Iptables Linux Firewall
Iptables is a Linux firewall that is also capable of doing NAT • Consists of a set of rules • Rules are normally kept in a config script and are written as iptables commands. • The two most important tables in iptables are FILTER and NAT
FILTER • Consists of the chains INPUT, OUTPUT and FORWARD • The rules in these chains decide whether incoming packets are dropped (DROP) or accepted (ACCEPT)
INPUT • INPUT deals with all received packets that have the machine running iptables as their destination. This means that only packets meant for the machine running iptables are processed by this chain. • Packets meant for other machines are processed by the FORWARD chain.
FORWARD • FORWARD deals with packets that arrive at the machine running iptables but are meant to be forwarded to other machines. • They can be forwarded to a machine on the local network or to a machine on an external network.
OUTPUT • OUTPUT deals with packets that originate on the machine running iptables and are going out to another machine. • Packets coming from the local net and going out are not processed in this chain but in the FORWARD chain.
NAT • Consists of the chains POSTROUTING, PREROUTING and OUTPUT • The rules in these chains decide how addresses are to be translated
PREROUTING • PREROUTING deals with external, incoming packets before the IP stack has decided where they are going. • It is responsible for performing NAT on these packets and sending them to the desired location.
POSTROUTING • POSTROUTING deals with packets after the IP stack has decided where they are going. • Used when you want to change the sender address on an outgoing packet that comes from a local machine.
OUTPUT • Like the OUTPUT chain in the FILTER table, OUTPUT deals with outgoing packets that originate on the machine running iptables.
The firewall script • Close the firewall completely • Flush all pre-existing rules • Open for the packets you want to allow, and use NAT for the ones that have to be rerouted • If necessary, use a timer on your script when configuring the firewall from a remote location
#/root/timer& • iptables --policy INPUT DROP • iptables --policy OUTPUT DROP • iptables --policy FORWARD DROP • iptables -t filter -F • iptables -t nat -F
Allows access to the internet from the machine: • iptables -A OUTPUT -o eth1 -p tcp --dport 80 -m state --state NEW -j ACCEPT • Allows ssh access to the machine: • iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -j ACCEPT
Reroutes packets arriving on port 5901 to port 5900 on the local machine 10.0.0.4 • iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5901 -j DNAT --to-destination 10.0.0.4:5900 • Allows the forwarded packets on port 5900 through to the local machine. • iptables -A FORWARD -i eth1 -p tcp --dport 5900 -m state --state NEW -j ACCEPT
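The four steps of the firewall script (close, flush, open, timer) assembled into one runnable script, as an added example that is not the slide deck's own script. It keeps the slides' interface (eth1) and VNC host (10.0.0.4) as defaults, and adds two things the slides leave out that a practitioner hits immediately: with DROP policies and only NEW connections accepted, the replies to the allowed connections are dropped too, so ESTABLISHED,RELATED rules (and loopback rules) are needed; and the FORWARD rule for the DNAT'ed packets is narrowed to the VNC host. The IPT variable is an assumption of this example so the rules can be dry-run with IPT=echo before touching a live box; the timer function is one way to implement the remote-lockout safeguard the slides describe.

```shell
#!/bin/sh
# Added example, not the slides' script. Assumptions: eth1 is the external
# interface, 10.0.0.4 is the local VNC host (both from the slides); IPT can be
# set to "echo" to dry-run and inspect the rules instead of installing them.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth1}"
VNC_HOST="${VNC_HOST:-10.0.0.4}"

# Steps 1 and 2: close the firewall completely and flush pre-existing rules.
close_and_flush() {
    "$IPT" --policy INPUT DROP
    "$IPT" --policy OUTPUT DROP
    "$IPT" --policy FORWARD DROP
    "$IPT" -t filter -F
    "$IPT" -t nat -F
}

# Step 3: open only what is needed. The ESTABLISHED,RELATED rules are the
# caveat the slides omit: without them, default-DROP plus NEW-only rules
# drops every reply packet and no connection ever completes.
open_allowed() {
    "$IPT" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Local processes talking to each other over loopback.
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    # Web access from the machine itself (slide rule).
    "$IPT" -A OUTPUT -o "$EXT_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # ssh to the machine (slide rule).
    "$IPT" -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # DNAT 5901 -> VNC host:5900 in the NAT table, plus the FORWARD rule in
    # the FILTER table that lets the translated packet through; narrowed to
    # the VNC host so the hole is not wider than the redirect needs.
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 5901 \
        -j DNAT --to-destination "$VNC_HOST:5900"
    "$IPT" -A FORWARD -i "$EXT_IF" -p tcp -d "$VNC_HOST" --dport 5900 \
        -m state --state NEW -j ACCEPT
}

# Step 4: safety net for remote configuration. Reopens the firewall.
open_everything() {
    "$IPT" -t filter -F
    "$IPT" -t nat -F
    "$IPT" --policy INPUT ACCEPT
    "$IPT" --policy OUTPUT ACCEPT
    "$IPT" --policy FORWARD ACCEPT
}

# Start this in the background before applying the rules; if the new rules
# lock you out, the firewall reopens after $1 seconds. Kill the background
# job once you have confirmed you can still reach the machine.
timer() {
    sleep "${1:-120}"
    open_everything
}

apply_firewall() {
    close_and_flush
    open_allowed
}

case "${1:-}" in
    "")     ;;                      # sourced or run without arguments: do nothing
    apply)  apply_firewall ;;
    timer)  timer "${2:-120}" ;;
    reopen) open_everything ;;
    *)      echo "usage: $0 apply|timer [seconds]|reopen" >&2; exit 2 ;;
esac
```

Dry-run with `IPT=echo sh firewall.sh apply` to read the 14 rules that would be installed; on the real box run `sh firewall.sh timer 120 &` first, then `sh firewall.sh apply`, and kill the timer job only after a fresh ssh session succeeds.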