22 Mar 2014
IPTables
Part - 2
Nishanth Kumar
n|u Bangalore chapter Lead
n|u / OWASP meet
Agenda
• Review of Part 1
• Understanding IPTables rules
• Options available when writing IPTables rules
• Some customized commands
• Demo with examples

Structure of IPTables
• IPTables is organised as Tables, which contain Chains, which contain Rules

Parameters for Rules
The following are the parameters available for rules:
• -A – Add / append a rule
• -I – Insert a rule
• -D – Delete a rule
• -R – Replace a rule
• -P – Set the default policy for a chain
• -N – Create a new chain
• -X – Delete a chain
• -j – Attach (jump to) a chain

IPTables Tables
• Filter table
• NAT table
• Mangle table
• Raw table

Filter Table
• Default table, used to filter packets
• 3 built-in chains:
  • INPUT chain – incoming to the firewall (packets coming to the local server)
  • OUTPUT chain – outgoing from the firewall (packets generated locally and going out of the local server)
  • FORWARD chain – packets for another NIC on the local server (packets routed through the local server)

NAT Table
• Used for NATing the source and destination IP of packets
• PREROUTING chain – alters packets before routing
• POSTROUTING chain – alters packets after routing
• OUTPUT chain – NAT for locally generated packets on the firewall

Mangle Table
• Used for specialized packet alteration, like QoS bits in the TCP header
  o PREROUTING chain
  o OUTPUT chain
  o FORWARD chain
  o INPUT chain
  o POSTROUTING chain

Few options - 1
• -p is for protocol
  • Possible values are tcp, udp, 6, 17
  • We can also use --protocol
• -j is for target
  • Jump to target: --jump
  • Specifies what needs to happen to the packet that matches this firewall rule
  • Possible values are ACCEPT, DROP, QUEUE, RETURN
  • We can also specify a user-defined chain as the target value

Few options - 2
• -s is for source
  • Source of the packet: IP address, network address, hostname
  • Ex: -s 192.168.1.5, --src 192.168.1.0/24
• -d is for destination
  • Destination of the packet: IP address, network address, hostname
  • Ex: -d 192.168.1.5, --dst 192.168.1.0/24

Few options - 3
• -i for input interface
  • Ex: -i eth0 indicates that this rule should consider incoming packets arriving through interface eth0
• -o for output interface
  • Ex: -o eth1 indicates that this rule should consider outgoing packets leaving through interface eth1
• If we don't specify an interface, all available interfaces on the system will be considered for input or output packets

Few options - 4
• --sport – for source port
  • Ex: --sport 22, --sport ssh
  • Port range is written as --sport 22:150
• --dport – for destination port
  • Ex: --dport 22, --dport ssh
  • Port range is written as --dport 22:150
• Using port numbers in rules is better than using port names

Few options - 5
• --tcp-flags is for TCP flags (for -p tcp)
  • Contains multiple values separated by commas
  • Values: SYN, ACK, FIN, RST, URG, PSH, NONE, ALL
  • Ex: --tcp-flags ARG1 ARG2
  • Ex: --tcp-flags SYN FIN
• --icmp-type is for ICMP type (for -p icmp)
  • We can use the above when we are using '-p icmp'
  • Values:
    • --icmp-type 0 – Echo Reply
    • --icmp-type 8 – Echo Request

Targets
• ACCEPT – IPTables stops further processing. The packet is handed over to the end application or the operating system for processing.
• DROP – IPTables stops further processing (the packet is blocked).
• REJECT – Works like the DROP target, but also returns an error message to the sending host that the packet was blocked.

Targets
• DNAT – Used to do destination network address translation (rewriting the destination IP address of the packet).
• SNAT – Used to do source network address translation, rewriting the source IP address of the packet (the source IP address is user defined).
• MASQUERADE – Used to do source network address translation (by default the source IP address is the same as that used by the firewall's interface).

Few more iptables commands
• service iptables save – to save the iptables rules (CentOS, RHEL, Fedora)
• service iptables restart – to restore the iptables rules (CentOS, RHEL, Fedora)
• iptables-save > /path/to/dir/filename – to save the iptables rules (for some other Linux distros)
• iptables-restore < /path/to/dir/filename – to restore the iptables rules (for some other Linux distros)

Thank you
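Constructed example, added here and not part of the original deck: a shell script that emits an iptables-restore file tying the slides together (filter and nat tables, built-in and user-defined chains, the -p/-s/-i/-o/--dport/--tcp-flags/--icmp-type options, and the ACCEPT/DROP/REJECT/MASQUERADE targets), plus a helper that counts rules per chain as a sanity check before loading. The interface names, addresses, the MGMT chain and the conntrack match (not covered in the slides) are assumptions.

```shell
#!/bin/sh
# Constructed example: generate an iptables-restore file for a small LAN gateway.
# Assumed values: LAN 192.168.1.0/24 on eth1, uplink on eth0, admin host 192.168.1.5.
LAN_NET=192.168.1.0/24
LAN_IF=eth1
WAN_IF=eth0
ADMIN=192.168.1.5

gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:MGMT - [0:0]
# baseline: loopback and flows already accepted (conntrack is an assumption beyond the slides)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# --tcp-flags takes a mask then a comparison: drop packets with both SYN and FIN set
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# echo-request (type 8) accepted from the LAN interface only
-A INPUT -i $LAN_IF -p icmp --icmp-type 8 -j ACCEPT
# ssh by port number (preferred over the name) is handed to the user-defined MGMT chain
-A INPUT -p tcp --dport 22 -j MGMT
-A MGMT -s $ADMIN -j ACCEPT
-A MGMT -j REJECT --reject-with icmp-port-unreachable
# forward LAN -> uplink, and return traffic for established flows
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# source NAT for LAN hosts leaving on the uplink, using the uplink address
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# number of -A rules appended to the given chain in the generated file
rules_in_chain() { gen_ruleset | grep -c "^-A $1 "; }

# usage: gen_ruleset > /path/to/dir/rules.v4   then   iptables-restore < /path/to/dir/rules.v4
```

The generated file is in the format iptables-save writes and iptables-restore reads, so it can be reviewed and version-controlled before being loaded.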