http://www.adminsehow.com/2011/09/iptables-packet-traverse-map/
Syntax for IPTables Rules
iptables -A INPUT -i eth0 -p tcp -s 10.0.0.0/8 -d 192.168.1.0/24 -j DROP
class B: 172.16.0.0 - 172.31.255.255, i.e. 172.16.0.0/12 (netmask 255.240.0.0)
class C: 192.168.0.0 - 192.168.255.255, i.e. 192.168.0.0/16 (netmask 255.255.0.0)
IPTables Rules
Options
Specify Protocol
-p tcp, -p udp
Specify Source/Destination
-s 192.168.0.1/255.255.255.0 or -s ! 10.0.0.0/8
-d 192.168.0.5/255.255.255.0 or -d ! 10.0.0.0/8
Specify Interface
-i eth0 or -i eth+ (input, forward chains)
-o eth0 or -o eth+ (output, forward chains)
#these rules are checked first, in exactly this order; the packet is treated according to the first rule that matches
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp -s $MYSERVER --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --syn -j REJECT
iptables -A INPUT -p udp -j REJECT
#default rules, applied last (usually they are specified on top of file)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
What is the problem with this script?
Simple IPTables Firewall: allow in only DNS responses
#flush old rules
iptables -F
iptables -X #delete user-defined chains
# Replace xxx.xxx.xxx.xxx with IP address of name server
MYSERVER=xxx.xxx.xxx.xxx #no hardwiring; work with variables
#these rules are checked first, in exactly this order; the packet is treated according to the first rule that matches
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp -s $MYSERVER --sport 53 -j ACCEPT
#iptables -A INPUT -p tcp --syn -j REJECT
#iptables -A INPUT -p udp -j REJECT
#default rules, applied last (usually they are specified on top of file)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
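To see why the default policies matter in the "what is the problem with this script?" slide and its corrected version above, here is an added Python model (not from the slides) of iptables first-match evaluation, run over the same INPUT rules under both policies; the probe packets and the name-server address standing in for $MYSERVER are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    iface: str = "eth0"      # interface the packet arrived on
    src: str = "0.0.0.0"
    sport: int = 0
    syn: bool = False        # TCP SYN without ACK, i.e. a new connection

@dataclass
class Rule:
    target: str                      # ACCEPT, DROP or REJECT
    iface: Optional[str] = None      # -i
    proto: Optional[str] = None      # -p
    src: Optional[str] = None        # -s
    sport: Optional[int] = None      # --sport
    syn: Optional[bool] = None       # --syn

    def matches(self, p: Packet) -> bool:
        # Every option set on the rule must equal the packet field; unset options match anything.
        pairs = [(self.iface, p.iface), (self.proto, p.proto), (self.src, p.src),
                 (self.sport, p.sport), (self.syn, p.syn)]
        return all(want is None or want == have for want, have in pairs)

def evaluate(chain, policy, p):
    """First match wins: walk the chain in order and return the first matching
    rule's target; if nothing matches, the chain policy (-P) decides."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

MYSERVER = "198.51.100.53"   # constructed name-server address (RFC 5737 test range)
INPUT_RULES = [              # same rules, same order as the slide's script
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", proto="udp", src=MYSERVER, sport=53),
    Rule("REJECT", proto="tcp", syn=True),
    Rule("REJECT", proto="udp"),
]

def verdicts(policy):
    """Verdict for each constructed probe packet under the given INPUT policy."""
    probes = {
        "dns_reply": Packet("udp", src=MYSERVER, sport=53),
        "tcp_syn":   Packet("tcp", syn=True),
        "tcp_ack":   Packet("tcp"),        # TCP that is not a SYN: no rule matches it
        "icmp_echo": Packet("icmp"),       # no rule in the script mentions icmp at all
    }
    return {name: evaluate(INPUT_RULES, policy, pkt) for name, pkt in probes.items()}
```

With the policy at ACCEPT, anything the two REJECT rules do not name (non-SYN TCP, ICMP) is let in; with the policy at DROP the explicit REJECT rules become unnecessary, which is why the corrected script comments them out.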
Advanced IPTables Firewall
Implementation
Two basic network flavors: private network behind a NAT, or servers in a DMZ
IPTables can do:
Packet Forwarding
Network Address Translation (NAT)
Destination NAT
Source NAT
Masquerading
Enabling Linux Routing
DMZ Setup
SOHO Setup
[Figure: private network - NAT - public network]
Public and Private
Firewall F has:
prF: private IP on internal interface IIF
pubF: public IP on external interface EIF
Server S is DNATed; it has:
prS: private IP
pubS: public IP
where pubS = pubF
Client C is SNATed; it has:
prC: private IP
pubC: public IP
where pubC = pubF
Packet Forwarding
Multi-homed hosts
Filter packets traversing network interfaces
Routing host or router
Forwarded packets traverse the IPTables FORWARD
chain associated with the filter table.
Add rules to the FORWARD chain to control flow of traffic
between networks.
IIF=eth0 #internal interface
EIF=eth1 #external interface
iptables -P FORWARD DROP
iptables -A FORWARD -i $IIF -o $EIF -j ACCEPT
iptables -A FORWARD -i $EIF -o $IIF -j ACCEPT
Packet Forwarding
Example
iptables -P FORWARD DROP
Example:
# -o cannot be used in PREROUTING (the output interface is not known yet)
iptables -t nat -A PREROUTING -i eth0 \
-p tcp -d 112.0.34.1 --dport 80 -j DNAT \
--to-destination 192.168.1.12:8080
For example:
If an internal client accesses the WebServer using the WebServer's public
address, the routing host performs DNAT and forwards the request
to the WebServer.
The WebServer sees the unmodified source address and sends replies
directly to the requestor.
The client does not properly associate the replies with its requests, since
the IP addresses don't match.
Accessing a DNAT Host from the local network, cntd.
Example: server at 192.168.1.1 is DNATed as 112.0.34.1.
So: when a local host contacts the server at 112.0.34.1,
the firewall DNATs it to 192.168.1.1 and gives it to the server;
the server replies directly to the client instead of replying
via the firewall, using source IP 192.168.1.1, so the
client cannot associate this reply with its original request.
Fixes
Split-horizon DNS
DNS server configured to handle internal requests differently from external
requests.
Router performs both SNAT and DNAT when handling internal
requests, so responses are sent via the router.
Accessing a DNAT Host from the local network, cntd.
Solution 1: substitute the IP address of the firewall as the source IP of packets destined
to the server; the server replies to the firewall (192.168.1.1); the firewall gives the reply to the client
# DNAT the public address to the server (no -o in PREROUTING)
iptables -t nat -A PREROUTING \
-i eth0 -d 192.0.34.72 \
-j DNAT --to-destination 192.168.1.72
# SNAT internal clients' packets to the firewall so the server replies via the firewall
iptables -t nat -A POSTROUTING \
-s 192.168.1.0/24 -d 192.168.1.72 \
-j SNAT --to-source 192.168.1.1
Accessing a DNAT Host from the local network: general formula
In general:
Firewall F has private IP prF and public IP pubF
Server S is DNATed; it has private IP prS and
public IP pubS, where pubS = pubF
Client C is SNATed; it has private IP prC and
public IP pubC, where pubC = pubF
Problem: Client C contacts the server at pubS, so the packet ends at F and F forwards it to prS.
Since the packet has sourceIP = prC, S replies directly to prC with sourceIP = prS,
and C cannot tell that the reply is associated with its request to pubS.
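Added example (not from the slides) tracing Solution 1 and the general formula above: the (src, dst) pair a packet carries at each hop when client C contacts the DNATed server S at pubS, with and without the extra SNAT rule. Firewall and server addresses are those of Solution 1; the client address prC is constructed.

```python
# Addresses from the Solution 1 slide; names follow the slides' prF/pubF/prS/pubS/prC.
prF, pubF = "192.168.1.1", "192.0.34.72"   # firewall: private IP on IIF, public IP on EIF
prS, pubS = "192.168.1.72", pubF           # server: private IP; pubS = pubF
prC = "192.168.1.50"                       # constructed internal client address

def nat_trace(hairpin_snat: bool):
    """Return the addresses seen at each hop and whether C can match the reply.
    hairpin_snat=False models DNAT alone; True adds the POSTROUTING SNAT rule."""
    # 1. C sends to the server's public address.
    sent = (prC, pubS)
    # 2. PREROUTING on F: DNAT pubS -> prS, source untouched.
    after_dnat = (sent[0], prS)
    # 3. POSTROUTING on F: with the fix, SNAT the source to prF as well.
    server_saw = (prF, prS) if hairpin_snat else after_dnat
    # 4. S replies to whatever source it saw, swapping the pair.
    reply = (server_saw[1], server_saw[0])
    # 5. A reply addressed to prF goes back through F, where connection tracking
    #    undoes both translations; otherwise S hands it to C on the LAN directly.
    if reply[1] == prF:
        reply_at_c = (pubS, prC)
    else:
        reply_at_c = reply
    # C only associates a reply with its request if it comes from the address it contacted.
    return {"sent": sent, "server_saw": server_saw, "reply_at_c": reply_at_c,
            "client_matches_reply": reply_at_c[0] == sent[1]}
```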
Accessing a DNAT Host from the local network: general formula, cntd.
Recap: Firewall F has private IP prF and public IP pubF
Server S is DNATed; it has private IP prS and
public IP pubS, where pubS = pubF
Client C is SNATed; it has private IP prC and
public IP pubC, where pubC = pubF