Linux Security - IPtables

Posted on 18-Jul-2015

Page 1: Linux Security - IPtables

LINUX SECURITY – IPTABLES

By: Sameh El-Hakim

Cyber Security Engineer

Page 2: Linux Security - IPtables

IPTABLES

iptables is the user-space tool used to manage the Linux firewall rules.

The firewall itself is the kernel's netfilter framework; iptables configures its packet filtering and NAT rules (a separate ip6tables tool does the same for IPv6).

Page 3: Linux Security - IPtables

STRUCTURE

iptables contains several tables. Each table contains chains. Chains are either built-in or user-defined. Each chain contains an ordered list of rules. Rules are matched against packets, top to bottom.

iptables > Tables > Chains > Rules

Page 4: Linux Security - IPtables

IPTABLES TABLES AND CHAINS

Filter table (the default table when -t is not given)

•INPUT chain – Incoming to firewall. For packets addressed to the local server.

•OUTPUT chain – Outgoing from firewall. For packets generated locally and leaving the local server.

•FORWARD chain – For packets routed through the local server from one NIC to another (only traversed when IP forwarding is enabled).

NAT table (only the first packet of a connection is checked here; connection tracking applies the same translation to the rest of the flow)

•PREROUTING chain – Alters packets before the routing decision. This is used for DNAT (destination NAT). “This helps to translate the destination IP address”

•POSTROUTING chain – Alters packets after the routing decision. This is used for SNAT and MASQUERADE. “This helps to translate the source IP address”

•OUTPUT chain – NAT for locally generated packets on the firewall.

Mangle table

•PREROUTING chain, OUTPUT chain, FORWARD chain, INPUT chain & POSTROUTING chain. Used to alter packet headers and marks (TOS, TTL, MARK), not to filter.

Raw table

•PREROUTING chain & OUTPUT chain. Evaluated before connection tracking; used for configuration exemptions, mainly to exempt packets from connection tracking (NOTRACK / CT --notrack).
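The following script is an added example (not part of the original slides) that puts a rule of each kind in the table and chain the slide describes: filter for what the host accepts or forwards, nat PREROUTING for DNAT and POSTROUTING for source translation, raw for a conntrack exemption. It assumes a small router with WAN interface eth0, LAN interface eth1 on 192.168.1.0/24 and an internal web server 192.168.1.10 (all constructed). IPT defaults to `echo iptables`, so the script prints the commands instead of applying them; run it as root with `IPT=iptables` to apply.

```shell
#!/bin/sh
# Added example (not from the slides): which table and chain each kind of rule goes in.
# Assumptions (constructed): eth0 faces the Internet, eth1 faces the LAN 192.168.1.0/24,
# and 192.168.1.10 is an internal web server that should be reachable from outside.
# IPT defaults to "echo iptables" so the script only prints the commands;
# run it as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
WEB=192.168.1.10

# filter table: decides whether a packet is allowed at all.
filter_rules() {
    # INPUT: packets addressed to this host.
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
    # FORWARD: packets routed through this host (LAN to WAN, and the DNAT'd web traffic).
    # FORWARD sees the destination after PREROUTING DNAT, hence -d $WEB below.
    $IPT -t filter -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
    $IPT -t filter -A FORWARD -i $WAN -o $LAN -d $WEB -p tcp --dport 80 -j ACCEPT
    $IPT -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # OUTPUT: packets this host generates itself.
    $IPT -t filter -A OUTPUT -o lo -j ACCEPT
}

# nat table: rewrites addresses. Only the first packet of a connection is checked here;
# connection tracking applies the same translation to the rest of the flow.
nat_rules() {
    # PREROUTING + DNAT: change the destination before the routing decision,
    # so the packet is routed towards the internal server.
    $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB:80
    # POSTROUTING + MASQUERADE: change the source after routing, to the address of
    # the interface the packet leaves on (SNAT with --to-source is the static form).
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
}

# raw table: evaluated before connection tracking; its typical use is to exempt
# high-volume flows from conntrack (the "configuration exemptions" of the slide).
raw_rules() {
    $IPT -t raw -A PREROUTING -p udp --dport 53 -j CT --notrack
    $IPT -t raw -A OUTPUT -p udp --sport 53 -j CT --notrack
}

all_rules() {
    filter_rules
    nat_rules
    raw_rules
}

all_rules
```

Note the ordering inside each chain: the ESTABLISHED,RELATED rule lets reply traffic through without having to list every service twice, and the FORWARD rule for the web server matches the translated destination, because the filter table runs after nat PREROUTING.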

Page 5: Linux Security - IPtables

IPTABLES RULES

Following are the key points to remember for the iptables rules:

Rules contain match criteria and a target.

If the criteria match, the packet is handed to the target: either a user-defined chain, whose rules are then evaluated in turn, or one of the special values (ACCEPT, DROP, ...) listed on the next slide.

If the criteria do not match, the packet moves on to the next rule in the chain.

If no rule in a built-in chain matches, the chain's default policy (set with -P, ACCEPT or DROP) decides what happens to the packet.

Page 6: Linux Security - IPtables

TARGET VALUES

Following are the possible special values that you can specify in the target:

ACCEPT – Firewall will accept the packet; no further rules of this chain are evaluated.

DROP – Firewall will silently drop the packet (unlike REJECT, which also sends an error back to the sender).

QUEUE – Firewall will pass the packet to a user-space program (the NFQUEUE target is the modern form of this).

RETURN – Firewall will stop executing the remaining rules in the current chain for this packet. Control returns to the calling chain, at the rule after the one that jumped; in a built-in chain, RETURN means the chain policy applies.
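The script below is an added example (not part of the original slides) covering the two preceding slides together: rules as criteria plus target, the jump into a user-defined chain, RETURN handing the packet back to the caller, and the chain policy deciding what no rule matched. ADMIN_NET is a constructed management subnet; IPT defaults to `echo iptables`, so the commands are printed rather than applied.

```shell
#!/bin/sh
# Added example (not from the slides): how a packet moves through rules, a user-defined
# chain, RETURN and the chain policy. ADMIN_NET is a constructed management subnet.
# IPT defaults to "echo iptables" so the commands are printed, not applied.
IPT="${IPT:-echo iptables}"
ADMIN_NET=10.0.0.0/24

ssh_guard() {
    # Chain policy: the decision when no rule in INPUT matches the packet.
    $IPT -P INPUT DROP
    # A user-defined chain. It has no policy: falling off its end is an implicit RETURN.
    $IPT -N SSH_GUARD
    # Rules in SSH_GUARD: criteria -> target.
    # Admin hosts: RETURN goes back to INPUT, at the rule after the one that jumped here.
    $IPT -A SSH_GUARD -s $ADMIN_NET -j RETURN
    # Everyone else: LOG is non-terminating, so the packet continues to the DROP below.
    $IPT -A SSH_GUARD -m limit --limit 5/minute -j LOG --log-prefix "ssh-denied: "
    $IPT -A SSH_GUARD -j DROP
    # INPUT: the jump must come before the ACCEPT, which is only reached via RETURN.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j SSH_GUARD
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
}

# Resulting paths for a new SYN to port 22:
#   from 10.0.0.5    -> INPUT rule 2 jumps -> SSH_GUARD rule 1 RETURNs -> INPUT rule 3 ACCEPTs
#   from 203.0.113.7 -> INPUT rule 2 jumps -> LOG (continues) -> DROP (stops)
# A new SYN to port 80 matches nothing in INPUT, so the policy DROP applies.
ssh_guard
```

If the ACCEPT for port 22 were placed before the jump, SSH_GUARD would never be consulted; if it were missing, admin packets would RETURN to INPUT, match nothing further and fall to the DROP policy.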

Page 7: Linux Security - IPtables

IPTABLES RULES

To insert at the top of the list (or at a given position): iptables -I chain [position] ...

To append at the end of the list: iptables -A chain ...

Temporarily delete all the firewall rules: iptables --flush (or -F). Without -t this flushes the filter table only, and it never changes chain policies: with a DROP policy and no rules, every packet is dropped, including your own SSH session.

Permanently remove all the default firewall rules: on RHEL/CentOS the rules are stored in /etc/sysconfig/iptables and restored from there at boot, so a flushed rule set comes back on the next reboot unless that file is updated (iptables-save writes the running rules in the saved format). Debian/Ubuntu with iptables-persistent uses /etc/iptables/rules.v4 instead.
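The script below is an added example (not part of the original slides) of the operations on this slide: -I versus -A, a flush that does not lock out the administrator, and saving the result to the file read at boot. IPT defaults to `echo iptables` so the commands are printed, not applied; SAVE_FILE defaults to the RHEL/CentOS path named on the slide and is an assumption for other distributions.

```shell
#!/bin/sh
# Added example (not from the slides): insert vs. append, a lockout-safe flush,
# and persisting the result. IPT defaults to "echo iptables" so the commands are
# printed rather than applied; SAVE_FILE defaults to the RHEL/CentOS location.
IPT="${IPT:-echo iptables}"
SAVE_FILE="${SAVE_FILE:-/etc/sysconfig/iptables}"   # Debian/Ubuntu + iptables-persistent: /etc/iptables/rules.v4

insert_vs_append() {
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT                               # appended: becomes the last rule
    $IPT -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT      # inserted at position 1 (the default)
    $IPT -I INPUT 2 -i lo -j ACCEPT                                         # inserted at an explicit position
}

reset_firewall() {
    # --flush (-F) removes rules but leaves chain policies alone. With policy DROP and
    # no rules every packet is dropped, including your SSH session, so open the
    # policies first. -F on its own only touches the filter table; iterate over all of them.
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -t filter -P $chain ACCEPT
    done
    for table in filter nat mangle raw; do
        $IPT -t $table -F    # delete all rules
        $IPT -t $table -X    # delete all (now empty) user-defined chains
        $IPT -t $table -Z    # zero the packet/byte counters
    done
}

persist() {
    # Rules live only in kernel memory. The boot-time restore reads SAVE_FILE, so an
    # unsaved reset comes back on the next reboot; write the current state there.
    if [ "$IPT" = iptables ]; then
        iptables-save > "$SAVE_FILE"
    else
        echo "iptables-save > $SAVE_FILE"
    fi
}

insert_vs_append
reset_firewall
persist
```

When working over SSH, a safer habit than reset_firewall is to load a complete new rule set atomically with iptables-restore, which replaces everything in one step and fails without applying anything if the file has a syntax error.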

Page 8: Linux Security - IPtables

FIREWALL RULE PARAMETERS

-p is for protocol. Possible values are tcp, udp, icmp.

Use “all” to match all protocols. When you don’t specify -p, by default “all” protocols will be matched.

Use either the name (for example: tcp) or the number (for example: 6 for tcp) for the protocol.

The /etc/protocols file contains all allowed protocol names and numbers.

You can also use --protocol.

-s is for source. This can be an IP address, a network address (CIDR or address/mask), or a hostname. A hostname is resolved once, when the rule is added, so the rule holds whatever address it resolved to at that moment. Prefix the match with ! to negate it (! -s 10.0.0.0/8).

When you don’t specify a source, it matches all sources.

You can also use --src or --source.

-d is for destination. This is the same as -s (except it represents the destination host, IP address, or network).

You can also use --dst or --destination.

Page 9: Linux Security - IPtables

FIREWALL RULE PARAMETERS

-j is the target; j stands for “jump to target”.

This specifies what needs to happen to the packet that matches this firewall rule.

Possible values are ACCEPT, DROP, QUEUE, RETURN, the name of a user-defined chain, or an extension target such as LOG, REJECT, DNAT, SNAT or MASQUERADE (loaded from the target modules installed with iptables).

-i is for the input interface. It indicates the interface through which the packet arrived, and is valid only in the INPUT, FORWARD and PREROUTING chains.

For example: -i eth0 indicates that this rule should consider only packets arriving through the interface eth0.

If you don’t specify the -i option, packets arriving on any interface of the system will be considered.

Page 10: Linux Security - IPtables

FIREWALL RULE PARAMETERS

-o is for the output interface.

It indicates the interface through which the packet will be sent out, and is valid only in the OUTPUT, FORWARD and POSTROUTING chains (not INPUT or PREROUTING, where the routing decision has not been made yet and the outgoing interface is unknown).

If you don’t specify the -o option, packets leaving on any interface of the system will be considered.

--sport is for source port (for -p tcp or -p udp).

By default all source ports are matched.

Use either “--sport 22” or “--sport ssh”.

The /etc/services file contains all allowed port names and numbers.

To match a range of ports, use a colon. For example, 22:100.

You can also use --source-port.

Page 11: Linux Security - IPtables

FIREWALL RULE PARAMETERS

--dport is for destination port (for -p tcp or -p udp).

Everything is the same as --sport, except this is for destination ports. You can also use --destination-port.

--tcp-flags is for TCP flags (for -p tcp).

It takes two comma-separated lists: first the flags to examine (the mask), then the flags that must be set among them; flags in the mask but not in the second list must be clear.

Possible values are: SYN, ACK, FIN, RST, URG, PSH. You can also use ALL or NONE.

For example: “--tcp-flags SYN,ACK,FIN,RST SYN” matches packets with SYN set and ACK, FIN and RST clear, i.e. the first packet of a new connection; “--syn” is shorthand for exactly this match.

--icmp-type is for the ICMP type (for -p icmp).

When you use the ICMP protocol “-p icmp”, you can also specify the ICMP type using the “--icmp-type” parameter, by number or by name.

For example: use “--icmp-type 0” (echo-reply) for “Echo Reply”, and “--icmp-type 8” (echo-request) for “Echo”. “iptables -p icmp -h” lists all the type names.
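The script below is an added example (not part of the original slides) that combines the match parameters from the last four slides into one rule set, including the two-argument form of --tcp-flags, ICMP types by name and number, the ! negation, and -o in a chain where it is valid. The addresses, eth0 and the admin subnet are constructed; IPT defaults to `echo iptables`, so the commands are printed rather than applied.

```shell
#!/bin/sh
# Added example (not from the slides): the match parameters from these slides combined
# into one rule set. Addresses and eth0 are constructed; IPT defaults to "echo iptables"
# so the commands are printed, not applied.
IPT="${IPT:-echo iptables}"
WAN=eth0
ADMIN_NET=10.0.0.0/24

match_examples() {
    # -i, -p, -s, -d, --dport: HTTPS from one /24 to one address, arriving on eth0.
    $IPT -A INPUT -i $WAN -p tcp -s 203.0.113.0/24 -d 198.51.100.5 --dport 443 -j ACCEPT
    # Port range with a colon; "!" negates a match (here: any source outside the admin net).
    $IPT -A INPUT -p tcp --dport 5900:5910 ! -s $ADMIN_NET -j DROP
    # --tcp-flags takes two lists: the flags to examine, then the ones that must be set.
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP                 # NULL scan: no flags at all
    $IPT -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP          # XMAS scan (nmap -sX)
    $IPT -A INPUT -p tcp ! --tcp-flags SYN,ACK,FIN,RST SYN -m conntrack --ctstate NEW -j DROP   # NEW but not a SYN
    # --icmp-type by name or number (8 = echo-request): rate-limit pings rather than drop them.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type 8 -j DROP
    # --sport: DNS replies must come from port 53 of the configured resolver.
    $IPT -A INPUT -p udp --sport 53 -s 198.51.100.53 -j ACCEPT
    # -o is valid in OUTPUT, FORWARD and POSTROUTING (not INPUT): outbound SMTP only to the relay.
    $IPT -A OUTPUT -o $WAN -p tcp --dport 25 ! -d 198.51.100.25 -j REJECT --reject-with tcp-reset
}

match_examples
```

The scan-blocking rules are ordered before any ACCEPT so that crafted packets never reach a service rule; the ICMP pair shows the usual pattern of a rate-limited ACCEPT followed by a DROP for whatever exceeds the limit.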

Page 12: Linux Security - IPtables

REFERENCES

Everything in this presentation is from this website: “I just present to you this good information”

* http://www.thegeekstuff.com/2011/01/iptablesfundamentals/

* Interview questions: http://computernetworkingnotes.com/basic-networking-interview/questions-and-answers.html

Page 13: Linux Security - IPtables

THANK YOU