IPTables Building Rules with Source, Destination of IP, MAC, Protocols & Port
Here we deal with the ways of matching traffic when defining a rule, i.e. matching the destination and source IP, MAC, port and protocol, matching interfaces, using wildcards, etc.
Matching the traffic based on Source and destination:
These are the switches used to match the source and destination of the traffic. They are widely used when rules are created based on the source or destination address.
Blocking all traffic from a source (192.168.1.200) (--src):
# iptables -A INPUT --src 192.168.1.200 -j DROP
Blocking all traffic from our server to a destination (--dst):
# iptables -A OUTPUT --dst 192.168.1.200 -j DROP
Matching Based on Interface:
This is useful when creating rules that apply to a particular interface.
(-i eth0/eth1.. etc)
The switch "-i" matches the interface on which the traffic arrives, so the rule applies only to that interface.
# iptables -A INPUT -i eth1 --src 192.168.1.200 -j DROP
# iptables -A INPUT -i eth1 ! --src 192.168.1.200 -j DROP
# iptables -A INPUT -i eth1 -j DROP
Wildcard for matching all interfaces (eth+):
If we have several interfaces such as eth0, eth1, eth2, eth3, eth4, etc. and need to define a rule that matches all of them, we can use the wildcard eth+. eth+ matches every interface whose name starts with "eth".
# iptables -A INPUT -i eth+ -p tcp --dport 23 -j DROP
TCP Based Matching (--protocol/-p): (Connection Oriented)
The majority of rules are based on TCP. TCP sits at the Transport Layer (layer 4).
-p tcp/ --protocol tcp
This switch makes IPTables load the tcp module and allow/deny TCP-based traffic; it makes IPTables aware of the TCP three-way handshake. The protocol type (tcp/udp) has to be specified when using the "-p" match.
--sport (source port): Generally the source port of a TCP client is greater than 1024 and is picked arbitrarily from that range. So we usually do not filter TCP traffic on the source port unless we know exactly how an application behaves.
--dport (destination port): This is the common match used along with the "-p" switch. Each and every TCP connection has a well-defined destination port, so rules are created/matched based on this destination port.
--tcp-flags SYN,ACK SYN,ACK,FIN
This is used to match the flags of the TCP three-way handshake. It takes two comma-separated lists (no spaces): the flags to examine, then the flags that must be set.
SYN - Step 1 of the three-way handshake (initial synchronization) (From Server)
ACK SYN - Step 2 of the three-way handshake (to acknowledge that the SYN has been received) (From Client)
ACK - Step 3 of the three-way handshake (From Server)
FIN - Finishing a TCP session
# iptables -A INPUT -p tcp --dport 23 -j DROP
# iptables -A OUTPUT -p tcp --dport 21 -j DROP
UDP Based Match: (Connection Less)
Some UDP-based applications and their ports: TFTP:69, Syslog:514, NTP:123, DHCP:67/68, DNS:53
-p udp/--protocol udp
In the majority of cases, UDP-based traffic has the same source port as the destination port. E.g. NTP client packets carry 123 as both the destination port and the source port in the header.
If we are running the syslogd daemon, we have to block all traffic to the service other than that from the syslog server.
# iptables -A INPUT -p udp --dport 514 ! -s 192.168.1.3 -j DROP
ICMP Based Traffic Match:
ICMP is designed to communicate status information.
Various types of ICMP:
echo-request - PING (sends the request via the OUTPUT chain using echo-request to the destination)
echo-reply - PONG (the remote system receives the echo-request and responds with an echo-reply (PONG))
-p icmp/--protocol icmp
Defines the protocol type.
--icmp-type name/number of icmp type
Here we specify the ICMP type. It can be a name or a number, e.g. echo-reply, echo-request, etc.
To get the list of ICMP types (and the TCP/UDP match options) supported by IPTables:
# iptables -p icmp --help
# iptables -p tcp --help
# iptables -p udp --help
# iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP
Rule to drop all echo-requests reaching our firewall on eth1 from outside:
# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
Multiport Matching in single rule (-m):
This feature is used to match multiple ports in a single rule.
Checking that the multiport module is installed:
# rpm -ql iptables |grep multiport
Here we define multiple ports in a single rule:
# iptables -A INPUT -p tcp -m multiport --dport 21,23 -j DROP
Matching Layer 2 Traffic (MAC-address):
The MAC address is the least easily changed address of a host.
Checking that iptables is able to match Layer 2 traffic:
# rpm -ql iptables |grep mac
-m mac: tells iptables to consult the libipt_mac.so module when processing the rule.
--mac-source: source MAC address, the Layer 2 equivalent of the --src option at Layer 3 (IP address).
Destination MAC address: the Layer 2 equivalent of the --dst option at Layer 3 (IP address).
# iptables -A INPUT -p tcp -m mac --mac-source 00:09:8F:3E:10:3A -j DROP
Filtering based on Layer 2 (MAC address) is more robust because an IP address can easily be changed.
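As an added example (not from the original page), the matches discussed above combined into one iptables-restore file in current syntax, plus a check for the legacy negation form ("--src !addr"); it assumes eth1 as the untrusted interface, 192.168.1.3 as the syslog server, 192.168.1.200 as the blocked host, and reuses the MAC address from the example above.

```shell
#!/bin/sh
# Added example: prints an iptables-restore file (filter table) built from
# the matches discussed on this page; it only prints text and applies nothing.
# Assumed values: eth1 = untrusted interface, 192.168.1.3 = the only syslog
# server we accept, 192.168.1.200 = a host blocked in both directions,
# 00:09:8F:3E:10:3A = the MAC address from the page's own example.
build_ruleset() {
    untrusted_if="$1"
    syslog_server="$2"
    blocked_host="$3"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Layer 3 source/destination matches (-s/--src, -d/--dst)
-A INPUT -s ${blocked_host} -j DROP
-A OUTPUT -d ${blocked_host} -j DROP
# Interface + UDP port + negation: '!' goes before the option it negates
-A INPUT -i ${untrusted_if} -p udp --dport 514 ! -s ${syslog_server} -j DROP
# Wildcard interface and the multiport module (--dports, plural)
-A INPUT -i eth+ -p tcp -m multiport --dports 21,23 -j DROP
# --tcp-flags <examined> <must-be-set>: only a bare SYN, i.e. a new connection
-A INPUT -i ${untrusted_if} -p tcp --tcp-flags SYN,ACK,FIN,RST SYN --dport 23 -j DROP
# ICMP type match: no echo-request from the untrusted side, replies still pass
-A INPUT -i ${untrusted_if} -p icmp --icmp-type echo-request -j DROP
# Layer 2 match through the mac module
-A INPUT -m mac --mac-source 00:09:8F:3E:10:3A -j DROP
COMMIT
EOF
}

# Returns 0 when no rule read from stdin uses the legacy negation form
# ("--src !1.2.3.4" or "-s ! 1.2.3.4") that current iptables rejects.
check_negation() {
    ! grep -Eq -- '(-s|-d|--src|--dst|-i|-o|--dport|--sport) +! *[^ ]'
}

build_ruleset "${1:-eth1}" "${2:-192.168.1.3}" "${3:-192.168.1.200}"
```

Review the printed file, then load it with iptables-restore; `iptables-restore --test` parses it without committing anything.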