title:Using iptables
keywords:linux,iptables,networking,icmp,ping

# Iptables

## Intro

iptables is the userland tool for the Linux firewall: it talks to the kernel's netfilter hooks and exposes the in-kernel packet filtering, NAT and mangling to userland. Here are notes on how to do various tasks: block, forward or prank these silly network packets.

Two things to keep in mind throughout: `iptables` only handles IPv4, so every rule below has to be repeated with `ip6tables` if the machine has IPv6 connectivity (otherwise a "blocked" port is simply still open over IPv6); and on recent distributions the `iptables` binary is often the `iptables-nft` compatibility front end over nftables, which accepts the same commands but stores the rules in the nf_tables backend.

## Examples

SIP - Server IP, your machine's IP address

__General cmd flag description__

| Flag | Desc |
| --- | --- |
| -A | Append a rule to the end of a chain |
| -D | Delete a rule from a chain (by number or by rule specification) |
| -F | Flush (delete all) rules of a chain, or of every chain in the table |
| -L | List the rules of a chain (or of all chains) |
| -R | Replace the rule at a given position |
| -I | Insert a rule at a given position (default: the top of the chain) |
| -N | Create a new user-defined chain |
| -X | Delete a user-defined chain (it must be empty and unreferenced) |
| -p | Protocol to match (here `icmp`) |
| -s | Source IP address or network |
| --icmp-type | ICMP type to match (only with `-p icmp`) |
| -t | Table the command applies to (default `filter`) |
| -j | Jump target: a built-in target (ACCEPT, DROP, REJECT, LOG, ...) or a user-defined chain |
| -i | Incoming interface name (valid in INPUT, FORWARD and PREROUTING only) |

Flags are case-sensitive: `-j` is the jump target, there is no `-J`.

__Command matching table names__

| table | desc |
| --- | --- |
| filter | default table, the actual firewall; chains INPUT/OUTPUT/FORWARD |
| nat | consulted for the first packet of a new connection, address/port translation; chains PREROUTING/INPUT/OUTPUT/POSTROUTING |
| mangle | specialized packet alteration (TOS, TTL, marks); chains PREROUTING/INPUT/FORWARD/OUTPUT/POSTROUTING |
| raw | configuring exemptions from connection tracking (NOTRACK); chains PREROUTING/OUTPUT |
| security | Mandatory Access Control (MAC) networking rules, e.g. SELinux; chains INPUT/OUTPUT/FORWARD |

__Built-in chains__

| chain | desc |
| --- | --- |
| INPUT | for packets destined to local sockets |
| OUTPUT | for locally-generated packets |
| FORWARD | for packets being routed through the box |
| PREROUTING | for altering incoming packets before routing |
| POSTROUTING | for altering packets as they are about to go out |

### List all rules

```
iptables -L
```

This shows only the `filter` table; add `-t nat` (etc.) to list another table. List the rules with extra output that is usually what you want: `-n` skips the reverse DNS lookups (which can make a plain `-L` very slow), `-v` adds packet/byte counters and interfaces, `--line-numbers` gives the rule positions needed for `-D`, `-I` and `-R`.

```
iptables -nL -v --line-numbers
```

### Remove rule

To delete a specific rule, first list the chain with rule numbers

```
iptables -nL -v --line-numbers
```

search for the chain and rule number and delete it with

```
iptables -D [chain_name] [line_number]
```

Rule numbers are per chain and the chain is renumbered after every delete, so when removing several rules delete the highest number first (or re-list between deletes). `-D` also accepts the full rule specification instead of a number, which is safer in scripts.

### Load/store rules

Save the current rules (all tables) to a file

```
iptables-save > /tmp/cool.rules
```

Load the rules from the file

```
iptables-restore < /tmp/cool.rules
```

`iptables-restore` replaces the whole ruleset atomically (use `-n` to append instead). The rules live only in the kernel, so they are gone after a reboot unless the saved file is loaded at boot, e.g. by the distribution's `iptables-persistent`/`netfilter-persistent` service or your own unit.

### Remove chain

```
iptables -X chain_name
```

`-X` refuses to delete a chain that still contains rules or is still referenced, so first delete the rules that jump to it, then `iptables -F chain_name`, then `-X`.

### Block ICMP (No ping) from outside

Creating chains where the ping-related rules will live, and jumping to them from INPUT and OUTPUT

```
iptables -N ping_in
iptables -t filter -A INPUT -j ping_in
iptables -N ping_out
iptables -t filter -A OUTPUT -j ping_out
```

After creating the chains the output of `iptables -L` looks like

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ping_in    all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ping_out   all  --  anywhere             anywhere

Chain ping_in (1 references)
target     prot opt source               destination

Chain ping_out (1 references)
target     prot opt source               destination
```

#### Block outside ping

Let's block people pinging us. Only the usual ping echo-request is blocked, not the ICMP protocol as such: other ICMP types (destination-unreachable, fragmentation-needed, time-exceeded) are needed for path MTU discovery and traceroute, and dropping all ICMP breaks connectivity in ways that are painful to debug.

```
iptables -A ping_in -p icmp --icmp-type echo-request -j REJECT
iptables -A ping_out -p icmp --icmp-type echo-reply -j DROP
```

REJECT answers with an ICMP error (port-unreachable by default), which still tells the sender that the host is up; use DROP instead if the host should stay silent. The second rule is belt and braces: once echo-requests never get in, no echo-reply is generated anyway.

#### Block inside ping

If you don't want to use ping yourself, or don't want other users on the box pinging out

```
iptables -A ping_out -p icmp --icmp-type echo-request -j DROP
iptables -A ping_in -p icmp --icmp-type echo-reply -j DROP
```

### Port forwarding

Forward a port to another port on the same machine (REDIRECT rewrites the destination to the address of the interface the packet arrived on; typical use is exposing an unprivileged service listening on 8080 as port 80)

```
iptables -t nat -A PREROUTING -p tcp --dport [port] -j REDIRECT --to-port [local_port]
```

PREROUTING only sees packets arriving from other hosts; to redirect connections made from the box itself the same rule is needed in the nat OUTPUT chain.

Forward a port to a different IP

```
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.5:8080
```

DNAT alone is not enough: the box must route the rewritten packets (IP forwarding, next section) and the FORWARD chain must accept them if its policy is DROP.

### IP forwarding

Check if IP forwarding is enabled

```
cat /proc/sys/net/ipv4/ip_forward
```

if _0_ then it is not; set it to _1_

```
echo 1 > /proc/sys/net/ipv4/ip_forward
```

This does not survive a reboot; to make it permanent set `net.ipv4.ip_forward = 1` in `/etc/sysctl.conf` or a file under `/etc/sysctl.d/`.

With forwarding on, DNAT plus masquerading turns the box into a relay for the forwarded port (here everything hitting port 80 is sent on to 216.58.213.174, and the replies come back through the box because MASQUERADE rewrites the source address to the box's own)

```
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 216.58.213.174:80
iptables -t nat -A POSTROUTING -j MASQUERADE
```

A MASQUERADE rule without `-o` rewrites the source of everything the box forwards out of any interface; in practice restrict it to the outside interface with `-o [wan_interface]`.

### Block port

Useful command to see which ports are in use and which program is listening on them (`netstat` comes from net-tools; `ss -tulpn` from iproute2 gives the same information on systems without it)

```
netstat -tulpn
```

Here is a list of popular protocols and service ports

| Proto | Service | Port | Desc |
| --- | --- | --- | --- |
| TCP | HTTP | 80 | plain text web |
| TCP | HTTPS | 443 | HTTP over TLS |
| TCP | SMTP | 25 | Simple Mail Transfer Protocol, used for e-mail routing between mail servers |
| TCP | SSH | 22 | Secure shell, remote login |
| TCP | POP3 | 110 | Post Office Protocol, used for fetching e-mail |
| TCP | IMAP | 143 | management of e-mail messages on the server |
| TCP/UDP | DNS | 53 | domain name resolution (UDP for queries, TCP for large answers and zone transfers) |
| TCP | Telnet | 23 | old school plain text login shell |

If an unwanted service is running, or you want to be sure nobody can reach it from outside even if it gets started again later, block the port on INPUT. (To stop a local program from connecting *out* to a port, the rule goes in OUTPUT with the same `--dport`.)

```
iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -A INPUT -p udp --dport 25 -j DROP
```

SMTP is TCP only, so the UDP rule is a no-op here; it is the pattern for services that use both (DNS, for example).

### Block IP

#### Incoming ip

Let's block just an incoming IP

```
iptables -A INPUT -s 8.8.8.8 -j DROP
```

#### By port

Block an IP from accessing a specific port

```
iptables -A INPUT -s 8.8.8.8 -p tcp --destination-port 25 -j DROP
```

`--destination-port` is the long form of `--dport`. Remember that `-A` appends: if an earlier ACCEPT rule already matches the traffic, the appended DROP is never reached, so use `-I` to put it at the top when in doubt.

### Block UID

It is possible to write iptables rules based on the user id of the process that generated the packet

```
iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j DROP
```

`--uid-owner` takes a user name or a numeric UID. The `owner` match only works in the OUTPUT and POSTROUTING chains, because it needs the local socket the packet came from; it cannot be used to filter incoming traffic.

### Logging

Log packets, rate-limited to two log lines per minute (the `limit` match keeps a port scan from flooding the kernel log)

```
iptables -A INPUT -m limit --limit 2/min -j LOG --log-level 4 --log-prefix 'In2/m '
```

LOG is a non-terminating target: the packet continues to the next rule afterwards. The rule above therefore logs every packet that reaches that point of the INPUT chain, not only dropped ones. To log what is dropped, place it directly before the DROP rule (or as the last rule when the chain policy is DROP). `--log-level 4` is kernel log level `warning`; the lines show up in `dmesg`, `journalctl -k` or `/var/log/kern.log`, with the prefix followed by `IN=`, `SRC=`, `DST=`, `PROTO=`, `SPT=`, `DPT=` fields.

## Playing with system

Let's make our system more secure, or let's make some jokes; if you are a plain user on the system, the admins might not be happy with these jokes ;].

### Security related iptables rules

### Joke iptables rullez

## Links

1. https://en.wikipedia.org/wiki/Iptables
2. http://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html
3. http://www.cyberciti.biz/faq/how-do-i-block-an-ip-on-my-linux-server/
4. http://crybit.com/iptables-rules-for-icmp/
5. https://www.safaribooksonline.com/library/view/linux-server-hacks/0596004613/ch04s06.html
6. https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
7. https://spin.atomicobject.com/2012/10/01/useful-iptables-port-forwarding-patterns/
8. http://wiki.vpsget.com/index.php/Forward_%28redirect/nat%29_traffic_with_iptables
9. https://www.debuntu.org/how-to-redirecting-network-traffic-to-a-new-ip-using-iptables/
10. http://www.cyberciti.biz/faq/how-to-save-restore-iptables-firewall-config-ubuntu/
11. http://ipset.netfilter.org/iptables.man.html
12. http://gr8idea.info/os/tutorials/security/iptables5.html
13. http://linuxpoison.blogspot.co.uk/2010/11/how-to-limit-network-access-by-user.html
14. http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
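## Added example: deleting rules by number without hitting the renumbering trap

The "Remove rule" recipe (list with `--line-numbers`, then `iptables -D [chain] [n]`) goes wrong as soon as more than one rule has to go, because the chain is renumbered after every delete. The script below is an added example, not part of the original notes: it takes a saved listing, picks the rules matching a pattern and emits the delete commands highest number first. The listing is constructed for the demo, in the format `iptables -nvL INPUT --line-numbers` prints; no `iptables` is run, so it works without root.

```bash
# Added example (not from the original notes): compute `iptables -D` commands
# from a saved `iptables -nvL <chain> --line-numbers` listing, highest rule
# number first. Deleting rule 1 first would turn rule 3 into rule 2, so the
# naive "read the numbers, then delete them in order" removes the wrong rule.

# Constructed listing for the demo, as `iptables -nvL INPUT --line-numbers`
# would print it on a box with the rules from the notes above.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 DROP       all  --  *      *       8.8.8.8              0.0.0.0/0
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3        3   180 DROP       tcp  --  *      *       8.8.8.8              0.0.0.0/0            tcp dpt:25
4        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 4 prefix "In2/m "'

# delete_cmds CHAIN PATTERN LISTING
#   Prints one `iptables -D CHAIN N` line per rule whose listing line matches
#   the extended regex PATTERN, in descending N. The "Chain ..." and "num ..."
#   header lines never have a numeric first field, so they are skipped.
delete_cmds() {
    chain=$1
    pattern=$2
    listing=$3
    printf '%s\n' "$listing" \
        | grep -E -- "$pattern" \
        | awk '$1 ~ /^[0-9]+$/ { print $1 }' \
        | sort -rn \
        | sed "s/^/iptables -D $chain /"
}

# Demo: every INPUT rule that mentions 8.8.8.8. Review the output, then run
# it for real with
#   delete_cmds INPUT '8\.8\.8\.8' "$(iptables -nvL INPUT --line-numbers)" | sh
# For a single known rule, deleting by specification avoids numbers entirely:
#   iptables -D INPUT -s 8.8.8.8 -j DROP
delete_cmds INPUT '8\.8\.8\.8' "$SAMPLE_LISTING"
```

Piping the generated commands through `sh` is deliberate: the function only prints, so the list can be eyeballed first, and it keeps the example runnable on a machine where you are not root.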
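## Added example: a complete ruleset in iptables-restore format

The sections on load/store, port forwarding, IP forwarding, blocking ports and logging each show one rule in isolation; what a practitioner actually deploys is one file for `iptables-restore` that contains all of them in the right order. The generator below is an added example, not the notes' own code, and the interface names, ports and addresses in the demo call (`eth0` outside, `eth1` inside, SSH only from `203.0.113.0/24`, public port 80 forwarded to `192.168.0.5:8080`) are assumptions. It fixes the three gaps noted above: LOG is followed by DROP in its own chain, MASQUERADE is limited to the outside interface, and the DNAT rule gets the FORWARD rule it needs under a DROP policy.

```bash
# Added example (not from the original notes): emit a complete ruleset in
# iptables-restore format for a small router/server. All names and numbers
# are parameters; the values used in the demo call below are assumptions.
#
# gen_ruleset WAN_IF LAN_IF SSH_PORT ADMIN_CIDR [PUB_PORT DEST_IP DEST_PORT]
#   filter table: default-deny INPUT and FORWARD, loopback and conntrack
#   first, rate-limited ping, SSH only from ADMIN_CIDR, and a LOG_DROP chain
#   so the kernel log shows what the policy dropped (LOG never terminates a
#   chain, so the DROP has to come right after it).
#   nat table: MASQUERADE only on the WAN interface, plus an optional DNAT of
#   WAN port PUB_PORT to DEST_IP:DEST_PORT together with the FORWARD rule
#   that lets the translated packets through.
gen_ruleset() {
    wan=$1; lan=$2; ssh_port=$3; admin=$4
    pub_port=${5:-}; dest_ip=${6:-}; dest_port=${7:-}

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
-A LOG_DROP -m limit --limit 2/min --limit-burst 5 -j LOG --log-level 4 --log-prefix "FW-DROP "
-A LOG_DROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -s $admin -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG_DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
EOF
    if [ -n "$pub_port" ]; then
        # after DNAT the packet is addressed to DEST_IP:DEST_PORT, so that is
        # what the FORWARD chain sees
        printf '%s\n' "-A FORWARD -i $wan -o $lan -p tcp -d $dest_ip --dport $dest_port -m conntrack --ctstate NEW -j ACCEPT"
    fi
    cat <<EOF
-A FORWARD -j LOG_DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
    if [ -n "$pub_port" ]; then
        printf '%s\n' "-A PREROUTING -i $wan -p tcp --dport $pub_port -j DNAT --to-destination $dest_ip:$dest_port"
    fi
    cat <<EOF
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Demo with assumed values: eth0 faces the Internet, eth1 the LAN, SSH is
# reachable only from 203.0.113.0/24, public port 80 goes to 192.168.0.5:8080.
gen_ruleset eth0 eth1 22 203.0.113.0/24 80 192.168.0.5 8080
```

Typical use is `gen_ruleset ... > /etc/iptables/rules.v4`, a syntax check with `iptables-restore --test < /etc/iptables/rules.v4`, and then `iptables-restore < /etc/iptables/rules.v4`. When doing this over SSH, start `sleep 120 && iptables-restore < /tmp/old.rules` in the background first (after saving the old rules with `iptables-save`), so a mistake in the new ADMIN_CIDR does not lock you out for good.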
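## Added example: reading what the LOG target wrote

The "Logging" section stops at writing the rule. What makes the log useful is turning the kernel lines back into a table of who was dropped and where they were knocking, which is also the input for the "Block IP" rules. The script below is an added example, not part of the original notes; the log lines are constructed to look like what the LOG target emits (prefix, then `IN=`, `SRC=`, `DST=`, `PROTO=`, `SPT=`, `DPT=` fields), and the prefix `FW-DROP ` is an assumption. On a real box the input would be `journalctl -k` or `/var/log/kern.log`.

```bash
# Added example (not from the original notes): summarise LOG-target lines from
# the kernel log. Each line carries the --log-prefix string followed by
# key=value fields; everything else in the kernel log is ignored.

# Constructed log lines for the demo (not captured from a real system):
# three SYNs to 22 from one host, one SYN to 25 and one ping from another,
# and one unrelated kernel message that must not be counted.
SAMPLE_LOG='Mar 12 10:01:02 gw kernel: [ 123.456] FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:01:03 gw kernel: [ 124.001] FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:01:05 gw kernel: [ 126.212] FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=203.0.113.10 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:01:06 gw kernel: [ 127.300] FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=240 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Mar 12 10:01:07 gw kernel: [ 128.004] FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:02:00 gw kernel: [ 181.000] eth0: link is up'

# drop_summary PREFIX
#   Reads log lines on stdin, keeps those carrying PREFIX and prints
#   "count source proto dport", most frequent first. Packets without a
#   destination port (ICMP) get "-" as the port.
drop_summary() {
    prefix=$1
    grep -F -- "$prefix" \
        | awk '{
            src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") count[src " " proto " " dpt]++
          }
          END { for (k in count) print count[k], k }' \
        | sort -k1,1nr -k2,2 -k3,3 -k4,4
}

# offenders PREFIX MIN
#   Sources with at least MIN dropped packets in total, as ready-to-review
#   block rules (inserted at the top of INPUT so no earlier ACCEPT wins).
offenders() {
    drop_summary "$1" \
        | awk -v min="$2" '{ total[$2] += $1 }
                           END { for (s in total) if (total[s] >= min) print total[s], s }' \
        | sort -k1,1nr -k2,2 \
        | awk '{ print "iptables -I INPUT -s " $2 " -j DROP  # " $1 " drops" }'
}

# Demo on the constructed lines.
printf '%s\n' "$SAMPLE_LOG" | drop_summary "FW-DROP "
printf '%s\n' "$SAMPLE_LOG" | offenders "FW-DROP " 3
```

Because the LOG rule in the notes is rate-limited to 2/min, the counts are a sample, not the real packet volume; the `-v` counters of the DROP rule itself give the true numbers, the log gives the addresses.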