summaryrefslogtreecommitdiff
path: root/md/writeup
diff options
context:
space:
mode:
authorFreeArtMan <dos21h@gmail.com>2016-02-21 16:36:35 +0000
committerFreeArtMan <dos21h@gmail.com>2016-02-21 16:36:35 +0000
commit96360f57fd31649aefb900146abb315da3aa8d01 (patch)
tree81bde421100906cdfda7d281c38c98d124efa7e2 /md/writeup
parent167ea3e3ea39982ce40ef2ba54b7889f6d587df5 (diff)
downloadmd-content-96360f57fd31649aefb900146abb315da3aa8d01.tar.gz
md-content-96360f57fd31649aefb900146abb315da3aa8d01.zip
Added 'Using iptables'
Diffstat (limited to 'md/writeup')
-rw-r--r--md/writeup/using_iptables.md262
1 files changed, 262 insertions, 0 deletions
diff --git a/md/writeup/using_iptables.md b/md/writeup/using_iptables.md
new file mode 100644
index 0000000..8b38488
--- /dev/null
+++ b/md/writeup/using_iptables.md
@@ -0,0 +1,262 @@
+# Iptables
+
+## Intro
+
+iptables is linux firewall that uses linux kernel netfilters to expose in kernel
+stuff to userland. Here is notes how to fulfill various tasks block, forward
+or prank this silly network packets.
+
+## Examples
+
+SIP - Server IP, your machine ip address
+
+__General cmd flag description__
+
+| Flag | Desc |
+| --- | --- |
+| -A | Add a rule |
+| -D | Delete rule from table |
+| -F | Flush rules |
+| -L | List chain |
+| -R | Replace chain |
+| -I | Insert chain |
+| -N | Create new chain |
+| -J | Jump to target |
+| -X | Delete chain |
+| -p | To specify protocol (here 'icmp') |
+| -s | Ip addr |
+| --icmp-type | For specifying type |
+| -t | command matching table |
+| -j | jump target |
+| -i | interface name |
+
+__Command matching table names__
+
+| table | desc |
+| --- | --- |
+| filter | default table INPUT/OUTPUT/FORWARD |
+| nat | new connection created PREROUTING/OUTPUT/POSTROUTING |
+| mangle | specialize packet alternation PREROUTING/OUTPUT/INPUT/FORWARD/POSTROUTING |
+| raw | configuring exemptions from connection tracking PREROUTING/OUTPUT |
+| security | Mandatory Access Control (MAC) networking rules INPUT/OUTPUT/FORWARD |
+
+__Adding rulle targets__
+
+| adding | desc |
+| --- | --- |
+| INPUT | for packets destined to local sockets |
+| OUTPUT | for locally-generated packet |
+| FORWARD | for altering packets being routed through the box |
+| PREROUTING | for altering incoming packets before routing |
+| POSTROUTING | for altering packets as they are about to go out |
+
+### List all rulles
+
+```
+iptables -L
+```
+
+List iptables rulles with extra output that could be usefull
+
+```
+iptables -nL -v --line-numbers
+```
+
+### Remove rulle
+
+To delete specific rulle run
+
+```
+iptables -nL -v --line-numbers
+```
+search for chain and rulle number and delete it with next line
+
+```
+iptables -D [chain_name] [line_number]
+```
+
+### Load/store rulles
+
+Save iptable rulles to file
+
+```
+iptables-save > /tmp/cool.rulles
+```
+
+Load rulles from file
+
+```
+iptables-restore < /tmp/cool.rules
+```
+
+### Remove chain
+
+```
+iptales -X chain_name
+```
+
+### Block ICMP (No ping) from outside
+
+Createing chain where ping related rules will be located
+
+```
+iptables -N ping_in
+iptables -t filter -A INPUT -j ping_in
+iptables -N ping_out
+iptables -t filter -A OUTPUT -j ping_out
+```
+
+After creating chains output looks like
+
+```
+Chain INPUT (policy ACCEPT)
+target prot opt source destination
+ping_in all -- anywhere anywhere
+
+Chain FORWARD (policy ACCEPT)
+target prot opt source destination
+
+Chain OUTPUT (policy ACCEPT)
+target prot opt source destination
+ping_out all -- anywhere anywhere
+
+Chain ping_in (1 references)
+target prot opt source destination
+
+Chain ping_out (1 references)
+target prot opt source destination
+```
+
+#### Block outside ping
+
+Lets block if someone tryes to ping us, juct block usual ping echo request,
+not blocking ICMP protocol as such.
+
+```
+iptables -A ping_in -p icmp --icmp-type echo-request -j REJECT
+iptables -A ping_out -p icmp --icmp-type echo-reply -j DROP
+```
+
+#### Block inside ping
+
+If dont whant to use ping, or dont whant that other use pinging
+
+```
+iptables -A ping_out -p icmp --icmp-type echo-request -j DROP
+iptables -A ping_in -p icmp --icmp-type echo-reply -j DROP
+```
+
+### Port forwarding
+
+Forward ports
+
+```
+iptables -t nat -A PREROUTING -p tcp --dport <incoming-port> -j REDIRECT --to-port <destination-port>
+```
+
+Forward port to different ip
+
+```
+iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.5:8080
+```
+
+### IP forwarding
+
+
+Check if ip forwarding is set
+
+```
+cat /proc/sys/net/ipv4/ip_forward
+```
+
+if _0_ then not, set to _1_
+
+```
+echo 1 > /proc/sys/net/ipv4/ip_forward
+```
+
+```
+iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 216.58.213.174:80
+iptables -t nat -A POSTROUTING -j MASQUERADE
+```
+
+### Block port
+
+Usefull command to see with ports are used and programm that are using
+
+```
+netstat -tulpn
+```
+
+Here is list of popular protocols and services ports
+
+| Proto | Service | Port | Desc |
+| --- | --- | --- | --- |
+| TCP | HTTP | 80 | plain text internet |
+| TCP | HTTPS | 443 | SSL'ed plain text internet |
+| TCP | SMPT | 25 | Simple Mail Transfer Protocol, used for e-mail routing between mail servers |
+| TCP | SSH | 22 | Secure shell, remote login |
+| TCP | POP3 | 110 | Post Office Protocol used for emailing |
+| TCP | IMAP | 143 | management of email messages, used for emailing |
+| TCP | DNS | 53 | domain name resolving protocol |
+| TCP/UDP | Telnet | 23 | old school plain text login shell |
+
+
+If there is some unwanted service running, or you dont whant in future that
+it trying to make some connection without your allowance. Lets block port as
+such.
+
+```
+iptables -A INPUT -p tcp --dport 25 -j DROP
+iptables -A INPUT -p udp --dport 25 -j DROP
+```
+
+### Block IP
+
+#### Incoming ip
+Lets block just incoming ip
+
+```
+iptables -A INPUT -s 8.8.8.8 -j DROP
+```
+
+#### By port
+
+Block ip to access specific port
+
+```
+iptables -A INPUT -s 8.8.8.8 -p tcp --destination-port 25 -j DROP
+```
+
+### Loging
+
+Log droppend packages
+
+```
+iptables -A INPUT -m limit --limit 2/min -j LOG --log-level 4 --log-prefix 'In2/m '
+```
+
+## Playing with system
+
+Lets make our system more secure or lets make some jokes, if you are user in
+the system admins could be not happy with this jokes ;].
+
+### Securety related iptable rulles
+
+### Joke iptable rullez
+
+
+
+## Links
+1. https://en.wikipedia.org/wiki/Iptables
+2. http://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html
+3. http://www.cyberciti.biz/faq/how-do-i-block-an-ip-on-my-linux-server/
+4. http://crybit.com/iptables-rules-for-icmp/
+5. https://www.safaribooksonline.com/library/view/linux-server-hacks/0596004613/ch04s06.html
+6. https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
+7. https://spin.atomicobject.com/2012/10/01/useful-iptables-port-forwarding-patterns/
+8. http://wiki.vpsget.com/index.php/Forward_%28redirect/nat%29_traffic_with_iptables
+9. https://www.debuntu.org/how-to-redirecting-network-traffic-to-a-new-ip-using-iptables/
+10. http://www.cyberciti.biz/faq/how-to-save-restore-iptables-firewall-config-ubuntu/
+11. http://ipset.netfilter.org/iptables.man.html
+12. http://gr8idea.info/os/tutorials/security/iptables5.html \ No newline at end of file