What is IPTABLES?

iptables is the firewall built into your Linux box; it is a very powerful tool for controlling network traffic.
Filters can be applied on the source and destination IP address and on the protocol (TCP, UDP and ICMP).
The following IPTABLES guide will help you understand iptables and its chains, including NAT.

1. IPTABLES and Chains

1.1 INPUT
1.2 OUTPUT
1.3 FORWARD

2. Advanced IPTABLES

3. NAT

3.1 NAT
3.2 PAT

1. IPTABLES and Chains

Set Default Chain Policies

The default chain policy is ACCEPT. It can be changed to DROP (or back to ACCEPT) for each of the built-in chains INPUT, FORWARD and OUTPUT as shown below. Only ACCEPT and DROP are valid policies; REJECT is a target for individual rules, not a chain policy.

#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -P OUTPUT DROP

If the default policy is set to DROP, every packet that no rule accepts is silently discarded, so you have to allow the traffic you need by writing ACCEPT rules in the associated chains. Add those ACCEPT rules before switching the policy to DROP; doing it the other way round over a remote session cuts the session off.

To check the current default policy of each chain:
#iptables -L | grep policy

1.1 INPUT

The INPUT chain filters inbound traffic received on a network interface (packets addressed to the firewall host itself). Rules are processed in the order they appear in the chain; once a rule matches, no further rule in the chain is evaluated.
Ex: incoming / ingress traffic filter

Options:

-A : Append a new rule to the end of the chain.
-I : Insert a new rule at the top of the chain (or at a given rule number).
-D : Delete a rule from the selected chain by specifying its rule number (or the full rule specification).
-R : Replace the rule at a given position in the selected chain. Rules are numbered starting at 1.
-L : List all rules in the selected chain.
-F : Flush all the rules from the selected chain (with no chain given, from every chain in the table).
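The first-match behaviour described above, and what -A, -I, -D, -R, -L and -F do to rule numbering, are easy to get wrong on a live box. The following script is an added example for this guide, not part of the original page and not iptables itself: a hypothetical single-chain simulator in POSIX shell. It keeps rules in a file as "SRC PROTO TARGET" lines (SRC and PROTO are shell glob patterns such as 192.168.1.* or *), evaluates a packet against them in order, and falls back to the chain policy, so you can see why an ACCEPT appended below a DROP is a dead rule while the same ACCEPT inserted at position 1 takes effect.

```shell
#!/bin/sh
# Hypothetical single-chain simulator, written for this guide; it is not
# iptables and does not touch the kernel. A rule is one line "SRC PROTO TARGET"
# where SRC and PROTO are shell glob patterns ("192.168.1.23", "192.168.1.*",
# "*") and TARGET is ACCEPT or DROP. Evaluation is first match wins; when no
# rule matches, the chain policy applies, exactly as in a real chain.

CHAIN_FILE="${CHAIN_FILE:-$(mktemp)}"   # one rule per line, in chain order
POLICY="${POLICY:-ACCEPT}"               # default policy, as set by -P

chain_set_policy() { POLICY=$1; }                            # iptables -P INPUT <target>
chain_flush()      { : > "$CHAIN_FILE"; }                    # iptables -F INPUT
chain_append()     { printf '%s\n' "$*" >> "$CHAIN_FILE"; }  # iptables -A INPUT <rule>

chain_insert() {   # iptables -I INPUT <n> <rule>: the new rule becomes number n
  _n=$1; shift
  awk -v n="$_n" -v r="$*" 'NR == n { print r } { print } END { if (NR < n) print r }' \
    "$CHAIN_FILE" > "$CHAIN_FILE.tmp" && mv "$CHAIN_FILE.tmp" "$CHAIN_FILE"
}

chain_delete() {   # iptables -D INPUT <n>: rules after n move up by one
  awk -v n="$1" 'NR != n' "$CHAIN_FILE" > "$CHAIN_FILE.tmp" && mv "$CHAIN_FILE.tmp" "$CHAIN_FILE"
}

chain_replace() {  # iptables -R INPUT <n> <rule>: rule n is overwritten in place
  _n=$1; shift
  awk -v n="$_n" -v r="$*" 'NR == n { print r; next } { print }' \
    "$CHAIN_FILE" > "$CHAIN_FILE.tmp" && mv "$CHAIN_FILE.tmp" "$CHAIN_FILE"
}

chain_list() {     # iptables -L INPUT --line-numbers
  awk '{ printf "%d %s\n", NR, $0 }' "$CHAIN_FILE"
  printf 'policy %s\n' "$POLICY"
}

chain_eval() {     # usage: chain_eval SRC PROTO -> target of the first matching rule
  while read -r rsrc rproto target; do
    case "$1" in $rsrc) ;; *) continue ;; esac     # source does not match: next rule
    case "$2" in $rproto) ;; *) continue ;; esac   # protocol does not match: next rule
    printf '%s\n' "$target"; return 0              # first match wins, nothing else is checked
  done < "$CHAIN_FILE"
  printf '%s\n' "$POLICY"                          # no rule matched: default policy
}

demo() {  # the ordering trap: an appended ACCEPT never overrides an earlier DROP
  chain_flush; chain_set_policy ACCEPT
  chain_append '192.168.1.23 icmp DROP'            # iptables -A INPUT -s 192.168.1.23 -p icmp -j DROP
  chain_append '192.168.1.23 icmp ACCEPT'          # appended below the DROP: dead rule
  printf 'after -A ACCEPT : %s\n' "$(chain_eval 192.168.1.23 icmp)"
  chain_insert 1 '192.168.1.23 icmp ACCEPT'        # iptables -I INPUT 1 ...: now evaluated first
  printf 'after -I 1 ACCEPT: %s\n' "$(chain_eval 192.168.1.23 icmp)"
  chain_delete 1                                   # iptables -D INPUT 1
  chain_replace 1 '192.168.1.* icmp ACCEPT'        # iptables -R INPUT 1 -s 192.168.1.0/24 ...
  chain_list
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh chainsim.sh demo`: the first evaluation prints DROP, the second ACCEPT, and the listing at the end shows the renumbered chain after the delete and replace. The same reasoning applies to the real commands: always list with --line-numbers before using -D, -R or -I with a number, because every deletion shifts the numbers of the rules below it.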

Note

Find out all the options, parameters and examples in the manual:

#man iptables

Rules:

1.1.1 Deny ICMP request from a single IP / subnet.
Deny ICMP echo request from 192.168.1.23 to 192.168.1.246 (Linux firewall).

#iptables -A INPUT -s 192.168.1.23 -p icmp --icmp-type echo-request -j DROP

Deny ICMP request from all sources

#iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Deny ICMP request from a subnet (range of IPs); -s defines the source IP or network.

#iptables -A INPUT -s 192.168.0.0/24 -p icmp --icmp-type echo-request -j DROP

Deny ICMP request from a range of IP addresses using the iprange match and its --src-range parameter.

#iptables -A INPUT -m iprange --src-range 192.168.1.24-192.168.1.40 -p icmp --icmp-type echo-request -j DROP

Deny the ICMP request on the eth0 interface.

#iptables -A INPUT -i eth0 -s 192.168.0.0/24 -p icmp --icmp-type echo-request -j DROP

Note:
-s defines the source IP or network.
-p protocol: tcp / udp / icmp, or all.
-j jump to an action (target): ACCEPT / DROP / REJECT / REDIRECT.
-i specifies the name of the interface on which the packet was received.
-m loads a match extension (here iprange) that adds extra parameters such as --src-range.

 

1.1.2 Accept ICMP request from a single IP / subnet.

ACCEPT ICMP echo request from 192.168.1.23 to 192.168.1.246 (Linux firewall).

#iptables -A INPUT -s 192.168.1.23 -p icmp --icmp-type echo-request -j ACCEPT

ACCEPT ICMP request from all sources

#iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

ACCEPT ICMP request from a subnet (range of IPs); -s defines the source IP or network.

#iptables -A INPUT -s 192.168.0.0/24 -p icmp --icmp-type echo-request -j ACCEPT

 

1.1.3 Deny HTTP:80, SMTP:25, POP3:110 and DNS:53 requests, from any source or from a specific IP / subnet.

Deny the four services from any source (no -s is given, so every source matches):

#iptables -A INPUT -p tcp --dport 80 -j DROP

#iptables -A INPUT -p tcp --dport 25 -j DROP

#iptables -A INPUT -p tcp --dport 110 -j DROP

#iptables -A INPUT -p udp --dport 53 -j DROP

Deny HTTP:80 requests from a specific IP or network

#iptables -A INPUT -s 192.168.1.23 -p tcp --dport 80 -j DROP

#iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j DROP

Note:
--dport is the destination port; it is only valid after -p tcp or -p udp.
-j jump to an action: ACCEPT / DROP or REJECT.

 

1.1.4 Deny multiple ports in one rule using the 'multiport' match (-m multiport)

#iptables -A INPUT -p tcp -m multiport --dports 80,25,110 -j DROP

Note:
-m multiport loads the multiport match extension, which lets a single rule match several ports.
--dports defines the destination ports; separate the port numbers with commas (up to 15 ports per rule).
-j jump to an action: ACCEPT / DROP.

 

1.1.5 Delete a rule

List iptables rules with line numbers

#iptables -L --line-numbers

Delete INPUT chain rule number '1'

#iptables -D INPUT 1

Delete OUTPUT chain rule number '1'

#iptables -D OUTPUT 1

Delete FORWARD chain rule number '1'

#iptables -D FORWARD 1

Note:
-D : Delete a rule from any of the chains by giving the rule number after the chain name.
In the example above we are removing rule number 1 from the INPUT chain; the same form works for OUTPUT and FORWARD. After a deletion the remaining rules are renumbered, so list the chain again before deleting another rule by number.

1.1.6 Edit the rule

Let's assume that you have created a rule under the INPUT chain to accept ICMP echo requests from the source 192.168.1.23 and later want to change it to drop/reject. The rule is at position 1 in the INPUT chain.

#iptables -R INPUT 1 -s 192.168.1.23 -p icmp --icmp-type echo-request -j DROP

Note:
-R : Replace the rule at the given position in the selected chain. Rules are numbered starting at 1.

 

1.1.7 Insert a rule at a specific rule number

Let's assume you have several rules in the INPUT chain and want to add a rule between the existing rules, at a specific line number. The new rule takes that position and the rules below it move down by one.

#iptables -I INPUT 3 -s 192.168.1.23 -p icmp --icmp-type echo-request -j ACCEPT

Note:
-I : Insert a new rule into an existing chain at the top of the chain (rule 1, the default) or at the given rule number.

 

1.1.8 Listing rules

Listing of the filter-table chains (INPUT, OUTPUT and FORWARD)

#iptables -L

Listing of the nat table

#iptables -L -t nat

Note:
-t : table (filter is the default; nat and mangle are the other commonly used tables)
-v : verbose output (packet and byte counters, interfaces)
-n : numeric output: IP addresses and port numbers are printed as numbers instead of being resolved to host and service names.

Listing iptables rules with line numbers

#iptables -L --line-numbers

Listing iptables rules with numeric addresses and ports

#iptables -L -n

Note:
-n : numeric output; it also avoids the slow reverse DNS lookups that a plain -L performs.

 

1.1.9 Flush the iptables rules

Flush all the chains (INPUT, OUTPUT and FORWARD) of the filter table.

#iptables -F

Flush only the INPUT chain

#iptables -F INPUT

Flush only the OUTPUT chain

#iptables -F OUTPUT

Flush only the FORWARD chain

#iptables -F FORWARD

Flush the nat table

#iptables -t nat -F

Note:

-F : Flush. Flushing removes the rules but leaves the chain policies in place, so with a DROP policy a flushed chain drops everything.

 

1.2 OUTPUT

The OUTPUT chain filters outgoing traffic generated by the firewall host itself.
Ex: outgoing / egress traffic filter.

Options:
-A : Append a new rule to the end of the chain.
-I : Insert a new rule at the top of the chain (or at a given rule number).
-D : Delete a rule from the selected chain by specifying its rule number (or the full rule specification).
-R : Replace the rule at a given position in the selected chain. Rules are numbered starting at 1.
-L : List all rules in the selected chain.
-F : Flush all the rules from the selected chain (with no chain given, from every chain in the table).

Note:
Find out all the options, parameters and examples in the manual:

#man iptables

Rules:

1.2.1 Deny ICMP request from the firewall (inside) to a target PC (outside)

Deny ICMP echo request from 192.168.1.246 (firewall, inside the network) to 192.168.1.23 (user PC).

#iptables -A OUTPUT -d 192.168.1.23 -p icmp --icmp-type echo-request -j DROP

Note:
-d : destination IP. In our example 192.168.1.23 is a client IP; the request going out to that target is dropped by the OUTPUT chain filter.

Deny ICMP requests from inside (firewall) to all destinations

#iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

Deny ICMP request to an entire subnet (192.168.0.0/24); -d defines the destination IP or network.

#iptables -A OUTPUT -d 192.168.0.0/24 -p icmp --icmp-type echo-request -j DROP

Deny ICMP request to a range of IP addresses (outside) using the iprange match and its --dst-range parameter.

#iptables -A OUTPUT -m iprange --dst-range 192.168.1.24-192.168.1.40 -p icmp --icmp-type echo-request -j DROP

Note:
--dst-range : defines the destination range (outside).

Deny outgoing ICMP requests leaving through the eth0 interface to a subnet.

#iptables -A OUTPUT -o eth0 -d 192.168.0.0/24 -p icmp --icmp-type echo-request -j DROP

Note:
-d defines the destination IP or network.
-p protocol: tcp / udp / icmp, or all.
-j jump to an action (target): ACCEPT / DROP / REJECT / REDIRECT.
-o specifies the name of the interface the packet is sent out through. (-i, the input interface, is not valid in the OUTPUT chain; use -o here.)

 

1.2.2 Accept ICMP outgoing request to a single IP / subnet.

ACCEPT ICMP outgoing echo request to 192.168.1.23 from 192.168.1.246 (Linux firewall).

#iptables -A OUTPUT -d 192.168.1.23 -p icmp --icmp-type echo-request -j ACCEPT

ACCEPT ICMP outgoing requests to all destinations

#iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

ACCEPT ICMP outgoing requests to a subnet (range of IPs); -d defines the destination IP or network.

#iptables -A OUTPUT -d 192.168.0.0/24 -p icmp --icmp-type echo-request -j ACCEPT

 

1.2.3 Deny outgoing requests for HTTP:80, SMTP:25, POP3:110 and DNS:53 to all destinations

#iptables -A OUTPUT -p tcp --dport 80 -j DROP

#iptables -A OUTPUT -p tcp --dport 25 -j DROP

#iptables -A OUTPUT -p tcp --dport 110 -j DROP

#iptables -A OUTPUT -p udp --dport 53 -j DROP

Deny outgoing requests to a single destination outside (192.168.1.23); shown for HTTP:80, repeat with the other ports for SMTP:25, POP3:110 and DNS:53

#iptables -A OUTPUT -d 192.168.1.23 -p tcp --dport 80 -j DROP

Deny outgoing requests to a destination network outside (192.168.0.0/24); again shown for HTTP:80.

#iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --dport 80 -j DROP

Note:
-j jump to an action: ACCEPT / DROP or REJECT.

 

1.2.4 Deny outgoing traffic for ports 80, 25 and 110 to all destinations, defining the multiple ports with the 'multiport' match (-m multiport)

#iptables -A OUTPUT -p tcp -m multiport --dports 80,25,110 -j DROP

Note:
-m multiport : loads the multiport match extension, which lets a single rule match several ports.
--dports : defines the destination ports; separate the port numbers with commas.
-j : jump to an action ACCEPT / DROP.

1.2.5 Delete a rule from the OUTPUT chain

List iptables rules with line numbers

#iptables -L --line-numbers

#iptables -D OUTPUT 1

Note:
-D : Delete a rule from any of the chains by giving the rule number after the chain name.
In the example above we are removing rule number 1 from the OUTPUT chain.

 

1.2.6 Edit a rule in the OUTPUT chain

Let's assume that you have created a rule under the OUTPUT chain to accept ICMP echo requests to the destination 192.168.1.23 and later want to change it to drop/reject. The rule is at position 1 in the OUTPUT chain.

#iptables -R OUTPUT 1 -d 192.168.1.23 -p icmp --icmp-type echo-request -j DROP

Note:
-R : Replace the rule at the given position in the selected chain. Rules are numbered starting at 1.

 

1.2.7 Insert a rule at a specific rule number in the OUTPUT chain

Let's assume you have several rules in the OUTPUT chain and want to add a rule between the existing rules, at a specific line number.

#iptables -I OUTPUT 3 -d 192.168.1.23 -p icmp --icmp-type echo-request -j ACCEPT

Note:
-I : Insert a new rule into an existing chain at the top of the chain (rule 1, the default) or at the given rule number.

 

1.2.8 Listing IPTABLES rules.

Listing of the rules from all filter-table chains (INPUT, OUTPUT and FORWARD)

#iptables -L

Listing only the rules in the OUTPUT chain

#iptables -L OUTPUT

Listing only the rules in the FORWARD chain

#iptables -L FORWARD

Listing only the rules in the INPUT chain

#iptables -L INPUT

Listing of the nat table

#iptables -L -t nat

Note:
-t : table
-v : verbose output (packet and byte counters, interfaces)
-n : numeric output: IP addresses and port numbers are printed as numbers instead of names.

Listing iptables rules with line numbers

#iptables -L --line-numbers

Listing iptables rules with numeric addresses and ports

#iptables -L -n

Note:
-n : numeric output (no DNS or service-name lookups).

 

1.2.9 Stateful rules: '--state ESTABLISHED' is used for TCP-based connections, where the client and server complete a handshake and then exchange packets in both directions. You have to use the INPUT and OUTPUT chains together to allow the communication between them.

With the example below we allow SSH from outside to inside over TCP port 22, from 192.168.1.23 (client) to 192.168.1.246 (firewall). The first packet of a connection is in state NEW; every later packet of that connection, in either direction, is ESTABLISHED. So the INPUT rule must accept NEW as well as ESTABLISHED (with ESTABLISHED alone the handshake packet is dropped and no session ever starts), and in this method you have to add a rule in both chains, INPUT and OUTPUT.
Rule under the INPUT chain

#iptables -A INPUT -s 192.168.1.23 -d 192.168.1.246 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Deny all other SSH requests, i.e. from any IP except 192.168.1.23

#iptables -A INPUT -p tcp --dport 22 -j DROP

Rule under the OUTPUT chain (replies sent by the SSH server)

#iptables -A OUTPUT -s 192.168.1.246 -d 192.168.1.23 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Deny all other SSH replies, i.e. to any IP except 192.168.1.23

#iptables -A OUTPUT -p tcp --sport 22 -j DROP

Note:
1. INPUT chain rule: the connection from 192.168.1.23 (outside) to 192.168.1.246 (inside) on port 22 is allowed, handshake included; everything else arriving on port 22 is dropped.
2. OUTPUT chain rule: the reverse direction, from 192.168.1.246 (inside) to 192.168.1.23 (outside) from port 22, is allowed only for packets that belong to an established connection; everything else leaving from port 22 is dropped.
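The stateful SSH rules above and the default-policy advice in section 1 ("Set Default Chain Policies") both come down to ordering: the ACCEPT rules, with the NEW/ESTABLISHED states set correctly, must be in place before the policy flips to DROP, or the session you are typing in disappears. The script below is an added example for this guide (not the original author's commands); it applies that sequence on a single host. It assumes the admin network 192.168.1.0/24, the interface eth0 and a backup file /root/iptables.before; with DRY_RUN=1 it prints the commands instead of executing them, so the order can be reviewed anywhere.

```shell
#!/bin/sh
# Added example for this guide (not the original author's commands). It applies
# the page's INPUT/OUTPUT rules for SSH in the order that keeps an existing
# administrator session alive when the policy is switched to DROP.
# Assumed values: admin network 192.168.1.0/24, firewall interface eth0,
# backup file /root/iptables.before. DRY_RUN=1 prints the commands instead of
# executing them.
DRY_RUN="${DRY_RUN:-0}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

host_baseline() {  # usage: host_baseline ADMIN_NET [IFACE] [BACKUP_FILE]
  admin_net=$1; iface=${2:-eth0}; backup=${3:-/root/iptables.before}

  # 1. Keep a copy of the current rule set (restore with: iptables-restore < FILE).
  if [ "$DRY_RUN" = 1 ]; then printf 'iptables-save > %s\n' "$backup"; else iptables-save > "$backup"; fi

  # 2. Relax the policies BEFORE flushing: -F removes rules but keeps the policy,
  #    so flushing a chain whose policy is already DROP would cut the session.
  run iptables -P INPUT ACCEPT
  run iptables -P OUTPUT ACCEPT
  run iptables -F INPUT
  run iptables -F OUTPUT

  # 3. Allow rules first. ESTABLISHED keeps the current session and all replies;
  #    the SSH rule must also accept NEW, otherwise the handshake packet is dropped.
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -i "$iface" -s "$admin_net" -p tcp --dport 22 -m state --state NEW -j ACCEPT
  run iptables -A INPUT -p tcp --dport 22 -j DROP
  # Log (rate-limited) what is about to hit the DROP policy: useful for detection and debugging.
  run iptables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP: "
  run iptables -A OUTPUT -o lo -j ACCEPT
  run iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # 4. Only now switch the policies. OUTPUT stays ACCEPT here because the host
  #    originates its own traffic (DNS, updates); section 1.2 shows how to tighten it.
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -P OUTPUT ACCEPT
}

case "${1:-}" in
  dry-run) DRY_RUN=1; host_baseline 192.168.1.0/24 eth0 ;;
  apply)   host_baseline 192.168.1.0/24 eth0 ;;
esac
```

`sh baseline.sh dry-run` prints the sequence; `sh baseline.sh apply` (as root) executes it. The rules live only in the running kernel: to survive a reboot they have to be saved with iptables-save and restored at boot with iptables-restore, or managed by the distribution's persistence package.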

 

1.3 FORWARD

The FORWARD chain filters traffic that is received on one interface and routed out through another interface.
On a plain host the FORWARD chain is rarely used.

The FORWARD chain is required during NAT operation, when packets travel between two interfaces: a request received on eth0 and forwarded to eth1 under a nat-table rule must also be accepted by the FORWARD chain. Routing between interfaces must additionally be switched on in the kernel (net.ipv4.ip_forward = 1); until it is, the FORWARD chain never sees a packet.

In the example below we assume that the gateway server (Linux) has 2 network cards, eth0 and eth1

eth0 : Public IP
eth1 : Private

The default policy for INPUT, OUTPUT and FORWARD is ACCEPT. If the default policy of FORWARD is still ACCEPT, you do not need to add a new rule.
We assume that you have set the default policy to DROP. With the forward rules below, you allow the eth1 private (internal) network traffic out through the eth0 public (internet) IP for NAT.

#iptables -P FORWARD DROP
#iptables -A FORWARD -i eth1 -j ACCEPT
#iptables -A FORWARD -o eth1 -j ACCEPT

Note:

-i, --in-interface : name of the interface a packet was received on (INPUT, FORWARD and PREROUTING chains).
-o, --out-interface : name of the interface a packet will be sent out through (FORWARD, OUTPUT and POSTROUTING chains).
The second rule accepts everything coming from the private side; the third accepts everything going to it. Tightening the third rule with -m state --state ESTABLISHED,RELATED lets only replies back in to the private network.

2. Advanced IPTABLES

Adding a comment to any rule (a comment can be up to 256 characters):

#iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -m comment --comment "Deny SSH to entire subnet" -j DROP

Limit the number of simultaneous connections to a service port per source host (here a third concurrent SSH connection from the same address is rejected):

#iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT

Transparent proxy, port redirection from 80 (web) to 3128 (the proxy's default port).
Redirect the traffic received on port 80 to a different local port, 3128:

#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128

Mitigate a flood on service port 80 by rate-limiting it: this rule accepts on average 25 matching packets per minute, with an initial burst of up to 100. Packets over the limit do not match this rule and simply continue down the chain, so it only protects anything when a DROP rule (or a DROP default policy) follows it.

#iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
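What "25 per minute with a burst of 100" means in practice is a token bucket, and the rule above on its own does not drop anything. The script below is an added example for this guide, not part of the original page: limit_sim models the bucket behind -m limit (it starts full at --limit-burst tokens, refills at the --limit rate, and a packet matches only while a token is available), and ratelimit_port emits the rule pair the page's example needs, the limited ACCEPT followed by an explicit DROP, using --syn so that only connection attempts are throttled rather than every packet of a working session. The port, rate and burst values are illustrative; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example for this guide (not the original author's commands).
#  1. limit_sim models the token bucket behind "-m limit": the bucket starts
#     full at --limit-burst tokens, refills at --limit tokens per minute, and a
#     packet matches only while a token is available.
#  2. ratelimit_port emits the rule PAIR the page's example needs: the limited
#     ACCEPT and an explicit DROP behind it; without the DROP, packets above
#     the limit simply continue down the chain. DRY_RUN=1 prints the commands.

limit_sim() {  # usage: limit_sim RATE_PER_MINUTE BURST PACKETS INTERVAL_SECONDS -> "matched unmatched"
  awk -v rate="$1" -v burst="$2" -v n="$3" -v dt="$4" 'BEGIN {
    tokens = burst; matched = 0; unmatched = 0; last = 0
    for (i = 0; i < n; i++) {
      t = i * dt                                # arrival time of packet i
      tokens += (t - last) * rate / 60          # refill for the time elapsed since the last packet
      if (tokens > burst) tokens = burst        # the bucket never holds more than the burst
      last = t
      if (tokens >= 1) { tokens -= 1; matched++ } else unmatched++
    }
    print matched, unmatched
  }'
}

DRY_RUN="${DRY_RUN:-0}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

ratelimit_port() {  # usage: ratelimit_port PORT RATE BURST   (e.g. 80 25/minute 100)
  port=$1; rate=$2; burst=$3
  # --syn: throttle connection attempts only, not the packets of sessions already accepted
  run iptables -A INPUT -p tcp --syn --dport "$port" -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
  # Everything over the limit falls through to this rule and is dropped.
  run iptables -A INPUT -p tcp --syn --dport "$port" -j DROP
}

case "${1:-}" in
  sim)     limit_sim 25 100 150 0 ;;              # 150 SYNs at once: 100 matched, 50 fall through
  dry-run) DRY_RUN=1; ratelimit_port 80 25/minute 100 ;;
esac
```

`sh ratelimit.sh sim` shows the burst being exhausted, and changing the last argument to 3 (one packet every three seconds, i.e. 20 per minute, below the rate) shows every packet matched. Note that this limit is global for the rule, not per source address; a single noisy client can exhaust the bucket for everyone, which is why connlimit or the hashlimit match is used when per-host limits are needed.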

 

3. NAT

Network Address Translation

3.1 NAT: source NAT (SNAT) and destination NAT (DNAT).

3.2 PAT: Port Address Translation

Generally, a request received on the public IP and forwarded to a private IP behind the firewall, with the addresses rewritten on the way, is called NAT (Network Address Translation).

Ex:

Outside request -> public IP on eth0 is "nat"-ed to a private IP on eth1 (internal network): destination NAT
Inside request -> private IP on eth1 is "nat"-ed to the public IP on eth0 (external): source NAT

When a request received on the public IP for a particular port is forwarded to a private IP behind the firewall on the same port or on a user-defined port, it is called PAT (port address translation).
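The NAT section describes the two directions in words but gives no rules, so the following is an added example for this guide (not the original author's commands) that puts them in the nat table together with the FORWARD rules from section 1.3 that they depend on. It assumes eth0 is the public interface, eth1 the private one, 192.168.1.0/24 the internal network and 192.168.1.10 an internal web server; MASQUERADE is used for the source NAT because it picks up eth0's current address automatically, and DNAT for the port forward (PAT). DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example for this guide (not the original author's commands): the
# nat-table rules the text describes in words. Assumed layout: eth0 public,
# eth1 private 192.168.1.0/24, internal web server 192.168.1.10.
# DRY_RUN=1 prints the commands instead of executing them.
DRY_RUN="${DRY_RUN:-0}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

nat_gateway() {  # usage: nat_gateway PUB_IF PRIV_IF PRIV_NET
  pub=$1; priv=$2; net=$3
  run sysctl -w net.ipv4.ip_forward=1            # routing between the two interfaces is off by default
  run iptables -P FORWARD DROP                   # nothing crosses the box unless a rule allows it
  # Inside -> outside (source NAT): rewrite the private source address to eth0's own
  # address as the packet leaves; MASQUERADE looks the address up each time.
  run iptables -t nat -A POSTROUTING -s "$net" -o "$pub" -j MASQUERADE
  run iptables -A FORWARD -i "$priv" -o "$pub" -s "$net" -j ACCEPT
  # Outside -> inside: only replies to connections the inside started.
  run iptables -A FORWARD -i "$pub" -o "$priv" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

port_forward() {  # usage: port_forward PUB_IF PRIV_IF PROTO PUB_PORT INSIDE_IP INSIDE_PORT
  pub=$1; priv=$2; proto=$3; pport=$4; ip=$5; iport=$6
  # PAT: DNAT rewrites the destination in PREROUTING, i.e. before routing, so the
  # FORWARD chain already sees the inside address and port.
  run iptables -t nat -A PREROUTING -i "$pub" -p "$proto" --dport "$pport" -j DNAT --to-destination "$ip:$iport"
  run iptables -A FORWARD -i "$pub" -o "$priv" -p "$proto" -d "$ip" --dport "$iport" -m state --state NEW,ESTABLISHED -j ACCEPT
}

case "${1:-}" in
  dry-run) DRY_RUN=1; nat_gateway eth0 eth1 192.168.1.0/24; port_forward eth0 eth1 tcp 80 192.168.1.10 8080 ;;
  apply)   nat_gateway eth0 eth1 192.168.1.0/24; port_forward eth0 eth1 tcp 80 192.168.1.10 8080 ;;
esac
```

`sh nat.sh dry-run` prints the seven commands in the order they must be applied. Keep the FORWARD policy at DROP and add one explicit FORWARD ACCEPT per DNAT rule, as port_forward does: a DNAT entry on its own only rewrites the address, and it is the FORWARD chain that decides whether the translated packet is allowed through to the inside host.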

 

Copyright © Solutions@Experts.com