################################ Iptables ###################################
******************** Note: the following targets are used by iptables. ************************
ACCEPT : iptables stops further processing of the packet in the current chain.
The packet is handed over to the end application or the operating system for processing
DROP : iptables stops further processing.
The packet is silently discarded; the sender gets no reply at all
LOG : The packet information is written to the kernel log (see dmesg; syslog usually files it under /var/log/messages or /var/log/kern.log)
iptables continues processing with the next rule in the chain
As one rule can't log and drop at the same time, it is common to have two similar rules in sequence. The first logs the packet, the second drops it.
Rate-limit the LOG rule (-m limit) so that an attacker can't fill your logs.
REJECT : Works like the DROP target, but also returns an error message to the host sending the packet (an ICMP error by default, or a TCP reset with --reject-with tcp-reset) telling it the packet was blocked
DNAT : Used to do destination network address translation, i.e. rewriting the destination IP address (and optionally the port) of the packet. Only valid in the nat table
SNAT : Used to do source network address translation, rewriting the source IP address of the packet
The source IP address is user defined (--to-source); use it when the firewall has a static address
MASQUERADE : Used to do source network address translation without naming an address.
The source IP address is taken from the outgoing interface at the time the packet leaves, so it suits interfaces with a dynamic (DHCP or PPP) address
*********** built-in chains in iptables (a table is made up of chains; these are the ones you will use most) ************************************
FORWARD : Filters packets routed through the firewall to hosts reachable via another NIC (filter table).
INPUT : Filters packets destined to the firewall itself (filter table).
OUTPUT : Filters packets originating from the firewall (filter table).
PREROUTING : Address translation occurs before the routing decision, so the rewritten destination IP address is what the firewall's routing table sees (nat table).
Used with NAT of the destination IP address, also known as destination NAT or DNAT.
POSTROUTING : Address translation occurs after the routing decision. The destination IP address has already been used for routing, so it is not modified as in pre-routing (nat table).
Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT (MASQUERADE is the variant for dynamic addresses).
********************************** iptables command switches *************************************
-t <table> If you don't specify a table, the filter table is assumed. As discussed before, the built-in tables include: filter, nat, mangle (plus raw and security)
-j <target> Jump to the specified target (ACCEPT, DROP, LOG, ...) or user-defined chain when the packet matches the current rule.
-A <chain> Append rule to end of a chain. -I <chain> [n] inserts at the top (or at position n); order matters, the first matching terminating rule wins
-F [chain] Flush. Deletes all the rules in the selected chain, or in every chain of the table if no chain is given
-p <protocol-type> Match protocol. Types include icmp, tcp, udp, and all
-s <ip-address>[/prefix] Match source IP address or network (without a prefix length a single host is matched)
-d <ip-address>[/prefix] Match destination IP address or network
-i <interface-name> Match "input" interface on which the packet enters (only in INPUT, FORWARD and PREROUTING).
-o <interface-name> Match "output" interface on which the packet exits (only in OUTPUT, FORWARD and POSTROUTING).
-p tcp --sport <port> TCP source port. Can be a single value or a range in the format: start-port:end-port
-p tcp --dport <port> TCP destination port. Can be a single value or a range in the format: start-port:end-port
-p tcp --syn Used to identify a new TCP connection request (SYN set, ACK/RST/FIN clear). ! --syn means not a new connection request
-p udp --sport <port> UDP source port. Can be a single value or a range in the format: start-port:end-port
-p udp --dport <port> UDP destination port. Can be a single value or a range in the format: start-port:end-port
******** commands to save and restore your rules (rules live in kernel memory and are lost on reboot) ************
iptables-save > firewall-config // dumps every table in the format iptables-restore understands
iptables-restore < firewall-config // atomically replaces the running rules with the saved ones
service iptables save // RHEL/CentOS 6 style: writes /etc/sysconfig/iptables, which the iptables service reloads at boot
################# Basic command of iptables #################################
iptables -P INPUT DROP // set default policy to DROP (applies to packets no rule matches)
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Warning: on a remote box, add the rules that keep your SSH session alive (at least -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT plus a rule for the SSH port) before setting INPUT to DROP, or you lock yourself out.
iptables -F // flush all rules in all chains of the filter table (the policy stays DROP, so in a script run -F before -P, not after)
iptables -X // delete all user-defined chains (they must be empty, so run -F first; built-in chains can't be deleted)
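Added example, not code from the original post: a complete ruleset in the iptables-restore format that iptables-save produces, combining the default-DROP policies above with the LOG-then-DROP rule pair from the targets note, plus a helper that applies it with a timed rollback so a wrong rule on a remote host does not lock you out. The WAN interface, SSH port and admin network are assumptions passed as parameters, and the /run/ipt-*.rules scratch paths are assumptions too.

```sh
#!/bin/sh
# Added example, not code from the original post. Builds a default-DROP ruleset
# in iptables-restore format and applies it with a timed rollback.
# Assumptions: WAN interface, SSH port and admin network given as arguments,
# and the /run/ipt-*.rules scratch paths.
#
# Usage: gen_ruleset eth0 22 203.0.113.0/24 | sudo iptables-restore --test
#        apply_with_rollback 60 gen_ruleset eth0 22 203.0.113.0/24

# Print the ruleset to stdout. Lines starting with '#' are ignored by iptables-restore.
gen_ruleset() {
    wan_if=$1; ssh_port=$2; admin_net=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# loopback, and replies to connections this host already has
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new SSH connections (SYN only) from the admin network on the WAN interface
-A INPUT -i $wan_if -p tcp --syn --dport $ssh_port -s $admin_net -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# everything else goes to LOGDROP: LOG is non-terminating, so DROP must follow it
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "IPT-DROP: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Apply the ruleset produced by "$@" and bring the previous rules back after $1
# seconds unless the rollback is cancelled. If your SSH session survives, cancel with:
#   kill "$(cat /run/ipt-rollback.pid)"
apply_with_rollback() {
    secs=$1; shift
    iptables-save > /run/ipt-before.rules || return 1
    "$@" > /run/ipt-new.rules || return 1
    iptables-restore --test < /run/ipt-new.rules || return 1   # parse only, no commit
    iptables-restore < /run/ipt-new.rules || return 1
    ( sleep "$secs" && iptables-restore < /run/ipt-before.rules ) &
    echo $! > /run/ipt-rollback.pid
    echo "rollback armed: old rules return in ${secs}s unless pid $(cat /run/ipt-rollback.pid) is killed"
}
```

OUTPUT is left at ACCEPT here on purpose; if you set it to DROP as in the commands above, you also need egress rules (at least ESTABLISHED,RELATED and DNS) or the host cannot even resolve names. The whole file is loaded atomically by iptables-restore, which avoids the window where the policy is already DROP but the ACCEPT rules are not yet in place.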
##############Type the following command to list the current rules in the tables###########
iptables -L -n // lists the filter table; -n skips DNS and port-name lookups (faster, and the firewall sends no DNS queries)
iptables -L -n -v // -v adds packet and byte counters and the in/out interfaces
iptables -L chain-name -n -v
iptables -L spamips -n -v // e.g. a user-defined chain named spamips
Only the filter table is shown unless you add -t nat (or -t mangle).
############ To display line number along with other information, enter ############
iptables -L INPUT -n --line-numbers
iptables -L OUTPUT -n --line-numbers
iptables -L OUTPUT -n --line-numbers | less
Note: You will get the numbered list of rules in the chain (for example all blocked IPs). Look at the number on the left, then use that number to delete the rule. For example, to delete rule number 10 from INPUT:
iptables -D INPUT 10
Rules after the deleted one are renumbered, so when deleting several, delete the highest number first or re-list between deletions.
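Added example, not code from the original post: a small script that finds the rule numbers for a given source address in the output of iptables -L <chain> -n --line-numbers and prints the matching iptables -D commands, highest number first, because deleting a rule renumbers the ones after it. The listing below is a constructed sample, and the field positions assume the -n listing without -v (with -v the pkts/bytes/in/out columns shift everything).

```sh
#!/bin/sh
# Added example, not code from the original post. Finds which rule numbers in a
# chain match a given source IP in "iptables -L <chain> -n --line-numbers" output
# and prints the delete commands highest-number-first.
#
# Usage: iptables -L INPUT -n --line-numbers | rule_nums_for_source 10.0.0.5
#        delete_cmds INPUT 10.0.0.5 "$(iptables -L INPUT -n --line-numbers)"

# Reads a listing on stdin; prints matching rule numbers, one per line, descending.
# Columns without -v are: num target prot opt source destination [extra...]
rule_nums_for_source() {
    awk -v ip="$1" '
        # data rows start with the rule number; header rows do not.
        # $5 == ip is an exact field compare, so 10.0.0.5 does not match 10.0.0.50
        $1 ~ /^[0-9]+$/ && $5 == ip { print $1 }
    ' | sort -rn
}

# Prints "iptables -D <chain> <n>" for every rule in <chain> whose source is <ip>.
delete_cmds() {
    chain=$1; ip=$2; listing=$3
    printf '%s\n' "$listing" | rule_nums_for_source "$ip" |
        while read -r n; do printf 'iptables -D %s %s\n' "$chain" "$n"; done
}

# Constructed sample of what "iptables -L INPUT -n --line-numbers" prints.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2    DROP       all  --  10.0.0.5             0.0.0.0/0
3    DROP       tcp  --  10.0.0.50            0.0.0.0/0            tcp dpt:22
4    DROP       tcp  --  10.0.0.5             0.0.0.0/0            tcp dpt:22'
```

Pipe the output into sh only after reading it; if you delete rule 2 before rule 4, the rule that used to be number 4 becomes number 3 and you remove the wrong one.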
###### HOW to block particular port for particular IP #####################
iptables -A INPUT -p tcp -s <ip-address> --dport 22 -j DROP
Because -A appends, this rule has no effect if an earlier rule already ACCEPTs the traffic; use -I INPUT instead to put it first.
###############how to block particular port for all #############
iptables -A INPUT -p tcp --dport 22 -j DROP
###How to redirect network traffic from particular ports to a particular port and ip address################
iptables -t nat -A PREROUTING -d 192.168.194.0/24 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.194.145:3128
-d without a prefix length matches only the single host 192.168.194.0; /24 matches the whole subnet. The DNAT'ed packets are then routed, so net.ipv4.ip_forward must be 1 and the FORWARD chain (policy DROP above) must ACCEPT them, otherwise the redirect silently fails.
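Added example, not code from the original post: a script that emits every command the redirect above needs (forwarding sysctl, the nat rule, the FORWARD rules) and first checks the two inputs the one-liner takes on trust: the network must carry a prefix length, and every port must be in range. Network, port list, proxy address and interface are parameters, and the values in the usage line are examples only. The example goes slightly beyond the page by accepting -s as well as -d, since redirecting what LAN clients send (transparent proxying) is the usual reason to DNAT to port 3128.

```sh
#!/bin/sh
# Added example, not code from the original post. Emits the commands for a
# PREROUTING DNAT redirect after validating the network and port list.
# Parameters are assumptions: match flag, CIDR, ports, proxy IP, proxy port, LAN interface.
#
# Usage: redirect_rules -d 192.168.194.0/24 80,443 192.168.194.145 3128 eth1 | sudo sh
#        (use -s to redirect what LAN clients send, i.e. transparent proxying)

# True if $1 looks like a.b.c.d/n with octets 0-255 and prefix 0-32.
# A bare 192.168.194.0 is rejected: without a prefix it matches one host, not the subnet.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    printf '%s\n' "$1" | awk -F'[./]' '
        NF == 5 && $5 ~ /^[0-9]+$/ && $5 <= 32 {
            for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# True if every comma-separated port is 1-65535 (multiport ranges a:b are not accepted here).
valid_ports() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk '$0 !~ /^[0-9]+$/ || $0 < 1 || $0 > 65535 { bad = 1 } END { exit bad }'
}

# redirect_rules <-s|-d> <cidr> <ports> <proxy-ip> <proxy-port> <lan-if>
redirect_rules() {
    flag=$1; net=$2; ports=$3; proxy=$4; pport=$5; lan_if=$6
    case $flag in -s|-d) ;; *) echo "match flag must be -s or -d" >&2; return 1 ;; esac
    valid_cidr "$net"    || { echo "bad network '$net': need a.b.c.d/n" >&2; return 1; }
    valid_ports "$ports" || { echo "bad port list '$ports'" >&2; return 1; }
    cat <<EOF
# DNAT'ed packets are routed, so forwarding must be on
sysctl -w net.ipv4.ip_forward=1
# rewrite the destination before the routing decision (nat table, PREROUTING)
iptables -t nat -A PREROUTING -i $lan_if $flag $net -p tcp -m multiport --dports $ports -j DNAT --to-destination $proxy:$pport
# the rewritten packets still traverse FORWARD, which the page sets to DROP by default
iptables -A FORWARD -i $lan_if -p tcp -d $proxy --dport $pport -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}
```

Conntrack reverses the translation on the replies, so no matching SNAT is needed for return traffic. When matching with -s and the proxy sits inside the same network, insert a nat PREROUTING rule with -s <proxy-ip> -j RETURN ahead of this one, or the proxy's own outbound 80/443 traffic gets redirected back to itself.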