path: root/md/writeup/using_iptables.md

title:Using iptables
keywords:linux,iptables,networking,icmp,ping,block,forward,tcp,udp,netfilter
# Iptables

## Intro

iptables is linux firewall that uses linux kernel netfilters to expose in kernel
stuff to userland. Here is notes how to fulfill various tasks block, forward 
or prank this silly network packets. This is not manual it just research notes
how to get most of your linux box.

### netfiler modules
#### conntrack
Module that allows more specific connection tracking for TCP,UDP,ICMP or others.
The information that conntrack gathers is then used to tell conntrack in which 
state the stream is currently in.

## Protocols
### TCP connection states
| state | timeout |
|---|---|
| NONE 	| 30 minutes |
| ESTABLISHED | 5 days |
| SYN_SENT    | 2 minutes |
| SYN_RECV    | 60 seconds |
| FIN_WAIT    | 2 minutes |
| TIME_WAIT   | 2 minutes |
| CLOSE       | 10 seconds |
| CLOSE_WAIT  | 12 hours |
| LAST_ACK    | 30 seconds |
| LISTEN      | 2 minutes |

Not constant values could change from version to version.

### TCP connection establishment
| handshake | desc |
|---|---|
| SYN     | The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A. |
| SYN-ACK | In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number i.e. A+1, and the sequence number that the server chooses for the packet is another random number, B. |
| ACK     | Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value i.e. A+1, and the acknowledgement number is set to one more than the received sequence number i.e. B+1. |

Once it has seen one packet(the SYN), it considers the connection as NEW. 
Once it sees the return packet(SYN/ACK), it considers the connection as ESTABLISHED.

## Examples

__General cmd flag description__

| Flag | Desc |
| --- | --- |
| -A | Append a new rule to a chain |
| -D | Delete a rule at some position in a chain, or the first that matches |
| -F | Flush the rules out of a chain |
| -L | List the rules in a chain |
| -R | Replace a rule at some position in a chain |
| -I | Insert chain |
| -N | Create a new chain |
| -J | Jump to target |
| -X | Delete an empty chain |
| -P | Change the policy for a built-in chain |
| -Z | Zero the packet and byte counters on all rules in a chain |
| -I | Insert a new rule at some position in a chain |
| -p | To specify protocol (here 'icmp') |
| -s | Ip addr |
| --icmp-type | For specifying type |
| -t | command matching table |
| -j | jump target |
| -i | interface name |
| -m | extra matching rulles |

__Command matching table names__

| table | desc |
| --- | --- |
| filter   | default table INPUT/OUTPUT/FORWARD |
| nat      | new connection created PREROUTING/OUTPUT/POSTROUTING |
| mangle   | specialize packet alternation PREROUTING/OUTPUT/INPUT/FORWARD/POSTROUTING  |
| raw      | configuring exemptions from connection tracking PREROUTING/OUTPUT |
| security | Mandatory Access Control (MAC) networking rules INPUT/OUTPUT/FORWARD |

__Adding rulle targets__

| rulle table | desc |
| --- | --- |
| INPUT       | for packets destined to local sockets |
| OUTPUT      | for locally-generated packet |
| FORWARD     | for altering packets being routed through the box |
| PREROUTING  | for altering incoming packets before routing |
| POSTROUTING | for altering packets as they are about to go out |

__Connection state__

There is possible to match specific states of connections here is a list of 
some of them.

|state | desc |
|---|---|
| NEW         | The NEW state tells us that the packet is the first packet that we see.  |
| ESTABLISHED | The ESTABLISHED state has seen traffic in both directions and will then continuously match those packets. |
| RELATED     | The RELATED state is one of the more tricky states. A connection is considered RELATED when it is related to another already ESTABLISHED connection.  |
| INVALID     | The INVALID state means that the packet can't be identified or that it does not. |
| UNTRACKED   | This is the UNTRACKED state. |

All connection tracking is handled in the __PREROUTING__ chain, except locally 
generated packets which are handled in the __OUTPUT__ chain. What this means is that
iptables will do all recalculation of states and so on within 
the __PREROUTING__ chain. If we send the initial packet in a stream, 
the state gets set to __NEW__ within the __OUTPUT__ chain, and when we receive 
a return packet, the state gets changed in the __PREROUTING__ chain to 
__ESTABLISHED__,  and so on. If the first packet is not originated by 
ourself, the __NEW__ state  is set within the __PREROUTING__ chain of course. 
So, all state changes and calculations are done within 
the __PREROUTING__ and __OUTPUT__ chains of the nat table. 

### List all rulles

```sh
iptables -L
```

List iptables rulles with extra output that could be usefull

```sh
iptables -nL -v --line-numbers
```

### Remove rulle

To delete specific rulle run 

```sh
iptables -nL -v --line-numbers
```
search for chain and rulle number and delete it with next line

```sh
iptables -D [chain_name] [line_number]
```

### Load/store rulles

Save iptable rulles to file

```sh
iptables-save > /tmp/cool.rulles
```

Load rulles from file

```sh
iptables-restore < /tmp/cool.rules
```

### Remove chain

```sh
iptales -X chain_name
```

### Block ICMP (No ping) from outside

Createing chain where ping related rules will be located

```sh
iptables -N ping_in
iptables -t filter -A INPUT -j ping_in
iptables -N ping_out
iptables -t filter -A OUTPUT -j ping_out
```

After creating chains output looks like

```sh
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ping_in    all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ping_out   all  --  anywhere             anywhere            

Chain ping_in (1 references)
target     prot opt source               destination         

Chain ping_out (1 references)
target     prot opt source               destination  
```

#### Block outside ping

Lets block if someone tryes to ping us, juct block usual ping echo request,
not blocking ICMP protocol as such.

```sh
iptables -A ping_in -p icmp --icmp-type echo-request -j REJECT
iptables -A ping_out -p icmp --icmp-type echo-reply -j DROP
```

#### Block inside ping

If dont whant to use ping, or dont whant that other use pinging

```sh
iptables -A ping_out -p icmp --icmp-type echo-request -j DROP
iptables -A ping_in -p icmp --icmp-type echo-reply -j DROP
```

### Port forwarding

Forward ports

```sh
iptables -t nat -A PREROUTING -p tcp --dport <incoming-port> -j REDIRECT --to-port <destination-port>
```

Forward port to different ip

```sh
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.5:8080
```

### IP forwarding


Check if ip forwarding is set

```sh
cat /proc/sys/net/ipv4/ip_forward
```

if _0_ then not, set to _1_

```sh
echo 1 > /proc/sys/net/ipv4/ip_forward
```

```sh
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 216.58.213.174:80
iptables -t nat -A POSTROUTING -j MASQUERADE
```

### Block port

Usefull command to see with ports are used and programm that are using

```sh
netstat -tulpn
```

Here is list of popular protocols and services ports

| Proto | Service | Port | Desc |
| --- | --- | --- | --- |
| TCP     | HTTP   | 80  | plain text internet |
| TCP     | HTTPS  | 443 | SSL'ed plain text internet |
| TCP     | SMPT   | 25  | Simple Mail Transfer Prot