IPTABLES

//IPTABLES uses a set of chains of rules.// (There are more; these are the built-in chains of the filter table.)
 * **INPUT** = Filters packets destined to the firewall.
 * **OUTPUT** = Filters packets originating from the firewall.
 * **FORWARD** = Filters packets to servers accessible by another NIC on the firewall.

EXAMPLES: Check which rules are currently loaded:
 * 1) iptables -L

Block an IP address: (where xxx.xxx.xxx.xxx is the IP address you want to block)
 * 1) iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

Unblock an IP address: (same xxx.xxx.xxx.xxx as above; the rule must be given exactly as it was added)
 * 1) iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP

Flush your iptables rules, i.e. delete all of them (the chain policies are left as they are):
 * 1) iptables -F

Stop, start, restart, or save the iptables service (init-script systems):
 * 1) service iptables stop
 * 2) service iptables start
 * 3) service iptables restart
 * 4) service iptables save

NAT = ( Network Address Translation )
 * **PREROUTING** = Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as **destination NAT** or **DNAT**.
 * **POSTROUTING** = Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as **source NAT**, or **SNAT**.
 * **OUTPUT** = Network address translation for packets generated by the firewall. (Rarely used in SOHO environments)
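To show where the DNAT and SNAT chains just described sit, here is an added example (not from the original page): a minimal SOHO gateway ruleset in iptables-restore format, with the filter FORWARD rules that NAT does not replace and a check that every DNAT target is actually allowed through FORWARD. The interface names eth0/eth1, the LAN 192.168.1.0/24 and the web server 192.168.1.10 are constructed values.

```shell
#!/bin/sh
# Added example, not from the original page. A minimal SOHO gateway ruleset
# showing where DNAT (nat PREROUTING) and SNAT (nat POSTROUTING) sit, plus
# the filter FORWARD rules that NAT does not replace.
# Assumed/constructed: WAN eth0, LAN eth1 = 192.168.1.0/24, web server
# 192.168.1.10. Forwarding also needs net.ipv4.ip_forward=1.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_SRV="${WEB_SRV:-192.168.1.10}"

# nat table: rewrite the destination before routing (DNAT, so the routing
# decision sends it to the LAN) and the source after routing (SNAT; MASQUERADE
# is the many-to-one form for a WAN address that may change).
build_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# filter table: NAT only rewrites addresses; FORWARD still decides whether
# the translated packet passes. Default DROP, allow LAN out, replies back,
# and only the forwarded web port in.
build_forward_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SRV -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Consistency check: every DNAT target must have a matching FORWARD accept,
# otherwise the port forward is silently dropped in filter FORWARD.
check_dnat_is_forwarded() {
    build_nat_rules | grep -- '-j DNAT' |
        sed 's/.*--to-destination \([^:]*\).*/\1/' |
        while read -r dst; do
            build_forward_rules | grep -q -- "-d $dst .*-j ACCEPT" || exit 1
        done
}
```

Feed the output of both functions to iptables-restore as root (nat first, then filter) once check_dnat_is_forwarded succeeds.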

Basic Commands
Typing sudo iptables -L lists your current rules in iptables. If you have just set up your server, you will have no rules, and you should see:
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination
  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

Basic Iptables Options
Here are explanations for some of the iptables options you will see in this tutorial. Don't worry about understanding everything here now, but remember to come back and look at this list as you encounter new options later on.
 * -A - Append this rule to a rule chain. Valid chains for what we're doing are INPUT, FORWARD and OUTPUT, but we mostly deal with INPUT in this tutorial, which affects only incoming traffic.
 * -L - List the current filter rules.
 * -m conntrack - Allow filter rules to match based on connection state. Permits the use of the --ctstate option.
 * --ctstate - Define the list of states for the rule to match on. Valid states are:
   * NEW - The connection has not yet been seen.
   * RELATED - The connection is new, but is related to another connection already permitted.
   * ESTABLISHED - The connection is already established.
   * INVALID - The traffic couldn't be identified for some reason.
 * -m limit - Require the rule to match only a limited number of times. Allows the use of the --limit option. Useful for limiting logging rules.
 * --limit - The maximum matching rate, given as a number followed by "/second", "/minute", "/hour", or "/day" depending on how often you want the rule to match. If this option is not used and -m limit is used, the default is "3/hour".
 * -p - The connection protocol used.
 * --dport - The destination port(s) required for this rule. A single port may be given, or a range may be given as start:end, which will match all ports from start to end, inclusive.
 * -j - Jump to the specified target. By default, iptables allows four targets:
   * ACCEPT - Accept the packet and stop processing rules in this chain.
   * REJECT - Reject the packet and notify the sender that we did so, and stop processing rules in this chain.
   * DROP - Silently ignore the packet, and stop processing rules in this chain.
   * LOG - Log the packet, and continue processing more rules in this chain. Allows the use of the --log-prefix and --log-level options.
 * --log-prefix - When logging, put this text before the log message. Use double quotes around the text to use.
 * --log-level - Log using the specified syslog level. 7 is a good choice unless you specifically need something else.
 * -i - Only match if the packet is coming in on the specified interface.
 * -I - Inserts a rule. Takes two options, the chain to insert the rule into, and the rule number it should be. -I INPUT 5 would insert the rule into the INPUT chain and make it the 5th rule in the list.
 * -v - Display more information in the output. Useful if you have rules that look similar without using -v.
 * -s - address[/mask] source specification
 * -d - address[/mask] destination specification
 * -o - output name[+] network interface name ([+] for wildcard)

Allowing Established Sessions
We can allow established sessions to receive traffic:
  sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
If the line above doesn't work, you may be on a restricted VPS whose provider has not made the conntrack extension available, in which case the older state match can be used as a last resort:
  sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 * The above rule has no spaces either side of the comma in ESTABLISHED,RELATED

Allowing Incoming Traffic on Specific Ports
You could start by blocking traffic, but you might be working over SSH, where you would need to allow SSH before blocking everything else. To allow incoming traffic on the default SSH port (22), you could tell iptables to allow all TCP traffic on that port to come in.
  sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Referring back to the list above, you can see that this tells iptables:
 * append this rule to the input chain (-A INPUT) so we look at incoming traffic
 * check to see if it is TCP (-p tcp).
 * if so, check to see if the input goes to the SSH port (--dport ssh).
 * if so, accept the input (-j ACCEPT).
Let's check the rules: (only the first few lines shown, you will see more)
  sudo iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
Now, let's allow all incoming web traffic:
  sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Checking our rules, we have:
  sudo iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
We have specifically allowed tcp traffic to the ssh and web ports, but as we have not blocked anything, all traffic can still come in.

Blocking Traffic
Once a decision is made to accept a packet, no more rules affect it. As our rules allowing ssh and web traffic come first, as long as our rule to block all traffic comes after them, we can still accept the traffic we want. All we need to do is put the rule to block all traffic at the end.
  sudo iptables -A INPUT -j DROP
  sudo iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
  DROP       all  --  anywhere             anywhere
Because we didn't specify an interface or a protocol, any traffic for any port on any interface is blocked, except for web and ssh.

Editing iptables
The only problem with our setup so far is that even the loopback interface is blocked. We could have written the drop rule for just eth0 by specifying -i eth0, but we could also add a rule for the loopback. If we append this rule, it will come too late, after all the traffic has been dropped. We need to insert this rule before that. Since this is a lot of traffic, we'll insert it as the first rule so it's processed first.
  sudo iptables -I INPUT 1 -i lo -j ACCEPT
  sudo iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  ACCEPT     all  --  anywhere             anywhere
  ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
  DROP       all  --  anywhere             anywhere
The first and last lines look nearly the same, so we will list iptables in greater detail.
  sudo iptables -L -v
  Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
      0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
      0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
      0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
      0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:www
      0     0 DROP       all  --  any    any     anywhere             anywhere
You can now see a lot more information. This rule is actually very important, since many programs use the loopback interface to communicate with each other. If you don't allow them to talk, you could break those programs!

Logging
In the above examples none of the traffic will be logged. If you would like to log dropped packets to syslog, this would be the quickest way (rule 5 is the position just before the final DROP in the chain built above):
  sudo iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
See the Tips section for more ideas on logging.

Saving iptables
If you were to reboot your machine right now, your iptables configuration would disappear. Rather than type this each time you reboot, however, you can save the configuration, and have it start up automatically. To save and reload the configuration, you can use iptables-save and iptables-restore.
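Putting the steps above together, as an added example that is not part of the original page: a POSIX shell script that emits the whole INPUT ruleset in the order the tutorial builds it (loopback first, DROP last) in iptables-restore format, refuses to apply it if that ordering is wrong, and only applies it when run as root. Ports 22 and 80 are assumed for the page's "ssh" and "www" names.

```shell
#!/bin/sh
# Added example, not from the original page. Emits the tutorial's INPUT
# ruleset in iptables-restore format, checks ordering, then applies it.
# Assumption: ssh on 22, web on 80 (the page's "ssh" and "www" names).

# Emit the ruleset. Order matters: loopback first, then established
# sessions, then the explicit services, then logging, and DROP last.
build_input_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
COMMIT
EOF
}

# Lock-out guard: the loopback accept must be the first INPUT rule and the
# DROP must be the last one, otherwise local daemons or SSH get cut off.
check_rule_order() {
    rules=$(build_input_rules | grep '^-A INPUT')
    lo_line=$(printf '%s\n' "$rules" | grep -n -- '-i lo ' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '-j DROP' | cut -d: -f1)
    last_line=$(( $(printf '%s\n' "$rules" | wc -l) ))
    [ "$lo_line" = 1 ] && [ "$drop_line" = "$last_line" ]
}

# Apply atomically with iptables-restore when root; otherwise print the
# ruleset so it can be reviewed (this is the form iptables-save persists).
apply_rules() {
    check_rule_order || { echo "refusing to apply: bad rule order" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ]; then
        build_input_rules | iptables-restore
    else
        build_input_rules
    fi
}
```

Source the file and call apply_rules; as a non-root user it only prints the ruleset for review.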

Useful Commands

 * iptables -L -vn --line-numbers # displays how many times a rule has been used as well as line-numbers for easy deletion

IPtables ride along

**Forwarding Packets**
|| **Step** || **Table** || **Chain** || **ETC** ||
|| 1 ||  ||  || On wire ||
|| 2 ||  ||  || In to interface ||
|| 3 || raw || PREROUTING ||  ||
|| 4 ||  ||  || Connection tracking is applied ||
|| 5 || mangle || PREROUTING ||  ||
|| 6 || nat || PREROUTING ||  ||
|| 7 ||  ||  || Routing decision ||
|| 8 || mangle || FORWARD || Trusting and dropping of IPs is located here ||
|| 9 || filter || FORWARD || Nfqueue is located here ||
|| 10 || mangle || POSTROUTING ||  ||
|| 11 || nat || POSTROUTING ||  ||
|| 12 ||  ||  || Out of interface ||
|| 13 ||  ||  || Onto wire ||

**Local Machine is Destination**
|| **Step** || **Table** || **Chain** || **ETC** ||
|| 1 ||  ||  || On wire ||
|| 2 ||  ||  || In to interface ||
|| 3 || raw || PREROUTING ||  ||
|| 4 ||  ||  || Connection tracking is applied ||
|| 5 || mangle || PREROUTING ||  ||
|| 6 || nat || PREROUTING ||  ||
|| 7 ||  ||  || Routing decision ||
|| 8 || mangle || INPUT ||  ||
|| 9 || filter || INPUT ||  ||
|| 10 ||  ||  || Local daemon ||

**Local Machine is Source**
|| **Step** || **Table** || **Chain** || **ETC** ||
|| 1 ||  ||  || Local daemon ||
|| 2 ||  ||  || Routing decision ||
|| 3 || raw || OUTPUT ||  ||
|| 4 ||  ||  || Connection tracking is applied ||
|| 5 || mangle || OUTPUT ||  ||
|| 6 || nat || OUTPUT ||  ||
|| 7 ||  ||  || Routing decision ||
|| 8 || filter || OUTPUT ||  ||
|| 9 || mangle || POSTROUTING ||  ||
|| 10 || nat || POSTROUTING ||  ||
|| 11 ||  ||  || Out of interface ||
|| 12 ||  ||  || Onto wire ||