
    Friday, September 13, 2013

    Basic iptables tutorial with examples in Linux I

    For those who are not sure what the term means (paraphrasing Wikipedia): iptables is the user-space command used to configure the Linux kernel firewall (implemented as different Netfilter modules), and the name is also used for the tables, chains and rules it stores.

    Few important points on iptables
    • iptables requires root privileges (strictly, the CAP_NET_ADMIN capability); run as an unprivileged user it fails with a permission error.
    • On most Linux systems the binary is installed as /usr/sbin/iptables and documented in its man page, which can be opened with man iptables once the package is installed. It may also be found in /sbin/iptables, but since iptables is closer to a service than an "essential binary", the preferred location remains /usr/sbin.
    • It mainly works at Layer 3 and Layer 4, i.e. the network and transport layers.
    • iptables also filters ICMP (Internet Control Message Protocol) with -p icmp; ICMP is carried directly inside IP and belongs to Layer 3 (network layer), not the data link layer.
    • With the mac match module (-m mac --mac-source) iptables can also filter on the source MAC address of frames arriving on a local interface, so it works at Layer 2 (Data Link layer) as well.
    • Layer 3 matches are on source (-s 192.168.0.x) and destination (-d 172.168.0.x) addresses.
    • Layer 4 matches are on protocol and port, e.g. TCP 80 or UDP 69; most applications are reached through TCP or UDP ports.
    NOTE: TCP/UDP ports use a 16-bit range (0-65535) and IPv4 addresses are 32-bit (about 4 billion addresses).

    Package

    Verify that the iptables rpm is installed on your machine
    # rpm -qa | grep iptables
    iptables-1.4.7-4.el6.i686
    iptables-ipv6-1.4.7-4.el6.i686

    To check that the running kernel was built with Netfilter support (the config file name follows the kernel version, so let uname -r supply it instead of typing 2.6.x.x by hand)
    # grep '^CONFIG_NETFILTER=' /boot/config-$(uname -r)
    CONFIG_NETFILTER=y

    The value must be "y". A plain grep for CONFIG_NETFILTER would also list the CONFIG_NETFILTER_* sub-options; only this first line decides whether the framework is compiled in at all.

    Types of tables in iptables

    1. mangle - alters packet headers (TOS/TTL, marks) for TCP/UDP/ICMP traffic
    2. nat (Network Address Translation) - rewrites source or destination addresses and ports (SNAT, DNAT, MASQUERADE); consulted only for the first packet of a connection
    3. filter (IP packet filtering) - the default table when -t is not given, and the only one used in this article
    NOTE: NAT can change the port along with the IP address. A fourth table, raw, exists for marking packets that should bypass connection tracking; it is not covered here.

    ACL syntax for iptables

    A rule is built from these parts:
    1. action and chain - -A (Append), -I (Insert), -R (Replace) or -D (Delete), followed by the chain name (INPUT, OUTPUT, FORWARD or a user-defined chain)
    2. table - -t filter/mangle/nat, normally given first; filter is assumed when -t is omitted
    3. layer 3 match - source (-s) and/or destination (-d) address
    4. optionally a layer 4 match - protocol (-p tcp/udp/icmp) and ports (--sport/--dport)
    5. jump/target -j - ACCEPT, DROP, REJECT or LOG (DENY was an ipchains target and is not valid in iptables)
    Some Examples
    Block a source IP 192.168.0.30 from communicating with our system

    # iptables -A INPUT -s 192.168.0.30 -j DROP
    Here I am appending a rule to the INPUT chain (of the filter table) that matches any packet whose source is 192.168.0.30; the action, or target, is DROP, so every packet coming from that machine is silently discarded.

    To view the current rules in iptables (of the filter table; add -n to skip the DNS and service-name lookups, which can be slow and hide the real port numbers)
    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       all  --  192.168.0.30         anywhere
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
    DROP       tcp  --  anywhere             anywhere            tcp dpt:telnet

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    So now if 192.168.0.30 tries to connect to our local machine its packets are discarded without any reply, so its connection attempts simply time out. DROP sends nothing back; if you want the client to get an immediate error (an ICMP port-unreachable or a TCP reset) use -j REJECT instead.

    Other commands to view the iptables
    # iptables -L -v
    Chain INPUT (policy ACCEPT 2559 packets, 223K bytes)
     pkts bytes target     prot opt in     out   source        destination
        0    0 DROP       all  --  any    any   192.168.0.30    anywhere
        0    0 ACCEPT     tcp  --  any    any   anywhere        anywhere            tcp spt:ssh
        0    0 DROP       tcp  --  any    any   anywhere        anywhere            tcp dpt:telnet

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 297 packets, 40151 bytes)
     pkts bytes target     prot opt in     out     source               destination
    Here -v adds per-rule packet and byte counters (bytes abbreviated with K/M/G) plus the in/out interface columns, so you can see which rules are actually matching traffic; the counters on the chain header line are for packets that fell through to the default policy.

    # iptables -L --line-numbers
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    DROP       all  --  192.168.0.30         anywhere
    2    ACCEPT     tcp  --  anywhere             anywhere          tcp spt:ssh
    3    DROP       tcp  --  anywhere             anywhere          tcp dpt:telnet

    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination

    --list is simply the long form of -L and produces the same output:
    # iptables --list
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       all  --  192.168.0.30         anywhere
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
    DROP       tcp  --  anywhere             anywhere            tcp dpt:telnet

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Appending/Inserting rules

    You can either append a new rule to a chain or insert it. The difference is that an appended rule ends up as the last row, whereas if you want your rule evaluated before any other rule in the chain (rules are checked top to bottom and the first match wins) use INSERT, which puts it at position 1 unless you give another rule number after the chain name:

    # iptables -I INPUT -s 192.168.0.30 -j DROP

    Some more examples
    Create a rule to permit ssh connections from everyone to your local machine
    # iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    Note that this matches the destination port (dpt:22), which is what a rule for an inbound service must do: the client chooses its own source port, so a rule matching --sport 22 (shown as spt:ssh in the listings above) would accept any packet a client decides to send from port 22 and does not protect the SSH service.

    Create a rule to deny telnet access from everyone to your local machine
    # iptables -A INPUT -p tcp --dport telnet -j DROP
    Because -A appends and rules are checked in order, make sure no earlier ACCEPT rule already matches this traffic, otherwise the DROP is never reached.

    Deleting rules

    To delete a rule from a chain you can refer to it by its line number

    For Example:
    # iptables -L --line-numbers
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    DROP       all  --  192.168.0.30         anywhere
    2    ACCEPT     tcp  --  anywhere             anywhere          tcp spt:ssh
    3    DROP       tcp  --  anywhere             anywhere          tcp dpt:telnet

    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination

    Suppose I want to delete the rule for source 192.168.0.30
    # iptables -D INPUT 1

    Alternatively, delete by specification: give the complete rule after the -D switch exactly as it was written, and iptables removes the first rule that matches it. Only one rule is removed per invocation, so if the same rule was appended twice you have to run the delete twice.
    # iptables -D INPUT -s 192.168.0.30 -j DROP

    Replace rules

    You can also replace a rule in place instead of deleting and recreating it when you need to change something. Like -D with a number, -R takes the rule number from the --line-numbers listing.

    For example, suppose we want to block communication from 192.168.0.25 instead of 192.168.0.30 in the rule above; we can simply replace rule number 1

    # iptables -R INPUT 1 -s 192.168.0.25 -j DROP
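    The following script is an added example written for this edit, not code from the original post. It wraps the append/insert/delete/replace operations described above in small shell functions and shows two things the commands alone do not: a DROP for a host should be inserted at the top rather than appended (the first matching rule wins), and -R and the numbered form of -D need a rule number, which the script looks up by parsing the --line-numbers listing instead of trusting a number typed by hand. The names (ipt, rule_num_from_listing, block_source and so on), the DRY_RUN switch and the sample listing are my assumptions; with DRY_RUN=1, the default, every iptables command is printed instead of run, so it can be exercised without root.

```shell
# Added example (written for this edit, not code from the original post):
# shell helpers around the append/insert/delete/replace operations above.
# Assumptions of mine, not the page's: iptables is in PATH, only the INPUT
# chain of the filter table is touched, and DRY_RUN=1 (the default) prints
# each iptables command instead of running it, so this can be read and
# exercised without root or a live firewall.

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}

# Run an iptables command, or just print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Pure text function: given the output of `iptables -L INPUT -n --line-numbers`
# and a source address, print the number of the first rule whose source
# column is that host (accepting the address with or without a /32 suffix,
# to be safe across versions). Prints nothing when there is no such rule.
rule_num_from_listing() {
    printf '%s\n' "$1" | awk -v src="$2" '
        $1 ~ /^[0-9]+$/ && ($5 == src || $5 == (src "/32")) { print $1; exit }'
}

# Block a host. INSERT at position 1 rather than APPEND: rules are evaluated
# top to bottom and the first match wins, so an appended DROP that sits
# below an ACCEPT for the same traffic never fires.
block_source() {
    ipt -I INPUT 1 -s "$1" -j DROP
}

# Delete by specification. `-D <spec>` removes only the first rule that
# matches, so when really running, repeat until no copy is left (duplicates
# appear easily when a script does -A on every run).
unblock_source() {
    if [ "$DRY_RUN" = 1 ]; then
        ipt -D INPUT -s "$1" -j DROP
        return 0
    fi
    while "$IPT" -D INPUT -s "$1" -j DROP 2>/dev/null; do :; done
    return 0
}

# Replace the rule blocking $1 with one blocking $2. -R needs a rule number,
# so look it up from the live listing first (from the constructed sample in
# dry-run mode) and refuse rather than guess if it is not there.
replace_blocked_source() {
    if [ "$DRY_RUN" = 1 ]; then
        listing=$SAMPLE_LISTING
    else
        listing=$("$IPT" -L INPUT -n --line-numbers)
    fi
    num=$(rule_num_from_listing "$listing" "$1")
    if [ -z "$num" ]; then
        echo "no rule for source $1 in INPUT; nothing replaced" >&2
        return 1
    fi
    ipt -R INPUT "$num" -s "$2" -j DROP
}

# Constructed sample of `iptables -L INPUT -n --line-numbers` output, in the
# shape of the listings in the post (numeric because of -n), used for the
# dry run below.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.0.30         0.0.0.0/0
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23'

# Dry-run walkthrough of the sequence described in the post.
block_source 192.168.0.30
replace_blocked_source 192.168.0.30 192.168.0.25
unblock_source 192.168.0.25
```

    Run it with DRY_RUN=0 as root to act on the real INPUT chain; the dry run prints iptables -I INPUT 1 ..., iptables -R INPUT 1 ... and iptables -D INPUT ... in that order, which is exactly the sequence of commands from the sections above.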

    Saving or Restoring rules in iptables

    # iptables-save (dumps the current rules of all tables to STDOUT)

    # iptables-restore (reads rules in that format from STDIN and loads them in one operation; existing rules are flushed first unless -n/--noflush is given)

    Example:
    # iptables-save > rules.txt
    # iptables-restore < rules.txt

    On Red Hat based systems "service iptables save" writes the same format to /etc/sysconfig/iptables, which is what the iptables service loads at boot.

    Flushing rules

    Flushing deletes all the rules from all the chains of a table (the filter table unless -t is given).
    # iptables -F

    This removes the rules only in the running kernel: the chain policies set with -P are left as they are, and user-defined chains stay until removed with -X. Once you restart the iptables service (service iptables restart on Red Hat) the rules saved in /etc/sysconfig/iptables are loaded again, so an unsaved flush is temporary. Be careful on a remote machine: if the INPUT policy is DROP, flushing leaves a chain that drops everything, including your own SSH session.

    Related Articles
    Iptables rules to allow/block ssh incoming/outgoing connection in Linux
    Iptables rules to block/allow icmp ping request in Linux
    iptables rules for Samba 4 in Red Hat Linux
    Basic iptables tutorial in Linux II
    Iptables for Samba server

