Friday, January 23, 2009

iptable examples

Anatomy of IP tables command

Table

Table specifies the name of the table the command operates on : Filter, NAT or Mangle. you can specify a table name in any iptables command.
when you do not specify a table name , the command operates on the filter table. specify a table as -t tablename or --table tablename


Command

what to do with the rest of the command line.
ex:- add or delete a rule, display rules, or add a chain.

Ex:-

-A or --append
-D or --delete
-I or --insert
-R or --replace (iptables -R chain-rule-number rule-specification --jump target)
-L or --list (iptables -L [chain] display-criteria)
-F or --flush (Deletes all rules from chain, Omit chain to delete all rules from all chains, ex:- iptables -F [chain] )

-Z or --zero (changes to zero the value of all packet and byte counters in chain or in all chains when you do not specify chain.Use with -L to display the counters before clearing them. iptables -Z [-L] [chain])

-X or --delete-chain (Removes the user defined chain named chain. if you do not specify chain, removes all the user defined chains. you cannot delete a chain that target points to. iptables -X chain)



CHAINS

A chain is simply a list of rules that act on a packet flowing through the system.specifies the name of the chain that this rule belongs to or that this command works on. The chain is INPUT, OUTPUT,FORWARD,PREROUTING, POSTROUTING , or the name of the user defined chain.


FORWARD

The FORWARD chain is invoked only in the case when IP forwarding is enabled and the packet is destined for a system other than the host itself. For example, if the Linux system has the IP address 172.16.1.1 and is configured to route packets between the Internet and the 172.16.1.0/24 network, and a packet from 1.1.1.1 is destined to 172.16.1.10, the packet will traverse the FORWARD chain.


INPUT

The INPUT chain is invoked only when a packet is destined for the host itself. The rules that are run against a packet are done before the packet goes up the stack and arrives at the application


OUTPUT

The OUTPUT chain is invoked when packets are sent from applications running on the host itself. For example, if an administrator on the command-line interface (CLI) tries to use SSH to connect to a remote system, the OUTPUT chain will see the first packet of the connection


Defining the Rule-Specification

p [!] protocol This specifies the IP protocol to compare against. You can use any protocol defined in the /etc/protocols file, such as “tcp,” “udp,” or “icmp.” A built-in value for “all” indicates that all IP packets will match. If the protocol is not defined in /etc/protocols, you can use the protocol number here. For example, 47 represents “gre.” The exclamation mark (!) negates the check. Thus, specifying -p ! tcp means all packets that are not TCP. If this option is not provided, Netfilter will assume “all.” The --protocol option is an alias for this option. An example of its usage is

[root@serverA ~]# iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT


For ip6tables, use
[root@serverA ~]# ip6tables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT

These rules will accept all packets destined to TCP port 80 on the INPUT chain.


d [!] address [/mask] This option specifies the destination IP address to check against. When combined with an optional netmask, the destination IP can be compared against an entire netblock. As with -s, the exclamation mark negates the rule, and the address and netmask can be abbreviated.





MATCH CRITERIA

they packet match criteria/rule specifications

i interface This option specifies the name of the interface on which a packet was received. This is handy for instances where special rules should be applied if a packet arrives from a physical location, such as a DMZ interface. For example, if eth1 is your DMZ interface and you want to allow it to send packets to the host at 10.4.3.2, you can use [root@serverA ~]# iptables -A FORWARD -i eth1 -d 10.4.3.2 -j ACCEPT


o interface This option specifies the name of the interface on which a packet will leave the system. For example,

[root@serverA ~]# iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

In this example, any packets coming in from eth0 and going out to eth1 are accepted.



[!] -f This option specifies whether a packet is an IP fragment or not. The exclamation mark negates this rule. For example,
[root@serverA ~]# iptables -A INPUT -f -j DROP

In this example, any IP fragments coming in on the INPUT chain are automatically dropped. The same rule with negative logic would be
[root@serverA ~]# iptables -A INPUT ! -f -j ACCEPT



c PKTS BYTES This option allows you to set the counter values for a particular rule when inserting, appending, or replacing a rule on a chain. The
counters correspond to the number of packets and bytes that have traversed the rule, respectively. For most administrators, this is a rare need. An example of its usage is

[root@serverA ~]# iptables -I FORWARD -f -j ACCEPT -c 10 10

In this example, a new rule allowing packet fragments is inserted into the FORWARD chain, and the packet counters are set to 10 packets and 10 bytes.


v This option will display any output of iptables (usually combined with
the -L option) to show additional data. For example,
[root@serverA ~]# iptables -L –v

n This option will display any hostnames or port names in their numeric form. Normally, iptables will do Domain Name System (DNS) resolution for you and show hostnames instead of IP addresses and protocol names (like SMTP) instead of port numbers (25). If your DNS system is down, or if you do not want to generate any additional packets, this is a useful option. An example of this is
[root@serverA ~]# iptables -L -n


x This option will show the exact values of a counter. Normally, iptables will try to print values in “human-friendly” terms and thus perform rounding in the process. For example, instead of showing “10310,” iptables will show “10k.”

An example of this is [root@serverA ~]# iptables -L -x


line-numbers This option will display the line numbers next to each rule in a chain. This is useful when you need to insert a rule in the middle of a chain and need a quick list of the rules and their corresponding rule numbers.

An example of this is
[root@serverA ~]# iptables -L –line-numbers

For IPv6 firewall rules, use
[root@serverA ~]# ip6tables -L --line-numbers
-----------------------------------------------------------------------------------------------

Rule-Spec Extensions with Match


limit

This module provides a method of limiting the packet rate. It will match so long as the rate of packets is under the limit. A secondary “burst” option matches against a momentary spike in traffic, but will stop matching if the spike sustains. The two parameters are

▼ limit rate
▲ limit-burst number


The rate is the sustained packet-per-second count. The number in the second parameter specifies how many back-to-back packets to accept in a spike. The default value for number is 5. You can use this feature as a simple approach to slowing down a SYN flood:

[root@serverA ~]# iptables -N syn-flood
[root@serverA ~]# iptables -A INPUT -p tcp --syn -j syn-flood
[root@serverA ~]# iptables -A syn-flood -m limit --limit 1/s -j RETURN
[root@serverA ~]# iptables -A syn-flood -j DROP

This will limit the connection rate to an average of one per second, with a burst up to
five connections. This isn’t perfect, and a SYN flood can still deny legitimate users with
this method; however, it will help keep your server from spiraling out of control.






..................................................................................
JUMPS

A jump transfers control to a different chain within the same table.
ex:- sudo iptables --append INPUT --protocol tcp --jump tcp_rules


TARGETS

j target This option specifies an action to “jump” to. These actions are referred to as targets in iptables parlance. The targets that we’ve seen so far have been ACCEPT, DROP, and RETURN. The first two accept and drop packets, respectively. The third is related to the creation of additional chains.

As we saw in the preceding section, it is possible for you to create your own chains to help keep things organized and to accommodate more complex rules. If iptables is evaluating a set of rules in a chain that is not built-in, the RETURN target will tell iptables to return back to the parent chain. If iptables sees the RETURN action in one of the built-in chains, it will execute the default rule for the chain.

Additional targets can be loaded via Netfilter modules. For example, the REJECT target can be loaded with ipt_REJECT, which will drop the packet and return an ICMP error packet back to the sender. Another useful target is ipt_REDIRECT, which can make a packet be destined to the NAT host itself even if the packet is destined for somewhere else.


------------------------------------------------------------------------------------------------------------------------------------

EXPLICIT MATCH EXTENSIONS

STATE
the state extension matches criteria based on the state of the connection the packet is part of

--state state:-
matches a packet whose state is defined by state , a comma separated list of states form the following LIST.

ESTABLISHED :-

any packet, within a specific connection, following the exchange of packets in both directions for that connection.

INVALID :-
a stateless or unidentifiable packet.

NEW :-
the first packet within a connection, typically a SYN packet.

RELATED :-
any packets exchanged in a connection spawned from an ESTABLISHED connection.ex:- an FTP data connection might be related to the FTP control connection.


state

This module allows you to determine the state of a TCP connection through the eyes of the conntrack module. It provides one additional option:

state state here state is INVALID, ESTABLISHED, NEW, or RELATED. A state is INVALID if the packet in question cannot be associated to an existing flow. If the packet is part of an existing connection, the state is ESTABLISHED. If the packet is starting a new flow, it is
considered NEW. Finally, if a packet is associated with an existing connection (e.g., an FTP data transfer), then it is RELATED.

Using this feature to make sure that new connections have only the TCP SYN bit set,we do the following:
[root@serverA ~]# iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Reading this example, we see that for a packet on the INPUT chain that is TCP, that does not have the SYN flag set, and the state of a connection is NEW, we drop the packet. (Recall that legitimate new TCP connections must start with a packet that has the SYN bit set.)

tcp

This module allows us to examine multiple aspects of TCP packets. We have seen
some of these options (like --syn) already. Here is a complete list of options:

▼ source-port [!] port: [port] This option examines the source port of
a TCP packet. If a colon followed by a second port number is specified, a range
of ports is checked. For example, “6000:6010” means “all ports between 6000
and 6010, inclusive.” The exclamation mark negates this setting. For example,
--source-port ! 25 means “all source ports that are not 25.” An alias for
this option is --sport.

■ destination-port [!] port: [port] Like the --source-port option,
this examines the destination port of a TCP packet. Port ranges and negation
are supported. For example, -destination-port ! 9000:9010 means “all
ports that are not between 9000 and 9010, inclusive.” An alias for this option is
--dport.

■ tcp-flags [!] mask comp This checks the TCP flags that are set in a packet.
The mask tells the option what flags to check, and the comp parameter tells the
option what flags must be set. Both mask and comp can be a comma-separated
list of flags. Valid flags are SYN, ACK, FIN, RST, URG, PSH, ALL, and NONE,
where ALL means all flags and NONE means none of the flags. The exclamation
mark negates the setting. For example, to use --tcp-flags ALL SYN,ACK
means that the option should check all flags and only the SYN and ACK flags
must be set.

▲ [!] --syn This checks if the SYN flag is enabled. It is logically equivalent
to --tcp-flags SYN,RST,ACK SYN. The exclamation point negates the
setting.

An example using this module checks if a connection to DNS port 53 originates from port 53, does not have the SYN bit set, and has the URG bit set, in which case it should be dropped. Note that DNS will automatically switch to TCP when a request is greater than 512 bytes.

[root@serverA ~]# iptables -A INPUT -p tcp --sport 53 --dport 53 --tcp-flags ! SYN URG -j DROP



tcpmss

This matches a TCP packet with a specific Maximum Segment Size (MSS). The lowest legal limit for IP is 576, and the highest value is 1500. The goal in setting an MSS value for a connection is to avoid packet segmentation between two endpoints. Dial-up connections tend to use 576-byte MSS settings, whereas users coming from high-speed links tend to use 1500-byte values. The command-line option for this setting is

mss value:[value]

where value is the MSS value to compare against. If a colon followed by a second value
is provided, an entire range is checked. For example,

[root@serverA ~]# iptables -I INPUT -p tcp -m tcpmss --mss 576 -j ACCEPT
[root@serverA ~]# iptables -I INPUT -p tcp -m tcpmss ! --mss 576 -j ACCEPT

This will provide a simple way of counting how many packets (and how many bytes)
are coming from connections that have a 576-byte MSS and how many are not. To see the
status of the counters, use iptables -L -v.

udp

Like the TCP module, the UDP module provides extra parameters to check for a
packet. Two additional parameters are provided:

▼ source-port [!] port:[port] This option checks the source port of
a User Datagram Protocol (UDP) packet. If the port number is followed by a
colon and another number, the range between the two numbers is checked. If the
exclamation point is used, the logic is inverted.
▲ Like the source-port option,
destination-port [!] port:[port]
this option checks the UDP destination port.
For example:
[root@serverA ~]# iptables -I INPUT -p udp --destination-port 53 -j ACCEPT
This example will accept all UDP packets destined for port 53. This rule is typi-
cally set to allow traffic to DNS servers.


------------------------------------------------------------------------------------------------------------------------------------
Examples:-


To list iptable rules:-

iptables -L

To replace rule number 3 in the INPUT chain with a rule that rejects all packets from the IP address 192.168.0.10

iptables -R INPUT 3 --source 192.168.0.10 --jump REJECT


Resetting iptables:-

sudo iptables --flush && iptables --delete-chain

To delete all rules from the NAT table:-

sudo iptables -t NAT -F


To reject packets coming from the FTP port:-

sudo iptables --append FORWARD --sport ftp --jump REJECT

To delete a rule :-
sudo iptables --delete -A FORWARD -i eth1 -o eth0 -j ACCEPT


To load state extension and establishes a rule that matches and drops both invalid packets and packets for new connections:

sudo iptables --match state --state INVALID,NEW --jump DROP

To log packets from the internet that attempts to create a new connection

sudo iptables -A FORWARD -j LOG


To limit the local systems that can connect to the internet

sudo iptables -t NAT -A POSTROUTING -o eth0 -s 192.168.0.0-192.168.0.32 -j MASQERADE




iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for an IP address of 192.168.1.58 that is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination port is port 80

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT

to accept all packets except those from the Ip address 192.168.0.45

iptables -A INPUT -j ACCEPT ! -s 192.168.0.45


The following example accepts messages coming in that are from (source) any host in the
192.168.0.0 network and that are going (destination) anywhere at all (the -d option is left
out or could be written as -d 0/0):

iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT


allow responses from connections we have initiated if for instance we use a web browser to visit a website we want to allow the website that we ask for to come through the web site

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


smurf attack,to prevent flooding a network with ping messages only allow 1 ping request/second

iptables -A INPUT -p icmp -m icmp -m limit -limit 1/second -j ACCEPT


Anti spoofing:-drop packets that claim to be from loopback IP but coming on the physical network interface

iptables -A INPUT --in-interface !lo --source 127.0.0.0/8 -j DROP


to allow local access to printers and to disallow internet access to printers

iptables -A services -m iprange --src-range 192.168.1.1-192.168.1.254 -p tcp --dport 631 -j ACCEPT

To see what services we have running on our machine and what ports they are using

netstat --inet -pln

Ex:-
This rule will drop all packets from the 172.16.0.0/16 network.
iptables -t filter -A INPUT -s 172.16/16 -j DROP

Ex:-

To use ip6tables to drop all packets from the IPv6 network range 2001:DB8::/32,

we would use a rule like:
[root@serverA ~]# ip6tables -t filter -A INPUT -s 2001:DB8::/32 -j DROP


Ex:-

This rule will allow all packets going through the FORWARD chain that are destined for the 10.100.93.0/24 network.

iptables -t filter -A FORWARD -d 10.100.93.0/24 -j ACCEPT



to disable ping on loopback interface

iptables -A input -s 127.0.0.1 -p icmp -j DROP


to drop the above rule

iptables -D input -s 127.0.0.1 -p icmp -j DROP


specifying rule number so deletion can work

iptables -D INPUT 1



letting a specific remote network address access a local webserver

iptables -A INPUT -s ! example.com -d 64.41.64.124 -p TCP -sport 80 -j DROP


blocking the gateway/firewall machine

iptables -A input -s 66.98.216/24 -d 64.41.64/24 -j DROP


Adding user defined chain

#create a chain to block new connections , except established locally

iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP # DROP everything else not accepted

# jump to that chain from INPUT and FORWARD chains

iptables -A INPUT -j block
iptables -A FORWARD -j block

Enabling the masquerade

modprobe iptables_nat # load the kernel module

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

.........................................................................................
sudo iptables -t NAT -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -t NAT -A PREROUTING -p tcp -d 66.187.232.50 -j DNAT --to-destination 192.168.0.10
sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -s www.xyz.com -j DROP


iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A OUTPUT -d 72.14.221.85 -j REJECT
iptables -A OUTPUT -d 72.14.209.86 -j REJECT
iptables -A OUTPUT -d 72.14.209.87 -j REJECT
iptables -A OUTPUT -d 64.233.161.85 -j REJECT
iptables -A OUTPUT -d 209.85.129.85 -j REJECT
iptables -A OUTPUT -d 209.85.141.85 -j REJECT
iptables -A OUTPUT -d 216.187.118.219 -j REJECT
iptables -A OUTPUT -d 209.85.143.189 -j REJECT
iptables -A OUTPUT -d 202.138.103.100 -j REJECT


copying rules to and from the kernel

The iptables-save utiliy copies packet filtering rules from the kernel to standard output so you can save them in a file. the iptables-restore utility copies rules from standard input, as written by iptables-save, to the kernel.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)