Tutorial Mini of IP tables

Several tutorials

Tutorial Mini of IP tables

Mensagempor BrazilFW » Seg Dez 24, 2007 8:20 pm

Tutorial Mini of IP tables:



Commands of iptables

- the chain - Attached rules to the end of a chain. If a name of host is supplied,
as source or as destination, a rule is added for each related IP to this host.

- D chain - one Erases or more rules of the specified chain

- D chain regra_num - the resident rule in the position indicated for regra_num of the specified chain Erases.
The first rule in the chain is of number 1.

- R chain regra_num - I substituted the rule regra_num of the chain specified for the given rule

- I chain regra_num - one Inserts or more rules in the start of the chain. If a name of host is supplied,
as source or as destination, a rule is added for each related IP to this host.

- L [ chain ] - List all the rules in a chain. In case that it does not have no specified chain,
all the rules in all the chains are listed.

- F [ chain ] - It removes all the rules of a chain. If no chain will be specified,
removes the rules of all the existing chains, also of the user.

- Z [ chain ] - It restores the accountants of datagramas and bytes in all the rules of the chains specified for zero,
or for all the chains if none it will be specified.

- N chain - a chain defined for the user with the specified name Creates.

- X [ chain ] - the chain defined for the user Erases or all if will not be specified one.

- C chain - the described datagrama for the rule specified against the specified chain Verifies.
This command returns a message describing as the chain processed the datagrama.
That is very useful to test the configuracão of firewall, and for a posterior analysis.

- P chain politics - the politics Defines standard for a chain of one politics inside specified.
The valid politics: ACCEPT, DROP, QUEUE and RETURN. ACCEPT allows the ticket of the datagrama.
DROP discards the datagrama. QUEUE passes the datagrama for area of the user for posterior processing.
RETURN force the code of firewall to return for the previous chain and continues the processing
in the following rule to that it returned.


Rules The following rules can be used:

- p[!] Protocol - the rule Defines the protocol to which if it applies.
The parameter protocol can be any numerical value of the archive /etc/protocol or
one of the words key: tcp, UDP or ICMP

- s [!] addres[/mask ] - the rule Defines the origin of the package to which if it applies.
The parameter address can be a name of host, a name of net or an address IP with a mask of optional net.

- d [!] address[/mask ] - the rule Defines the destination of the package to which if it applies.
The address and the door are defined using the same used rules to define these values for the origin of the package.

- j - it if rabbet in this rule Define a target for the package case.
The possible targets are ACCEPT, DROP, QUEUE or RETURN.
It is possible to specify a chain of the user. Also it is possible to specify an extension.

- i [!] interface_name - the name of the interface Defines by where the datagrama was received.
A name of partial interface can be used locking up it with a signal of "+"; for example,
eth+ would correspond to all the initiated Ethernet interfaces with eth.

-o [ !] interface_name - the name of the interface Defines by where the datagrama will be transmitted.

[!] - f - Indicates that the rule is only mentioned to as I break up and to the subsequent ones of fragamentados packages. Comment: The symbol "!" he is used in the rules as a negation of the expression.


Example:

- s 192.168.0.10/32 is equivalent to the address of origin 192.168.0.10,

- s!192.168.0.10/32 is equivalent to all the addresses except the 192.168.0.10.


Options

- v - Exit in way verbose. Richer in terms of details on what it is happening or being made.

- n - Exit in numerical way and not for name of host, net or door.

- x - It shows the accurate value of the package and the accountants of bytes instead of arrendondar
them for the thousand, million or next billion.

-- line-numbers - When it lists the rules, inside adds a line number to the start of each rule,
corresponding to the position of the rule of the chain.

Extensions

Utilitarian iptables is extensible through a library of optional module shared.

To make use das extensions is necessary to specify its name using

parameter - m [ argument ] for that iptables carregue this module.


In some cases the parameter is usuado - p to determine the protocol

(in certain cases the parameter is not necessary - m therefore it is loaded automatically,

for example when tcp is used, UDP or ICMP).


Extension TCP: used with - m tcp - p tcp

-- sport [! ] [ port[:port ] ] - the door Specifies that the origin of the datagrama uses.
Doors can be specified with a set specifying itself its upper/lower limit separate for colon
(. For example, 20:25 also describe all the doors numbered of 20 up to 25.
Also it is possible to use caracter "!" to invert the expression.

-- dport [ !] [ port[:port ] ] - the door Specifies that the destination of the datagrama uses.

-- tcp-flags [ !] mask comp - It specifies that this rule will only be validated when flags of datagrama
TCP will coincide with specified in mask and comp. Mask is a separate list for commas of
flags that they must be examined when will be made the test. Comp is a separate list for
commas of flas that they must be configured. Flags valid is: SYN, ACK, END, RST, URG, PSH, ALL or NONE.

-- syn - It specifies that regre must only find datagramas with on bit SYN and the off bits ACK and END.
Datagramas with these options is used to request beginning of connection TCP.


Extension UDP: used with - m UDP - p UDP

-- sport[!][port[:port ] ] - This parameter has idênyico functioning to the one of extension TCP.

-- dport[!][port[:port ] ] - This parameter has identical functioning to the one of extension TCP.



Extension ICMP: used with - m ICMP - p ICMP


-- ICMP-TYPE [ !] typername - the type of message ICMP Specifies that the rule must satisfy.
The type can be determined by a number or name.
Some valid names are: echo-request, echo-reply, source-quench, teams-exceeded, destionation-unreachable, network-unreachable, host-unreanchable, protocol-unreachable and port-unreachable.


Extension MAC: used with - m mac

-- mac-source [!] address - the Ethernet address Specifies of host that it transmitted the datagrama
that this rule must find. Protection against IP Spoofing

- the IP Spoofing is one technique to forge false addresses IP to execute attacks to a machine in web.
Generally they use IP false in nets 10.0.0.0, 172.16.0.0 and 192.168.0.0. To block these addresses:



For machines with net interface:

# iptables - the INPUT - s 10.0.0.0/8 - i eth0 - j DROP

# iptables - the INPUT - s 172.16.0.0/8 - i eth0 - j DROP

# iptables - the INPUT - s 192.168.0.0/8 - i eth0 - j DROP



For machines with interface with modems ADSL:

# iptables - the INPUT - s 10.0.0.0/8 - i ppp0 - j DROP

# iptables - the INPUT - s 172.16.0.0/8 - i ppp0 - j DROP

# iptables - the INPUT - s 192.168.0.0/8 - i ppp0 - j DROP



To guarantee the navigation of our equipment:



# iptables - the INPUT - m state - state RELATED, ESTABLISHED - j ACCEPT


Without this command, the station would not sail. The module ip_conntrack allows to specify rules in accordance with the

state of the connection of the package. That is made through the parameter - state.



NEW - It confers the packages that establish new connections.

ESTABLISHED - It confers the packages with established connections already.

RELATED - It confers with packages related indirectly to a connection, as error messages.

INVALID - It confers with packages that could not be identified by some reason. As unknown answers of connection.


To register connections the not authorized doors - It is important to know when we are being monitored,
in order to foresee and if to defend of possible attacks. For this we can make with that iptables registers
in messages of the Linux connection attempts the doors blocked in the systems.

# iptables - the INPUT - s 0.0.0.0/0 - i eth0 - j LOG - log-prefix "forbidden Connection"

If to want to close some doors specifically:

# iptables - the INPUT - p tcp - dport 21 - j LOG - log-prefix "Service: ftp "

# iptables - the INPUT - p tcp - dport 23 - j LOG - log-prefix "Serviço:telnet"

The size of the message for the parameter - log-prefix is of 64 characters.

To filter message echo-request of ping or traceroute - Through the command ping,

we can discover which the operational system is executing in a server. Of ownership of this information,

it is possible programs attacks and explorations directed for this system.
In case that let us not want that somebody executes one ping in our machine.

# iptables - the INPUT - p ICMP - ICMP-TYPE echo-request - j DROP
BrazilFW
 

Voltar para Several tutorials

Quem está online

Usuários navegando neste fórum: Nenhum usuário registrado e 0 visitantes