Progmar Marcin Załęczny

Iptables

Displays the contents of the iptables tables. The default chains are INPUT, FORWARD and OUTPUT (the -v switch adds some extra fields, e.g. interfaces): iptables -L -v

Adds a rule to the end of a chain: iptables -A INPUT

Flushes (removes all rules from) a chain: iptables -F INPUT

Removes a rule from a chain: iptables -D INPUT

Sets the default chain policy (ACCEPT, REJECT, DROP): iptables -P INPUT DROP

Allows filter rules to match based on connection state and permits the use of the --ctstate option: -m conntrack

Defines the list of states for the rule to match on: --ctstate. Valid states are:

  • NEW - the connection has not yet been seen,
  • RELATED - the connection is new, but is related to another connection already permitted,
  • ESTABLISHED - the connection is already established,
  • INVALID - the traffic couldn't be identified for some reason.

Requires the rule to match only a limited number of times: -m limit. Allows the use of the --limit option. Useful for limiting logging rules. --limit - The maximum matching rate, given as a number followed by "/second", "/minute", "/hour", or "/day" depending on how often you want the rule to match. If -m limit is used without this option, the default is "3/hour".

  • -p - The connection protocol used,
  • --dport - The destination port(s) required for this rule. A single port may be given, or a range may be given as start:end, which matches all ports from start to end, inclusive,
  • -j - Jump to the specified target. By default, iptables provides four targets: ACCEPT - accept the packet and stop processing rules in this chain; REJECT - reject the packet, notify the sender that we did so, and stop processing rules in this chain; DROP - silently discard the packet and stop processing rules in this chain; LOG - log the packet and continue processing the remaining rules in this chain. LOG allows the use of the --log-prefix and --log-level options,
  • --log-prefix - When logging, put this text before the log message. Use double quotes around the text,
  • --log-level - Log using the specified syslog level. 7 is a good choice unless you specifically need something else,
  • -i - Only match if the packet is coming in on the specified interface,
  • -o, --out-interface name[+] - Only match if the packet is going out on the specified interface (a trailing + is a wildcard),
  • -v - Display more information in the output. Useful if you have rules that look similar without -v,
  • -s, --source address[/mask] - Source address specification,
  • -d, --destination address[/mask] - Destination address specification,
  • -I - Inserts a rule. Takes two options, the chain to insert the rule into and the rule number it should get. -I INPUT 5 inserts the rule into the INPUT chain and makes it the 5th rule in the list.

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    <-- old, deprecated form of the rule above
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT

To make the network interface obtain its address via DHCP, it is enough to add the following lines to the file /etc/network/interfaces:

auto eth0
iface eth0 inet dhcp

Obtains a new IP address from the DHCP server: dhclient eth0

Below is a sample firewall script; save it as iptables.sh:

#!/bin/sh
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

LAN=192.168.0.0/24
LAN_IFACE=wlp3s0
WAN_IFACE=eth0
LOCAL=127.0.0.1
LOCAL_HTTP_SERVER=192.168.0.1:80
LOCAL_HTTPS_SERVER=192.168.0.1:443
LOCAL_DNS_SERVER=192.168.0.1:53

# Flush existing rules and set chain policy to DROP
echo "[+] Flushing existing iptables rules..."

$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -X

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Load connection tracking modules
# (these are the legacy module names; on current kernels they are called
# nf_conntrack, nf_conntrack_ftp and nf_nat_ftp, and modprobe of the old
# names may simply report that the module was not found)
$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

#####################
### INPUT chain ###
#####################
echo "[+] Setting up INPUT chain..."

# accept loopback connections
$IPTABLES -A INPUT -i lo -s $LOCAL -m state --state NEW -j ACCEPT

# state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "[ipt]: DROP INVALID IN: " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# anti-spoofing rules
$IPTABLES -A INPUT -i $LAN_IFACE ! -s $LAN -j LOG --log-prefix "[ipt]: SPOOFED IN: " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -i $LAN_IFACE ! -s $LAN -j DROP

# accept rules
#$IPTABLES -A INPUT -i $LAN_IFACE -p tcp -s $LAN --dport 22 --syn -m state --state NEW -j LOG --log-prefix "[ipt]: ACCEPTED SSH NEW: " --log-ip-options --log-tcp-options
#$IPTABLES -A INPUT -i $LAN_IFACE -p tcp -s $LAN --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# default INPUT LOG rule
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "[ipt]: DEF DROP INPUT: " --log-ip-options --log-tcp-options

######################
### OUTPUT chain ###
######################
echo "[+] Setting up OUTPUT chain..."

# accept loopback connections
$IPTABLES -A OUTPUT -o lo -d $LOCAL -m state --state NEW -j ACCEPT

# state tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "[ipt]: DROP INVALID OUT: " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept rules
#ftp
$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
#ssh
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
#smtp
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 465 --syn -m state --state NEW -j ACCEPT
#imaps
$IPTABLES -A OUTPUT -p tcp --dport 993 --syn -m state --state NEW -j ACCEPT
#pop3s
$IPTABLES -A OUTPUT -p tcp --dport 995 --syn -m state --state NEW -j ACCEPT
#whois
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
#http
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
#https
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
#dns tcp
$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
#dns udp
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
#echo
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# default OUTPUT LOG rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "[ipt]: DEF DROP OUTPUT: " --log-ip-options --log-tcp-options

Below is an example of an IPv6 firewall, ip6tables.sh. By default it logs and drops packets in all chains: INPUT, OUTPUT, FORWARD:

#!/bin/bash

ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -X

# DROP policies on all three chains with no accept rules at all: this also
# blocks loopback traffic and ICMPv6 neighbour discovery, so IPv6 on the host
# is effectively switched off, not just filtered.
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

# #########################
# INPUT
# #########################
ip6tables -A INPUT -j LOG --log-prefix "[ipt]: INPUT6 DROP: "

# #########################
# OUTPUT
# #########################
ip6tables -A OUTPUT -j LOG --log-prefix "[ipt]: OUTPUT6 DROP: "

# #########################
# FORWARD
# #########################
ip6tables -A FORWARD -j LOG --log-prefix "[ipt]: FORWARD6 DROP: "

Prints the current set of iptables rules to standard output: iptables-save

Restores the set of iptables rules from the file firewall.ipt created earlier with the iptables-save command: iptables-restore firewall.ipt, or: cat firewall.ipt | iptables-restore
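An added example, not part of the original page, that audits an iptables-save dump offline: it checks that the three built-in chains fall through to DROP as iptables.sh intends, prints the iptables -P commands needed where they do not, and counts LOG rules that lack -m limit (the logging caveat from the -m limit section above). The dump, the function names and the deliberately non-DROP OUTPUT policy are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): read-only audit of a dump in
# iptables-save format. The dump is constructed to resemble what iptables.sh
# produces, with OUTPUT's policy deliberately left at ACCEPT to exercise the checks.
set -eu

DUMP=$(mktemp)
trap 'rm -f "$DUMP"' EXIT
cat > "$DUMP" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -s 127.0.0.1/32 -m state --state NEW -j ACCEPT
-A INPUT -m state --state INVALID -j LOG --log-prefix "[ipt]: DROP INVALID IN: "
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT ! -i lo -m limit --limit 3/min -j LOG --log-prefix "[ipt]: DEF DROP INPUT: "
-A OUTPUT ! -o lo -j LOG --log-prefix "[ipt]: DEF DROP OUTPUT: "
COMMIT
EOF

# Print the default policy of a built-in chain (":INPUT DROP [0:0]" -> DROP).
chain_policy() {  # $1 = dump file, $2 = chain name
  awk -v c=":$2" '$1 == c { print $2; exit }' "$1"
}

# Succeed only when INPUT, FORWARD and OUTPUT all default to DROP.
all_policies_drop() {  # $1 = dump file
  for c in INPUT FORWARD OUTPUT; do
    [ "$(chain_policy "$1" "$c")" = DROP ] || return 1
  done
}

# Print (not execute) the iptables -P commands that would restore DROP
# on every chain, so the audit itself never changes the running ruleset.
suggest_policy_fixes() {  # $1 = dump file
  for c in INPUT FORWARD OUTPUT; do
    [ "$(chain_policy "$1" "$c")" = DROP ] || echo "iptables -P $c DROP"
  done
}

# Count LOG rules without "-m limit"; each one lets a packet flood fill syslog.
count_unlimited_log_rules() {  # $1 = dump file
  grep -- '-j LOG' "$1" | grep -vc -- '-m limit' || true
}

echo "policies to fix:"; suggest_policy_fixes "$DUMP"
echo "LOG rules without -m limit: $(count_unlimited_log_rules "$DUMP")"
```

Run it against real output with `iptables-save > dump.ipt` and point the functions at that file instead of the constructed sample.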