
Packet Filtering using iptables
Ahmed Mekkawy
AKA linuxawy
What is iptables/netfilter?
The native firewall in GNU/Linux is iptables/netfilter.
Netfilter is a kernel patch (now it's basic in all modern kernels, unless you compiled your own without it).
Iptables is just a configuration tool for netfilter.
You can uninstall iptables, but not netfilter.
Netfilter cannot be stopped. Anyway, you can remove all rules so it doesn't do anything.
Iptables rules are volatile; you have to put them in a startup script to start with booting.
What are the tables/chains?
Tables => Chains => Rules
We have 3 tables:
Filter table
Nat table
Mangle table
We will focus on the filter table today. In the filter table we have 3 main chains, which are:
INPUT chain
FORWARD chain
OUTPUT chain
Packets path
[Figure: packet path through the netfilter chains (iptables.png); the image is not included in this extraction]
Iptables syntax
How to add a rule:
iptables -t table -A/I chain condition -j target
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
How to list rules:
iptables -t (table) -L (-n) (--line-numbers)
How to delete a rule:
iptables -t (table) -D (chain) (condition) (action)
iptables -t (table) -D (chain) (rule number)
Conditions
-p tcp,udp,icmp,all
-s source_ip
-d destination_ip
--sport source_port
--dport destination_port
-i input_interface
-o output_interface
-m state --state NEW,ESTABLISHED,RELATED
... etc
-p tcp -s IP --sport 80 -d IP -m state --state NEW
Targets
ACCEPT: let it pass.
DROP: ignore it, and don't send any response.
REJECT: drop the packet, and reply with an error message (e.g. port not used, host unreachable, .. etc) - to be used if you want the attacker not to know that you are using a firewall.
CUSTOM_CHAIN: to direct the packet to a custom chain.
SNAT, DNAT, ....: not used in the filter table, to be used in the nat and mangle tables, explained in other sessions isA.
3-way connection
The 3-way connection is the most commonly used connection. That happens in 3 steps:
Step 1: the client initiates the connection to the server. The connection type is now NEW.
Step 2: the server replies with an acknowledgment; the connection is now in the ESTABLISHED state.
Step 3: the client acknowledges the server, and starts to send its data in an ESTABLISHED connection.
After that, the connection continues in both ways normally.
iptables initialization
First, we flush all chains, delete custom chains, zero all counters:
iptables -F
iptables -X
iptables -Z
Turn off IP forwarding:
echo 0 > /proc/sys/net/ipv4/ip_forward
Enable dynamic IP support. 1: enable, 2: verbose, 0: disable
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
To use RELATED in ftp rules, add ip_conntrack_ftp:
modprobe ip_conntrack_ftp
Set policies, enable loopback
Set default policy to DROP:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Enable all connections on the loopback interface:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
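A check to go with this slide, added here as an example that is not part of the original presentation: once the policies and loopback rules are loaded, confirm they are really in effect by auditing the live rule set. The script reads the output of `iptables -S` (one rule per line in iptables-save syntax) from standard input, so it can be piped from a live host or fed a saved listing. The exact rule strings it looks for are assumptions matching the slide's rules; if your loopback rules carry extra options, adjust the patterns.

```sh
#!/bin/sh
# Added example (not from the slides): audit a filter-table listing for the
# hardening this slide sets up. Usage on a live host:
#   iptables -S | sh audit.sh run
# The function returns 0 only when every check passes.

# audit_ruleset: read an `iptables -S` listing on stdin and report each check.
audit_ruleset() {
    rules=$(cat)          # read the whole listing once
    failed=0

    # 1. every built-in chain of the filter table must default to DROP
    for chain in INPUT OUTPUT FORWARD; do
        if printf '%s\n' "$rules" | grep -q "^-P $chain DROP$"; then
            echo "OK: $chain default policy is DROP"
        else
            echo "FAIL: $chain default policy is not DROP"
            failed=1
        fi
    done

    # 2. loopback traffic must be accepted in both directions, otherwise local
    #    services (DNS caches, databases, X) break silently under a DROP policy
    if printf '%s\n' "$rules" | grep -q '^-A INPUT -i lo -j ACCEPT$'; then
        echo "OK: loopback input accepted"
    else
        echo "FAIL: no '-A INPUT -i lo -j ACCEPT' rule"
        failed=1
    fi
    if printf '%s\n' "$rules" | grep -q '^-A OUTPUT -o lo -j ACCEPT$'; then
        echo "OK: loopback output accepted"
    else
        echo "FAIL: no '-A OUTPUT -o lo -j ACCEPT' rule"
        failed=1
    fi

    # 3. rules are matched top to bottom: warn if an explicit DROP/REJECT in
    #    INPUT sits above the loopback rule, because it may shadow it
    lo_line=$(printf '%s\n' "$rules" | grep -n '^-A INPUT -i lo -j ACCEPT$' | head -n 1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -En '^-A INPUT .*-j (DROP|REJECT)' | head -n 1 | cut -d: -f1)
    if [ -n "$lo_line" ] && [ -n "$drop_line" ] && [ "$drop_line" -lt "$lo_line" ]; then
        echo "WARN: an explicit DROP/REJECT in INPUT precedes the loopback rule"
    fi

    return $failed
}

# only touch the live firewall when explicitly asked ("run"), so the file can
# also be sourced for its function
if [ "${1:-}" = run ]; then
    audit_ruleset
fi
```

Because the listing is plain text, the same function works on a rule set saved with `iptables-save` from another machine, which is handy for reviewing a startup script's result without logging in to the host.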
Enable pings
Enable incoming/outgoing pings:
Incoming:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
Outgoing:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
Add your rules
Example: web server
          sport              dport
        ============>
CLIENT                        SERVER
        <============
          dport              sport
iptables (-t filter) -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables (-t filter) -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Special connections: ftp
You must enable the kernel module ip_conntrack_ftp.
FTP has 3 types of connections:
Control port: port 21, normal 3-way connection initiated by the client.
Active connection: port 20, normal 3-way connection RELATED to the previous connection, initiated by the client.
Passive connection: 3-way connection RELATED to the control connection, initiated by the server from a random port on the server to a random port at the client.
ftp - continued
# Control port:
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# Active mode:
iptables -A OUTPUT -p tcp --dport 20 --sport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 20 --dport 1024: -m state --state ESTABLISHED -j ACCEPT
# Passive mode:
iptables -A OUTPUT -p tcp --dport 1024: --sport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
Thank you
Questions??
ahmed.mekkawy@espace.com.eg