Laboratorium Komputerowe Progmar
Marcin Załęczny

We are using cookies in the page. If you use the page you agree for the cookies.      Close

Iptables

Displays iptables tables content. Default tables (chains) - INPUT, FORWARD, OUTPUT (-v switch adds some extra fields - interfaces): iptables -L -v

Add rule to a chain: iptables -A INPUT

Cleanup entire chain: iptables -F INPUT

Removes rule from chain: iptables -D INPUT

Sets default chain policy: ACCEPT, REJECT, DROP: iptables -P INPUT DROP

Allow filter rules to match based on connection state. Permits the use of the --ctstate option -m conntrack

Define the list of states for the rule to match on. --ctstate Valid states are:

  • NEW - the connection has not yet been seen,
  • RELATED - the connection is new, but is related to another connection already permitted,
  • ESTABLISHED - the connection is already established,
  • INVALID - the traffic couldn't be identified for some reason,

Require the rule to match only a limited number of times -m limitcode> Allows the use of the --limit option. Useful for limiting logging rules. --limit - The maximum matching rate, given as a number followed by "/second", "/minute", "/hour", or "/day" depending on how often you want the rule to match. If this option is not used and -m limit is used, the default is "3/hour".

  • -p - The connection protocol used,
  • --dport - The destination port(s) required for this rule. A single port may be given, or a range may be given as start:end, which will match all ports from start to end, inclusive,
  • -j - Jump to the specified target. By default, iptables allows four targets: ACCEPT - Accept the packet and stop processing rules in this chain. REJECT - Reject the packet and notify the sender that we did so, and stop processing rules in this chain. DROP - Silently ignore the packet, and stop processing rules in this chain. LOG - Log the packet, and continue processing more rules in this chain. Allows the use of the --log-prefix and --log-level options.
  • --log-prefix - When logging, put this text before the log message. Use double quotes around the text to use,
  • --log-level - Log using the specified syslog level. 7 is a good choice unless you specifically need something else,
  • -i - Only match if the packet is coming in on the specified interface
  • -o --out-interface - output name[+] network interface name ([+] for wildcard)
  • -v - Display more information in the output. Useful for if you have rules that look similar without using -v,
  • -s --source - address[/mask] source specification
  • -d --destination - address[/mask] destination specification
  • -I - Inserts a rule. Takes two options, the chain to insert the rule into, and the rule number it should be. -I INPUT 5 would insert the rule into the INPUT chain and make it the 5th rule in the list,

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT <-- Old deprecated version of above iptables -A INPUT -p tcp --dport ssh -j ACCEPT iptables -I INPUT 1 -i lo -j ACCEPT

Żeby karta pobierała adres przez DHCP wystarczy do pliku /etc/network/interfaces dodać linijki: auto eth0 iface eth0 inet dhcp

Pobiera nowy adres ip z serwera dhcp: dhclient eth0

Below there is sample firewall code - save it to iptables.sh file: 

#!/bin/sh
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

LAN=192.168.0.0/24
LAN_IFACE=wlp3s0
WAN_IFACE=eth0
LOCAL=127.0.0.1
LOCAL_HTTP_SERVER=192.168.0.1:80
LOCAL_HTTPS_SERVER=192.168.0.1:443
LOCAL_DNS_SERVER=192.168.0.1:53

# Flush existing rules and set chain policy to DROP
echo "[+] Flushing existing iptables rules..."

$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -X

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Load connection tracking modules
$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp



#################################################################################################################################################
### INPUT chain ###
#################################################################################################################################################
echo "[+] Setting up INPUT chain..."

#accept loopback connections
$IPTABLES -A INPUT -i lo -s $LOCAL -m state --state NEW -j ACCEPT

# state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "[ipt]: DROP INVALID IN: " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# anti-spoofing rules
$IPTABLES -A INPUT -i $LAN_IFACE ! -s $LAN -j LOG --log-prefix "[ipt]: SPOOFED IN: " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -i $LAN_IFACE ! -s $LAN -j DROP

# accept rules
#$IPTABLES -A INPUT -i $LAN_IFACE -p tcp -s $LAN --dport 22 --syn -m state --state NEW -j LOG --log-prefix "[ipt]: ACCEPTED SSH NEW: " --log-ip-options --log-tcp-options
#$IPTABLES -A INPUT -i $LAN_IFACE -p tcp -s $LAN --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# default INPUT LOG rule
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "[ipt]: DEF DROP INPUT: " --log-ip-options --log-tcp-options




#################################################################################################################################################
### OUTPUT chain ###
#################################################################################################################################################
echo "[+] Setting up OUTPUT chain..."

#accept loopback connections
$IPTABLES -A OUTPUT -o lo -d $LOCAL -m state --state NEW -j ACCEPT

# state tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "[ipt]: DROP INVALID OUT: " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept rules
#ftp
$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
#ssh
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
#smtp
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 465 --syn -m state --state NEW -j ACCEPT
#imaps
$IPTABLES -A OUTPUT -p tcp --dport 993 --syn -m state --state NEW -j ACCEPT
#pop3s
$IPTABLES -A OUTPUT -p tcp --dport 995 --syn -m state --state NEW -j ACCEPT
#whois
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
#http
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
#https
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
#dns tcp
$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
#dns udp
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
#echo
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# default INPUT LOG rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "[ipt]: DEF DROP OUTPUT: " --log-ip-options --log-tcp-options

Below there is an example of firewall IPv6 - ip6tables.sh. By default it logs and drops packets in all chains: INPUT, OUTPUT, FORWARD: 

#!/bin/bash

ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -X

ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP


# #############################################################################################################
# INPUT
# #############################################################################################################
ip6tables -A INPUT -j LOG --log-prefix "[ipt]: INPUT6 DROP: "
# #############################################################################################################
# #############################################################################################################




# #############################################################################################################
# OUTPUT
# #############################################################################################################
ip6tables -A OUTPUT -j LOG --log-prefix "[ipt]: OUTPUT6 DROP: "
# #############################################################################################################
# #############################################################################################################

# #############################################################################################################
# FORWARD
# #############################################################################################################
ip6tables -A FORWARD -j LOG --log-prefix "[ipt]: FORWARD6 DROP: "
# #############################################################################################################
# #############################################################################################################

Prints actual set of iptables rules to the standard output: iptables-save

Restores set of iptables rules from the file firewall.ipt created earlier by iptables-save command: iptables-restore firewall.ipt or: cat firewall.ipt | iptables-restore