LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Debian
Old 08-20-2008, 08:20 AM   #1
fhleung
Member
 
Registered: Aug 2004
Distribution: Lubuntu Live OS
Posts: 432

Rep: Reputation: 30
netfilter.org -- iptables 1.4


Has anyone ever downloaded the new iptables source, then compiled and installed it successfully?
 
Old 08-20-2008, 11:08 AM   #2
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 55
Yes - I think everyone using Gentoo (unstable) has - why?
 
Old 08-21-2008, 10:00 AM   #3
fhleung
Member
 
Registered: Aug 2004
Distribution: Lubuntu Live OS
Posts: 432

Original Poster
Rep: Reputation: 30
I'm having problems compiling the source. Which version of the source did you change and make successfully?
 
Old 08-21-2008, 09:28 PM   #4
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 55
I run Gentoo on a Pentium M (i686)
gcc-4.3.1
kernel 2.6.26
iptables-version 1.4.1.1

configured with options:
Code:
./configure --prefix=/usr --host=i686-pc-linux-gnu \
  --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share \
  --sysconfdir=/etc --localstatedir=/var/lib --sbindir=/sbin \
  --libexecdir=/lib --without-kernel \
  --enable-devel --enable-libipq \
  --build=i686-pc-linux-gnu
no patches - I did not change anything - it compiles without any problem.

Last edited by jomen; 08-21-2008 at 09:29 PM.
 
Old 09-09-2008, 08:01 AM   #5
fhleung
Member
 
Registered: Aug 2004
Distribution: Lubuntu Live OS
Posts: 432

Original Poster
Rep: Reputation: 30
Iptables Log

I set some iptables rules that jump to the LOG target to log some packets. But it seems not all the packets were logged. I mean the number of LOG packets does not match the kernel log.

Code:
iptables -vnL
pkts bytes target     prot opt in     out     source               destination
   N     X LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0


Also, the following is from the kernel log /var/log/file:

DROP IN=ppp0 OUT= MAC= SRC= DST= LEN=90 TOS=0x00 PREC=0x00 TTL=115 ID=202 PROTO=UDP SPT=9602 DPT=8399 LEN=70

What if I want to check the LOGged packets in depth, like the content inside the packet at the bit level? How do I do this?
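The kernel-log line quoted above is the LOG target's key=value format, and it can be parsed and tallied to get a number to set beside the pkts column of iptables -vnL. This is an added example, not code from the thread; the log lines embedded in it are constructed samples in that format, with a made-up host name and documentation addresses.

```python
"""Tally iptables LOG-target lines per log prefix and protocol, so the
count can be checked against the pkts column of `iptables -vnL`."""
import re
from collections import Counter

# Optional syslog preamble up to "kernel:", then the --log-prefix text,
# then the key=value fields, which always start with IN=.
_LINE_RE = re.compile(r"^(?:.*kernel:\s*)?(?P<prefix>.*?)\s*(?P<fields>IN=.*)$")
# key=value tokens; the value may be empty (OUT= MAC= on a PPP link).
_KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines in the LOG target's format (not real logs).
SAMPLE_LOG = [
    "Sep  9 07:55:01 lap kernel: DROP IN=ppp0 OUT= MAC= SRC=203.0.113.9 "
    "DST=198.51.100.2 LEN=90 TOS=0x00 PREC=0x00 TTL=115 ID=202 PROTO=UDP "
    "SPT=9602 DPT=8399 LEN=70",
    "Sep  9 07:55:02 lap kernel: DROP IN=ppp0 OUT= MAC= SRC=203.0.113.9 "
    "DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=115 ID=203 PROTO=UDP "
    "SPT=9602 DPT=8399 LEN=40",
    "Sep  9 07:55:03 lap kernel: DROP IN=ppp0 OUT= MAC= SRC=203.0.113.77 "
    "DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP "
    "SPT=44310 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Sep  9 07:55:04 lap kernel: ppp0: link is up",   # not a LOG line
]

def parse_log_line(line):
    """Return the fields of one LOG line as a dict, or None for other lines.

    LEN= occurs twice for UDP/TCP (IP total length, then transport length),
    so the second occurrence is kept under LEN2 instead of overwriting LEN.
    """
    m = _LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = {"PREFIX": m.group("prefix").strip()}
    for key, val in _KV_RE.findall(m.group("fields")):
        if key in rec:
            key += "2"
        rec[key] = val
    return rec

def count_logged(lines):
    """Count LOG lines per (prefix, protocol); bare flags like DF/SYN are ignored."""
    tally = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None:
            tally[(rec["PREFIX"], rec.get("PROTO", "?"))] += 1
    return tally
```

The sum for a given prefix is the figure to compare with the pkts counter of the rule that carries that --log-prefix.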
 
Old 05-12-2011, 05:32 AM   #6
fhleung
Member
 
Registered: Aug 2004
Distribution: Lubuntu Live OS
Posts: 432

Original Poster
Rep: Reputation: 30
Can anyone explain what the following iptables rule does?

Code:
iptables -A PREROUTING
iptables -A POSTROUTING
iptables -A FORWARD
I usually use INPUT and OUTPUT in my firewall script. What are PREROUTING, POSTROUTING and FORWARD for?

The following firewall script is for a workstation/laptop with only a single network interface. There are no FORWARD, PREROUTING or POSTROUTING chains. It is simple and easy to start with, but may not work with iptables version 1.3 or below.
Code:
IPTABLES="/sbin/iptables"
#IP6TABLES="/sbin/ip6tables"
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"

KKK="-m limit --limit 3/s --limit-burst 8"


OUT_IF=eth0

PHIGH="1024:65535"


echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Disable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_forward

echo 16 > /proc/sys/net/ipv4/tcp_max_orphans
echo 1 > /proc/sys/net/ipv4/tcp_syncookies


# inside conf
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done

## can not write mc_forwarding  operation not permitted
#for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done
##

for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done

for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done


#-------------------
# default policy
#-------------------
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT

$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT



#-------------
# cleanup
#-------------

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z

#$IPTABLES -t RH-Firewall -X


#####################
# define DROPLOG
#####################
$IPTABLES -N DROPLOG
$IPTABLES -A DROPLOG -j $LOG $KKK --log-prefix "DROP "
$IPTABLES -A DROPLOG -j DROP
$IPTABLES -A INPUT -p icmp -j DROP
$IPTABLES -A OUTPUT -p icmp -j DROP
$IPTABLES -A FORWARD -p icmp -j DROP
$IPTABLES -A INPUT -p sctp -j DROP
$IPTABLES -A OUTPUT -p sctp -j DROP
$IPTABLES -A FORWARD -p sctp -j DROP
$IPTABLES -A INPUT -p ah -j DROP
$IPTABLES -A OUTPUT -p ah -j DROP
$IPTABLES -A FORWARD -p ah -j DROP
$IPTABLES -A INPUT -p esp -j DROP
$IPTABLES -A OUTPUT -p esp -j DROP
$IPTABLES -A FORWARD -p esp -j DROP
$IPTABLES -A FORWARD -j DROPLOG
#$IPTABLES -A INPUT -p tcp -m state --state NEW,RELATED --tcp-flags ALL ACK -j DROP
#$IPTABLES -A OUTPUT -p tcp -m state --state NEW,RELATED --tcp-flags ALL ACK -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -j DROP
$IPTABLES -A OUTPUT -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL ACK,PSH -m state --state RELATED -j DROP
#$IPTABLES -A OUTPUT -p tcp --tcp-flags ALL ACK,PSH -m state --state RELATED -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ACK,SYN -m state --state NEW,RELATED -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ACK,FIN -m state --state NEW,RELATED -j DROP

$IPTABLES -A INPUT -p tcp -m multiport --ports ! 80,443 -j DROPLOG
$IPTABLES -A INPUT -p udp -m multiport --ports ! 53 -j DROPLOG


$IPTABLES -A OUTPUT -p tcp -m multiport --dport ! 80,443 -j DROPLOG
$IPTABLES -A OUTPUT -p udp -m multiport --dport ! 53 -j DROPLOG

# drop invalid traffic
$IPTABLES -A INPUT -m state --state INVALID -j DROP
# $IPTABLES -A OUTPUT -m state --state INVALID -j DROP

## for portscanner
#$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
#$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
## end of portscanner

## more anti spoof/scan
# 4. Xmas scan   3. NMAP fin scan

$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL ACK,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ACK,URG,FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,ACK,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL RST,ACK,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL RST,ACK,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL RST,ACK,PSH,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,ACK,PSH,URG -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,FIN,ACK,URG -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,URG SYN,URG -j DROP


$IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP


$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK NONE -j DROP

$IPTABLES -A INPUT -p tcp --syn -j DROP

## end of anti spoof
## reserved address
## note: 5.0.0.0, 7.0.0.0 and 10.0.0.0 below carry no /8 mask, so each of
## those rules matches only that single host address, not the whole block
$IPTABLES -A INPUT -s 0.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 2.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 5.0.0.0 -j DROP
$IPTABLES -A INPUT -s 7.0.0.0 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0 -j DROP

##################################
#  special
##################################
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# put this output after outbound below
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
##################################
#  outbound connections allowed  #
##################################
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
#$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

##################################
#  inbound connections allowed   #
##################################
$IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT



##############################################
#  explicitly log and reject everything else #
##############################################

$IPTABLES -A INPUT -j DROPLOG
$IPTABLES -A OUTPUT -j DROPLOG
$IPTABLES -A FORWARD -j DROPLOG


exit 0
Reference: http://www.hermann-uwe.de/files/fw_laptop http://www.hermann-uwe.de/files/fw_blockall

Last edited by fhleung; 05-15-2011 at 10:00 PM.
 
Old 05-12-2011, 09:21 AM   #7
countach74
Member
 
Registered: Feb 2011
Distribution: Ubuntu 10.04, Debian Squeeze
Posts: 46

Rep: Reputation: 8
FORWARD is used to control the flow of packets between interfaces. PREROUTING and POSTROUTING are available only to mangle and NAT tables. It takes place before all routing table processing (before the packet arrives and is processed, it goes to PREROUTING). POSTROUTING affects packets leaving the system. It happens after all other routing processing is done.

Iptables is a bit frustrating to learn because, not only are there a lot of complicated rules and combinations (I'm still very much learning), the documentation online is often dead wrong. There are a few sites I've found that explain things thoroughly and accurately, but I don't have them bookmarked anymore. Tread lightly when learning about iptables. Don't be afraid to drop the tutorial you're using to search out another. That's my advice, anyways.

Quick example of FORWARD:

Let's say you have a Linux iptables box set up as your gateway. It is connected to the internet/WAN on eth0 and your LAN on eth1. If you have the FORWARD policy set to DROP (iptables -P FORWARD DROP) with nothing else in the FORWARD chain, the two interfaces will not be able to relay packets. What comes in to eth0 from the internet will not be allowed to be forwarded to the machines connected to eth1, and vice versa.

And an example PREROUTING:

iptables -t nat -A PREROUTING -p tcp --dport 4022 -j DNAT --to 192.168.1.105:22

This rule basically does the following: In the NAT table, before the packet has been routed (PREROUTING), forward incoming port 4022 on the gateway/firewall to IP address 192.168.1.105, but send it to port 22 on that local IP, rather than 4022. I try to avoid public-facing port 22's. Too many people try to brute force it.

In order for the NAT to work on outbound, you then have to add a POSTROUTING rule:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Please note that these rules are extremely generic and not tailored that well. The iptables man pages have a pretty good explanation of Masquerade:
Code:
   MASQUERADE
       This target is only valid in the nat table, in the POSTROUTING chain.
       It should only be used with dynamically assigned IP (dialup)
       connections: if you have a static IP address, you should use the SNAT
       target. Masquerading is equivalent to specifying a mapping to the IP
       address of the interface the packet is going out, but also has the
       effect that connections are forgotten when the interface goes down.
       This is the correct behavior when the next dialup is unlikely to have
       the same interface address (and hence any established connections are
       lost anyway). It takes one option:

       --to-ports port[-port]
              This specifies a range of source ports to use, overriding the
              default SNAT source port-selection heuristics (see above). This
              is only valid if the rule also specifies -p tcp or -p udp.

       --random
              Randomize source port mapping If option --random is used then
              port mapping will be randomized (kernel >= 2.6.21).

Last edited by countach74; 05-12-2011 at 09:38 AM. Reason: Edited to include more information about FORWARD
 
Old 05-13-2011, 09:56 PM   #8
fhleung
Member
 
Registered: Aug 2004
Distribution: Lubuntu Live OS
Posts: 432

Original Poster
Rep: Reputation: 30
First of all, thank you so much for the reply.

PREROUTING and POSTROUTING are available only to the mangle and NAT tables. It's hard to understand the details of these two tables, so I may forget about this for the moment.

I have the following in my firewall script to DISable packet forwarding for IPv4:
Code:
echo 0 > /proc/sys/net/ipv4/ip_forward
My question is, does the above setting have anything to do with the FORWARD chain you are talking about? Did I mix up the concepts, or are they two different things?
 
Old 05-13-2011, 11:28 PM   #9
countach74
Member
 
Registered: Feb 2011
Distribution: Ubuntu 10.04, Debian Squeeze
Posts: 46

Rep: Reputation: 8
IP forwarding simply allows the interfaces to communicate with each other, as far as I know. While a "drop all" policy on the FORWARD chain will accomplish pretty much the same thing to my knowledge, it's not typically used for that. In order for the FORWARD chain to work properly, IP forwarding must be enabled.

If someone else knows more technical details, please by all means pipe in because I don't and would like to learn.
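As an added illustration of the exchange above (not code from the thread or from any of its participants), here is a small Python model of the path a packet takes through the nat PREROUTING, filter FORWARD and nat POSTROUTING chains of the eth0/eth1 gateway countach74 described, showing what ip_forward=0 does as against a FORWARD policy of DROP. The gateway addresses 198.51.100.2 and 192.168.1.1, the LAN prefix 192.168.1.0/24 and the FORWARD accept rules are assumptions.

```python
from dataclasses import dataclass, field
WAN_ADDR, LAN_ADDR = "198.51.100.2", "192.168.1.1"  # assumed gateway addresses

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str
    out_if: str = ""
    trace: list = field(default_factory=list)  # chains the packet passed through

def nat_prerouting(pkt):
    # iptables -t nat -A PREROUTING -p tcp --dport 4022 -j DNAT --to 192.168.1.105:22
    pkt.trace.append("nat/PREROUTING")
    if pkt.dport == 4022:
        pkt.dst, pkt.dport = "192.168.1.105", 22

def routing_decision(pkt):
    # Taken after PREROUTING: deliver locally, or pick the output interface.
    if pkt.dst in (WAN_ADDR, LAN_ADDR):
        return "local"
    pkt.out_if = "eth1" if pkt.dst.startswith("192.168.1.") else "eth0"
    return "forward"

def nat_postrouting(pkt):
    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    pkt.trace.append("nat/POSTROUTING")
    if pkt.out_if == "eth0":
        pkt.src = WAN_ADDR  # only traffic leaving on eth0 is masqueraded

def traverse(pkt, ip_forward, forward_accept=()):
    # forward_accept: predicates standing in for ACCEPT rules in filter FORWARD (policy DROP).
    nat_prerouting(pkt)
    if routing_decision(pkt) == "local":
        pkt.trace.append("filter/INPUT")
        return "delivered locally"
    if not ip_forward:
        # ip_forward = 0: the kernel discards at the routing step; FORWARD is never consulted.
        return "dropped: ip_forward=0"
    pkt.trace.append("filter/FORWARD")
    if not any(rule(pkt) for rule in forward_accept):
        return "dropped: FORWARD policy DROP"
    nat_postrouting(pkt)
    return f"forwarded to {pkt.dst}:{pkt.dport} via {pkt.out_if}"

# ACCEPT rules a gateway needs in FORWARD besides the DNAT and MASQUERADE lines (assumed).
GATEWAY_FORWARD = (
    lambda p: p.in_if == "eth1" and p.out_if == "eth0",    # LAN -> WAN
    lambda p: p.dst == "192.168.1.105" and p.dport == 22,  # the DNAT'd SSH
)
```

Run the same DNAT'd packet three ways and the difference shows: with ip_forward=0 it never reaches FORWARD, with ip_forward=1 and an empty FORWARD chain the policy drops it, and only with an ACCEPT rule does it go out on eth1 (unmasqueraded, since MASQUERADE is tied to -o eth0).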
 
Old 05-15-2011, 11:40 PM   #10
fhleung
Member
 
Registered: Aug 2004
Distribution: Lubuntu Live OS
Posts: 432

Original Poster
Rep: Reputation: 30
I heard that altering this value (ip_forward) resets all configuration parameters to their default values; specifically, RFC1122 for hosts and RFC1812 for routers.

What needs to be taken care of if I enable /proc/sys/net/ipv4/ip_forward? I have more than one network interface.

Also, I found one interface known as sit0 when I run ifconfig -a.
What is that interface? Ans: sit is used to set up a point-to-point tunnel. sit is an acronym for "simple internet transition" and is basically a device capable of encapsulating IPv6 in IPv4 datagrams.

Last edited by fhleung; 05-16-2011 at 03:53 AM.
 
  

