Difference between revisions of "Iptables"

From Christoph's Personal Wiki
Jump to: navigation, search
(See also)
(External links)
Line 297: Line 297:
 
*[http://snafu.priv.at/mystuff/recent-plus-pam.html pam_recent: an add-on to make iptables' recent match more useful]
 
*[http://snafu.priv.at/mystuff/recent-plus-pam.html pam_recent: an add-on to make iptables' recent match more useful]
 
*[http://www.learn-networking.com/tcp-ip/introduction-to-tcp-ip-protocol-suite.php An Introduction to TCP/IP]
 
*[http://www.learn-networking.com/tcp-ip/introduction-to-tcp-ip-protocol-suite.php An Introduction to TCP/IP]
 +
*[http://www.debian-administration.org/articles/390 Speedup DNS requests with a local cache]
  
 
[[Category:Linux Command Line Tools]]
 
[[Category:Linux Command Line Tools]]

Revision as of 02:25, 18 March 2008

Basic command options

Chain manipulation (three default chains, INPUT, FORWARD, OUTPUT, are always present):

  • Create a new chain (-N, --new-chain chain)
  • Delete an empty chain (-X, --delete-chain [chain])
  • Change the policy for a built-in chain (-P, --policy chain target)
  • List the rules in a chain (-L, --list [chain])
  • Flush the rules out of a chain (-F, --flush [chain])
  • Zero the packet and byte counters in all chains (-Z, --zero) (note: It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared.)

Rule manipulation:

  • Append a new rule to a chain (-A, --append chain rule-specification)
  • Delete a rule at some position in a chain (-D, --delete chain rule-specification)

Help (-h)

Usage

iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)

Commands

Either long or short options are allowed.

--append -A chain 
append to chain
--delete -D chain 
delete matching rule from chain
--delete -D chain rulenum 
delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum] 
insert in chain as rulenum (default 1=first)
--replace -R chain rulenum 
replace rule rulenum (1 = first) in chain
--list -L [chain] 
list the rules in a chain or all chains
--flush -F [chain] 
delete all rules in chain or all chains
--zero -Z [chain] 
zero counters in chain or all chains
--new -N chain 
create a new user-defined chain
--delete-chain -X [chain] 
delete a user-defined chain
--policy -P chain target 
change policy on chain to target
--rename-chain -E old-chain new-chain 
change chain name, (moving any references)

Options

--proto -p [!] proto 
protocol: by number or name, eg. 'tcp'
--source -s [!] address[/mask] 
source specification
--destination -d [!] address[/mask] 
destination specification
--in-interface -i [!] input name[+] 
network interface name ([+] for wildcard)
--jump -j target 
target for rule (may load target extension)
--goto -g chain 
jump to chain with no return
--match -m match 
extended match (may load extension)
--numeric -n 
numeric output of addresses and ports
--out-interface -o [!] output name[+] 
network interface name ([+] for wildcard)
--table -t table 
table to manipulate (default: 'filter')
--verbose -v 
verbose mode
--line-numbers 
print line numbers when listing
--exact -x 
expand numbers (display exact values)
[!] --fragment -f 
match second or further fragments only
--modprobe=<command> 
try to insert modules using this command
--set-counters PKTS BYTES 
set the counter during insert/append
[!] --version -V 
print package version.

Netmask

Netmask Bit Values
Addrs Bits Pref Class Mask
0 /32 255.255.255.255
2 1 /31 255.255.255.254
4 2 /30 255.255.255.252
8 3 /29 255.255.255.248
16 4 /28 255.255.255.240
32 5 /27 255.255.255.224
64 6 /26 255.255.255.192
128 7 /25 255.255.255.128
256 8 /24 1C 255.255.255.0
512 9 /23 2C 255.255.254.0
1K 10 /22 4C 255.255.252.0
2K 11 /21 8C 255.255.248.0
4K 12 /20 16C 255.255.240.0
8K 13 /19 32C 255.255.224.0
16K 14 /18 64C 255.255.192.0
32K 15 /17 128C 255.255.128.0
64K 16 /16 1B 255.255.0.0
128K 17 /15 2B 255.254.0.0
256K 18 /14 4B 255.252.0.0
512K 19 /13 8B 255.248.0.0
1M 20 /12 16B 255.240.0.0
2M 21 /11 32B 255.224.0.0
4M 22 /10 64B 255.192.0.0
8M 23 /9 128B 255.128.0.0
16M 24 /8 1A 255.0.0.0
32M 25 /7 2A 254.0.0.0
64M 26 /6 4A 252.0.0.0
128M 27 /5 8A 248.0.0.0
256M 28 /4 16A 240.0.0.0
512M 29 /3 32A 224.0.0.0
1024M 30 /2 64A 192.0.0.0
2048M 31 /1 128A 128.0.0.0
4096M 32 /0 256A 0.0.0.0

ICMP datagram types

see: RFC 1700 (Assigned Numbers)
/usr/include/netinet/ip_icmp.h
ICMP Datagram Types
Type number iptables mnemonic Type description
0 echo-reply Echo Reply
3 destination-unreachable Destination Unreachable
4 source-quench Source Quench
5 redirect Redirect
8 echo-request Echo Request
11 time-exceeded Time Exceeded
12 parameter-problem Parameter Problem
13 timestamp-request Timestamp Request
14 timestamp-reply Timestamp Reply
15 none Information Request
16 none Information Reply
17 address-mask-request Address Mask Request
18 address-mask-reply Address Mask Reply

Type Of Service (TOS)

Suggested Uses for TOS Bitmasks
TOS ANDmask XORmask Suggested Use
Minimum Delay 0x01 0x10 ftp, telnet, ssh
Maximum Throughput 0x01 0x08 ftp-data, www
Maximum Reliability 0x01 0x04 snmp, dns
Minimum Cost 0x01 0x02 nntp, smtp

Example script

#!/bin/bash

LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D="224.0.0.0/4"
CLASS_E="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

########
# flush iptables
iptables -F
iptables -t nat -F
iptables -t mangle -F

########
# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

########
# policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

########
# allow related incoming
iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

########
# programs and stuff (add a line for each service you want to allow)

# SSH on local network
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 22 -j ACCEPT

# apache server (on all interfaces/networks)
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT

# samba + network share
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 137 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 137 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 138 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 138 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 139 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 139 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 445 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 445 -j ACCEPT

Map external IP address onto an internal one

Let's say your external IP address is 128.65.225.10 and your internal IP address is 10.0.17.10, then: 

-A PREROUTING -d 128.65.225.10 -j DNAT --to-destination 10.0.17.10
-A POSTROUTING -s 10.0.17.10 -j SNAT --to-source 128.65.225.10

Scripts

See also

  • Ettercap — a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
  • netfilter2html — a script wrote using GAWK to process netfilter logs and generate a nice HTML output.
  • Wflogs — a firewall log analysis tool. It can be used to produce a log summary report in plain text, HTML and XML, or to monitor firewalling logs in real-time.
  • Samba — contains extra iptables rules
  • dm-crypt: a device-mapper crypto target
  • loop-AES
  • tripwire

External links

Retrieved from "http://wiki.christophchamp.com/index.php?title=Iptables&oldid=4931"