Netfilter/Iptables 101

Iptables command structure:

iptables -t table_name -CHAIN_OPERATION CHAIN_NAME -criteria -j TARGET
ex:
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT

(if table_name is omitted the default value is filter)

Table Names:

  • filter
  • nat
  • raw
  • mangle

Chain Operations:

  • -A -> append a rule at the end of the specified chain;
  • -I -> insert a rule at the beginning of the specified chain (or at a given rule number);
  • -D -> delete a specific rule;
  • -L -> list the rules of a chain (or of all chains in the table);
  • -P -> set the policy, the default target applied when no rule in the chain matches the packet;
  • -N -> create a new user-defined chain;
  • -X -> delete a user-defined chain;
  • -F -> flush, delete all rules from the specified chain (or from every chain in the table);
  • -Z -> zero, reset the packet and byte counters;

Chain Names:

  • PREROUTING
  • INPUT
  • OUTPUT
  • FORWARD
  • POSTROUTING

Targets:

  • ACCEPT -> accept the packet;
  • DROP -> drop the packet silently;
  • REJECT -> the packet is rejected and the host responds with an error message to the source;
  • LOG -> logs information about the packet to the kernel log (usually saved to a file by syslog);
  • LIMIT -> limits the number of packets matched in a period of time;
  • SNAT -> source NAT;
  • MASQUERADE -> source NAT for a dynamic public IP;
  • DNAT -> destination NAT / port forwarding;
  • TTL -> modifies the TTL of a packet (IP header);

Criteria:

  • -s IP_source (ex: -s 192.168.1.0/24)
  • -d IP_destination (ex: -d 0/0)
  • -p protocol (ex: -p tcp)
  • --sport source_port (ex: --sport 22)
  • --dport destination_port (ex: --dport 80)
  • -i interface_in (ex: -i eth0)
  • -o interface_out (ex: -o eth1)
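The following script is an added example, not code from the original post: it combines the tables, chain operations, targets and criteria listed above into a minimal default-deny host firewall. IPT defaults to "echo iptables" so the script only prints the rules; run it as root with IPT=iptables to apply them. The interface name, admin network and chain name LOGDROP are constructed assumptions, and the rate-limited LOG uses the limit match module (-m limit), the current form of the LIMIT entry above, with -m conntrack in place of the older -m state.

```shell
#!/bin/sh
# Added example (not from the original post): default-deny host firewall.
# IPT="echo iptables" prints the rules instead of applying them (dry run);
# set IPT=iptables and run as root to apply. Values below are assumptions.
IPT="${IPT:-echo iptables}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # constructed: network allowed to reach SSH

build_host_rules() {
    # Start from a clean filter table, then make DROP the default (-P) so that
    # anything not explicitly allowed below is discarded.
    $IPT -t filter -F
    $IPT -t filter -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and already-tracked connections are inserted at the top (-I):
    # rules are evaluated in order, and most packets match one of these two.
    $IPT -I INPUT 1 -i lo -j ACCEPT
    $IPT -I INPUT 2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # A user-defined chain (-N) that logs at a bounded rate and then drops.
    # LOG is non-terminating, so the packet continues to the DROP rule; the
    # limit match keeps a packet flood from filling the kernel log.
    $IPT -N LOGDROP
    $IPT -A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-DROP: "
    $IPT -A LOGDROP -j DROP

    # Services: SSH only from the admin network (-s), HTTP/HTTPS from anywhere.
    $IPT -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

    # Everything else arriving on INPUT goes through the logging chain.
    $IPT -A INPUT -j LOGDROP
}

# Number of iptables invocations the function emits; a sanity check for the dry run.
count_rules() {
    build_host_rules | wc -l | tr -d ' '
}

build_host_rules
```

Because OUTPUT keeps an ACCEPT policy, the host can still reach DNS and package mirrors; FORWARD is DROP because a plain host does not route. The policy is set before the allow rules so that a failure halfway through the script leaves the host closed rather than open.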

Example of Source NAT where 223.80.45.32 is the public IP:

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 223.80.45.32
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE   # only if the public IP is dynamic; use instead of the SNAT rule above

Example of Destination NAT (port forwarding) where 192.168.1.10 is the web server:

iptables -t nat -A PREROUTING -p tcp -d 224.56.90.50 --dport 80 -j DNAT --to-destination 192.168.1.10:8080
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 8080 -m state --state NEW -j ACCEPT   # FORWARD sees the rewritten destination, so the forwarded connection must be allowed here
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

Example of inbound port opening:

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
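As an added example that is not part of the original post, the script below turns the SNAT and DNAT examples above into one NAT gateway ruleset, including the FORWARD rules a port forward needs in order to pass traffic and the sysctl that enables routing. IPT and SYSCTL default to echo for a dry run; set IPT=iptables SYSCTL=sysctl and run as root to apply. Interface names, the LAN network, the public address (taken from the 203.0.113.0/24 documentation range) and the web server address are constructed placeholders, and -m conntrack is used in place of the older -m state.

```shell
#!/bin/sh
# Added example (not from the original post): NAT gateway with SNAT/MASQUERADE
# for the LAN and a DNAT port forward to an internal web server.
# Dry run by default; set IPT=iptables SYSCTL=sysctl and run as root to apply.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"
WAN_IF="${WAN_IF:-eth0}"                  # constructed
LAN_IF="${LAN_IF:-eth1}"                  # constructed
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # constructed
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"    # constructed, documentation range
USE_MASQUERADE="${USE_MASQUERADE:-0}"     # 1 when the public IP is dynamic
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"  # constructed
WEB_PORT="${WEB_PORT:-8080}"              # constructed

nat_gateway_rules() {
    # The kernel only routes between interfaces when forwarding is enabled.
    $SYSCTL -w net.ipv4.ip_forward=1

    $IPT -t nat -F
    $IPT -t filter -F FORWARD
    $IPT -P FORWARD DROP

    # Source NAT for the LAN, restricted to the WAN interface so that traffic
    # between LAN interfaces is never rewritten. SNAT needs a fixed public IP;
    # MASQUERADE picks up the interface address and suits a dynamic one.
    if [ "$USE_MASQUERADE" = "1" ]; then
        $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    else
        $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$PUBLIC_IP"
    fi

    # Destination NAT: TCP/80 arriving on the WAN interface goes to the web server.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:$WEB_PORT"

    # FORWARD is evaluated after PREROUTING DNAT, so it sees the rewritten
    # destination; without the second rule the forward is rejected at the end.
    $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport "$WEB_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # LAN hosts may open outbound connections through the gateway; nothing else is forwarded.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}

# Returns only the DNAT rule, handy for checking the generated target.
dnat_rule() {
    nat_gateway_rules | grep -- '-j DNAT'
}

nat_gateway_rules
```

The DNAT rule matches on -i and the WAN interface rather than on the public address, so it keeps working when the address changes; the FORWARD accept for the forwarded service is limited to the exact host and port that DNAT produces, which keeps the gateway from becoming a general path into the LAN.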