IPTABLES and FIREWALLS

Question 1

What does iptables use on the kernel level?

Answer 1

Netfilter, IPtables is the front end that utilizes netfilter.

When you use IPtables, it just communicates to netfilter what it wants to do.

Question 2

Name all the chains in iptables

Answer 2

INPUT - incoming

OUTPUT - outgoing

FORWARD - routed

nat - (source nat)SNAT/MASQUERADE performed post routing chain of this table

nat - DNAT(destination nat)/Portforwarding performed pretrouting chain of this table

mangle - Modify value from packet headers

raw - Skip connection tracking

Question 3

What is the structure of an iptables command

Answer 3

TABLE COMMAND CHAIN_NAME MATCHES TARGET/JUMP

iptables -t filter -I INPUT -s 192.168.12.1 -j ACCEPT

or

iptables -t table_name -command(-I) CHAIN matches(-s) 192.168.1.1 -j TARGET

Question 4

Show the filter (default) tables

Show the nat table

Drop incoming ping echo request packets

Show verbose list info

Answer 4

iptables -L

iptables -t nat -L

iptables -t filter -A INPUT -p icmp –icmp-type echo-request -j DROP

iptables -vnL

Question 5

Deny access to ubuntu.com

Answer 5

iptables -t filter -A OUTPUT –p tcp –dport 80 -d www.ubuntu.com -j DROP

add 443 along with this

Question 6

What are all the iptables options/flags/commands?

Answer 6

-A
-I
-L
-F
-Z - zero packet and byte counters in all chains or given chain
-N - create user-defined chain by the given name
-X Delete user-defined chain
-P set policy for chain

Question 7

Append rule to drop incoming traffic to port 25
This is SNMP

scan afterword to test

Answer 7

iptables -t filter -A INPUT -p tcp –dport 25 -j DROP

nmap -p 25 192.168.0.10

Question 8

What chains on what tables are the below filtered/performed on:

incoming
outgoing
routed
SNAT/MASQUERADE -> source nat
DNAT/Port Forwarding

Where do you modify packet header?

Where do you skip connection tracking add rules?

Answer 8

Incoming - input chain - filter table

Outgoing - output chain - filter table

Routed - Forward chain - filter table

SNAT/MASQUERADE - Postrouting chain - nat table

DNAT/Port Forwarding - Prerouting chian - nat table

packet headers - mangle table

connection track add rules - NOTRACK target - raw table

Question 9

List the nat table’s rules

Answer 9

iptables -t nat -L

Question 10

Stop your server from receiving pings specifically echo requests

Answer 10

iptables -t filter -A INPUT -p ICMP –icmp-type echo-request -j DROP

Question 11

If you want to see a more verbose list of rules for all chains in the filter table, what command would you use?

Answer 11

iptables -t filter -vnL
v - verbose
n - numbered

Question 12

Flush the input chain
then flush all chains in the filter table
Flush all the chains in the nat table
Zero out the packet and byte counters
create a new chain and then delete it
Set the default policy for a chain to accept or drop
Delete a rule from your chain

Answer 12

iptables -F INPUT
iptables -F
iptables -t nat -F
iptables -Z
iptables -N MYCHAIN
iptables -X MYCHAIN
iptables -P INPUT ACCEPT
iptables -D OUTPUT 2

Question 13

iptables rules are stored in RAM and not saved after restarting
Write these rules to a script
Run your script at boot time

Answer 13

iptables -A INPUT -p icmp -j DROP

cd /scripts
vi firewall.sh
#!/bin/bash <- shell will interpret it, if it’s python you would direct this to the python interpreter.

iptables -F
iptable -A INPUT -p tcp –dport 22 -j DROP
iptables -F <- do this for every table
iptable -t nat POSTROUTING -s 10.0.0.0/8 -o ens166 -j SNAT –to-source 80.0.0.1
This translates source ips of the 10 network going OUT of NIC ens166 to ip 80.0.0.1
Basically just NAT to a public IP.

chmod 700 firewall.sh

If you keep executing the script it will update iptables and double the rules IPTABLES -F prevents this

Question 14

Why do you need to ./ before running a script?

Answer 14

It’s not part of the known paths to the kernel which are in
echo $PATH

Question 15

Which policy should go first
Allow ip to ssh
deny ssh availability

Answer 15

Allow ip to ssh

Question 16

Delete all rules for all tables

Answer 16

iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F

Question 17

If we wanted to block www.ubuntu.com without using the url (“Something more common in firewalld”)
How would we perform this?

Answer 17

dig www.ubuntu.com
block all ips listed in the answer section

iptables -A OUTPUT -d 185.125.190.29 -j DROP

Question 18

With bigger websites, would you use IP tables to block traffic?

Answer 18

No, for sites that have a huge list of IPs associated you should use an application firewall, like squid.

Question 19

Allow outgoing traffic to https

Answer 19

iptables -A OUTPUT -p tcp –dport 443 -d 0/0 -j ACCEPT

Question 20

How would you block multiple tcp or udp ports?

Answer 20

iptables -INPUT -p tcp -m multiport –sports 80,443 -j DROP

-m = match
–dports = destination ports
–sports = source ports

Question 21

What does filtered mean in nmap?

Answer 21

The port is open but filtered via a firewall

Question 22

What is a stateful firewall
What is connection tracking

What are the connection states/packet staes?

Answer 22

Stateful firewalls and connection tracking refer to the same thing.

This is the ability to maintain state information about the connections

These are more secure, and decide to accept or drop packets based on relations packets have with other packets

Packet states:
New - first packet in connection
Established - Packets are part of existing connection
Related - Packets are requesting new connection and are part of existing connection (FTP)
Invalid - Packets are not part of existing connection
Untracked - Packets marked within the raw table with the NOTTRACK target.

Question 23

ACCEPT packets if they are part of an existing packet connection going out, so we can connect

Answer 23

iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

Question 24

You should always allow loopback connection on incoming and outgoing packets, do this

Drop packets that you cannot tell what state they are in

Answer 24

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -i lo -j ACCEPT

iptables -A INPUT -m state –state INVALID -j DROP
iptables -A OUTPUT -m state –state INVALID -j DROP

NEW, STABLISHED, RELATED are the only states allowed.

We could also specify that we don’t want new connections established with the system, only established and related. Putting New on OUTPUT would be fine though since that is neccessary.

Question 25

Filter ethernet or wireless traffic. This can only be done by SOURCE MAC.

DROP all incoming traffic

Answer 25

iptables -A INPUT -i wlan0 -m mac –mac-source 08:00:27:55:6g:20 -j DROP

MACS are only valid in LAN. Source routers change the MAC with it’s own outgoing interface.

MACS can be spoofed easily too, another reason incoming macs wouldn’t matter being filtered.

Question 26

show iptables mtime help screen
What time does iptables go by
How can you make netfilter/iptables use the system time?

Create a script that will only allow you to do certain things at certain times

Answer 26

iptables –m time –help
UTC
iptables –m time –kerneltz

vi ip_rules.sh
#!/bin/bash
iptables -F

iptables -A INPUT -p tcp –dport 22 -m time –timestart 10:00 –timestop 16:00 -j ACCEPT

iptables -A INPUT -p tcp –dport 22 -j DROP
:wq
chmod 700 ip_rules.sh

Question 27

If you were a router and blocking routed traffic, what chain would you use?

Answer 27

FORWARD

Question 28

Log packets information about packet headers for something
Label these at info leven
Give these a prefix in the logs of “incoming ssh:”

Answer 28

iptables -A INPUT -p tcp –dport 22 -syn -j LOG –log-prefix=”incoming ssh:” –log-level info