Iptables
operating system - Linux
type - filter
license - GNU general public license
How to convert your Linux box into a firewall?
What are Iptables?
- Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filtering rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Basically, the Linux firewall is called Iptables.
OK, now you have a doubt: what are chains?
- Each chain is a set of rules which can match a set of packets.
- Each rule specifies what to do with a packet that matches it.
The action taken on a matching packet is called the 'target'.
Features of Iptables
1. Filtering (blocking unwanted traffic). You can filter incoming and outgoing traffic by user, group, time/date, or service (application).
2. NAT (routing). If your computer has two or more network cards (or if you are using virtualization) you can use a spare computer as a router, one network card connected to the Internet and the other to your LAN, with iptables monitoring and filtering traffic.
3. Logging (monitoring) network traffic.
If you are interested, check Wikipedia - Comparison of firewalls.
Your firewall, Iptables, is configured either from the command line (usually with a script) or with a configuration tool (UFW, GUFW, Firestarter, Guarddog, Shorewall, etc). Unfortunately many of the graphical configuration tools do not offer all the available options, let alone explain the options (Guarddog is an exception to this generalization).
Configuring iptables requires at least a basic understanding of network protocols: one must know a little about networking protocols, servers, and ports to grasp iptables, so that you can build a strong firewall!
Believe me friends, working with Iptables is real fun! It's my own experience, and you will experience it too!
If you simply wish to maintain a blacklist you can look at tools such as denyhosts and fail2ban. There is also a GUI tool, "iplist".
How to use iplist --> thanks uljanow
You should know the basics of networking to build a strong firewall, i.e. the TCP, UDP and ICMP protocols and the services listed in /etc/services.
Check out links for networking basic concepts!
You can see all services on your Linux machine with
gedit /etc/services
Obviously the list will be very long, so use the Linux command "grep" to look up a particular port:
grep telnet /etc/services
And use a scanning tool to gather whatever information you want.
Tools:
Nmap, Shields Up (scanning from outside)
netstat, lsof (scanning the local machine)
Shields Up is a web-based scanner you may use to scan for open ports. One common source of confusion: if you have a router, you will be scanning your router and not the computer(s) behind the router.
Now we are done with the prerequisites. Let's roll to the main topic!
Anatomy of iptables
Iptables is nothing more than a set of rules for processing network packets coming to and going from your computer (firewall). These rules are organized into tables and chains. A packet's fate is determined by following the rules, one at a time, like links in a chain.
Note this, guys:
tables are named in small letters and all the chains are in CAPS.
Tables:
filter - As the word specifies, it filters packets.
nat - Network Address Translation: think router, or forwarding packets to other machines.
mangle - Alteration of the quality-of-service bits in the TCP header.
raw - Used less frequently than mangle; it lets you mark packets as exceptions to iptables' connection tracking.
Chains:
filter table: used to filter or block packets.
FORWARD - Filters packets passing through the firewall to another NIC (i.e. packets moving from eth0 [Internet] to eth1 [LAN]).
INPUT - Filters inbound traffic (packets going to the firewall).
OUTPUT - Filters outbound traffic (packets leaving the firewall).
nat table (Network Address Translation):
PREROUTING - Inbound packets to be routed (via NAT) to your clients.
OUTPUT - Outbound packets generated by your firewall itself.
POSTROUTING - Outbound packets routed from other computers.
In addition to these default chains we can even use custom, or user-defined, chains :-)
Actions: What to do if a packet is matched by any of the rules?
If a packet matches a rule, the action is called a target.
NOTE: Actions are specified with the -j flag, i.e. -j ACTION
ACCEPT - The packet is approved, or accepted.
REJECT - The packet is blocked, and an error message is returned to the sender.
DROP - The packet is blocked; no error message is returned.
LOG - The packet is logged. After a packet is logged, processing continues along the chain.
JUMP - Just to "jump" to another chain.
In addition to the defaults you may direct iptables to another (user-defined) chain.
Using iptables for Filtering
It is very important to understand that the order of your rules is critical. Iptables starts from the top of the chain, with the rule of highest priority, i.e. the 1st rule, and proceeds down the chain until the first rule that matches with DROP, REJECT or ACCEPT.
The basic syntax is
iptables -option [Chain] [Rule] -j [Target]
The term 'Target' is the action to be taken if the packet matches the rule we specified, for example ACCEPT, REJECT, DROP, or sending the packet to another, possibly user-defined, chain.
Options
-P [chain] sets the default Policy (target or action) for a packet if no rule in the chain is matched.
iptables -P INPUT DROP # Will drop (block) all incoming packets.
Note: the above policy will immediately terminate your telnet or ssh session if you have not allowed ssh connections in your INPUT chain. Very bad if you are managing your server remotely and do not have physical access.
Note: SSH is preferred over telnet because of the security in SSH, i.e. the data is encrypted, so to some extent SSH is secure compared to telnet.
Want to know more about encryption, guys just Google it out !
-A [chain] Appends a rule to the bottom, or end, of the specified chain.
Least preferred..
-I [chain] Inserts a rule into the chain at the position you specify. If no position is specified the default is 1 (first rule).
iptables -I INPUT 3 [RULE] # Will insert the [RULE] at the third position of the INPUT chain.
See, here the rank is specified as 3.
-D [chain] deletes a rule that matches its argument.
The rule may be specified by its number in the chain or by the rule itself; both do the same.
iptables -D INPUT 2 # Will delete the second rule in the INPUT chain.
iptables -D INPUT [RULE] # Will delete the [RULE] from the input chain.
-F [chain] flushes (removes all the rules from) the specified chain.
By default, if no arguments are given, this will flush all the chains in the filter table.
You may specify a table and/or chain.
iptables -F INPUT # Clears the INPUT chain in the filter table.
iptables -t nat -F PREROUTING # Clears the PREROUTING chain in the nat table.
iptables -F # Clears all the chains in the filter table (INPUT, OUTPUT, and FORWARD).
iptables -t nat -F # Clears all the chains in the nat table.
-L [chain] Lists the rules in a chain.
By default this will list the chains in the filter table. You may specify a table with -t (-t nat).
-N creates a New, user-defined chain (blacklist, for example).
iptables -N blacklist
-X deletes a user-defined chain.
iptables -X blacklist
Before a chain can be deleted, it must be empty (contain no rules). To remove the rules from a chain, make use of the option "-F" to flush out all the rules.
Target
-j specifies the target (action); the default targets are LOG, ACCEPT, DROP and REJECT. You may also send processing of a packet to another chain.
iptables -A INPUT -j DROP # Will drop all incoming packets.
iptables -A INPUT -j blacklist # Will process the packets according to the blacklist chain (user-defined).
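The options above put together into one complete script. This is an added example, not code from the original post: it flushes the filter table, builds a user-defined blacklist chain that logs and then drops, appends and inserts INPUT rules in a deliberate order, and sets the DROP policy only at the very end so a remote ssh session is not cut off half way (the note on -P above). The LAN range, the management host and the blacklisted address are constructed assumptions, and the conntrack match used for reply traffic is not covered by the post. Setting IPT="echo iptables" prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal filter-table
# firewall built from the -F/-X/-P/-N/-A/-I/-j options. IPT defaults to
# the real binary; set IPT="echo iptables" to print the commands only.
# Constructed assumptions: LAN 192.168.0.0/24, a management host
# 192.168.0.10 that may ssh in, and 117.52.12.23 as the blacklisted host.
IPT="${IPT:-iptables}"
LAN="${LAN:-192.168.0.0/24}"
ADMIN_HOST="${ADMIN_HOST:-192.168.0.10}"
BAD_HOST="${BAD_HOST:-117.52.12.23}"

build_firewall() {
    # Start clean: flush every chain in the filter table, then delete the
    # now-empty user-defined chains so -N below does not fail on a re-run.
    $IPT -F
    $IPT -X

    # Keep policies permissive while loading, so an interrupted run over
    # ssh does not lock you out (see the note on -P INPUT DROP).
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT

    # User-defined chain: LOG does not stop processing, so the DROP that
    # follows it is what actually discards the packet.
    $IPT -N blacklist
    $IPT -A blacklist -j LOG --log-prefix "BLACKLIST: "
    $IPT -A blacklist -j DROP

    # INPUT is walked top to bottom; the first ACCEPT/DROP/REJECT wins.
    $IPT -A INPUT -i lo -j ACCEPT                              # rule 1
    $IPT -A INPUT -s "$BAD_HOST" -j blacklist                  # rule 2
    $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_HOST" -j ACCEPT # rule 3
    $IPT -A INPUT -p tcp --dport 22 -j DROP                    # rule 4
    $IPT -A INPUT -p icmp -s "$LAN" -j ACCEPT                  # rule 5

    # -I with a position: accept replies to connections the firewall
    # itself opened. Inserted at 2, it is checked before the per-host
    # rules above. (The conntrack match is not covered in the post.)
    $IPT -I INPUT 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only now, with the allow rules in place, close the default policy.
    $IPT -P INPUT DROP
}

# Show the result with rule numbers, the form that -D and -I refer to.
show_input_chain() {
    $IPT -L INPUT -n -v --line-numbers
}

# Apply only when explicitly asked, e.g.: APPLY_FIREWALL=yes sh firewall.sh
if [ "${APPLY_FIREWALL:-no}" = "yes" ]; then
    build_firewall
    show_input_chain
fi
```

Review the generated commands first with IPT="echo iptables" APPLY_FIREWALL=yes sh firewall.sh; when the order looks right, run it again as root without the IPT override.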
Rules
Some rules can be reversed with a '!'
It will take the reverse of what the rule says.
iptables -A INPUT -p tcp ! --dport 22 -j DROP # Will drop every tcp packet except those to destination port 22
-p specifies the IP protocol (tcp, udp and icmp)
iptables -A INPUT -p icmp -j DROP # Block ping
-s specifies the source IP address (where the packet was sent from).
iptables -A INPUT -s 117.52.12.23 -j DROP # drop all the packets from 117.52.12.23
iptables -A blacklist -s 117.52.12.23 -j DROP # drop all the packets from 117.52.12.23 using a user-defined chain, "blacklist"
iptables -A INPUT ! -s 192.168.0.0/24 -p tcp --dport 22 -j DROP # drop all the packets for ssh (port 22) from outside the LAN.
-d specifies the destination IP address (where the packet is sent to).
iptables -A INPUT -d 117.52.12.23 -j DROP # drop all the packets to 117.52.12.23
NOTE: source and destination can be given as an IP address, an address with a netmask, or a host name. But guys, avoid using host names, because iptables has to query DNS to resolve the name, which slows the process down, and DNS can be spoofed.
tcp options (to be used with -p tcp)
--sport specifies the source port number or range.
If using a range, the syntax is LOW:HIGH
LOW: = the port specified and all ports higher than it.
:HIGH = the port specified and all ports below it.
--dport specifies the destination port, same format as --sport above.
--tcp-flags
Ah! --tcp-flags is an elaborate and slightly complex topic, and requires an understanding of the tcp protocol and its headers.
Ex: the following two rules have the same effect on packets:
iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT # short version
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,RST SYN --dport 22 -j ACCEPT # LONG version
The meaning of the above rule is: "Matches all incoming packets with the SYN flag set, but the ACK and RST flags must be cleared as well."
Multiple tcp flags can be set on a packet.
The option "--tcp-flags" takes two arguments: the list of flags to examine, then the flags that must be set. The above command (long format) matches when the flags in its second argument are set and the rest of the flags listed in its first argument are cleared.
Note: using "ALL" as an argument is the same as using "SYN,ACK,RST,PSH,URG,FIN".
If you do not specify flags at all (no --syn or --tcp-flags), the rule matches every tcp packet, so both SYN and SYN-ACK packets are accepted.
Next come the
udp options (to be used with -p udp)
--sport specifies the source port number or range.
--dport specifies the destination port, same format as --sport above.
icmp options (to be used with -p icmp)
--icmp-type this option specifies the icmp type of the packet to be matched.
Use iptables -p icmp --help to list the various types here (without arguments it defaults to all, which is what most of us want).
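The tcp, udp and icmp options above in one rule set. This is an added example, not code from the original post: a small port_spec helper validates a single port or a LOW:HIGH / :HIGH / LOW: range before it is handed to iptables (a mistyped range should fail loudly rather than quietly become a different rule), and build_service_rules shows --syn beside its --tcp-flags long form, negation with '!', port ranges, a udp port match and icmp matched by type. The LAN range 192.168.0.0/24 is a constructed assumption. Setting IPT="echo iptables" prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post): protocol-specific matches.
# IPT defaults to the real binary; IPT="echo iptables" only prints commands.
# The LAN range 192.168.0.0/24 is a constructed assumption.
IPT="${IPT:-iptables}"
LAN="${LAN:-192.168.0.0/24}"

# Validate a port spec before it reaches iptables. Accepted forms:
#   22           a single port
#   1024:65535   LOW:HIGH (inclusive)
#   :1023        every port from 0 up to 1023
#   6000:        port 6000 and everything above it
# Anything else (letters, more than one colon, a range out of order, a
# port above 65535) returns 1 and prints nothing.
port_spec() {
    spec=$1
    case "$spec" in
        ''|:|*[!0-9:]*|*:*:*) return 1 ;;
    esac
    case "$spec" in
        *:*) low=${spec%%:*}; high=${spec#*:} ;;
        *)   low=$spec;        high=$spec ;;
    esac
    low=${low:-0}; high=${high:-65535}
    [ "$low" -le 65535 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ] || return 1
    printf '%s\n' "$spec"
}

build_service_rules() {
    # --syn is shorthand for --tcp-flags SYN,ACK,RST SYN: SYN set, ACK and
    # RST clear, i.e. only the opening packet of a new tcp connection.
    $IPT -A INPUT -p tcp --syn --dport "$(port_spec 22)" -s "$LAN" -j ACCEPT
    $IPT -A INPUT -p tcp --tcp-flags SYN,ACK,RST SYN --dport "$(port_spec 80)" -j ACCEPT

    # '!' reverses a match: drop ssh attempts that do NOT come from the LAN.
    $IPT -A INPUT ! -s "$LAN" -p tcp --dport "$(port_spec 22)" -j DROP

    # Port ranges: the X11 block 6000-6063, and :1023 for every privileged
    # port. LOG does not end processing, so this only records the packet.
    $IPT -A INPUT -p tcp --dport "$(port_spec 6000:6063)" -j DROP
    $IPT -A INPUT ! -s "$LAN" -p tcp --dport "$(port_spec :1023)" -j LOG --log-prefix "PRIV-PORT: "

    # udp has only --sport/--dport: let the LAN query a DNS server on this box.
    $IPT -A INPUT -p udp --dport "$(port_spec 53)" -s "$LAN" -j ACCEPT

    # icmp is matched by type (iptables -p icmp --help lists them):
    # answer ping from the LAN, silently drop it from everywhere else.
    $IPT -A INPUT -p icmp --icmp-type echo-request -s "$LAN" -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
}
```

The two ssh rules only work in this order: the LAN ACCEPT is appended first, so the negated DROP below it never sees a LAN packet that already matched.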
THANK YOU
-ADMIN
Happy h4ck1ng