IPTABLES and FIREWALLS Flashcards
What does iptables use on the kernel level?
Netfilter. iptables is the front end that uses netfilter.
When you use iptables, it just tells netfilter what to do.
Name all the chains in iptables
INPUT - incoming
OUTPUT - outgoing
FORWARD - routed
nat - SNAT/MASQUERADE (source NAT) performed in the POSTROUTING chain of this table
nat - DNAT (destination NAT)/port forwarding performed in the PREROUTING chain of this table
mangle - Modify value from packet headers
raw - Skip connection tracking
What is the structure of an iptables command
TABLE COMMAND CHAIN_NAME MATCHES TARGET/JUMP
iptables -t filter -I INPUT -s 192.168.12.1 -j ACCEPT
or
iptables -t table_name command(-I) CHAIN matches(-s 192.168.1.1) -j TARGET
Show the filter (default) tables
Show the nat table
Drop incoming ping echo request packets
Show verbose list info
iptables -L
iptables -t nat -L
iptables -t filter -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -vnL
Deny access to ubuntu.com
iptables -t filter -A OUTPUT -p tcp --dport 80 -d www.ubuntu.com -j DROP
add 443 along with this
What are all the iptables options/flags/commands?
-A
-I
-L
-F
-Z - zero packet and byte counters in all chains or given chain
-N - create user-defined chain by the given name
-X - delete user-defined chain
-P - set policy for chain
Append rule to drop incoming traffic to port 25
This is SMTP
scan afterward to test
iptables -t filter -A INPUT -p tcp --dport 25 -j DROP
nmap -p 25 192.168.0.10
What chains on what tables are the below filtered/performed on:
incoming
outgoing
routed
SNAT/MASQUERADE -> source nat
DNAT/Port Forwarding
Where do you modify packet header?
Where do you skip connection tracking add rules?
Incoming - input chain - filter table
Outgoing - output chain - filter table
Routed - Forward chain - filter table
SNAT/MASQUERADE - Postrouting chain - nat table
DNAT/Port Forwarding - PREROUTING chain - nat table
packet headers - mangle table
connection track add rules - NOTRACK target - raw table
List the nat table’s rules
iptables -t nat -L
Stop your server from receiving pings specifically echo requests
iptables -t filter -A INPUT -p icmp --icmp-type echo-request -j DROP
If you want to see a more verbose list of rules for all chains in the filter table, what command would you use?
iptables -t filter -vnL
v - verbose
n - numeric (no name resolution)
Flush the input chain
then flush all chains in the filter table
Flush all the chains in the nat table
Zero out the packet and byte counters
create a new chain and then delete it
Set the default policy for a chain to accept or drop
Delete a rule from your chain
iptables -F INPUT
iptables -F
iptables -t nat -F
iptables -Z
iptables -N MYCHAIN
iptables -X MYCHAIN
iptables -P INPUT ACCEPT
iptables -D OUTPUT 2
iptables rules are stored in RAM and not saved after restarting
Write these rules to a script
Run your script at boot time
iptables -A INPUT -p icmp -j DROP
cd /scripts
vi firewall.sh
#!/bin/bash <- the shell will interpret it; if it's Python you would point this at the Python interpreter.
iptables -F
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -F <- do this for every table
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o ens166 -j SNAT --to-source 80.0.0.1
This translates source IPs of the 10 network going OUT of NIC ens166 to IP 80.0.0.1.
Basically just NAT to a public IP.
chmod 700 firewall.sh
If you keep executing the script it will re-add the rules and duplicate them; iptables -F at the start prevents this.
Why do you need to ./ before running a script?
The current directory is not part of the known search paths, which are in
echo $PATH
Which policy should go first
Allow IP to SSH
Deny SSH availability
Allow IP to SSH