IPTables Explained : Part 1 (a tutorial to UNDERSTANDING and CREATING your own rules)
CREATING:
Now that we understand what is going on inside IPTables, let’s start with creating the script. Create a new file called iptables.sh and fill in the following:
#!/bin/sh
# variables first!
ipt="/sbin/iptables"
std_ports="22,80,443"
lan="10.0.0.0/24,192.168.0.0/24"
any="0.0.0.0/0"
As you can see, we start with a standard shell script header and then define 4 variables: ipt, std_ports, lan and any. The ipt variable is more of a convenience than anything else: it lets us start each line that will be added to IPTables with $ipt instead of typing /sbin/iptables. The second variable, std_ports, is a list of the ports we consider “standard access” in our example: SSH, HTTP (www) and HTTPS (SSL www). The lan and any variables are networks; as with the port list, you can give several of them separated by commas.
Now follows the first “real” thing. We want to clear out any old rules before we apply our own. To do that we add these 3 lines:
$ipt -F
$ipt -Z
$ipt -X
This does 3 things: it will FLUSH (-F) all rules from the standard chains, one by one; ZERO (-Z) the packet and byte counters of all standard chains; and ERASE (-X) all user-created chains.
So now we have a clean slate and we can actually start making our own policies and rules. First up, the policies. These are set by giving -P, then the chain, then the default action, after the ipt command:
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
By default we want to deny all traffic that comes TO this machine, drop all traffic destined for OTHER machines and accept traffic coming FROM this machine. This means that if no rule matches a packet that comes to or through this machine, it will be dropped.
Now that the policies are set we are ready to create our first chain.
Our first chain that we will create is the state chain. The state chain checks if you already have had a connection to/from this machine. In which case it will not traverse all chains or rules again but just let you through. This speeds things up considerably and is very useful. This is not a security risk as the firewall keeps track of the connections. It is nearly impossible to “slip” through.
To create the state chain, add this to your script:
$ipt -N states
$ipt -A states -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A states -m state --state NEW -s $lan ! -d 192.168.0.250/32 -j ACCEPT
$ipt -A states -j DROP
This is now already a pretty complex example and requires a bit of explanation. However, when you understand each building block, you will already grasp quite a bit of how IPTables rules are made.
In the first line, we created a new chain called states. When you make a new chain or filter-set you HAVE to use -N, which stands for NEW. So you first create the chain with -N and then you APPEND filters to it with -A. This is the structure of a chain: first create it, then add to it. Please remember: all filters are matched top-to-bottom, first match and exit. This means that the traffic stops at the first matched rule. So if you first block all traffic in a chain and then allow certain traffic in the next line, all traffic will be stopped, as the first rule matches.
Now, to the next part in our second line. -i eth0 specifies that this rule applies only to the network interface eth0; in other words, you can bind different rules to different interfaces. If no interface is given, the rule applies to ALL interfaces. The -m tells IPTables to use a specific IPTables module, in this case the state module, which controls and manages statefulness. For a complete listing of all modules and what they do (with a syntax explanation) check a later part of this series. Some modules have more than one option, which is why you have to specify with --state what part of the module you are using (a short example is the multiport module, which has --dports and --sports options). After --state you need to specify WHICH state you want to control with this rule. The three states used here are NEW, ESTABLISHED and RELATED. In this case what we want is to allow already established connections, and their related connections, in and out. The last part is the action to take: -j ACCEPT jumps to ACCEPT for all related and established connections. If you put DROP there instead, it would do just that.
The third line is just like the second except for a few changes after --state. In this case it will accept new (--state NEW) connection attempts from (-s) the LANs ($lan) that are NOT (!) destined (-d) for 192.168.0.250 directly. This is useful, for example, if that address is your own local IP and you do not want direct connections to it. The last line just tells the chain to DROP everything else, as it does not match any rule we specified. So far our script already looks more like a script, as you can see here:
#!/bin/sh
# variables first!
ipt="/sbin/iptables"
std_ports="22,80,443"
lan="10.0.0.0/24,192.168.0.0/24"
any="0.0.0.0/0"
$ipt -F
$ipt -Z
$ipt -X
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -N states
$ipt -A states -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A states -m state --state NEW -s $lan ! -d 192.168.0.250/32 -j ACCEPT
$ipt -A states -j DROP
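The script above is the page's own; what follows is an added example, not the blog's code, that wraps the same rule set in a function with a dry-run mode so you can read the exact iptables commands before applying them. Two things in it are my assumptions and are not on this page: the final "-A INPUT -j states" line (a user-defined chain does nothing until a built-in chain jumps to it), and a multiport rule that uses the std_ports variable the tutorial defines but never uses. The interface name and addresses are constructed sample values.

```shell
#!/bin/sh
# Added example (not the blog's own script): the tutorial's rule set wrapped in
# a function, with a dry-run mode so the generated iptables commands can be
# inspected before they are applied. Everything marked "assumption" is mine.

# IPT defaults to a dry run that only prints each command. Run as root with
# IPT=/sbin/iptables to apply the rules for real.
IPT="${IPT:-echo /sbin/iptables}"

std_ports="22,80,443"                  # "standard access" ports from the tutorial
lan="10.0.0.0/24,192.168.0.0/24"       # constructed sample LAN ranges
self="192.168.0.250/32"                # constructed: this host's own address
iface="eth0"                           # assumption: the LAN-facing interface

apply_rules() {
    # 1. Clean slate: flush rules, zero counters, delete user-defined chains.
    $IPT -F
    $IPT -Z
    $IPT -X

    # 2. Default policies. -P takes the chain and the policy; there is no -j.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # 3. The "states" chain from the tutorial. Rules match top to bottom and the
    #    first match wins, so the final DROP only sees what nothing above accepted.
    $IPT -N states
    $IPT -A states -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A states -m state --state NEW -s "$lan" ! -d "$self" -j ACCEPT
    # Assumption, not in the tutorial: allow NEW TCP connections to the standard
    # ports from anywhere (the multiport module takes a comma-separated list).
    $IPT -A states -p tcp -m multiport --dports "$std_ports" -m state --state NEW -j ACCEPT
    $IPT -A states -j DROP

    # 4. Assumption, not in the tutorial: hand all incoming traffic to "states".
    $IPT -A INPUT -j states
}

# rule_count prints how many iptables invocations the dry run produces.
rule_count() {
    apply_rules | wc -l | tr -d ' '
}

# has_rule PATTERN succeeds if PATTERN appears in the dry-run output.
has_rule() {
    apply_rules | grep -q -- "$1"
}

apply_rules
```

Run it as "sh iptables_dryrun.sh" to print the twelve commands, and as root with "IPT=/sbin/iptables sh iptables_dryrun.sh" to apply them. The rule_count and has_rule helpers only make sense in dry-run mode; they are there so the generated rule set can be checked (for example, that the DROP really is the last rule in the states chain) before it ever touches a live host.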
To summarize: IPTables is not hard, just complex. Once you have the basics down, writing very long and complex rule sets becomes easier and easier. Something that helps is to draw your rules on paper before you start. Flowcharts of your rule flow, with the actions laid out, also help.
There are many nifty things you can do with iptables; one of them is explained here: unwakeable and ssh brute forcing (not relying only on iptables, but working with it).
//Flosse
If you are interested in the full series, pick another part, or just go to the category root:
- Category: /sbin/iptables
- IPTables explained: Part 1 (a tutorial to understanding and creating your own rules)
- IPTABLES explained : Part 2 ( or a how to for iptables about efficient rule design)
- IPTABLES explained: Part 3 (Creating a complex IPTables script)
This was definitely very helpful in explaining iptables. Per your script, though, how does iptables know what ports you’re wanting to mess with?