Important iptables Command Switch Operations

Each line of an iptables script not only has a jump, but also a number of command-line options that are used to append rules to chains that match your defined packet characteristics, such as the source IP address and TCP port. There are also options that can be used to just clear a chain so you can start all over again. Figure through 14.7 list the most common options.

Figure General iptables Match Criteria

iptables Command Switch      Description

-t <table>                   If you don't specify a table, the filter table is assumed. The possible built-in tables are filter, nat and mangle.
-j <target>                  Jump to the specified target chain when the packet matches the current rule.
-A                           Append the rule to the end of a chain.
-F                           Flush: deletes all the rules in the selected table.
-p <protocol-type>           Match protocol. Types include icmp, tcp, udp and all.
-s <ip-address>              Match the source IP address.
-d <ip-address>              Match the destination IP address.
-i <interface-name>          Match the input interface on which the packet enters.
-o <interface-name>          Match the output interface on which the packet exits.


In this example of command switches:

     iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT

iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's IP address of 192.168.1.1. The 0/0 representation of an IP address means any.

Common TCP and UDP Match Criteria

Switch                    Description

-p tcp --sport <port>     TCP source port; can be a single value or a range in the format start-port:end-port
-p tcp --dport <port>     TCP destination port; can be a single value or a range in the format start-port:end-port
-p tcp --syn              Used to identify a new connection request; ! --syn means not a new connection request
-p udp --sport <port>     UDP source port; can be a single value or a range in the format start-port:end-port
-p udp --dport <port>     UDP destination port; can be a single value or a range in the format start-port:end-port


In this example:

     iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
              --sport 1024:65535 --dport 80 -j ACCEPT

iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for an IP address of 192.168.1.58 that is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination port is port 80 (www/http).

Common ICMP (Ping) Match Criteria

Matches used with --icmp-type    Description

--icmp-type <type>               The most commonly used types are echo-reply and echo-request.


In this example:

     iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
     iptables -A INPUT  -p icmp --icmp-type echo-reply   -j ACCEPT

iptables is being configured to allow the firewall to send ICMP echo-requests (pings) and in turn, accept the expected ICMP echo-replies.

Consider another example:

     iptables -A INPUT -p icmp --icmp-type echo-request \
              -m limit --limit 1/s -i eth0 -j ACCEPT

The limit feature in iptables specifies the maximum average number of matches to allow per second. You can specify time intervals in the format /second, /minute, /hour, or /day, or you can use abbreviations so that 3/second is the same as 3/s.

In this example, ICMP echo requests are restricted to no more than one per second. When tuned correctly, this feature allows you to filter the unusually high volumes of traffic that characterize denial of service (DoS) attacks and Internet worms.

     iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

You can expand on the limit feature of iptables to reduce your vulnerability to certain types of denial of service attacks. Here a defense against SYN flood attacks is created by limiting the acceptance of TCP segments with the SYN bit set to no more than five per second.

Common Extended Match Criteria

Switch                              Description

-m multiport --sports <port,port>   A variety of TCP/UDP source ports separated by commas. Unlike when -m isn't used, they do not have to be within a range.
-m multiport --dports <port,port>   A variety of TCP/UDP destination ports separated by commas. Unlike when -m isn't used, they do not have to be within a range.
-m multiport --ports <port,port>    A variety of TCP/UDP ports separated by commas. Source and destination ports are assumed to be the same and they do not have to be within a range.
-m state --state <state>            The most frequently tested states are:

                                    ESTABLISHED: The packet is part of a connection that has seen packets in both directions.
                                    NEW: The packet is the start of a new connection.
                                    RELATED: The packet is starting a new secondary connection. This is a common feature of protocols such as FTP (the data connection) and of ICMP error messages.
                                    INVALID: The packet couldn't be identified. This could be due to insufficient system resources or to ICMP errors that don't match an existing data flow.


This is an expansion on the previous example:

     iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
              --sport 1024:65535 -m multiport --dport 80,443 -j ACCEPT

     iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP \
              -m state --state ESTABLISHED -j ACCEPT

Here iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address destined for the IP address 192.168.1.58, which is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination ports are 80 (www/http) and 443 (https). The return packets from 192.168.1.58 are accepted too: instead of stating the source and destination ports, you can simply allow packets belonging to established connections using the -m state and --state ESTABLISHED options.
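As an added illustration (not part of the original text), the following Python model replays the rate-limited ping and SYN rules and the ESTABLISHED rule above against a constructed INPUT chain with a DROP policy. It assumes the documented token-bucket behaviour of -m limit, including the default --limit-burst of 5, and shows two things the rule listings alone do not: packets beyond the limit are not dropped by the limit rule itself but fall through to later rules or the chain policy, and a 1/s limit still admits an initial burst of five.

```python
from fractions import Fraction
class Limit:
    """'-m limit' as a token bucket: --limit refills it, --limit-burst sizes it (default 5)."""
    def __init__(self, rate_per_s, burst=5):
        self.rate, self.burst = Fraction(rate_per_s), burst
        self.tokens, self.last = Fraction(burst), Fraction(0)

    def take(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False   # average rate exceeded: this rule simply does not match

def matches(rule, pkt, now):
    """Every switch in the rule must match the packet; '-m limit' is consulted last."""
    for key in ("p", "i", "icmp_type", "syn", "state"):
        if key in rule and pkt.get(key) != rule[key]:
            return False
    return rule["limit"].take(now) if "limit" in rule else True

def evaluate(chain, policy, pkt, now=Fraction(0)):
    """The first matching rule decides (its -j target); otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt, now):
            return rule["target"]
    return policy

def input_chain():
    """Constructed INPUT chain modelled on the text's rate-limited and ESTABLISHED rules."""
    return [
        {"p": "icmp", "icmp_type": "echo-request", "i": "eth0", "limit": Limit(1), "target": "ACCEPT"},
        {"p": "tcp", "syn": True, "i": "eth0", "limit": Limit(5), "target": "ACCEPT"},
        {"p": "tcp", "state": "ESTABLISHED", "target": "ACCEPT"},
    ]

def accepted(chain, pkt, count, seconds):
    """Send `count` copies of pkt evenly spread over `seconds`; count the ACCEPT verdicts."""
    return sum(evaluate(chain, "DROP", pkt, Fraction(seconds) * i / count) == "ACCEPT"
               for i in range(count))

SYN = {"p": "tcp", "syn": True, "i": "eth0"}                    # constructed sample packets
PING = {"p": "icmp", "icmp_type": "echo-request", "i": "eth0"}
DATA = {"p": "tcp", "i": "eth0", "state": "ESTABLISHED"}

if __name__ == "__main__":
    print("pings accepted, 10 sent in 1 s:", accepted(input_chain(), PING, 10, 1))  # 5 (the burst)
    print("SYNs accepted, 50 sent in 1 s:", accepted(input_chain(), SYN, 50, 1))    # 9
    print("packet of an established flow:", evaluate(input_chain(), "DROP", DATA))  # ACCEPT
```

The SYN count of 9 is the burst of 5 plus the four that the 5/s refill permits during the rest of the second; the remaining 41 reach the DROP policy, which is what actually protects the host.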