Blast from the past… IPTABLES explained…

This used to be a part of my personal OneNote memos, check it out –>>

Packet filtering is something I’ve always hard a hard time getting my head around. Not the basics; that’s easy enough. It’s just the incredible level of detail, the difficulty of keeping it all in your head at once…

For me, IP Tables is the ultimate Filtering and NATing tool ever existed, but it has always been hard to understand and to deal with…

Check this graph below and let get to it…

This article isn’t about the syntax or the command arguments, these can be googled for, this artical is about how it actually works…

Basics

The basic idea of any packet filtering is to look at a network packet and decide what to do with it: accept it as is and let it go on its way, stop it dead, or change it in some way (which usually involves sending it somewhere other than where it was originally headed).

Chains and Tables

Iptables starts with five built in chains. You can add more chains, (generally for convenience). Let’s understand what it comes with first.

  • PREROUTING
  • FORWARD
  • INPUT
  • OUTPUT
  • POSTROUTING

It is important to first understand what packets these chains see, this illustration may help you a bit…

image

As soon as the packet arrives to the interface and reaches the TCP/IP stack, it’s examined by the PREROUTING chain.

Afterwards a routing decision is taken; whether the packet will be forwarded or is it for this machine; this part is controlled by the routing tables in the OS.

A packet coming TO this machine goes through the INPUT chain before reaching the OS & processes.

A packet being forwarded to another machine would go through the FORWARD chain.

If a packet comes from this machine (is generated by an application running on this machine), it will go to the OUTPUT chain before going any further.

The last part of the IPTABLES, is the POSTROUTING, it’s the final station the kernel will see the packet before it leaves to the copper line or fiber or whatever…

There’re three main tables in the IPTABLES, each table is used go do some job…

  • filter
  • nat
  • mangle

The table filter has these chains assigned to it, FORWARD, INPUT and OUTPUT, it’s mainly used (as name implies) to apply filtering rules, you filter what goes through your TCP/IP stack to other hosts, filter what comes to your machine, filter what goes out of your machine…

The table nat has three chains assigned to it, PREROUTE, POSTROUTE, OUTPUT, it’s mainly used for all kind of natting, however you can still apply filtering rules through these chains in the nat table, you can do DNAT, SNAT, MASQUERADE, along with normal filtering rules…

The table mangle, has all five chains assigned to it, it’s mainly used to alter packet properties, I’m not sure how to use it effectively, so i won’t say much here on this one…

You can still create your own chains just for the convenience, but you’ll have to feed them packets from conditions from these standard chains…

Enough talking, let’s get to the examples…

To do DNAT from public IP 1.2.3.4 to private IP 10.10.10.1:

iptables -A PREROUTING -d 1.2.3.4 -j DNAT –to-destination 10.10.10.1

This will statically map the external IP to the private IP, no filtering is done though…

IMPORTANT: After this rule, the packet passes through the kernel with the final destination’s IP in the header not the original one, so further filtering rules must have the IP 10.10.10.1 in order for them to work….

To accept only connections to port 80 and drop the rest for the above example:

iptables -A FORWARD -d 192.168.1.202 -p tcp -m tcp –dport 80 -j ACCEPT

iptables -A FORWARD -d 192.168.1.202 -j DROP

iptables -A FORWARD -m state –state RELATED,ESTABLISHED -j ACCEPT

Another example, to totally supress ICMP protocol from reaching your network (assuming that linux is your router)

iptables -A FORWARD -p icmp -j DROP

But this would still allow ping requests targeted to your firewall/router, so we add

iptables -A INPUT -p icmp -j DROP

Alternatively you can have one line to do the trick, a quick look to the graph, and you’ll figure it out

iptables -A PREROUTING -p icmp -j DROP

Advertisements

One Response

  1. ma sha2 Allah, very cool work.
    keep going ya man

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: