Iptables: System and Network Security

Iptables is the default firewall software that comes with most Linux distributions. It has four tables (Filter, NAT, Mangle, Raw) that contain built-in chains for processing packets. The Filter table is used by default to accept or drop incoming and outgoing packets. The NAT table performs network address translation to masquerade or redirect traffic. Iptables uses rules containing criteria like source/destination IP addresses and ports to match packets and apply targets such as ACCEPT, DROP, or LOG actions.

Uploaded by

Manoj Sk
Copyright
© Attribution Non-Commercial (BY-NC)

IPTables

System And Network Security


Introduction
• "iptables" is the default firewall that comes with most modern GNU/Linux distributions.
• It also has the capability to block some types of Denial of Service attack.
• It can also filter based on MAC address.
• IPTables performs Network Address Translation.
Tables And Chains
Tables
• It has 4 built-in tables:
  • Filter Table
  • NAT Table
  • Mangle Table
  • Raw Table
Filter Table
• Filter is the default table for iptables.
• iptables' filter table has the following built-in chains:
  • INPUT chain
    • Incoming to the firewall. For packets destined to the local server.
  • OUTPUT chain
    • Outgoing from the firewall. For packets generated locally and leaving the local server.
  • FORWARD chain
    • Packets for another NIC on the local server. For packets routed through the local server.
NAT Table
• iptables' NAT table has the following built-in chains:
  • PREROUTING chain
    • Packet translation happens immediately after the packet arrives on the system (before routing).
    • Translates the destination IP address: DNAT (destination NAT).
  • POSTROUTING chain
    • Packet translation happens when the packets are leaving the system.
    • Translates the source IP address: SNAT (source NAT).
  • OUTPUT chain
    • NAT for locally generated packets on the firewall.
Mangle Table And Raw Table
• iptables' Mangle table is for specialized packet alteration.
  • This alters QoS bits in the TCP header.
• The Mangle table has the following built-in chains:
  • PREROUTING chain
  • OUTPUT chain
  • FORWARD chain
  • INPUT chain
  • POSTROUTING chain
• iptables' Raw table is for configuration exceptions.
• The Raw table has the following built-in chains:
  • PREROUTING chain
  • OUTPUT chain
IPTables Rules
• A rule contains match criteria and a target.
• If the criteria are matched, processing continues with the rules of the chain named by the target, or the special target value given (such as ACCEPT or DROP) is executed.
• If the criteria are not matched, processing moves on to the next rule in the chain.
• Some target values are:
  • ACCEPT
  • DROP
  • LOG
  • REJECT
  • MASQUERADE
Examples
• Syntax:
  iptables -t <tablename> -A <chain> -j <target>
• Example:
  # flush all rules in the (default) filter table
  iptables -F
  # list the current rules
  iptables -L
  # accept MySQL (TCP 3306) connections from the single host 10.10.10.10
  iptables -A INPUT -p tcp -s 10.10.10.10 --dport 3306 -j ACCEPT
  # drop new and established SSH connections to 195.55.55.78 from any source port 513-65535
  iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 195.55.55.78 --dport 22 -m state --state NEW,ESTABLISHED -j DROP
  # in the user-defined chain TCP_FLAGS, reject TCP packets that have FIN set but ACK clear
  iptables -A TCP_FLAGS -p tcp --tcp-flags ACK,FIN FIN -j REJECT
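The slides show individual rules; the added script below (not part of the original slides) puts the ideas of the Rules and Examples sections together into one stateful filter-table ruleset: default-deny policies, a user-defined chain (TCP_FLAGS, the chain name used above, with contents chosen for this example) that a rule in INPUT jumps to, a rate-limited LOG before the final DROP, and an assumed management network 10.10.10.0/24 for SSH. The ipt wrapper and the IPT_DRY_RUN variable are also assumptions for the example: with IPT_DRY_RUN=1 the script prints the rules instead of applying them, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original slides): a baseline stateful host
# firewall in the filter table. IPT_DRY_RUN=1 prints the iptables commands
# instead of running them. Assumed values: management network 10.10.10.0/24,
# SSH on TCP port 22.

ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_host_firewall() {
    # Start from an empty filter table; deny inbound and forwarded traffic by default.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, and replies to connections this host opened itself.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # A user-defined chain is a target that is itself a list of rules: the packet
    # jumps into it, and if nothing matches it returns to INPUT after the jump.
    ipt -N TCP_FLAGS
    ipt -A TCP_FLAGS -p tcp --tcp-flags ALL NONE -j DROP          # no flags at all
    ipt -A TCP_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP   # SYN and FIN together
    ipt -A TCP_FLAGS -p tcp --tcp-flags ACK,FIN FIN -j REJECT     # FIN without ACK (slide example)
    ipt -A INPUT -p tcp -j TCP_FLAGS

    # New SSH connections only from the assumed management network.
    ipt -A INPUT -p tcp -s 10.10.10.0/24 --dport 22 -m state --state NEW -j ACCEPT

    # Everything else: log at a bounded rate (so the log cannot be flooded), then drop.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP:"
    ipt -A INPUT -j DROP
}

# Print the ruleset for review when the script is run directly.
IPT_DRY_RUN=1 build_host_firewall
```

Order matters: the ESTABLISHED,RELATED rule sits before the TCP_FLAGS jump so that every packet of an accepted connection is matched once by the cheap state rule, and the unconditional DROP is last so that the LOG rule before it sees only packets no earlier rule accepted.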
NAT
• DNAT
  • Destination NAT is always done before routing.
  • Done when the packet first comes off the wire.
  • Port forwarding, load sharing, and transparent proxying are all forms of DNAT.
• SNAT
  • Source NAT is always done post-routing.
  • Done just before the packet goes out onto the wire.
  • Masquerading is a specialized form of SNAT.
Example SNAT
• iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
  • MASQUERADE automatically chooses the address.
  • MASQUERADE forgets old connections when the interface goes down.
• iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
Example DNAT
• iptables -t nat -A PREROUTING -d 10.10.20.99 -j DNAT --to-destination 10.10.14.2
• iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
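The SNAT and DNAT slides show the nat-table rules in isolation. The added script below (not from the original slides) shows how they fit together on a small gateway and adds the part the nat table alone does not cover: a DNATed packet is still inspected by the filter table's FORWARD chain, where it matches on its translated destination, so a FORWARD policy of DROP needs an explicit accept for the forwarded service. The topology (eth0 as WAN, eth1 as LAN 192.168.1.0/24, a web server at 192.168.1.20), the ipt wrapper and the IPT_DRY_RUN variable are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original slides): a NAT gateway that masquerades a
# LAN and port-forwards TCP 80 to an internal web server. IPT_DRY_RUN=1 prints the
# iptables commands instead of running them. All addresses and interface names
# below are assumed values for the example.

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
WEB_SERVER=192.168.1.20

ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_nat_gateway() {
    # The kernel must route between interfaces; NAT rules alone do nothing for
    # forwarded traffic. Skipped in dry-run mode because it needs root.
    [ "${IPT_DRY_RUN:-0}" = "1" ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null

    ipt -t nat -F
    ipt -F FORWARD
    ipt -P FORWARD DROP

    # SNAT, post-routing: LAN traffic leaves with the WAN interface's address.
    # MASQUERADE picks that address at run time, so it suits a dynamic WAN IP.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # DNAT, pre-routing: TCP 80 arriving on the WAN side is rewritten to the
    # internal web server before the routing decision is made.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER":80

    # Filter table: FORWARD sees the packet after DNAT, so it is matched on the
    # translated destination. Allow replies, LAN-originated traffic, and exactly
    # the forwarded service; log (rate limited) whatever falls through to the DROP policy.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP:"
}

# Print the ruleset for review when the script is run directly.
IPT_DRY_RUN=1 build_nat_gateway
```

Restricting the DNAT rule to `-i eth0` keeps the port forward from also rewriting LAN traffic that happens to hit port 80 on the gateway, and matching the FORWARD accept on `-d 192.168.1.20 --dport 80` rather than on the public address is what makes the two tables agree.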
