Version 1.0 -- 2006-01-02 by Shashin T. Thakur

This tutorial is a concise document for people who are new to iptables. It is an
edited version of the original documentation from www.netfilter.org.
This is a small reference document which I have created for my own purpose and which I would
like to share with all members of the open-source community. Your suggestions and feedback are
very important to improve it.
Hope this is helpful for you.
IPTABLES

A packet filter is a piece of software which looks at the header of packets as
they pass through, and decides the fate of the entire packet. It might decide to
DROP the packet (i.e., discard the packet as if it had never been received),
ACCEPT the packet (i.e., let the packet go through), or something more
complicated. On Linux this is done in the kernel.
It is done for three things: monitoring, security, and controlling.
In iptables there are 3 main types of packet traversal. For example, let A, B and C be
three systems:
1. A<-->B<-->C : forward packets from A to C via B.
2. B--->C : send packets from B to another system, C.
3. A--->B : local packets received at B from A.

There are three main tables in iptables:
1. Mangle (alter packets)
2. Filter
3. NAT

1. Mangle has the following sub-tables (chains):
   1. Prerouting: - altering packets before the routing decision.
   2. Output: - changing and altering locally generated packets before the routing decision.
   Note:- MANGLE is never used for NAT or MASQ.
2. Filter has the following sub-tables (chains):
   1. Forward: - packets neither from our own source nor to our own destination.
   2. Input: - packets for our own destination.
   3. Output: - locally generated packets.
3. NAT has the following sub-tables (chains):
   1. Prerouting: - altering packets as they come into the firewall.
   2. Postrouting: - altering packets as they leave the firewall.
   3. Output: - altering of locally generated packets.

Packets meant for a different destination (forwarded packets):
1. On the wire
2. Comes in on the interface
3. MANGLE-PREROUTING: - changing TOS
4. NAT-PREROUTING: - DNAT
5. Routing decision
6. Filter FORWARD: - all forwarded packets are filtered here and go on from here.
7. NAT-POSTROUTING: - SNAT
8. Goes out on the interface
9. Out on the wire

Packets meant for our own system (incoming packets):
1. On the wire
2. Comes in on the interface
3. MANGLE-PREROUTING: - changing TOS
4. NAT-PREROUTING: - DNAT
5. Routing decision
6. Filter INPUT: - filtering of all incoming traffic
7. Local process or server

Packets meant to be sent to another system (outgoing packets):
1. Local process or server
2. MANGLE-OUTPUT: - TOS
3. NAT-OUTPUT: -
4. Filter OUTPUT: - where we filter the outgoing traffic of the local host
5. Routing decision
6. NAT-POSTROUTING: - SNAT (filtering here is not recommended)
7. Interface
8. Internet
Usage of the Three Tables
- Mangle
  - DNAT, SNAT and MASQ are not recommended here.
  - Valid targets in mangle are TOS, TTL and MARK.
  - Bandwidth limiting and QoS are done on the basis of packet marking.
- NAT table
  - For NATing.
  - SNAT, DNAT and MASQUERADING are done here.
  - Only the first packet of a connection will hit the chain; the rest of the packets get the
    same action.
  - DNAT: change the destination and reroute into the host, e.g. into a DMZ.
  - SNAT: change the source address of the packet, e.g. hiding the DMZ IP pool.
  - MASQ: same as SNAT but with more overhead; it allows dynamically assigned IP addresses.
- Filter
  - Filtering of the packet is done here (ACCEPT/DROP based on the payload).
  - DROP.
  - LOG.
  - ACCEPT.
  - REJECT.
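The DNAT/SNAT usage described above, worked through as a small script. This is an added example and not part of the original tutorial; the interface names (eth0/eth1), the public address 203.0.113.10 (a documentation range), the DMZ host 192.168.1.10 and the DMZ network 192.168.1.0/24 are assumptions. By default the script only prints the commands (DRY_RUN=1); set DRY_RUN=0 to apply them as root. It also shows the point made by the packet-flow lists above: the filter FORWARD chain runs after NAT PREROUTING, so it must match the translated (DMZ) destination, not the public address.

```shell
#!/bin/sh
# Added example, not from the original tutorial: DNAT a public web port into a DMZ
# host and SNAT the DMZ's outbound traffic, with the filter rules the translated
# traffic needs. Interface names and addresses are assumptions for illustration
# (203.0.113.0/24 is a documentation range).
WAN_IF=${WAN_IF:-eth0}                  # assumed Internet-facing interface
DMZ_IF=${DMZ_IF:-eth1}                  # assumed DMZ interface
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}    # assumed public address of the firewall
DMZ_WEB=${DMZ_WEB:-192.168.1.10}        # assumed DMZ web server
DMZ_NET=${DMZ_NET:-192.168.1.0/24}      # assumed DMZ network
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}                   # 1 = only print the commands, 0 = execute them

# run: print the iptables command (dry run) or execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

nat_rules() {
    run -t nat -F
    # DNAT in PREROUTING: the first packet of a connection to the public address, port 80,
    # is rewritten to the DMZ host; conntrack applies the same translation to the rest of it.
    run -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_WEB"
    # SNAT in POSTROUTING: hide the DMZ pool behind the public address on the way out.
    run -t nat -A POSTROUTING -o "$WAN_IF" -s "$DMZ_NET" -j SNAT --to-source "$PUBLIC_IP"
    # Filter FORWARD runs after NAT PREROUTING, so it sees the *translated* destination.
    run -P FORWARD DROP
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_WEB" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    # DMZ hosts may open outbound connections (these are the ones SNATed above).
    run -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_NET" -m state --state NEW -j ACCEPT
}

# nat_rule_count: number of rules the plan adds to the nat table (checks the dry run)
nat_rule_count() { DRY_RUN=1 nat_rules | grep -c -- ' -t nat -A '; }

# forward_matches_translated_dst: true if the FORWARD rule matches the DMZ host, not the public IP
forward_matches_translated_dst() {
    DRY_RUN=1 nat_rules | grep -- '-A FORWARD' | grep -q -- "-d $DMZ_WEB -p tcp --dport 80"
}

nat_rules
```

Run it as `sh nat-dmz.sh` to review the generated rules first; only then `DRY_RUN=0 sh nat-dmz.sh`. A common mistake is writing the FORWARD rule with `-d 203.0.113.10`: it never matches, because by the time the packet reaches FORWARD its destination is already 192.168.1.10.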
CONNECTION STATE:-
There are 4 states of a connection:
- NEW:- the packet is the first one of a new connection.
- ESTABLISHED:- the state once traffic has been seen in both directions.
- RELATED:- a connection spawned from an already established connection.
- INVALID:- the state could not be identified.
- The conntrack module keeps all state freshly in memory according to certain rules.
- State calculation is done based on the following:
  (i) state for TCP & UDP:- source IP, destination IP, source port and destination port.
  (ii) for ICMP: some other rules are applied.

conntrack debug:-
tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2

Explanation of the fields:
- tcp: the protocol; 6: the protocol number in normal decimal encoding.
- 117: the lifetime of the entry in seconds, which is decremented until the entry expires.
- SYN_SENT: only the TCP SYN packet has been sent so far (hence [UNREPLIED]).
- The rest is the source & destination IP addresses and ports, first for the original
  direction and then for the reply direction.
On 128 MB of RAM, 8192 connections can be maintained.
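Because the connection table is finite, a defender wants to know what is filling it. The following is an added example (not part of the original tutorial) that summarises conntrack entries in the line format shown above, counting per destination port how many TCP entries are still [UNREPLIED], i.e. a SYN was sent but no reply has been seen. The sample entries are constructed for the example; on a real system the input would be `cat /proc/net/ip_conntrack` (or the output of the `conntrack` tool on newer kernels).

```shell
#!/bin/sh
# Added example, not part of the original tutorial: summarise /proc/net/ip_conntrack-style
# lines, counting per destination port the TCP entries still marked [UNREPLIED].
# A large pile of UNREPLIED entries towards one port is what a half-open (SYN) flood
# or an unreachable service looks like from the firewall's point of view.
# SAMPLE_CONNTRACK is constructed data mimicking the format shown in the tutorial.
SAMPLE_CONNTRACK='tcp      6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.6 dst=192.168.1.9 sport=32776 dport=22 src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32776 [ASSURED] use=1
tcp      6 110 SYN_SENT src=10.0.0.5 dst=192.168.1.9 sport=40001 dport=80 [UNREPLIED] src=192.168.1.9 dst=10.0.0.5 sport=80 dport=40001 use=1
tcp      6 109 SYN_SENT src=10.0.0.6 dst=192.168.1.9 sport=40002 dport=80 [UNREPLIED] src=192.168.1.9 dst=10.0.0.6 sport=80 dport=40002 use=1
udp      17 29 src=192.168.1.6 dst=192.168.1.1 sport=5353 dport=53 [UNREPLIED] src=192.168.1.1 dst=192.168.1.6 sport=53 dport=5353 use=1'

# unreplied_by_dport: reads conntrack lines on stdin and prints "dport count" for the TCP
# entries still marked [UNREPLIED]. The first dport= field on a line belongs to the
# original direction, i.e. the port the client was trying to reach.
unreplied_by_dport() {
    awk '
        $1 == "tcp" && /\[UNREPLIED\]/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dport=/) { split($i, kv, "="); n[kv[2]]++; break }
            }
        }
        END { for (p in n) print p, n[p] }
    ' | sort -k1,1n
}

# unreplied_count PORT: number of UNREPLIED TCP entries towards PORT in the sample (0 if none)
unreplied_count() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | unreplied_by_dport |
        awk -v p="$1" '$1 == p { print $2; found = 1 } END { if (!found) print 0 }'
}

printf '%s\n' "$SAMPLE_CONNTRACK" | unreplied_by_dport
```

The UDP entry is deliberately left out of the count: UDP entries are always [UNREPLIED] until the first reply, so they say nothing about half-open TCP handshakes. Against the live table the same function is used as `cat /proc/net/ip_conntrack | unreplied_by_dport`.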
IPsysctl
------------------------------------------------------------------------------------------------------------
Syntax of an iptables command
-t : table name (the filter table is used if -t is omitted)
-j : action (target)
---------------------------------------------------------------------------------------------------------------------
Commands to add, delete and replace rules.
1. -A Append:- iptables -A INPUT ... (appends the rule at the end of the chain)
   eg. /sbin/iptables -A PREROUTING -s 0/0 -d 0/0 -j ACCEPT -t mangle
   Accepting all sources and destinations in mangle.
2. -D Delete:-
   eg. /sbin/iptables -D PREROUTING -s 10.10.10.0/255.255.255.0 -d 0/0 -j ACCEPT -t mangle
   Deleting the matching rule from the PREROUTING chain of mangle (the specification must match
   the rule exactly; alternatively the rule number can be given, as with -R below).
3. -R Replace:-
   eg. iptables -R PREROUTING 1 -s 10.10.10.3/255.255.255.255 -d 0/0 -j ACCEPT -t mangle
   Replaces rule 1 of the chain created above with one matching source 10.10.10.3/255.255.255.255.
4. -I Insert:-
   eg:-
   1. iptables -I PREROUTING 4 -s 10.10.10.13/255.255.255.255 -d 0/0 -j ACCEPT -t mangle
      gets inserted at the given line number (the existing rule 4 and those after it move down).
   2. iptables -I PREROUTING -s 10.10.10.16/255.255.255.255 -d 0/0 -j ACCEPT -t mangle
      (without a number, inserted above all rules in the chain)
   If a line number larger than the number of rules currently in the chain is given, this
   message appears:
   iptables: Index of insertion too big.
5. -L List:
   eg. 1) iptables -L -t mangle (listing all the sub-tables (chains) of the mangle table)
       2) iptables -L PREROUTING -t mangle (listing only the sub-table PREROUTING)
6. -F Flush:- eg:- iptables -F -t mangle (flushing all the chains of the mangle table)
7. -Z Zero:- eg: iptables -L PREROUTING -t mangle -Z (lists the chain and resets its packet
   counters to zero)
8. -N New chain:-
   1. iptables -N shashin -t mangle (created the chain shashin)
   2. iptables -I PREROUTING -s 10.10.10.2/255.255.255.255 -d 0/0 -j shashin -t mangle
      (linked PREROUTING to the chain shashin)
   3. iptables -I shashin -s 10.10.10.0/255.255.255.0 -d 192.168.1.254/255.255.255.255 -j ACCEPT -t mangle
      (created a rule in the shashin chain)
9. -X Delete chain:-
   1. iptables -X shashin1 -t mangle (deleted the chain; a chain always has to be made empty,
      and no rule in another chain may still jump to it, before deletion)
10. -E Rename chain:- iptables -E shashin shashin2 -t mangle
    The corresponding target gets renamed automatically wherever it is mentioned in other chains.
---------------------------------------------------------------------------------------------------------------------
List options -
1. -n :- numeric (do not resolve addresses and port names)
2. -v :- verbose
3. -x :- exact (print packet and byte counters without K/M/G rounding)
4. --line-numbers:- prints rule numbers, which can be used with -I, -R and -D.
eg.
bash# iptables -L PREROUTING -t mangle -nvx --line-numbers
Chain PREROUTING (policy ACCEPT 2179 packets, 172919 bytes)
num   pkts  bytes target     prot opt in  out source       destination
1     1603  75092 shashin2   all  --  *   *   10.10.10.2   0.0.0.0/0
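The listing format above is easy to parse, and doing so answers the question raised under -X: which rules still jump to a chain we want to delete? The following added example (not part of the original tutorial) reads a listing produced with `-nvx --line-numbers`, finds every rule whose target is a given chain, and emits the `-D CHAIN num` commands in descending order (so the earlier numbers stay valid while deleting), followed by `-F` and `-X` for the chain itself. The listing is constructed to match the tutorial's output format and contains more rules than the original.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: parse "iptables -L CHAIN -t TABLE -nvx
# --line-numbers" output and emit the commands that unlink and delete a user chain.
# SAMPLE_LISTING is constructed data in the format the tutorial shows.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 2179 packets, 172919 bytes)
num   pkts  bytes target     prot opt in  out source        destination
1     1603  75092 shashin2   all  --  *   *   10.10.10.2    0.0.0.0/0
2       20    400 ACCEPT     all  --  *   *   10.10.10.0/24 192.168.1.254
3       10    600 shashin2   tcp  --  *   *   10.10.10.3    0.0.0.0/0'

# rule_numbers_for_target TARGET: reads a listing on stdin and prints the rule numbers
# (first column) of the rules whose target column equals TARGET, one per line.
# Header and "Chain ..." lines are skipped because their first field is not a number.
rule_numbers_for_target() {
    awk -v t="$1" '$1 ~ /^[0-9]+$/ && $4 == t { print $1 }'
}

# unlink_commands CHAIN TARGET: prints the iptables commands (mangle table) that delete every
# rule in CHAIN jumping to TARGET, highest rule number first, then flush and delete TARGET.
# Deleting from the highest number downwards keeps the remaining numbers valid.
unlink_commands() {
    chain=$1; target=$2
    printf '%s\n' "$SAMPLE_LISTING" | rule_numbers_for_target "$target" | sort -rn |
    while read -r num; do
        printf 'iptables -D %s %s -t mangle\n' "$chain" "$num"
    done
    printf 'iptables -F %s -t mangle\n' "$target"
    printf 'iptables -X %s -t mangle\n' "$target"
}

# Helpers for checking the generated plan
first_unlink_command() { unlink_commands PREROUTING shashin2 | head -n 1; }
unlink_command_count() { unlink_commands PREROUTING shashin2 | wc -l | tr -d ' '; }

unlink_commands PREROUTING shashin2
```

On a live system the parser is fed directly: `iptables -L PREROUTING -t mangle -nvx --line-numbers | rule_numbers_for_target shashin2`. The script prints rather than executes, so the plan can be reviewed before it is run as root.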
---------------------------------------------------------------------------------------------------------------------
Insert/append/delete options
1. -c, --set-counters : sets the initial packet and byte counters of the rule, here to 20 packets
   and 400 bytes.
iptables -I PREROUTING -s 10.10.10.0/255.255.255.0 -d 192.168.1.254/255.255.255.255 --set-counters 20 400 -j ACCEPT -t mangle
bash# iptables -L PREROUTING -t mangle -nvx
Chain PREROUTING (policy ACCEPT 288 packets, 34205 bytes)
 pkts bytes target     prot opt in  out source         destination
   20   400 ACCEPT     all  --  *   *   10.10.10.0/24  192.168.1.254
Generic matches
1. -p: protocol
   eg:- iptables -A PREROUTING -p icmp -j DROP -t mangle (dropping the ICMP protocol)
2. -s: source
   eg:- iptables -I PREROUTING -p icmp -s 10.10.10.3/255.255.255.255 -d 0/0 -j DROP -t mangle
   (dropping ICMP packets from the source 10.10.10.3)
3. -d: destination
   eg:- /sbin/iptables -I PREROUTING -p icmp -s 0/0 -d 192.168.1.254/255.255.255.255 -j DROP -t mangle
   (dropping ICMP packets to the destination 192.168.1.254)
4. -i: in-interface
   eg:- /sbin/iptables -A PREROUTING -p icmp -i eth0 -j DROP -t mangle
   (dropping all ICMP packets arriving on eth0)
5. -o: out-interface
   eg:- /sbin/iptables -I POSTROUTING -p icmp -o eth1 -j DROP -t nat
   (dropping all ICMP packets going out on eth1)
6. -f: fragment
   eg:- /sbin/iptables -I POSTROUTING -p icmp -o eth1 -f -j DROP -t nat
   (drops the fragments of ICMP packets going out on eth1; -f matches only the second and
   further fragments, never the first)
Implicit matches with a protocol
1. TCP
   (1) --sport:- source port
       eg: /sbin/iptables -I POSTROUTING -p tcp -d 192.168.1.254 --sport 23 -j DROP -t nat
   (2) --dport: destination port
       eg:- /sbin/iptables -I POSTROUTING -p tcp -s 10.10.10.2 -d 192.168.1.254 --dport 23 -j DROP -t nat
       (dropping all outgoing traffic from 10.10.10.2 with destination IP 192.168.1.254 and
       destination port 23)
   (3) --tcp-flags: takes two comma-separated lists of flags (SYN, ACK, FIN, RST, ...): first the
       mask of flags to examine, then the flags that must be set within that mask
       eg:- iptables -I POSTROUTING -p tcp -s 10.10.10.2 -d 192.168.1.254 --dport 23 --tcp-flags SYN,ACK SYN,ACK -j DROP -t nat
       (dropping a TCP packet to 192.168.1.254 port 23 if both its SYN and ACK flags are set)
2. UDP
   (1) --sport:- source port
   (2) --dport: destination port
3. ICMP
   (1) --icmp-type:- ICMP type

Other matches
(1) --mac-source:- source MAC address (-m mac)
(2) --limit:- maximum average rate of matches (-m limit)
(3) --limit-burst: initial burst of matches allowed before the rate limit applies
(4) Multiport match (-m multiport)
    (1) --source-ports 80,90,100
    (2) --destination-ports 80,90,100
    (3) --ports 22,23,25
(5) --mark: packet marking (-m mark)
(6) --uid-owner: user id (-m owner, locally generated packets only)
(7) --gid-owner: group id
(8) --pid-owner: process id
(9) --sid-owner: session id

State match (-m state)
(1) --state: which state(s) the packet must be in to match (NEW, ESTABLISHED, RELATED, INVALID)
(2) --tos: type of service value to match (-m tos)
(3) --ttl: TTL value to match (-m ttl)
TARGETS/JUMPS
1) -j ACCEPT:- the packet is accepted and allowed to continue on its way; it stops traversing
   the chain.
2) -j DROP:- the packet is refused further processing and is silently dropped.
3) -j QUEUE:- the packet is queued to a userspace program.
4) -j RETURN:- if the packet is traversing a user-defined chain, it returns to the chain that
   called it (in a built-in chain, the chain policy is applied).
5) -j LOG:- logs the packet to the kernel log (visible in dmesg); options: --log-level,
   --log-prefix, --log-tcp-sequence, --log-tcp-options, --log-ip-options
6) -j REJECT:- drops the packet and sends back an error message (selectable with --reject-with).
7) MIRROR target
8) SNAT target: for source NATing (--to-source).
9) DNAT target: for destination NATing (--to-destination).
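The state match, the TCP flag match and the LOG/REJECT/DROP targets come together in a minimal stateful host firewall. The following is an added example and not part of the original tutorial; the interface name eth0, the admin network 10.10.10.0/24 and the rate limits are assumptions. It defaults to printing the commands (DRY_RUN=1) so the rule order can be checked before applying it as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original tutorial: a minimal stateful host firewall
# tying together the state match, the TCP flag match and the LOG/REJECT/DROP targets.
# Interface, network and rate-limit values are assumptions for illustration.
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}                   # 1 = print the commands, 0 = execute them
LAN_IF=${LAN_IF:-eth0}                  # assumed interface the host is reachable on
ADMIN_NET=${ADMIN_NET:-10.10.10.0/24}   # assumed network allowed to open SSH sessions

# run: print the iptables command (dry run) or execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$IPT $*"; else "$IPT" "$@"; fi
}

firewall_rules() {
    run -F
    run -P INPUT DROP              # default deny: every allow below is explicit
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened, plus related traffic (ICMP errors, FTP data)
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Drop what conntrack cannot classify instead of letting it reach the allow rules
    run -A INPUT -m state --state INVALID -j DROP
    # A NEW TCP connection must begin with a SYN alone; "--syn" is shorthand for
    # "--tcp-flags SYN,RST,ACK,FIN SYN" (mask first, then the flags that must be set)
    run -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # New SSH sessions only from the admin network, rate limited against password guessing
    run -A INPUT -i "$LAN_IF" -p tcp -s "$ADMIN_NET" --dport 22 -m state --state NEW \
        -m limit --limit 3/minute --limit-burst 5 -j ACCEPT
    # Log the remainder (rate limited so the log cannot be flooded), then reject TCP
    # with a reset and silently drop everything else
    run -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP: " --log-level 4
    run -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    run -A INPUT -j DROP
}

# log_before_drop: succeeds if the LOG rule comes before the final catch-all DROP
# (a LOG placed after DROP would never see a packet)
log_before_drop() {
    out=$(DRY_RUN=1 firewall_rules)
    log_line=$(printf '%s\n' "$out" | grep -n -- '-j LOG' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$out" | grep -n -- '-A INPUT -j DROP' | cut -d: -f1)
    [ -n "$log_line" ] && [ -n "$drop_line" ] && [ "$log_line" -lt "$drop_line" ]
}

# rule_count: number of rules appended to INPUT in the plan
rule_count() { DRY_RUN=1 firewall_rules | grep -c -- ' -A INPUT '; }

firewall_rules
```

Order matters in every chain: the ESTABLISHED,RELATED rule sits first so the bulk of traffic is accepted with one lookup, the INVALID and `! --syn` drops come before any allow rule, and LOG precedes the final DROP because LOG is a non-terminating target and a packet dropped earlier would never reach it.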