iptables

by Anish


Posted on Saturday August 18


Reference: 8gwifi.org

Introduction

This sample chapter is extracted from the book The Modern Cryptography CookBook. The book's theme is "Cryptography is for Everyone": learn from crypto principles to applied cryptography with practical examples.

Get this book for just $9 by using the discount coupon


IPtables is the firewall administration tool available in most Linux distributions. While it might seem difficult to deal with at first, this write-up should show you how easy it is to use and how quickly you can be on your way working with your firewall.

iptables CHAINS

Iptables is made up of 5 tables, each associated with specific functionality of the netfilter framework, and each split into several "chains" that define the points in the packet path at which that table's rules are applied. The chains you will use most:

  • INPUT - Used to control the behavior of INCOMING connections (packets addressed to this host).

  • FORWARD - Used to control the behavior of connections that aren't delivered locally but are routed straight back out. The FORWARD chain of the filter table is where forwarded packets are filtered. Here is an example where any TCP traffic received on port 80 on interface eth0 and destined for the host 192.168.0.4 is accepted and forwarded to 192.168.0.4:

      iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.0.4 -j ACCEPT
    
  • OUTPUT - Used to control the behavior of OUTGOING connections (packets generated by this host).

  • PREROUTING: This chain of the nat table is used to change a packet's destination before (PRE) any routing decision is made. Here is an example that redirects any traffic that just reached the server on port 80 to port 8080:

      iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
    

    Use nat's PREROUTING only to change the destination address of packets, and filter's FORWARD only for filtering (dropping/accepting packets).

iptables Actions

  • ACCEPT: Allow the connection
  • DROP: Drop the packet silently (as if no connection was ever made; useful if you want the system to appear absent from the network)
  • REJECT: Don't allow the connection, but send an error back to the sender.

iptables Default Policy

On every Linux system each chain has a default policy: the ACTION applied to packets that match none of the chain's rules. To see the current default policies:

sudo iptables -L | grep policy
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)

How to Change Default iptables Policy

Sysadmins can change the default policy with iptables --policy <CHAIN> <ACTION>

For example:

iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP
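Setting iptables --policy INPUT DROP on a live host before the ACCEPT rules exist cuts off the very SSH session you are working from. The safe pattern is to load the policy and the rules that keep the host reachable together, atomically, with iptables-restore. The script below is an added example, not code from the original post or from 8gwifi.org: it emits a filter-table ruleset in iptables-restore format (DROP default for INPUT and FORWARD, loopback and ESTABLISHED/RELATED accepted first, SSH rate-limited with the recent module as the page does, everything else logged and dropped via a LOGGING chain). The admin network 192.0.2.0/24, the SSH_PORT/ADMIN_NET variables and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build a complete filter-table
# ruleset in iptables-restore format so that a DROP default policy on INPUT is
# applied in the same atomic load as the rules that keep the host reachable.
#
# Assumptions (adjust for your host): SSH on TCP 22 and an admin network of
# 192.0.2.0/24 (a documentation prefix, used here as a constructed sample).
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

# Print the ruleset to stdout. Order matters: loopback and ESTABLISHED/RELATED
# traffic are accepted before anything else, so the DROP policy only affects
# new, unsolicited connections. Lines starting with # are ignored by
# iptables-restore.
build_filter_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
# Loopback and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no known connection are dropped early
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the admin network, at most one new connection per 15 s per source
-A INPUT -p tcp -s $ADMIN_NET --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 15 -j DROP
-A INPUT -p tcp -s $ADMIN_NET --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ssh --set -j ACCEPT
# Everything else is logged (rate limited) and then dropped
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 3/min -j LOG --log-prefix "iptables drop packets " --log-level 4
-A LOGGING -j DROP
COMMIT
EOF
}

# 1-based line number of the first ruleset line containing $1; used to check
# the ordering the comments above rely on.
rule_position() {
    build_filter_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Checks that need no root: the DROP policy is declared, the file ends with
# COMMIT, and ESTABLISHED traffic is accepted before the final DROP.
validate_ruleset() {
    build_filter_ruleset | grep -q '^:INPUT DROP' || return 1
    [ "$(build_filter_ruleset | tail -n 1)" = "COMMIT" ] || return 1
    [ "$(rule_position 'ESTABLISHED,RELATED')" -lt "$(rule_position '-A LOGGING -j DROP')" ] || return 1
    return 0
}

# Load atomically (needs root). iptables-restore --test parses the file
# without loading it, which is the dry run to do first on a remote box.
apply_ruleset() {
    validate_ruleset || { echo "ruleset failed validation" >&2; return 1; }
    build_filter_ruleset | iptables-restore --test || return 1
    build_filter_ruleset | iptables-restore
}
```

build_filter_ruleset and validate_ruleset run without privileges, so the generated file can be reviewed (or diffed against iptables-save output) before apply_ruleset loads it. The conntrack match used here is the current name for the state match the page uses; both are accepted by iptables-restore.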

iptables main command options

Get familiar with the iptables options via iptables -h; this is a great place to start. Some tips:

  • iptables -A will append the rule at the end of the chain

  • iptables -I will insert the rule at the top of the chain (position 1) by default

  • iptables -D will delete a rule (specify a rule number or the whole rule you want to remove for this option to work)

  • iptables -C will check for the existence of a rule

  • iptables -F will delete all rules in a chain, or in all chains if no chain is given

Most common IPtables rules

  • iptables: How to Block All Traffic

      iptables -F 
      iptables -A INPUT -j REJECT 
      iptables -A OUTPUT -j REJECT 
      iptables -A FORWARD -j REJECT
    
  • iptables How to Block Incoming Traffic Only

      iptables -F INPUT 
      iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT 
      iptables -A INPUT -j REJECT
    
  • iptables: How to Block Outgoing Traffic Only

      iptables -F OUTPUT 
      iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT 
      iptables -A OUTPUT -j REJECT
    
  • iptables: How to Block a Specific Incoming Port or Service
    This will block any incoming traffic to the http service

      iptables -A INPUT -p tcp --dport 80 -j REJECT
    

    or

      iptables -A INPUT -p tcp --dport www -j REJECT
    

    To allow http only on the local (loopback) interface, reject it on every other interface

      iptables -A INPUT -p tcp --dport 80 ! -i lo -j REJECT
    
  • iptables: How to block specific host

    This will block all access by that host

      iptables -A INPUT -s <remote_ip> -j REJECT
    
  • iptables: How to block outgoing traffic to a specific host

      iptables -A OUTPUT -d <remote_ip> -j REJECT
    
  • iptables: How to allow access to specific mac address only

      iptables -A INPUT -m mac --mac-source <mac_address> -j ACCEPT
      iptables -A INPUT -j REJECT
    
  • iptables: How to allow only SSH

    The ACCEPT rules must come before the final REJECT; a REJECT at the top of the chain would match every packet first.

      iptables -A INPUT -p tcp --dport ssh -j ACCEPT
      iptables -A INPUT -i lo -j ACCEPT
      iptables -A INPUT -j REJECT
    
  • iptables: How to block an outgoing connection, for example telnet

      iptables -A OUTPUT -p tcp --dport telnet -j REJECT
    
  • iptables: How to block ping

      iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
    

    or

      iptables -A INPUT -p icmp --icmp-type 8 -j DROP
    
  • iptables: How to configure connection wait

    Makes iptables wait 15 seconds between new connections from the same IP on port 22 (SSH):

      iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
    
      iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT
    
  • iptables: How to Block Smurf attacks

      iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
      iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
      iptables -A INPUT -p icmp -m icmp -j DROP
    
  • iptables: How to drop excessive RST packets to avoid smurf attacks

    The limit rule accepts at most 2 RST packets per second; a second rule is needed to drop the excess:

      iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
      iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
    
  • iptables: How to do Port Forwarding

    This rule will forward all incoming requests on port 80 to port 8080

      iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
    

    This rule will forward all requests on port 80 from localhost to port 8080

      iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
    
  • iptables: How to List IPtables Rules

      iptables -L 
      iptables -t nat --line-numbers -n -L
    
  • iptables: How to save rule changes made to iptables

      Ubuntu: sudo /sbin/iptables-save | sudo tee /etc/iptables.conf   (iptables-save prints to stdout; redirect it to a file)
    
      RedHat / Centos: /sbin/service iptables save
    
      Others: /etc/init.d/iptables save
    
      Generic:  iptables-save > /etc/sysconfig/iptables
    
  • How to restore iptables rules from file

      sudo iptables-save | sudo tee /etc/iptables.conf
      sudo iptables-restore < /etc/iptables.conf
    
  • How to flush (clear) all iptables rules

    This command flushes only the filter table; it will not clear NAT rules

      iptables -F
    

    If there are NAT rules, flush them with

      iptables -t nat -F

  • iptables: How to delete PREROUTING NAT rule

    First find its line number with iptables -t nat -L --line-numbers:

      iptables -t nat -L --line-numbers
      Chain PREROUTING (policy ACCEPT)
      num  target     prot opt source               destination         
      1    REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:8082 redir ports 8083
      2    REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:8084 redir ports 8083
    
      Chain INPUT (policy ACCEPT)
      num  target     prot opt source               destination         
    
      Chain OUTPUT (policy ACCEPT)
      num  target     prot opt source               destination         
      1    REDIRECT   tcp  --  anywhere             localhost            tcp dpt:8084 redir ports 8083
      2    REDIRECT   tcp  --  anywhere             localhost            tcp dpt:8082 redir ports 8083
    

    Then delete the rule by its number

      iptables -t nat -D PREROUTING 2

  • iptables: How to do logging in iptables

    create a new rule chain that logs and drops in sequence:

      # Create a new chain called LOGGING
      iptables -N LOGGING 
      #All the remaining incoming packets will jump to the LOGGING chain
      iptables -A INPUT -j LOGGING 
      #Log the incoming packets to syslog (/var/log/messages)
      iptables -A LOGGING -m limit --limit 3/min -j LOG --log-prefix "iptables drop packets " --log-level 4
      #Finally, drop all the packets that came to the LOGGING chain
      iptables -A LOGGING -j DROP
    

    Log All Dropped Outgoing Packets

      iptables -N LOGGING
      iptables -A OUTPUT -j LOGGING
      iptables -A LOGGING -m limit --limit 3/min -j LOG --log-prefix "iptables drop packets " --log-level 4
      iptables -A LOGGING -j DROP
    
  • iptables: How to build DDoS Rules in iptables

    Apply the private-range drops below only on an interface facing the public internet; on a LAN-facing interface they would block legitimate RFC 1918 traffic.

      # Drop packets with spoofed or bogus source/destination addresses
      iptables -A INPUT -s 10.0.0.0/8 -j DROP
      iptables -A INPUT -s 169.254.0.0/16 -j DROP
      iptables -A INPUT -s 172.16.0.0/12 -j DROP
      iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
    
      iptables -A INPUT -s 224.0.0.0/4 -j DROP
      iptables -A INPUT -d 224.0.0.0/4 -j DROP
      iptables -A INPUT -s 240.0.0.0/5 -j DROP
      iptables -A INPUT -d 240.0.0.0/5 -j DROP
      iptables -A INPUT -s 0.0.0.0/8 -j DROP
      iptables -A INPUT -d 0.0.0.0/8 -j DROP
      iptables -A INPUT -d 239.255.255.0/24 -j DROP
      iptables -A INPUT -d 255.255.255.255 -j DROP
    
      # Stop smurf attacks
      iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
      iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
      iptables -A INPUT -p icmp -m icmp -j DROP
    
      # Drop all invalid packets
      iptables -A INPUT -m state --state INVALID -j DROP
      iptables -A FORWARD -m state --state INVALID -j DROP
      iptables -A OUTPUT -m state --state INVALID -j DROP
    
      # Accept at most 2 RST packets per second and drop the excess
      iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
      iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
    
  • iptables How to block portscans

      # Anyone who tried to portscan us is locked out for an entire day.
      iptables -A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP
      iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
    
      # Once the day has passed, remove them from the portscan list
      iptables -A INPUT   -m recent --name portscan --remove
      iptables -A FORWARD -m recent --name portscan --remove
    
      # These rules add scanners to the portscan list, and log the attempt.
      iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
      iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
    
      iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
      iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
    
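The LOG target only writes lines to the kernel log; turning them into something reviewable is the other half of the logging and portscan rules above. The following is an added example, not code from the original post: a POSIX shell/awk summarizer for lines carrying the two prefixes used on this page, "iptables drop packets " and "Portscan:". The lines in sample_log are constructed samples in the usual "kernel: ... SRC= DST= PROTO= DPT=" format, not real captures, and the function names are this example's own. One detail the samples reproduce: the prefix is pasted directly in front of the IN= field, so a prefix without a trailing space (as in "Portscan:") yields "Portscan:IN=eth0".

```shell
#!/bin/sh
# Added example (not from the original post): summarize firewall LOG lines
# from the kernel log. Sample lines are constructed; addresses come from the
# documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24.
sample_log() {
    cat <<'EOF'
Aug 18 10:15:02 gw kernel: [1203.456789] iptables drop packets IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=44123 DPT=23 WINDOW=1024 SYN URGP=0
Aug 18 10:15:03 gw kernel: [1204.101112] iptables drop packets IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=44124 DPT=3389 WINDOW=1024 SYN URGP=0
Aug 18 10:15:05 gw kernel: [1206.300000] iptables drop packets IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=44125 DPT=445 WINDOW=1024 SYN URGP=0
Aug 18 10:15:09 gw kernel: [1210.770001] Portscan:IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=44 TTL=48 ID=0 PROTO=TCP SPT=51000 DPT=139 WINDOW=65535 SYN URGP=0
Aug 18 10:15:11 gw kernel: [1212.004000] iptables drop packets IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=84 TTL=48 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 18 10:16:00 gw sshd[2211]: Accepted publickey for admin from 192.0.2.5 port 50022 ssh2
EOF
}

# Keep only lines written by the LOG target (they carry SRC= and IN=) and
# print "prefix|src|proto|dport" per line. The prefix is whatever sits between
# the kernel timestamp "]" and the IN= field; dport is "-" when absent (ICMP).
parse_fw_log() {
    awk '
        /SRC=/ && /IN=/ {
            src = ""; proto = ""; dport = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dport = substr($i, 5)
            }
            line = $0
            sub(/^.*\] /, "", line)
            sub(/IN=.*$/, "", line)
            gsub(/^ +| +$/, "", line)
            print line "|" src "|" proto "|" dport
        }'
}

# Logged packets per source address, most frequent first ("src count").
drops_per_source() {
    parse_fw_log | cut -d'|' -f2 | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Number of logged packets from one source, for scripted checks or alerting.
count_from_src() {
    parse_fw_log | awk -F'|' -v s="$1" '$2 == s { n++ } END { print n + 0 }'
}

# Sources that tripped the portscan trap rule, one per line.
portscan_sources() {
    parse_fw_log | awk -F'|' '$1 == "Portscan:" { print $2 }' | sort -u
}

# Stand-alone run on the constructed sample; on a real host pipe
# /var/log/messages or "journalctl -k" output in instead.
if [ "${1:-}" = "--demo" ]; then
    sample_log | drops_per_source
    sample_log | portscan_sources
fi
```

Because the functions read stdin, the same pipeline works on a log file (`parse_fw_log < /var/log/messages`) or on a live feed (`journalctl -kf | parse_fw_log`). Rate limiting with -m limit, as in the rules above, means these counts are a lower bound on what was actually dropped.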

If I missed any rules, post a comment and I will add them to the list.



Thank you for reading! Give a share for support.

Asking for donations sounds bad to me, so I'm raising funds from The Modern Cryptography CookBook for just $9. Leanpub books discount coupon for the first 100 readers. No hurry: read the sample chapters here, then decide.

Alternatively, to support you can buy all four of my cryptography books for just $10.99.


Reference
  • The Modern Cryptography Book.
  • Go lang Cryptography for developers
  • Python Cryptography
  • Cryptography for JavaScript Developer
