How do I use iptables on Linux?



  • Link: https://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html

    iptables is often considered a black art in the sysadmin world, and these days there are many frontends for it.

    This is a brief guide to using iptables directly.

    iptables has three built-in chains: INPUT for packets coming in to this host, OUTPUT for packets going out from it, and FORWARD for packets routed through it to somewhere else. These cannot be deleted.

    The following is taken directly from the link, to emphasise the options:

    Create a new chain (-N).
    Delete an empty chain (-X).
    Change the policy for a built-in chain. (-P).
    List the rules in a chain (-L).
    Flush the rules out of a chain (-F).
    Zero the packet and byte counters on all rules in a chain (-Z).

    There are several ways to manipulate rules inside a chain:
    Append a new rule to a chain (-A).
    Insert a new rule at some position in a chain (-I).
    Replace a rule at some position in a chain (-R).
    Delete a rule at some position in a chain, or the first that matches (-D).

    Single Rules.
    What are we trying to do? Stop receiving pings to 127.0.0.1.

    First ping, to show that you can ping:

    $ ping 127.0.0.1
    PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.078 ms
    64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.063 ms
    ^C
    --- 127.0.0.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 999ms
    rtt min/avg/max/mdev = 0.063/0.070/0.078/0.011 ms

    Append a rule to stop the pinging.

    $ sudo iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP

    Try the ping again:

    $ ping 127.0.0.1
    PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
    ^C
    --- 127.0.0.1 ping statistics ---
    9 packets transmitted, 0 received, 100% packet loss, time 8003ms

    Delete the iptables rule and make sure you can ping again.

    $ sudo iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
    $ ping 127.0.0.1
    PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.066 ms
    64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.083 ms
    64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.076 ms
    ^C
    --- 127.0.0.1 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 1998ms
    rtt min/avg/max/mdev = 0.066/0.075/0.083/0.007 ms

    In rules you can have the following:

    • The not operator "!" inverts a match, so the source or destination switches -s and -d can be negated
      e.g: -s ! localhost
      (newer iptables versions warn that this "intrapositioned" form is deprecated and expect ! -s localhost instead; both still work)

    • The protocol can be a number or one of the special names tcp, udp, icmp, etc. (case does not matter). It is specified with the "-p" option and can be inverted with "!"
      e.g: -p ! tcp

    • Specify the interface with the "-i" (in-interface) or "-o" (out-interface) option. Only the FORWARD chain can use both: packets in the INPUT chain have no output interface, so only -i is valid there, and packets in the OUTPUT chain have no input interface, so only -o is valid there.

    • Packet fragments: a rule matches only the first fragment of a fragmented packet, unless the rule is specifically written (with the -f flag) to match second and further fragments.

    • iptables can be extended via additional modules; on Ubuntu the kernel-side extensions are located under /lib/modules/*-generic/kernel/net/ipv4/netfilter

    • "-p tcp" has a bunch of options to it; iptables calls them TCP extensions.
      --tcp-flags takes a mask and a comparison list drawn from SYN,ACK,FIN,RST,URG,PSH
      --syn is equivalent to saying --tcp-flags SYN,RST,ACK SYN
      --source-port and --sport are the same thing.
      --destination-port and --dport are the same thing.
      --tcp-option followed by a number matches a packet carrying a TCP option with that number (a packet without a complete TCP header is dropped automatically if its TCP options are examined).

    • The "-p udp" has similar options to "-p tcp".

    • "-p icmp" only provides one option,
      --icmp-type
      The command below will show all the ICMP types it accepts.

    $ sudo iptables -p icmp --help

    The -m option loads other match extensions:

    • mac, with the option --mac-source, matches the source MAC address of an incoming packet
    • limit, with the options --limit and --limit-burst, restricts how often the rule matches, e.g.:

    Syn-flood protection:
    iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
    Furtive port scanner:
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    Ping of death:
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    • There are also owner and unclean matches, as per the documentation in the link.
    • The state match "-m state" takes --state with a comma-separated list of connection states to match (or, with "!", not match):

    NEW
    A packet which creates a new connection.

    ESTABLISHED
    A packet which belongs to an existing connection (i.e., a reply packet, or outgoing packet on a connection which has seen replies).

    RELATED
    A packet which is related to, but not part of, an existing connection, such as an ICMP error, or (with the FTP module inserted), a packet establishing an ftp data connection.

    INVALID
    A packet which could not be identified for some reason: this includes running out of memory and ICMP errors which don't correspond to any known connection. Generally these packets should be dropped.

    An example from Saltstack after covering the above:
    https://docs.saltstack.com/en/latest/topics/tutorials/firewall.html

    Two INPUT rules that accept new TCP connections to destination ports 4505 and 4506:

    $ sudo iptables -A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
    $ sudo iptables -A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT

    Command Dissection (of the second rule)

    Option         Description
    -A             Append a new rule to the chain
    INPUT          The chain is INPUT (incoming packets)
    -m state       Load the state match extension
    --state new    Match the state NEW (a packet creating a new connection)
    -m tcp         Load the tcp match extension (implied by -p tcp)
    -p tcp         The protocol of the rule is TCP
    --dport 4506   The destination port is 4506
    -j ACCEPT      Jump to the ACCEPT target, letting the packet through

    User Defined Chains
    As well as the three built-in chains INPUT, OUTPUT, and FORWARD, you can configure your own chains; the link at the top of the page explains this well and shows the flow of a packet through them. User-defined chain names are kept lower case by convention, to differentiate them from the built-in chains.

    Iptables Target Extensions

    LOG, with the options --log-level and --log-prefix, sets the syslog level of the log entry and a prefix for the log message.
    REJECT, with the option --reject-with, behaves like DROP but, where the circumstances permit, sends an error packet back to the sender; --reject-with selects the type of return packet.

    Special Targets
    RETURN - The RETURN target will cause the current packet to stop traveling through the chain where it hit the rule. If it is the subchain of another chain, the packet will continue to travel through the superior chains as if nothing had happened. If the chain is the main chain, for example the INPUT chain, the packet will have the default policy taken on it. The default policy is normally set to ACCEPT, DROP or similar.

    QUEUE - The QUEUE target is used to queue packets to User-land programs and applications. It is used in conjunction with programs or utilities that are extraneous to iptables and may be used, for example, with network accounting, or for specific and advanced applications which proxy or filter packets.
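Pulling the above together, here is an added example (not from the original post or the netfilter HOWTO) of a small stateful INPUT policy using the constructs covered: a lower-case user-defined chain, -m state, -m limit, the LOG and REJECT targets and a default policy. The chain name icmp-limit and the port list are assumptions; with IPT=echo the script prints the commands instead of applying them, so it can be reviewed offline.

```shell
#!/bin/sh
# Added example: minimal stateful INPUT policy. Applying it for real needs root
# and a real iptables binary; IPT=echo shows the rules that would be applied.
IPT="${IPT:-iptables}"
# Assumed service ports (4505/4506 are the Salt ports from the post, 22 is SSH).
TCP_PORTS="${TCP_PORTS:-22 4505 4506}"

apply_rules() {
    # Start permissive and empty so a half-applied run cannot lock us out.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    # -X only deletes an empty chain, so flush our chain first if it already exists.
    $IPT -F icmp-limit 2>/dev/null || true
    $IPT -X icmp-limit 2>/dev/null || true

    # Loopback and established/related traffic first: most packets stop here.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # User-defined chain (lower case): rate-limit echo requests rather than
    # silently dropping all ICMP. RETURN hands other ICMP back to INPUT.
    $IPT -N icmp-limit
    $IPT -A icmp-limit -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
    $IPT -A icmp-limit -p icmp --icmp-type echo-request -j DROP
    $IPT -A icmp-limit -j RETURN
    $IPT -A INPUT -p icmp -j icmp-limit

    # New TCP connections to the listed ports (replies are covered by ESTABLISHED).
    for port in $TCP_PORTS; do
        $IPT -A INPUT -m state --state NEW -p tcp --dport "$port" -j ACCEPT
    done

    # Log what falls through (rate-limited so a scan cannot fill the log), then
    # reject it. The policy only applies to packets no rule above matched.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
    $IPT -P INPUT DROP
}

# Print the commands instead of running them (subshell keeps IPT=echo local).
dry_run() { ( IPT=echo; apply_rules ); }
```

Run `dry_run` to review the rule set, then `apply_rules` as root; `iptables -L INPUT -n -v` afterwards shows the per-rule counters and confirms the order.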



© Lightnetics 2024