July 11, 2016
LINUX IPTABLES BASICS - Uses and Commands
What is IPTABLES?
iptables is the basic firewall in Linux.
The original firewall in Linux was ipchains. Netfilter.org created iptables to overcome the shortcomings of ipchains; it is faster and more secure than ipchains. It is the default firewall package installed on Red Hat and Fedora Linux.
Why IPTABLES?
Some features of IPTABLES:
- Packet inspection: the firewall keeps track of each packet passing through it and, in certain cases, looks at the contents of the data flow to recognise particular protocols.
- Packet filtering: packets are filtered on their MAC address and on flags in the TCP/UDP header. Packet filtering is useful for blocking malformed packets.
- Rate limiting: this feature helps iptables block some types of Denial of Service (DoS) attacks.
Packet Processing in IPTABLES
- Basic structure: Tables -> Chains -> Rules
- All packets are inspected as they pass through a sequence of built-in tables for processing.
- Mangle table
  - Responsible for the alteration of Quality of Service (QoS) bits. It has the following built-in chains:
  - PREROUTING chain
  - OUTPUT chain
  - FORWARD chain
  - INPUT chain
  - POSTROUTING chain
- Filter table
  - Responsible for packet filtering. It has 3 built-in chains. It is the default table.
  - INPUT: controls packets coming INTO the PC/server
  - FORWARD: packets passing THROUGH the PC (if it is a router)
  - OUTPUT: packets leaving OUT of the PC
- NAT table
  - Responsible for Network Address Translation: it modifies the network address information in the IP packet header while packets are in transit. It has 2 built-in chains.
The different built-in chains are:
- INPUT: we can add rules to control INPUT connections from a remote host to the server.
- FORWARD: manages packets passing from one NIC to another on the same machine.
- PREROUTING chain: address translation occurs before routing. Also known as Destination NAT or DNAT; it allows us to change the destination IP address.
- POSTROUTING chain: address translation occurs after routing. Also known as Source NAT or SNAT; it lets us change the source IP address.
- Chains: a set of rules that govern network traffic by opening and closing ports; they can be applied or bound to an interface in a particular order.
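The DNAT/SNAT split described above, as an added example that is not part of the original post: a small NAT ruleset for a Linux box used as a router. The interface names (eth0/eth1), the LAN range and the web server address are hypothetical; IPT defaults to the real binary, and setting IPT=echo prints the commands for review instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post: a NAT ruleset for a Linux router,
# showing where DNAT (PREROUTING) and SNAT (POSTROUTING) fit. Interface and
# address names are hypothetical. IPT defaults to the real binary; run with
# IPT=echo to print the commands for review instead of applying them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                    # interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"                    # interface facing the internal network
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # internal network (constructed value)
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"    # internal host that should receive port 80

nat_rules() {
    # PREROUTING / DNAT: the destination address is rewritten before the routing
    # decision, so a packet arriving on the WAN side for port 80 is routed to
    # the internal web server instead of to the router itself.
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"

    # POSTROUTING / SNAT: the source address is rewritten after routing, so
    # internal hosts leave with the router's address. MASQUERADE is the SNAT
    # variant for an interface whose address may change (DHCP on the WAN side).
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # NAT only rewrites headers. The translated packet still traverses the
    # filter table's FORWARD chain, so allow exactly the flows NAT creates:
    # inbound to the web server, outbound from the LAN, and replies to both.
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Review the NAT table with numeric output (-n avoids reverse DNS lookups).
show_nat() {
    "$IPT" -t nat -L -n -v
}

# Transit traffic is discarded by the kernel until IP forwarding is switched on.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}
```

Run `IPT=echo sh nat.sh` (after adding a call to `nat_rules` at the bottom) to see the five commands that would be issued; with the real binary the same script needs root. The FORWARD rules are the part most often forgotten: a DNAT entry with no matching FORWARD accept looks like a working port forward in `iptables -t nat -L` but delivers nothing.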
How to apply:
To specify a table, use the -t switch.
Syntax:
- To list all rules from the filter table (the default table):
  Command: iptables -t filter --list
  Command: iptables --list
- To list all rules from the mangle table:
  Command: iptables -t mangle --list
- To list all rules from the NAT table:
  Command: iptables -t nat --list
- How to add rules:
  - Each rule inspects the IP packet and processes it further based on its target (the jump, -j):
  - ACCEPT: iptables stops further processing of the packet and hands it over to the OS or application.
  - DROP: iptables stops processing the packet and the packet is discarded without any reply.
  - REJECT: also drops the packet, but returns an error message to the sender.
Commonly used switches:
- -s source address
- -d destination address
- -p protocol
- -i input interface (the interface the packet arrived on)
- -j action (target)
- -P specify the default policy for a chain
- -D delete a rule from a chain
- -R replace a rule in a chain
- -F flush (remove) all rules from the specified chain
- -L list the rules of a chain
- -A append a rule to the end of a chain
Some commonly used TCP and UDP ports:
- FTP: TCP 21/20
- SMTP (email out): 25
- SSH: TCP 22
- POP3 (email in): 110
- Telnet: TCP 23
- IMAP (email in): 143
- Web/HTTP: TCP 80
- DNS: UDP 53
- SSL/HTTPS: TCP 443
- DHCP: UDP 67/68
- SNMP: 161/162
- Samba: 137-139 and 445
- NetBIOS: 137-139
- Active Directory: 445, NetBIOS/DNS
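The switches, targets and rate-limiting feature described above, put together as an added example that is not from the original post: a host firewall for a single server that uses only ports from the table (SSH 22, HTTP 80, HTTPS 443, Telnet 23). ADMIN_NET is a hypothetical management subnet; IPT defaults to the real binary, and IPT=echo prints the rules for review instead of applying them. The `input_policy` check at the end reads `iptables-save` output and is fed a constructed sample so it can be run offline.

```shell
#!/bin/sh
# Added example, not from the original post: a host firewall for a single server
# built from the switches listed on the page. ADMIN_NET is a hypothetical
# management subnet. IPT defaults to the real binary; run with IPT=echo to print
# the rules for review instead of applying them.
IPT="${IPT:-iptables}"
ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"

host_firewall() {
    # -F: flush the three filter chains so the script can be re-run from a clean state.
    "$IPT" -F INPUT
    "$IPT" -F FORWARD
    "$IPT" -F OUTPUT

    # -P: default policy. Anything not explicitly accepted below is dropped.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # -i lo: local traffic. The conntrack rule admits replies to connections this
    # host opened, so the rules below only need to cover NEW inbound flows.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # -s, -p, --dport, -j: SSH only from the admin subnet. Any other source
    # does not match and falls through to the DROP policy.
    "$IPT" -A INPUT -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT

    # Rate limiting with the limit match: new web connections are accepted at up
    # to 25/second after an initial burst of 100; the excess matches nothing
    # further and is dropped by the policy. This is the page's DoS mitigation
    # written as a rule.
    "$IPT" -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW \
        -m limit --limit 25/second --limit-burst 100 -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW \
        -m limit --limit 25/second --limit-burst 100 -j ACCEPT

    # -j REJECT: unlike DROP, the sender gets an answer (here a TCP reset), so a
    # legacy client trying Telnet fails immediately instead of timing out.
    "$IPT" -A INPUT -p tcp --dport 23 -j REJECT --reject-with tcp-reset
}

# -L with -n (no DNS lookups) and --line-numbers, so a rule can later be removed
# by position with "-D INPUT <n>" or swapped with "-R INPUT <n> ...".
list_input() {
    "$IPT" -L INPUT -n -v --line-numbers
}

# Defender's check: read the INPUT chain policy from iptables-save output on
# stdin and print it, so a cron job or CI step can verify it is still DROP.
input_policy() {
    # iptables-save prints each chain's policy as ":INPUT DROP [packets:bytes]"
    awk '/^:INPUT / { print $2; exit }'
}

# Constructed sample of iptables-save output for an offline run of the check.
SAMPLE_SAVE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'
```

On a live host the check is `iptables-save | input_policy`, which prints `DROP` for this ruleset; `printf '%s\n' "$SAMPLE_SAVE" | input_policy` gives the same answer from the constructed sample. Rules added with -A are appended after the conntrack rule, so order matters: placing the Telnet REJECT before the ESTABLISHED rule would still work here, but putting a broad ACCEPT above the SSH restriction would silently widen access, which is exactly what the numbered `list_input` output is for catching.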