Debian - This forum is for the discussion of Debian Linux.
I set some iptables rules to jump to the LOG target to log some packets, but it seems not all the packets were logged. I mean the number of packets counted on the LOG rule does not match the kernel log.
Code:
iptables -vnL
pkts bytes target prot opt in out source destination
N X LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
Can anyone explain what the following iptables rule does?
Code:
iptables -A PREROUTING
iptables -A POSTROUTING
iptables -A FORWARD
I usually use INPUT and OUTPUT in my firewall script; what are PREROUTING, POSTROUTING and FORWARD for?
The following firewall script is only for a single network interface on a workstation/laptop. There are no FORWARD, PREROUTING or POSTROUTING chain rules. It is simple and easy to start with, but may not work with iptables version 1.3 or below.
Code:
IPTABLES="/sbin/iptables"
#IP6TABLES="/sbin/ip6tables"
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"
KKK="-m limit --limit 3/s --limit-burst 8"
OUT_IF=eth0
PHIGH="1024:65535"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Disable IP forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 16 > /proc/sys/net/ipv4/tcp_max_orphans
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# inside conf
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done
## can not write mc_forwarding operation not permitted
#for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done
##
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
#-------------------
# default policy
#-------------------
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
#-------------
# cleanup
#-------------
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
#$IPTABLES -t RH-Firewall -X
#####################
# define DROPLOG
#####################
$IPTABLES -N DROPLOG
$IPTABLES -A DROPLOG -j $LOG $KKK --log-prefix "DROP "
$IPTABLES -A DROPLOG -j DROP
$IPTABLES -A INPUT -p icmp -j DROP
$IPTABLES -A OUTPUT -p icmp -j DROP
$IPTABLES -A FORWARD -p icmp -j DROP
$IPTABLES -A INPUT -p sctp -j DROP
$IPTABLES -A OUTPUT -p sctp -j DROP
$IPTABLES -A FORWARD -p sctp -j DROP
$IPTABLES -A INPUT -p ah -j DROP
$IPTABLES -A OUTPUT -p ah -j DROP
$IPTABLES -A FORWARD -p ah -j DROP
$IPTABLES -A INPUT -p esp -j DROP
$IPTABLES -A OUTPUT -p esp -j DROP
$IPTABLES -A FORWARD -p esp -j DROP
$IPTABLES -A FORWARD -j DROPLOG
#$IPTABLES -A INPUT -p tcp -m state --state NEW,RELATED --tcp-flags ALL ACK -j DROP
#$IPTABLES -A OUTPUT -p tcp -m state --state NEW,RELATED --tcp-flags ALL ACK -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -j DROP
$IPTABLES -A OUTPUT -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ACK,PSH -m state --state RELATED -j DROP
#$IPTABLES -A OUTPUT -p tcp --tcp-flags ALL ACK,PSH -m state --state RELATED -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ACK,SYN -m state --state NEW,RELATED -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ACK,FIN -m state --state NEW,RELATED -j DROP
# negation goes before the option; multiport uses --ports / --dports
$IPTABLES -A INPUT -p tcp -m multiport ! --ports 80,443 -j DROPLOG
$IPTABLES -A INPUT -p udp -m multiport ! --ports 53 -j DROPLOG
$IPTABLES -A OUTPUT -p tcp -m multiport ! --dports 80,443 -j DROPLOG
$IPTABLES -A OUTPUT -p udp -m multiport ! --dports 53 -j DROPLOG
# drop invalid traffic
$IPTABLES -A INPUT -m state --state INVALID -j DROP
# $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
## for portscanner
#$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
#$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
## end of portscanner
## more anti spoof/scan
# 4. Xmas scan 3. NMAP fin scan
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ACK,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ACK,URG,FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,ACK,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL RST,ACK,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL RST,ACK,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL RST,ACK,PSH,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,ACK,PSH,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,FIN,ACK,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,URG SYN,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK NONE -j DROP
# drops every new inbound TCP connection, so the inbound tcp ACCEPT rules below never match
$IPTABLES -A INPUT -p tcp --syn -j DROP
## end of anti spoof
## reserved address
$IPTABLES -A INPUT -s 0.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 2.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 5.0.0.0 -j DROP
$IPTABLES -A INPUT -s 7.0.0.0 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0 -j DROP
##################################
# special
##################################
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# put this output after outbound below
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
##################################
# outbound connections allowed #
##################################
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
#$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
##################################
# inbound connections allowed #
##################################
$IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
##############################################
# explicitly log and reject everything else #
##############################################
$IPTABLES -A INPUT -j DROPLOG
$IPTABLES -A OUTPUT -j DROPLOG
$IPTABLES -A FORWARD -j DROPLOG
exit 0
FORWARD is used to control the flow of packets between interfaces. PREROUTING and POSTROUTING are available only to mangle and NAT tables. It takes place before all routing table processing (before the packet arrives and is processed, it goes to PREROUTING). POSTROUTING affects packets leaving the system. It happens after all other routing processing is done.
Iptables is a bit frustrating to learn because, not only are there a lot of complicated rules and combinations (I'm still very much learning), the documentation online is often dead wrong. There are a few sites I've found that explain things thoroughly and accurately, but don't have them bookmarked anymore. Tread lightly when learning about iptables. Don't be afraid to drop the tutorial you're using to search out another. That's my advice, anyways.
Quick example of FORWARD:
Let's say you have a Linux iptables box set up as your gateway. It is connected to the internet/WAN on eth0 and your LAN on eth1. If you have the FORWARD policy set to DROP (iptables -P FORWARD DROP) with nothing else in the FORWARD chain, the two interfaces will not be able to relay packets. What comes in to eth0 from the internet will not be allowed to be forwarded to the machines connected to eth1 and vice versa.
This rule basically does the following: In the NAT table, before the packet has been routed (PREROUTING), forward incoming port 4022 on the gateway/firewall to IP address 192.168.1.105, but send it to port 22 on that local IP, rather than 4022. I try to avoid public-facing port 22's. Too many people try to brute force it.
In order for the NAT to work on outbound, you then have to add a POSTROUTING rule:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Please note that these rules are extremely generic and not tailored that well. The iptables man pages have a pretty good explanation of Masquerade:
Code:
MASQUERADE
This target is only valid in the nat table, in the POSTROUTING chain.
It should only be used with dynamically assigned IP (dialup) connections:
if you have a static IP address, you should use the SNAT target.
Masquerading is equivalent to specifying a mapping to the IP address of
the interface the packet is going out, but also has the effect that
connections are forgotten when the interface goes down. This is the
correct behavior when the next dialup is unlikely to have the same
interface address (and hence any established connections are lost anyway).
It takes one option:
--to-ports port[-port]
This specifies a range of source ports to use, overriding the
default SNAT source port-selection heuristics (see above). This
is only valid if the rule also specifies -p tcp or -p udp.
--random
Randomize source port mapping If option --random is used then
port mapping will be randomized (kernel >= 2.6.21).
Last edited by countach74; 05-12-2011 at 09:38 AM.
Reason: Edited to include more information about FORWARD
PREROUTING and POSTROUTING are available only to mangle and NAT tables. It's hard to understand the details of these two tables, so I may forget about this for the moment.
I have the following in my firewall script to disable packet forwarding for IPv4:
Code:
echo 0 > /proc/sys/net/ipv4/ip_forward
My question is, does the above setting have anything to do with the FORWARD chain you are talking about? Did I mix up the concepts? Are they two different things?
IP Forwarding simply allows the interfaces to communicate to each other, as far as I know. While a "drop all" policy on the FORWARD chain will accomplish pretty much the same thing to my knowledge, it's not typically used for that. In order for the FORWARD chain to work properly, IP forwarding must be enabled.
If someone else knows more technical details, please by all means pipe in because I don't and would like to learn.
I heard that altering this value (ip_forward) resets all configuration parameters to their default values; specifically, RFC1122 for hosts and RFC1812 for routers.
What needs to be taken care of if I enable /proc/sys/net/ipv4/ip_forward? I have more than one network interface.
Also I found one interface known as sit0 when I ran ifconfig -a.
What was that interface? Ans: sit is used to set up a point-to-point tunnel. sit is an acronym for "simple internet transition" and is basically a device capable of encapsulating IPv6 in IPv4 datagrams.
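The gateway countach74 describes (eth0 to the WAN, eth1 to the LAN, WAN port 4022 forwarded to 192.168.1.105:22, MASQUERADE on the way out) together with the ip_forward point from the later posts, written out as one script. This is an added example, not code from the thread; the LAN range 192.168.1.0/24 is assumed, and IPTABLES/SYSCTL default to a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread). Defaults print the commands; run as
# root with IPTABLES=/sbin/iptables SYSCTL=/sbin/sysctl to apply them.
IPTABLES="${IPTABLES:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24      # assumed LAN range
SSH_HOST=192.168.1.105      # LAN host from countach74's example
PUB_PORT=4022               # public port that maps to $SSH_HOST:22

gateway_rules() {
    # The FORWARD chain only ever sees packets if the kernel is allowed to
    # route between interfaces; the sysctl and the chain are two different knobs.
    $SYSCTL -w net.ipv4.ip_forward=1

    # Default deny: with nothing else in FORWARD, eth0 and eth1 relay nothing.
    $IPTABLES -P FORWARD DROP

    # LAN hosts may open connections to the WAN; replies return via conntrack.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # nat PREROUTING runs before the routing decision, so rewriting the
    # destination here makes the kernel route the packet toward the LAN host.
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PUB_PORT" \
        -j DNAT --to-destination "$SSH_HOST:22"
    # The DNATed packet still traverses FORWARD and needs its own ACCEPT;
    # match on the rewritten destination (port 22), not on port 4022.
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SSH_HOST" \
        --dport 22 -m state --state NEW -j ACCEPT

    # nat POSTROUTING runs after routing: LAN traffic leaving on eth0 gets
    # the WAN interface address as its source (the thread's MASQUERADE rule).
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

gateway_rules
```

Only one FORWARD rule is needed per direction of new traffic; the ESTABLISHED,RELATED rule covers the replies for both the masqueraded and the port-forwarded connections.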