akde/infosec

Information security is ultimately about managing risk


Note that iptables and ip6tables should always be used together: iptables rules apply only to IPv4 and ip6tables rules only to IPv6, so a filter written for one address family leaves the other one open!

Tables

iptables manages a set of tables which act as ACLs (Access Control Lists). Each table contains chains; the built-in ones are:

  • filter: default table
    • INPUT handles all packets addressed to this system.
    • OUTPUT handles all packets originating from this system.
    • FORWARD handles all packets which are neither from nor for this system (routed through it).
  • nat: table for network address translation
    • PREROUTING modifies packets when they arrive.
    • POSTROUTING modifies packets before they leave.
    • OUTPUT modifies packets which originate from this system.
  • mangle: table for manipulating packet headers and marks
  • raw: high-priority table processed before the others, e.g. to exempt packets from connection tracking
  • security: additional table for MAC tools like SELinux.

Actions

Actions (called targets in iptables terminology) are selected via the -j option.

  • ACCEPT allows a packet
  • REJECT rejects a packet and sends an error back to the sender
  • DROP silently ignores a packet (the sender gets no reply)
  • LOG logs a packet and continues with the next rule
  • SNAT modifies the source address (only in the nat table)
  • DNAT modifies the destination address (only in the nat table)
  • MASQUERADE modifies the source address to that of the outgoing interface, for dynamic addresses (only in the nat table)

Examples

Show all rules (of the filter table; add -t nat for another table and -n to skip reverse DNS lookups):

iptables -L
ip6tables -L

Ignore (drop) all packets from a network (here a single host, /32):

iptables -A INPUT -s 192.168.5.1/32 -j DROP
ip6tables -A INPUT -s fd75:943b:5f2e:0:a4:45a1:b753:4152 -j DROP

Allow a specific port from everywhere:

iptables -A INPUT -p tcp --dport 80 --destination $LOCALIP -j ACCEPT
ip6tables -A INPUT -p tcp --dport 80 --destination $LOCALIP6 -j ACCEPT

Allow only packets which belong to an existing connection (-m state is the legacy form; newer iptables prefer the equivalent -m conntrack --ctstate):

iptables -A INPUT --destination $LOCALIP -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT --destination $LOCALIP6 -m state --state ESTABLISHED,RELATED -j ACCEPT

Persist netfilter rules

Via a systemd unit that runs the init script:

vi /etc/systemd/system/iptables.service
---
[Unit]
Description=Load netfilter rules via the init script
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/init.d/iptables start
ExecStop=/etc/init.d/iptables stop
ExecReload=/etc/init.d/iptables restart

[Install]
WantedBy=multi-user.target
---
systemctl enable iptables

Or from the interface configuration (the snippet uses /etc/network/interfaces syntax, so the rules are loaded when the interface comes up):

auto eth0
iface eth0 inet static
...
up /etc/init.d/iptables start
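The examples above are entered one command at a time and the persistence section reloads them from a script. The following added example (not code from the original page) does both in one place: it builds matching IPv4 and IPv6 filter rulesets in iptables-restore format from the same examples, lints them before loading (every rule needs a target, and the nat-only targets may not appear in the filter table), and, when run as root with the argument "install", writes them to disk together with a oneshot systemd unit that restores them before the network comes up. The addresses are constructed documentation values; the file paths under /etc/iptables and the unit name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: build matching IPv4/IPv6
# filter rulesets in iptables-restore format, lint them, and (as root) install
# them with a oneshot systemd unit. Addresses are constructed documentation
# values; RULES_DIR and UNIT are assumed paths.
set -eu

LOCALIP="${LOCALIP:-203.0.113.10}"        # constructed (TEST-NET-3)
LOCALIP6="${LOCALIP6:-2001:db8::10}"      # constructed (documentation prefix)
BLOCKED4="${BLOCKED4:-192.168.5.1/32}"
BLOCKED6="${BLOCKED6:-fd75:943b:5f2e:0:a4:45a1:b753:4152/128}"
RULES_DIR="${RULES_DIR:-/etc/iptables}"   # assumed location
UNIT="${UNIT:-/etc/systemd/system/netfilter-restore.service}"  # assumed name

# Filter table only: default-deny INPUT and FORWARD, open OUTPUT; allow
# loopback, existing connections and TCP/80 to the local address; drop one
# source early; rate-limited LOG of whatever the policy is about to drop.
# $1 = local address, $2 = blocked source, $3 = optional extra rule line
filter_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s $2 -j DROP
${3:-# no extra rule}
-A INPUT -d $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -d $1 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

rules_v4() { filter_rules "$LOCALIP" "$BLOCKED4" ""; }
# IPv6 needs ICMPv6 (neighbour discovery, PMTU) or the host stops talking.
rules_v6() { filter_rules "$LOCALIP6" "$BLOCKED6" "-A INPUT -p ipv6-icmp -j ACCEPT"; }

# Static check before loading: every -A line needs a -j target, and the
# nat-only targets (SNAT, DNAT, MASQUERADE) may appear only inside *nat.
# Reads the ruleset on stdin; exits 1 on the first class of error found.
lint_rules() {
  awk '
    BEGIN { bad = 0 }
    /^\*/ { table = substr($0, 2); next }
    /^-A/ {
      target = ""
      for (i = 1; i < NF; i++) if ($i == "-j") target = $(i + 1)
      if (target == "") { print "no target: " $0; bad = 1; next }
      if ((target == "SNAT" || target == "DNAT" || target == "MASQUERADE") && table != "nat") {
        print "nat-only target " target " in *" table ": " $0; bad = 1
      }
    }
    END { exit bad }'
}

# Root only: lint, write both files, and install a unit that restores them
# before network-pre.target (the same ordering Debian's netfilter-persistent
# uses). Not run unless the script is invoked with "install".
install_rules() {
  rules_v4 | lint_rules
  rules_v6 | lint_rules
  mkdir -p "$RULES_DIR"
  rules_v4 > "$RULES_DIR/rules.v4"
  rules_v6 > "$RULES_DIR/rules.v6"
  cat > "$UNIT" <<EOF
[Unit]
Description=Restore iptables and ip6tables rules
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/iptables-restore $RULES_DIR/rules.v4
ExecStart=/usr/sbin/ip6tables-restore $RULES_DIR/rules.v6

[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl enable --now "$(basename "$UNIT")"
}

if [ "${1:-}" = "install" ]; then install_rules; fi
```

Without arguments the script only defines the functions, so `rules_v4 | lint_rules` can be tried as an unprivileged user; `iptables-restore --test` (where available) is the next check before anything is loaded. The unit restores both families from the saved files, which is the same thing the init script in the text does, without the Type=simple problem: with Type=oneshot systemd waits for the restore to finish before it considers the unit started.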

Measure traffic from/to a location

iptables -I INPUT 1 -s 10.10.10.10 -j ACCEPT
iptables -I OUTPUT 1 -d 10.10.10.10 -j ACCEPT
iptables -Z

Now generate the traffic you want to measure (iptables -Z above has zeroed the counters of every rule in the filter table). Then read the per-rule packet and byte counters (add -x to get exact numbers instead of abbreviated ones):

iptables -nv -L
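The procedure above, as an added example that is not part of the original page: a function that wraps the insert/zero/act/read sequence, and a small parser that pulls the packet and byte counters for one address out of `iptables -nvL` output. The sample listing is constructed; the address 10.10.10.10 is the one from the text. One deviation, stated as such: the counting rules below carry no -j target, because a rule without a target only counts and lets the packet continue to the rest of the policy, whereas the ACCEPT rules inserted at position 1 in the text bypass every later rule for that host while the measurement runs.

```shell
#!/bin/sh
# Added example, not code from the original page: wrap the measuring steps in a
# function and parse `iptables -nvL` output for one address. SAMPLE_COUNTERS is
# constructed sample output; it is not a real capture.
set -eu

# Constructed sample of `iptables -nvL` after some traffic to/from 10.10.10.10.
SAMPLE_COUNTERS='Chain INPUT (policy ACCEPT 120 packets, 9600 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3360 ACCEPT     all  --  *      *       10.10.10.10          0.0.0.0/0
    7   560 DROP       all  --  *      *       192.168.5.1          0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 300 packets, 24000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   37   12K ACCEPT     all  --  *      *       0.0.0.0/0            10.10.10.10'

# Print "<chain> <packets> <bytes>" for every rule whose source or destination
# equals $1. Without -x, iptables abbreviates large counters with K/M/G
# (multiples of 1000), so the suffix is expanded here; with -x the numbers are
# already exact and pass through unchanged.
counters_for() {
  awk -v addr="$1" '
    function expand(v,    n, u) {
      n = v + 0
      u = substr(v, length(v))
      if (u == "K") return n * 1000
      if (u == "M") return n * 1000000
      if (u == "G") return n * 1000000000
      return n
    }
    /^Chain / { chain = $2; next }
    $1 ~ /^[0-9]/ && NF >= 9 && ($8 == addr || $9 == addr) {
      printf "%s %d %d\n", chain, expand($1), expand($2)
    }'
}

# Root only: count packets exchanged with host $1 while the remaining arguments
# run as a command, then remove the counting rules again. The rules have no -j,
# so they only count and do not change what the policy does with the traffic.
# Example: measure_traffic 10.10.10.10 curl -s http://10.10.10.10/
measure_traffic() {
  host="$1"; shift
  iptables -I INPUT 1 -s "$host"
  iptables -I OUTPUT 1 -d "$host"
  iptables -Z INPUT 1                 # zero only the two new rules, not every
  iptables -Z OUTPUT 1                # counter in the table like plain -Z does
  "$@" || true                        # the measured action may fail; still report
  iptables -nvxL | counters_for "$host"
  iptables -D INPUT -s "$host"
  iptables -D OUTPUT -d "$host"
}

if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_COUNTERS" | counters_for 10.10.10.10
fi
```

Running the script with "demo" prints the two counter lines from the constructed sample; `measure_traffic` is only called explicitly and needs root. The parser keys on the source and destination columns, so it also reports the DROP rule for 192.168.5.1 if asked for that address, which makes it usable for checking whether a drop rule is actually being hit.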
