Wednesday, October 28, 2009

Linux Securirty Notes 15: IPTables 2: Chain Management

IPTables Chain Management

Listing all the chains in Table Filter
# iptables -L -n

    It lists INPUT, FORWARD and OUTPUT chains and rules associated with. Each of the chains will have a default policy. i.e the default policy is accept the traffic in IPTables.
# iptables -L OUTPUT

    It will list all the rules in the chain OUTPUT for the default table.

Listing all the chains in Table NAT.
# iptables -L -n -t nat

     It contains the chains PREROUTING(will use NAT before routing occurred -destination nat-),  POSTROUTING(uses NAT to after the packets get routed  -source nat-) & OUTPUT (Reserved for packets that sourced locally that need the NAT)

Listing all the chains in Table Mangle.
# iptables -L -n -t mangle

    It contains chains INPUT,OUTPUT,FORWARD, PREROUTE & POSTROUTE. Mangle Table is the ANDing of Filter & NAT table.

To List the amount of traffic that processed by the a chain
# iptables -L -n -v -t filter

    This will show the total amount of traffic in each chains. Even if there is no rule defined it shows the traffic in chains. This is because there is default rule of accept all in IPTables.

Determine the Line number of the rule in a chain
# iptables -L -n -v --line-numbers
# iptables -L -n -v --line-numbers -t nat

    This will show the line numbers column for all the chains.

Appending(-A) and Inserting(-I) rules to Chains

    We will  try to understand each chains with a real time scenario
Source ( to -> destination (192.168.254)
    In this case the source sends a ICMP (echo-request) packet to 192.168.254 which pass across the OUTPUT chain in filter table. Once the request reaches the destination it responds with a echo-reply to the source which pass across the INPUT chain in filter table.

Now we will create rule in source all traffic for SSH will be permitted and Telnet traffic will be denied
Appending a rule(-A):
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --dport 23 -j DROP

    This will make the server to accept only the ssh based connection and telnet sessions wll be droped.
The append (-A) will add the rule to the last rule in the chain(to the end of the rule list in chain).
# iptables -L -n -v --line-number

    This will list the newly added rule

Inserting a rule (-I):
We can insert the rule into a particular line number using this option. (Keep in mind the iptable checks the rule from above to bottom and once it matches the criteria it executes the rule).(We can even insert a same rule to the chain, creating a duplicate rule. IPTables doesn't have a feature to detect the duplicate rules that have appended or inserted.
# iptables -I INPUT 1 -p tcp --dport 23 -j DROP
# iptables -L -n -v --line-number

    Here we can see that the rule for dropping the telnet session has been added to first line in the chain. So IPTables will process the rule number 1 before it hitting the rule number 2.
Other examples:
# iptables -I INPUT 2 -p tcp --dport 21 -j DROP

    It inserts a rule to line number 2 in INPUT Chain for the table Filter,for Dropping all FTP traffic.

Deleting(-D) and Replacing(-R) Rules
Deleting a Rule:
Syntax for deleting the rule from the chain:
# iptables -D
# iptables -D

Type 1
# iptables -L -n -v --line-number
# iptables -D INPUT 2

    This will delete the 2nd rule in the chain INPUT.
Type 2
# iptables -D INPUT -p tcp --dport 21 -j DROP

    This will delete the rule as mentioned . This need the exact match and in case of any duplicate rules the first match will be deleted.

Replacing Rules:
# iptables -R

# iptables -L -n -v --line-number
# iptables -R INPUT 1 -p tcp --dport 23 -j ACCEPT

    This will replace the existing rule from DROP to ACCEPT (we had previously denied the telnet access)

Flush(-F) rules and Zero counters (-Z)

Flush rules:
# iptables -F

# iptables -F INPUT

    This will flush all the rules in the chain INPUT.
# iptables -F

    This will flush all the rules from all the chains in default Table. But the flusing will not zero the packet counters (iptables -L -v).

Zero Counters:
# iptables -Z

# iptables -Z INPUT
# iptables -L -n -v

    This will reset the packet count for the chain INPUT
# iptables -Z

    This will reset all the chain packet counts in default table.
# iptables -Z POSTROUTING -t nat

    This will reset the packet counter for the chain POSTROUTING for table nat.

User Defined Tables/Chains (Creating (-N) and Renaming (-E old new)):
    IPTables ships with 3 default tables which cannot be deleted.

Creating a New chain called INTRANET
# iptables -N INTRANET
# iptables -L -n

    This will create a new chain called INTRANET in the filter table. This will create a chain with the default refereces as "0". reference is the link towards the default chains(INPUT, OUTPUT & FORWARD).
Now we define the new chain INTRANET how to behave. i.e, which traffic should be this chain responsilbe for.
# iptables -R INPUT 1 -s -j INTRANET

    This will tell IPTables that - In rule number 1, any trafic having the source network ID should be contacted the chain INTRANET
# iptables -L -n

    Here we can see that a new entry for the Chain is added into the Line number 1 stating that for all the packages having source address in the network should jump to target chain INTRANET.

Now create the rules
# iptables -A INTRANET    -p tcp --dport 23 -j DROP

    So when a packet comes with a source address in with the destination port 23. The iptables will refer from the INPUT chain to the INTRANET chain and Then IPTables will start matching the rule. If the packet has the destitantion port 23 then it will DROP.

    User defined chains must have unique names. Because it function has the target (-j).

Rename a Chain(-E):
    If we need to rename a user defined chain
# iptables -E

    This will rename the chain to SUBINTRANET. The iptables "will update the references as well"(The reference to the default chain).
Chain Policy (-P):
    It is usually "accept" in RedHat environment for all the chains in filter table. should be very careful while setting the chain default policy to DROP(Update the iptables to permit the appropriate access, else if we are using a remote session this may freez the access).
# iptables -P

# iptables -P INPUT DROP
    This will make the default policy of INPUT chain to DROP.
# iptables -L -n
    Check the "chain INPUT (policy DROP)" to verify.
    Default DROP Policy may prevent typical TCP/UDP/ICMP communication.So a state matching rule should be added in case of such scenarios.

No comments:

Post a Comment

tag ur valuable ideas below