IPTABLES and FIREWALLS Flashcards

1
Q

What does iptables use on the kernel level?

A

Netfilter. iptables is the user-space front end; the hooks and the actual packet matching live in the Netfilter framework inside the kernel.

When you run an iptables command you are only telling Netfilter which rules to install at which hook.

2
Q

Name the built-in tables and chains in iptables

A

filter table (the default):
INPUT - packets addressed to this host
OUTPUT - packets generated by this host
FORWARD - packets routed through this host

nat table:
POSTROUTING - source NAT (SNAT/MASQUERADE) is done here, after routing
PREROUTING - destination NAT (DNAT/port forwarding) is done here, before routing
OUTPUT - DNAT for locally generated packets

mangle table - modify values in packet headers (TTL, TOS, marks); has all five chains

raw table - skip connection tracking with the NOTRACK target; has PREROUTING and OUTPUT only

3
Q

What is the structure of an iptables command?

A

iptables [-t TABLE] COMMAND CHAIN MATCHES -j TARGET

iptables -t filter -I INPUT -s 192.168.12.1 -j ACCEPT

i.e. table (-t filter), command (-I, insert at the top of the chain), chain (INPUT), match (-s 192.168.12.1), target (-j ACCEPT). If -t is omitted the filter table is assumed.

4
Q

Show the filter (default) table

Show the nat table

Drop incoming ping echo request packets

Show verbose list info

A

iptables -L

iptables -t nat -L

iptables -t filter -A INPUT -p icmp --icmp-type echo-request -j DROP

iptables -vnL

5
Q

Deny access to ubuntu.com

A

iptables -t filter -A OUTPUT -p tcp --dport 80 -d www.ubuntu.com -j DROP
iptables -t filter -A OUTPUT -p tcp --dport 443 -d www.ubuntu.com -j DROP

Caveat: -d with a host name is resolved once, when the rule is added, and one rule is created per address returned. The rules do not follow later DNS changes.

6
Q

What are all the iptables options/flags/commands?

A

-A append a rule to the end of a chain
-I insert a rule (at the top, or at a given position)
-D delete a rule, by rule specification or by rule number
-L list the rules in a chain (or in all chains)
-F flush (delete) all rules in a chain, or in every chain of the table
-Z zero the packet and byte counters in all chains or in the given chain
-N create a user-defined chain with the given name
-X delete a user-defined chain (it must be empty and unreferenced)
-P set the default policy for a built-in chain

7
Q

Append a rule to drop incoming traffic to TCP port 25 (SMTP; SNMP is UDP 161/162, not 25)

Scan afterwards from another host to test

A

iptables -t filter -A INPUT -p tcp --dport 25 -j DROP

nmap -p 25 192.168.0.10

Because the packets are dropped, nmap reports the port as "filtered" rather than "closed" (a REJECT --reject-with tcp-reset would make it show as closed).

8
Q

On which chain of which table is each of the below filtered/performed?

incoming
outgoing
routed
SNAT/MASQUERADE -> source NAT
DNAT/port forwarding

Where do you modify packet headers?

Where do you add rules that skip connection tracking?

A

Incoming - INPUT chain - filter table

Outgoing - OUTPUT chain - filter table

Routed - FORWARD chain - filter table

SNAT/MASQUERADE - POSTROUTING chain - nat table

DNAT/port forwarding - PREROUTING chain - nat table

Packet headers - mangle table

Skip connection tracking - raw table (PREROUTING or OUTPUT chain), with the NOTRACK target

9
Q

List the nat table’s rules

A

iptables -t nat -L

10
Q

Stop your server from receiving pings specifically echo requests

A

iptables -t filter -A INPUT -p icmp --icmp-type echo-request -j DROP

11
Q

If you want to see a more verbose list of rules for all chains in the filter table, what command would you use?

A

iptables -t filter -vnL
-v verbose: packet and byte counters, interfaces
-n numeric: do not resolve addresses and ports to names (faster, and no DNS lookups). For rule numbers add --line-numbers.

12
Q

Flush the input chain
then flush all chains in the filter table
Flush all the chains in the nat table
Zero out the packet and byte counters
create a new chain and then delete it
Set the default policy for a chain to accept or drop
Delete a rule from your chain

A

iptables -F INPUT
iptables -F
iptables -t nat -F
iptables -Z
iptables -N MYCHAIN
iptables -X MYCHAIN
iptables -P INPUT ACCEPT
iptables -P INPUT DROP
iptables -D OUTPUT 2

-D takes either the rule number (see iptables -L --line-numbers) or the exact rule specification. Set a DROP policy only after the rules that allow your own session (SSH, ESTABLISHED) are in place, or you lock yourself out.

13
Q

iptables rules live in kernel memory and are lost on reboot
Write the rules to a script
Run the script at boot time

A

iptables -A INPUT -p icmp -j DROP <- added by hand, gone after a reboot

cd /scripts
vi firewall.sh
#!/bin/bash <- the shell will interpret the file; for Python you would point this at the Python interpreter instead

iptables -t filter -F <- flush every table you touch, not only filter
iptables -t nat -F
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o ens166 -j SNAT --to-source 80.0.0.1
The last rule translates the source IPs of the 10.0.0.0/8 network going OUT of NIC ens166 to the IP 80.0.0.1.
Basically just NAT to a public IP.

chmod 700 firewall.sh

Every run of the script appends its rules again, so without the flush at the top the rules would be duplicated each time; the flush is what makes the script safe to re-run and to run at boot. Alternatively save the live rule set with iptables-save and load it at boot with iptables-restore.

14
Q

Why do you need to ./ before running a script?

A

The current directory is not in the shell's search path, which you can see with
echo $PATH
The shell only looks in those directories for a bare command name, so ./firewall.sh gives it an explicit path (the file also needs execute permission, hence the chmod).

15
Q

Which rule should go first?
Allow one IP to SSH
Deny SSH to everyone

A

Allow the IP to SSH. Rules are evaluated top to bottom and the first match decides, so the specific allow must come before the general deny or it is never reached.

16
Q

Delete all rules for all tables

A

iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F

-F removes rules but leaves chain policies and user-defined chains alone: if a built-in chain's policy is DROP you are now blocking everything, so set -P ... ACCEPT first, and remove user-defined chains with -X.

17
Q

If we wanted to block www.ubuntu.com without giving iptables the URL/host name ("something more common in firewalld"),
how would we do it?

A

dig www.ubuntu.com
Block every address listed in the ANSWER SECTION, one rule per A record:

iptables -A OUTPUT -d 185.125.190.29 -j DROP

The answer is a snapshot: large sites return different addresses over time, so the list has to be refreshed.

18
Q

With bigger websites, would you use iptables to block traffic?

A

No. For sites that resolve to a huge, changing set of IPs you should filter at the application layer with a proxy such as Squid, which can block by URL/host name. (Within iptables itself, ipset keeps a large address list in one rule instead of one rule per address.)

19
Q

Allow outgoing traffic to https

A

iptables -A OUTPUT -p tcp --dport 443 -d 0/0 -j ACCEPT

-d 0/0 means 0.0.0.0/0, any destination; it is the default and can be left out.

20
Q

How would you block multiple TCP or UDP ports in one rule?

A

iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP

-m = load a match extension; multiport takes up to 15 ports and needs -p tcp or -p udp
--dports = destination ports
--sports = source ports
--ports = either source or destination

21
Q

What does filtered mean in nmap?

A

Nmap got no answer to its probe (or an ICMP unreachable), so it cannot tell whether the port is open or closed; typically a firewall is dropping the probes. "closed" means the host answered with a RST, i.e. nothing is listening but nothing is filtering either.

22
Q

What is a stateful firewall?
What is connection tracking?

What are the connection states / packet states?

A

A stateful firewall is one that uses connection tracking: Netfilter's conntrack keeps a table of the connections it has seen, and the firewall classifies each packet by its relation to those connections instead of judging every packet in isolation.

This is more secure, because the decision to accept or drop can be based on the relation a packet has to other packets (e.g. only let in replies to connections we opened).

Packet states:
NEW - first packet of a connection (for TCP, normally a SYN)
ESTABLISHED - packet belongs to a connection that has already seen traffic in both directions
RELATED - packet opens a new connection that is related to an existing one (FTP data channel, ICMP errors for a tracked connection)
INVALID - packet cannot be associated with any known connection, or is malformed
UNTRACKED - packet was exempted from tracking in the raw table with the NOTRACK target

23
Q

ACCEPT incoming packets that belong to connections this host opened, so that the replies to our outgoing connections get in

A

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-m conntrack --ctstate ESTABLISHED,RELATED is the current spelling; -m state --state is kept as an alias.

24
Q

You should always allow loopback traffic on incoming and outgoing packets; do this

Drop packets whose state cannot be determined

A

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT <- OUTPUT has no input interface; -i is rejected there, use -o

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

After this only NEW, ESTABLISHED and RELATED packets remain to be decided on.

You can also refuse NEW connections to the system entirely and accept only ESTABLISHED and RELATED on INPUT. NEW must still be allowed on OUTPUT, otherwise the host cannot open connections itself.
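The boot-time script of card 13 and the stateful baseline of cards 22-24, put together as one idempotent firewall script. This is an added example, not part of the flashcards; the admin address, the interface name and the 10.0.0.0/8 network are assumptions carried over from earlier cards. Every iptables call goes through a small wrapper so the whole rule set can be printed and reviewed without root.

```bash
#!/bin/bash
# Added example, not from the flashcards: an idempotent firewall script of the
# kind card 13 asks for, carrying the stateful baseline of cards 22-24. The
# admin address, interface name and internal network are assumptions.
set -eu

SSH_ALLOWED="${SSH_ALLOWED:-192.168.12.1}"   # assumed admin host
WAN_IF="${WAN_IF:-ens166}"                   # assumed egress interface

# With IPT_DRY_RUN=1 the rule is printed instead of executed, so the rule set
# can be reviewed (and tested) without root and without iptables installed.
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

reset_all_tables() {
    # Policies first: flushing while a DROP policy is still on INPUT would cut
    # off the SSH session that is running this script.
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD ACCEPT
    # Flush every table, not only filter, and delete user-defined chains. This
    # is what keeps a re-run (or a boot-time run) from duplicating rules.
    for t in filter nat mangle raw; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
}

apply_rules() {
    reset_all_tables

    # Rules are evaluated top to bottom, first match wins.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT     # OUTPUT has no input interface: -o, not -i

    # -m conntrack --ctstate is the current spelling of -m state --state.
    ipt -A INPUT  -m conntrack --ctstate INVALID -j DROP
    ipt -A OUTPUT -m conntrack --ctstate INVALID -j DROP
    # Replies to connections we opened, plus related traffic (ICMP errors, FTP data).
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Specific allow before general deny (card 15).
    ipt -A INPUT -p tcp --dport 22 -s "$SSH_ALLOWED" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -j DROP

    # Drop incoming echo requests (cards 4/10) and SMTP (card 7).
    ipt -A INPUT -p icmp --icmp-type echo-request -j DROP
    ipt -A INPUT -p tcp --dport 25 -j DROP

    # Source NAT for the internal network leaving through the WAN interface (card 13).
    ipt -t nat -A POSTROUTING -s 10.0.0.0/8 -o "$WAN_IF" -j MASQUERADE

    # Default deny for everything else arriving or forwarded; outgoing stays open.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) IPT_DRY_RUN=1 apply_rules ;;
    *)       printf 'usage: %s apply|dry-run\n' "$0" >&2 ;;
esac
```

`bash firewall.sh dry-run` prints the exact commands in the order they would run; `bash firewall.sh apply` installs them. Because the script starts by resetting policies to ACCEPT and flushing every table, running it twice gives the same rule set as running it once, which is what makes it safe as a boot-time script. To persist the result instead, `iptables-save > /etc/iptables/rules.v4` after applying and let `iptables-restore` load that file at boot (the iptables-persistent package on Debian/Ubuntu does exactly that).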

25
Q

Filter Ethernet or wireless traffic by MAC address. This can only be done by SOURCE MAC, and only in the PREROUTING, INPUT and FORWARD chains.

Drop all incoming traffic from one MAC

A

iptables -A INPUT -i wlan0 -m mac --mac-source 08:00:27:55:6f:20 -j DROP

MACs are only meaningful on the local LAN segment: every router rewrites the source MAC to that of its own outgoing interface, so traffic from outside the LAN arrives carrying the router's MAC.

MACs are also trivially spoofed, another reason why filtering on incoming MAC gives little protection.

26
Q

Show the help screen of the iptables time match
Which time zone does the time match use by default?
How do you make netfilter/iptables compare against the kernel's local time zone instead?

Write a script that only allows SSH during certain hours

A

iptables -m time --help
UTC by default
add --kerneltz to the rule: iptables ... -m time --kerneltz --timestart ... (compares against the kernel's local time zone instead of UTC)

vi ip_rules.sh
#!/bin/bash
iptables -F

iptables -A INPUT -p tcp --dport 22 -m time --timestart 10:00 --timestop 16:00 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j DROP
:wq
chmod 700 ip_rules.sh

27
Q

If you were a router and blocking routed traffic, what chain would you use?

A

FORWARD

28
Q

Log the packet headers of incoming SSH connection attempts
Label them at log level info
Give them the prefix "incoming ssh:" in the logs

A

iptables -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "incoming ssh:" --log-level info

--syn matches only the first packet of each TCP connection, so every attempt is logged once. LOG is a non-terminating target: the packet continues down the chain, so this rule goes before whatever accepts or drops it. The prefix may be at most 29 characters and is printed directly in front of the IN= field (add a trailing space if you want them separated); the lines end up in the kernel log (dmesg / journalctl -k).
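What to do with those log lines: an added example (not part of the flashcards) that counts logged SSH attempts per source address and flags the sources above a threshold. The log lines below are constructed samples in the format the LOG target writes, with RFC 5737 addresses and invented host and MAC values; the function names are my own.

```bash
#!/bin/bash
# Added example, not from the flashcards: summarise the kernel log lines that a
# LOG rule like the one above produces, and flag sources that keep trying.
# SAMPLE_KLOG is constructed (LOG target format, RFC 5737 addresses, invented
# host and MAC values); the function names are assumptions.
set -eu

SAMPLE_KLOG='Mar  3 10:01:02 host1 kernel: incoming ssh:IN=eth0 OUT= MAC=08:00:27:55:6f:20:52:54:00:12:34:56:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:03 host1 kernel: incoming ssh:IN=eth0 OUT= MAC=08:00:27:55:6f:20:52:54:00:12:34:56:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:04 host1 kernel: incoming ssh:IN=eth0 OUT= MAC=08:00:27:55:6f:20:52:54:00:12:34:56:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1003 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:09 host1 kernel: incoming ssh:IN=eth0 OUT= MAC=08:00:27:55:6f:20:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:10 host1 kernel: eth0: link is up'

# Count logged packets per source address for one log prefix, most frequent
# first. A LOG line is a run of KEY=VALUE tokens, so we scan for SRC=.
sources_by_count() {
    prefix="${1:-incoming ssh:}"
    grep -F -- "$prefix" | awk '{
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, 4) == "SRC=") n[substr($i, 5)]++
    } END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Read "count source" lines and print the sources at or above the threshold.
above_threshold() {
    awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}

# On a live box: journalctl -k | sources_by_count "incoming ssh:" | above_threshold 20
printf '%s\n' "$SAMPLE_KLOG" | sources_by_count "incoming ssh:"
```

The pipeline keys on the prefix, so the same two functions work for any LOG rule as long as each rule gets its own prefix; that is the practical reason to give every LOG rule a distinct one. The sources this prints are the candidates for a DROP rule at the top of INPUT (or an ipset).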