Transcript

  • 1. IPTables Part 2 (22 Mar 2014). Nishanth Kumar, n|u Bangalore chapter lead. n|u / OWASP meet.
  • 2. Agenda
      - Review of Part 1
      - Understanding IPTables rules
      - Options available when writing IPTables rules
      - Some customized commands
      - Demo with examples
  • 3. Structure of IPTables: IPTables > Tables > Chains > Rules (tables contain chains, chains contain rules).
  • 4. Parameters for rules. The following parameters are available for rules:
      - -A: add / append a rule
      - -I: insert a rule
      - -D: delete a rule
      - -R: replace a rule
      - -P: set the default policy for a chain
      - -N: create a new chain
      - -X: delete a chain
      - -j: jump to a target (attach a chain)
  • 5. IPTables tables
      - Filter table
      - NAT table
      - Mangle table
      - Raw table
  • 6. Filter table
      - Default table; used to filter packets
      - 3 built-in chains:
          - INPUT chain: incoming to the firewall (packets coming to the local server)
          - OUTPUT chain: outgoing from the firewall (packets generated locally and going out of the local server)
          - FORWARD chain: packets for another NIC on the local server (packets routed through the local server)
  • 7. NAT table
      - Used for NATting the packets' source and destination IP
      - PREROUTING chain: alters packets before routing
      - POSTROUTING chain: alters packets after routing
      - OUTPUT chain: NAT for locally generated packets on the firewall
  • 8. Mangle table
      - Used for specialized packet alteration, like the QoS bits in the TCP header
      - Chains: PREROUTING, OUTPUT, FORWARD, INPUT, POSTROUTING
  • 9. Few options - 1
      - -p is for protocol (also --protocol). Possible values are tcp, udp, 6, 17.
      - -j is for target (also --jump). Specifies what needs to happen to a packet that matches this firewall rule. Possible values are ACCEPT, DROP, QUEUE, RETURN; a user-defined chain can also be given as the target.
  • 10. Few options - 2
      - -s is for source (also --src): the source of the packet, given as an IP address, network address or hostname. Ex: -s 192.168.1.5, --src 192.168.1.0/24
      - -d is for destination (also --dst): the destination of the packet, given as an IP address, network address or hostname. Ex: -d 192.168.1.5, --dst 192.168.1.0/24
  • 11. Few options - 3
      - -i is for the input interface. Ex: -i eth0 means this rule only considers incoming packets arriving through interface eth0.
      - -o is for the output interface. Ex: -o eth1 means this rule only considers outgoing packets leaving through interface eth1.
      - If no interface is specified, all available interfaces on the system are considered for input or output packets.
  • 12. Few options - 4
      - --sport is for the source port. Ex: --sport 22, --sport ssh. A port range is written as --sport 22:150
      - --dport is for the destination port. Ex: --dport 22, --dport ssh. A port range is written as --dport 22:150
      - Using port numbers in rules is better than using port names.
  • 13. Few options - 5
      - --tcp-flags is for TCP flags (for -p tcp). It takes two arguments, each a comma-separated list of flags: --tcp-flags ARG1 ARG2. Values: SYN, ACK, FIN, RST, URG, PSH, NONE, ALL. Ex: --tcp-flags SYN FIN
      - --icmp-type is for the ICMP type; it can be used when the rule has -p icmp. Values: --icmp-type 0 (Echo Reply), --icmp-type 8 (Echo Request)
  • 14. Targets
      - ACCEPT: IPTables stops further processing. The packet is handed over to the end application or the operating system for processing.
      - DROP: IPTables stops further processing. The packet is blocked.
      - REJECT: works like the DROP target, but also returns an error message to the sending host saying that the packet was blocked.
  • 15. Targets
      - DNAT: destination network address translation (rewriting the destination IP address of the packet)
      - SNAT: source network address translation, rewriting the source IP address of the packet (the source IP address is user defined)
      - MASQUERADE: source network address translation where, by default, the source IP address is the one used by the firewall's interface
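The slides above list the options and targets one at a time. The following is an added example, written for this page and not part of the presentation, that puts them together as one ruleset in the text format that iptables-save writes and iptables-restore reads, so the whole policy can be reviewed and loaded in one step. The networks ADMIN_NET and LAN_NET, the interface WAN_IF, the chain name SSH_GUARD and the allowed ports are assumptions chosen for the example; the -m conntrack --ctstate match used for return traffic and --reject-with tcp-reset are standard iptables features that the slides do not cover.

```shell
#!/bin/sh
# Added example, not from the slides: print a small gateway ruleset in the
# text format that iptables-save writes and iptables-restore reads, using
# the options the slides cover (-P, -A, -N, -p, -s, -i, -o, --dport,
# --tcp-flags, --icmp-type, -j with built-in and user-defined targets).
# ADMIN_NET, LAN_NET and WAN_IF are assumed values chosen for the example.

ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # hosts allowed to open SSH sessions
LAN_NET="${LAN_NET:-10.0.0.0/24}"          # internal network to masquerade
WAN_IF="${WAN_IF:-eth0}"                   # interface facing the outside

# Filter table: default-deny on INPUT and FORWARD, explicit allows, and a
# user-defined chain (SSH_GUARD) used as a jump target, as slide 9 describes.
# Lines starting with '#' inside the ruleset are comments to iptables-restore.
gen_filter_table() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_GUARD - [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
# SYN and FIN set together never occurs in legitimate traffic: drop it early
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# return traffic for connections this host opened (conntrack match; not on the slides)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# answer pings (ICMP type 8 = echo request)
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
# SSH is decided by the user-defined chain below
-A INPUT -p tcp --dport 22 -j SSH_GUARD
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# other TCP gets a RST so clients fail fast; everything else is silently dropped
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j DROP
-A SSH_GUARD -s $ADMIN_NET -j ACCEPT
-A SSH_GUARD -j DROP
# forwarding: only LAN_NET may go out via WAN_IF, plus its return traffic
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# NAT table: MASQUERADE rewrites the source address of outgoing LAN packets
# to whatever address WAN_IF currently has (slide 15).
gen_nat_table() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Whole ruleset: both tables, ready for "iptables-restore < file".
gen_ruleset() {
    echo "# example ruleset; load with: iptables-restore < rules.v4"
    gen_filter_table
    gen_nat_table
}

if [ "${1:-}" = "--print" ]; then
    gen_ruleset
fi
```

Run it as sh gen_rules.sh --print > rules.v4 (file name assumed), check the result with iptables-restore --test rules.v4, and load it as root with iptables-restore < rules.v4. Forwarding additionally needs net.ipv4.ip_forward=1, which the ruleset does not set. Because INPUT and FORWARD default to DROP, a forgotten rule shows up as a blocked connection rather than as an unexpectedly open port.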
  • 16. Few more iptables commands
      - service iptables save: save the iptables rules (CentOS, RHEL, Fedora)
      - service iptables restart: restore the iptables rules (CentOS, RHEL, Fedora)
      - iptables-save > /path/to/dir/filename: save the iptables rules (on other Linux distros)
      - iptables-restore < /path/to/dir/filename: restore the iptables rules (on other Linux distros)
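Loading a ruleset with iptables-restore replaces every rule at once, which is what makes a mistaken INPUT rule dangerous on a machine administered over SSH. The following is an added example, not from the slides, that wraps the save and restore commands listed above with a backup, a pre-load syntax check and an automatic rollback if the operator does not confirm within a timeout. The file paths, the timeout and the awk well-formedness check are the example's own; iptables-restore --test is a real option that parses a rules file without committing it.

```shell
#!/bin/sh
# Added example, not from the slides: apply a ruleset file with
# iptables-restore, keeping a backup taken with iptables-save, and roll
# back automatically unless the operator confirms within a timeout. This
# protects a remote box from a mistaken INPUT rule that would cut off the
# session used to apply it. BACKUP, CONFIRM_FILE and TIMEOUT are assumed
# values for this example; loading rules requires root.

BACKUP="${BACKUP:-/tmp/iptables.backup.$$}"
CONFIRM_FILE="${CONFIRM_FILE:-/tmp/iptables.confirmed}"
TIMEOUT="${TIMEOUT:-60}"

# Structural check that needs neither root nor the iptables binaries:
# every '*table' header must be closed by COMMIT, and chain declarations
# (':') or rules ('-') may only appear inside a table. Blank lines and
# '#' comments are ignored, as iptables-restore ignores them.
ruleset_well_formed() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }
        /^\*/      { if (open) bad = 1; open = 1; next }
        /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
        /^[:-]/    { if (!open) bad = 1; next }
                   { bad = 1 }
        END { if (bad || open) exit 1; exit 0 }
    ' "$1"
}

apply_with_rollback() {
    file="$1"
    ruleset_well_formed "$file" || { echo "malformed ruleset: $file" >&2; return 2; }
    # --test parses and builds the ruleset without committing it to the kernel.
    iptables-restore --test "$file" || { echo "iptables-restore rejected $file" >&2; return 2; }
    # Snapshot of the running rules, taken with iptables-save (slide 16).
    iptables-save > "$BACKUP" || return 1
    rm -f "$CONFIRM_FILE"
    # iptables-restore swaps the whole ruleset in one step, so there is no
    # window with a half-applied policy. Fall back immediately on failure.
    if ! iptables-restore "$file"; then
        iptables-restore "$BACKUP"
        return 1
    fi
    # Watchdog: if CONFIRM_FILE has not appeared by the deadline (for example
    # because the SSH session was dropped by the new rules), put the backup back.
    (
        sleep "$TIMEOUT"
        [ -e "$CONFIRM_FILE" ] || iptables-restore "$BACKUP"
    ) &
    echo "rules applied; run 'touch $CONFIRM_FILE' within ${TIMEOUT}s to keep them"
}

if [ -n "${1:-}" ]; then
    apply_with_rollback "$1"
fi
```

Run it as root with sh apply_rules.sh rules.v4 (script and file names assumed), then touch /tmp/iptables.confirmed from a fresh session once you have confirmed you can still connect. The ruleset_well_formed check only tests the table/COMMIT structure, but it runs without iptables installed, which makes it usable as a cheap lint step for rule files before they reach a firewall host.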
  • 17. Thank you