iptables is a tool used to configure the IPv4 packet filtering ruleset (ip6tables is used for IPv6).

It can be used on routers as well as hosts.

The filter table, the nat table, and the mangle table are the three objects in iptables used to control packet filtering, network address translation, and modification of packet headers respectively.

In this document we explain the filter table.
The filter table consists of three chains: INPUT, OUTPUT, and FORWARD.
- The INPUT chain is an ordered list of rules used to process incoming packets destined to the machine on which iptables is running, i.e. the destination address field of the packet is the address of one of the interfaces hosted by the machine.
- The OUTPUT chain is an ordered list of rules used to process outgoing packets originated by the machine on which iptables is running, i.e. the source address field of the packet is the address of one of the interfaces hosted by the machine.
- The FORWARD chain is an ordered list of rules used to process packets to be relayed. In this case the machine needs to relay a packet that arrived on one of its interfaces out through another.

A rule is just a set of checks on packet fields plus an action (called the jump target) to be executed when the checks match.

The order of the rules is important, because the jump target of the first matching rule is the only one that gets executed.

There are four jump targets: ACCEPT grants permission, REJECT denies the packet and sends an error reply back to the sender, DROP denies the packet silently, and LOG logs information about the packet to "/var/log/firewall". LOG is the one non-terminating target: after a LOG rule matches, evaluation continues with the next rule, which is why a LOG rule is normally placed immediately before the DROP or REJECT rule it documents.
The basic rule syntax is:

iptables (table name) (qualifier) (chain name) (layer 2 match criteria) (layer 3 match criteria) (layer 4 match criteria) (jump target)

| Element | Meaning |
|---|---|
| (table name) | denotes the table the rule is intended for, e.g. "-t filter" or "-t nat"; if not given, "-t filter" is the default |
| (qualifier) | specifies what you want to do with the rule, e.g. "-A" means append to the end of the list, "-I (chain name) 8" means insert at position 8 in the list, "-R (chain name) 8" means replace the rule at position 8 |
| (chain name) | the name of the chain, e.g. INPUT, OUTPUT, or FORWARD |
| (layer 2 match criteria) | criteria related to interface names such as eth0 |
| (layer 3 match criteria) | criteria related to the fields of the IP packet, such as source/destination address or upper layer protocol |
| (layer 4 match criteria) | criteria related to the fields of the TCP/UDP segment, such as source/destination port number |
The following tables group the switches used to define the different levels of match criteria.

IP/INTERFACE MATCH CRITERIA

| Switch | Description |
|---|---|
| -p protocol-type | Match protocol. Types include icmp, tcp, udp, and all |
| -s ip-address | Match source IP address |
| -d ip-address | Match destination IP address |
| -i interface-name | Match the "input" interface on which the packet enters |
| -o interface-name | Match the "output" interface on which the packet exits |

TCP/UDP MATCH CRITERIA

| Switch | Description |
|---|---|
| -p tcp --sport port | TCP source port. Can be a single value or a range in the format starting-port:ending-port |
| -p tcp --dport port | TCP destination port. Can be a single value or a range in the format starting-port:ending-port |
| -p tcp --syn | Used to identify a new TCP connection request. "! --syn" means not a new connection request |
| -p udp --sport port | UDP source port. Can be a single value or a range in the format starting-port:ending-port |
| -p udp --dport port | UDP destination port. Can be a single value or a range in the format starting-port:ending-port |

ICMP MATCH CRITERIA

| Switch | Description |
|---|---|
| --icmp-type type | The most commonly used types are echo-reply and echo-request |

SOME EXTENDED MATCH CRITERIA

| Switch | Description |
|---|---|
| -m multiport --sports port1,port2,port3,... | A list of TCP/UDP source ports separated by commas (no spaces). Unlike when -m multiport isn't used, the ports do not have to form a range. |
| -m multiport --dports port1,port2,port3,... | A list of TCP/UDP destination ports separated by commas (no spaces). Unlike when -m multiport isn't used, the ports do not have to form a range. |
To understand iptables you'd better go through the following examples:

iptables -t filter -A INPUT -s 100.100.100.100 -j ACCEPT
Accept (-j ACCEPT) all incoming packets destined to this host (INPUT) from source 100.100.100.100 (-s 100.100.100.100), and append (-A) this rule to the end of the INPUT chain of the filter table (-t filter).

iptables -I INPUT 10 -p udp --dport 4444 -j DROP
Drop (-j DROP) all incoming packets destined to this host (INPUT) carried over UDP (-p udp) to destination port (--dport) 4444, and insert (-I) this rule at position ten (10) of the INPUT chain of the filter table (the default table).

iptables -A INPUT -s 0/0 -i eth0 -d 100.100.100.100 -p tcp -j ACCEPT
Accept (-j ACCEPT) TCP packets (-p tcp) coming through interface eth0 (-i eth0) from any IP address (-s 0/0 means any IP address) destined to the host's IP address 100.100.100.100 (-d 100.100.100.100), and append this rule to the end of the INPUT chain.

iptables -A FORWARD -s 100.100.100.0/24 -i eth0 -d 200.200.200.200 -o eth1 -p tcp --sport 4444:5555 --dport 80 -j ACCEPT
Accept TCP packets (-p tcp) originating from an address in the subnet 100.100.100.0/24 (-s 100.100.100.0/24) with a source port between 4444 and 5555 (--sport 4444:5555) and destination port 80 (--dport 80) for forwarding (FORWARD) when they enter through interface eth0 (-i eth0) and are destined to 200.200.200.200 (-d 200.200.200.200), which is reached through interface eth1 (-o eth1).

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
Grant permission (-j ACCEPT) to ICMP packets (-p icmp) whose type field is set to echo request (--icmp-type echo-request) and that originate from this host to leave the machine, and append this rule to the end of the OUTPUT chain (-A OUTPUT).

iptables -A INPUT -i eth0 -p tcp --syn ! --dport 80 -j DROP
Drop (-j DROP) TCP (-p tcp) connection request packets (--syn) coming through interface eth0 (-i eth0) destined to any port other than 80 (! --dport 80). The negation sign goes before the switch it negates; the older form "--dport ! 80" is deprecated.

iptables -A OUTPUT -p tcp -m multiport --dports 80,8080 -j DROP
Drop (-j DROP) TCP packets (-p tcp) generated by this host (OUTPUT) with destination port 80 or 8080 (-m multiport --dports 80,8080). This basically cuts the host's connections to HTTP servers.
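The chain semantics described above (ordered first match, the four targets, port ranges, multiport lists and "!" negation) as an added Python simulation; this is example code written for this page, not iptables itself or code from the original text. It parses the page's own command syntax into rules and evaluates constructed packet dicts against a constructed INPUT chain; the packet field names (src, dst, iif, proto, syn, sport, dport, icmp_type) are this example's own convention, and LOG is treated as non-terminating, as real iptables does.

```python
import ipaddress
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # LOG is non-terminating: the walk continues after it
KEYS = {"-t": "table", "-A": "chain", "-j": "target", "-m": "ext", "-s": "src", "-d": "dst",
        "-i": "iif", "-o": "oif", "-p": "proto", "--sport": "sport", "--sports": "sport",
        "--dport": "dport", "--dports": "dport", "--icmp-type": "icmp_type"}
META = {"table", "chain", "target", "ext"}  # bookkeeping entries, not packet criteria

def parse_rule(cmd):  # 'iptables [-t T] -A CHAIN <criteria> -j TARGET' -> {name: (value, negated)}
    argv, rule, neg, i = shlex.split(cmd), {}, False, 1
    while i < len(argv):
        if argv[i] == "!":                    # extrapositioned negation, e.g. '! --dport 80'
            neg, i = True, i + 1
        elif argv[i] == "--syn":              # the only switch here that takes no value
            rule["syn"], neg, i = (True, neg), False, i + 1
        else:                                 # every other switch takes exactly one value
            rule[KEYS[argv[i]]], neg, i = (argv[i + 1], neg), False, i + 2
    return rule
def port_match(spec, port):  # '80', a range '4444:5555' or a multiport list '80,8080'
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (p.partition(":") for p in spec.split(",")))
def matches(rule, pkt):  # True when every criterion of the rule holds for the packet dict
    for key, (val, neg) in ((k, v) for k, v in rule.items() if k not in META):
        if key in ("src", "dst"):             # '0/0' is the page's shorthand for any address
            net = ipaddress.ip_network("0.0.0.0/0" if val == "0/0" else val, strict=False)
            hit = ipaddress.ip_address(pkt[key]) in net
        elif key in ("sport", "dport"):
            hit = port_match(val, pkt.get(key, -1))
        elif key == "proto":
            hit = val.lower() in ("all", pkt.get("proto"))
        else:                                 # iif, oif, icmp_type, syn: exact field comparison
            hit = pkt.get(key) == val
        if hit == neg:                        # criterion failed, or matched but negated by '!'
            return False
    return True
def evaluate(rules, pkt, policy="DROP"):  # first matching terminating rule decides the verdict
    logged = []
    for rule in (r for r in rules if matches(r, pkt)):
        if rule["target"][0] in TERMINATING:
            return rule["target"][0], logged
        logged.append(rule)                   # LOG matched: record it and keep walking the chain
    return policy, logged

# Constructed INPUT chain (not from the page), in append order; the order decides the verdicts.
INPUT_CHAIN = [parse_rule(c) for c in (
    "iptables -t filter -A INPUT -s 100.100.100.100 -j ACCEPT",
    "iptables -A INPUT -i eth0 -p tcp --syn ! --dport 80 -j LOG",
    "iptables -A INPUT -i eth0 -p tcp --syn ! --dport 80 -j DROP",
    "iptables -A INPUT -p tcp -m multiport --dports 80,8080 -j ACCEPT")]
```

Note that a SYN from the trusted host to port 22 is accepted by the first rule even though the later rules would log and drop it; swap the rule order and the verdict changes.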
Cisco IP Access Control Lists filter the traffic entering or leaving a router.

A Cisco router can have multiple access lists, and each access list contains multiple entries (rules).

Traffic entering the router is compared to the ACL entries in the order in which they occur. If no match is found, the traffic is denied! (Compare with iptables.)
Traffic leaving the router, i.e. generated by the router, is compared to the ACL entries in the order in which they occur. If no match is found, the traffic is permitted! (Compare with iptables.)

The access lists are kept in a text file so that you can modify the entries and their order.
The syntax for an access list entry is:

access-list <number 100-199> <permit | deny> <protocol> <source> <source-mask> <operator source port> <destination> <destination-mask> <operator destination port> <options> <log>

- access list number: a number between 100 and 199 grouping together the entries of the same access list
- permit | deny: tells whether to permit or deny a packet if the conditions in the entry match
- protocol: IP, ICMP, SNMP, UDP or TCP. If omitted, the entry pertains to all network traffic regardless of protocol
- source, source-mask: the source address field. "any" matches any IP address. You can give an IP address with a mask to match multiple IP addresses sharing a common prefix, or a single IP address. Alternatively a single source can be specified with the "host" keyword, as in "host 192.168.212.110"
- The mask is different from a subnet mask: a 0 bit means "exact match" and a 1 bit means "don't care". For example, to match traffic from the subnet 111.111.111.0/24 the Cisco IP access mask is 0.0.0.255
- operator source port: lt, gt, eq, neq, range (less than, greater than, equal, not equal, range) followed by a port number. For range you must specify two different port numbers
- destination, destination-mask: similar to "source, source-mask", for the destination address
- operator destination port: similar to "operator source port", for the destination port
- options: takes the value "est" (established), which matches TCP packets belonging to an already established connection (ACK or RST bit set), not the initial connection request
- log: logs the operation to the "syslog" file

<number 100-199>, <permit | deny> and either <source> <source-mask> or <destination> <destination-mask> are required fields; the rest is optional.
Examples:

access-list 111 permit tcp any host 152.8.1.1 eq 80
Permit TCP traffic coming from any source address destined to port 80 of host 152.8.1.1.

access-list 123 deny any 178.22.8.9 0.0.255.255
Deny traffic from any source address destined to the network 178.22.0.0/16, regardless of the protocol.
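The entry syntax, the wildcard-mask rule and the first-match evaluation with implicit deny described above as an added Python simulation; this is example code written for this page, not Cisco IOS and not code from the original text. parse_entry accepts the page's entry format (including its optional protocol), wildcard_for_prefix derives the mask for a /N prefix, and acl_verdict applies an access list to constructed packet dicts whose field names (src, dst, proto, sport, dport, est) are this example's own convention.

```python
import ipaddress

def wildcard_for_prefix(prefix_len):  # /24 -> '0.0.0.255': 0 bits must match, 1 bits are don't-care
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))
def wildcard_match(addr, base, wildcard):  # addr agrees with base on every bit that is 0 in wildcard
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w == 0

OPS = {"eq": lambda p, v: p == v[0], "neq": lambda p, v: p != v[0], "lt": lambda p, v: p < v[0],
       "gt": lambda p, v: p > v[0], "range": lambda p, v: v[0] <= p <= v[1]}

def _take_addr(tok):  # consume 'any' | 'host A' | 'A WILDCARD' from the token list -> (base, wildcard)
    if tok[0] == "any":
        return tok[1:], ("0.0.0.0", "255.255.255.255")
    if tok[0] == "host":
        return tok[2:], (tok[1], "0.0.0.0")
    return tok[2:], (tok[0], tok[1])
def _take_port(tok):  # consume an optional '<lt|gt|eq|neq> PORT' or 'range P1 P2' -> (op, ports)
    if tok and tok[0] in OPS:
        n = 2 if tok[0] == "range" else 1
        return tok[1 + n:], (tok[0], tuple(int(p) for p in tok[1:1 + n]))
    return tok, None
def parse_entry(line):  # 'access-list N permit|deny [proto] SRC [op port] DST [op port] [est] [log]'
    tok = line.split()
    if tok[0] != "access-list" or not 100 <= int(tok[1]) <= 199:
        raise ValueError("expected an extended access list entry (number 100-199)")
    rest = tok[3:]  # the page treats the protocol as optional; an omitted protocol means all IP traffic
    proto = rest.pop(0).lower() if rest[0].lower() in ("ip", "tcp", "udp", "icmp") else "ip"
    entry = {"acl": int(tok[1]), "action": tok[2], "proto": proto}
    rest, entry["src"] = _take_addr(rest)
    rest, entry["sport"] = _take_port(rest)
    rest, entry["dst"] = _take_addr(rest)
    rest, entry["dport"] = _take_port(rest)
    entry["est"], entry["log"] = bool({"est", "established"} & set(rest)), "log" in rest
    return entry
def _port_ok(cond, port):  # an absent operator matches any port; an absent port never matches one
    return cond is None or (port is not None and OPS[cond[0]](port, cond[1]))
def acl_verdict(entries, pkt):  # first matching entry decides; no match at all -> implicit deny
    for e in entries:
        if (e["proto"] in ("ip", pkt["proto"]) and wildcard_match(pkt["src"], *e["src"])
                and wildcard_match(pkt["dst"], *e["dst"]) and _port_ok(e["sport"], pkt.get("sport"))
                and _port_ok(e["dport"], pkt.get("dport")) and (not e["est"] or pkt.get("est", False))):
            return e["action"], e["log"]
    return "deny", False

# Constructed access list 111: the first entry is the page's example, the other two are added here.
ACL_111 = [parse_entry(line) for line in (
    "access-list 111 permit tcp any host 152.8.1.1 eq 80",
    "access-list 111 permit tcp any 152.8.1.0 0.0.0.255 range 20 21 log",
    "access-list 111 deny ip any any")]
```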
Note: This document is partially compiled from the WWW to provide a clear and simple, but sufficiently extensive, guide to the Linux iptables tool.