SlideShare une entreprise Scribd logo

Iptables presentation

Emin Abdul Azeez
Emin Abdul Azeez

IP tables-the linux firewall. This link shows the pdf document that you can download.This is a useful document for the beginners, lays the attention to know more about the topic.

Technologie
1  sur  22
Télécharger pour lire hors ligne
IPTABLESIPTABLES The Linux FirewallThe Linux Firewall Presented ByPresented By Emin Asif A SEmin Asif A S
IntroductionIntroduction ● Network security is a primary consideration in any decision to host aNetwork security is a primary consideration in any decision to host a website as the threats are becoming more widespread and persistentwebsite as the threats are becoming more widespread and persistent every day.every day. ● We can convert a Linux server into:We can convert a Linux server into: A firewall while simultaneously being our home website's mail,A firewall while simultaneously being our home website's mail, web and DNS server.web and DNS server. A router that will use NAT and port forwarding to both protectA router that will use NAT and port forwarding to both protect your home network and have another web server on your home networkyour home network and have another web server on your home network while sharing the public IP address of ourfirewall.while sharing the public IP address of ourfirewall.
WhatWhat Is Iptables?Is Iptables? Originally, the most popular firewall/NAT package running on Linux wasOriginally, the most popular firewall/NAT package running on Linux was ipchains, but it had a number of shortcomings. To rectify this, the Netfilteripchains, but it had a number of shortcomings. To rectify this, the Netfilter organization decided to create a new product called iptables, giving itorganization decided to create a new product called iptables, giving it such improvements as:such improvements as: ● Better integration with the Linux kernel.Better integration with the Linux kernel. ● Stateful packet inspection.Stateful packet inspection. ● Filtering packets.Filtering packets. ● System logging.System logging. ● Better network address translation.Better network address translation. Considered a faster and more secure alternative to ipchains, iptables hasConsidered a faster and more secure alternative to ipchains, iptables has become the default firewall package installed under RedHat and Fedorabecome the default firewall package installed under RedHat and Fedora Linux.Linux.
Managing the iptables ServerManaging the iptables Server Different Linux distributions use different daemon managementDifferent Linux distributions use different daemon management systems.systems. ● The most commonly used daemon management systems are SysVThe most commonly used daemon management systems are SysV and Systemd.and Systemd. ● The daemon isThe daemon is iptablesiptables.. Armed with this information we can know how to:Armed with this information we can know how to: ● Start the daemons automatically on bootingStart the daemons automatically on booting ● Stop, start and restart them later on during troubleshooting or when aStop, start and restart them later on during troubleshooting or when a configuration file change needs to be applied.configuration file change needs to be applied.
Packet Processing In iptablesPacket Processing In iptables All packets inspected by iptables pass through a sequence of built-in tablesAll packets inspected by iptables pass through a sequence of built-in tables (queues) for processing.There are three tables in total.(queues) for processing.There are three tables in total. ➢ The first is the mangle table which is responsible for the alteration of qualityThe first is the mangle table which is responsible for the alteration of quality of service bits in the TCP header.of service bits in the TCP header. ➢ The second table is the filter queue which is responsible for packet filtering.The second table is the filter queue which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules.It has three built-in chains in which you can place your firewall policy rules. These are the:These are the: Forward chain: Filters packets to servers protected by the firewall.Forward chain: Filters packets to servers protected by the firewall. Input chain: Filters packets destined for the firewall.Input chain: Filters packets destined for the firewall. Output chain: Filters packets originating from the firewall.Output chain: Filters packets originating from the firewall. ➢ The third table is the nat queue which is responsible for network addressThe third table is the nat queue which is responsible for network address translation. It has two built-in chains; these are:translation. It has two built-in chains; these are: Pre-routing chain: NATs packets when the destination address of the packetPre-routing chain: NATs packets when the destination address of the packet needs to be changed.needs to be changed. Post-routing chain: NATs packets when the source address of the packetPost-routing chain: NATs packets when the source address of the packet needs to be changedneeds to be changed
Check if iptables installedCheck if iptables installed ● $ rpm -q iptables$ rpm -q iptables iptables-1.4.7-5.1.el6_2.x86_64iptables-1.4.7-5.1.el6_2.x86_64 ● use the -L switch to inspect the currently loadeduse the -L switch to inspect the currently loaded rules:rules: # iptables -L# iptables -L ● If iptables is not running, you can enable it byIf iptables is not running, you can enable it by running:running: # system-config-securitylevel# system-config-securitylevel
Switch OperationsSwitch Operations -t <-table->-t <-table-> tables include: filter, nat, mangletables include: filter, nat, mangle -j <target>-j <target> Jump to the specified target chain when the packet matchesJump to the specified target chain when the packet matches the current rule.the current rule. -A-A Append rule to end of a chainAppend rule to end of a chain -F-F Flush. Deletes all the rules in the selected tableFlush. Deletes all the rules in the selected table -p <protocol-type>-p <protocol-type> icmp, tcp, udp, and allicmp, tcp, udp, and all -s <ip-address>-s <ip-address> source IP addresssource IP address -d <ip-address>-d <ip-address> destination IP addressdestination IP address -i <interface-name>-i <interface-name> "input" interface on which the packet enters."input" interface on which the packet enters. -o <interface-name>-o <interface-name> "output" interface on which the packet exits"output" interface on which the packet exits
Targets And JumpsTargets And Jumps ● ACCEPTACCEPT iptables stops further processing. The packet isiptables stops further processing. The packet is handed overhanded over toto the end application or the operating system for processing.the end application or the operating system for processing. ● DROPDROP iptablesiptables stopsstops further processing. The packet isfurther processing. The packet is blockedblocked.. ● LOGLOG The packet information is sent to the syslog daemon for loggingThe packet information is sent to the syslog daemon for logging iptables continues processing with the next rule in the table.iptables continues processing with the next rule in the table. ● REJECTREJECT Works like theWorks like the DROPDROP target, but will alsotarget, but will also return an errorreturn an error messagemessage to the host sending the packet that the packet was blocked.to the host sending the packet that the packet was blocked. ● DNATDNAT Used to doUsed to do destination network address translationdestination network address translation. ie. rewriting. ie. rewriting the destination IP address of the packet.the destination IP address of the packet. ● SNATSNAT Used to doUsed to do source network address translationsource network address translation rewriting the sourcerewriting the source IP address of the packet. The source IP address is user definedIP address of the packet. The source IP address is user defined ● MASQUERADEMASQUERADE Used to doUsed to do Source Network Address TranslationSource Network Address Translation. By default. By default the source IP address is the same as that used by the firewall's interfacethe source IP address is the same as that used by the firewall's interface
InterfacesInterfaces #iptables -A INPUT -i#iptables -A INPUT -i lolo -j ACCEPT-j ACCEPT /*allows localhost/*allows localhost interfaceinterface 127.0.0.1*/127.0.0.1*/ #iptables -A INPUT -i#iptables -A INPUT -i eth0eth0 -j ACCEPT-j ACCEPT /*allows eth0 which is our internal LAN connection, (eth0 and eth1 are ethernet/*allows eth0 which is our internal LAN connection, (eth0 and eth1 are ethernet interfaces, they can be either internet or private network interfaces)*/interfaces, they can be either internet or private network interfaces)*/ #iptables -A INPUT -i#iptables -A INPUT -i ppp0ppp0 -j ACCEPT-j ACCEPT /*allows ppp0 dialup modem which is our external internet connection*//*allows ppp0 dialup modem which is our external internet connection*/
Common Extended Match CriteriaCommon Extended Match Criteria -m multiport --sports <port, port>-m multiport --sports <port, port> A variety of TCP/UDP source ports separated by commas. Unlike whenA variety of TCP/UDP source ports separated by commas. Unlike when -m-m isn't used, they do notisn't used, they do not have to be within a range.have to be within a range. -m multiport --dports <port, port>-m multiport --dports <port, port> A variety of TCP/UDP destination ports separated by commas. Unlike whenA variety of TCP/UDP destination ports separated by commas. Unlike when -m-m isn't used, they doisn't used, they do not have to be within a range.not have to be within a range. -m multiport --ports <port, port>-m multiport --ports <port, port> A variety of TCP/UDP ports separated by commas. Source and destination ports are assumed to beA variety of TCP/UDP ports separated by commas. Source and destination ports are assumed to be the same and they do not have to be within a range.the same and they do not have to be within a range. -m --state <state>-m --state <state> The most frequently tested states are:The most frequently tested states are: ESTABLISHED:ESTABLISHED: The packet is part of a connection that has seen packets in bothThe packet is part of a connection that has seen packets in both directionsdirections NEW:NEW: The packet is the start of a new connectionThe packet is the start of a new connection RELATED:RELATED: The packet is starting a new secondary connection. This is a commonThe packet is starting a new secondary connection. This is a common feature of such protocols such as an FTP data transfer, or an ICMP error.feature of such protocols such as an FTP data transfer, or an ICMP error.
Accept packets from trusted IPAccept packets from trusted IP addressesaddresses ● To allow the packets from a single IPTo allow the packets from a single IP iptables -A INPUT -iptables -A INPUT -ss 192.168.0.4 -192.168.0.4 -jj ACCEPTACCEPT [-s source -j jump to the target action (here ACCEPT) ][-s source -j jump to the target action (here ACCEPT) ] ● To allow incoming packets from a range of IP addressesTo allow incoming packets from a range of IP addresses iptables -A INPUT -s 192.168.0.0/24 -j ACCEPTiptables -A INPUT -s 192.168.0.0/24 -j ACCEPT oror iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPTiptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
Ports and ProtocolsPorts and Protocols [ -p[ -p protocol (tcp,udp,icmp,all) ]protocol (tcp,udp,icmp,all) ] [ -[ --dport-dport destination portdestination port ]] [--sport source port ][--sport source port ] ● Accept tcp packets on destination port 6881 (bittorrent)Accept tcp packets on destination port 6881 (bittorrent) #iptables -A INPUT -#iptables -A INPUT -pp tcp --tcp --dportdport 6881 -j ACCEPT6881 -j ACCEPT ● To include a port rangeTo include a port range Accept tcp packets on destination ports 6881-6890Accept tcp packets on destination ports 6881-6890 #iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT#iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT
Writing a Simple Rule SetWriting a Simple Rule Set # iptables -# iptables -PP INPUT ACCEPTINPUT ACCEPT //If connecting remotely we must first temporarily set the default//If connecting remotely we must first temporarily set the default policypolicy on theon the INPUT chain to ACCEPT,otherwise we will be locked out of our server once weINPUT chain to ACCEPT,otherwise we will be locked out of our server once we flush the current rules.flush the current rules. # iptables -# iptables -FF //to//to flushflush all existing rules so we start with a clean state from which to add newall existing rules so we start with a clean state from which to add new rules.rules. # iptables -A INPUT -i# iptables -A INPUT -i lolo -j ACCEPT //to communicate with the localhost-j ACCEPT //to communicate with the localhost adaptor.adaptor. # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT //to allow only the incoming packets that are part of an already established connection or//to allow only the incoming packets that are part of an already established connection or related to and already established connection.related to and already established connection.
Writing a Simple Rule Set (Contd.)Writing a Simple Rule Set (Contd.) # iptables -A INPUT -p tcp --dport 22 -j ACCEPT# iptables -A INPUT -p tcp --dport 22 -j ACCEPT // to prevent accidental lockouts// to prevent accidental lockouts when working on remote systems over an SSH connection.when working on remote systems over an SSH connection. # iptables -P INPUT DROP# iptables -P INPUT DROP //if an incoming packet does not match one of the//if an incoming packet does not match one of the following rules it will be dropped.following rules it will be dropped. # iptables -P FORWARD DROP# iptables -P FORWARD DROP //set the default policy on the FORWARD chain to//set the default policy on the FORWARD chain to DROP as we're not using our computer as a router so there should not be any packetsDROP as we're not using our computer as a router so there should not be any packets passing through our computer.passing through our computer. # iptables -P OUTPUT ACCEPT# iptables -P OUTPUT ACCEPT //set the default policy on the OUTPUT chain to//set the default policy on the OUTPUT chain to ACCEPT as we want to allow all outgoing traffic (as we trust our users).ACCEPT as we want to allow all outgoing traffic (as we trust our users). # iptables -L -v# iptables -L -v //we can list (-L) the rules we've just added to check they've been//we can list (-L) the rules we've just added to check they've been loaded correctly.loaded correctly. # /sbin/service iptables save# /sbin/service iptables save //to save our rules so that next time we reboot our//to save our rules so that next time we reboot our computer our rules are automatically reloadedcomputer our rules are automatically reloaded
Masquerading (Many to One NAT)Masquerading (Many to One NAT) Traffic from all devices on one or more protected networks will appear as if itTraffic from all devices on one or more protected networks will appear as if it originated from a single IP address on the Internet side of the firewall.originated from a single IP address on the Internet side of the firewall. echo 1 > /proc/sys/net/ipv4/ip_forward //to enable routing between internetecho 1 > /proc/sys/net/ipv4/ip_forward //to enable routing between internet & private network interfaces of the firewall.& private network interfaces of the firewall. Masquerading has been achieved using the POSTROUTING chain of the natMasquerading has been achieved using the POSTROUTING chain of the nat table,table, #iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 -j#iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 -j MASQUERADEMASQUERADE Use the FORWARD chain of the filter table. NEW and ESTABLISHEDUse the FORWARD chain of the filter table. NEW and ESTABLISHED connections will be allowed outbound to the Internet,connections will be allowed outbound to the Internet, #iptables -A FORWARD -t filter -o eth0 -m state --state#iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPTNEW,ESTABLISHED,RELATED -j ACCEPT But only packets related to ESTABLISHED connections will be allowed inbound.But only packets related to ESTABLISHED connections will be allowed inbound. #iptables -A FORWARD -t filter -i eth0 -m state --state#iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPTESTABLISHED,RELATED -j ACCEPT This helps to protect the home network from anyone trying to initiateThis helps to protect the home network from anyone trying to initiate connections from the Internetconnections from the Internet
Recovering From A Lost ScriptRecovering From A Lost Script Sometimes the script you created to generate iptables rules may getSometimes the script you created to generate iptables rules may get corrupted or lost, To recover:corrupted or lost, To recover: Export the iptables-save output to a text file named firewall-configExport the iptables-save output to a text file named firewall-config [root@bigboy tmp]# iptables-save > firewall-config[root@bigboy tmp]# iptables-save > firewall-config [root@bigboy tmp]# cat firewall-config[root@bigboy tmp]# cat firewall-config We can reload it into the active firewall rule set with the iptables-restoreWe can reload it into the active firewall rule set with the iptables-restore command.command. [root@bigboy tmp]# iptables-restore < firewall-config[root@bigboy tmp]# iptables-restore < firewall-config [root@bigboy tmp]# service iptables save[root@bigboy tmp]# service iptables save
TroubleshootingTroubleshooting iptablesiptables ● Checking The Firewall LogsChecking The Firewall Logs LoLog and drop packets to the /var/log/messages file.g and drop packets to the /var/log/messages file. iptables -A OUTPUT -j LOGiptables -A OUTPUT -j LOG iptables -A INPUT -j LOGiptables -A INPUT -j LOG iptables -A FORWARD -j LOGiptables -A FORWARD -j LOG iptables -A OUTPUT -j DROPiptables -A OUTPUT -j DROP iptables -A INPUT -j DROPiptables -A INPUT -j DROP iptables -A FORWARD -j DROPiptables -A FORWARD -j DROP
Allowing DNS Access To Your FirewallAllowing DNS Access To Your Firewall #iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 #iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT-j ACCEPT #iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 #iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT-j ACCEPT
Allowing WWW And SSH Access ToAllowing WWW And SSH Access To Your FirewallYour Firewall ● Interface eth0 is the internet interfaceInterface eth0 is the internet interface #iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT#iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT ● Allow port 80 (www) and 22 (SSH) connections to the firewallAllow port 80 (www) and 22 (SSH) connections to the firewall #iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535#iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT-m state --state NEW -j ACCEPT #iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535#iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT-m state --state NEW -j ACCEPT
Allowing Your Firewall To Access TheAllowing Your Firewall To Access The InternetInternet ● Allow port 80 (www) and 443 (https) connections from the firewallAllow port 80 (www) and 443 (https) connections from the firewall #iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED#iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp -m multiport --dports 80,443 --sport 1024:65535-o eth0 -p tcp -m multiport --dports 80,443 --sport 1024:65535 ● Allow previously established connectionsAllow previously established connections Interface eth0 is the internet interfaceInterface eth0 is the internet interface #iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0#iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp-p tcp
Allow Your Home Network To AccessAllow Your Home Network To Access The FirewallThe Firewall Allow all bidirectional traffic from your firewall to the protected networkAllow all bidirectional traffic from your firewall to the protected network Interface eth1 is the private network interfaceInterface eth1 is the private network interface #iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth1#iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth1 #iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth1#iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth1
THANK YOUTHANK YOU

Recommandé

Iptables the Linux Firewall
Iptables the Linux Firewall Iptables the Linux Firewall
Iptables the Linux Firewall Syed fawad Gillani
 
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)NetProtocol Xpert
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPSSantosh Khadsare
 
Iptables in linux
Iptables in linuxIptables in linux
Iptables in linuxMandeep Singh
 
Nat pat
Nat patNat pat
Nat patCYBERINTELLIGENTS
 
Basics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesBasics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesPrzemysław Piotrowski
 
BGP (border gateway routing protocol)
BGP (border gateway routing protocol)BGP (border gateway routing protocol)
BGP (border gateway routing protocol)Netwax Lab
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)Papun Papun
 

Recommandé

Iptables the Linux Firewall
Iptables the Linux Firewall Iptables the Linux Firewall
Iptables the Linux Firewall Syed fawad Gillani
 
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)NetProtocol Xpert
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPSSantosh Khadsare
 
Iptables in linux
Iptables in linuxIptables in linux
Iptables in linuxMandeep Singh
 
Nat pat
Nat patNat pat
Nat patCYBERINTELLIGENTS
 
Basics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesBasics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesPrzemysław Piotrowski
 
BGP (border gateway routing protocol)
BGP (border gateway routing protocol)BGP (border gateway routing protocol)
BGP (border gateway routing protocol)Netwax Lab
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)Papun Papun
 
Network address translation
Network address translationNetwork address translation
Network address translationVarsha Honde
 
Bgp protocol
Bgp protocolBgp protocol
Bgp protocolSmriti Tikoo
 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.pptEdgardo Scrimaglia
 
TCP/IP 3-way Handshake
TCP/IP 3-way Handshake TCP/IP 3-way Handshake
TCP/IP 3-way Handshake Alok Tripathi
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPTAIRTEL
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention SystemVishwanath Badiger
 
Eigrp.ppt
Eigrp.pptEigrp.ppt
Eigrp.pptEdgardo Scrimaglia
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 
Vlan
Vlan Vlan
Vlan sanss40
 
Packet analysis using wireshark
Packet analysis using wiresharkPacket analysis using wireshark
Packet analysis using wiresharkBasaveswar Kureti
 
Open shortest path first (ospf)
Open shortest path first (ospf)Open shortest path first (ospf)
Open shortest path first (ospf)Respa Peter
 
Iptables Configuration
Iptables ConfigurationIptables Configuration
Iptables Configurationstom123
 
CCNA ppt Day 1
CCNA ppt Day 1CCNA ppt Day 1
CCNA ppt Day 1VISHNU N
 
CCNAv5 - S2: Chapter5 Inter Vlan Routing
CCNAv5 - S2: Chapter5 Inter Vlan RoutingCCNAv5 - S2: Chapter5 Inter Vlan Routing
CCNAv5 - S2: Chapter5 Inter Vlan RoutingVuz Dở Hơi
 
Zone Based Policy Firewall
Zone Based Policy FirewallZone Based Policy Firewall
Zone Based Policy Firewallpitt2k
 
DMVPN
DMVPNDMVPN
DMVPNNetProtocol Xpert
 
Iptables
IptablesIptables
Iptablesleminhvuong
 
GRE Tunnel Configuration
GRE Tunnel ConfigurationGRE Tunnel Configuration
GRE Tunnel ConfigurationNetProtocol Xpert
 
Switch security
Switch securitySwitch security
Switch securitynullowaspmumbai
 
ccna networking ppt
ccna networking pptccna networking ppt
ccna networking pptEr. Anmol Bhagat
 
Linux booting procedure
Linux booting procedureLinux booting procedure
Linux booting procedureDhaval Kaneria
 
Linux booting process!!
Linux booting process!!Linux booting process!!
Linux booting process!!sourav verma
 

Contenu connexe

Tendances

Network address translation
Network address translationNetwork address translation
Network address translationVarsha Honde
 
TCP/IP 3-way Handshake
TCP/IP 3-way Handshake TCP/IP 3-way Handshake
TCP/IP 3-way Handshake Alok Tripathi
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPTAIRTEL
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 
Packet analysis using wireshark
Packet analysis using wiresharkPacket analysis using wireshark
Packet analysis using wiresharkBasaveswar Kureti
 
Open shortest path first (ospf)
Open shortest path first (ospf)Open shortest path first (ospf)
Open shortest path first (ospf)Respa Peter
 
Iptables Configuration
Iptables ConfigurationIptables Configuration
Iptables Configurationstom123
 
CCNA ppt Day 1
CCNA ppt Day 1CCNA ppt Day 1
CCNA ppt Day 1VISHNU N
 
CCNAv5 - S2: Chapter5 Inter Vlan Routing
CCNAv5 - S2: Chapter5 Inter Vlan RoutingCCNAv5 - S2: Chapter5 Inter Vlan Routing
CCNAv5 - S2: Chapter5 Inter Vlan RoutingVuz Dở Hơi
 
Zone Based Policy Firewall
Zone Based Policy FirewallZone Based Policy Firewall
Zone Based Policy Firewallpitt2k
 

Tendances (20)

Network address translation
Network address translationNetwork address translation
Network address translation
 
Bgp protocol
Bgp protocolBgp protocol
Bgp protocol
 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.ppt
 
TCP/IP 3-way Handshake
TCP/IP 3-way Handshake TCP/IP 3-way Handshake
TCP/IP 3-way Handshake
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPT
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention System
 
Eigrp.ppt
Eigrp.pptEigrp.ppt
Eigrp.ppt
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewall
 
Vlan
Vlan Vlan
Vlan
 
Packet analysis using wireshark
Packet analysis using wiresharkPacket analysis using wireshark
Packet analysis using wireshark
 
Open shortest path first (ospf)
Open shortest path first (ospf)Open shortest path first (ospf)
Open shortest path first (ospf)
 
Iptables Configuration
Iptables ConfigurationIptables Configuration
Iptables Configuration
 
CCNA ppt Day 1
CCNA ppt Day 1CCNA ppt Day 1
CCNA ppt Day 1
 
CCNAv5 - S2: Chapter5 Inter Vlan Routing
CCNAv5 - S2: Chapter5 Inter Vlan RoutingCCNAv5 - S2: Chapter5 Inter Vlan Routing
CCNAv5 - S2: Chapter5 Inter Vlan Routing
 
Zone Based Policy Firewall
Zone Based Policy FirewallZone Based Policy Firewall
Zone Based Policy Firewall
 
DMVPN
DMVPNDMVPN
DMVPN
 
Iptables
IptablesIptables
Iptables
 
GRE Tunnel Configuration
GRE Tunnel ConfigurationGRE Tunnel Configuration
GRE Tunnel Configuration
 
Switch security
Switch securitySwitch security
Switch security
 
ccna networking ppt
ccna networking pptccna networking ppt
ccna networking ppt
 

En vedette

Linux booting procedure
Linux booting procedureLinux booting procedure
Linux booting procedureDhaval Kaneria
 
Linux booting process!!
Linux booting process!!Linux booting process!!
Linux booting process!!sourav verma
 
System and network administration network services
System and network administration network servicesSystem and network administration network services
System and network administration network servicesUc Man
 
6 stages of linux boot process
6 stages of linux boot process6 stages of linux boot process
6 stages of linux boot processTeja Bheemanapally
 
Packet Filtering Using Iptables
Packet Filtering Using IptablesPacket Filtering Using Iptables
Packet Filtering Using IptablesAhmed Mekkawy
 
Linux process management
Linux process managementLinux process management
Linux process managementRaghu nath
 
Process management in linux
Process management in linuxProcess management in linux
Process management in linuxMazenetsolution
 

En vedette (8)

Linux booting procedure
Linux booting procedureLinux booting procedure
Linux booting procedure
 
Linux booting process!!
Linux booting process!!Linux booting process!!
Linux booting process!!
 
System and network administration network services
System and network administration network servicesSystem and network administration network services
System and network administration network services
 
6 stages of linux boot process
6 stages of linux boot process6 stages of linux boot process
6 stages of linux boot process
 
Packet Filtering Using Iptables
Packet Filtering Using IptablesPacket Filtering Using Iptables
Packet Filtering Using Iptables
 
Linux process management
Linux process managementLinux process management
Linux process management
 
Process management in linux
Process management in linuxProcess management in linux
Process management in linux
 
Processes
ProcessesProcesses
Processes
 

Similaire à Iptables presentation

nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux FirewallMarian Marinov
 
introduction of iptables in linux
introduction of iptables in linuxintroduction of iptables in linux
introduction of iptables in linuxNouman Baloch
 
Chapter 6 firewall
Chapter 6 firewallChapter 6 firewall
Chapter 6 firewallnewbie2019
 
Firewalls rules using iptables in linux
Firewalls rules using iptables in linuxFirewalls rules using iptables in linux
Firewalls rules using iptables in linuxaamir lucky
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network securityThanawan Tuamyim
 
How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1n|u - The Open Security Community
 
Linux internet server security and configuration tutorial
Linux internet server security and configuration tutorialLinux internet server security and configuration tutorial
Linux internet server security and configuration tutorialannik147
 
Iptablesrocks
IptablesrocksIptablesrocks
Iptablesrocksqwer_asdf
 
iptable casestudy by sans.pdf
iptable casestudy by sans.pdfiptable casestudy by sans.pdf
iptable casestudy by sans.pdfAdmin621695
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThomas Graf
 
Router Commands Overview
Router Commands OverviewRouter Commands Overview
Router Commands OverviewMuhammed Niyas
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKMarian Marinov
 
Arp Dan Ipconfig Syntax
Arp Dan Ipconfig SyntaxArp Dan Ipconfig Syntax
Arp Dan Ipconfig Syntaxguestcc37e8c
 
Iptables fundamentals
Iptables fundamentalsIptables fundamentals
Iptables fundamentalsram_b17
 

Similaire à Iptables presentation (20)

IPTABLES
IPTABLESIPTABLES
IPTABLES
 
Firewall
FirewallFirewall
Firewall
 
03 linuxfirewall1
03 linuxfirewall103 linuxfirewall1
03 linuxfirewall1
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewall
 
introduction of iptables in linux
introduction of iptables in linuxintroduction of iptables in linux
introduction of iptables in linux
 
I ptable
I ptableI ptable
I ptable
 
Chapter 6 firewall
Chapter 6 firewallChapter 6 firewall
Chapter 6 firewall
 
Firewalls rules using iptables in linux
Firewalls rules using iptables in linuxFirewalls rules using iptables in linux
Firewalls rules using iptables in linux
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network security
 
How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1
 
Ip6 tables in linux
Ip6 tables in linuxIp6 tables in linux
Ip6 tables in linux
 
Linux internet server security and configuration tutorial
Linux internet server security and configuration tutorialLinux internet server security and configuration tutorial
Linux internet server security and configuration tutorial
 
Iptablesrocks
IptablesrocksIptablesrocks
Iptablesrocks
 
iptable casestudy by sans.pdf
iptable casestudy by sans.pdfiptable casestudy by sans.pdf
iptable casestudy by sans.pdf
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
 
Using linux as_a_router
Using linux as_a_routerUsing linux as_a_router
Using linux as_a_router
 
Router Commands Overview
Router Commands OverviewRouter Commands Overview
Router Commands Overview
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDK
 
Arp Dan Ipconfig Syntax
Arp Dan Ipconfig SyntaxArp Dan Ipconfig Syntax
Arp Dan Ipconfig Syntax
 
Iptables fundamentals
Iptables fundamentalsIptables fundamentals
Iptables fundamentals
 

Dernier

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Dernier (20)

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 

Iptables presentation

  • 1. IPTABLESIPTABLES The Linux FirewallThe Linux Firewall Presented ByPresented By Emin Asif A SEmin Asif A S
  • 2. IntroductionIntroduction ● Network security is a primary consideration in any decision to host aNetwork security is a primary consideration in any decision to host a website as the threats are becoming more widespread and persistentwebsite as the threats are becoming more widespread and persistent every day.every day. ● We can convert a Linux server into:We can convert a Linux server into: A firewall while simultaneously being our home website's mail,A firewall while simultaneously being our home website's mail, web and DNS server.web and DNS server. A router that will use NAT and port forwarding to both protectA router that will use NAT and port forwarding to both protect your home network and have another web server on your home networkyour home network and have another web server on your home network while sharing the public IP address of ourfirewall.while sharing the public IP address of ourfirewall.
  • 3. WhatWhat Is Iptables?Is Iptables? Originally, the most popular firewall/NAT package running on Linux wasOriginally, the most popular firewall/NAT package running on Linux was ipchains, but it had a number of shortcomings. To rectify this, the Netfilteripchains, but it had a number of shortcomings. To rectify this, the Netfilter organization decided to create a new product called iptables, giving itorganization decided to create a new product called iptables, giving it such improvements as:such improvements as: ● Better integration with the Linux kernel.Better integration with the Linux kernel. ● Stateful packet inspection.Stateful packet inspection. ● Filtering packets.Filtering packets. ● System logging.System logging. ● Better network address translation.Better network address translation. Considered a faster and more secure alternative to ipchains, iptables hasConsidered a faster and more secure alternative to ipchains, iptables has become the default firewall package installed under RedHat and Fedorabecome the default firewall package installed under RedHat and Fedora Linux.Linux.
  • 4. Managing the iptables ServerManaging the iptables Server Different Linux distributions use different daemon managementDifferent Linux distributions use different daemon management systems.systems. ● The most commonly used daemon management systems are SysVThe most commonly used daemon management systems are SysV and Systemd.and Systemd. ● The daemon isThe daemon is iptablesiptables.. Armed with this information we can know how to:Armed with this information we can know how to: ● Start the daemons automatically on bootingStart the daemons automatically on booting ● Stop, start and restart them later on during troubleshooting or when aStop, start and restart them later on during troubleshooting or when a configuration file change needs to be applied.configuration file change needs to be applied.
  • 5. Packet Processing In iptablesPacket Processing In iptables All packets inspected by iptables pass through a sequence of built-in tablesAll packets inspected by iptables pass through a sequence of built-in tables (queues) for processing.There are three tables in total.(queues) for processing.There are three tables in total. ➢ The first is the mangle table which is responsible for the alteration of qualityThe first is the mangle table which is responsible for the alteration of quality of service bits in the TCP header.of service bits in the TCP header. ➢ The second table is the filter queue which is responsible for packet filtering.The second table is the filter queue which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules.It has three built-in chains in which you can place your firewall policy rules. These are the:These are the: Forward chain: Filters packets to servers protected by the firewall.Forward chain: Filters packets to servers protected by the firewall. Input chain: Filters packets destined for the firewall.Input chain: Filters packets destined for the firewall. Output chain: Filters packets originating from the firewall.Output chain: Filters packets originating from the firewall. ➢ The third table is the nat queue which is responsible for network addressThe third table is the nat queue which is responsible for network address translation. It has two built-in chains; these are:translation. It has two built-in chains; these are: Pre-routing chain: NATs packets when the destination address of the packetPre-routing chain: NATs packets when the destination address of the packet needs to be changed.needs to be changed. Post-routing chain: NATs packets when the source address of the packetPost-routing chain: NATs packets when the source address of the packet needs to be changedneeds to be changed
  • 6. Check if iptables installedCheck if iptables installed ● $ rpm -q iptables$ rpm -q iptables iptables-1.4.7-5.1.el6_2.x86_64iptables-1.4.7-5.1.el6_2.x86_64 ● use the -L switch to inspect the currently loadeduse the -L switch to inspect the currently loaded rules:rules: # iptables -L# iptables -L ● If iptables is not running, you can enable it byIf iptables is not running, you can enable it by running:running: # system-config-securitylevel# system-config-securitylevel
  • 7. Switch OperationsSwitch Operations -t <-table->-t <-table-> tables include: filter, nat, mangletables include: filter, nat, mangle -j <target>-j <target> Jump to the specified target chain when the packet matchesJump to the specified target chain when the packet matches the current rule.the current rule. -A-A Append rule to end of a chainAppend rule to end of a chain -F-F Flush. Deletes all the rules in the selected tableFlush. Deletes all the rules in the selected table -p <protocol-type>-p <protocol-type> icmp, tcp, udp, and allicmp, tcp, udp, and all -s <ip-address>-s <ip-address> source IP addresssource IP address -d <ip-address>-d <ip-address> destination IP addressdestination IP address -i <interface-name>-i <interface-name> "input" interface on which the packet enters."input" interface on which the packet enters. -o <interface-name>-o <interface-name> "output" interface on which the packet exits"output" interface on which the packet exits
  • 8. Targets And JumpsTargets And Jumps ● ACCEPTACCEPT iptables stops further processing. The packet isiptables stops further processing. The packet is handed overhanded over toto the end application or the operating system for processing.the end application or the operating system for processing. ● DROPDROP iptablesiptables stopsstops further processing. The packet isfurther processing. The packet is blockedblocked.. ● LOGLOG The packet information is sent to the syslog daemon for loggingThe packet information is sent to the syslog daemon for logging iptables continues processing with the next rule in the table.iptables continues processing with the next rule in the table. ● REJECTREJECT Works like theWorks like the DROPDROP target, but will alsotarget, but will also return an errorreturn an error messagemessage to the host sending the packet that the packet was blocked.to the host sending the packet that the packet was blocked. ● DNATDNAT Used to doUsed to do destination network address translationdestination network address translation. ie. rewriting. ie. rewriting the destination IP address of the packet.the destination IP address of the packet. ● SNATSNAT Used to doUsed to do source network address translationsource network address translation rewriting the sourcerewriting the source IP address of the packet. The source IP address is user definedIP address of the packet. The source IP address is user defined ● MASQUERADEMASQUERADE Used to doUsed to do Source Network Address TranslationSource Network Address Translation. By default. By default the source IP address is the same as that used by the firewall's interfacethe source IP address is the same as that used by the firewall's interface
  • 9. InterfacesInterfaces #iptables -A INPUT -i#iptables -A INPUT -i lolo -j ACCEPT-j ACCEPT /*allows localhost/*allows localhost interfaceinterface 127.0.0.1*/127.0.0.1*/ #iptables -A INPUT -i#iptables -A INPUT -i eth0eth0 -j ACCEPT-j ACCEPT /*allows eth0 which is our internal LAN connection, (eth0 and eth1 are ethernet/*allows eth0 which is our internal LAN connection, (eth0 and eth1 are ethernet interfaces, they can be either internet or private network interfaces)*/interfaces, they can be either internet or private network interfaces)*/ #iptables -A INPUT -i#iptables -A INPUT -i ppp0ppp0 -j ACCEPT-j ACCEPT /*allows ppp0 dialup modem which is our external internet connection*//*allows ppp0 dialup modem which is our external internet connection*/
  • 10. Common Extended Match CriteriaCommon Extended Match Criteria -m multiport --sports <port, port>-m multiport --sports <port, port> A variety of TCP/UDP source ports separated by commas. Unlike whenA variety of TCP/UDP source ports separated by commas. Unlike when -m-m isn't used, they do notisn't used, they do not have to be within a range.have to be within a range. -m multiport --dports <port, port>-m multiport --dports <port, port> A variety of TCP/UDP destination ports separated by commas. Unlike whenA variety of TCP/UDP destination ports separated by commas. Unlike when -m-m isn't used, they doisn't used, they do not have to be within a range.not have to be within a range. -m multiport --ports <port, port>-m multiport --ports <port, port> A variety of TCP/UDP ports separated by commas. Source and destination ports are assumed to beA variety of TCP/UDP ports separated by commas. Source and destination ports are assumed to be the same and they do not have to be within a range.the same and they do not have to be within a range. -m --state <state>-m --state <state> The most frequently tested states are:The most frequently tested states are: ESTABLISHED:ESTABLISHED: The packet is part of a connection that has seen packets in bothThe packet is part of a connection that has seen packets in both directionsdirections NEW:NEW: The packet is the start of a new connectionThe packet is the start of a new connection RELATED:RELATED: The packet is starting a new secondary connection. This is a commonThe packet is starting a new secondary connection. This is a common feature of such protocols such as an FTP data transfer, or an ICMP error.feature of such protocols such as an FTP data transfer, or an ICMP error.
  • 11. Accept packets from trusted IPAccept packets from trusted IP addressesaddresses ● To allow the packets from a single IPTo allow the packets from a single IP iptables -A INPUT -iptables -A INPUT -ss 192.168.0.4 -192.168.0.4 -jj ACCEPTACCEPT [-s source -j jump to the target action (here ACCEPT) ][-s source -j jump to the target action (here ACCEPT) ] ● To allow incoming packets from a range of IP addressesTo allow incoming packets from a range of IP addresses iptables -A INPUT -s 192.168.0.0/24 -j ACCEPTiptables -A INPUT -s 192.168.0.0/24 -j ACCEPT oror iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPTiptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
  • 12. Ports and ProtocolsPorts and Protocols [ -p[ -p protocol (tcp,udp,icmp,all) ]protocol (tcp,udp,icmp,all) ] [ -[ --dport-dport destination portdestination port ]] [--sport source port ][--sport source port ] ● Accept tcp packets on destination port 6881 (bittorrent)Accept tcp packets on destination port 6881 (bittorrent) #iptables -A INPUT -#iptables -A INPUT -pp tcp --tcp --dportdport 6881 -j ACCEPT6881 -j ACCEPT ● To include a port rangeTo include a port range Accept tcp packets on destination ports 6881-6890Accept tcp packets on destination ports 6881-6890 #iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT#iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT
  • 13. Writing a Simple Rule SetWriting a Simple Rule Set # iptables -# iptables -PP INPUT ACCEPTINPUT ACCEPT //If connecting remotely we must first temporarily set the default//If connecting remotely we must first temporarily set the default policypolicy on theon the INPUT chain to ACCEPT,otherwise we will be locked out of our server once weINPUT chain to ACCEPT,otherwise we will be locked out of our server once we flush the current rules.flush the current rules. # iptables -# iptables -FF //to//to flushflush all existing rules so we start with a clean state from which to add newall existing rules so we start with a clean state from which to add new rules.rules. # iptables -A INPUT -i# iptables -A INPUT -i lolo -j ACCEPT //to communicate with the localhost-j ACCEPT //to communicate with the localhost adaptor.adaptor. # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT //to allow only the incoming packets that are part of an already established connection or//to allow only the incoming packets that are part of an already established connection or related to and already established connection.related to and already established connection.
  • 14. Writing a Simple Rule Set (Contd.)Writing a Simple Rule Set (Contd.) # iptables -A INPUT -p tcp --dport 22 -j ACCEPT# iptables -A INPUT -p tcp --dport 22 -j ACCEPT // to prevent accidental lockouts// to prevent accidental lockouts when working on remote systems over an SSH connection.when working on remote systems over an SSH connection. # iptables -P INPUT DROP# iptables -P INPUT DROP //if an incoming packet does not match one of the//if an incoming packet does not match one of the following rules it will be dropped.following rules it will be dropped. # iptables -P FORWARD DROP# iptables -P FORWARD DROP //set the default policy on the FORWARD chain to//set the default policy on the FORWARD chain to DROP as we're not using our computer as a router so there should not be any packetsDROP as we're not using our computer as a router so there should not be any packets passing through our computer.passing through our computer. # iptables -P OUTPUT ACCEPT# iptables -P OUTPUT ACCEPT //set the default policy on the OUTPUT chain to//set the default policy on the OUTPUT chain to ACCEPT as we want to allow all outgoing traffic (as we trust our users).ACCEPT as we want to allow all outgoing traffic (as we trust our users). # iptables -L -v# iptables -L -v //we can list (-L) the rules we've just added to check they've been//we can list (-L) the rules we've just added to check they've been loaded correctly.loaded correctly. # /sbin/service iptables save# /sbin/service iptables save //to save our rules so that next time we reboot our//to save our rules so that next time we reboot our computer our rules are automatically reloadedcomputer our rules are automatically reloaded
  • 15. Masquerading (Many to One NAT)Masquerading (Many to One NAT) Traffic from all devices on one or more protected networks will appear as if itTraffic from all devices on one or more protected networks will appear as if it originated from a single IP address on the Internet side of the firewall.originated from a single IP address on the Internet side of the firewall. echo 1 > /proc/sys/net/ipv4/ip_forward //to enable routing between internetecho 1 > /proc/sys/net/ipv4/ip_forward //to enable routing between internet & private network interfaces of the firewall.& private network interfaces of the firewall. Masquerading has been achieved using the POSTROUTING chain of the natMasquerading has been achieved using the POSTROUTING chain of the nat table,table, #iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 -j#iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 -j MASQUERADEMASQUERADE Use the FORWARD chain of the filter table. NEW and ESTABLISHEDUse the FORWARD chain of the filter table. NEW and ESTABLISHED connections will be allowed outbound to the Internet,connections will be allowed outbound to the Internet, #iptables -A FORWARD -t filter -o eth0 -m state --state#iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPTNEW,ESTABLISHED,RELATED -j ACCEPT But only packets related to ESTABLISHED connections will be allowed inbound.But only packets related to ESTABLISHED connections will be allowed inbound. #iptables -A FORWARD -t filter -i eth0 -m state --state#iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPTESTABLISHED,RELATED -j ACCEPT This helps to protect the home network from anyone trying to initiateThis helps to protect the home network from anyone trying to initiate connections from the Internetconnections from the Internet
  • 16. Recovering From A Lost ScriptRecovering From A Lost Script Sometimes the script you created to generate iptables rules may getSometimes the script you created to generate iptables rules may get corrupted or lost, To recover:corrupted or lost, To recover: Export the iptables-save output to a text file named firewall-configExport the iptables-save output to a text file named firewall-config [root@bigboy tmp]# iptables-save > firewall-config[root@bigboy tmp]# iptables-save > firewall-config [root@bigboy tmp]# cat firewall-config[root@bigboy tmp]# cat firewall-config We can reload it into the active firewall rule set with the iptables-restoreWe can reload it into the active firewall rule set with the iptables-restore command.command. [root@bigboy tmp]# iptables-restore < firewall-config[root@bigboy tmp]# iptables-restore < firewall-config [root@bigboy tmp]# service iptables save[root@bigboy tmp]# service iptables save
  • 17. TroubleshootingTroubleshooting iptablesiptables ● Checking The Firewall LogsChecking The Firewall Logs LoLog and drop packets to the /var/log/messages file.g and drop packets to the /var/log/messages file. iptables -A OUTPUT -j LOGiptables -A OUTPUT -j LOG iptables -A INPUT -j LOGiptables -A INPUT -j LOG iptables -A FORWARD -j LOGiptables -A FORWARD -j LOG iptables -A OUTPUT -j DROPiptables -A OUTPUT -j DROP iptables -A INPUT -j DROPiptables -A INPUT -j DROP iptables -A FORWARD -j DROPiptables -A FORWARD -j DROP
  • 18. Allowing DNS Access To Your FirewallAllowing DNS Access To Your Firewall #iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 #iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT-j ACCEPT #iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 #iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT-j ACCEPT
  • 19. Allowing WWW And SSH Access ToAllowing WWW And SSH Access To Your FirewallYour Firewall ● Interface eth0 is the internet interfaceInterface eth0 is the internet interface #iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT#iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT ● Allow port 80 (www) and 22 (SSH) connections to the firewallAllow port 80 (www) and 22 (SSH) connections to the firewall #iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535#iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT-m state --state NEW -j ACCEPT #iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535#iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT-m state --state NEW -j ACCEPT
  • 20. Allowing Your Firewall To Access TheAllowing Your Firewall To Access The InternetInternet ● Allow port 80 (www) and 443 (https) connections from the firewallAllow port 80 (www) and 443 (https) connections from the firewall #iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED#iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp -m multiport --dports 80,443 --sport 1024:65535-o eth0 -p tcp -m multiport --dports 80,443 --sport 1024:65535 ● Allow previously established connectionsAllow previously established connections Interface eth0 is the internet interfaceInterface eth0 is the internet interface #iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0#iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp-p tcp
  • 21. Allow Your Home Network To AccessAllow Your Home Network To Access The FirewallThe Firewall Allow all bidirectional traffic from your firewall to the protected networkAllow all bidirectional traffic from your firewall to the protected network Interface eth1 is the private network interfaceInterface eth1 is the private network interface #iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth1#iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth1 #iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth1#iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth1