-
Notifications
You must be signed in to change notification settings - Fork 0
/
iptables1
154 lines (127 loc) · 7.56 KB
/
iptables1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
######################################
IPTABLES
######################################
######################################
1 TABLES :
######################################
1-1 filter
1-2 nat
1-3 mangle
1-4 raw
1-5 security
######################################
2 chain
######################################
2-1 PREROUTING
2-2 POSTROUTING
2-3 INPUT
2-4 OUTPUT
2-5 FORWARD
######################################
3 target
######################################
3-1 ACCEPT
3-2 DROP
3-3 REJECT
3-4 MASQUERADE
3-5 MARK
3-6 DNAT
3-7 SNAT
3-8 TO-PORT
######################################
4 switches
######################################
#################################################################################################################################
# 1 # -A # Append one or more rules to the end of the selected chain. #
# 2 # -C # Check whether a rule matching the specification does exist in the selected chain. #
# 3 # -D # Delete one or more rules from the selected chain. #
# 4 # -I # Insert one or more rules in the selected chain as the given rule number. #
# 5 # -R # Insert one or more rules in the selected chain as the given rule number. #
# 6 # -L # List all rules in the selected chain. #
# 7 # -S # Print all rules in the selected chain. #
# 8 # -F # Flush the selected chain (all the chains in the table if none is given). #
# 9 # -Z # Zero the packet and byte counters in all chains, or only the given chain, or only the given rule in a chain. #
#10 # -N # Create a new user-defined chain by the given name. #
#11 # -X # Delete the optional user-defined chain specified. #
#12 # -P # Set the policy for the built-in (non-user-defined) chain to the given target. #
#13 # -E # Rename the user specified chain to the user supplied name. #
#14 # -h # Help #
#15 # -o # output interfce #
#16 # -i # incoming interface #
#17 # -s # source ip address #
#18 # -d # destination ip address #
#19 # -t # specific tables #
#20 # -j # specific target #
#21 # --dport # specific destination port #
#22 # --sport # specific source port #
#23 # -p # specific protocol (tcp,udp,ip,icmp) #
#################################################################################################################################
######################################
1.1 Filter
######################################
The filter table is the default table for any rule. It is where the bulk of the work in an iptables firewall occurs. Avoid filtering in any other table as it may not work.
This table contains three chains:
1. INPUT: used for traffic which is entering our system and belongs to an IP address which is on our local machine
2. OUTPUT: used for traffic which originated on the local system, otherwise known as the firewall
3. FORWARD: used for traffic which is being routed between two network interfaces on our firewall
There are three main targets for a rule within the filter table.
1. ACCEPT: allows the packet to be passed through the firewall without any noticeable interaction
2. DROP: simply drops the packet as if it has never been in the system
3. REJECT: drops the packet then sends a ICMP reply back to the client telling it why the connection failed
######################################
1.2 Nat
######################################
This table is consulted when a packet that creates a new connection is encountered.
1.2.1 Destination Network Address Translation (DNAT)
iptables -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 80 -j DNAT \ --to-destination $HTTP_IP
Exp :
iptables -t nat -A PREROUTING -p tcp -d 10.10.20.99 --dport 80 -j DNAT --to-destination 10.10.14.2
{final des is 10.10.20.99 router des is 10.10.14.2}
1.2.2 Source Network Address Translation (SNAT)
iptables -t nat -A POSTROUTING -p tcp --dst $HTTP_IP --dport 80 -j SNAT \ --to-source $LAN_IP
Exp:
iptables -t nat -A POSTROUTING -s 172.17.10.200/32 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.103.0/24 -j SNAT --to 211.23.112.25
######################################
1.3 Mangle
######################################
This table is used for specialized packet alteration.
######################################
1.4 raw
######################################
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target.
######################################
1.5 security
######################################
This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets.
######################################
Example
######################################
# change default policy of chains
iptables -t $table -P chain new-target
Exp :
iptables -P INPUT DROP
# create new chain
iptables -t $table -N new-chain
Ext :
iptables -t nat -N NEWCHAIN
# change name of chains
iptables -t $table -E old-chain new-chain
Ext :
iptables -t mangle -E OLDCHAIN NEWCHAIN
# delete chains
iptables -t $table -X chain-name
Ext :
iptables -t nat -X NAMECHAIN
# Accept tcp packets on destination port 6881 (bittorrent)
iptables -A INPUT -p tcp --dport 6881 -j ACCEPT
# Accept tcp packets on destination ports 6881-6890
iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT
# Accept tcp packets on destination port 22 (SSH) from private LAN
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
# Accept packets from trusted IP addresses
iptables -A INPUT -s 192.168.0.4 -m mac --mac-source 00:50:8D:FD:E6:32 -j ACCEPT
If we wanted to block packets heading to 172.25.0.1 from anything on the 10.0.0.0/8 network, we would do:
iptables -A INPUT -s 10.0.0.0/8 -d 172.25.0.1 -j DROP
NOTE: for permanent all iptables rules you must set this cammand:
/etc/init.d/iptables save