more Iptables!


naresh

Nov 5, 2007, 9:18:08 AM11/5/07
to Delhi/NCR Linux Users Group
Hi All,

Some very helpful and useful iptables commands. I hope this will help in
understanding iptables in a bit more depth.

Logging connections with IPtables
________________________________________
Logging ALL incoming and outgoing traffic

iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -t nat -A PREROUTING -j LOG
iptables -t nat -A POSTROUTING -j LOG
iptables -t nat -A OUTPUT -j LOG

Description: The above commands will enable logging for all input/output/
forwarded/routed traffic in the /var/log/messages file. (The log file depends
on the syslog setting.)
A Customized Logging Chain to Log all ssh connections

iptables -N LOGIT # custom chain: log the packet, then return to the caller
iptables -A LOGIT -m state --state ESTABLISHED -j RETURN # skip packets of already-established connections, so only new attempts get logged
iptables -A LOGIT -j LOG
iptables -A LOGIT -j RETURN

The above commands will create a new chain LOGIT and set it to log
all except fragments. Now let's use this chain.

iptables -A INPUT -p tcp --dport 22 -j LOGIT

Description: It will log all connections to port 22 (SSH).

Below is the complete shell script for the above logging.
#!/bin/bash
iptables -N LOGIT # custom chain: log the packet, then return to the caller

iptables -A LOGIT -m state --state ESTABLISHED -j RETURN # skip packets of already-established connections, so only new attempts get logged
iptables -A LOGIT -j LOG
iptables -A LOGIT -j RETURN

iptables -A INPUT -p tcp --dport 22 -j LOGIT
#end

Reverse script to delete the above iptables config.
#!/bin/bash

iptables -D LOGIT -m state --state ESTABLISHED -j RETURN
iptables -D LOGIT -j LOG
iptables -D LOGIT -j RETURN

iptables -D INPUT -p tcp --dport 22 -j LOGIT
iptables -X LOGIT

#end

________________________________________
Blocking traffic with IPtables
________________________________________
Blocking an IP (Drop connection)
Example: iptables -A INPUT -s 192.168.0.1 -j DROP

Blocking an IP (Rejecting connection)
Example: iptables -A INPUT -s 192.168.0.1 -j REJECT

Blocking access of an IP to a certain port
Example: iptables -A INPUT -p tcp -s 192.168.1.50 --dport 110 -j REJECT
Description: This will reject connections from 192.168.1.50 to port 110.

Example: iptables -A INPUT -p udp -s 192.168.1.50 --dport 52 -j REJECT
Description: This will reject UDP traffic from 192.168.1.50 to port 52.

Blocking All Incoming Traffic at a port
Example: iptables -A INPUT -p tcp --dport 110 -j REJECT
Description: This will reject ALL incoming connections/traffic at port 110.

Blocking Incoming Pings
Example: iptables -A INPUT -p icmp -j DROP
Description: Useful to protect against automated network scans that detect
live IPs.

Blocking access to an external IP from within your server
Example: iptables -A OUTPUT -p tcp -d 192.168.1.50 -j REJECT
Description: This will block access to 192.168.1.50 from within your
server, meaning your server's users cannot access that IP from within
the server.

Blocking access to an external port of an external IP
Example: iptables -A OUTPUT -p tcp -d 192.168.1.50 --dport 25 -j REJECT
Description: Port 25 of 192.168.1.50 will not be accessible from within
your server.
________________________________________
Routing with IPtables
________________________________________
Redirecting a TCP port to another port
Example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Description: Port 80 will be redirected to port 8080, meaning if you
connect to port 80 of this server you will actually be connected to 8080.

Redirecting traffic from a specific IP at a TCP port to another port
Example: iptables -t nat -A PREROUTING -p tcp -s 192.168.1.40 --dport 80 -j REDIRECT --to-ports 8080
Description: All traffic from 192.168.1.40 at port 80 will be
redirected to port 8080, meaning if 192.168.1.40 connects to port 80
of this server it will actually be connected to 8080.

Note: The REDIRECT target can only be used to redirect traffic to the
machine itself. To route traffic elsewhere, use DNAT (see below).

Routing traffic from a specific port to another server

Example:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 10.10.10.10 --dport 72 -j DNAT --to 33.55.37.226:25
Description: The above commands will route the traffic for port 72 of IP
10.10.10.10 to port 25 of IP 33.55.37.226.
________________________________________
Listing and Deleting current rules
________________________________________
Example: iptables -L
Description: It will list all chains and rules

Example: iptables -L chain_name
Description: It will list all rules in a specific chain

Example: iptables -D LOGIT -j LOG
Description: It will delete the specific rule. The rule must be given
exactly as it was when it was added.

Example: iptables -F chain_name
Description: It will delete all rules in chain_name

Example: iptables -F
Description: It will delete all rules in all chains


Thanks,
Naresh Kumar
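
As an added example (not part of Naresh's post), the script below builds a variant of the LOGIT chain that tags each log line with a prefix and rate-limits logging, and then summarizes the resulting kernel LOG lines by source address. The chain name LOGIT is the post's; the "SSH-IN: " prefix, interface name and sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post.
#  1. logit_rules      - prints a LOGIT chain that skips packets of already
#     established connections, tags each log line with a prefix, and
#     rate-limits the LOG target so a scan cannot flood /var/log/messages.
#     Review the output, then pipe it to sh as root to apply it.
#  2. summarize_ssh_log - reads kernel LOG lines (from /var/log/messages or
#     "journalctl -k") and prints "count source-ip", busiest source first.
# The "SSH-IN: " prefix is a hypothetical name chosen for this example.

logit_rules() {
    prefix="${1:-SSH-IN: }"
    cat <<EOF
iptables -N LOGIT
iptables -A LOGIT -m state --state ESTABLISHED,RELATED -j RETURN
iptables -A LOGIT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "$prefix" --log-level info
iptables -A LOGIT -j RETURN
iptables -A INPUT -p tcp --dport 22 -j LOGIT
EOF
}

summarize_ssh_log() {
    prefix="${1:-SSH-IN: }"
    awk -v p="$prefix" '
        index($0, p) == 0 { next }            # not one of our LOG lines
        {
            for (i = 1; i <= NF; i++)         # the LOG target writes KEY=VALUE fields
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); count[$i]++ }
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn -k1,1
}

# Constructed sample lines in the kernel LOG target's field layout; the last
# line is an unrelated kernel message that must be ignored.
SAMPLE_LOG='Nov  5 09:18:01 host kernel: SSH-IN: IN=eth0 OUT= SRC=192.168.1.50 DST=10.10.10.10 LEN=60 TTL=64 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
Nov  5 09:18:02 host kernel: SSH-IN: IN=eth0 OUT= SRC=192.168.1.50 DST=10.10.10.10 LEN=60 TTL=64 ID=4322 DF PROTO=TCP SPT=51235 DPT=22 SYN URGP=0
Nov  5 09:18:03 host kernel: SSH-IN: IN=eth0 OUT= SRC=192.168.1.40 DST=10.10.10.10 LEN=60 TTL=64 ID=9 DF PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
Nov  5 09:18:04 host kernel: SSH-IN: IN=eth0 OUT= SRC=192.168.1.50 DST=10.10.10.10 LEN=60 TTL=64 ID=4323 DF PROTO=TCP SPT=51236 DPT=22 SYN URGP=0
Nov  5 09:18:05 host kernel: eth0: link up'

printf '%s\n' "$SAMPLE_LOG" | summarize_ssh_log 'SSH-IN: '
```

On a live box, run `summarize_ssh_log 'SSH-IN: ' < /var/log/messages` after applying the rules; a source that tops the list with many attempts is a candidate for the REJECT/DROP rules shown earlier.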
