From 96360f57fd31649aefb900146abb315da3aa8d01 Mon Sep 17 00:00:00 2001 From: FreeArtMan Date: Sun, 21 Feb 2016 16:36:35 +0000 Subject: Added 'Using iptables' --- md/writeup/using_iptables.md | 262 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 262 insertions(+) create mode 100644 md/writeup/using_iptables.md (limited to 'md/writeup') diff --git a/md/writeup/using_iptables.md b/md/writeup/using_iptables.md new file mode 100644 index 0000000..8b38488 --- /dev/null +++ b/md/writeup/using_iptables.md @@ -0,0 +1,262 @@ +# Iptables + +## Intro + +iptables is linux firewall that uses linux kernel netfilters to expose in kernel +stuff to userland. Here is notes how to fulfill various tasks block, forward +or prank this silly network packets. + +## Examples + +SIP - Server IP, your machine ip address + +__General cmd flag description__ + +| Flag | Desc | +| --- | --- | +| -A | Add a rule | +| -D | Delete rule from table | +| -F | Flush rules | +| -L | List chain | +| -R | Replace chain | +| -I | Insert chain | +| -N | Create new chain | +| -J | Jump to target | +| -X | Delete chain | +| -p | To specify protocol (here 'icmp') | +| -s | Ip addr | +| --icmp-type | For specifying type | +| -t | command matching table | +| -j | jump target | +| -i | interface name | + +__Command matching table names__ + +| table | desc | +| --- | --- | +| filter | default table INPUT/OUTPUT/FORWARD | +| nat | new connection created PREROUTING/OUTPUT/POSTROUTING | +| mangle | specialize packet alternation PREROUTING/OUTPUT/INPUT/FORWARD/POSTROUTING | +| raw | configuring exemptions from connection tracking PREROUTING/OUTPUT | +| security | Mandatory Access Control (MAC) networking rules INPUT/OUTPUT/FORWARD | + +__Adding rulle targets__ + +| adding | desc | +| --- | --- | +| INPUT | for packets destined to local sockets | +| OUTPUT | for locally-generated packet | +| FORWARD | for altering packets being routed through the box | +| PREROUTING | for altering incoming packets before routing | +| POSTROUTING | for altering packets as they are about to go out | + +### List all rulles + +``` +iptables -L +``` + +List iptables rulles with extra output that could be usefull + +``` +iptables -nL -v --line-numbers +``` + +### Remove rulle + +To delete specific rulle run + +``` +iptables -nL -v --line-numbers +``` +search for chain and rulle number and delete it with next line + +``` +iptables -D [chain_name] [line_number] +``` + +### Load/store rulles + +Save iptable rulles to file + +``` +iptables-save > /tmp/cool.rulles +``` + +Load rulles from file + +``` +iptables-restore < /tmp/cool.rules +``` + +### Remove chain + +``` +iptales -X chain_name +``` + +### Block ICMP (No ping) from outside + +Createing chain where ping related rules will be located + +``` +iptables -N ping_in +iptables -t filter -A INPUT -j ping_in +iptables -N ping_out +iptables -t filter -A OUTPUT -j ping_out +``` + +After creating chains output looks like + +``` +Chain INPUT (policy ACCEPT) +target prot opt source destination +ping_in all -- anywhere anywhere + +Chain FORWARD (policy ACCEPT) +target prot opt source destination + +Chain OUTPUT (policy ACCEPT) +target prot opt source destination +ping_out all -- anywhere anywhere + +Chain ping_in (1 references) +target prot opt source destination + +Chain ping_out (1 references) +target prot opt source destination +``` + +#### Block outside ping + +Lets block if someone tryes to ping us, juct block usual ping echo request, +not blocking ICMP protocol as such. + +``` +iptables -A ping_in -p icmp --icmp-type echo-request -j REJECT +iptables -A ping_out -p icmp --icmp-type echo-reply -j DROP +``` + +#### Block inside ping + +If dont whant to use ping, or dont whant that other use pinging + +``` +iptables -A ping_out -p icmp --icmp-type echo-request -j DROP +iptables -A ping_in -p icmp --icmp-type echo-reply -j DROP +``` + +### Port forwarding + +Forward ports + +``` +iptables -t nat -A PREROUTING -p tcp --dport -j REDIRECT --to-port +``` + +Forward port to different ip + +``` +iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.5:8080 +``` + +### IP forwarding + + +Check if ip forwarding is set + +``` +cat /proc/sys/net/ipv4/ip_forward +``` + +if _0_ then not, set to _1_ + +``` +echo 1 > /proc/sys/net/ipv4/ip_forward +``` + +``` +iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 216.58.213.174:80 +iptables -t nat -A POSTROUTING -j MASQUERADE +``` + +### Block port + +Usefull command to see with ports are used and programm that are using + +``` +netstat -tulpn +``` + +Here is list of popular protocols and services ports + +| Proto | Service | Port | Desc | +| --- | --- | --- | --- | +| TCP | HTTP | 80 | plain text internet | +| TCP | HTTPS | 443 | SSL'ed plain text internet | +| TCP | SMPT | 25 | Simple Mail Transfer Protocol, used for e-mail routing between mail servers | +| TCP | SSH | 22 | Secure shell, remote login | +| TCP | POP3 | 110 | Post Office Protocol used for emailing | +| TCP | IMAP | 143 | management of email messages, used for emailing | +| TCP | DNS | 53 | domain name resolving protocol | +| TCP/UDP | Telnet | 23 | old school plain text login shell | + + +If there is some unwanted service running, or you dont whant in future that +it trying to make some connection without your allowance. Lets block port as +such. + +``` +iptables -A INPUT -p tcp --dport 25 -j DROP +iptables -A INPUT -p udp --dport 25 -j DROP +``` + +### Block IP + +#### Incoming ip +Lets block just incoming ip + +``` +iptables -A INPUT -s 8.8.8.8 -j DROP +``` + +#### By port + +Block ip to access specific port + +``` +iptables -A INPUT -s 8.8.8.8 -p tcp --destination-port 25 -j DROP +``` + +### Loging + +Log droppend packages + +``` +iptables -A INPUT -m limit --limit 2/min -j LOG --log-level 4 --log-prefix 'In2/m ' +``` + +## Playing with system + +Lets make our system more secure or lets make some jokes, if you are user in +the system admins could be not happy with this jokes ;]. + +### Securety related iptable rulles + +### Joke iptable rullez + + + +## Links +1. https://en.wikipedia.org/wiki/Iptables +2. http://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html +3. http://www.cyberciti.biz/faq/how-do-i-block-an-ip-on-my-linux-server/ +4. http://crybit.com/iptables-rules-for-icmp/ +5. https://www.safaribooksonline.com/library/view/linux-server-hacks/0596004613/ch04s06.html +6. https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers +7. https://spin.atomicobject.com/2012/10/01/useful-iptables-port-forwarding-patterns/ +8. http://wiki.vpsget.com/index.php/Forward_%28redirect/nat%29_traffic_with_iptables +9. https://www.debuntu.org/how-to-redirecting-network-traffic-to-a-new-ip-using-iptables/ +10. http://www.cyberciti.biz/faq/how-to-save-restore-iptables-firewall-config-ubuntu/ +11. http://ipset.netfilter.org/iptables.man.html +12. http://gr8idea.info/os/tutorials/security/iptables5.html \ No newline at end of file -- cgit v1.2.3