IPTables

5,211 bytes added, 15:40, 22 November 2010
Sample Scripts from our Lab Material
= IPTables Command Structure and Overview =

The intended audience for this document is Andrew Grimo's OPS235 Linux admin class. It is a guide to iptables in the context of what OPS235 is currently studying, so many of its complexities will not be explored here. All are welcome to reference this document and refine what it is trying to convey to be more accurate or precise.

This is an outline of
* how iptables command lines are structured and understood
* an explanation of the rule specifications that we use
* sample commands that can be seen in the labs to relate to this document
 
* the items listed in [ ] square brackets are optional in the command
<pre>
# iptables command chain rule-spec ([match,] target/jump)
           ------- -----  --------------------------------
# iptables -A      chain  rule-spec                (Appends a rule)
# service iptables save                            (Saves the current configuration
                                                    into /etc/sysconfig/iptables)
</pre>
 
 
== Options for Elements in the Structure ==
 
Considering the commands, chains, matches and targets/jumps... there are only a few of those that we will actually use, at least for this course. Matches can get a bit more complex and will be discussed next, but the others will be listed here.
 
The items that are listed in ( ) round brackets are there for informational purposes as we don't use them in our course for our configurations.
 
=== Brief Listing of Choices ===
 
<pre>
Commands        Chains      Matches                         Targets -j
------------    ---------   -------                         ----------
-A ...Append    INPUT       -p protocol                     ACCEPT
-I ...Insert    OUTPUT      -s src-address[/mask][,...]     DROP
-D ...Delete    (FORWARD)   -d dst-address[/mask][,...]     LOG
-R ...Replace               --dport port                    (REJECT)
-P ...Policy                --sport port
-F ...Flush
-L ...List
-S ...Show
</pre>
 
Above we can see that when it comes down to it, our chains and targets are limited and few. The commands we are dealing with aren't that many either. These few things establish the core foundation for our understanding of iptables and what it offers.
 
"REJECT" - This target is the same as DROP, except that it returns a definable error message to the sender. This informs the sender that the port, host, or service is unreachable and defeats the potential stealth mode that "DROP" alone offers.
 
=== Match Statements ===
 
Here's a bit more definition of our match statements. Essentially:
* a match is based on a protocol (TCP, UDP, ICMP, ...)
* source and destination addresses can define
** a single ip address with or without a netmask
** a network ip address with its netmask
** a network name or a hostname (defined locally - not through DNS)
** and a comma separated list of these
* source and destination ports can use either:
** port number
** port name (resolved in /etc/services)
 
== INPUT / OUTPUT ... Source / Destination ==
 
So where is that packet: coming or going?
 
<pre>
 ---------------                                            ---------------
|     INPUT     | <--destination--------------<--source--< |    OUTPUT     |
|               |                                          |               |
|    F12Host    |                                          |    Fedora2    |
|               |                                          |               |
|     OUTPUT    | >--source-------------->--destination--> |     INPUT     |
 ---------------                                            ---------------
</pre>
 
The question of whether a packet is arriving or leaving can be more easily visualized with the above chart. As you can see, source and destination are a matter of perspective. If you are configuring iptables on your F12Host machine, your point of reference for your Fedora2 machine will be different, or opposite.
 
Hopefully this chart will provide a visual for determining how to configure your scripts.
 
== INPUT/OUTPUT Chain processing ==
 
The following diagrams give a visual sketch of the hand-off of a packet as it enters or leaves a given server, outlining in brief what is happening on the INPUT and OUTPUT chains.
 
=== INPUT Chain ===
 
<pre>
                              dest.
   src.               -------------------
 ---------            |      routing                                localhost       Local process
 |F12Host|>--wire-->eth0| Fedora2 -> decision --> INPUT chain --> filtering --> or application
 ---------            |      is made      \                         of rules
                      -------------------  \
                                            some routed elsewhere
                                            or sent to FORWARD chain
</pre>
 
=== OUTPUT Chain ===
 
<pre>
   src.
 ----------------------                                                                dest.
 |          Local process       routing                  localhost                    ---------
 |Fedora2 --> or application -> decision --> OUTPUT chain --> filtering --> eth0 --> wire --> |F12Host|
 |                              is made                     of rules      interface          ---------
 ----------------------
</pre>
 
== Sample Scripts from our Lab Material ==
 
<pre>
# iptables -F                 // flushes the rules from the table
# iptables -L                 // lists the rules running in memory
# iptables -P INPUT DROP      // sets the default policy of the INPUT chain to DROP inbound packets
# iptables -A OUTPUT -j LOG   // logs outgoing traffic to /var/log/messages
# iptables -I OUTPUT 1 -p tcp -s 0/0 -d 0/0 --dport 80 -j DROP
                              // drops outbound web requests; the rule is inserted
                              // at position 1 in the OUTPUT chain (chain name, then rule number)

# iptables -I INPUT 3 -p tcp -s 192.168.235.0/24 -d f12host --dport ssh -j DROP
                              // inserted as rule 3 of INPUT: drops ssh to f12host from the lab network
</pre>
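The command structure from the top of this page and the sample commands above, strung together into one ordered INPUT policy. This is an added example, not part of the lab material: LAB_NET and SSH_PORT are assumed values, and DRY_RUN (on by default) prints each iptables line instead of executing it so the rule order can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the OPS235 lab material: the commands, chains,
# matches and targets listed on this page strung into one ordered INPUT
# policy.  LAB_NET and SSH_PORT are assumed values for this example.
LAB_NET="${LAB_NET:-192.168.235.0/24}"   # assumed lab subnet
SSH_PORT="${SSH_PORT:-22}"               # assumed ssh port

# DRY_RUN=1 (the default here) prints each iptables command instead of
# executing it, so the rule order can be reviewed before it touches a host.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

lab_firewall() {
    run -F                              # start from an empty filter table
    run -P INPUT DROP                   # default for inbound: drop
    run -P OUTPUT ACCEPT                # default for outbound: accept
    run -A INPUT -i lo -j ACCEPT        # local processes talking to localhost
    # Replies to connections this host opened; without this, the INPUT DROP
    # policy would silently break every outbound session.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New ssh sessions only from the lab network (-p, -s, --dport matches).
    run -A INPUT -p tcp -s "$LAB_NET" --dport "$SSH_PORT" -j ACCEPT
    # Anything else is logged and then dropped.  LOG does not stop chain
    # traversal, so it has to sit in front of the DROP to see the packet.
    run -A INPUT -j LOG --log-prefix INPUT-DROP:
    run -A INPUT -j DROP
}

lab_firewall
```

Run it as root with DRY_RUN=0 to apply the rules, then `service iptables save` writes them to /etc/sysconfig/iptables as described above.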