IPTABLES Flashcards
IPTABLE- default policy for INPUT chain
- Set a default policy to DROP all packets
- Add rules to specifically allow (ACCEPT) packets that may be from trusted IP addresses, or for certain ports on which we have services running such as bittorrent, FTP server, Web Server, Samba file server etc.
IPTABLE- status & getting it running
Is it running?
> lsmod | grep ip_tables
lsmod is used because IPTABLES is a module that needs to be installed and loaded
Get it running
> system-config-securitylevel
IPTABLE- default policy for OUTPUT chain
- Set a default policy to ACCEPT all packets. Usually this is always the case as we trust all packets leaving our host.
- Exceptionally, add rules to specifically block (DROP) packets to specific nuisance IP addresses or ranges, or towards certain ports.
IPTABLE- is it installed?
first line is command at prompt, second line kernel reply
> rpm -q iptables
iptables-1.4.7-5.1.el6_2.x86_64
IPTABLE : inspect the currently loaded rules
Displays the three chains that define an IPTABLE (Input, Output, Forward)
> iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Comment the following command lines
> iptables -P INPUT ACCEPT
> iptables -F
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp –dport 22 -j ACCEPT
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
> iptables -L -v
iptables -P INPUT ACCEPT If connecting remotely we must first temporarily set the default policy on the INPUT chain to ACCEPT otherwise once we flush the current rules we will be locked out of our server.
iptables -F We used the -F switch to flush all existing rules so we start with a clean state from which to add new rules.
iptables -A INPUT -i lo -j ACCEPT Now it’s time to start adding some rules. We use the -A switch to append (or add) a rule to a specific chain, the INPUT chain in this instance. Then we use the -i switch (for interface) to specify packets matching or destined for the lo (localhost, 127.0.0.1) interface and finally -j (jump) to the target action for packets matching the rule - in this case ACCEPT. So this rule will allow all incoming packets destined for the localhost interface to be accepted. This is generally required as many software applications expect to be able to communicate with the localhost adaptor.
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT This is the rule that does most of the work, and again we are adding (-A) it to the INPUT chain. Here we’re using the -m switch to load a module (state). The state module is able to examine the state of a packet and determine if it is NEW, ESTABLISHED or RELATED. NEW refers to incoming packets that are new incoming connections that weren’t initiated by the host system. ESTABLISHED and RELATED refers to incoming packets that are part of an already established connection or related to and already established connection.
iptables -A INPUT -p tcp –dport 22 -j ACCEPT Here we add a rule allowing SSH connections over tcp port 22. This is to prevent accidental lockouts when working on remote systems over an SSH connection. We will explain this rule in more detail later.
iptables -P INPUT DROP The -P switch sets the default policy on the specified chain. So now we can set the default policy on the INPUT chain to DROP. This means that if an incoming packet does not match one of the following rules it will be dropped. If we were connecting remotely via SSH and had not added the rule above, we would have just locked ourself out of the system at this point.
iptables -P FORWARD DROP Similarly, here we’ve set the default policy on the FORWARD chain to DROP as we’re not using our computer as a router so there should not be any packets passing through our computer.
iptables -P OUTPUT ACCEPT and finally, we’ve set the default policy on the OUTPUT chain to ACCEPT as we want to allow all outgoing traffic (as we trust our users).
iptables -L -v we can list (-L) the rules we’ve just added to check they’ve been loaded correctly.
Finally, when we are satisfied, the last thing we need to do is save our rules so that next time we reboot our computer our rules are automatically reloaded:
> /sbin/service iptables save
Comment the following command line
> /sbin/service iptables save
This executes the iptables init script, which:
- runs /sbin/iptables-save and writes the current iptables configuration to /etc/sysconfig/iptables.
- Upon reboot, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.
Comment the following command lines
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -i eth0 -j ACCEPT
> iptables -A INPUT -i ppp0 -j ACCEPT
Accept all packets incoming on local host interface
Accept all packets incoming on NIC eth0
Accept all packets incoming on dial up modem ppp0
Comment the following command lines
> iptables -A INPUT -s 192.168.0.4 -j ACCEPT
> iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
> iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
Accept all packets incoming from single host 192.168.0.4
Accept all packets incoming from hosts in 192.168.0.0/24 LAN
Ditto
Comment the following command lines
> iptables -A INPUT -s 192.168.0.4 -m mac –mac-source 00:50:8D:FD:E6:32 -j ACCEPT
Here we verify the IP address and the MAC address of the source.
- We therefore need to load the MAC module (-m mac)
- Then we use (–mac-source) to specify the mac address of the source IP address
This may be useful for preventing spoofing of the source IP address as it will allow any packets that genuinely originate from 192.168.0.4 (having the mac address 00:50:8D:FD:E6:32) but will block any packets that are spoofed to have come from that address. Note, mac address filtering won’t work across the internet but it certainly works fine on a LAN.
Comment the following command lines
>iptables -A INPUT -p tcp –dport 6881 -j ACCEPT
>iptables -A INPUT -p tcp –dport 6881:6890 -j ACCEPT
>iptables -A INPUT -p tcp -s 192.168.0.0/24 –dport 22 -j ACCEPT
- Here we append (-A) a rule to the INPUT chain for packets matching the tcp protocol (-p tcp) and entering our machine on destination port 6881 (–dport 6881).
- Allows all tcp packets on the range 6881 to 6890
- Allows all tcp packets from IP address sources on LAN 192.168.0.0/24 entering our host on destination port 22 (SSH)