally "-j ACTION" is used to specify what to do to packets which match your rule. Usually an action will be one of "-j DROP" to drop the package, "-j ACCEPT", to accept the packet or "-j LOG" to log it.
Commands
The first step is to know iptables commands.Main commands
* -A --append : Add the rule a the end of the specified chain
Code:
iptables -A INPUT ...
* -D --delete : Allow to delete a chain.
There's 2 way to use it, you can specify the number of the chain to delete or specify the rule to delete
Code:
iptables -D INPUT 1
iptables -D INPUT --dport 80 -j DROP
* -R --replace : Allow to replace the specified chain
Code:
iptables -R INPUT 1 -s 192.168.0.1 -j DROP
* -I --insert : Allow to add a chain in a specific area of the global chain
Code:
iptables -I INPUT 1 --dport 80 -j ACCEPT
* -L --list : Display the rules
Code:
iptables -L # Display all the rules of the FILTER chains
iptables -L INPUT # Display all the INPUT rules (FILTER)
* -F --flush : Delete all the rules of a chain
Code:
iptables -F INPUT # Delete all the rules of the INPUT chain
iptables -F # Delete all the rules
* -N --new-chain : Allow to create a new chain
Code:
iptables -N LOG_DROP
* -X --delete-chain : Allow to delete a chain
Code:
iptables -X LOG_DROP # Delete the LOG_DROP chain
iptables -X # Delete the chains
* -P --policy : Allow to specify to the kernel the default policy of a chain ACCEPT, REJECT, DROP ...
Code:
iptables -P INPUT DROP
Basic Uses
The most common use of iptables is to simply block and allow traffic.Allow Traffic
Iptables allows you to allow traffic based on a number of different conditions such as Ethernet adapter, IP Address, port, and protocol.Allow incoming TCP traffic on port 22 (ssh) for adapter eth0
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
Allow incoming TCP traffic on port 80 (HTTP) for the IP range 192.168.0.1 to 192.168.0.254.
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
Block Traffic
Iptables can block traffic on the same conditions that traffic can be allowed.Blocks inbound TCP traffic port 22 (ssh)
iptables -A INPUT -p tcp -m tcp --dport 22 -j DRROP
Blocks inbound TCP traffic on port 80 (HTTP) from the IP 192.168.1.100
iptables -A INPUT -s 192.168.1.100 -p tcp -m tcp --dport 80 -j DRROP
Limit Traffic
Along with allowing and denying traffic IP tables can be used to limit the number of connections allowed over time thresholds.iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --update --seconds 60 --hitcount 4 -j DRROP
[:p:] this is a common set of rules used to block brute force ssh attacks. The first rule makes sure the IP connecting is added to the sshbrute list. The second rule tells iptables to check the sshbrute list and if the packet threshold is exceeded to drrop the traffic.
Common Options and Switches
-A -- adds a rule at the end of the chain-I -- inserts the rule at the given rule number. If no rule number is given the rule is inserted at the head of the chain.
-p -- protocol of the rule
--dport the destination port to check on the rule
-i -- interface on which the packet was received.
-j -- what to do if the rule matches
-s -- source IP address of packet
-d -- destination IP address of packet
Examples :
Drop all inbound telnet trafficiptables -I INPUT -p tcp --dport 23 -j DROP
Drop all outbound web traffic
iptables -I OUTPUT -p tcp --dport 80 -j DROP
Drop all outbound traffic to 192.168.0.1
iptables -I OUTPUT -p tcp --dest 192.168.0.1 -j DROP
Allow all inbound web traffic
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
Allow inbound HTTPS traffic from 10.2.2.4
iptables -I INPUT -s 10.2.2.4 -p tcp -m tcp --dport 443 -j DROP
Deny outbound traffic to 192.2.4.0-192.2.4.255
iptables -I OUTPUT -d 192.2.4.6.0/24 -j DROP
Allow incoming connections to port 21 from one IP address 11.22.33.44
iptables -A INPUT -p tcp -m state --state NEW --dport 21 --source 11.22.33.44
Deny all other incoming connections to port 21.
iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j DROP
We used the "-m state --state NEW --dport 21" to match against new connections to port 21. Other options allow you to match against different things.
ref:
http://ubuntuforums.org/showthread.php?t=159661http://www.higherpass.com/linux/Tutorials/Iptables-Primer/
Source : Artoflinux
0 comments: