iptables
INFO
The iptables firewall manages packet filtering and NAT rules; iptables comes with all Linux distributions.
Tables and Chains
Important Tables and chains :
1- Table = filter < Chains = [ INPUT, OUTPUT, FORWARD ]
2- Table = nat < Chains = [ PREROUTING, OUTPUT, POSTROUTING ]
3- Table = mangle < Chains = [ INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING ]
-A => append a rule to a chain
-D => delete a rule
-t => table to operate on (default: filter)
-P => set the default policy of a chain
-R => replace the rule at the given index in a chain
-d => destination address
-j => target
-p => protocol
-s => source address
--sport => source port
--dport => destination port
➜ iptables -S => list all rules as iptables commands (iptables-save format)
➜ iptables -L => list all rules in table form
➜ iptables -F => Flush all Rules
Default Policy
➜ iptables -P OUTPUT DROP
➜ iptables -P OUTPUT ACCEPT
Add
add INPUT DROP
➜ iptables -A INPUT -s 192.168.1.102 -p tcp -j DROP
add INPUT ACCEPT
➜ iptables -A INPUT -s 192.168.1.102 -p tcp -j ACCEPT
add OUTPUT DROP
➜ iptables -A OUTPUT -d 192.168.1.102 -p tcp -j DROP
➜ iptables -A OUTPUT -p tcp -j DROP
LOG
➜ iptables -A INPUT -s 192.168.1.102 -p tcp -j LOG --log-prefix "app server log"
➜ iptables -A OUTPUT -p tcp -j LOG --log-prefix "server OUTPUT log"
➜ iptables -A OUTPUT -d 192.168.1.1 -p icmp -j REJECT
Save
Note: To keep the rules applied in the firewall on Debian-based Linux such as Ubuntu, create a directory named iptables under /etc and save the rules there as follows (iptables-save needs root, so the redirection is wrapped in sudo sh -c):
Debian:
➜ sudo mkdir /etc/iptables
➜ sudo touch /etc/iptables/rules.v4
➜ sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
Note: On Red Hat-based Linux there is no need to create a directory; the applied rules are saved as follows (again the redirection must run as root):
RedHat:
➜ sudo sh -c 'iptables-save > /etc/sysconfig/iptables'
➜ sudo systemctl restart iptables.service
Note: To save the firewall rules to a text file anywhere, run the following (double quotes so that $username is expanded before sudo runs the command):
➜ sudo sh -c "iptables-save > /home/$username/Documents/iptables_dump.txt"
Restore
➜ sudo iptables-restore < /home/$username/Documents/iptables_dump.txt
Master Examples
➜ iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:8080
Explanation
-t nat => operate on the nat table...
-A PREROUTING => ... by appending the following rule to its PREROUTING chain.
-i eth1 => match packets coming in on the eth1 network interface...
-p tcp => ... that use the TCP protocol
--dport 80 => ... and are destined for port 80.
-j DNAT => jump to the DNAT target...
--to-destination 192.168.1.3:8080 => ... and rewrite the destination address to 192.168.1.3 and the destination port to 8080.
syslog-ng
-> Create the syslog-ng directory in /etc if it does not already exist: /etc/syslog-ng
-> Create the file syslog-ng.conf in that directory
-> Add these lines to syslog-ng.conf (the filter only catches LOG rules whose --log-prefix contains "IPT=", and source(src) refers to the log source defined elsewhere in the config):
destination iptables { file("/var/log/iptables.log"); };
filter f_iptables { match("IPT="); };
log { source(src); filter(f_iptables); destination(iptables); };
Network Traffic Load Balancing
➜ iptables -t nat -A PREROUTING -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
➜ iptables -t nat -A PREROUTING -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
➜ iptables -t nat -A PREROUTING -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
➜ iptables -A OUTPUT --dst 4.2.2.4 -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 2 -j LOG --log-level info --log-prefix "ICMP log Table"
Block Traceroute
➜ iptables -t raw -A PREROUTING -p udp --dport 33434:33534 -j DROP
➜ iptables -t raw -A PREROUTING -p icmp --icmp-type 8 -j DROP
Drop Invalid Packet
➜ iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
Important Modules
Comment
➜ sudo iptables -A INPUT -i enp1s0 -p icmp -m comment --comment "ADMIN:koosha"
Connection Limit
➜ sudo iptables -A INPUT -i enp1s0 -p icmp -m connlimit --connlimit-above 2 -j DROP
Mac Address
➜ sudo iptables -A INPUT -i enp1s0 -p icmp -m mac --mac-source 2C:5E:55:6D:7E:66 -j DROP
TTL
➜ sudo iptables -I INPUT -p icmp -m ttl --ttl-gt 128 -j DROP
➜ sudo iptables -I INPUT -p icmp -m ttl --ttl-lt 128 -j DROP
➜ sudo iptables -I INPUT -p icmp -m ttl --ttl-eq 128 -j DROP
Connection Tracking and State
➜ sudo iptables -A OUTPUT -o enp1s0 -p tcp --sport 22 -j ACCEPT
➜ sudo iptables -A INPUT -i enp1s0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
Limit
➜ sudo iptables -A INPUT -i enp1s0 -p tcp --dport 80 -m limit --limit 50/minute -j ACCEPT
➜ sudo iptables -A INPUT -i enp1s0 -p tcp --dport 80 -m limit --limit 50/minute --limit-burst 100 -j ACCEPT
Create New Chain
➜ sudo iptables -N ssh_chain
Delete Chain
➜ sudo iptables -X ssh_chain
Set Rules For new VPS for web Hosting
➜ sudo iptables -A INPUT -i enp1s0 -p tcp -m multiport ! --dports 22,80,443 -j REJECT
➜ sudo iptables -A INPUT -i enp1s0 -p tcp ! --syn -m state --state NEW -j DROP
➜ sudo iptables -A INPUT -i enp1s0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
➜ sudo iptables -A OUTPUT -o enp1s0 -p tcp -m multiport --sport 22,80,443 -j ACCEPT
➜ sudo iptables -A INPUT -i enp1s0 -p tcp --tcp-flags ALL NONE -j DROP
➜ sudo iptables -A INPUT -i enp1s0 -p tcp --tcp-flags PSH,URG,FIN PSH,URG,FIN -j REJECT
➜ sudo iptables -A INPUT -p tcp -m state --state INVALID -j DROP
➜ sudo iptables -A INPUT -p tcp -m connlimit --connlimit-above 100 -j DROP
➜ sudo iptables -A INPUT -f -j DROP
➜ sudo iptables -A INPUT -p icmp --icmp-type 8 -j DROP
➜ sudo iptables -A INPUT -p icmp --icmp-type 13 -j DROP
➜ sudo iptables -A INPUT -p icmp --icmp-type 14 -j DROP
➜ sudo iptables -A INPUT -i enp1s0 -p tcp --syn -m limit --limit 100/minute --limit-burst 80 -j ACCEPT
➜ sudo iptables -A INPUT -i enp1s0 -p tcp --syn -j DROP
➜ sudo iptables -P INPUT DROP
➜ sudo iptables -P OUTPUT DROP
NAT
Router server IP = 172.16.2.11, main server IP = 172.16.2.10
➜ iptables -t nat -I PREROUTING -p tcp --dport 22 -d 172.16.2.11 -j DNAT --to-destination 172.16.2.10:8080
➜ iptables -t nat -I POSTROUTING -j MASQUERADE
➜ echo 1 > /proc/sys/net/ipv4/ip_forward
NOTE: The policy of the FORWARD chain must be ACCEPT (or explicit FORWARD rules must allow the forwarded traffic), otherwise the DNATed packets are dropped.
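As an added example (not part of the original notes), the VPS rule set and the NAT port forward above combined into one iptables-restore file, ordered so that tracked replies are accepted before the port whitelist, and applied atomically instead of rule by rule. Assumptions: WAN interface enp1s0, router 172.16.2.11 and main server 172.16.2.10 from the NAT section, and the 80 -> 8080 forward from the master example rather than the port 22 one; the LOG prefix carries the IPT= tag the syslog-ng filter keys on.

```shell
# Added example: emit the whole ruleset in iptables-save format so it can be
# checked and applied as one unit. Assumed interface and addresses below.
WAN_IF="${WAN_IF:-enp1s0}"
ROUTER_IP="${ROUTER_IP:-172.16.2.11}"
MAIN_IP="${MAIN_IP:-172.16.2.10}"

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-tracked traffic first, so replies are never cut off
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# malformed segments and fragments
-A INPUT -i $WAN_IF -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -i $WAN_IF -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -i $WAN_IF -p tcp --tcp-flags FIN,PSH,URG FIN,PSH,URG -j DROP
-A INPUT -f -j DROP
# per-source connection cap, then only the published services
-A INPUT -i $WAN_IF -p tcp -m connlimit --connlimit-above 100 -j DROP
-A INPUT -i $WAN_IF -p tcp -m multiport --dports 22,80,443 -m conntrack --ctstate NEW -j ACCEPT
# rate-limited log of everything else; IPT= is what the syslog-ng filter matches
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "IPT=INPUT_DROP "
# forwarded path for the DNAT below (FORWARD policy is DROP, so allow it explicitly)
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -d $MAIN_IP -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -d $ROUTER_IP -p tcp --dport 80 -j DNAT --to-destination $MAIN_IP:8080
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Validate with --test first; iptables-restore swaps the tables atomically, so
# a typo never leaves the host half-configured. Needs root.
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_rules > "$tmp" && iptables-restore --test "$tmp" &&
    iptables-restore "$tmp" && sysctl -w net.ipv4.ip_forward=1 &&
    mkdir -p /etc/iptables && mv "$tmp" /etc/iptables/rules.v4
}
```

Run `gen_rules` to inspect the file and `apply_rules` (as root) to load and persist it; the saved /etc/iptables/rules.v4 is the same file the Debian save step above writes.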