1. TYPES OF IPTABLES
A. FILTER
B. NAT
C. MANGLE
-> Types of Filter
A. Forward
B. Input
C. Output
-> Types of NAT
A. Pre-routing
B. Post-routing
C. Output
-> Types of Mangle
1. Forward
2. INPUT
3. OUTPUT
4. Pre-routing
5. Post-routing
2. TYPES OF TARGET
1. Accept
2. Drop
3. Log
4. Reject
--------->
-t table
-s source
-d destination
-i interface
-j target
--dport service's port number
---------->
-A Append
-F Flush
-R Replace
-D Delete
-L List
-I Insert
pkg : iptables
daemon : iptables
file : /etc/sysconfig/iptables
lokkit ->Enable firewall
INPUT IPTABLES
1. To list all rules
iptables -L
2. To flush all rules
iptables -F
3. To list only the INPUT chain rules
iptables -t filter -L INPUT
4. No system can access any service on the server (the rule has no -p match, so it rejects every protocol, not only TCP).
iptables -t filter -A INPUT -s 0.0.0.0/0 -j REJECT
5. To control ping (ICMP) access from a single IP
a> REJECT -> Reject pinging; an ICMP error reply is sent back to the sender
iptables -t filter -A INPUT -s 192.168.0.20 -p icmp -j REJECT
iptables -F
b> DROP -> Drop pinging silently, no reply is sent
iptables -t filter -A INPUT -s 192.168.0.20 -p icmp -j DROP
iptables -F
c> LOG -> Allow pinging and log the packets (LOG is a non-terminating target, so the packet continues down the chain)
iptables -t filter -A INPUT -s 192.168.0.20 -p icmp -j LOG
tailf /var/log/messages
iptables -F
d> ACCEPT -> Allow pinging
iptables -t filter -A INPUT -s 192.168.0.20 -p icmp -j ACCEPT
6. To control ping (ICMP) access for an entire network
iptables -t filter -A INPUT -s 192.168.0.0/24 -p icmp -j REJECT
7. To deny everybody outside this network (ICMP here; the ! negates the -s match)
iptables -t filter -A INPUT ! -s 192.168.0.0/24 -p icmp -j REJECT
8. To number the rules
iptables -t filter -L INPUT --line-numbers -n
9. To delete an individual rule (by its number)
iptables -t filter -D INPUT 2
10. To replace a rule with another rule (by its number)
iptables -t filter -R INPUT 2 -s 192.168.0.53 -p icmp -j REJECT
11. To insert a rule between two rules (at position 2)
iptables -t filter -I INPUT 2 -s 192.168.0.53 -p icmp -j REJECT
12. To control access to ssh
iptables -t filter -A INPUT -s 192.168.0.20 -p tcp --dport 22 -j REJECT
13. To control access to ftp
iptables -t filter -A INPUT -s 192.168.0.20 -p tcp --dport 21 -j REJECT
14. To control access to pop3
iptables -t filter -A INPUT -s 192.168.0.20 -p tcp --dport 110 -j REJECT
15. To control access to imaps
iptables -t filter -A INPUT -s 192.168.0.20 -p tcp --dport 993 -j REJECT
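The INPUT examples above each add one rule in isolation. The script below is added here as an example (it is not part of the original notes) and combines the same -t/-A/-s/-i/-p/--dport/-j options into one ordered INPUT ruleset with a default deny and a LOG rule before the final DROP. The addresses (192.168.0.0/24 as the LAN, 192.168.0.20 as the admin host) and the IPT_DRY_RUN switch, which prints the commands instead of running them, are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumed layout:
#   LAN   = 192.168.0.0/24  (trusted network, may ping the server)
#   ADMIN = 192.168.0.20    (only host allowed to ssh in)
# IPT_DRY_RUN=1 prints every iptables command instead of executing it,
# so the ruleset can be reviewed on a box without root or iptables.

IPT_DRY_RUN=${IPT_DRY_RUN:-0}
LAN=${LAN:-192.168.0.0/24}
ADMIN=${ADMIN:-192.168.0.20}

# Wrapper: echo the command in dry-run mode, otherwise run it.
ipt() {
    if [ "$IPT_DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rules are matched top to bottom and the first match wins, so the
# specific ACCEPTs come first and the catch-all LOG/DROP come last.
build_input_rules() {
    ipt -t filter -F INPUT                                   # start from an empty chain
    ipt -t filter -A INPUT -i lo -j ACCEPT                   # loopback traffic
    ipt -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # replies to our own connections
    ipt -t filter -A INPUT -s "$LAN" -p icmp -j ACCEPT       # LAN may ping us
    ipt -t filter -A INPUT -s "$ADMIN" -p tcp --dport 22 -j ACCEPT  # ssh only from the admin host
    ipt -t filter -A INPUT -p tcp --dport 22 -j REJECT       # everyone else gets an explicit refusal
    ipt -t filter -A INPUT -j LOG --log-prefix "INPUT-DROP: "  # visible in /var/log/messages
    ipt -t filter -A INPUT -j DROP                           # default deny for anything left
}

# Usage:  IPT_DRY_RUN=1 sh firewall.sh apply   (print the rules)
#         sh firewall.sh apply                 (load them, needs root)
if [ "${1:-}" = "apply" ]; then
    build_input_rules
fi
```

After loading, iptables -t filter -L INPUT --line-numbers -n shows the rules in exactly this order, which is what makes the admin ACCEPT win over the later REJECT.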
OUTPUT IPTABLES EXAMPLES
1. To stop our server from pinging any machine
iptables -t filter -A OUTPUT -s 192.168.0.28 -p icmp -j DROP
2. To stop our server from using ssh to any machine
iptables -t filter -A OUTPUT -s 192.168.0.28 -p tcp --dport 22 -j DROP
3. To stop our server from using ftp to any machine
iptables -t filter -A OUTPUT -s 192.168.0.28 -p tcp --dport 21 -j DROP
FORWARD IP TABLES EXAMPLES
1. Set two IPs from two different networks on the router/server
2. vim /etc/sysctl.conf (set net.ipv4.ip_forward = 1 so the kernel forwards packets)
3. sysctl -p
-> To stop pinging between the different networks, even though the packets pass through the router
iptables -t filter -A FORWARD -s 10.0.0.20 -d 192.168.0.20 -p icmp -j REJECT
-> To stop ssh between the different networks
iptables -t filter -A FORWARD -s 10.0.0.20 -d 192.168.0.20 -p tcp --dport 22 -j REJECT
-> To stop ftp between the different networks
iptables -t filter -A FORWARD -s 10.0.0.20 -d 192.168.0.20 -p tcp --dport 21 -j REJECT
POSTROUTING OR SNAT
Anybody from a public IP who wants to connect to a private IP cannot reach it using the public IP, so the router's private IP is used as the source instead.
1. iptables -t nat -A POSTROUTING -j SNAT --to-source 10.0.0.1
2. From 192.168.0.20
# ssh 10.0.0.20
# w (shows the translated source address of the login)
3. iptables -t nat -L POSTROUTING
4. iptables -t nat -F POSTROUTING
PREROUTING OR DNAT
Anybody from a private IP who wants to connect to a public IP cannot reach it using the private IP, so the router's public IP is used instead.
1. iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination <private host ip>
(SNAT is only valid in the POSTROUTING chain; PREROUTING needs the DNAT target with --to-destination, and the private host's address is not given in these notes.)
2. From 10.0.0.20
# ssh 10.0.0.10
# ifconfig
3. iptables -t nat -L PREROUTING
4. iptables -t nat -F PREROUTING