Iptables
From Christoph's Personal Wiki
Contents
Basic command options
Chain manipulation (three default chains, INPUT, FORWARD, OUTPUT, are always present):
- Create a new chain (
-N, --new-chain chain) - Delete an empty chain (
-X, --delete-chain [chain]) - Change the policy for a built-in chain (
-P, --policy chain target) - List the rules in a chain (
-L, --list [chain]) - Flush the rules out of a chain (
-F, --flush [chain]) - Zero the packet and byte counters in all chains (
-Z, --zero) (note: It is legal to specify the-L, --list(list) option as well, to see the counters immediately before they are cleared.)
Rule manipulation:
- Append a new rule to a chain (
-A, --append chain rule-specification) - Delete a rule at some position in a chain (
-D, --delete chain rule-specification)
Help (-h)
Usage
iptables -[AD] chain rule-specification [options] iptables -[RI] chain rulenum rule-specification [options] iptables -D chain rulenum [options] iptables -[LFZ] [chain] [options] iptables -[NX] chain iptables -E old-chain-name new-chain-name iptables -P chain target [options] iptables -h (print this help information)
Commands
Either long or short options are allowed.
--append -A chain- append to chain
--delete -D chain- delete matching rule from chain
--delete -D chain rulenum- delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]- insert in chain as rulenum (default 1=first)
--replace -R chain rulenum- replace rule rulenum (1 = first) in chain
--list -L [chain]- list the rules in a chain or all chains
--flush -F [chain]- delete all rules in chain or all chains
--zero -Z [chain]- zero counters in chain or all chains
--new -N chain- create a new user-defined chain
--delete-chain -X [chain]- delete a user-defined chain
--policy -P chain target- change policy on chain to target
--rename-chain -E old-chain new-chain- change chain name, (moving any references)
Options
--proto -p [!] proto- protocol: by number or name, eg. 'tcp'
--source -s [!] address[/mask]- source specification
--destination -d [!] address[/mask]- destination specification
--in-interface -i [!] input name[+]- network interface name ([+] for wildcard)
--jump -j target- target for rule (may load target extension)
--goto -g chain- jump to chain with no return
--match -m match- extended match (may load extension)
--numeric -n- numeric output of addresses and ports
--out-interface -o [!] output name[+]- network interface name ([+] for wildcard)
--table -t table- table to manipulate (default: 'filter')
--verbose -v- verbose mode
--line-numbers- print line numbers when listing
--exact -x- expand numbers (display exact values)
[!] --fragment -f- match second or further fragments only
--modprobe=<command>- try to insert modules using this command
--set-counters PKTS BYTES- set the counter during insert/append
[!] --version -V- print package version.
Netmask
| Common Netmask Bit Values | |||
|---|---|---|---|
| Netmask | Bits | ||
| 255.0.0.0 | 8 | ||
| 255.255.0.0 | 16 | ||
| 255.255.255.0 | 24 | ||
| 255.255.255.128 | 25 | ||
| 255.255.255.192 | 26 | ||
| 255.255.255.224 | 27 | ||
| 255.255.255.240 | 28 | ||
| 255.255.255.248 | 29 | ||
| 255.255.255.252 | 30 | ||
ICMP datagram types
see: RFC 1700 (Assigned Numbers) /usr/include/netinet/ip_icmp.h
| ICMP Datagram Types | |||
|---|---|---|---|
| Type number | iptables mnemonic | Type description | |
| 0 | echo-reply | Echo Reply | |
| 3 | destination-unreachable | Destination Unreachable | |
| 4 | source-quench | Source Quench | |
| 5 | redirect | Redirect | |
| 8 | echo-request | Echo Request | |
| 11 | time-exceeded | Time Exceeded | |
| 12 | parameter-problem | Parameter Problem | |
| 13 | timestamp-request | Timestamp Request | |
| 14 | timestamp-reply | Timestamp Reply | |
| 15 | none | Information Request | |
| 16 | none | Information Reply | |
| 17 | address-mask-request | Address Mask Request | |
| 18 | address-mask-reply | Address Mask Reply | |
Type Of Service (TOS)
| Suggested Uses for TOS Bitmasks | |||
|---|---|---|---|
| TOS | ANDmask | XORmask | Suggested Use |
| Minimum Delay | 0x01 | 0x10 | ftp, telnet, ssh |
| Maximum Throughput | 0x01 | 0x08 | ftp-data, www |
| Maximum Reliability | 0x01 | 0x04 | snmp, dns |
| Minimum Cost | 0x01 | 0x02 | nntp, smtp |
Example script
#!/bin/bash LOOPBACK="127.0.0.0/8" CLASS_A="10.0.0.0/8" CLASS_B="172.16.0.0/12" CLASS_C="192.168.0.0/16" CLASS_D="224.0.0.0/4" CLASS_E="240.0.0.0/5" BROADCAST_SRC="0.0.0.0" BROADCAST_DEST="255.255.255.255" ######## # flush iptables iptables -F iptables -t nat -F iptables -t mangle -F ######## # loopback iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT ######## # policies iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP iptables -t nat -P PREROUTING ACCEPT iptables -t nat -P OUTPUT ACCEPT iptables -t nat -P POSTROUTING ACCEPT iptables -t mangle -P PREROUTING ACCEPT iptables -t mangle -P OUTPUT ACCEPT ######## # allow related incoming iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT ######## # programs and stuff (add a line for each service you want to allow) # SSH on local network iptables -A INPUT -s $CLASS_A -p tcp --destination-port 22 -j ACCEPT # apache server (on all interfaces/networks) iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT # samba + network share iptables -A INPUT -s $CLASS_A -p tcp --destination-port 137 -j ACCEPT iptables -A INPUT -s $CLASS_A -p udp --destination-port 137 -j ACCEPT iptables -A INPUT -s $CLASS_A -p tcp --destination-port 138 -j ACCEPT iptables -A INPUT -s $CLASS_A -p udp --destination-port 138 -j ACCEPT iptables -A INPUT -s $CLASS_A -p tcp --destination-port 139 -j ACCEPT iptables -A INPUT -s $CLASS_A -p udp --destination-port 139 -j ACCEPT iptables -A INPUT -s $CLASS_A -p tcp --destination-port 445 -j ACCEPT iptables -A INPUT -s $CLASS_A -p udp --destination-port 445 -j ACCEPT
Map external IP address onto an internal one
Let's say your external IP address is 128.65.225.10 and your internal IP address is 10.0.17.10, then:
-A PREROUTING -d 128.65.225.10 -j DNAT --to-destination 10.0.17.10 -A POSTROUTING -s 10.0.17.10 -j SNAT --to-source 128.65.225.10
Scripts
- rc.flush-iptables — resets iptables to default values
- fail2ban
See also
- Ettercap — a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
- netfilter2html — a script wrote using GAWK to process netfilter logs and generate a nice HTML output.
- Wflogs — a firewall log analysis tool. It can be used to produce a log summary report in plain text, HTML and XML, or to monitor firewalling logs in real-time.
- Samba — contains extra iptables rules
External links
- netfilter.org
- GNU Firewall Free Software Directory
- Iptables Tutorial 1.2.2 — by Oskar Andreasson
- Linux Networking-concepts HOWTO
- Iptables - Example Firewall Rulesets — by James Stephens
- Iptables On A Linksys-Cisco WRT54GL Broadband Router HOWTO — by James Stephens
- the DD-WRT Wiki — a third party developed firmware for many 802.11g wireless routers based on a Broadcom chip reference design.
- Firewall for Single Host with Iptables
- Netfilter Log Format
- Linux Network Administrator's Guide, 2nd Edition - Chapter 9: TCP/IP Firewall
- TCP/IP Network Administration, 3rd Edition - Chapter 9: Local Network Services
- Step-By-Step Configuration of NAT with iptables
- Easy Firewall Generator for IPTables
- Firewalling with netfilter/iptables — on linux.ie
- Beating Sandvine with Linux iptables — for legal downloads only.
- pam_recent: an add-on to make iptables' recent match more useful
- An Introduction to TCP/IP
