7/29/2012

IPTables 3

  • Adding a new chain:

You can use this flag (-N)

Example:
iptables -N LAN

Practical example:

To manage your intranet rules easily, create a new chain and put the intranet rules in it.
1- Create the new chain:
iptables -N LAN
2- Send all traffic from the network 192.168.0.0/24 to the LAN chain:
iptables -I INPUT 1 -s 192.168.0.0/24 -j LAN
Then you can manage your intranet rules in the LAN chain, for example:
iptables -A LAN -p tcp --dport 22 -j ACCEPT


  • Changing the default policy:

You can change the default policy of a built-in chain (what happens to a packet that no rule matched), for example from ACCEPT to DROP.
For example, to change the INPUT chain's default policy from ACCEPT to DROP:

Example:
iptables -P INPUT DROP
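The two steps above (a LAN chain for intranet rules, then a DROP default policy on INPUT) belong together: once the policy is DROP, replies to the connections this host opened, and the SSH session you are typing in, are only kept alive by an explicit RELATED,ESTABLISHED rule placed before the policy takes effect. The following is an added example, not part of the original post: it emits the whole ruleset in the iptables-save/iptables-restore text format and checks that every rule references a declared chain before you load it. The network, port and the LAN rules are constructed defaults.

```shell
#!/bin/sh
# Added example (not from the original post): build an iptables-restore ruleset
# implementing the LAN-chain procedure plus a DROP default policy on INPUT.
# It only prints text; load it as root with `iptables-restore < file` after review.

lan_ruleset() {
  # $1: intranet prefix, $2: SSH port (constructed defaults)
  net="${1:-192.168.0.0/24}"
  ssh_port="${2:-22}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LAN - [0:0]
# replies to connections we opened must pass before the DROP policy applies
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# every packet from the intranet is handed to the LAN chain
-A INPUT -s ${net} -j LAN
# intranet rules live in LAN; anything unmatched falls back to INPUT's DROP policy
-A LAN -p tcp --dport ${ssh_port} -j ACCEPT
-A LAN -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Sanity check: every -A rule must name a chain declared with a ":" line.
# Exits 1 and reports the offending chain otherwise.
validate_ruleset() {
  awk '
    /^:/  { sub(/^:/, ""); chains[$1] = 1; next }
    /^-A/ { if (!($2 in chains)) { print "undeclared chain: " $2; bad = 1 } }
    END   { exit bad }
  '
}

# Print the ruleset only if it validates.
lan_ruleset | validate_ruleset && lan_ruleset
```

Because `-A INPUT -s ... -j LAN` is the last INPUT rule, a LAN packet that matches nothing in the LAN chain returns to INPUT and is dropped by the policy, which is the intended fail-closed behaviour.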

  • Matching multiple ports:

Used to match more than one port in a single rule.
You can use this flag (-m multiport)

Example:
Deny hosts from connecting to SSH and Telnet:
iptables -A INPUT -p tcp -m multiport --dport 22,23 -j DROP


  • Listing rules:

Use this command to list the rules of all chains:

Example:
iptables -L


Chain INPUT (policy ACCEPT)
target     prot opt source               destination      
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination      
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


  • Listing rules by line number:

Use this command to list the rules with their line numbers:

Example:
sudo iptables -L --line-numbers



Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
5    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

  • Deleting:

To delete a rule by its rule number (line number)
You can use this flag (-D)

Example:
iptables -D INPUT 4

This deletes rule number 4 from the INPUT chain.

  • Replacing:

To replace a rule with another one by line number
You can use this flag (-R)

Example:
iptables -R INPUT 3 -s 192.168.0.5 -j ACCEPT

This replaces rule number 3 in the INPUT chain with a rule that accepts traffic from 192.168.0.5.

  • Inserting:

To insert a rule into a chain at a given line number
You can use this flag (-I)

Example:
iptables -I INPUT 4 -p tcp --dport 22 -j ACCEPT

This inserts the rule (accept SSH) at position 4 of the INPUT chain.
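Rule numbers are positions, not identifiers: after `iptables -D INPUT 4`, the rule that was number 5 becomes number 4, so a second -D, -R or -I with a hard-coded number hits a different rule than intended. The added example below (not from the original post) looks the number up from `iptables -L --line-numbers` output immediately before use. The listing it parses is a constructed copy of the one shown above; with no listing argument it runs the live command, which needs root.

```shell
#!/bin/sh
# Added example (not from the original post): look a rule number up from
# `iptables -L --line-numbers` output instead of hard-coding it, so that
# -D / -R / -I target the rule you mean even after earlier deletions shifted
# the numbering.

# Constructed sample: the INPUT/FORWARD/OUTPUT listing shown on the page.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
5    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination'

# find_rule CHAIN PATTERN [LISTING]
# Prints the number of the first rule in CHAIN whose listing line contains
# PATTERN (a fixed string). LISTING defaults to the live `iptables -L
# --line-numbers` output. Exits 1 when nothing matches, so a caller never
# runs something like `iptables -D INPUT ""`.
find_rule() {
  chain="$1" pattern="$2"
  if [ -n "$3" ]; then
    listing="$3"
  else
    listing="$(iptables -L --line-numbers 2>/dev/null)"
  fi
  printf '%s\n' "$listing" | awk -v chain="$chain" -v pat="$pattern" '
    /^Chain / { in_chain = ($2 == chain); next }   # track which chain we are in
    in_chain && $1 ~ /^[0-9]+$/ && index($0, pat) { print $1; found = 1; exit }
    END { exit !found }
  '
}

# Typical use (needs root): delete the SSH rule wherever it currently sits.
#   n=$(find_rule INPUT "dpt:ssh") && iptables -D INPUT "$n"
find_rule INPUT "dpt:ssh" "$SAMPLE_LISTING"
```

Where the rule is known exactly, `iptables -D INPUT <full rule spec>` deletes it by specification and avoids the numbering question entirely; the lookup above is for the case where only the listing is at hand.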

  • Negation:

You can use this flag (!)

Example:
Drop all traffic except traffic from 192.168.0.10:

iptables -A INPUT ! -s 192.168.0.10 -j DROP


  • Logging:

To log traffic
You can use this flag (-j LOG)

Example:
Log all traffic from 192.168.0.10:

iptables -A INPUT -s 192.168.0.10 -j LOG
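The LOG target writes one kernel-log line per packet, so in practice a LOG rule carries a `--log-prefix` so its lines can be picked out of the log, and is often paired with `-m limit` so a busy host cannot flood the log. The added example below (not from the original post) summarises such lines by source, protocol and destination port, which is the first thing you want when deciding whether a DROP rule is catching what you expect. The log lines are constructed samples in the format the LOG target emits; the prefix "FW-DROP: " is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what an iptables LOG
# rule wrote to the kernel log. Constructed sample lines in the format the LOG
# target emits when the rule carries --log-prefix "FW-DROP: ".

SAMPLE_LOG='Jul 29 10:00:01 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 29 10:00:02 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 29 10:00:03 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 29 10:00:04 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:cc:dd:08:00 SRC=192.168.0.77 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=123 DPT=514 LEN=64
Jul 29 10:00:05 gw sshd[1234]: Accepted publickey for admin from 192.168.0.20 port 40000 ssh2'

# summarise_drops PREFIX: read log lines on stdin, keep those carrying PREFIX,
# and print "count SRC PROTO DPT" lines, most frequent first.
summarise_drops() {
  awk -v pfx="$1" '
    index($0, pfx) == 0 { next }            # only lines written by our LOG rule
    {
      src = proto = dpt = "?"
      for (i = 1; i <= NF; i++) {           # the LOG body is KEY=VALUE tokens
        split($i, kv, "=")
        if (kv[1] == "SRC")   src   = kv[2]
        if (kv[1] == "PROTO") proto = kv[2]
        if (kv[1] == "DPT")   dpt   = kv[2]
      }
      count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | summarise_drops "FW-DROP:"
```

On a live system the same function reads the kernel log directly, e.g. `journalctl -k | summarise_drops "FW-DROP:"`; lines from other programs, like the sshd line in the sample, are ignored because they lack the prefix.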


  • Dealing with interface wildcards:

For interface names such as eth, ppp, etc.
You can use the -i flag and replace the number after the interface name with +, e.g. eth+ instead of eth0, eth1, etc.

Example:
Deny SSH from any eth interface:

iptables -A INPUT -i eth+ -p tcp --dport 22 -j DROP


Hint: Order your chains and rules carefully, because IPTables checks each packet against the rules from top to bottom, and long rule lists can affect your connection speed.

7/24/2012

IPTables 2

  • Matching in IPTables:
IPTables is basically based on matching every packet against the rules in its tables (Filter, NAT, Mangle).
So matching can be done in various ways (MAC, IP, ports, protocols, etc.), or, put differently, at the different network layers (Data Link, Network, Transport).


  • For layer 2 (Data Link) based on MAC address:


For the source MAC you can use this flag (-m mac --mac-source)
The mac match only provides --mac-source; there is no destination MAC match, because on an incoming packet the destination MAC is the receiving interface's own address.

This matches on the MAC address instead of the IP address.

Example:
To block traffic from 192.168.0.5 by its MAC address (00:C6:3A:54:8D:05):

iptables -A INPUT -m mac --mac-source 00:c6:3A:54:8D:05 -j DROP


  • For Layer 3 (Network) based on IP address:


For the source IP you can use these flags (-s, --src or --source)
For the destination IP you can use these flags (-d, --dst or --destination)

Example:
Block all traffic from 192.168.0.5:
iptables -A INPUT -s 192.168.0.5 -j DROP
or
iptables -A INPUT --src 192.168.0.5 -j DROP
or
iptables -A INPUT --source 192.168.0.5 -j DROP


  • For layer 4 (Transport) based on protocol and ports:


Protocols such as TCP, UDP and ICMP.

For the protocol you can use this flag (-p or --protocol)
For the source port you can use these flags (--sport or --source-port)
For the destination port you can use these flags (--dport or --destination-port)

Example for TCP:
Allow host 192.168.0.5 to connect to my SSH server:
iptables -A INPUT -s 192.168.0.5 -p tcp --dport 22 -j ACCEPT

Example for UDP:
1- Allow hosts to connect to my NTP service (port 123):
iptables -A INPUT -p udp --dport 123 -j ACCEPT
2- Deny access to syslog (port 514):
iptables -A INPUT -p udp --dport 514 -j DROP


How to deal with the ICMP protocol?

Two ICMP types:
1- echo-request
2- echo-reply

Example:
ping 10.0.0.10
This means my computer sends an echo-request to 10.0.0.10 and that host sends back an echo-reply.
This process is known as ping, or:
ping for echo-request
pong for echo-reply

Now, how to handle ICMP in IPTables?

By using the protocol flag (-p or --protocol) together with --icmp-type to specify which type you want to deal with.

Example:
Blocking my computer from replying to ping requests, or (deny echo-reply):
iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP
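All of the matches in this post (MAC, source/destination address, protocol, ports, ICMP type), and the multiport, negation and interface-wildcard flags from the IPTables 3 post, are conjunctive: a rule fires only when every criterion it names is satisfied by the packet. The added example below (not from the original post or from the iptables project) is a small matcher that applies a rule spec to a described packet, so these combinations can be tried without root and without touching a live firewall. It supports -s/-d with CIDR prefixes, -p, --sport/--dport with comma lists (as with -m multiport), --mac-source, --icmp-type, -i with a trailing + wildcard, and a leading "!"; -A, -j and -m are skipped. Packet descriptions are constructed key=value strings. Its last demo call shows why the ICMP rule above needs care: an INPUT rule for echo-reply matches only the replies to pings this host sent, while the pings other hosts send to it arrive as echo-request packets.

```shell
#!/bin/sh
# Added example (not from the original post): apply an iptables rule spec to a
# constructed packet description and report whether the rule would match.
#
# match_rule 'RULE SPEC' 'mac=.. src=.. dst=.. proto=.. sport=.. dport=.. in=.. icmp-type=..'
# Prints "match" (exit 0) or "no match: <failing criterion>" (exit 1).
match_rule() {
  awk -v rule="$1" -v pkt="$2" '
  function ip2int(s,  o) { split(s, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
  # true when ip lies inside cidr; a bare address means /32
  function in_net(ip, cidr,  p, shift) {
    if (split(cidr, p, "/") == 1) p[2] = 32
    shift = 2 ^ (32 - p[2])
    return int(ip2int(ip) / shift) == int(ip2int(p[1]) / shift)
  }
  # true when port is one of the comma-separated entries in list
  function in_list(port, list,  l, n, j) {
    n = split(list, l, ",")
    for (j = 1; j <= n; j++) if (l[j] == port) return 1
    return 0
  }
  function fail(why) { print "no match: " why; exit 1 }
  BEGIN {
    n = split(pkt, kvs, " ")                       # packet fields into f[key]
    for (i = 1; i <= n; i++) { split(kvs[i], kv, "="); f[kv[1]] = kv[2] }
    neg = 0
    n = split(rule, r, " ")
    for (i = 1; i <= n; i++) {
      o = r[i]; v = r[i + 1]
      if (o == "!") { neg = 1; continue }        # applies to the next criterion
      if (o == "-A" || o == "-j" || o == "-m") { i++; continue }
      if (o == "-s" || o == "--src" || o == "--source")            ok = in_net(f["src"], v)
      else if (o == "-d" || o == "--dst" || o == "--destination")  ok = in_net(f["dst"], v)
      else if (o == "-p" || o == "--protocol")                     ok = (tolower(f["proto"]) == tolower(v))
      else if (o == "--sport" || o == "--source-port")             ok = in_list(f["sport"], v)
      else if (o == "--dport" || o == "--dports" || o == "--destination-port") ok = in_list(f["dport"], v)
      else if (o == "--mac-source")                                ok = (tolower(f["mac"]) == tolower(v))
      else if (o == "--icmp-type")                                 ok = (f["icmp-type"] == v)
      else if (o == "-i" || o == "--in-interface") {
        if (v ~ /\+$/) ok = (index(f["in"], substr(v, 1, length(v) - 1)) == 1)  # eth+ covers eth0, eth1, ...
        else           ok = (f["in"] == v)
      }
      else fail("unsupported option " o)
      pfx = neg ? "! " : ""
      if (ok == neg) fail(pfx o " " v)             # "!" inverts the criterion
      neg = 0; i++
    }
    print "match"
  }'
}

# Demo calls with constructed packets (the ones expected not to match get || true).
match_rule '-A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT' 'src=192.168.0.5 proto=tcp dport=22'
match_rule '-A INPUT -m mac --mac-source 00:c6:3A:54:8D:05 -j DROP' 'mac=00:C6:3A:54:8D:05 src=192.168.0.5'
match_rule '-A INPUT ! -s 192.168.0.10 -j DROP' 'src=192.168.0.10 proto=udp dport=53' || true
# An INPUT echo-reply rule does not see the echo-request that another host sends us:
match_rule '-A INPUT -p icmp --icmp-type echo-reply -j DROP' 'src=10.0.0.10 proto=icmp icmp-type=echo-request' || true
```

The MAC comparison is case-insensitive, which is why the mixed-case address in the example above still matches; the CIDR test shows the /24 form used when the LAN chain was created.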