9/04/2011

IPTables 1

IPTables

IPTables is a front-end used to control and manage netfilter.
Netfilter (the firewall) is a framework integrated into the Linux kernel.
IPTables consists of 3 tables (Filter, NAT, Mangle).
We will focus on layer 3 (Network), controlling source and destination IP addresses, and layer 4 (Transport), TCP and UDP.
The Filter table is used to control IP packet filtering, and it consists of 3 chains (INPUT, FORWARD, OUTPUT).


  • HOW To use IPTables:

An IPTables command consists of several parts, starting with iptables; we now discuss the fields of the iptables command:
1- iptables
2- action (append, replace, insert, delete ...) followed by the name of the chain, such as (INPUT, FORWARD, OUTPUT) for the Filter table.
3- name of the table with the -t option (-t mangle); if not specified, the Filter table is used by default.
4- specify the source IP (-s), the destination IP (-d), or both.
5- specify the protocol and ports: protocols such as (tcp, udp, icmp) with (-p), and the source port and destination port such as (ssh, telnet ...) with (--sport) and (--dport) respectively.
6- select the target with the (-j) option followed by the type of target (ACCEPT, DROP, DENY, LOG, REJECT)

Hint 1: skip step 3 if you work on the Filter table; otherwise you must specify the name of the table.
Hint 2: you don't have to use all the steps; use only what is required to make the rule correct and safer.

Examples :
1- block IP address 192.168.0.20 from connecting to my ssh
iptables -A INPUT -s 192.168.0.20 -p tcp --dport ssh -j DROP
-A to append the rule
INPUT to specify the name of the chain; the INPUT chain handles incoming communication
-s specifies the source IP address
-p specifies the protocol name
--dport specifies the destination port (destination port because we are handling INPUT communication)
-j selects the target name that refuses this communication
To make sure that the rule is appended, run iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  192.168.0.20         anywhere            tcp dpt:ssh 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

now we have blocked 192.168.0.20 from connecting to the local ssh
2- block 192.168.0.20 from connecting to the local system at all
iptables -A INPUT -s 192.168.0.20 -j DROP
Hint 3: to start iptables: /sbin/service iptables start
Hint 4: to make iptables start at system boot: /sbin/chkconfig iptables on
Hint 5: use /sbin/ip6tables to configure your firewall for IPv6.
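As an added example, not code from the original post, here is a small POSIX shell script that assembles a rule from the six fields described above and checks the output of iptables -L for a rule, which is the verification step the post performs by hand after example 1. The function names build_rule and rule_present and the variable SAMPLE_LISTING are my own; the listing is constructed to mirror what iptables -L shows after both example rules have been appended. It runs entirely offline and never calls iptables itself.

```shell
#!/bin/sh
# Added example, not code from the original post. build_rule assembles an
# iptables command from the six fields the post lists (empty fields are
# skipped, per Hint 2); rule_present checks a rule against the text of
# `iptables -L`. SAMPLE_LISTING is constructed to mirror the post's output.

# build_rule CHAIN SRC DST PROTO DPORT TARGET [TABLE]
build_rule() {
    chain=$1; src=$2; dst=$3; proto=$4; dport=$5; target=$6; table=$7
    # --dport only exists for protocols that have ports, so iptables rejects
    # it without -p; catch that before anything reaches the kernel.
    if [ -n "$dport" ] && [ -z "$proto" ]; then
        echo "build_rule: --dport requires -p (tcp or udp)" >&2
        return 1
    fi
    cmd="iptables"
    [ -n "$table" ] && cmd="$cmd -t $table"       # step 3: omit for the Filter table
    cmd="$cmd -A $chain"                          # step 2: action and chain
    [ -n "$src" ]   && cmd="$cmd -s $src"         # step 4: source address
    [ -n "$dst" ]   && cmd="$cmd -d $dst"         # step 4: destination address
    [ -n "$proto" ] && cmd="$cmd -p $proto"       # step 5: protocol
    [ -n "$dport" ] && cmd="$cmd --dport $dport"  # step 5: destination port
    cmd="$cmd -j $target"                         # step 6: target
    printf '%s\n' "$cmd"
}

# Constructed `iptables -L` output after the post's two example rules.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  192.168.0.20         anywhere            tcp dpt:ssh
DROP       all  --  192.168.0.20         anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# rule_present LISTING CHAIN TARGET SOURCE [PORTSPEC]
# Succeeds (exit 0) if CHAIN holds a rule whose target and source columns
# match and, when PORTSPEC (e.g. "dpt:ssh") is given, whose line contains it.
rule_present() {
    listing=$1; chain=$2; target=$3; src=$4; port=$5
    printf '%s\n' "$listing" | awk -v chain="$chain" -v target="$target" \
                                   -v src="$src" -v port="$port" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 == target && $4 == src {
            if (port == "" || index($0, port) > 0) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Usage: rebuild the post's two rules and confirm they appear in the listing.
build_rule INPUT 192.168.0.20 "" tcp ssh DROP
build_rule INPUT 192.168.0.20 "" "" "" DROP
rule_present "$SAMPLE_LISTING" INPUT DROP 192.168.0.20 dpt:ssh && echo "ssh block rule present"
rule_present "$SAMPLE_LISTING" OUTPUT DROP 192.168.0.20 || echo "no such rule in OUTPUT (expected)"
```

On a real host you would pass the live listing, for example rule_present "$(iptables -L)" INPUT DROP 192.168.0.20, after running the commands build_rule prints as root. Note that iptables -L resolves addresses and ports to names (anywhere, ssh) through DNS and /etc/services; iptables -L -n prints them numerically, which is the form to compare against when checking a rule programmatically.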
