Sunday, 8 January 2012



Operating system - Linux
Type - packet filter
License - GNU General Public License

How to convert your Linux box into a firewall?

What is iptables?
- iptables is the userspace tool used to set up, maintain, and inspect the tables of IPv4 packet filtering rules in the Linux kernel (the kernel side is the netfilter framework; ip6tables does the same job for IPv6). Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

So when people say "the Linux firewall", they usually mean iptables.

OK, now you may be wondering what chains are.
- Each chain is an ordered list of rules, and each rule describes the set of packets it matches.

- Each rule also specifies what to do with a packet that matches it.

That action is called the 'target' (ACCEPT, DROP, and so on). Note that it is the action, not the packet, that carries this name.

Features of iptables

1. Filtering - blocking unwanted traffic. You can filter incoming and outgoing traffic by address, protocol and port (service), and with match extensions also by time/date or, for packets generated on the box itself, by the owning user or group.

2. NAT (network address translation) - If your computer has two or more network cards (or if you are using virtualization) you can use a spare computer as a gateway: one card connected to the Internet and the other to your LAN, with iptables rewriting addresses (masquerading) and filtering the traffic it forwards.

3. Logging (monitoring) network traffic.

If you are interested, check Wikipedia - Comparison of firewalls.

Your firewall, iptables, is configured either from the command line (usually with a script) or with a configuration tool (UFW, GUFW, Firestarter, Guarddog, Shorewall, etc.). Unfortunately many of the graphical configuration tools do not offer all the available options, let alone explain them (Guarddog is an exception to this generalization).

Configuring iptables requires at least a basic understanding of network protocols: one must know a little about protocols, servers, and ports to grasp iptables, and that is what lets you build a strong firewall!

Believe me friends, working with iptables is real fun! That's my own experience!
You will experience it too!

If you simply wish to maintain a blacklist you can look at tools such as DenyHosts and fail2ban. There is also a GUI tool, "iplist".

                How to iplist (thanks, uljanow)

You should know the basics of networking to build a strong firewall.

 That means knowing the TCP, UDP and ICMP protocols, and the well-known services (listed in /etc/services).

Check out the links on basic networking concepts!

You can see all the services known to your Linux machine with

                                                      gedit /etc/services

Obviously the list is very long, so use the Linux command "grep" to look up a particular service or port:

                                                    grep telnet /etc/services

And use a scanning tool to gather whatever information you want.

Tools -
           Nmap, ShieldsUP! (scanning from outside)
           netstat, lsof (scanning the local machine: which ports are really listening)

ShieldsUP! is a web-based scanner you may use to scan for open ports. One common source of confusion: if you are behind a router, you will be scanning your router and not the computer(s) behind it.

Now we are done with the prerequisites. Let's roll on to the main topic!

Anatomy of iptables

 iptables is nothing more than a set of rules for processing network packets coming to and going from your computer (the firewall). These rules are organized into tables and chains. A packet's fate is determined by following the rules one at a time, like links in a chain.

Note this, guys: tables are named in small letters and the built-in chains are in CAPS (user-defined chains can be named however you like).

filter : As the word says, it filters (accepts or drops) packets. This is the default table when no -t option is given.

nat - Network Address Translation: think router, or forwarding packets to other machines. Only the first packet of a connection is checked against this table; the rest of the connection gets the same translation.

mangle - Alteration of packet headers, e.g. the TOS/DSCP quality-of-service bits in the IP header, the TTL, or a mark that later rules can match on.

raw - Used far less often than mangle. It is consulted before connection tracking and is mainly used to mark packets that should be exempt from tracking (NOTRACK).

Chains :

filter : Used to filter or block packets

   INPUT - Filters inbound traffic (packets addressed to the firewall itself).

   OUTPUT - Filters outbound traffic (packets generated by the firewall).

   FORWARD - Filters packets routed through the firewall from one NIC to another (i.e. packets moving from eth0 [Internet] to eth1 [LAN]). Packets only reach this chain when IP forwarding is enabled in the kernel (net.ipv4.ip_forward = 1).

nat (Network Address Translation):

    PREROUTING - Inbound packets, seen before the routing decision. This is where destination NAT (DNAT, i.e. port forwarding to your clients) is done.

    OUTPUT - Packets generated by the firewall itself, for DNAT of locally originated connections.

    POSTROUTING - Packets leaving the box after routing, including those forwarded from other computers. This is where source NAT (SNAT / MASQUERADE) is done.

In addition to these default chains we can even use custom, or user-defined, chains :-)
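Putting the tables and chains together, here is an added example (mine, not from the original post) of a two-NIC gateway that shows which table and chain each rule lands in: source NAT in nat/POSTROUTING, an optional port forward in nat/PREROUTING, and the actual permit/deny decision in filter/FORWARD. The interface names eth0/eth1, the LAN prefix 192.168.1.0/24 and the optional WEB_SERVER address are assumptions; the script only prints the commands unless APPLY=1 is set.

```sh
#!/bin/sh
# Two-NIC NAT gateway (added example, not from the post).
# Default: print the commands for review. APPLY=1: execute them (needs root).
# Assumptions: eth0 faces the Internet, eth1 the LAN, LAN prefix 192.168.1.0/24;
# all three can be overridden from the environment.

IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# run CMD...: print the command, or execute it when APPLY=1
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

nat_gateway() {
    # the kernel must be told to route at all; iptables alone forwards nothing
    run sysctl -w net.ipv4.ip_forward=1
    # start the nat table from a known state so the script can be re-run
    run $IPT -t nat -F

    # nat/POSTROUTING: rewrite the source of LAN packets leaving on $WAN to the
    # gateway's own address (MASQUERADE copes with a dynamic WAN address)
    run $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE

    # filter/FORWARD: NAT only rewrites addresses; this chain decides whether a
    # packet may cross from one interface to the other at all
    run $IPT -F FORWARD
    run $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run $IPT -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # everything else crossing the box (unsolicited inbound, spoofed LAN sources) is dropped
    run $IPT -P FORWARD DROP

    # nat/PREROUTING: optional port forward to a LAN web server (WEB_SERVER=ip).
    # DNAT only changes the destination; FORWARD must still ACCEPT the new flow.
    if [ -n "${WEB_SERVER:-}" ]; then
        run $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 \
            -j DNAT --to-destination "$WEB_SERVER:80"
        run $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB_SERVER" --dport 80 \
            -m conntrack --ctstate NEW -j ACCEPT
    fi
}

nat_gateway
```

Run it once without APPLY to read the generated rules, then `WEB_SERVER=192.168.1.10 APPLY=1 sh gateway.sh` as root. The split between the two tables is the point: if only the MASQUERADE rule is present, forwarding still fails because filter/FORWARD drops the packets, and if only the FORWARD rules are present, replies from the Internet never find their way back to the private LAN address.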

Actions : What to do when a packet matches a rule?

 If a packet matches a rule, the action taken is called a target.

  NOTE: Targets are specified with the -j flag, i.e. -j TARGET

  ACCEPT - The packet is approved, or accepted.

  REJECT - The packet is blocked, and an error is returned to the sender (an ICMP port-unreachable by default; for TCP you can send a reset with --reject-with tcp-reset).

  DROP - The packet is blocked silently; nothing is returned.
  LOG - The packet is logged (to the kernel log). LOG does not terminate processing: after a packet is logged, processing continues with the next rule in the chain, so a LOG rule is normally followed by the DROP or REJECT that actually decides.

  RETURN - Stop traversing this chain and go back to the rule after the one that jumped here (in a built-in chain, the chain's policy applies instead).

There is no target literally called JUMP: giving the name of a user-defined chain to -j (for example -j blacklist) "jumps" into that chain.

Using iptables for Filtering 

It is very important to understand that the order of your rules is critical. iptables starts at the top of the chain, with the first rule, and proceeds down the chain until a rule matches whose target decides the packet's fate (ACCEPT, DROP, REJECT, or a RETURN to the calling chain). If no rule matches, the chain's default policy applies.

 The basic syntax is 

        iptables [-t table] -option [Chain] [Rule] -j [Target]                  

The term 'Target' is the action to be taken if the packet matches the rule we specified, for example ACCEPT, REJECT, DROP, or send the packet to another, possibly user-defined, chain. When -t is omitted the filter table is assumed.


-P [chain] sets the default Policy (target or action) for packets that match no rule in a built-in chain.

 iptables -P INPUT DROP # Will drop (block) all incoming packets that no rule accepts. 

Note: the above policy will immediately terminate your telnet or ssh session if you have not already allowed SSH (and established connections) in your INPUT chain. Very bad if you are managing your server remotely and do not have physical access. Put the ACCEPT rules in first, and only then switch the policy to DROP.

Note: SSH is preferred over telnet because SSH encrypts and authenticates the whole session, whereas telnet sends your password and everything else in plaintext for anyone on the path to read. 

Want to know more about encryption? Guys, just Google it!
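Here is the order that avoids the lockout described above, as an added example that is not part of the original post: a small POSIX shell script that prints the iptables commands it would run, and executes them only when APPLY=1 is set (as root). Assumed, not from the post: SSH listens on tcp/22 (override with SSH_PORT), IPv4 only, and the conntrack match module is available.

```sh
#!/bin/sh
# Lockout-safe default-deny INPUT policy (added example, not from the post).
# Default: print the commands for review. APPLY=1: execute them (needs root).
# Assumptions: SSH listens on tcp/22 (override with SSH_PORT), IPv4 only.

IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"

# run CMD...: print the command, or execute it when APPLY=1
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# default_deny_input: every ACCEPT that keeps the admin session alive is
# installed first; the policy flips to DROP as the very last step.
default_deny_input() {
    # 1. start from a known state, keeping the policy permissive while we work
    run $IPT -P INPUT ACCEPT
    run $IPT -F INPUT
    # 2. loopback: local daemons talk to each other over lo
    run $IPT -A INPUT -i lo -j ACCEPT
    # 3. replies to connections this host opened (DNS, updates...) and,
    #    crucially, the SSH session you are typing this in right now
    run $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 4. new SSH connections, as fresh SYNs only
    run $IPT -A INPUT -p tcp --syn --dport "$SSH_PORT" -j ACCEPT
    # 5. LOG is non-terminating, so the DROP policy still applies afterwards;
    #    the limit match keeps a flood from filling the kernel log
    run $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-drop:"
    # 6. only now is it safe to make DROP the default
    run $IPT -P INPUT DROP
}

default_deny_input
```

Review the printed rules, then run `APPLY=1 sh firewall.sh` from a console if you can. When you only have remote access, load the rules through iptables-apply (shipped with iptables; it takes an iptables-save style file and reverts the change unless you confirm within a timeout), so a mistake in step 4 does not cost you the box.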

-A [chain] Appends a rule to the bottom, or end, of the specified chain.
              Least preferred: since the first match wins, a rule appended after a broad ACCEPT or DROP may never be reached.

-I [chain] [position] Inserts a rule into a chain at the position you specify. If no position is given, the default is 1 (first rule).

iptables -I INPUT 3 [RULE] # Will insert the [RULE] at the third position of the INPUT chain; the old rule 3 and everything below it shift down by one.    

See here that the rank is specified as 3.

-D [chain] Deletes a rule from a chain.

The rule may be identified either by its position number in the chain or by repeating the rule itself.

iptables -D INPUT 2 # Will delete the second rule in the INPUT chain.       

iptables -D INPUT [RULE] # Will delete the first rule in the INPUT chain that exactly matches [RULE].       

-F [chain] Flushes (deletes all the rules in) the specified chain.

By default, if no arguments are given, this flushes every chain in the filter table.
You may specify a table and/or chain. Flushing does not reset the chain policies, so flushing INPUT while its policy is DROP still locks you out.

iptables -F INPUT # Clears the INPUT chain in the filter table.  

iptables -t nat -F PREROUTING # Clears the PREROUTING chain in the nat table.       

iptables -F # Clears all the chains in the filter table (INPUT, OUTPUT, and FORWARD).

iptables -t nat -F # Clears all the chains in the nat table.     

-L [chain] Lists the rules in a chain (all chains of the table if none is given).

By default this lists the chains in the filter table. You may specify a table with -t ( -t nat ). Add -n to skip reverse DNS lookups, -v for packet and byte counters, and --line-numbers to see the positions that -I and -D refer to.

-N creates a New, user-defined chain (blacklist, for example).

                    iptables -N blacklist                    

-X deletes a user-defined chain.

                    iptables -X blacklist                    

Before a chain can be deleted it must be empty (contain no rules) and no other rule may still jump to it. Use "-F" to flush out its rules first, and -D to remove the rule that jumps to it.


 -j specifies the target (action). The standard targets are LOG, ACCEPT, DROP and REJECT. You may also send processing of a packet to another chain.

iptables -A INPUT -j DROP # Drops every packet that reaches this rule; any INPUT rules after it are never consulted.
iptables -A INPUT -j blacklist # Will process the packet according to the user-defined chain "blacklist", and continue here if that chain returns without a verdict.
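To see how a user-defined chain is used in practice, here is an added example (mine, not from the post): a script that rebuilds a "blacklist" chain from a text file of addresses, validates each entry as an IPv4 address or CIDR prefix before it is handed to iptables (so a stray hostname or typo never becomes a DNS lookup or a broken rule), and hooks the chain in as the first INPUT rule. The file format (one entry per line, # comments) and the sample addresses (RFC 5737 documentation ranges) are constructed for the example; the script prints the commands unless APPLY=1 is set.

```sh
#!/bin/sh
# Maintain a user-defined "blacklist" chain from a file (added example).
# Default: print the commands for review. APPLY=1: execute them (needs root).
# File format (assumed): one IPv4 address or CIDR per line, '#' comments.

IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-blacklist}"

# run CMD...: print the command, or execute it when APPLY=1
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# valid_ipv4 ENTRY: accept a.b.c.d or a.b.c.d/len (0-32), reject anything else
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(/(3[0-2]|[12]?[0-9]))?$'
}

# load_blacklist FILE: rebuild the chain from scratch so re-running is safe
load_blacklist() {
    # create the chain if missing (-N fails harmlessly if it exists), then empty it
    run $IPT -N "$CHAIN" 2>/dev/null || true
    run $IPT -F "$CHAIN"
    # one DROP per valid entry; comments, blanks and invalid lines are skipped
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        if valid_ipv4 "$addr"; then
            run $IPT -A "$CHAIN" -s "$addr" -j DROP
        else
            printf 'skipping invalid entry: %s\n' "$addr" >&2
        fi
    done
    # hand non-matching packets back to INPUT explicitly
    run $IPT -A "$CHAIN" -j RETURN
    # hook the chain in as INPUT rule 1, but only once (-C checks for the jump)
    if [ "${APPLY:-0}" = "1" ] && $IPT -C INPUT -j "$CHAIN" 2>/dev/null; then
        : # already hooked in
    else
        run $IPT -I INPUT 1 -j "$CHAIN"
    fi
}

# Constructed sample list (documentation addresses, not real attackers)
SAMPLE="${TMPDIR:-/tmp}/blacklist-sample.$$"
cat >"$SAMPLE" <<'EOF'
# example blacklist file
198.51.100.0/24   # a whole /24, RFC 5737 documentation range
203.0.113.7
evil.example      # a hostname: refused, never resolved
999.1.1.1         # not a valid address: refused
EOF
load_blacklist "$SAMPLE"
rm -f "$SAMPLE"
```

Because the jump sits at position 1 of INPUT, blacklisted sources are dropped before any ACCEPT rule (including the SSH one) gets a look at them, while everything else RETURNs and continues down INPUT as if the chain were not there.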


Most match criteria can be inverted with a '!' placed before the option.
The rule then matches whatever the criterion does not.

iptables -A INPUT -p tcp ! --dport 22 -j DROP # Drops every TCP packet except those to destination port 22, which are left for later rules.

-p specifies the IP protocol (tcp, udp, icmp, or all).

iptables -A INPUT -p icmp -j DROP # Blocks ping, but also every other ICMP message, including the ones path MTU discovery and error reporting rely on; to block only ping, match --icmp-type echo-request instead.

-s specifies the source IP address (where the packet was sent from).

iptables -A INPUT -s 117.52.12.23 -j DROP # Drop all the packets from that address.

iptables -A blacklist -s 117.52.12.23 -j DROP # Drop all the packets from that address using a user-defined chain, "blacklist".

iptables -A INPUT ! -s 192.168.1.0/24 -p tcp --dport 22 -j DROP # Drop all the packets for ssh (port 22) from outside the LAN (192.168.1.0/24 stands for your own LAN prefix).

-d specifies the destination IP address (where the packet is being sent to).

iptables -A INPUT -d 117.52.12.23 -j DROP # Drop all the packets to that address.

NOTE: a source or destination can be a single IP address, an address with a netmask (e.g. /24), or a host name. But guys, avoid host names: iptables resolves the name once, when the rule is loaded (not per packet), so the rule silently fails to load if DNS is unreachable at boot, a name with several addresses expands into several rules, and a spoofed DNS answer puts an attacker-chosen address into your firewall.

tcp options ( to be used with -p tcp )

 --sport specifies the source port number or range 

If using a range, the syntax is LOW:HIGH (both ends inclusive).
LOW:  = the port specified and every port above it, up to 65535.

:HIGH = every port from 0 up to and including the port specified.

 --dport specifies the destination port, in the same format as --sport above.

--tcp-flags

Ah! --tcp-flags is an elaborate and slightly complex topic, and requires an understanding of the TCP protocol and its headers.

Ex : the following two rules have the same effect on packets:

iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT # short version 

iptables -A INPUT -p tcp --tcp-flags SYN,ACK,RST,FIN SYN --dport 22 -j ACCEPT # long version 

The meaning of the above rule is: "match all incoming TCP packets with the SYN flag set and the ACK, RST and FIN flags cleared", i.e. genuine connection attempts.

Multiple TCP flags can be set on a single packet.

The option --tcp-flags takes two comma-separated lists. The first is the mask, the flags to examine; the second lists which of those must be set. Flags named in the mask but not in the second list must be clear, and flags outside the mask are ignored. The long rule above therefore matches when SYN is set and ACK, RST and FIN are clear, whatever PSH and URG look like.

note: using "ALL" as an argument is the same as "SYN,ACK,RST,PSH,URG,FIN", and "NONE" means no flags at all.

If you leave out --syn (or --tcp-flags) altogether, the rule matches every TCP segment to port 22, not just the SYN that opens a connection.
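Because the two-argument form trips people up, here is an added example (not from the post) that models the --tcp-flags MASK COMP decision in plain shell, so you can check what a rule would do to a given flag combination without a live firewall. The bit values are the TCP header flag bits; the function names are mine, and the model covers only the flag test, not the rest of a rule.

```sh
#!/bin/sh
# Model of iptables' "--tcp-flags MASK COMP" match (added example, not from the post).
# Flag bits as laid out in the TCP header: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32.

# flag_bits LIST: "SYN,ACK" -> bitmask; ALL and NONE expand as iptables does
flag_bits() {
    bits=0
    list=$(printf '%s' "$1" | tr ',' ' ' | tr 'a-z' 'A-Z')
    for f in $list; do
        case "$f" in
            FIN)  bits=$((bits | 1)) ;;
            SYN)  bits=$((bits | 2)) ;;
            RST)  bits=$((bits | 4)) ;;
            PSH)  bits=$((bits | 8)) ;;
            ACK)  bits=$((bits | 16)) ;;
            URG)  bits=$((bits | 32)) ;;
            ALL)  bits=$((bits | 63)) ;;
            NONE) ;;
            *) echo "unknown flag: $f" >&2; return 2 ;;
        esac
    done
    echo "$bits"
}

# tcp_flags_match MASK COMP PACKET_FLAGS
# Look only at the bits named in MASK; match when, within that mask, exactly
# the COMP bits are set. Bits outside the mask never influence the result.
tcp_flags_match() {
    mask=$(flag_bits "$1") || return 2
    comp=$(flag_bits "$2") || return 2
    pktbits=$(flag_bits "$3") || return 2
    [ $((pktbits & mask)) -eq $((comp & mask)) ]
}

# --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN
syn_match() { tcp_flags_match "SYN,RST,ACK,FIN" "SYN" "$1"; }

# demonstration when run directly: which sample packets --syn would accept
for sample in SYN SYN,ACK ACK SYN,PSH FIN,SYN NONE; do
    if syn_match "$sample"; then
        echo "$sample: matches --syn"
    else
        echo "$sample: no match"
    fi
done
```

Two results worth noticing: SYN+PSH still matches --syn because PSH is outside the mask, while `--tcp-flags ALL NONE` (a common "null scan" drop rule) matches only a packet with no flags at all, which is exactly what the two-list syntax lets you express and a single list could not.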

Next come the

udp options ( to be used with -p udp )

  --sport specifies the source port number or range

  --dport specifies the destination port, in the same format as --sport above.

icmp options ( to be used with -p icmp )

 --icmp-type specifies the ICMP type (by name or number) of the packet to be matched, e.g. echo-request for ping.

Use iptables -p icmp --help to list the available type names. Without --icmp-type the rule matches all ICMP types, which is what most of us want.



Happy h4ck1ng

