Difference between revisions of "Iptables"

From Christoph's Personal Wiki
Jump to: navigation, search
Line 58: Line 58:
 
;<code>--set-counters PKTS BYTES</code> : set the counter during insert/append
 
;<code>--set-counters PKTS BYTES</code> : set the counter during insert/append
 
;<code>[!] --version -V</code> : print package version.
 
;<code>[!] --version -V</code> : print package version.
 +
 +
==Netmask==
 +
<div style="float:left; margin:0px 20px 20px 0px;">
 +
{| align="center" style="border: 1px solid #999; background-color:#FFFFFF"
 +
|-
 +
! colspan="4" bgcolor="#EFEFEF" | '''Common Netmask Bit Values'''
 +
|-align="center" bgcolor="#1188ee" color="#fff"
 +
!Netmask
 +
!Bits
 +
|- align="left"
 +
|255.0.0.0 || 8
 +
|--bgcolor="#eeeeee" align="left"
 +
|255.255.0.0 || 16
 +
|-
 +
|255.255.255.0 || 24
 +
|--bgcolor="#eeeeee" align="left"
 +
|255.255.255.128 || 25
 +
|-
 +
|255.255.255.192 || 26
 +
|--bgcolor="#eeeeee" align="left"
 +
|255.255.255.224 || 27
 +
|-
 +
|255.255.255.240 || 28
 +
|--bgcolor="#eeeeee" align="left"
 +
|255.255.255.248 || 29
 +
|-
 +
|255.255.255.252 || 30
 +
|}
 +
</div>
 +
 +
==ICMP datagram types==
 +
see: RFC 1700 (Assigned Numbers)
 +
/usr/include/netinet/ip_icmp.h
 +
<div style="float:left; margin:0px 20px 20px 0px;">
 +
{| align="center" style="border: 1px solid #999; background-color:#FFFFFF"
 +
|-
 +
! colspan="4" bgcolor="#EFEFEF" | '''ICMP Datagram Types'''
 +
|-align="center" bgcolor="#1188ee" color="#fff"
 +
!Type number
 +
!iptables mnemonic
 +
!Type description
 +
|- align="left"
 +
|0 || echo-reply || Echo Reply
 +
|--bgcolor="#eeeeee" align="left"
 +
|3 || destination-unreachable || Destination Unreachable
 +
|-
 +
|4 || source-quench || Source Quench
 +
|--bgcolor="#eeeeee" align="left"
 +
|5 || redirect || Redirect
 +
|-
 +
|8 || echo-request || Echo Request
 +
|--bgcolor="#eeeeee" align="left"
 +
|11 || time-exceeded || Time Exceeded
 +
|-
 +
|12 || parameter-problem || Parameter Problem
 +
|--bgcolor="#eeeeee" align="left"
 +
|13 || timestamp-request || Timestamp Request
 +
|-
 +
|14 || timestamp-reply || Timestamp Reply
 +
|--bgcolor="#eeeeee" align="left"
 +
|15 || none || Information Request
 +
|-
 +
|16 || none || Information Reply
 +
|--bgcolor="#eeeeee" align="left"
 +
|17 || address-mask-request || Address Mask Request
 +
|-
 +
|18 || address-mask-reply || Address Mask Reply
 +
|}
 +
</div>
 +
 +
==Type Of Service (TOS)==
 +
<div style="float:left; margin:0px 20px 20px 0px;">
 +
{| align="center" style="border: 1px solid #999; background-color:#FFFFFF"
 +
|-
 +
! colspan="4" bgcolor="#EFEFEF" | '''Suggested Uses for TOS Bitmasks'''
 +
|-align="center" bgcolor="#1188ee" color="#fff"
 +
!TOS
 +
!ANDmask
 +
!XORmask
 +
!Suggested Use
 +
|- align="left"
 +
|Minimum Delay || 0x01 || 0x10 || ftp, telnet, ssh
 +
|--bgcolor="#eeeeee" align="left"
 +
|Maximum Throughput || 0x01 || 0x08 || ftp-data, www
 +
|-
 +
|Maximum Reliability || 0x01 || 0x04 || snmp, dns
 +
|--bgcolor="#eeeeee" align="left"
 +
|Minimum Cost || 0x01 || 0x02 || nntp, smtp
 +
|}
 +
</div>
  
 
==Example script==
 
==Example script==

Revision as of 01:46, 4 March 2007

Basic command options

Chain manipulation (three default chains, INPUT, FORWARD, OUTPUT, are always present):

  • Create a new chain (-N, --new-chain chain)
  • Delete an empty chain (-X, --delete-chain [chain])
  • Change the policy for a built-in chain (-P, --policy chain target)
  • List the rules in a chain (-L, --list [chain])
  • Flush the rules out of a chain (-F, --flush [chain])
  • Zero the packet and byte counters in all chains (-Z, --zero) (note: It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared.)

Rule manipulation:

  • Append a new rule to a chain (-A, --append chain rule-specification)
  • Delete a rule at some position in a chain (-D, --delete chain rule-specification)

Help (-h)

Usage

iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)

Commands

Either long or short options are allowed.

--append -A chain 
append to chain
--delete -D chain 
delete matching rule from chain
--delete -D chain rulenum 
delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum] 
insert in chain as rulenum (default 1=first)
--replace -R chain rulenum 
replace rule rulenum (1 = first) in chain
--list -L [chain] 
list the rules in a chain or all chains
--flush -F [chain] 
delete all rules in chain or all chains
--zero -Z [chain] 
zero counters in chain or all chains
--new -N chain 
create a new user-defined chain
--delete-chain -X [chain] 
delete a user-defined chain
--policy -P chain target 
change policy on chain to target
--rename-chain -E old-chain new-chain 
change chain name, (moving any references)

Options

--proto -p [!] proto 
protocol: by number or name, eg. 'tcp'
--source -s [!] address[/mask] 
source specification
--destination -d [!] address[/mask] 
destination specification
--in-interface -i [!] input name[+] 
network interface name ([+] for wildcard)
--jump -j target 
target for rule (may load target extension)
--goto -g chain 
jump to chain with no return
--match -m match 
extended match (may load extension)
--numeric -n 
numeric output of addresses and ports
--out-interface -o [!] output name[+] 
network interface name ([+] for wildcard)
--table -t table 
table to manipulate (default: 'filter')
--verbose -v 
verbose mode
--line-numbers 
print line numbers when listing
--exact -x 
expand numbers (display exact values)
[!] --fragment -f 
match second or further fragments only
--modprobe=<command> 
try to insert modules using this command
--set-counters PKTS BYTES 
set the counter during insert/append
[!] --version -V 
print package version.

Netmask

Common Netmask Bit Values
Netmask Bits
255.0.0.0 8
255.255.0.0 16
255.255.255.0 24
255.255.255.128 25
255.255.255.192 26
255.255.255.224 27
255.255.255.240 28
255.255.255.248 29
255.255.255.252 30

ICMP datagram types

see: RFC 1700 (Assigned Numbers)
/usr/include/netinet/ip_icmp.h
ICMP Datagram Types
Type number iptables mnemonic Type description
0 echo-reply Echo Reply
3 destination-unreachable Destination Unreachable
4 source-quench Source Quench
5 redirect Redirect
8 echo-request Echo Request
11 time-exceeded Time Exceeded
12 parameter-problem Parameter Problem
13 timestamp-request Timestamp Request
14 timestamp-reply Timestamp Reply
15 none Information Request
16 none Information Reply
17 address-mask-request Address Mask Request
18 address-mask-reply Address Mask Reply

Type Of Service (TOS)

Suggested Uses for TOS Bitmasks
TOS ANDmask XORmask Suggested Use
Minimum Delay 0x01 0x10 ftp, telnet, ssh
Maximum Throughput 0x01 0x08 ftp-data, www
Maximum Reliability 0x01 0x04 snmp, dns
Minimum Cost 0x01 0x02 nntp, smtp

Example script

#!/bin/bash

LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D="224.0.0.0/4"
CLASS_E="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

########
# flush iptables
iptables -F
iptables -t nat -F
iptables -t mangle -F

########
# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

########
# policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

########
# allow related incoming
iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

########
# programs and stuff (add a line for each service you want to allow)

# SSH on local network
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 22 -j ACCEPT

# apache server (on all interfaces/networks)
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT

# samba + network share
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 137 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 137 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 138 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 138 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 139 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 139 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 445 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 445 -j ACCEPT

External links