iptables

已发布 2019-04-03 22:52:52

iptables

  • iptables
    • netfilter
      • The Linux kernel comes with a packet filtering framework named netfilter
      • It allows you to allow, drop and modify traffic leaving in and out of a system.
      • inside the Linux 2.4.x and later kernel series.
      • Software inside this framework enables packet filtering, network address (and port) translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems.
      • features
        • stateless packet filtering (IPv4 and IPv6)
        • stateful packet filtering (IPv4 and IPv6)
        • all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 and IPv6)
        • flexible and extensible infrastructure
        • multiple layers of API’s for 3rd party extensions
    • iptables is a generic table structure for the definition of rulesets.
    • Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target)
    • iptables provides different commands for these protocols — iptables for IPv4 and ip6tables for IPv6
    • some abbreviations for iptables output
      • prot: protocol
      • opt: ?
      • dpt: destination port
      • ct: connect
    • special options
      • -m: extended match (may load extension) with help by some modules
        • tcp
        • multiport
        • icmp
        • conntrack
        • limit: the job of this module is to place a limit to the number of packets passing through.
        • recent
        • hashlimit
        • owner: block traffic on a per user basis
        • state: replaced by conntrack
      • --ctstate
        • INVALID
        • NEW
        • ESTABLISHED
        • RELATED
        • UNTRACKED
        • SNAT
        • DNAT
    • Unfortunately, it turns out that iptables rules aren’t persistent — they’re lost when you reboot your system.
      • commands iptables-save and iptables-restore
      • On distributions such as RHEL and CentOS, there’s a package named “iptables-services”
      • delete all rules currently insertediptables -F
  • concepts
    • tables
      • a table is something that allows you to process packets in specific ways
      • The default table is the filter table, although there are other tables too.
      • tables have chains attached to them
      • on a modern Linux distributions, there are four tables:
        • filter table
          • used to make decisions about whether a packet should be allowed to reach its destination
        • mangle table
          • to alter packet headers in various ways, such as changing TTL values
        • nat table
          • allows you to route packets to different hosts on NAT (Network Address Translation) networks by changing the source and destination addresses of packets
          • -j: target
            • DNAT
              • mainly used in cases where you have a public IP and want to redirect accesses to the firewall to some other host (on a DMZ for example). In other words, we change the destination address of the packet and reroute it to the host.
            • SNAT
              • changing the source address of packets
            • MASQUERADE: The MASQUERADE target is used basically the same as the SNAT target, but it does not require any --to-source option.
              • The reason for this is that the MASQUERADE target was made to work with, for example, dial-up connections, or DHCP connections, which gets dynamic IP addresses when connecting to the network in question. This means that you should only use the MASQUERADE target with dynamically assigned IP connections, which we don’t know the actual address of at all times.
              • If you have a static IP connection, you should instead use the SNAT target.
            • REDIRECT
        • raw table
          • iptables is a stateful firewall, which means that packets are inspected with respect to their “state”
          • The raw table allows you to work with packets before the kernel starts tracking its state.
          • In addition, you can also exempt certain packets from the state-tracking machinery.
      • in addition, some kernels also have a security table. It is used by SELinux to implement policies based on SELinux security contexts.
      • each of these tables are composed of a few default chains
    • chains
      • allow you to inspect traffic at various points
      • contain rules which associate with a target to match specific packets
      • a few default chains
        • PREROUTING chain
          • Rules in this chain apply to packets as they just arrive on the network interface.
          • This chain is present in the nat, mangle and raw tables.
        • INPUT chain
          • Rules in this chain apply to packets just before they’re given to a local process.
          • This chain is present in the mangle and filter tables.
        • OUTPUT chain
          • The rules here apply to packets just after they’ve been produced by a process.
          • This chain is present in the raw, mangle, nat and filter tables.
        • FORWARD chain
          • The rules here apply to any packets that are routed through the current host.
          • This chain is only present in the mangle and filter tables.
        • POSTROUTING chain
          • The rules in this chain apply to packets as they just leave the network interface.
          • This chain is present in the nat and mangle tables.
    • targets
      • a target decides the fate of a packet, such as allowing or rejecting it
      • some targets are terminating, the packet won’t be matched against any other rules. The most commonly used terminating targets are:
        • ACCEPT
        • DROP
          • To anyone trying to connect to your system, it would appear like the system didn’t even exist.
        • REJECT
          • It sends a “connection reset” packet in case of TCP, or a “destination host unreachable” packet in case of UDP or ICMP.
      • non-terminating targets
        • LOG
        • RETURN: return to the parent chain and match the other rules there
    • steps
      • When a packet arrives (or leaves, depending on the chain), iptables matches it against rules in these chains one-by-one. When it finds a match, it jumps onto the target and performs the action associated with it. If it doesn’t find a match with any of the rules, it simply does what the default policy of the chain tells it to. The default policy is also a target. By default, all chains have a default policy of allowing packets.

iptables --help

iptables v1.6.0

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain		Append to chain
  --check   -C chain		Check for the existence of a rule
  --delete  -D chain		Delete matching rule from chain
  --delete  -D chain rulenum
				Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
				Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
				Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
				List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
				Print the rules in a chain or all chains
  --flush   -F [chain]		Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
				Zero counters in chain or all chains
  --new     -N chain		Create a new user-defined chain
  --delete-chain
            -X [chain]		Delete a user-defined chain
  --policy  -P chain target
				Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
				Change chain name, (moving any references)
Options:
    --ipv4	-4		Nothing (line is ignored by ip6tables-restore)
    --ipv6	-6		Error (line is ignored by iptables-restore)
[!] --protocol	-p proto	protocol: by number or name, eg. `tcp'
[!] --source	-s address[/mask][...]
				source specification
[!] --destination -d address[/mask][...]
				destination specification
[!] --in-interface -i input name[+]
				network interface name ([+] for wildcard)
 --jump	-j target
				target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match	-m match
				extended match (may load extension)
  --numeric	-n		numeric output of addresses and ports
[!] --out-interface -o output name[+]
				network interface name ([+] for wildcard)
  --table	-t table	table to manipulate (default: `filter')
  --verbose	-v		verbose mode
  --wait	-w [seconds]	wait for the xtables lock
  --line-numbers		print line numbers when listing
  --exact	-x		expand numbers (display exact values)
[!] --fragment	-f		match second or further fragments only
  --modprobe=<command>		try to insert modules using this command
  --set-counters PKTS BYTES	set the counter during insert/append
[!] --version	-V		print package version.

Valid ICMP Types

any
echo-reply (pong)
destination-unreachable
   network-unreachable
   host-unreachable
   protocol-unreachable
   port-unreachable
   fragmentation-needed
   source-route-failed
   network-unknown
   host-unknown
   network-prohibited
   host-prohibited
   TOS-network-unreachable
   TOS-host-unreachable
   communication-prohibited
   host-precedence-violation
   precedence-cutoff
source-quench
redirect
   network-redirect
   host-redirect
   TOS-network-redirect
   TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
   ttl-zero-during-transit
   ttl-zero-during-reassembly
parameter-problem
   ip-header-bad
   required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply

nftables

nftables replaces the popular {ip,ip6,arp,eb}tables. This software provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queueing and logging subsystem.

Extra common used rules

References

comments powered by Disqus