IP Tables Firewall in Linux

iptables is the user-space tool for configuring the Linux kernel's netfilter packet filter, and it plays an essential role in network security on most Linux systems.
The packet filtering mechanism provided by iptables is organized into three kinds of structures: tables, chains and targets.
========>The default table is the filter table (every command without -t operates on it).
=======>The default policy of a built-in chain is also a target. Out of the box every built-in chain has a policy of ACCEPT, so nothing is blocked until rules are added or the policy is changed. User-defined chains have no policy: a packet that reaches the end of one returns to the chain that jumped to it.
======>A target decides the fate of a packet, such as allowing it (ACCEPT), discarding it silently (DROP) or rejecting it with an error back to the sender (REJECT).
===========================================
iptables configuration front-ends: e.g. fwbuilder, Bastille and ufw (all of them generate iptables rules underneath).
===================================
iptables saved-rules file: /etc/sysconfig/iptables (RHEL/CentOS with the iptables-services package; Debian/Ubuntu with iptables-persistent use /etc/iptables/rules.v4). Rules added with the iptables command exist only in the running kernel and are lost on reboot unless written out with iptables-save and loaded again at boot.
====================================================
Tables
The three commonly used tables are filter, nat and mangle (raw and security also exist).

    Filter
        Rules to accept, drop or reject packets
        This is the default and perhaps the most widely used table. It is used to make decisions about whether a packet should be allowed to reach its destination.
    NAT
        Rules to rewrite addresses and ports
        PREROUTING (destination NAT, before the routing decision)
        POSTROUTING (source NAT / MASQUERADE, after the routing decision)
        OUTPUT (destination NAT for packets generated locally)
    Mangle
         Rules to modify the packets
         This table allows you to alter packet headers in various ways, such as changing TTL values

In addition, some kernels also have a security table. It is used by SELinux to implement policies based on SELinux security contexts; it is consulted after the filter table, so ordinary filter rules take effect first.
==================================================
Chains
The filter table has three built-in chains; PREROUTING and POSTROUTING exist in the nat, mangle and raw tables. Rules in a chain are evaluated top to bottom and the first rule with a terminating target (ACCEPT, DROP, REJECT) decides; if no rule matches, the chain policy applies.
INPUT : Built-in chain for packets addressed to the local system.
OUTPUT : Built-in chain for packets generated by the local system.
FORWARD : Built-in chain for packets routed through the system to another interface (only relevant when IP forwarding is enabled).
RH-Firewall-1-INPUT : Example of a user-defined chain (created by the old Red Hat firewall tools). Packets only reach such a chain through a -j RH-Firewall-1-INPUT rule in a built-in chain.
================================================
To check:
List all the rules as iptables commands (the same format iptables-save uses).
# iptables -S
To see the rules of a specific chain (here TCP, a user-defined chain):
# iptables -S TCP

List rules as tables
# iptables -L
or
# iptables -L -n -v

Checking the status of iptables / firewall. Options "-L" (list ruleset), "-v" (verbose: packet and byte counters and interfaces) and "-n" (numeric: do not resolve addresses and ports to names, which is faster and avoids DNS lookups). Both forms show only the filter table; add -t nat or -t mangle to inspect the other tables.

If you want to limit the output to a specific chain (INPUT, OUTPUT, TCP, etc.), you can specify the chain name directly after the -L option.

# iptables -L INPUT

Columns of the -L output:
   target: If a packet matches the rule, the target specifies what should be done with it. For example, a packet can be accepted, dropped, logged,
     or sent to another chain to be compared against more rules
   prot:
       The protocol, such as tcp, udp, icmp, or all
   opt:
      Rarely used, this column indicates IP options
   source:
      The source IP address or subnet of the traffic, or anywhere
   destination:
       The destination IP address or subnet of the traffic, or anywhere
   Extra match conditions (ports, connection states, limits) are printed at the end of each line; with -v the pkts, bytes, in and out columns are added in front.
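The listing commands above are what you would feed into a quick sanity check of the INPUT chain. The script below is an added example, not part of the original page: it reads a chain listing in the `iptables -S INPUT` format and reports the two ordering mistakes this page warns about (a DROP policy without an SSH accept, and a per-source block placed after the ESTABLISHED,RELATED accept). The function name and the two listings are constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Audit a chain listing as printed by `iptables -S INPUT`.
# Added example, not a script from the original page; the listings below
# are constructed, not captured from a host.

audit_input_chain() {
    rules=$1
    policy="" n=0 est_pos=0 ssh_ok=0 findings=""
    while IFS= read -r line; do
        case "$line" in
            "-P INPUT "*)
                policy=${line#-P INPUT } ;;
            "-A INPUT "*)
                n=$((n + 1))
                # Remember the position of the first ESTABLISHED,RELATED accept.
                case "$line" in
                    *ESTABLISHED,RELATED*"-j ACCEPT"*|*RELATED,ESTABLISHED*"-j ACCEPT"*)
                        if [ "$est_pos" -eq 0 ]; then est_pos=$n; fi ;;
                esac
                # Any rule accepting TCP port 22 keeps remote administration reachable.
                case "$line" in
                    *"--dport 22 "*"-j ACCEPT"*) ssh_ok=1 ;;
                esac
                # A source-specific DROP/REJECT placed after the stateful accept
                # only catches new connections from that source.
                case "$line" in
                    *"-s "*"-j DROP"*|*"-s "*"-j REJECT"*)
                        src=${line#*-s }; src=${src%% *}
                        if [ "$est_pos" -ne 0 ] && [ "$n" -gt "$est_pos" ]; then
                            findings="${findings}ORDER: block for $src (rule $n) comes after the ESTABLISHED,RELATED accept (rule $est_pos); open connections from it survive
"
                        fi ;;
                esac ;;
        esac
    done <<EOF
$rules
EOF
    if [ "$policy" = "DROP" ] && [ "$ssh_ok" -eq 0 ]; then
        findings="${findings}LOCKOUT: INPUT policy is DROP and no rule accepts tcp dport 22
"
    fi
    if [ "$policy" = "DROP" ] && [ "$est_pos" -eq 0 ]; then
        findings="${findings}NOREPLY: INPUT policy is DROP with no ESTABLISHED,RELATED accept; replies to outbound connections are dropped
"
    fi
    printf 'policy=%s rules=%s\n%s' "$policy" "$n" "$findings"
    return 0
}

# Constructed sample 1: block rule after the stateful accept, no SSH rule.
BAD_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 66.211.214.131/32 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# Constructed sample 2: same intent, ordered the way this page recommends.
GOOD_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 66.211.214.131/32 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

audit_input_chain "$BAD_RULES"
audit_input_chain "$GOOD_RULES"
```

On a live host replace the constructed listings with `audit_input_chain "$(iptables -S INPUT)"`. The check is deliberately textual: it only recognises the rule spellings shown on this page, so a chain that allows SSH through a user-defined chain or a multiport match will show up as a false LOCKOUT and needs a manual look.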
==============================================
To clear the packet and byte counters for all chains and rules, use the -Z option by itself
# iptables -Z
To clear the INPUT chain counters run this command:
# iptables -Z INPUT
To zero the counters for the 1st rule in the INPUT chain, run this:
# iptables -Z INPUT 1
------------------------------------------------------------------

To set the default policy of a built-in chain (ACCEPT or DROP; REJECT is not a valid policy)

# iptables -P CHAIN POLICY

e.g. # iptables -P INPUT DROP. Over a remote session, set the INPUT policy to DROP only after the rules that accept ESTABLISHED,RELATED traffic and your SSH port are in place; otherwise the session is cut off the moment the command runs.

Allowing a particular IP or network

# iptables -A INPUT -s 192.168.100.0/24 -j ACCEPT

Blocking a particular IP

# iptables -t filter -A INPUT -s 59.45.175.62 -j REJECT

You can also block IP ranges by using CIDR notation. If you want to block all IPs ranging from
59.45.175.0 to 59.45.175.255, you can do so with:

# iptables -A INPUT -s 59.45.175.0/24 -j REJECT

-A appends the rule at the end of the chain, so it has no effect if an earlier rule already accepts that traffic (for example the ESTABLISHED,RELATED accept). To make a block rule win, insert it at the top with -I INPUT instead of -A INPUT. REJECT answers the sender with an ICMP error; DROP discards silently and gives a scanner less to work with.
================================================

Allowing the internet traffic (replies to connections the host itself opened)

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allowing all outbound traffic
# iptables -A OUTPUT -j ACCEPT
Allowing HTTP and HTTPS connections from anywhere (the normal ports for websites)
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Allowing SSH connections. The --dport number is the same as the Port setting in /etc/ssh/sshd_config
# iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
(On current kernels -m conntrack --ctstate is the preferred spelling of -m state --state; both work.)
Blocking an IP address with iptables

The policy for INPUT must be DROP
Add a new rule to drop the traffic for the corresponding IP address (archlinux.org IP in the original example)
# iptables -A INPUT -s 66.211.214.131 -j DROP
Add a new rule to allow the rest of the internet traffic. All the rules to drop traffic must be created before this rule, because the first matching rule wins: if the ESTABLISHED,RELATED accept came first, connections that address already had open would keep working.
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
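Issuing these rules one iptables command at a time leaves a window in which the policy is already DROP but the allow rules are not yet loaded, and a typo half-way through leaves the host half-configured. The script below is an added example, not a script from the original page: it writes the whole ruleset in iptables-restore format, in the order the steps above require (loopback, per-source blocks, INVALID drop, ESTABLISHED,RELATED accept, services, then a rate-limited log and a final REJECT). The function name and the sample arguments are assumptions made for the demonstration.

```shell
#!/bin/sh
# Emit a complete filter-table ruleset in iptables-restore format.
# Added example, not a script from the original page; the function name
# and the sample arguments below are assumptions for the demonstration.

build_ruleset() {
    # $1 SSH port; $2 space-separated sources to drop; $3 space-separated
    # TCP ports to accept from anywhere.
    ssh_port=$1 blocked=$2 tcp_ports=$3
    printf '%s\n' '*filter'
    # Chain policies: drop inbound and forwarded traffic, allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Blocks go before the stateful accept so that connections already
    # open from a blocked source are cut as well, not just new ones.
    for src in $blocked; do
        printf '%s\n' "-A INPUT -s $src -j DROP"
    done
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # SSH is listed before the service ports so a later edit of the
    # service list cannot shadow it.
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    for port in $tcp_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log line, then an explicit REJECT for everything else.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-reject: " --log-level 4'
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' 'COMMIT'
}

# Sample arguments (constructed): SSH on 22, the two addresses blocked
# in the examples above, and a web server on 80/443.
build_ruleset 22 "66.211.214.131 59.45.175.0/24" "80 443"
```

Save the output to a file and load it with `iptables-restore < rules.v4`: the filter table is replaced in one step, so the policy change and the allow rules land together and the lock-out ordering problem of issuing -P INPUT DROP first does not arise. Newer iptables releases accept `iptables-restore --test` to parse the file without committing it. The same file can be kept at the saved-rules path for your distribution so it is reloaded at boot.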
================================================
Common iptables options:
-t TABLE            Select the table (filter is the default)
-A CHAIN            Append a new rule at the end of the chain
-I CHAIN [N]        Insert a new rule at position N (default 1, the top of the chain)
-D CHAIN ...        Delete a rule, by specification or by number
-R CHAIN N ...      Replace the rule at position N with a new one
-L                  List the rules
-L --line-numbers   Show the position number of each rule
-F                  Delete all the rules of every chain in the table
-F CHAIN            Delete the rules of a specific chain
-N CHAIN_NAME       Create a new user-defined chain
-X CHAIN            Delete a user-defined chain (it must be empty and not referenced by any rule)
-P CHAIN POLICY     Set the default policy of a built-in chain
-s ADDRESS          Specify a source (IP address or CIDR network); -d specifies the destination
-p PROTOCOL         Specify the protocol (tcp, udp, icmp, all)
-p tcp --dport N    Specify the destination port (--sport for the source port)
-j TARGET           Jump to a target (ACCEPT, DROP, REJECT, LOG or a user-defined chain) for a specific rule
==========================================
Delete rule

(Delete rule by specification: repeat the rule exactly as it was added, with -D instead of -A)
# iptables -D INPUT -m conntrack --ctstate INVALID -j DROP
or
# iptables -D INPUT -s 221.194.47.0/24 -j REJECT

Delete rule by chain and number

The other way to delete iptables rules is by chain and line number.
To determine a rule's line number, list the rules in the table format and add the --line-numbers option:

    # iptables -L --line-numbers

--------------------------------------
For example, if we want to delete the input rule that drops invalid packets,
and the listing shows it as rule 3 of the INPUT chain, we run:

    # iptables -D INPUT 3

Deleting a rule renumbers every rule below it, so when removing several rules by number delete the highest number first.
Flush
Flush a single chain
# iptables -F INPUT

Flush all chains (filter table only; other tables need -t)
# iptables -F

Flush all rules, delete all chains, and accept all
First set the default policies to ACCEPT; flushing a chain whose policy is still DROP blocks all traffic and cuts off a remote session:
    # iptables -P INPUT ACCEPT
    # iptables -P FORWARD ACCEPT
    # iptables -P OUTPUT ACCEPT
Then flush the nat and mangle tables, flush all chains (-F), and delete all non-default chains (-X):

    # iptables -t nat -F
    # iptables -t mangle -F
    # iptables -F
    # iptables -X
