Iptables Firewall Tutorial: Basic Configuration Manual

Introduction to Iptables | Iptables tutorial

Iptables, the tool in charge of creating and configuring firewalls, was born as a result of the Netfilter project for the Linux kernel. Unlike its predecessors, Iptables can generate logs and filter traffic according to security policies. Iptables is a firewall driven by Linux shell scripts, which lets us configure the filtering rules we want exactly to our taste.


Tables

    They refer to the different ways of processing network packets.
  • filter:
    Filters packets through the chains INPUT, OUTPUT and FORWARD
  • nat:
    Translates network addresses (NAT) through the chains PREROUTING and POSTROUTING
  • mangle:
    Alters packets in the chains INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING

Types of Chains

    Lists of rules applied to network packets:
  • INPUT:
    Packets whose destination is the machine itself
  • OUTPUT:
    Packets that leave the machine itself towards the outside
  • FORWARD:
    Packets that pass through the machine
  • PREROUTING:
    Rules applied to packets just before they are routed
  • POSTROUTING:
    Rules applied to packets just after they are routed

Commands

-L / --list [chain]: lists the rules currently in use in a chain
-F / --flush [chain]: empties a chain
-Z / --zero [chain]: resets the counters of a chain
-P / --policy chain DROP|ACCEPT: sets the default policy of a chain

-A / --append chain: adds a rule (conditions + target) to the end of a chain
-D / --delete chain: deletes a rule from a chain
-R / --replace chain: replaces a rule in a chain
-I / --insert chain: inserts a rule into a chain

Conditions

  • IP address:
    It can be a specific host address (-s 192.168.1.128) or a network address (-s 192.168.1.0, which needs its mask, such as /24, to match the whole network)
    source: -s / --source
    destination: -d / --destination
  • interface
    Interface through which the packet enters or leaves the machine
    incoming: -i / --in-interface (INPUT, FORWARD, PREROUTING)
    outgoing: -o / --out-interface (OUTPUT, FORWARD, POSTROUTING)
  • protocol type
    Protocol that carries the packet: TCP, UDP, ICMP, ALL
    -p / --protocol
  • ports
    Port of the service (it can be the port number or the service name)
    source: --sport / --source-port
    destination: --dport / --destination-port
  • state control
    -m state --state STATES
    INVALID: packet not associated with any known connection.
    ESTABLISHED: packet that already belongs to a valid, known connection.
    NEW: packet that creates a new connection.
    RELATED: packet that starts a new connection associated with one already established.

Targets

-j SNAT --to-source. Performs SNAT (source NAT) on outgoing packets (address masquerading).
It changes the source IP address (and optionally the port) of the packet (only available in POSTROUTING)

-j MASQUERADE. Same as SNAT, but using the IP address of the machine itself (useful on connections whose address changes) (only available in POSTROUTING)

-j DNAT --to-destination. Performs DNAT (destination NAT) on incoming packets (port forwarding).
It changes the destination IP address (and optionally the port) of the packet (only available in PREROUTING and, optionally, OUTPUT)

Iptables rules

Structure

iptables -t table command conditions target
The commands are placed in a .sh file that we run from the command line as a script: ./script-iptables.sh

Example of script iptables

Machine B will be our computer and machine A a test machine without a firewall; we are going to build a firewall with the following characteristics.
- The firewall will use a default policy that denies every packet and, in addition:
Machine B will allow pings from machine A.
It will reject (REJECT) pings from machine B to A. Check the difference between DROP and REJECT.
It will allow SSH from both machines.
MySQL will accept connections from both machines.
It will allow connecting from machine B to machine A through Webmin.
It will allow connections to Apache over HTTP/HTTPS in both directions.

Solution with Default Policy DROP

#!/bin/bash
# Flush all rules, delete user-defined chains, zero the counters, flush the nat table
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# Default policy: deny everything that no rule accepts
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Packets of connections conntrack already tracks, for any protocol: this is what
# lets the ICMP echo replies to machine A's pings leave before the REJECT below
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# Pings from B to A are rejected (the sender gets an error instead of a timeout); TCP from B to A is allowed
iptables -A OUTPUT -d 192.168.0.2 -p icmp -j REJECT
iptables -A OUTPUT -d 192.168.0.2 -p tcp -j ACCEPT
# Pings from A to B
iptables -A INPUT -s 192.168.0.2 -i eth1 -p icmp -j ACCEPT
# SSH in both directions
iptables -A INPUT -s 192.168.0.2 -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.2 -p tcp --dport 22 -j ACCEPT
# MySQL in both directions
iptables -A INPUT -s 192.168.0.2 -i eth1 -p tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.2 -o eth1 -p tcp --dport 3306 -j ACCEPT
# Webmin from B to A (the OUTPUT chain takes -o, not -i)
iptables -A OUTPUT -d 192.168.0.2 -o eth1 -p tcp --dport 10000 -j ACCEPT
# HTTP and HTTPS in both directions
iptables -A INPUT -s 192.168.0.2 -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.2 -o eth1 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 192.168.0.2 -i eth1 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.2 -o eth1 -p tcp --dport 443 -j ACCEPT
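To see why the state rules must cover every protocol and not just TCP, here is an added example (not code from the tutorial) that models first-match chain traversal in Python and runs the ping requirements of the default-DROP solution above through it; the `in_if`, `out_if` and `state` keys, the reduced rule list and the constructed packets are assumptions of the model.

```python
# Added example (not part of the original tutorial): a small model of how
# iptables walks a chain, used to reason about the default-DROP script above
# before loading it. Rules are tried first to last; the first match decides
# the verdict and a packet that matches nothing gets the chain's policy. Only
# the match keys the script uses are modelled, and "state" is what conntrack
# reports (an echo-reply to a tracked request is ESTABLISHED, a request is NEW).

def rule(chain, target, **match):
    """One iptables rule: its chain, its target (-j) and the conditions it matches."""
    return {"chain": chain, "target": target, "match": match}

def verdict(rules, policy, packet):
    """First matching rule in the packet's chain wins, else the default policy."""
    for r in rules:
        if r["chain"] != packet["chain"]:
            continue
        if all(packet.get(key) == value for key, value in r["match"].items()):
            return r["target"]
    return policy[packet["chain"]]

def tutorial_rules(state_tcp_only):
    """The default-DROP script reduced to the rules that decide the ping tests;
    state_tcp_only=True reproduces '-p tcp -m state --state ESTABLISHED'."""
    state = {"proto": "tcp"} if state_tcp_only else {}
    return [
        rule("INPUT", "ACCEPT", in_if="lo"),
        rule("OUTPUT", "ACCEPT", out_if="lo"),
        rule("INPUT", "ACCEPT", state="ESTABLISHED", **state),
        rule("OUTPUT", "ACCEPT", state="ESTABLISHED", **state),
        rule("OUTPUT", "REJECT", dst="192.168.0.2", proto="icmp"),
        rule("INPUT", "ACCEPT", src="192.168.0.2", in_if="eth1", proto="icmp"),
        rule("INPUT", "ACCEPT", src="192.168.0.2", in_if="eth1", proto="tcp", dport=22),
    ]

POLICY = {"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "DROP"}

# Constructed packets: machine A (192.168.0.2) pings B, B answers, then B pings A.
ECHO_REQ_FROM_A = {"chain": "INPUT", "in_if": "eth1", "src": "192.168.0.2",
                   "proto": "icmp", "state": "NEW"}
ECHO_REPLY_TO_A = {"chain": "OUTPUT", "out_if": "eth1", "dst": "192.168.0.2",
                   "proto": "icmp", "state": "ESTABLISHED"}
ECHO_REQ_TO_A = {"chain": "OUTPUT", "out_if": "eth1", "dst": "192.168.0.2",
                 "proto": "icmp", "state": "NEW"}

def ping_check(state_tcp_only):
    """Verdicts for (A's request arriving, B's reply leaving, B's own request)."""
    rules = tutorial_rules(state_tcp_only)
    return tuple(verdict(rules, POLICY, p)
                 for p in (ECHO_REQ_FROM_A, ECHO_REPLY_TO_A, ECHO_REQ_TO_A))
```

With the state rule limited to TCP, `ping_check(True)` returns `('ACCEPT', 'REJECT', 'REJECT')`: A's request gets in but B's reply is rejected, so A never sees an answer; with the protocol-agnostic rule, `ping_check(False)` returns `('ACCEPT', 'ACCEPT', 'REJECT')`, which is what the requirements ask for.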

Now we will build the same configuration with a default policy that accepts.

Solution with Default Policy ACCEPT

#!/bin/bash
# Flush all rules, delete user-defined chains, zero the counters, flush the nat table
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# Default policy: accept, so everything we do not want must be dropped explicitly (see the end)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Packets of connections conntrack already tracks (any protocol, so echo replies to A's pings get out)
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# Pings from B to A are rejected; TCP from B to A is allowed
iptables -A OUTPUT -d 192.168.0.2 -p icmp -j REJECT
iptables -A OUTPUT -d 192.168.0.2 -p tcp -j ACCEPT
# Pings from A to B
iptables -A INPUT -s 192.168.0.2 -i eth1 -p icmp -j ACCEPT
# SSH from A
iptables -A INPUT -s 192.168.0.2 -i eth1 -p tcp --dport 22 -j ACCEPT
# MySQL in both directions
iptables -A INPUT -s 192.168.0.2 -i eth1 -p tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.2 -o eth1 -p tcp --dport 3306 -j ACCEPT
# Webmin from B to A (the OUTPUT chain takes -o, not -i)
iptables -A OUTPUT -d 192.168.0.2 -o eth1 -p tcp --dport 10000 -j ACCEPT
# HTTP and HTTPS in both directions
iptables -A INPUT -s 192.168.0.2 -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.2 -o eth1 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 192.168.0.2 -i eth1 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.2 -o eth1 -p tcp --dport 443 -j ACCEPT

# With an ACCEPT policy, whatever the rules above did not match is still let through,
# so every TCP and UDP port is closed explicitly in both directions at the end
iptables -A INPUT -p tcp --dport 1:65535 -j DROP
iptables -A INPUT -p udp --dport 1:65535 -j DROP
iptables -A OUTPUT -p tcp --dport 1:65535 -j DROP
iptables -A OUTPUT -p udp --dport 1:65535 -j DROP

If you liked this article, please share it. Thank you.

I hope this article is of help to you,
Regards,
By Óscar Carrillo