IPTABLES and FIREWALLS Flashcards
What does iptables use on the kernel level?
Netfilter, IPtables is the front end that utilizes netfilter.
When you use IPtables, it just communicates to netfilter what it wants to do.
Name all the chains in iptables
INPUT - incoming
OUTPUT - outgoing
FORWARD - routed
nat - (source nat) SNAT/MASQUERADE, performed in the POSTROUTING chain of this table
nat - DNAT (destination nat)/port forwarding, performed in the PREROUTING chain of this table
mangle - Modify value from packet headers
raw - Skip connection tracking
What is the structure of an iptables command
TABLE COMMAND CHAIN_NAME MATCHES TARGET/JUMP
iptables -t filter -I INPUT -s 192.168.12.1 -j ACCEPT
or
iptables -t table_name -command(-I) CHAIN matches(-s) 192.168.1.1 -j TARGET
Show the filter (default) tables
Show the nat table
Drop incoming ping echo request packets
Show verbose list info
iptables -L
iptables -t nat -L
iptables -t filter -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -vnL
Deny access to ubuntu.com
iptables -t filter -A OUTPUT -p tcp --dport 80 -d www.ubuntu.com -j DROP
add 443 along with this
What are all the iptables options/flags/commands?
-A
-I
-L
-F
-Z - zero packet and byte counters in all chains or given chain
-N - create user-defined chain by the given name
-X Delete user-defined chain
-P set policy for chain
Append rule to drop incoming traffic to port 25
This is SMTP
scan afterward to test
iptables -t filter -A INPUT -p tcp --dport 25 -j DROP
nmap -p 25 192.168.0.10
What chains on what tables are the below filtered/performed on:
incoming
outgoing
routed
SNAT/MASQUERADE -> source nat
DNAT/Port Forwarding
Where do you modify packet header?
Where do you skip connection tracking add rules?
Incoming - input chain - filter table
Outgoing - output chain - filter table
Routed - Forward chain - filter table
SNAT/MASQUERADE - Postrouting chain - nat table
DNAT/Port Forwarding - Prerouting chain - nat table
packet headers - mangle table
connection track add rules - NOTRACK target - raw table
List the nat table’s rules
iptables -t nat -L
Stop your server from receiving pings specifically echo requests
iptables -t filter -A INPUT -p icmp --icmp-type echo-request -j DROP
If you want to see a more verbose list of rules for all chains in the filter table, what command would you use?
iptables -t filter -vnL
v - verbose
n - numeric (show IP addresses and port numbers instead of resolving names)
Flush the input chain
then flush all chains in the filter table
Flush all the chains in the nat table
Zero out the packet and byte counters
create a new chain and then delete it
Set the default policy for a chain to accept or drop
Delete a rule from your chain
iptables -F INPUT
iptables -F
iptables -t nat -F
iptables -Z
iptables -N MYCHAIN
iptables -X MYCHAIN
iptables -P INPUT ACCEPT
iptables -D OUTPUT 2
iptables rules are stored in RAM and not saved after restarting
Write these rules to a script
Run your script at boot time
iptables -A INPUT -p icmp -j DROP
cd /scripts
vi firewall.sh
#!/bin/bash <- the shebang tells the system which interpreter runs the script; a Python script would point at the Python interpreter instead.
iptables -F
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -F <- do this for every table
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o ens166 -j SNAT --to-source 80.0.0.1
This translates the source IPs of the 10.0.0.0/8 network going OUT of NIC ens166 to the IP 80.0.0.1
Basically just NAT to a public IP.
chmod 700 firewall.sh
If you keep executing the script, each run appends the same rules again and duplicates them; the iptables -F at the top prevents this.
Why do you need to ./ before running a script?
The script's directory is not one of the search paths the shell looks in, which you can display with
echo $PATH
Which policy should go first
Allow ip to ssh
deny ssh availability
Allow ip to ssh
Delete all rules for all tables
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F
If we wanted to block www.ubuntu.com without using the url (“Something more common in firewalld”)
How would we perform this?
dig www.ubuntu.com
block all ips listed in the answer section
iptables -A OUTPUT -d 185.125.190.29 -j DROP
With bigger websites, would you use IP tables to block traffic?
No, for sites that have a huge list of IPs associated you should use an application firewall, like squid.
Allow outgoing traffic to https
iptables -A OUTPUT -p tcp –dport 443 -d 0/0 -j ACCEPT
How would you block multiple tcp or udp ports?
iptables -A INPUT -p tcp -m multiport --sports 80,443 -j DROP
-m = match
--dports = destination ports
--sports = source ports
What does filtered mean in nmap?
nmap cannot tell whether the port is open because a firewall is filtering its probes
What is a stateful firewall
What is connection tracking
What are the connection states/packet states?
Stateful firewalls and connection tracking refer to the same thing.
This is the ability to maintain state information about the connections
These are more secure, and decide to accept or drop packets based on relations packets have with other packets
Packet states:
New - first packet in connection
Established - Packets are part of existing connection
Related - Packets are requesting new connection and are part of existing connection (FTP)
Invalid - Packets are not part of existing connection
Untracked - Packets marked within the raw table with the NOTRACK target.
ACCEPT incoming packets that belong to an existing connection (or are related to one), so the connections we initiate can receive their replies
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
You should always allow loopback connection on incoming and outgoing packets, do this
Drop packets that you cannot tell what state they are in
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
NEW, ESTABLISHED, RELATED are the only states allowed.
We could also specify that we don't want new connections established with the system, only established and related. Putting NEW on OUTPUT would be fine though, since that is necessary.
Filter ethernet or wireless traffic. This can only be done by SOURCE MAC.
DROP all incoming traffic
iptables -A INPUT -i wlan0 -m mac --mac-source 08:00:27:55:6g:20 -j DROP
MACs are only valid within the LAN. Each router on the path replaces the source MAC with that of its own outgoing interface.
MACs can be spoofed easily too, another reason filtering on incoming MACs is of limited value.
show iptables mtime help screen
What time does iptables go by
How can you make netfilter/iptables use the system time?
Create a script that will only allow you to do certain things at certain times
iptables -m time --help
UTC
iptables -m time --kerneltz
vi ip_rules.sh
#!/bin/bash
iptables -F
iptables -A INPUT -p tcp --dport 22 -m time --timestart 10:00 --timestop 16:00 -j ACCEPT
iptables -A INPUT -p tcp –dport 22 -j DROP
:wq
chmod 700 ip_rules.sh
If you were a router and blocking routed traffic, what chain would you use?
FORWARD
Log packet header information for incoming SSH connection attempts
Label these at info level
Give these a prefix in the logs of "incoming ssh:"
iptables -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "incoming ssh:" --log-level info