Saturday, July 30, 2016

IP TABLES ( FIREWALL ) - 2

IPtables

What is IP tables:- Originally, the most popular firewall/NAT package running on Linux was ipchains, but it had a number of shortcomings. To rectify this, the Netfilter organization decided to create a new product called iptables, giving it such improvements as:
Better integration with the Linux kernel with the capability of loading iptables-specific kernel modules designed for improved speed and reliability.
Stateful packet inspection. This means that the firewall keeps track of each connection passing through it and in certain cases will view the contents of data flows in an attempt to anticipate the next action of certain protocols. This is an important feature in the support of active FTP and DNS, as well as many other network services.
Filtering packets based on a MAC address and the values of the flags in the TCP header. This is helpful in preventing attacks using malformed packets and in restricting access from locally attached servers to other networks in spite of their IP addresses.
System logging that provides the option of adjusting the level of detail of the reporting.
Better network address translation.
Support for transparent integration with such Web proxy programs as Squid.
A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks.
Considered a faster and more secure alternative to ipchains, iptables has become the default firewall package installed under RedHat and Fedora Linux.

Notes:- Iptables works at the network layer and the transport layer of the OSI model.
1. Check where the iptables binary resides:-
[root@noc boot]# which iptables

2. Check the iptables rpm:-
[root@noc boot]# rpm -qa |grep iptables
iptables-ipv6-1.4.7-4.el6.x86_64
iptables-1.4.7-4.el6.x86_64

3. List the files installed by the iptables package:-
[root@noc ~]# rpm -ql iptables-1.4.7-4.el6.x86_64

4. As we know, netfilter/iptables support is compiled into the kernel by default. To check its modules, look at the kernel config: change your directory to /boot
[root@noc ~]# cd /boot
[root@noc boot]# ls -ltr
config-2.6.32-220.el6.x86_64 (this is the kernel config; open it with vim and check that the netfilter options, e.g. CONFIG_NETFILTER and CONFIG_IP_NF_IPTABLES, are set to y or m, i.e. that iptables is compiled in)

5. Let's talk about targets:- A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN. ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the NFQUEUE target.) RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

6. Targets And Jumps:- Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet needs to jump over to it for further processing. Rules live in tables, and each table has its own built-in chains; below are the built-in tables that iptables uses.
1. filter:-This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
2. nat:-This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

3. mangle:-This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

4. raw:- This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) and OUTPUT (for packets generated by local processes).

7. JUMPS:- Once a target is identified, the packet needs to jump over to it for further processing. Below are the lists of built-in targets that iptables uses.
1. ACCEPT
2. DROP
3. LOG
4. REJECT
5. DNAT
6. SNAT
7. MASQUERADE

8. General Iptables Match Criteria:-
-t(table):-If you don't specify a table, then the filter table is assumed. As discussed before, the possible built-in tables include: filter, nat, mangle and raw
-j(target):-Jump to the specified target chain when the packet matches the current rule.
-A:- Append rule to end of a chain
-F:- (Flush) Deletes all the rules in the selected table
-p (protocol-type):-Match protocol. Types include, icmp, tcp, udp, and all
-s (ip-address):-Match source IP address
-d (ip-address):-Match destination IP address
-i (interface-name):-Match "input" interface on which the packet enters.
-o (interface-name):-Match "output" interface on which the packet exits.

9.Common TCP and UDP Match Criteria:-
-p tcp --sport <port>:- TCP source port. Can be a single value or a range in the format: start-port-number:end-port-number
-p tcp --dport <port>:- TCP destination port. Can be a single value or a range in the format: starting-port:ending-port
-p tcp --syn:- Used to identify a new TCP connection request (SYN set, ACK and RST clear). ! --syn means, not a new connection request
-p udp --sport <port>:- UDP source port. Can be a single value or a range in the format: starting-port:ending-port
-p udp --dport <port>:- UDP destination port. Can be a single value or a range in the format: starting-port:ending-port

10. Displaying the Status of Your Firewall:-
[root@noc ~]# iptables -L
or
[root@noc ~]# iptables -L -n -v
Where:-
-L : List rules.
-v : Display detailed information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
-n : Display IP address and port in numeric format. Do not use DNS to resolve names. This will speed up listing.
11. To inspect the firewall with line numbers, enter:-
[root@noc ~]# iptables -n -L -v --line-numbers
12. To display INPUT or OUTPUT chain rules, enter:-
[root@noc ~]# iptables -L INPUT -n -v
[root@noc ~]# iptables -L OUTPUT -n -v
13. Stop / Start / Restart the Firewall:-
14. Stop and flush the firewall:-
[root@noc ~]# iptables -F (Delete (flush) all the rules)
[root@noc ~]# iptables -X (Delete user-defined chains)
[root@noc ~]# iptables -t nat -F (Select a table (nat or mangle) and delete/flush its rules)
[root@noc ~]# iptables -t nat -X
[root@noc ~]# iptables -t mangle -F
[root@noc ~]# iptables -t mangle -X
[root@noc ~]# iptables -P INPUT ACCEPT (Set the default policy (such as DROP, REJECT, or ACCEPT))
[root@noc ~]# iptables -P OUTPUT ACCEPT
[root@noc ~]# iptables -P FORWARD ACCEPT
15. Delete Firewall Rules:-
1. To display the line number along with other information for the existing rules, enter:-
[root@noc ~]# iptables -L INPUT -n --line-numbers
[root@noc ~]# iptables -L OUTPUT -n --line-numbers
[root@noc ~]# iptables -L OUTPUT -n --line-numbers | less
[root@noc ~]# iptables -L OUTPUT -n --line-numbers | grep 192.168.8.9
2. You will get the list of rules. Look at the number on the left, then use that number to delete the rule. For example, to delete rule number 4, enter:-
[root@noc ~]# iptables -D INPUT 4
3. OR find the rule with source 192.168.8.9 and delete it by its specification:
[root@noc ~]# iptables -D INPUT -s 192.168.8.9 -j DROP
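Deleting by rule number has two traps the commands above do not show: a plain grep for 192.168.8.9 also matches 192.168.8.90, and rule numbers shift after every delete. The following helper is an added example, not part of the original post; the listing is a constructed sample of `iptables -L INPUT -n --line-numbers` output and the function names are my own.

```shell
# Constructed sample of `iptables -L INPUT -n --line-numbers` output
# (not captured from a real host).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       all  --  192.168.8.9          0.0.0.0/0
3    DROP       all  --  192.168.8.90         0.0.0.0/0
4    DROP       tcp  --  192.168.8.9          0.0.0.0/0            tcp dpt:80'

# Print the numbers of the rules whose source column is exactly $1.
# Comparing the whole field avoids the substring trap of a plain
# `grep 192.168.8.9`, which would also hit rule 3 (192.168.8.90).
rule_numbers_for_source() {
    printf '%s\n' "$2" |
        awk -v ip="$1" '$1 ~ /^[0-9]+$/ && $5 == ip { print $1 }'
}

# Emit `iptables -D CHAIN N` for every matching rule, highest number
# first: once rule 2 is deleted, old rule 4 becomes rule 3, so deleting
# in ascending order would remove the wrong rule.
delete_commands_for_source() {
    chain=$1
    ip=$2
    listing=$3
    rule_numbers_for_source "$ip" "$listing" | sort -rn |
        while read -r n; do
            printf 'iptables -D %s %s\n' "$chain" "$n"
        done
}

# Preview only; review the output before running it on the firewall host.
delete_commands_for_source INPUT 192.168.8.9 "$SAMPLE_LISTING"
```

On a live host, replace the sample with `iptables -L INPUT -n --line-numbers` output captured immediately before the delete, since any rule change in between invalidates the numbers.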

16. Inserting Firewall rules:-
Block all ports for a particular host or subnet:- this closes every port for this host
[root@noc ~]# iptables -A INPUT -s 192.168.122.111 -j DROP
[root@noc ~]# service iptables save
Now go to that host and try to access the server

17 .Set the Default Firewall Policies:
1. To drop all traffic:-
[root@noc ~]# iptables -P INPUT DROP
[root@noc ~]# iptables -P OUTPUT DROP
[root@noc ~]# iptables -P FORWARD DROP
[root@noc ~]# iptables -L -v -n
Note:- #### you will not be able to connect anywhere as all traffic is dropped ###

18. Only Block Incoming Traffic:-
1. To drop all incoming / forwarded packets but allow outgoing traffic, enter:
[root@noc ~]# iptables -P INPUT DROP
[root@noc ~]# iptables -P FORWARD DROP
[root@noc ~]# iptables -P OUTPUT ACCEPT
[root@noc ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT (accept only replies to connections this host opened; matching NEW here would let new incoming connections through and defeat the INPUT DROP policy)

Note: now you will be able to send traffic outside, but incoming traffic will be blocked.

19. Drop Private Network Address On Public Interface:-
Anti-spoofing here means dropping packets that arrive on your public interface with a source address from the IPv4 private network ranges, since no legitimate traffic from the Internet carries such a source. Packets with non-routable source addresses should be rejected using the following syntax:
[root@noc ~]# iptables -A INPUT -i eth1 -s 192.168.8.0/24 -j DROP
[root@noc ~]# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

20. Blocking an IP Address or subnet (BLOCK IP):- to block any particular IP address or subnet.
[root@noc ~]# iptables -A INPUT -s 192.168.8.9 -j DROP
[root@noc ~]# iptables -A INPUT -s 192.168.8.0/24 -j DROP

21.Block Incoming Port Requests (BLOCK PORT):-
[root@noc ~]# iptables -A INPUT -p tcp --dport 80 -j DROP
[root@noc ~]# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

22. To block port 80 only for an ip address:-
[root@noc ~]# iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
[root@noc ~]# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

23. Block Outgoing IP Address:-
[root@noc ~]# iptables -A OUTPUT -d 192.168.8.9 -j DROP

24.You can use a subnet as follows:-
[root@noc ~]# iptables -A OUTPUT -d 192.168.8.0/24 -j DROP
[root@noc ~]# iptables -A OUTPUT -o eth1 -d 192.168.8.0/24 -j DROP

25. Log and Drop Packets:-Type the following to log and block IP spoofing on public interface called eth1.
[root@noc ~]# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
[root@noc ~]# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

By default everything is logged to the /var/log/messages file.
[root@noc ~]# tail -f /var/log/messages
[root@noc ~]# grep --color 'IP_SPOOF' /var/log/messages (search for the prefix set with --log-prefix)

26.Log and Drop Packets with Limited Number of Log Entries:-
[root@noc ~]# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
[root@noc ~]# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
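To actually use the entries that the LOG rules in 25 and 26 write, here is an added example (not from the original post) that summarises them by source, protocol and destination port; the /var/log/messages lines are constructed samples in the LOG target's format and the function name log_summary is my own.

```shell
# Constructed sample of /var/log/messages lines in the format the LOG
# target writes (not real traffic). The last line is unrelated noise.
SAMPLE_MESSAGES='Jul 30 10:15:01 noc kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0c:29:3a:1f:02:00:50:56:c0:00:08:08:00 SRC=10.1.2.3 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4242 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 30 10:15:02 noc kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0c:29:3a:1f:02:00:50:56:c0:00:08:08:00 SRC=10.1.2.3 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4243 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 30 10:15:03 noc kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0c:29:3a:1f:02:00:50:56:c0:00:08:08:00 SRC=10.9.9.9 DST=203.0.113.5 LEN=71 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP SPT=5353 DPT=53 LEN=51
Jul 30 10:15:04 noc sshd[1234]: Accepted publickey for admin from 192.168.1.20 port 51000 ssh2'

# Summarise the LOG entries carrying prefix $1: one line per
# "SRC PROTO DPT" triple, preceded by its count, busiest first.
# Because rule 26 logs through -m limit, these counts are a lower bound:
# packets beyond the limit were dropped without being logged.
log_summary() {
    printf '%s\n' "$2" | awk -v pfx="$1" '
        index($0, pfx) == 0 { next }   # skip lines our LOG rule did not write
        {
            src = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")         # fields look like KEY=VALUE
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

log_summary "IP_SPOOF A: " "$SAMPLE_MESSAGES"
```

On a real host feed it `cat /var/log/messages` (or the journal) in place of the sample; sources that repeat with a spoofed private address on eth1 are the ones worth chasing upstream.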

27.Block or Allow ICMP Ping Request
[root@noc ~]# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
[root@noc ~]# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

Ping responses can also be limited to certain networks or hosts:-

[root@noc ~]#iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT

28.The following only accepts limited type of ICMP requests:
### ** assumes that the default INPUT policy is set to DROP ** ##########
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
## ** allow our server to respond to pings ** ##
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

29.Open Range of Ports:-
[root@noc ~]# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

30.Open Range of IP Addresses
## only accept connection to tcp port 80 (Apache) if ip is between 192.168.1.100 and 192.168.1.200 ##
[root@noc ~]# iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT


#############################   END  ###############################

25 Most Frequently Used Linux IPTables Rules


# 1. Delete all existing rules
iptables -F

# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 3. Block a specific ip-address
#BLOCK_THIS_IP="x.x.x.x"
#iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

# 4. Allow ALL incoming SSH
#iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 5. Allow incoming SSH only from a specific network
#iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 6. Allow incoming HTTP
#iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming HTTPS
#iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# 7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

# 8. Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 9. Allow outgoing SSH only to a specific network
#iptables -A OUTPUT -o eth0 -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 10. Allow outgoing HTTPS
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# 11. Load balance incoming HTTPS traffic
# DNAT is only valid in the nat table, so these rules need -t nat. Note that the nth match
# comes from patch-o-matic / xtables-addons, not mainline iptables; mainline offers the same
# round-robin with -m statistic --mode nth --every 3 --packet N.
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

# 12. Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# 13. Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# 14. Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# 15. Allow packets from internal network to reach external network.
# if eth1 is connected to external network (internet)
# if eth0 is connected to internal network (192.168.1.x)
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# 16. Allow outbound DNS
#iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
#iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# 17. Allow NIS Connections
# rpcinfo -p | grep ypbind ; This port is 853 and 850
#iptables -A INPUT -p tcp --dport 111 -j ACCEPT
#iptables -A INPUT -p udp --dport 111 -j ACCEPT
#iptables -A INPUT -p tcp --dport 853 -j ACCEPT
#iptables -A INPUT -p udp --dport 853 -j ACCEPT
#iptables -A INPUT -p tcp --dport 850 -j ACCEPT
#iptables -A INPUT -p udp --dport 850 -j ACCEPT

# 18. Allow rsync from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

# 19. Allow MySQL connection only from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

# 20. Allow Sendmail or Postfix
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

# 21. Allow IMAP and IMAPS
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

# 22. Allow POP3 and POP3S
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

# 23. Prevent DoS attack
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# 24. Port forwarding 422 to 22
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT

# 25. Log dropped packets
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
