What is IPTables and how to use it: full tutorial



IPTABLES is the tool for configuring packet filtering: with it you can inspect each packet's headers and decide what happens to the packet. It is not the only way to control this filtering; the older ipfwadm and ipchains exist as well. It is important to note that on GNU/Linux the packet filtering itself is built into the kernel; iptables only configures it.

Most distributions ship with it enabled, either as a module or compiled directly into the kernel, so there is nothing to install before configuring your system as described in this article.

As described on Wikipedia:

iptables requires elevated privileges to operate and must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man pages which can be opened using man iptables when installed. It may also be found in /sbin/iptables, but since iptables is more like a service rather than an “essential binary”, the preferred location remains /usr/sbin.

The term iptables is also commonly used to inclusively refer to the kernel-level components. x_tables is the name of the kernel module carrying the shared code portion used by all four modules that also provides the API used for extensions; subsequently, Xtables is more or less used to refer to the entire firewall (v4, v6, arp, and eb) architecture.

STEP BY STEP

#!/bin/sh
# Firewall init script: save it as /etc/init.d/firewall and run it as root.
case "$1" in
start)

# Clear all rules and delete user-defined chains in the filter table
iptables -t filter -F
iptables -t filter -X

# Ignore ICMP echo requests sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Do not accept ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Do not send ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# Log packets with impossible source addresses ("martians", usually the result of wrong routes)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Enable IPv4 forwarding (required for NAT)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Accept SSH
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

# Do not break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Block all connections by default: anything not explicitly accepted is dropped
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# IP spoofing protection (reverse path filtering)
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo "Subindo proteção contra ip spoofing : [OK]"

# Disable IPv4 forwarding. This undoes the ip_forward=1 setting above, so keep
# only one of the two depending on whether this host does NAT.
echo 0 > /proc/sys/net/ipv4/ip_forward

# SYN flood protection: new connections above 10/second (burst 50) are logged and dropped
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
iptables -A syn-flood -j DROP
# Send new TCP connections through the chain. Rules are matched in order, so the
# SSH ACCEPT rule above is hit first; move this jump earlier if SSH should be covered too.
iptables -A INPUT -p tcp --syn -j syn-flood

# Loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# Drop connection scans: addresses on the "scan" list seen 3 or more times within 600 s.
# LOG comes before DROP; a DROP ends rule traversal, so a LOG placed after it never fires.
# Note: --update only matches addresses already on the list; a rule using
# "-m recent --name scan --set" is needed elsewhere to add them.
iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j LOG --log-level info --log-prefix "Scan recent "
iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j DROP

# Drop incoming TCP packets with invalid flag combinations (log first, then drop)
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected "
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected "
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "Packages SYN Detected "
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# The same check for outgoing TCP packets
iptables -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected "
iptables -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected "
iptables -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "Packages SYN Detected "
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Make sure new connections start with a SYN packet; drop anything else
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Drop incoming fragments (fragment attacks can cause data loss)
iptables -A INPUT -f -j LOG --log-level info --log-prefix "Packages fragmented entries "
iptables -A INPUT -f -j DROP

# Drop malformed XMAS packets (all TCP flags set)
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-level info --log-prefix "malformed XMAS packets "
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# DNS in/out (the INPUT rules are only needed if this host runs a DNS server)
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

# NTP out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

# WHOIS out
iptables -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT

# FTP out (control and data ports, plus a passive-mode port range)
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT

# FTP in
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# HTTP + HTTPS out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

# HTTP + HTTPS in
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

# Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

# Reverse (port 77)
iptables -t filter -A INPUT -p tcp --dport 77 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 77 -j ACCEPT

# MSF (port 7337)
iptables -t filter -A INPUT -p tcp --dport 7337 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 7337 -j ACCEPT

#######################################

# Logging of dropped packets: log whatever reaches the end of INPUT (it is then
# dropped by the DROP policy), rate-limited so the log cannot be flooded.
# The LOG target writes to the kernel log, not to a file: read it with dmesg or
# from /var/log/messages, or route the prefixed lines to /var/log/firewall with a syslog rule.
iptables -A INPUT -p icmp -m limit --limit 1/s -j LOG --log-level info --log-prefix "ICMP Dropped "
iptables -A INPUT -p tcp -m limit --limit 1/s -j LOG --log-level info --log-prefix "TCP Dropped "
iptables -A INPUT -p udp -m limit --limit 1/s -j LOG --log-level info --log-prefix "UDP Dropped "
iptables -A INPUT -f -m limit --limit 1/s -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
iptables -A INPUT -m limit --limit 1/minute --limit-burst 3 -j LOG --log-level debug --log-prefix "IPT INPUT packet died: "
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level debug --log-prefix "IPT INPUT packet died: "
exit 0
;;

stop)
echo "turning off the firewall"
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t filter -F
iptables -t filter -X
exit 0
;;

restart)
/etc/init.d/firewall stop
/etc/init.d/firewall start
;;

*)
echo "Use: /etc/init.d/firewall {start|stop|restart}"
exit 1
;;
esac
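Several blocks in the script log and drop the same packets, and the order of the two rules decides whether the log entry ever appears: a DROP ends rule traversal, so a LOG rule with an identical chain and match placed after it never fires. The following script is an added example, not part of the original tutorial, that lints a rule file for exactly that pattern. It compares the text before "-j" of every LOG rule with earlier DROP rules, so "-A INPUT -f" and "-t filter -A INPUT -f" count as different keys; the sample rules and the function names are my own.

```shell
#!/bin/sh
# Lint an iptables rule script for LOG rules that can never fire. A DROP ends
# rule traversal for the packet, so a LOG rule whose chain and match text are
# identical to an earlier DROP rule is shadowed and never logs anything.
# (Example code added to this tutorial; function names are my own.)

# Constructed sample: the first pair is in the shadowing order (DROP, then
# LOG), the second pair is in the working order (LOG, then DROP).
sample_rules() {
cat <<'EOF'
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "malformed XMAS packets "
iptables -A INPUT -f -j LOG --log-prefix "Packages fragmented entries "
iptables -A INPUT -f -j DROP
EOF
}

# Reads rules on stdin and prints one line per shadowed LOG rule.
# Matching is textual: "iptables -A INPUT -f" and "iptables -t filter -A INPUT -f"
# are different keys even though they mean the same thing.
find_shadowed_log() {
    awk '
    /^iptables / && / -j (DROP|LOG)/ {
        j = index($0, " -j ")
        key = substr($0, 1, j - 1)      # chain plus match, e.g. "iptables -A INPUT -f"
        target = substr($0, j + 4)      # "DROP" or "LOG --log-prefix ..."
        if (target ~ /^DROP/) {
            drop_line[key] = NR
        } else if (key in drop_line) {
            printf "line %d: LOG rule is unreachable, shadowed by DROP at line %d\n", NR, drop_line[key]
        }
    }'
}

# Usage on a real rule file: find_shadowed_log < /etc/init.d/firewall
# Run "sh this_script.sh demo" to lint the constructed sample above.
if [ "${1:-}" = "demo" ]; then
    sample_rules | find_shadowed_log
fi
```

Run it over the firewall script before loading it; an empty output means every LOG rule sits in front of its DROP.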

Logs:
The LOG rules write to the kernel log. With a default syslog configuration these lines end up in /var/log/messages; a syslog filter on the --log-prefix strings can route them to a dedicated file such as /var/log/firewall.

COMMANDS TO MONITOR LOGS:
tail -f /var/log/messages
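Tailing the log shows raw lines; to act on them it helps to group the entries by --log-prefix and source address. The following shell functions are an added example and not part of the tutorial: summarize_drops counts kernel-log lines per prefix and SRC, and ports_probed lists the destination ports one source hit (many distinct ports from one address is the signature of a scan). It assumes the standard LOG line layout (prefix, then IN=... SRC=... DPT=...) and that every prefix ends with a space; the sample lines are constructed and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Summarize iptables LOG output by --log-prefix and source address.
# (Example code added to this tutorial; function names are my own.)
# Assumes the standard LOG line layout "<prefix>IN=... OUT=... SRC=... DPT=..."
# and that every prefix ends with a space, so " IN=" marks where it stops.

# Constructed sample kernel-log lines (addresses from the RFC 5737 documentation ranges).
sample_log() {
cat <<'EOF'
Mar  3 10:15:02 fw kernel: TCP Dropped IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=23 SYN
Mar  3 10:15:03 fw kernel: [ 4201.117] TCP Dropped IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=3389 SYN
Mar  3 10:15:04 fw kernel: TCP Dropped IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51236 DPT=445 SYN
Mar  3 10:15:09 fw kernel: UDP Dropped IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=78 PROTO=UDP SPT=5060 DPT=5060
Mar  3 10:15:10 fw kernel: Scan recent IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40000 DPT=22 SYN
Mar  3 10:15:11 fw kernel: Scan recent IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40001 DPT=22 SYN
EOF
}

# Reads log lines on stdin; prints "count<TAB>prefix<TAB>src", most frequent first.
summarize_drops() {
    awk '
    {
        s = index($0, "kernel: "); e = index($0, " IN=")
        if (s == 0 || e == 0) next
        prefix = substr($0, s + 8, e - s - 8)
        sub(/^\[[^]]*\] */, "", prefix)      # strip an optional "[uptime] " stamp
        src = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
        if (src == "") next
        count[prefix "\t" src]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -k1,1nr -k2
}

# Reads log lines on stdin; prints the distinct destination ports hit by one
# source, ascending, on a single line.
ports_probed() {
    awk -v want="$1" '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == want && dpt != "" && !(dpt in seen)) { seen[dpt] = 1; print dpt }
    }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Usage on a live system: dmesg | summarize_drops   or   journalctl -k | summarize_drops
# Run "sh this_script.sh demo" to process the constructed sample above.
if [ "${1:-}" = "demo" ]; then
    sample_log | summarize_drops
    sample_log | ports_probed 203.0.113.5
fi
```

On the sample, summarize_drops ranks 203.0.113.5 first with three "TCP Dropped" hits, and ports_probed shows it touched ports 23, 445 and 3389, which is the kind of pattern the "recent" list in the script is meant to catch.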

Save the script as /etc/init.d/firewall and make it executable (chmod +x).

Make sure unknown and unauthorized connections are blocked. You can specify which network protocols and services the host provides, and control packets coming from any untrusted service.