Difference between revisions of "Iptables"
From Christoph's Personal Wiki
| Line 58: | Line 58: | ||
;<code>--set-counters PKTS BYTES</code> : set the counter during insert/append | ;<code>--set-counters PKTS BYTES</code> : set the counter during insert/append | ||
;<code>[!] --version -V</code> : print package version. | ;<code>[!] --version -V</code> : print package version. | ||
| + | |||
| + | ==Netmask== | ||
| + | <div style="float:left; margin:0px 20px 20px 0px;"> | ||
| + | {| align="center" style="border: 1px solid #999; background-color:#FFFFFF" | ||
| + | |- | ||
| + | ! colspan="4" bgcolor="#EFEFEF" | '''Common Netmask Bit Values''' | ||
| + | |-align="center" bgcolor="#1188ee" color="#fff" | ||
| + | !Netmask | ||
| + | !Bits | ||
| + | |- align="left" | ||
| + | |255.0.0.0 || 8 | ||
| + | |--bgcolor="#eeeeee" align="left" | ||
| + | |255.255.0.0 || 16 | ||
| + | |- | ||
| + | |255.255.255.0 || 24 | ||
| + | |--bgcolor="#eeeeee" align="left" | ||
| + | |255.255.255.128 || 25 | ||
| + | |- | ||
| + | |255.255.255.192 || 26 | ||
| + | |--bgcolor="#eeeeee" align="left" | ||
| + | |255.255.255.224 || 27 | ||
| + | |- | ||
| + | |255.255.255.240 || 28 | ||
| + | |--bgcolor="#eeeeee" align="left" | ||
| + | |255.255.255.248 || 29 | ||
| + | |- | ||
| + | |255.255.255.252 || 30 | ||
| + | |} | ||
| + | </div> | ||
| + | |||
| + | ==ICMP datagram types== | ||
| + | see: RFC 1700 (Assigned Numbers) | ||
| + | /usr/include/netinet/ip_icmp.h | ||
| + | <div style="float:left; margin:0px 20px 20px 0px;"> | ||
| + | {| align="center" style="border: 1px solid #999; background-color:#FFFFFF" | ||
| + | |- | ||
| + | ! colspan="4" bgcolor="#EFEFEF" | '''ICMP Datagram Types''' | ||
| + | |-align="center" bgcolor="#1188ee" color="#fff" | ||
| + | !Type number | ||
| + | !iptables mnemonic | ||
| + | !Type description | ||
| + | |- align="left" | ||
| + | |0 || echo-reply || Echo Reply | ||
| + | |--bgcolor="#eeeeee" align="left" | ||
| + | |3 || destination-unreachable || Destination Unreachable | ||
| + | |- | ||
| + | |4 || source-quench || Source Quench | ||
| + | |--bgcolor="#eeeeee" align="left" | ||
| + | |5 || redirect || Redirect | ||
| + | |- | ||
| + | |8 || echo-request || Echo Request | ||
| + | |--bgcolor="#eeeeee" align="left" | ||
| + | |11 || time-exceeded || Time Exceeded | ||
| + | |- | ||
| + | |12 || parameter-problem || Parameter Problem | ||
| + | |--bgcolor="#eeeeee" align="left" | ||
| + | |13 || timestamp-request || Timestamp Request | ||
| + | |- | ||
| + | |14 || timestamp-reply || Timestamp Reply | ||
| + | |--bgcolor="#eeeeee" align="left" | ||
| + | |15 || none || Information Request | ||
| + | |- | ||
| + | |16 || none || Information Reply | ||
| + | |--bgcolor="#eeeeee" align="left" | ||
| + | |17 || address-mask-request || Address Mask Request | ||
| + | |- | ||
| + | |18 || address-mask-reply || Address Mask Reply | ||
| + | |} | ||
| + | </div> | ||
| + | |||
| + | ==Type Of Service (TOS)== | ||
| + | <div style="float:left; margin:0px 20px 20px 0px;"> | ||
| + | {| align="center" style="border: 1px solid #999; background-color:#FFFFFF" | ||
| + | |- | ||
| + | ! colspan="4" bgcolor="#EFEFEF" | '''Suggested Uses for TOS Bitmasks''' | ||
| + | |-align="center" bgcolor="#1188ee" color="#fff" | ||
| + | !TOS | ||
| + | !ANDmask | ||
| + | !XORmask | ||
| + | !Suggested Use | ||
| + | |- align="left" | ||
| + | |Minimum Delay || 0x01 || 0x10 || ftp, telnet, ssh | ||
| + | |--bgcolor="#eeeeee" align="left" | ||
| + | |Maximum Throughput || 0x01 || 0x08 || ftp-data, www | ||
| + | |- | ||
| + | |Maximum Reliability || 0x01 || 0x04 || snmp, dns | ||
| + | |--bgcolor="#eeeeee" align="left" | ||
| + | |Minimum Cost || 0x01 || 0x02 || nntp, smtp | ||
| + | |} | ||
| + | </div> | ||
==Example script== | ==Example script== | ||
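Review bot: the ANDmask/XORmask pair in the Type Of Service table is the ipchains form of TOS manipulation (the two masks taken by ipchains -t), and the added text never says so; on an iptables page state that explicitly and give the iptables equivalent, which sets the TOS byte in the mangle table with the TOS target, e.g. -j TOS --set-tos 0x10 for Minimum Delay and 0x08, 0x04, 0x02 for the other three rows. Two smaller points: each table sits in a <div style="float:left; ..."> that is never cleared, so the ==Example script== heading that follows will wrap beside the last table (drop the floats or add a clearing element), and the header rows use color="#fff", which is not a table-row attribute and should be style="color:#fff".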
Revision as of 01:46, 4 March 2007
Basic command options

Chain manipulation (three default chains, INPUT, FORWARD, OUTPUT, are always present):

- Create a new chain (-N, --new-chain chain)
- Delete an empty chain (-X, --delete-chain [chain])
- Change the policy for a built-in chain (-P, --policy chain target)
- List the rules in a chain (-L, --list [chain])
- Flush the rules out of a chain (-F, --flush [chain])
- Zero the packet and byte counters in all chains (-Z, --zero) (note: it is legal to specify the -L, --list option as well, to see the counters immediately before they are cleared)

Rule manipulation:

- Append a new rule to a chain (-A, --append chain rule-specification)
- Delete a rule at some position in a chain (-D, --delete chain rule-specification)
Help (-h)
Usage

```
iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
```

Commands

Either long or short options are allowed.

--append -A chain : append to chain
--delete -D chain : delete matching rule from chain
--delete -D chain rulenum : delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum] : insert in chain as rulenum (default 1 = first)
--replace -R chain rulenum : replace rule rulenum (1 = first) in chain
--list -L [chain] : list the rules in a chain or all chains
--flush -F [chain] : delete all rules in chain or all chains
--zero -Z [chain] : zero counters in chain or all chains
--new -N chain : create a new user-defined chain
--delete-chain -X [chain] : delete a user-defined chain
--policy -P chain target : change policy on chain to target
--rename-chain -E old-chain new-chain : change chain name (moving any references)
Options

--proto -p [!] proto : protocol, by number or name, e.g. 'tcp'
--source -s [!] address[/mask] : source specification
--destination -d [!] address[/mask] : destination specification
--in-interface -i [!] input name[+] : network interface name ([+] for wildcard)
--jump -j target : target for rule (may load target extension)
--goto -g chain : jump to chain with no return
--match -m match : extended match (may load extension)
--numeric -n : numeric output of addresses and ports
--out-interface -o [!] output name[+] : network interface name ([+] for wildcard)
--table -t table : table to manipulate (default: 'filter')
--verbose -v : verbose mode
--line-numbers : print line numbers when listing
--exact -x : expand numbers (display exact values)
[!] --fragment -f : match second or further fragments only
--modprobe=<command> : try to insert modules using this command
--set-counters PKTS BYTES : set the counter during insert/append
[!] --version -V : print package version
Netmask

Common Netmask Bit Values

| Netmask | Bits |
|---|---|
| 255.0.0.0 | 8 |
| 255.255.0.0 | 16 |
| 255.255.255.0 | 24 |
| 255.255.255.128 | 25 |
| 255.255.255.192 | 26 |
| 255.255.255.224 | 27 |
| 255.255.255.240 | 28 |
| 255.255.255.248 | 29 |
| 255.255.255.252 | 30 |
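The conversion behind this table, as an added example that is not from the wiki page: POSIX shell functions that turn a dotted netmask into its bit count and back, reject non-contiguous masks such as 255.0.255.0, and normalise either of the address[/mask] forms that -s and -d accept to address/bits. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: netmask <-> prefix-length helpers.

# mask2bits NETMASK: print the prefix length; return 1 if NETMASK is invalid
mask2bits() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        # each octet: decimal 0-255, no leading zeros (they would read as octal)
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( (n << 8) | o ))
    done
    bits=0
    # count the run of leading one bits
    while [ "$bits" -lt 32 ] && [ $(( (n >> (31 - bits)) & 1 )) -eq 1 ]; do
        bits=$((bits + 1))
    done
    # a contiguous mask has nothing but zeros below that run
    [ $(( n & ((1 << (32 - bits)) - 1) )) -eq 0 ] || return 1
    echo "$bits"
}

# bits2mask PREFIXLEN: print the dotted netmask for a prefix length 0-32
bits2mask() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    n=$(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# normalize_cidr ADDR[/MASK]: print ADDR/BITS whichever mask form was given,
# since iptables accepts both 10.0.0.0/8 and 10.0.0.0/255.0.0.0
normalize_cidr() {
    addr=${1%%/*}
    if [ "$addr" = "$1" ]; then
        bits=32                               # no mask: a single host
    else
        mask=${1#*/}
        case $mask in
            *.*) bits=$(mask2bits "$mask") || return 1 ;;
            *)   bits2mask "$mask" > /dev/null || return 1; bits=$mask ;;
        esac
    fi
    echo "$addr/$bits"
}
```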
ICMP datagram types

See: RFC 1700 (Assigned Numbers), /usr/include/netinet/ip_icmp.h

ICMP Datagram Types

| Type number | iptables mnemonic | Type description |
|---|---|---|
| 0 | echo-reply | Echo Reply |
| 3 | destination-unreachable | Destination Unreachable |
| 4 | source-quench | Source Quench |
| 5 | redirect | Redirect |
| 8 | echo-request | Echo Request |
| 11 | time-exceeded | Time Exceeded |
| 12 | parameter-problem | Parameter Problem |
| 13 | timestamp-request | Timestamp Request |
| 14 | timestamp-reply | Timestamp Reply |
| 15 | none | Information Request |
| 16 | none | Information Reply |
| 17 | address-mask-request | Address Mask Request |
| 18 | address-mask-reply | Address Mask Reply |
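An audit that uses this table, added here and not code from the wiki page: it reads iptables-save output, reports every rule matching -p icmp with the type number resolved to the mnemonic above, and counts rules that ACCEPT ICMP without any --icmp-type (so they also admit redirects, type 5). The dump is a constructed sample, the function names are this example's own, and it assumes the protocol is written as -p icmp rather than -p 1.

```shell
#!/bin/sh
# Added example, not from the wiki page. SAMPLE_DUMP is constructed.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# icmp_mnemonic TYPE: the iptables name of an ICMP type number from the table
# above, or "none" (types 15 and 16 can only be given numerically)
icmp_mnemonic() {
    case $1 in
        0)  echo echo-reply ;;            3)  echo destination-unreachable ;;
        4)  echo source-quench ;;         5)  echo redirect ;;
        8)  echo echo-request ;;          11) echo time-exceeded ;;
        12) echo parameter-problem ;;     13) echo timestamp-request ;;
        14) echo timestamp-reply ;;       17) echo address-mask-request ;;
        18) echo address-mask-reply ;;    *)  echo none ;;
    esac
}

# audit_icmp < dump: one line "CHAIN TARGET TYPE MNEMONIC" per -p icmp rule;
# TYPE is "any" when the rule has no --icmp-type and so matches every type
audit_icmp() {
    while IFS= read -r line; do
        case $line in "-A "*" -p icmp "*) ;; *) continue ;; esac
        set -- $line
        chain=$2 itype=any target=-
        while [ $# -gt 0 ]; do
            case $1 in
                --icmp-type) itype=${2%%/*}; shift ;;   # drop a /code suffix
                -j) target=$2; shift ;;
            esac
            shift
        done
        if [ "$itype" = any ]; then name=any; else name=$(icmp_mnemonic "$itype"); fi
        echo "$chain $target $itype $name"
    done
}

# catch_all_accepts < dump: how many rules ACCEPT every ICMP type
catch_all_accepts() { audit_icmp | grep -c ' ACCEPT any any$' || : ; }
```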
Type Of Service (TOS)

Suggested Uses for TOS Bitmasks

| TOS | ANDmask | XORmask | Suggested Use |
|---|---|---|---|
| Minimum Delay | 0x01 | 0x10 | ftp, telnet, ssh |
| Maximum Throughput | 0x01 | 0x08 | ftp-data, www |
| Maximum Reliability | 0x01 | 0x04 | snmp, dns |
| Minimum Cost | 0x01 | 0x02 | nntp, smtp |
Example script

```bash
#!/bin/bash

LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D="224.0.0.0/4"
CLASS_E="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

########
# flush iptables
iptables -F
iptables -t nat -F
iptables -t mangle -F

########
# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

########
# policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

########
# allow related incoming
iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

########
# programs and stuff (add a line for each service you want to allow)
# SSH on local network
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 22 -j ACCEPT
# apache server (on all interfaces/networks)
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
# samba + network share
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 137 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 137 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 138 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 138 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 139 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 139 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 445 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 445 -j ACCEPT
```
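A safeguard for applying a script like the one above on a remote machine, added here and not part of the wiki script: a script that sets the INPUT policy to DROP and gets the SSH rule wrong locks the administrator out, so the current ruleset is saved first, the script runs, and unless a confirmation file is created from a fresh login within the timeout the saved ruleset is restored. apply_with_rollback, the SAVE_CMD/RESTORE_CMD variables (defaulting to iptables-save and iptables-restore) and the confirmation-file convention are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page. SAVE_CMD/RESTORE_CMD are variables so
# the logic can be exercised without root; the defaults are the real tools.
SAVE_CMD=${SAVE_CMD:-iptables-save}
RESTORE_CMD=${RESTORE_CMD:-iptables-restore}

# apply_with_rollback SCRIPT TIMEOUT CONFIRM_FILE
#   1. save the running ruleset to a temporary file
#   2. run SCRIPT with sh
#   3. wait up to TIMEOUT seconds for CONFIRM_FILE to appear (the admin creates
#      it from a new session, proving the new rules still let them in)
#   4. if it never appears, restore the saved ruleset
# Returns 0 when the new ruleset was confirmed, 2 when it was rolled back,
# 1 when saving failed or SCRIPT itself failed (rolled back as well).
apply_with_rollback() {
    script=$1; timeout=$2; confirm=$3
    backup=$(mktemp) || return 1
    "$SAVE_CMD" > "$backup" || { rm -f "$backup"; return 1; }
    rm -f "$confirm"                      # a stale file must not count
    if ! sh "$script"; then
        "$RESTORE_CMD" < "$backup"
        rm -f "$backup"
        return 1
    fi
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$backup" "$confirm"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    "$RESTORE_CMD" < "$backup"            # no confirmation: undo the change
    rm -f "$backup"
    return 2
}
```

As root: apply_with_rollback ./firewall.sh 60 /tmp/fw-ok, then touch /tmp/fw-ok from a second SSH session opened after the rules went in; if that session cannot be opened, the old rules return after 60 seconds.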
External links
- netfilter.org
- Iptables Tutorial 1.2.2 — by Oskar Andreasson
- Linux Networking-concepts HOWTO
- Iptables - Example Firewall Rulesets — by James Stephens
- Iptables On A Linksys-Cisco WRT54GL Broadband Router HOWTO — by James Stephens
- the DD-WRT Wiki — a third party developed firmware for many 802.11g wireless routers based on a Broadcom chip reference design.
- Firewall for Single Host with Iptables
- Netfilter Log Format