md/writeup/using_iptables.md


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272

# Iptables

## Intro

iptables is linux firewall that uses linux kernel netfilters to expose in kernel
stuff to userland. Here is notes how to fulfill various tasks block, forward 
or prank this silly network packets. 

## Examples

SIP - Server IP, your machine ip address

__General cmd flag description__

| Flag | Desc |
| --- | --- |
| -A | Add a rule |
| -D | Delete rule from table |
| -F | Flush rules |
| -L | List chain |
| -R | Replace chain |
| -I | Insert chain |
| -N | Create new chain |
| -J | Jump to target |
| -X | Delete chain |
| -p | To specify protocol (here 'icmp') |
| -s | Ip addr |
| --icmp-type | For specifying type |
| -t | command matching table |
| -j | jump target |
| -i | interface name |

__Command matching table names__

| table | desc |
| --- | --- |
| filter   | default table INPUT/OUTPUT/FORWARD |
| nat      | new connection created PREROUTING/OUTPUT/POSTROUTING |
| mangle   | specialize packet alternation PREROUTING/OUTPUT/INPUT/FORWARD/POSTROUTING  |
| raw      | configuring exemptions from connection tracking PREROUTING/OUTPUT |
| security | Mandatory Access Control (MAC) networking rules INPUT/OUTPUT/FORWARD |

__Adding rulle targets__

| adding | desc |
| --- | --- |
| INPUT       | for packets destined to local sockets |
| OUTPUT      | for locally-generated packet |
| FORWARD     | for altering packets being routed through the box |
| PREROUTING  | for altering incoming packets before routing |
| POSTROUTING | for altering packets as they are about to go out |

### List all rulles

```
iptables -L
```

List iptables rulles with extra output that could be usefull

```
iptables -nL -v --line-numbers
```

### Remove rulle

To delete specific rulle run 

```
iptables -nL -v --line-numbers
```
search for chain and rulle number and delete it with next line

```
iptables -D [chain_name] [line_number]
```

### Load/store rulles

Save iptable rulles to file

```
iptables-save > /tmp/cool.rulles
```

Load rulles from file

```
iptables-restore < /tmp/cool.rules
```

### Remove chain

```
iptales -X chain_name
```

### Block ICMP (No ping) from outside

Createing chain where ping related rules will be located

```
iptables -N ping_in
iptables -t filter -A INPUT -j ping_in
iptables -N ping_out
iptables -t filter -A OUTPUT -j ping_out
```

After creating chains output looks like

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ping_in    all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ping_out   all  --  anywhere             anywhere            

Chain ping_in (1 references)
target     prot opt source               destination         

Chain ping_out (1 references)
target     prot opt source               destination  
```

#### Block outside ping

Lets block if someone tryes to ping us, juct block usual ping echo request,
not blocking ICMP protocol as such.

```
iptables -A ping_in -p icmp --icmp-type echo-request -j REJECT
iptables -A ping_out -p icmp --icmp-type echo-reply -j DROP
```

#### Block inside ping

If dont whant to use ping, or dont whant that other use pinging

```
iptables -A ping_out -p icmp --icmp-type echo-request -j DROP
iptables -A ping_in -p icmp --icmp-type echo-reply -j DROP
```

### Port forwarding

Forward ports

```
iptables -t nat -A PREROUTING -p tcp --dport <incoming-port> -j REDIRECT --to-port <destination-port>
```

Forward port to different ip

```
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.5:8080
```

### IP forwarding


Check if ip forwarding is set

```
cat /proc/sys/net/ipv4/ip_forward
```

if _0_ then not, set to _1_

```
echo 1 > /proc/sys/net/ipv4/ip_forward
```

```
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 216.58.213.174:80
iptables -t nat -A POSTROUTING -j MASQUERADE
```

### Block port

Usefull command to see with ports are used and programm that are using

``` 
netstat -tulpn
```

Here is list of popular protocols and services ports

| Proto | Service | Port | Desc |
| --- | --- | --- | --- |
| TCP     | HTTP   | 80  | plain text internet |
| TCP     | HTTPS  | 443 | SSL'ed plain text internet |
| TCP     | SMPT   | 25  | Simple Mail Transfer Protocol, used for e-mail routing between mail servers |
| TCP     | SSH    | 22  | Secure shell, remote login |
| TCP     | POP3   | 110 | Post Office Protocol used for emailing |
| TCP     | IMAP   | 143 | management of email messages, used for emailing |
| TCP     | DNS    | 53  | domain name resolving protocol |
| TCP/UDP | Telnet | 23  | old school plain text login shell |


If there is some unwanted service running, or you dont whant in future that
it trying to make some connection without your allowance. Lets block port as
such.

```
iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -A INPUT -p udp --dport 25 -j DROP
```

### Block IP

#### Incoming ip
Lets block just incoming ip

```
iptables -A INPUT -s 8.8.8.8 -j DROP
```

#### By port

Block ip to access specific port

```
iptables -A INPUT -s 8.8.8.8 -p tcp --destination-port 25 -j DROP
```

### Block UID

There is possble to make iptables basing on user id

```
iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j DROP
```

### Loging

Log droppend packages

```
iptables -A INPUT -m limit --limit 2/min -j LOG --log-level 4 --log-prefix 'In2/m '
```

## Playing with system

Lets make our system more secure or lets make some jokes, if you are user in
the system admins could be not happy with this jokes ;].

### Securety related iptable rulles

### Joke iptable rullez


## Links
1. https://en.wikipedia.org/wiki/Iptables  
2. http://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html  
3. http://www.cyberciti.biz/faq/how-do-i-block-an-ip-on-my-linux-server/
4. http://crybit.com/iptables-rules-for-icmp/  
5. https://www.safaribooksonline.com/library/view/linux-server-hacks/0596004613/ch04s06.html  
6. https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers  
7. https://spin.atomicobject.com/2012/10/01/useful-iptables-port-forwarding-patterns/
8. http://wiki.vpsget.com/index.php/Forward_%28redirect/nat%29_traffic_with_iptables
9. https://www.debuntu.org/how-to-redirecting-network-traffic-to-a-new-ip-using-iptables/
10. http://www.cyberciti.biz/faq/how-to-save-restore-iptables-firewall-config-ubuntu/
11. http://ipset.netfilter.org/iptables.man.html
12. http://gr8idea.info/os/tutorials/security/iptables5.html
13. http://linuxpoison.blogspot.co.uk/2010/11/how-to-limit-network-access-by-user.html
14. http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html