title:Using iptables keywords:linux,iptables,networking,icmp,ping,block,forward,tcp,udp,netfilter # Iptables ## Intro iptables is linux firewall that uses linux kernel netfilters to expose in kernel stuff to userland. Here is notes how to fulfill various tasks block, forward or prank this silly network packets. This is not manual it just research notes how to get most of your linux box. ### netfiler modules #### conntrack Module that allows more specific connection tracking for TCP,UDP,ICMP or others. The information that conntrack gathers is then used to tell conntrack in which state the stream is currently in. ## Protocols ### TCP connection states | state | timeout | |---|---| | NONE | 30 minutes | | ESTABLISHED | 5 days | | SYN_SENT | 2 minutes | | SYN_RECV | 60 seconds | | FIN_WAIT | 2 minutes | | TIME_WAIT | 2 minutes | | CLOSE | 10 seconds | | CLOSE_WAIT | 12 hours | | LAST_ACK | 30 seconds | | LISTEN | 2 minutes | Not constant values could change from version to version. ### TCP connection establishment | handshake | desc | |---|---| | SYN | The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A. | | SYN-ACK | In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number i.e. A+1, and the sequence number that the server chooses for the packet is another random number, B. | | ACK | Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value i.e. A+1, and the acknowledgement number is set to one more than the received sequence number i.e. B+1. | Once it has seen one packet(the SYN), it considers the connection as NEW. Once it sees the return packet(SYN/ACK), it considers the connection as ESTABLISHED. ## Examples __General cmd flag description__ | Flag | Desc | | --- | --- | | -A | Append a new rule to a chain | | -D | Delete a rule at some position in a chain, or the first that matches | | -F | Flush the rules out of a chain | | -L | List the rules in a chain | | -R | Replace a rule at some position in a chain | | -I | Insert chain | | -N | Create a new chain | | -J | Jump to target | | -X | Delete an empty chain | | -P | Change the policy for a built-in chain | | -Z | Zero the packet and byte counters on all rules in a chain | | -I | Insert a new rule at some position in a chain | | -p | To specify protocol (here 'icmp') | | -s | Ip addr | | --icmp-type | For specifying type | | -t | command matching table | | -j | jump target | | -i | interface name | | -m | extra matching rulles | __Command matching table names__ | table | desc | | --- | --- | | filter | default table INPUT/OUTPUT/FORWARD | | nat | new connection created PREROUTING/OUTPUT/POSTROUTING | | mangle | specialize packet alternation PREROUTING/OUTPUT/INPUT/FORWARD/POSTROUTING | | raw | configuring exemptions from connection tracking PREROUTING/OUTPUT | | security | Mandatory Access Control (MAC) networking rules INPUT/OUTPUT/FORWARD | __Adding rulle targets__ | rulle table | desc | | --- | --- | | INPUT | for packets destined to local sockets | | OUTPUT | for locally-generated packet | | FORWARD | for altering packets being routed through the box | | PREROUTING | for altering incoming packets before routing | | POSTROUTING | for altering packets as they are about to go out | __Connection state__ There is possible to match specific states of connections here is a list of some of them. |state | desc | |---|---| | NEW | The NEW state tells us that the packet is the first packet that we see. | | ESTABLISHED | The ESTABLISHED state has seen traffic in both directions and will then continuously match those packets. | | RELATED | The RELATED state is one of the more tricky states. A connection is considered RELATED when it is related to another already ESTABLISHED connection. | | INVALID | The INVALID state means that the packet can't be identified or that it does not. | | UNTRACKED | This is the UNTRACKED state. | All connection tracking is handled in the __PREROUTING__ chain, except locally generated packets which are handled in the __OUTPUT__ chain. What this means is that iptables will do all recalculation of states and so on within the __PREROUTING__ chain. If we send the initial packet in a stream, the state gets set to __NEW__ within the __OUTPUT__ chain, and when we receive a return packet, the state gets changed in the __PREROUTING__ chain to __ESTABLISHED__, and so on. If the first packet is not originated by ourself, the __NEW__ state is set within the __PREROUTING__ chain of course. So, all state changes and calculations are done within the __PREROUTING__ and __OUTPUT__ chains of the nat table. ### List all rulles ```sh iptables -L ``` List iptables rulles with extra output that could be usefull ```sh iptables -nL -v --line-numbers ``` ### Remove rulle To delete specific rulle run ```sh iptables -nL -v --line-numbers ``` search for chain and rulle number and delete it with next line ```sh iptables -D [chain_name] [line_number] ``` ### Load/store rulles Save iptable rulles to file ```sh iptables-save > /tmp/cool.rulles ``` Load rulles from file ```sh iptables-restore < /tmp/cool.rules ``` ### Remove chain ```sh iptales -X chain_name ``` ### Block ICMP (No ping) from outside Createing chain where ping related rules will be located ```sh iptables -N ping_in iptables -t filter -A INPUT -j ping_in iptables -N ping_out iptables -t filter -A OUTPUT -j ping_out ``` After creating chains output looks like ```sh Chain INPUT (policy ACCEPT) target prot opt source destination ping_in all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ping_out all -- anywhere anywhere Chain ping_in (1 references) target prot opt source destination Chain ping_out (1 references) target prot opt source destination ``` #### Block outside ping Lets block if someone tryes to ping us, juct block usual ping echo request, not blocking ICMP protocol as such. ```sh iptables -A ping_in -p icmp --icmp-type echo-request -j REJECT iptables -A ping_out -p icmp --icmp-type echo-reply -j DROP ``` #### Block inside ping If dont whant to use ping, or dont whant that other use pinging ```sh iptables -A ping_out -p icmp --icmp-type echo-request -j DROP iptables -A ping_in -p icmp --icmp-type echo-reply -j DROP ``` ### Port forwarding Forward ports ```sh iptables -t nat -A PREROUTING -p tcp --dport -j REDIRECT --to-port ``` Forward port to different ip ```sh iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.5:8080 ``` ### IP forwarding Check if ip forwarding is set ```sh cat /proc/sys/net/ipv4/ip_forward ``` if _0_ then not, set to _1_ ```sh echo 1 > /proc/sys/net/ipv4/ip_forward ``` ```sh iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 216.58.213.174:80 iptables -t nat -A POSTROUTING -j MASQUERADE ``` ### Block port Usefull command to see with ports are used and programm that are using ```sh netstat -tulpn ``` Here is list of popular protocols and services ports | Proto | Service | Port | Desc | | --- | --- | --- | --- | | TCP | HTTP | 80 | plain text internet | | TCP | HTTPS | 443 | SSL'ed plain text internet | | TCP | SMPT | 25 | Simple Mail Transfer Protocol, used for e-mail routing between mail servers | | TCP | SSH | 22 | Secure shell, remote login | | TCP | POP3 | 110 | Post Office Protocol used for emailing | | TCP | IMAP | 143 | management of email messages, used for emailing | | TCP | DNS | 53 | domain name resolving protocol | | TCP/UDP | Telnet | 23 | old school plain text login shell | If there is some unwanted service running, or you dont whant in future that it trying to make some connection without your allowance. Lets block port as such. ```sh iptables -A INPUT -p tcp --dport 25 -j DROP iptables -A INPUT -p udp --dport 25 -j DROP ``` ### Block IP #### Incoming ip Lets block just incoming ip ```sh iptables -A INPUT -s 8.8.8.8 -j DROP ``` #### Block by port Block ip to access specific port ```sh iptables -A INPUT -s 8.8.8.8 -p tcp --destination-port 25 -j DROP ``` ### Block by UID There is possble to make iptables basing on user id ```sh iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j DROP ``` ### Block by state You can block some ports, but if you whant that ESTABLISHED connections are still there. Then there is possible to match specific connection state ```sh iptables -A INPUT -m state --state NEW -j DROP -s 86.159.18.180 ``` ### Block TOR There is quite common that ANNONYMOUSE users have higher chance to abuse services. Also some website provides list of exit nodes. Here we going to add to new iptables chai list of IPs gathered from public source ```sh wget -c https://www.dan.me.uk/torlist/ > tor.list iptables -N TOR iptables -t filter -A INPUT -j TOR cat /tmp/tor.list | uniq | sort | xargs iptables -A TOR -j DROP -s ``` ### Logging Log droppend packages ```sh iptables -A INPUT -m limit --limit 2/min -j LOG --log-level 4 --log-prefix 'In2/m ' ``` ## Playing with system Lets make our system more secure or lets make some jokes, if you are user in the system admins could be not happy with this jokes ;]. ### Securety related iptable rulles ### Joke iptable rullez ## Links 1. https://en.wikipedia.org/wiki/Iptables 2. http://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html 3. http://www.cyberciti.biz/faq/how-do-i-block-an-ip-on-my-linux-server/ 4. http://crybit.com/iptables-rules-for-icmp/ 5. https://www.safaribooksonline.com/library/view/linux-server-hacks/0596004613/ch04s06.html 6. https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers 7. https://spin.atomicobject.com/2012/10/01/useful-iptables-port-forwarding-patterns/ 8. http://wiki.vpsget.com/index.php/Forward_%28redirect/nat%29_traffic_with_iptables 9. https://www.debuntu.org/how-to-redirecting-network-traffic-to-a-new-ip-using-iptables/ 10. http://www.cyberciti.biz/faq/how-to-save-restore-iptables-firewall-config-ubuntu/ 11. http://ipset.netfilter.org/iptables.man.html 12. http://gr8idea.info/os/tutorials/security/iptables5.html 13. http://linuxpoison.blogspot.co.uk/2010/11/how-to-limit-network-access-by-user.html 14. http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html 15. http://www.iptables.info/en/connection-state.html 16. https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Protocol_operation 17. https://tools.ietf.org/html/rfc675 18. https://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html 19. https://www.dan.me.uk/torlist/ 20. https://www.honeynet.org/node/691 21. http://wiki.lvl1.org/Iptables 22. https://mkirby.org/mkblog/?p=47