www.netfilter.org

What can packet filtering protect against:
  Source address spoofing
  Useful information revealed in response to port scans
  Malformed broadcast packets used to fingerprint UNIX systems
  Some forms of network mapping
  Some denial-of-service attacks
  Source-routed packets
  Some forms of fragmentation bombs
  Local mistakes that affect remote sites
  Access to private LAN services

IPTABLES FEATURES
Packet-filtering features new in iptables include these:
  Source and destination port lists
  Access to the TCP state flags
  Access to the TCP options field
  Connection-state maintenance for TCP, UDP and ICMP exchanges
  Access to the IP header fields
  Access to the MAC source address

Types of attack iptables can mitigate
  TCP SYN flood
  Ping flood

Basic iptables syntax
  iptables --- the firewall administration command
  --policy CHAIN TARGET --- set the default policy of a built-in chain (INPUT, OUTPUT or FORWARD) to ACCEPT or DROP
  -A --- append a rule to the end of a chain (Albanian: "me shtu", to add)
  -I --- insert a rule at the top of a chain
  INPUT, OUTPUT, FORWARD --- built-in chains (direction of filtering)
  -i --- input interface (-o for the output interface)
  -j --- target (action): ACCEPT, DROP, REJECT
  -p --- protocol: tcp, udp, icmp
  -s --- source IP address or network
  -d --- destination IP address or network
  --dport --- destination port (--sport for the source port)

Types of Chains
  Input 
  Output 
  Forward 

Targets
  ACCEPT --- let the packet through
  DROP --- discard the packet silently (the sender gets no answer)
  REJECT --- discard the packet and send back an ICMP port-unreachable error

Policy Chain Default Behavior
  iptables --policy INPUT   DROP|ACCEPT
  iptables --policy OUTPUT  DROP|ACCEPT
  iptables --policy FORWARD DROP|ACCEPT
  (a built-in chain's policy can only be ACCEPT or DROP; REJECT is a rule target, not a valid policy)
Examples

Create variables
SRV_IP="192.168.0.3"
NETWORK="192.168.0.0/24"

iptables -I INPUT -i eth0 -p tcp -s 0/0 -d $SRV_IP --dport 21 -j DROP ---- deny FTP from any source
iptables -I INPUT -i eth0 -p tcp -s 0/0 -d $SRV_IP --dport 22 -j ACCEPT ---- permit SSH from any source
iptables -I INPUT -i eth0 -p tcp -s $NETWORK -d $SRV_IP --dport 22 -j ACCEPT ---- permit SSH from the specified network only

#Allow incoming ICMP echo-request (ping) from clients
iptables -I INPUT -i eth0 -p icmp --icmp-type 8 -s 0/0 -d $SRV_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT ---- permit ICMP type 8 (echo-request) from any source

#Allow outgoing ICMP echo-reply (the response to the ping); OUTPUT rules match the output interface with -o, not -i
iptables -I OUTPUT -o eth0 -p icmp --icmp-type 0 -s $SRV_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT ---- permit ICMP type 0 (echo-reply) to any destination

#Disable outgoing ICMP echo-request (the two rules are equivalent: echo-request is type 8)
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP

#Disable incoming ICMP echo-request (the host will not answer pings)
iptables -A INPUT -p icmp --icmp-type 8 -j DROP

#Stateful Packet Inspection: accept packets that belong to a connection already tracked by conntrack
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  
Stand-alone Firewall

#Variables for the example below
SERVER_IP="192.168.1.130"
MINT="192.168.1.128"
UBUNTU="192.168.1.129"

#Remove any existing rules from all chains
iptables --flush

#Set default policy to DROP
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP

#Unlimited traffic on Loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#Stateful Packet Inspection
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Per-host service rules (placed after the stateful rule, so only NEW connections reach them)
iptables -A INPUT -i eth0 -p tcp -s $MINT -d $SERVER_IP --dport 21 -j ACCEPT --- allow FTP from MINT
iptables -A INPUT -i eth0 -p tcp -s $UBUNTU -d $SERVER_IP --dport 22 -j ACCEPT --- allow SSH from UBUNTU
iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -s $UBUNTU -d $SERVER_IP -j ACCEPT --- allow ping from UBUNTU
iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -s $MINT -d $SERVER_IP -j REJECT --- reject ping from MINT (sender gets an ICMP error)

#Source address spoofing and other bad addresses
#Drop incoming packets on the Internet interface that pretend to be from:
#($INTERNET, $IPADDR, $CLASS_A, $CLASS_B, $CLASS_C and $LOOPBACK must be defined earlier in the script)
iptables -A INPUT -i $INTERNET -s $IPADDR -j DROP --- our own external address
iptables -A INPUT -i $INTERNET -s $CLASS_A -j DROP --- private class A range
iptables -A INPUT -i $INTERNET -s $CLASS_B -j DROP --- private class B range
iptables -A INPUT -i $INTERNET -s $CLASS_C -j DROP --- private class C range
iptables -A INPUT -i $INTERNET -s $LOOPBACK -j DROP --- loopback range
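The stand-alone firewall and the anti-spoofing block above, put together as one script (an added example, not part of the original notes). Assumptions: the Internet-facing interface is eth0 with the documentation address 203.0.113.10 (the anti-spoofing rules only make sense when that interface carries a public address), CLASS_A/B/C are the RFC 1918 private blocks, ADMIN_NET is the only network allowed to open SSH sessions, and by default the rules are only printed (dry run); run with IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Added example: stand-alone host firewall with anti-spoofing ingress filter.
# IPT defaults to "echo iptables" so the rule set can be reviewed before applying.
IPT="${IPT:-echo iptables}"

INTERNET="eth0"                 # assumed Internet-facing interface
IPADDR="203.0.113.10"           # assumed public address of this host (documentation range)
ADMIN_NET="198.51.100.0/24"     # assumed network allowed to reach SSH
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"            # RFC 1918 private ranges
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"

# Packets arriving from the Internet with these source addresses are forged:
# nobody outside can legitimately be us, a private range, or loopback.
antispoof_rules() {
    for src in "$IPADDR" "$CLASS_A" "$CLASS_B" "$CLASS_C" "$LOOPBACK"; do
        $IPT -A INPUT -i "$INTERNET" -s "$src" -j DROP
    done
}

firewall_rules() {
    $IPT --flush
    # Default-deny inbound and forwarded traffic; outbound is allowed.
    $IPT --policy INPUT DROP
    $IPT --policy OUTPUT ACCEPT
    $IPT --policy FORWARD DROP
    # Unlimited traffic on loopback.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Anti-spoofing goes before the stateful rule so a forged packet can
    # never be matched as part of an existing connection.
    antispoof_rules
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Only NEW SSH connections from the admin network may open a session.
    $IPT -A INPUT -i "$INTERNET" -p tcp -s "$ADMIN_NET" -d "$IPADDR" \
        --dport 22 -m state --state NEW -j ACCEPT
    # Answer pings, but rate-limit echo-requests to blunt a ping flood.
    $IPT -A INPUT -i "$INTERNET" -p icmp --icmp-type 8 \
        -m limit --limit 5/s -j ACCEPT
}

firewall_rules
```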


  #!/bin/sh --- first line of the file, to make it a shell script
  chmod 751 filename --- make it executable
  7 - owner: read, write, execute
  5 - group: read, execute
  1 - others: execute only

####################################################################################################

Allowing or Blocking Specific Connections
Connections from a single IP address or range
  iptables -A INPUT -s 10.10.10.10 -j DROP ---- single host
  iptables -A INPUT -s 10.10.10.0/24 -j DROP ---- network in CIDR notation
  iptables -A INPUT -s 10.10.10.0/255.255.255.0 -j DROP ---- same network with a dotted netmask
Connections to a specific port
  iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP ---- block SSH connections from 10.10.10.10
  iptables -A INPUT -p tcp --dport ssh -j DROP ---- block SSH connections from any IP address
Connection States
  iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT ---- incoming SSH from 10.10.10.10
  iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT ---- replies back to it
Saving Changes
  sudo /sbin/iptables-save ---- Ubuntu (prints the rule set to stdout; redirect it to a file to persist it)
  /etc/init.d/iptables save ---- Red Hat
  /sbin/service iptables save ---- Red Hat
  
Listing
  iptables -L ---- list the currently configured rules
  iptables -L -v ---- verbose: packet and byte counters, interfaces
  iptables -L | grep policy ---- show only the chain policies
  iptables -L INPUT ---- list one chain
  iptables -L INPUT -n ---- numeric output (no DNS or service-name lookups)
  iptables -S ---- list all active rules in command syntax
Clearing
  iptables -F ---- flush all currently configured rules
  iptables -L --line-numbers ---- list rules with their position numbers
  iptables -D INPUT 3 ---- delete rule number 3 from the INPUT chain

  netstat -tupan ---- show listening and connected TCP/UDP sockets with their owning processes