Upload
denys-haryachyy
View
676
Download
1
Embed Size (px)
Citation preview
Understanding iptablesLinux firewall basics
Netfilter hooks stages
Socket
App
NIC
INPUT
PRE_ROUTING POST_ROUTING
OUTPUTFORWARD
Stateless firewalliptables -A INPUT -p tcp --dport 80 -j ACCEPT
Stateful firewalliptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
Loggingiptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j LOG --log-prefix “In Http:”
Tables overviewFilter is a default table.
So, if you don’t define you own table, you’ll be using filter table.
Each table has a number of predefined chains inside.
You can create your own chain.
Filter
Input
Forward
Output
Nat
Output
Prerouting
Postrouting
Mangle
Input
Prerouting
Postrouting
Output
Forward
Raw
Output
Prerouting
Tables in shelliptables -t mangle -A POSTROUTING -o $NETCARD -p tcp -m connbytes --connbytes 10000000: --connbytes-mode bytes --connbytes-dir both -j CONNMARK --set-mark 999
iptables -t mangle -A INPUT -i eth0 -p tcp --dport 80 -m string --string ”get /admin http/” --icase --algo bm -m conntrack --ctstate ESTABLISHED -j DROP
iptables -t filter -A input -p tcp --dport 22 -m time --datestart “” --datestop “” --utc --j DROP
Custom chainsCreate a new chain
iptables -N LOGDROP
Add chain rules
iptables -A LOGDROP -j LOG --log-level 4 --log-prefix 'SourceDrop '
iptables -A LOGDROP -j DROP
Add chain rules to iptables rules
iptables -A INPUT -s 10.0.0.0/8 -j LOGDROP
Netfilter in user landlibnetfilter_queue is used to divert traffic to user application
Packets are not duplicated
User application has to inject a packet back
Useful for debugging rules
ip setsConstant time hash lookup
modprobe ip_set
ipset -N droplist nethash
ipset -add droplist 192.168.1.0/24
iptables -A INPUT -m set --set droplistsrc -j DROP
Useful commandsDrop all rules
iptables -F
Quickly restore rules
iptables-restore <rules list file>
ReferencesDesigning and Implementing Linux Firewalls with QoS using netfilter, iproute2, NAT and L7-filter
Netfilter & Iptables Elements
Linux Firewall Tutorial: IPTables Tables, Chains, Rules Fundamentals
Understanding Linux Network Internals
iptables book
Iptables targets and jumps
Security in Linux