Firewall Using iptables
Kernel flow diagram
Syntax of the iptables command:-
<table-name> — Specifies which table the rule applies to. If omitted, the filter table is used. (filter, nat, mangle)
<command> — Specifies the action to perform on the rule list, such as appending or deleting a rule. (-I insert, -A append, -D delete)
<chain-name> — Specifies the chain to edit, create, or delete. (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING)
<parameter>-<option> pairs — Match criteria that decide whether a packet hits the rule (-s source, -d destination, -p protocol, --dport port, -m extension), followed by -j <target>, the action taken on a match. (ACCEPT, REJECT, DROP, LOG etc.)
The length and complexity of an iptables command can change significantly, based on its purpose.
Tables and uses:-
Targets:-
Command switches:-
TCP and UDP Match Criteria :-
Extended options:-
Filter:-
INPUT - Packets addressed to the firewall itself
OUTPUT - Packets originating from the firewall
FORWARD - Packets routed through the firewall to another host
Input rules:-
A packet arriving at the firewall from any system or network on the input interface, addressed to destination IP 192.168.1.1 and carried over TCP, should be accepted.
Nat:-
PREROUTING — Alters network packets as soon as they arrive, before the routing decision (this is where DNAT happens).
OUTPUT — Alters locally-generated network packets before they are sent out.
POSTROUTING — Alters network packets after routing, just before they leave (this is where SNAT and MASQUERADE happen).
Simple commands :-
iptables -L
Display filter rules
iptables -t nat -L
Display nat rules
iptables -L --line-numbers
Display with line numbers
iptables -D <chain-name> <line-number>
Delete the nth rule in the chain, as numbered by --line-numbers
iptables -F
Flush all the filter rules (the chain policies stay as they are: with an INPUT policy of DROP, a remote session is cut off the moment the rules are gone)
iptables -t nat -F
Flush all the nat rules
Simple rules:-
Here iptables is configured so the firewall accepts TCP packets for forwarding when they arrive on interface eth0 from any IP address and are destined for 192.168.1.58, which is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination port is 80 (www/http).
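The two rules above are given in prose only. Below is an added example (not code from the original post) that writes both as one complete, stateful filter table in iptables-restore format, so the whole set is loaded atomically instead of one iptables call at a time. The addresses and interfaces are the page's; the default-DROP policies, the loopback and conntrack rules, and the use of iptables-restore --test (iptables 1.6 or newer) are assumptions added here.

```sh
#!/bin/sh
# Added example, not from the original page: the INPUT rule (TCP to the
# firewall's own 192.168.1.1) and the FORWARD rule (HTTP eth0 -> eth1 to
# 192.168.1.58) as one filter table. Default-DROP policies, loopback and
# conntrack rules are assumptions about a sane baseline, not the page's.

FW_IP="192.168.1.1"      # the firewall's own address (INPUT example)
WEB_IP="192.168.1.58"    # web server behind the firewall (FORWARD example)
EXT_IF="eth0"            # packets arrive here
INT_IF="eth1"            # ...and leave here towards WEB_IP

# Emit the ruleset. Order inside a chain matters: the conntrack accept goes
# first so reply packets never reach the per-service rules, and INVALID is
# dropped before anything can match it by accident.
render_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, then replies to traffic we already allowed
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# page's INPUT example: new TCP connections to the firewall's own address
-A INPUT -p tcp -d $FW_IP -m conntrack --ctstate NEW -j ACCEPT
# page's FORWARD example: HTTP from eth0 to the web host behind eth1
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $EXT_IF -o $INT_IF -p tcp -s 0/0 --sport 1024:65535 -d $WEB_IP --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of rules (-A lines) in the rendered set; a cheap sanity check.
filter_rule_count() {
    render_filter_rules | grep -c '^-A'
}

# Prints 1 if, in CHAIN, the ESTABLISHED,RELATED accept precedes every other
# ACCEPT rule (loopback excepted), else 0. The same review you would do on
# `iptables-save` output before trusting a ruleset.
conntrack_rule_first() {
    chain="$1"
    render_filter_rules | awk -v c="$chain" '
        $1 == "-A" && $2 == c && /-j ACCEPT/ && !/-i lo/ {
            n++
            if (/ESTABLISHED,RELATED/) est = n
        }
        END { if (est == 1) print 1; else print 0 }'
}

# Parse and build the ruleset in the kernel without committing it, then load
# it for real. Needs root; --test catches typos such as a misspelled match
# module before anything changes.
load_filter_rules() {
    render_filter_rules | iptables-restore --test && render_filter_rules | iptables-restore
}
```

Load it with load_filter_rules as root. The page's INPUT rule is kept as written and accepts TCP on every port of the firewall; in practice add --dport for the services actually exposed. The page's -m state --state spelling and -m conntrack --ctstate are the same match; the latter is the current name.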
ICMP and iptables:-
There are different message types within ICMP. The message type identifies what sort of ICMP message it is.
ICMP packet with a message type 3 (Destination Unreachable) and a message code 3 (Port Unreachable) lets you know that the machine you tried to reach is not listening on this port.
The limit match specifies the maximum average number of matches to allow per unit of time. You can write the interval as /second, /minute, /hour, or /day, or abbreviate it, so 3/second is the same as 3/s. A companion option, --limit-burst (default 5), sets how many packets may match at once before the average rate takes over.
# Refuse ICMP from this host and answer with "host unreachable" instead of silently dropping
iptables -t filter -A FORWARD -s 192.168.0.100 -p icmp -j REJECT --reject-with icmp-host-unreachable
# Same, but answer with "network unreachable"
iptables -t filter -A FORWARD -s 192.168.0.100 -p icmp -j REJECT --reject-with icmp-net-unreachable
=> Zero (0) is for echo-reply
=> Eight (8) is for echo-request.
SERVER_IP="202.54.10.20"
# Allow echo-requests (ping) to the server from anywhere...
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# ...and the echo-replies it sends back, which conntrack classes as ESTABLISHED
iptables -A OUTPUT -p icmp --icmp-type 0 -s $SERVER_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block telnet (TCP/23) from this host
iptables -t filter -A FORWARD -s 192.168.0.100 -p tcp --dport 23 -j DROP
# Block all TCP from this host
iptables -t filter -A FORWARD -s 192.168.0.100 -p tcp -j DROP
# Block only new TCP connections from this host (--syn = SYN set, ACK/RST/FIN clear)
iptables -t filter -A FORWARD -s 192.168.0.100 -p tcp --syn -j DROP
# Tie the rule to the hardware address as well; mac only works in PREROUTING, INPUT and FORWARD, for frames from the directly attached segment
iptables -t filter -A FORWARD -s 192.168.0.100 -m mac --mac-source 00:08:A1:70:D3:D4 -j DROP
# pkttype matches the link-layer destination class (unicast, broadcast, multicast)
iptables -t filter -A FORWARD -s 192.168.0.100 -m pkttype --pkt-type broadcast -j DROP
iptables -t filter -A INPUT -s 192.168.0.100 -m pkttype --pkt-type broadcast -j DROP
# Drops every forwarded unicast packet; only useful to illustrate the match
iptables -t filter -A FORWARD -m pkttype --pkt-type unicast -j DROP
# Append a rule with its packet and byte counters preset to 10 and 400 (-c is --set-counters), then check with -v
iptables -t filter -A INPUT -c 10 400 -s 192.168.0.100 -j DROP
iptables -t filter -L -v
# Match a contiguous range of source addresses (the iprange module)
iptables -t filter -A FORWARD -m iprange --src-range 192.168.0.1-192.168.0.120 -j DROP
# Match on the layer-3 packet length: exactly 1028 bytes, or anywhere from 1028 to 2028
iptables -t filter -A FORWARD -m length --length 1028 -j DROP
iptables -t filter -A FORWARD -m length --length 1028:2028 -j DROP
# Several destination ports in one rule; multiport needs -p tcp or -p udp and its option is --dports
iptables -t filter -A FORWARD -p tcp -m multiport --dports 23,21 -j DROP
# Match on the IP TTL with --ttl-eq (older versions spelled it --ttl; --ttl-lt and --ttl-gt also exist)
iptables -t filter -A FORWARD -p tcp -m ttl --ttl-eq 24 -j DROP
iptables -t filter -A FORWARD -m ttl --ttl-eq 24 -j DROP
# Connection-tracking states (-m state is the old spelling of -m conntrack --ctstate)
iptables -t filter -A FORWARD -m state --state ESTABLISHED -j DROP
iptables -t filter -A FORWARD -m state --state NEW -j DROP
# Inspect the tracking table (on newer kernels it is /proc/net/nf_conntrack, or use conntrack -L)
cat /proc/net/ip_conntrack
# owner matches the local process that created the packet, so it is only valid in OUTPUT and POSTROUTING
iptables -t filter -A OUTPUT -m owner --uid-owner user1 -j DROP
# (the same match in FORWARD is refused by iptables: forwarded packets have no local owner)
# --gid-owner takes a group name or GID
iptables -t filter -A OUTPUT -m owner --gid-owner user1 -j DROP
# Drop packets from this host that conntrack classes as RELATED to an existing connection (for FTP, the data connections)
iptables -t filter -A FORWARD -p tcp --dport 21 -s 192.168.0.100 -m state --state RELATED -j DROP
Logging:-
# LOG is non-terminating: the packet carries on to the next rule, so follow it with the DROP or REJECT you want
iptables -t filter -A INPUT -s 192.168.0.100 -j LOG --log-level info
# Log only SYN packets, i.e. connection attempts
iptables -t filter -A INPUT -s 192.168.0.100 -p tcp --tcp-flags SYN SYN -j LOG --log-level info
# Rate-limit the log entries to 10 per minute (burst defaults to 5)...
iptables -t filter -A INPUT -s 192.168.0.100 -m limit --limit 10/m -j LOG --log-level info
# ...or to one entry at once and then one every six seconds
iptables -t filter -A INPUT -s 192.168.0.100 -m limit --limit-burst 1 --limit 10/m -j LOG --log-level info
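Logging is only useful if someone reads the result. As an added example (not from the original post), the script below summarises kernel LOG output: it counts pure SYN packets (SYN set, ACK clear, i.e. connection attempts) per source and destination port, which is the view the SYN-logging rule above is meant to give. The sample lines are constructed to follow the format the LOG target writes to the kernel log; the FW-IN: prefix (from an assumed --log-prefix "FW-IN: "), the addresses and the ports are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page. SAMPLE_LOG is constructed input
# shaped like LOG target output as seen in dmesg/syslog; every address, port
# and the FW-IN: prefix are made up for the example.

SAMPLE_LOG='Mar  3 10:00:01 fw kernel: FW-IN: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=192.168.0.100 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4001 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:01 fw kernel: FW-IN: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=192.168.0.100 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4002 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:02 fw kernel: FW-IN: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=192.168.0.100 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4003 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:02 fw kernel: FW-IN: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=192.168.0.100 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4004 DF PROTO=TCP SPT=40004 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:03 fw kernel: FW-IN: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=192.168.0.100 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4005 DF PROTO=TCP SPT=40005 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:03 fw kernel: FW-IN: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=10.0.0.5 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=9001 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:00:04 fw kernel: FW-IN: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=192.168.0.100 DST=192.168.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4006 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
Mar  3 10:00:04 fw kernel: FW-IN: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:c0:00:08:08:00 SRC=192.168.0.100 DST=192.168.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=4007 DF PROTO=UDP SPT=5353 DPT=53 LEN=53'

# Read LOG lines on stdin; print "SRC DPT COUNT" for pure-SYN TCP packets,
# busiest first. KEY=VALUE tokens go into kv[], bare tokens (SYN, ACK, DF,
# the prefix) into flag[], so the parse does not depend on field positions.
syn_summary() {
    LC_ALL=C awk '
        {
            split("", kv); split("", flag)
            for (i = 1; i <= NF; i++) {
                p = index($i, "=")
                if (p > 0) kv[substr($i, 1, p - 1)] = substr($i, p + 1)
                else flag[$i] = 1
            }
            if (kv["PROTO"] == "TCP" && ("SYN" in flag) && !("ACK" in flag))
                cnt[kv["SRC"] " " kv["DPT"]]++
        }
        END { for (k in cnt) print k, cnt[k] }
    ' | LC_ALL=C sort -k3,3nr -k1,1 -k2,2n
}

# Run the summary over the constructed sample.
syn_summary_sample() {
    printf '%s\n' "$SAMPLE_LOG" | syn_summary
}

# Sources with more than THRESHOLD connection attempts to any single port.
syn_offenders() {
    threshold="$1"
    syn_summary | awk -v t="$threshold" '$3 > t { print $1 }' | sort -u
}
```

On a live box feed it from the log instead of the sample, e.g. dmesg | grep 'FW-IN:' | syn_summary, or journalctl -k for systemd hosts. The ACK PSH and UDP lines in the sample are there to show what is deliberately not counted.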
NAT:-
SNAT:-
# Rewrite the source address of this host's outgoing traffic to a fixed public address
iptables -t nat -A POSTROUTING -s 192.168.0.100 -j SNAT --to-source 80.0.0.1
# MASQUERADE uses whatever address eth1 currently has (for dynamic uplinks); --to-ports requires -p tcp or -p udp
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p tcp -j MASQUERADE --to-ports 2000
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p tcp -j MASQUERADE --to-ports 2000:3000
DNAT:-
# Redirect incoming telnet and FTP control connections to internal hosts
iptables -t nat -A PREROUTING -p tcp --dport 23 -j DNAT --to-destination 192.168.0.100
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination 192.168.0.1
# A range of targets spreads new connections across the hosts in it
iptables -t nat -A PREROUTING -p tcp --dport 23 -j DNAT --to-destination 192.168.0.1-192.168.0.2
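DNAT rules like the ones above are often written and then found not to work because the packet is still dropped in the filter table. As an added example (not from the original post), the script below renders a small gateway ruleset that puts the nat rules next to the FORWARD rules they depend on, and includes a checker that reads an iptables-save style ruleset and reports any DNAT target without a matching FORWARD accept. The point to remember: DNAT runs in nat/PREROUTING before the FORWARD chain sees the packet, so the FORWARD rule must match the translated destination and port (192.168.0.100:23), not the public address. The interface name, the use of MASQUERADE in place of the fixed-address SNAT, and the default-DROP policy are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: gateway ruleset (nat + the
# filter rules it needs) and a DNAT/FORWARD consistency check. eth1, the
# LAN prefix and the default-DROP policy are assumptions.

EXT_IF="eth1"; LAN="192.168.0.0/24"; TELNET_HOST="192.168.0.100"

render_gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $EXT_IF -p tcp --dport 23 -j DNAT --to-destination $TELNET_HOST
-A POSTROUTING -s $LAN -o $EXT_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT_IF -p tcp -d $TELNET_HOST --dport 23 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s $LAN -o $EXT_IF -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Routing between interfaces is off by default; without it nothing is forwarded.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# Read an iptables-save/restore style ruleset on stdin. For each DNAT rule,
# print "missing FORWARD accept for IP:PORT" when no FORWARD ACCEPT matches
# the translated destination and port. Silent when everything lines up.
check_dnat_forward() {
    awk '
        /^-A PREROUTING / && / -j DNAT / {
            dst = ""; pub = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--to-destination") dst = $(i + 1)
                if ($i == "--dport") pub = $(i + 1)
            }
            if (dst != "") {
                n = split(dst, a, ":")
                port = (n > 1) ? a[2] : pub        # no :port => port is unchanged
                m = split(a[1], ips, "-")          # IP or IP-IP range
                for (j = 1; j <= m; j++) need[ips[j] ":" port] = 1
            }
        }
        /^-A FORWARD / && / -j ACCEPT/ {
            ip = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") { ip = $(i + 1); sub(/\/32$/, "", ip) }   # iptables-save prints /32
                if ($i == "--dport") port = $(i + 1)
            }
            if (ip != "" && port != "") have[ip ":" port] = 1
        }
        END { for (k in need) if (!(k in have)) print "missing FORWARD accept for " k }
    '
}

# Constructed broken ruleset: the DNAT is there but FORWARD still drops telnet.
BAD_RULES='*nat
-A PREROUTING -i eth1 -p tcp --dport 23 -j DNAT --to-destination 192.168.0.100
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT'

check_sample_good() { render_gateway_rules | check_dnat_forward; }
check_sample_bad()  { printf '%s\n' "$BAD_RULES" | check_dnat_forward; }
```

Run render_gateway_rules | check_dnat_forward before loading, and the same check against iptables-save output on a live gateway. Forwarding must also be switched on (enable_forwarding), or the kernel never routes the translated packet at all.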
mangle:-
# Tag packets from this host with a firewall mark, then act on the mark in a later rule (or in tc/ip rule)
iptables -t mangle -A FORWARD -s 192.168.0.2 -j MARK --set-mark 0x1
iptables -t mangle -A FORWARD -m mark --mark 0x1 -j DROP
# Match on the IP TOS byte
iptables -t mangle -A FORWARD -s 192.168.0.2 -m tos --tos 0x2 -j DROP
# Clamp the MSS in TCP SYN packets to the path MTU (fixes stalls behind PPPoE or tunnels); the manual's form is --tcp-flags SYN,RST SYN
iptables -t mangle -A FORWARD -s 192.168.0.2 -p tcp --tcp-flags SYN SYN -j TCPMSS --clamp-mss-to-pmtu