Friday, August 12, 2011

Introduction to Iptables usage in Linux

I am going to explain the generic matches, the ones that apply to all the IP packets. In general, the patch pattern looks like "-s (--src, --source).

For example:
iptables -A INPUT -s 10.10.10.5 -j DROP

The IP address could also be a hostname, in that case it would be resolved to an ip address before being added to the chain. The field of the IP address could also be a range of addresses using a netmask. This instruction is applied in the INPUT chain, but it could be used also in the OUTPUT chain if the machine has more than one ip address.

iptables -A INPUT -s 10.10.10.0/24 -j DROP

This instructions matches the first 24 bits of the address. This means, it matches addresses between 10.10.10.0 - 10.10.10.255.

iptables -A INPUT -s ! 10.10.10.5 -j DROP

The exclamation mark negates the ipaddress, this matches the packets where the source IP is no 10.10.10.5

The "-d (--dst --destination)" matches the destination address of the packets and is used generaly on the OUTPUT chain. The same rules than in the -s option apply (address ranges can be specified as hostnames, a single IP address or a range, and negation of the addresses). For example:

iptables -A OUTPUT -d ! 10.10.10.4 -j REJECT

The "-i (--in-interface) " specify on which network interface the rule should take effect, for example "eth0". This options could be used in the FORWARD, INPUT and PREROUTING chains. The network interface also accepts wildcards, for example, if you want to filter all the traffic from a privat eaddress such as 10.10.10.2 in all the interfaces:

iptables -A INPUT -s 10.10.10.2 -i eth* -j DROP

This would drop all packets arriving on eth0, eth1, eth2, etc.

A final "-p" option allows to work with a specific protocol, for example, if you want to drop all the UDP packets:

iptables -A INPUT -p udp -j DROP

The protocols that can be used are:
TCP, UDP, ICMP, ALL (this is for all the protocols).

 i explained some general packet matching with Iptables, now i am going to explain the TCP packet matching generalities, where the commands displayed following, all match specific values from the TCP packet headers, for example the source and destination ports, tcp options, tcp flags (for example the syn, fin, etc).

You use the --protocol argument to match TCP packets, and optionally, the source port of the packet can be specified with "--sport (--source-port) ", the source port can be a numeric value or the name of the port, that should match the port number we want in the /etc/servicesfile.

Here are two examples:
iptables -A INPUT -p tcp --sport 23 -j REJECTiptables -A INPUT -p tcp --sport telnet -j REJECT

This rules do the same, they reject the inbound traffic from the TCP port 23 of the remote host). The usage of port names instead of the number, creates a little more cpu consume and could be told as "speed penalty" in large rulesets.

It is possible also to specify a range of ports in the rules, lower and upper port separated by a colon. Here i filter all the ports between 10 and 999:
iptables -A OUTPUT -p tcp --sport 10:999 -j REJECT

All TCP source ports except the 80 are accepted with this rule:
iptables -A INPUT -p tcp --sport ! 80 -j ACCEPT

The same can be done with a range of ports:
iptables -A INPUT -p tcp --sport ! 1024:40000 -j LOG

If the first port is numerically higher than the second, iptables swaps both numbers around automatically.

To specify a TCP destination port, the "-dport (--destination-port) [port]" is used, and its rules are the same than in TCP source port matching.

For example, to stop users in your private network to connect to IRC, supposing that IRC uses the ports between 6667 to 66670, you may want to add this rule:
iptables -A OUTPUT -p tcp --dport 6667:6670 -j REJECT

To match a specific flag in the TCP header, you have to make use of "--tcp-flags [mask] [flags]".

The [mask] argument is a list of flags separated by commas, which should be matched.
The [flags] argument is a list of flags that must be set, any flag listed in the [mask] argument, but not in the second, this means that the flag must be unset.

The possible flags are: SYN, ACK, FIN, RST, PSH and URG. ALL and NONE are also possible.

In this example, the SYN,ACK and FIN flags are the mask, and the SYN flag is the one that has to be set:
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN SYN -j ACCEPT

The mask can also be inverted, meaning that the ACK and FIN should be set, but not the SYN:
iptables -A FORWARD -p tcp --tcp-flags ! SYN,ACK,FIN SYN -j ACCEPT

Matching a particular TCP flag:
This is accomplished with the "--syn" flag, it is usefull because the SYN flag is the TCP start sequence also known as the "3 way handshake", explained in this picture:

iptables -A FORWARD -p tcp --syn -j ACCEPT iptables -A FORWARD -p tcp ! --syn -j ACCEPT



In this case i am going to explain some iptables features related with UDP. UDP (User Datagram Protocol) has the characteristic of being connectionless.

The packets format is this:
In this packet format can be seen that UDP has no flags like TCP. UDP cares only about the source and destination addresses.

In Iptables, udp is specified with the "-p udp" argument. Similar rules apply to udp than with TCP matching, negation and port ranges are allowed:

-sport (--source-port) 
--dport (--destination-port) 

This rule matches any UDP packet with source port of 161 (SNMP)
iptables -A INPUT -p udp --sport 161 -j ACCEPT

This rule logs all the packets with destination port with range from 161 to 180
iptables -A INPUT -p udp --dport 161:180 -j LOG

To learn more about UDP, see the RFS 768