Iptables

Intro

iptables is the Linux firewall; it uses the kernel's netfilter hooks to expose in-kernel packet filtering to userland. Here are notes on how to fulfil various tasks: block, forward or prank those silly network packets. This is not a manual, just research notes on how to get the most out of your Linux box.

netfilter modules

conntrack

Module that provides connection tracking for TCP, UDP, ICMP and other protocols. The information that conntrack gathers is then used to tell in which state the stream currently is.

Protocols

TCP connection states

state        timeout
NONE         30 minutes
ESTABLISHED  5 days
SYN_SENT     2 minutes
SYN_RECV     60 seconds
FIN_WAIT     2 minutes
TIME_WAIT    2 minutes
CLOSE        10 seconds
CLOSE_WAIT   12 hours
LAST_ACK     30 seconds
LISTEN       2 minutes

These values are not constant and could change from version to version.

TCP connection establishment

handshake desc
SYN The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A.
SYN-ACK In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number i.e. A+1, and the sequence number that the server chooses for the packet is another random number, B.
ACK Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value i.e. A+1, and the acknowledgement number is set to one more than the received sequence number i.e. B+1.

Once it has seen one packet (the SYN), it considers the connection as NEW. Once it sees the return packet (SYN/ACK), it considers the connection as ESTABLISHED.

Examples

General cmd flag description

Flag         Desc
-A           Append a new rule to a chain
-D           Delete a rule at some position in a chain, or the first that matches
-F           Flush the rules out of a chain
-L           List the rules in a chain
-R           Replace a rule at some position in a chain
-I           Insert a new rule at some position in a chain
-N           Create a new chain
-X           Delete an empty chain
-P           Change the policy for a built-in chain
-Z           Zero the packet and byte counters on all rules in a chain
-p           Specify the protocol (here 'icmp')
-s           Source IP address
--icmp-type  Specify the ICMP type
-t           Table to operate on (see table names below)
-j           Jump to a target
-i           Input interface name
-m           Load an extra match module (extra matching rules)

Command matching table names

table     desc                                             chains
filter    default table                                    INPUT/OUTPUT/FORWARD
nat       consulted when a new connection is created       PREROUTING/OUTPUT/POSTROUTING
mangle    specialised packet alteration                    PREROUTING/OUTPUT/INPUT/FORWARD/POSTROUTING
raw       configuring exemptions from connection tracking  PREROUTING/OUTPUT
security  Mandatory Access Control (MAC) networking rules  INPUT/OUTPUT/FORWARD

Adding rules to built-in chains

chain        desc
INPUT        for packets destined to local sockets
OUTPUT       for locally-generated packets
FORWARD      for altering packets being routed through the box
PREROUTING   for altering incoming packets before routing
POSTROUTING  for altering packets as they are about to go out

Connection state

It is possible to match specific states of connections; here is a list of some of them.

state        desc
NEW          The NEW state tells us that the packet is the first packet that we see.
ESTABLISHED  The ESTABLISHED state has seen traffic in both directions and will then continuously match those packets.
RELATED      The RELATED state is one of the more tricky states. A connection is considered RELATED when it is related to another already ESTABLISHED connection.
INVALID      The INVALID state means that the packet can't be identified or that it does not.
UNTRACKED    This is the UNTRACKED state.

All connection tracking is handled in the PREROUTING chain, except for locally generated packets, which are handled in the OUTPUT chain. What this means is that iptables does all recalculation of states and so on within the PREROUTING chain. If we send the initial packet in a stream, the state gets set to NEW within the OUTPUT chain, and when we receive a return packet, the state gets changed in the PREROUTING chain to ESTABLISHED, and so on. If the first packet is not originated by ourselves, the NEW state is set within the PREROUTING chain, of course. So all state changes and calculations are done within the PREROUTING and OUTPUT chains of the nat table.

List all rules

iptables -L

List iptables rules with extra output that could be useful

iptables -nL -v --line-numbers

Remove rule

To delete a specific rule, run

iptables -nL -v --line-numbers

search for the chain and rule number and delete it with

iptables -D [chain_name] [line_number]

Load/store rules

Save iptables rules to a file

iptables-save > /tmp/cool.rules

Load rules from a file

iptables-restore < /tmp/cool.rules

Remove chain

iptables -X chain_name

Block ICMP (No ping) from outside

Creating chains where the ping related rules will be located

iptables -N ping_in
iptables -t filter -A INPUT -j ping_in
iptables -N ping_out
iptables -t filter -A OUTPUT -j ping_out

After creating the chains, the listing (iptables -L) looks like

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ping_in    all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ping_out   all  --  anywhere             anywhere            

Chain ping_in (1 references)
target     prot opt source               destination         

Chain ping_out (1 references)
target     prot opt source               destination

Block outside ping

Let's block it if someone tries to ping us; just block the usual ping echo request, not the ICMP protocol as such.

iptables -A ping_in -p icmp --icmp-type echo-request -j REJECT
iptables -A ping_out -p icmp --icmp-type echo-reply -j DROP

Block inside ping

If you don't want to use ping yourself, or don't want others on the box to ping out

iptables -A ping_out -p icmp --icmp-type echo-request -j DROP
iptables -A ping_in -p icmp --icmp-type echo-reply -j DROP
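The "Block ICMP" chains above, as an added example that is not part of the original notes: one function that emits ping_in/ping_out plus their rules as an iptables-restore fragment, so the whole set is loaded atomically and can be kept in a file like in the Load/store section. The chain names come from the notes; the ACTION and block-outbound parameters are this example's own.

```shell
# gen_icmp_rules ACTION [block-outbound]
#   ACTION          DROP or REJECT for inbound echo-request. DROP is silent;
#                   REJECT answers with an ICMP error, so the host still
#                   reveals that it is up, just not via ping.
#   block-outbound  also add the "Block inside ping" rules (no pinging out).
gen_icmp_rules() {
    action=${1:-DROP}
    case "$action" in
        DROP|REJECT) ;;
        *) echo "gen_icmp_rules: ACTION must be DROP or REJECT, got '$action'" >&2
           return 1 ;;
    esac
    # ":name - [0:0]" declares a user chain with zeroed counters; the two
    # -A INPUT / -A OUTPUT lines are the jumps into the custom chains.
    printf '%s\n' \
        '*filter' \
        ':ping_in - [0:0]' \
        ':ping_out - [0:0]' \
        '-A INPUT -j ping_in' \
        '-A OUTPUT -j ping_out' \
        "-A ping_in -p icmp -m icmp --icmp-type echo-request -j $action" \
        '-A ping_out -p icmp -m icmp --icmp-type echo-reply -j DROP'
    if [ "${2:-}" = "block-outbound" ]; then
        printf '%s\n' \
            '-A ping_out -p icmp -m icmp --icmp-type echo-request -j DROP' \
            '-A ping_in -p icmp -m icmp --icmp-type echo-reply -j DROP'
    fi
    printf '%s\n' 'COMMIT'
}

# Usage (needs root):  gen_icmp_rules DROP | iptables-restore --noflush
# --noflush keeps the rest of the filter table. The user chains named in the
# fragment are rebuilt from scratch, but the INPUT/OUTPUT jump lines would be
# appended again on a second run, so apply once or check with
# "iptables -C INPUT -j ping_in" first.
gen_icmp_rules DROP
```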

Port forwarding

Forward ports

iptables -t nat -A PREROUTING -p tcp --dport <incoming-port> -j REDIRECT --to-port <destination-port>

Forward port to different ip

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.5:8080

IP forwarding

Check if IP forwarding is enabled

cat /proc/sys/net/ipv4/ip_forward

If it prints 0 it is off; set it to 1 and add the forwarding rules

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 216.58.213.174:80
iptables -t nat -A POSTROUTING -j MASQUERADE

Block port

Useful command to see which ports are in use and which programs are using them

netstat -tulpn

Here is a list of popular protocols and services with their ports

Proto    Service  Port  Desc
TCP      HTTP     80    plain text internet
TCP      HTTPS    443   SSL'ed plain text internet
TCP      SMTP     25    Simple Mail Transfer Protocol, used for e-mail routing between mail servers
TCP      SSH      22    Secure shell, remote login
TCP      POP3     110   Post Office Protocol used for emailing
TCP      IMAP     143   management of email messages, used for emailing
TCP      DNS      53    domain name resolving protocol
TCP/UDP  Telnet   23    old school plain text login shell

If there is some unwanted service running, or you don't want it to make connections in future without your permission, let's block the port itself.

iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -A INPUT -p udp --dport 25 -j DROP

Block IP

Incoming ip

Let's block just an incoming IP

iptables -A INPUT -s 8.8.8.8 -j DROP

Block by port

Block an IP from accessing a specific port

iptables -A INPUT -s 8.8.8.8 -p tcp --destination-port 25 -j DROP

Block by UID

It is possible to match in iptables based on the user id of the process that created the packet

iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j DROP

Block by state

You can block some ports but still want ESTABLISHED connections to stay up. For that it is possible to match a specific connection state

iptables -A INPUT -m state --state NEW -j DROP -s 86.159.18.180

Logging

Log dropped packets

iptables -A INPUT -m limit --limit 2/min -j LOG --log-level 4 --log-prefix 'In2/m '
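Reading back what the LOG rule above produces, as an added example that is not part of the original notes: a small awk summary of kernel log lines carrying the 'In2/m ' prefix, keyed by source address and destination port (ICMP type for ICMP). The log lines are constructed for this example; on a real box feed it journalctl -k or /var/log/kern.log. Keep in mind that LOG is non-terminating, a matching packet continues to the next rule, so put the LOG rule directly before the DROP whose victims you want to see.

```shell
# summarize_log [PREFIX]  reads log lines on stdin, prints "count src proto port"
# sorted by count, descending. Lines without the prefix (or not from the
# kernel) are ignored. For ICMP there is no DPT, so TYPE= is used instead.
summarize_log() {
    prefix=${1:-In2/m }
    grep -F -- 'kernel: ' | grep -F -- "$prefix" | awk '
    {
        src = ""; proto = ""; port = ""; type = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   port  = substr($i, 5)
            else if ($i ~ /^TYPE=/)  type  = "type" substr($i, 6)
        }
        if (proto == "ICMP") port = type
        if (src != "" && port != "") count[src " " proto " " port]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample: three hits from one host on ssh, one DNS probe and one
# ping, plus a line with another prefix and a non-kernel line to be ignored.
SAMPLE_LOG='Jun 12 10:00:01 box kernel: [100.1] In2/m IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 12 10:00:09 box kernel: [108.4] In2/m IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 12 10:00:31 box kernel: [130.0] In2/m IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 12 10:01:02 box kernel: [161.2] In2/m IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=4 PROTO=UDP SPT=5353 DPT=53 LEN=53
Jun 12 10:01:30 box kernel: [189.9] In2/m IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
Jun 12 10:01:31 box kernel: [190.0] Out2/m IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.4 LEN=84 PROTO=ICMP TYPE=0 CODE=0 ID=777 SEQ=1
Jun 12 10:01:40 box sshd[1234]: Accepted publickey for alice from 203.0.113.7 port 40003'

# Top line is "3 203.0.113.7 TCP 22"; the DNS and ICMP entries follow with count 1.
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```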

Playing with system

Let's make our system more secure, or let's make some jokes; if you are just a user on the system, the admins may not be happy with these jokes ;].

Security related iptables rules

Joke iptables rules
