iptables firewall notes, Notes on Network Systems

iptables firewall notes, usage and syntax

Type: Notes

2022/2023

Uploaded on 11/05/2023

manuel-tentori

Iptables

Commands

iptables -COMMAND CHAIN_NAME matches -j TARGET

Table            | Command          | CHAIN        | matches          | Target/Jump
filter (default) | -A (append)      | INPUT        | -s source_ip     | ACCEPT
nat              | -I (insert)      | OUTPUT       | -d dest_ip       | DROP
mangle           | -D (delete)      | FORWARD      | -p protocol      | REJECT
                 | -R (replace)     | PREROUTING   | --sport source_p | LOG
                 | -F (flush)       | POSTROUTING  | --dport dest_p   | SNAT
                 | -Z (zero)        | USER_DEFINED | -i incoming_int  | DNAT
                 | -L (list)        |              | -o outgoing_int  | MASQUERADE
                 | -S (show)        |              | -m mac           | LIMIT
                 | -N (new chain)   |              | -m time          | RETURN
                 | -X (delete chain)|              | -m quota         | TEE
                 |                  |              | -m limit         | TOS
                 |                  |              | -m recent        | TTL

examples

# -A -> appends a rule at the end of the CHAIN
iptables -A OUTPUT -p tcp --dport 443 -j DROP
# -I -> inserts a rule on top (1st position) of the CHAIN
iptables -I OUTPUT -p tcp --dport 443 -d www.linux.com -j ACCEPT


-F -> flushes the CHAIN

iptables -t filter -F OUTPUT

-Z -> zeroises the packet and byte counters

iptables -t filter -Z

-D -> deletes a rule

iptables -D OUTPUT 2

-P -> sets the default POLICY

iptables -P INPUT ACCEPT

-N -> creates a user-defined CHAIN

iptables -N TCP_TRAFFIC

-X -> delete a user-defined CHAIN

iptables -X TCP_TRAFFIC

Structure of commands

Chains

  1. INPUT: filter incoming packets (ex. incoming requests, such as ping or ssh);
  2. OUTPUT: filter outgoing packets (ex. outgoing requests, block visibility of a website);
  3. FORWARD: filter routed packets;
  4. PREROUTING: port forwarding;
  5. POSTROUTING: masquerade.

Tables

  1. filter: default table (INPUT, OUTPUT and FORWARD);
  2. nat: for port forwarding (PREROUTING, POSTROUTING and OUTPUT);
  3. mangle: packet alteration (ex. modify header fields such as time to live (TTL) or type of service) (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING);
  4. raw: mark packets that should not be handled by the connection tracking system (PREROUTING and OUTPUT).

Listing rules

listing all CHAINS of a table (-v verbose, -n numeric addresses and ports)

iptables -t nat -vnL

listing just a CHAIN

iptables -t nat -vnL POSTROUTING

Setting Policy

Policy can be changed only for the INPUT, OUTPUT and FORWARD chains, using the -P option.

By default the POLICY is ACCEPT on all CHAINS.

!!! If there is no rule that accepts packets and the policy is set to DROP, all traffic will be dropped.

Change the default policy with caution!

Setting the DROP Policy on FORWARD chain

iptables -P FORWARD DROP

Setting the ACCEPT Policy on OUTPUT chain

iptables -P OUTPUT ACCEPT

Setting the DROP Policy on INPUT chain

iptables -P INPUT DROP

Deleting Firewall

Delete all rules in chains and flush all tables from all chains.

#1. Set the ACCEPT POLICY on all CHAINS
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#2. Flush all tables from all CHAINS
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F

#3. Delete user-defined CHAINS (if there are any)
iptables -X

Matches

Filter by IP or NET

Match by Source IP or Network Address
Match: -s IP
Example: iptables -A INPUT -s 100.0.0.0/16 -j DROP

Match by Destination IP or Network Address
Match: -d IP
Example: iptables -A OUTPUT -d www.ubuntu.com -j DROP

flushing the firewall

iptables -F

dropping all traffic from 100.0.0.

iptables -A INPUT -s 100.0.0.1 -j DROP

accepting all ssh traffic from network 80.0.0.0/

iptables -A INPUT -s 80.0.0.0/16 -p tcp --dport 22 -j ACCEPT

dropping all outgoing HTTPS traffic to www.ubuntu.com (dns traffic must be permitted)

iptables -A OUTPUT -p tcp --dport 443 -d www.ubuntu.com -j DROP

Filter by IP Range

Match by Source IP Range
Match: -m iprange --src-range ip_start-ip_end

Match by Destination IP Range
Match: -m iprange --dst-range ip_start-ip_end

Negating Matches

dropping all incoming ssh traffic except packets from 100.0.0.1 (management station)

iptables -A INPUT -p tcp --dport 22 ! -s 100.0.0.1 -j DROP

dropping all outgoing https traffic except to www.linux.com

iptables -A OUTPUT -p tcp --dport 443 ! -d www.linux.com -j DROP

dropping all communication except that with the default gateway (mac is b4:6d:83:77:85:f4)

iptables -A INPUT -m mac ! --mac-source b4:6d:83:77:85:f4 -j DROP

TODO: TARGET CONNTRACK FILTER BY INTERFACE
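Putting the policy warning and the management-station negation rule together, here is an added example (not from the original notes) of bringing INPUT to a DROP policy in the safe order: policy back to ACCEPT, flush, append the accept rules, and only then set DROP. It assumes 100.0.0.1 is the management station, eth0 is a hypothetical external interface, and it uses the conntrack match, which the notes only list as a TODO; IPTABLES=dry makes it a dry run that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original notes: bring the INPUT chain to a
# DROP policy without locking yourself out. Accept rules go in first,
# the policy change comes last. Set IPTABLES=dry for a dry run.
MGMT_IP=${MGMT_IP:-100.0.0.1}   # management station (value from the notes)
WAN_IF=${WAN_IF:-eth0}          # hypothetical external interface

# dry prints the rule that would be applied instead of running iptables
dry() { printf '%s\n' "$*"; }
ipt() { ${IPTABLES:-iptables} "$@"; }

# Step 1: policy back to ACCEPT before flushing, so an empty chain with a
# DROP policy never exists, not even for a moment.
reset_input() {
    ipt -P INPUT ACCEPT
    ipt -F INPUT                  # -F with a chain name flushes only INPUT
}

# Step 2: accept rules, appended with -A, so they are checked in this order.
allow_input() {
    ipt -A INPUT -i lo -j ACCEPT  # loopback
    # replies to connections this host opened (conntrack match is standard
    # iptables; the notes leave it as a TODO)
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ssh only from the management station, on the external interface
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 -s "$MGMT_IP" -j ACCEPT
    # negated match: log, then drop, ssh from anywhere else
    ipt -A INPUT -p tcp --dport 22 ! -s "$MGMT_IP" -j LOG --log-prefix "ssh-denied: "
    ipt -A INPUT -p tcp --dport 22 ! -s "$MGMT_IP" -j DROP
}

# Step 3: only now flip the policy; packets matched above are unaffected.
lock_input() {
    ipt -P INPUT DROP
}

apply_input_firewall() {
    reset_input
    allow_input
    lock_input
}

# count_rules prints how many -A rules a dry run would add (a way to check
# the script without touching the live firewall).
count_rules() {
    (IPTABLES=dry; apply_input_firewall) | grep -c -- '^-A '
}
```

Run `apply_input_firewall` as root to apply it, or `IPTABLES=dry apply_input_firewall` to review the rule list first.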