RH 253: IP TABLES



1. TYPES OF IPTABLES (tables)

A.  FILTER
B.  NAT
C.  MANGLE

->  Types of Filter (the chains of the filter table)
A.  Forward
B.  Input
C.  Output

->  Types of NAT (the chains of the nat table)
A.  Pre-routing
B.  Post-routing
C.  Output

->  Types of Mangle (the chains of the mangle table)
1.  Forward
2.  INPUT
3.  OUTPUT
4.  Pre-routing
5.  Post-routing




2. TYPES OF TARGET

1. Accept  
2. Drop
3. Log
4. Reject


--------->  Rule-matching options
-t  table (filter, nat or mangle; filter is used when -t is omitted)
-s  source address
-d  destination address
-i  incoming interface
-j  target (what to do with a matching packet)
-p  protocol (tcp, udp, icmp)
--dport  destination port number of the service (used with -p tcp or -p udp)

---------->  Chain operations
-A Append a rule at the end of a chain
-F Flush (remove all rules)
-R Replace a rule by number
-D Delete a rule
-L List rules
-I Insert a rule at a given position




pkg    : iptables
daemon : iptables
file   : /etc/sysconfig/iptables

lokkit  ->Enable firewall






INPUT IPTABLES

1. To List all iptables
   iptables  -L

2. To Flush all iptables
   iptables  -F

3. To List only  Input iptables
   iptables  -t filter -L INPUT


4. No system can access any service on the server (the rule has no -p, so it matches every protocol, not only TCP)
   iptables -t filter -A INPUT -s 0.0.0.0/0 -j REJECT

5. To control ping (ICMP) from a single IP, trying each of the four targets

a> REJECT   ->Refuse the ping and send an ICMP error back, so the sender sees that it was refused
   iptables -t filter -A INPUT -s 192.168.0.20 -p icmp -j REJECT
   iptables -F                 (flush before testing the next target)


b> DROP  ->Silently discard the ping; the sender gets no reply at all and has to time out
   iptables -t filter -A INPUT -s 192.168.0.20 -p icmp -j DROP
   iptables -F


c> LOG    ->Allow pinging + log every packet to /var/log/messages (LOG is not a final decision: the packet goes on to the next rule, and with no further rule it is accepted)
   iptables -t filter -A INPUT -s 192.168.0.20 -p icmp -j LOG
   tailf /var/log/messages     (tail -f on systems without tailf)
   iptables -F


d> ACCEPT   ->Allow pinging
   iptables -t filter -A INPUT -s 192.168.0.20 -p icmp -j ACCEPT
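The LOG target in 5c only writes lines to /var/log/messages; somebody still has to read them. The script below is an added example, not part of the original notes, that summarises those kernel log lines per source address and protocol with plain sh and awk, and lists the sources whose count reaches a threshold. The log sample inside it is constructed (the kernel lines follow the netfilter LOG format, the addresses are the lab addresses used in these notes); the function names summarize_log and flag_sources are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise the lines that the
# LOG target writes to /var/log/messages, per source address and protocol,
# and flag sources above a threshold. Uses only sh and awk.

# Constructed sample of /var/log/messages. The "kernel:" lines use the
# netfilter LOG format; the addresses are the lab addresses from the notes.
# The sshd line is there to show that non-netfilter lines are ignored.
SAMPLE_LOG='Jun  3 10:15:02 server kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:11:22:33:08:00 SRC=192.168.0.20 DST=192.168.0.28 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Jun  3 10:15:03 server kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:11:22:33:08:00 SRC=192.168.0.20 DST=192.168.0.28 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=2
Jun  3 10:15:04 server kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:11:22:33:08:00 SRC=192.168.0.20 DST=192.168.0.28 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=3
Jun  3 10:15:05 server kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:44:55:66:08:00 SRC=192.168.0.53 DST=192.168.0.28 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  3 10:15:06 server sshd[2210]: Accepted password for root from 192.168.0.53 port 51234 ssh2'

# Read log lines on stdin; print "SRC PROTO DPT COUNT", one line per combination.
# Lines without the SRC=/PROTO= fields after "kernel:" are skipped, so the
# sshd line above does not count even though it mentions an address.
summarize_log() {
    awk '
        /kernel: / && /SRC=/ && /PROTO=/ {
            src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Sources whose count for any protocol/port reaches the threshold given as $1.
flag_sources() {
    summarize_log | awk -v threshold="$1" '$4 >= threshold { print $1 }' | sort -u
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_log
    printf '%s\n' "$SAMPLE_LOG" | flag_sources 3
fi
```

On a real server replace the sample with `grep 'kernel: ' /var/log/messages | summarize_log`. The parser keys on the SRC= and PROTO= fields rather than on a fixed column, so it also works when the LOG rule carries a --log-prefix, which is worth adding so that log lines from different rules can be told apart.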
  

6. To control ping (ICMP) for an entire network
   iptables -t filter -A INPUT -s 192.168.0.0/24 -p icmp -j REJECT

7. To reject ping from everybody outside this network (the ! negates the -s match; this rule still only covers ICMP)
   iptables -t filter -A INPUT ! -s 192.168.0.0/24 -p icmp -j REJECT

8. To number the rules in a chain (-n prints addresses and ports numerically, without DNS lookups)
   iptables -t filter -L INPUT --line-numbers -n

9. To delete an individual rule by its number
   iptables -t filter -D INPUT 2

10. To replace rule number 2 with another rule
    iptables -t filter -R INPUT 2 -s 192.168.0.53 -p icmp -j REJECT

11. To insert a rule between two existing rules (it becomes rule number 2; the old rule 2 moves down to 3)
    iptables -t filter -I INPUT 2 -s 192.168.0.53 -p icmp -j REJECT


12. To control access to ssh
    iptables -t filter -A INPUT -s 192.168.0.20 -p tcp --dport 22 -j REJECT

13. To control access to ftp
    iptables -t filter -A INPUT -s 192.168.0.20 -p tcp --dport 21 -j REJECT

14. To control access to pop3
    iptables -t filter -A INPUT -s 192.168.0.20 -p tcp --dport 110 -j REJECT

15. To control access to imaps
    iptables -t filter -A INPUT -s 192.168.0.20 -p tcp --dport 993 -j REJECT
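Items 4 to 15 above are single rules tried one at a time and flushed again. On a real server they have to be combined into one INPUT chain, and then the order matters: iptables stops at the first rule that matches, so appending the REJECT-everything rule from item 4 first and the ACCEPT rules afterwards locks you out of ssh. The script below is an added example, not from the original notes, that builds a lockout-safe INPUT chain: loopback and already-established connections first, ssh from an admin network, rate-limited ping, then log and reject everything else. The admin network 192.168.0.0/24 is an assumption taken from the lab addresses in the notes; IPT is my own variable so the rules can be printed with IPT=echo before they are applied for real.

```shell
#!/bin/sh
# Added example (not from the original notes): a lockout-safe INPUT chain.
# IPT is the command used to apply rules; the default is the real iptables,
# setting IPT=echo just prints the rules so the ordering can be checked first.
IPT="${IPT:-iptables}"
# Assumed admin network; the notes' lab addresses are 192.168.0.x.
ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"

# iptables stops at the first matching rule in a chain, so every "allow"
# must come before the catch-all REJECT at the end.
input_rules() {
    "$IPT" -t filter -F INPUT
    # Local processes talking to the box over the loopback interface.
    "$IPT" -t filter -A INPUT -i lo -j ACCEPT
    # Replies to connections the server opened itself keep working.
    "$IPT" -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ssh only from the admin network (item 12 above, inverted into an allow).
    "$IPT" -t filter -A INPUT -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT
    # Ping stays allowed, but rate-limited so it cannot flood the box.
    "$IPT" -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # Log what is about to be rejected (rate-limited so the log cannot fill the
    # disk). LOG does not end processing, so the packet reaches the REJECT below.
    "$IPT" -t filter -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-REJECT: "
    "$IPT" -t filter -A INPUT -j REJECT
}

# Review the result with rule numbers and no DNS lookups (-n), as in item 8.
show_input() {
    "$IPT" -t filter -L INPUT --line-numbers -n
}

# Position (1-based) of the catch-all REJECT in the generated rule list.
# Sanity check for the ordering: it must be the last rule.
reject_position() {
    input_rules | grep -n -- '-j REJECT$' | cut -d: -f1
}

if [ "${1:-}" = "apply" ]; then
    input_rules
    show_input
fi
```

Run it as `IPT=echo sh input.sh apply` first to read the rules in order, then as root without IPT to apply them. Keep a second ssh session open while testing; if the chain is wrong, `iptables -F INPUT` from that session restores access, exactly as the `iptables -F` lines in item 5 do.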



  OUTPUT IPTABLES EXAMPLES

1. To stop our server (192.168.0.28) from pinging any machine
   iptables -t filter -A OUTPUT -s 192.168.0.28 -p icmp -j DROP


2. To stop our server from ssh-ing to any machine
   iptables -t filter -A OUTPUT -s 192.168.0.28 -p tcp --dport 22 -j DROP

3. To stop our server from connecting to ftp on any machine
   iptables -t filter -A OUTPUT -s 192.168.0.28 -p tcp --dport 21 -j DROP




 FORWARD  IP TABLES  EXAMPLES


1. Give the router/server two IPs, one on each of the two different networks
2. vim /etc/sysctl.conf      (set net.ipv4.ip_forward = 1 so the kernel routes between them)
3. sysctl -p                 (reload the setting)

-> To stop ping b/w the two networks, even though the packets pass through the router


iptables -t filter -A FORWARD -s 10.0.0.20  -d 192.168.0.20 -p icmp -j REJECT

-> To stop ssh b/w the two networks


iptables -t filter -A FORWARD -s 10.0.0.20  -d 192.168.0.20 -p tcp --dport 22 -j REJECT

-> To stop ftp b/w the two networks


iptables -t filter -A FORWARD -s 10.0.0.20  -d 192.168.0.20 -p tcp --dport 21 -j REJECT




    POSTROUTING OR SNAT

A host on the "public" side (192.168.0.x) wants to connect to a host on the "private" side (10.0.0.x). The private host cannot reply to the public address, so the router rewrites the source of the forwarded packets to its own private IP (10.0.0.1). SNAT is done in POSTROUTING, i.e. after the routing decision, on the way out.

1. iptables -t nat -A POSTROUTING -j  SNAT --to-source 10.0.0.1


2. From 192.168.0.20
   # ssh 10.0.0.20
     w                (run on 10.0.0.20: the login shows as coming from 10.0.0.1, the router, not from 192.168.0.20)

3. iptables -t nat -L POSTROUTING

    
4. iptables -t nat -F POSTROUTING    







    PREROUTING OR DNAT

A host on the "private" side wants to connect to a host on the "public" side, but cannot reach it by its own address, so it connects to the router's address instead and the router rewrites the destination. DNAT is done in PREROUTING, i.e. before the routing decision, on the way in (SNAT is not allowed in PREROUTING; the DNAT target is the one to use here).

1. iptables -t nat -A PREROUTING -p tcp --dport 22 -j  DNAT --to-destination <IP of the host that should receive the ssh connection>

2. From 10.0.0.20
   # ssh 10.0.0.10
   # ifconfig        (shows that you have landed on the DNAT target, not on 10.0.0.10)


3. iptables -t nat -L PREROUTING    


4. iptables -t nat -F PREROUTING    
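The FORWARD, SNAT and DNAT sections above are the three pieces of one router setup: forwarding switched on in the kernel, the nat table rewriting addresses, and the filter table deciding what is allowed to cross. The script below is an added example, not from the original notes, that puts them together in one place with the two NAT targets in the chains they belong to (SNAT in POSTROUTING, DNAT in PREROUTING). The router address 10.0.0.1 and the 10.0.0.0/24 network come from the notes; the interface names eth0/eth1 and the direction of the port forward (ssh arriving on the public side, forwarded to a private host) are my assumptions, and DNAT_TARGET is a placeholder because the notes never name the host that should receive the forwarded connection. IPT and SYSCTL are my own variables so the commands can be printed instead of run.

```shell
#!/bin/sh
# Added example (not from the original notes): the router side of the
# FORWARD, SNAT and DNAT sections as one script. IPT/SYSCTL default to the
# real commands; set either to "echo" to print what would run.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Assumed lab layout (addresses from the notes, interface names assumed):
#   eth0 = "public" side, 192.168.0.0/24
#   eth1 = "private" side, 10.0.0.0/24, router's own address 10.0.0.1
PUB_IF="${PUB_IF:-eth0}"
PRIV_IF="${PRIV_IF:-eth1}"
ROUTER_PRIV_IP="${ROUTER_PRIV_IP:-10.0.0.1}"
# Host that should receive ssh connections made to the router's public-side
# address. The notes do not name it, so this is a placeholder to fill in.
DNAT_TARGET="${DNAT_TARGET:-PRIVATE_SIDE_HOST_IP}"

# Same effect as net.ipv4.ip_forward = 1 in /etc/sysctl.conf followed by
# sysctl -p, but not persistent across reboots.
enable_forwarding() {
    "$SYSCTL" -w net.ipv4.ip_forward=1
}

nat_rules() {
    "$IPT" -t nat -F
    # SNAT belongs in POSTROUTING: packets leaving towards the private side
    # get the router's private address as source, so private hosts can reply.
    "$IPT" -t nat -A POSTROUTING -o "$PRIV_IF" -j SNAT --to-source "$ROUTER_PRIV_IP"
    # DNAT belongs in PREROUTING: the destination is rewritten before routing,
    # so ssh to the router's public-side address is delivered to DNAT_TARGET.
    "$IPT" -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport 22 -j DNAT --to-destination "$DNAT_TARGET"
}

# The nat table only rewrites addresses; the filter table's FORWARD chain
# still has to let the rewritten traffic through. Reject everything else.
forward_rules() {
    "$IPT" -t filter -F FORWARD
    "$IPT" -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -t filter -A FORWARD -i "$PUB_IF" -o "$PRIV_IF" -d "$DNAT_TARGET" -p tcp --dport 22 -j ACCEPT
    "$IPT" -t filter -A FORWARD -p icmp -j ACCEPT
    "$IPT" -t filter -A FORWARD -j REJECT
}

show_nat() {
    "$IPT" -t nat -L -n --line-numbers
}

# Chains in which a given nat target appears in the generated rules,
# e.g. "chains_using SNAT" prints POSTROUTING. Used as an ordering check.
chains_using() {
    nat_rules | awk -v target="$1" '$0 ~ ("-j " target " ") { print $4 }' | sort -u
}

if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    nat_rules
    forward_rules
    show_nat
fi
```

With IPT=echo SYSCTL=echo the script only prints the commands, which is the safe way to review a NAT setup before running it on the router; `chains_using DNAT` and `chains_using SNAT` confirm that each target sits in the chain where iptables accepts it. The FORWARD chain ends in REJECT, so a forwarded connection that does not appear in the nat rules and in the FORWARD allows will be refused rather than silently routed.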
