7/24/2012

IPTables 2

  • Matching in IPTables
IPTables is basically based on matching every packet against the rules in the IPTables tables (Filter, NAT, Mangle).
So we can manage matching in various ways (MAC, IP, ports, protocols, etc.), or we can say it is based on the network layers (Data Link, Network, Transport).


  • For layer 2 (Data Link) based on MAC address:


For the source MAC you can use this flag (-m mac --mac-source).
The mac match has no destination option: for an incoming frame the destination MAC is always your own interface, so only the source MAC is useful to match on.

This will match based on the MAC address instead of the IP address, so the host stays blocked even if it changes its IP. The mac match only makes sense in the INPUT, FORWARD and PREROUTING chains, and it sees the MAC of the last hop, so it can only identify hosts on the same local segment.

Example:
To block traffic from 192.168.0.5, whose MAC address is 00:C6:3A:54:8D:05

iptables -A INPUT -m mac --mac-source 00:C6:3A:54:8D:05 -j DROP


  • For Layer 3 (Network) based on IP address:


For the source IP you can use these flags (-s or --src or --source)
For the destination IP you can use these flags (-d or --dst or --destination)

Example:
Block all traffic from 192.168.0.5
iptables -A INPUT -s 192.168.0.5 -j DROP
or
iptables -A INPUT --src 192.168.0.5 -j DROP
or
iptables -A INPUT --source 192.168.0.5 -j DROP


  • For layer 4 (Transport) Based on protocol and ports:


Protocols such as TCP, UDP and ICMP

For the protocol you can use this flag (-p or --protocol)
For the source port you can use these flags (--sport or --source-port)
For the destination port you can use these flags (--dport or --destination-port)
The port options belong to the tcp and udp matches, so they must come after -p tcp or -p udp on the command line.

Example for TCP:
Allow host 192.168.0.5 to connect to my SSH
iptables -A INPUT -s 192.168.0.5 -p tcp --dport 22 -j ACCEPT

Example for UDP:
1- Allow hosts to connect to my NTP (port 123)
iptables -A INPUT -p udp --dport 123 -j ACCEPT
2- Deny access to syslog (port 514)
iptables -A INPUT -p udp --dport 514 -j DROP


How to deal with the ICMP protocol?

The two ICMP types used by ping are:
1- echo-request
2- echo-reply

Example:
ping 10.0.0.10
This means my computer sends an echo-request to 10.0.0.10 and that host sends back an echo-reply.
This process is known as ping, or:
ping for echo-request
pong for echo-reply

Now how to handle ICMP in IPTables?

By using the protocol flag (-p or --protocol) with icmp, and (--icmp-type) to specify which type you want to deal with (iptables -p icmp -h lists the valid type names).

Example:
Blocking my computer from replying to ping requests, or (deny echo-reply)
iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP
Note that this rule sits in the INPUT chain, so it drops echo-reply packets arriving at my computer (the answers to my own pings); to stop my computer from answering other hosts' pings, drop the incoming echo-request type instead.
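The post's individual rules combined into one iptables-restore ruleset, as an added example that is not part of the original post. It shows that rule order decides the outcome (the first matching rule wins) and uses echo-request for the ICMP rule, which is the type to drop when the goal is to stop the host answering pings; the addresses are the post's sample values and the build_ruleset / rule_index helpers are my own.

```shell
#!/bin/sh
# Added example, not from the original post: emit the post's per-layer rules
# as one iptables-restore ruleset instead of typing them one by one.
# Rules in a chain are tried top to bottom and the first match decides, so the
# MAC DROP placed first also blocks SSH from that host, although a later rule
# ACCEPTs SSH from its IP. Addresses are the post's sample values (assumed).

# build_ruleset SSH_CLIENT_IP BLOCKED_MAC  -> prints the ruleset on stdout
build_ruleset() {
    ssh_client="$1"
    blocked_mac="$2"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Layer 2: drop frames from one MAC, whatever IP it is using right now
-A INPUT -m mac --mac-source ${blocked_mac} -j DROP
# Layer 3 + 4: SSH only from one host (-p tcp must precede --dport)
-A INPUT -s ${ssh_client} -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
# Layer 4, UDP: allow NTP, deny syslog
-A INPUT -p udp --dport 123 -j ACCEPT
-A INPUT -p udp --dport 514 -j DROP
# ICMP: stop answering ping by dropping incoming echo-request
-A INPUT -p icmp --icmp-type echo-request -j DROP
COMMIT
EOF
}

# rule_index PATTERN: reads a ruleset on stdin and prints the 1-based position
# of the first INPUT rule containing PATTERN (header and comment lines are
# not counted), i.e. the order in which iptables will evaluate them.
rule_index() {
    grep '^-A INPUT' | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Apply for real (needs root):
#   build_ruleset 192.168.0.5 00:C6:3A:54:8D:05 | iptables-restore
# Parse only, without loading anything:
#   build_ruleset 192.168.0.5 00:C6:3A:54:8D:05 | iptables-restore --test
```

iptables-restore ignores the comment lines, and loads the whole table atomically, so there is no moment where only half of the rules are active.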
