Some Tricky Rules with Iptables!

Welcome friends, today I’ll present some rules that might be beneficial to you! I’ll write about

  • blocking an IP address
  • allowing incoming SSH
  • allowing incoming HTTP
  • allowing ping from inside to outside
  • logging of packets
  • and some ICMP queries

How to block a specific IP address?

Suppose you have an IP address you want to block; it might be a website or a computer. As an example, if I don’t want to allow someone to watch YouTube on my PC, I just ping youtube and copy the IP address (or take it from DNS queries). Then I run the following commands:

ip_address="x.x.x.x" # storing the IP address in a variable for further use

sudo iptables --append INPUT --source "$ip_address" --jump DROP

The above command tells iptables to append an INPUT rule that drops packets coming from that particular IP address. Since iptables checks rules in order, an appended rule lands after any rules already in the chain. (It’s not a complete solution but a starting point.)

How to allow Incoming SSH?

Run this command:

sudo iptables --append INPUT --source 192.168.0.0/16 --match state --state NEW --protocol tcp --dport 223 --jump ACCEPT

The above command adds another INPUT rule, saying: if a TCP packet arrives for port 223 (the usual port is 22; I’ve configured SSH to listen on 223) from the network 192.168.0.0/16 (you can change it; currently it is my LAN), with the condition that the packet’s state is NEW, meaning someone on the LAN is initiating a connection to our host, let the packet in.

If you have read my previous post, you will know that for established connections I already have a rule that lets packets in and out in the ESTABLISHED state. So I only have to allow the incoming NEW packet, and the connection is then established.

How to allow Incoming HTTP?

Run this command:

sudo iptables --append INPUT --source 192.168.0.0/16 --match state --state NEW --protocol tcp --dport 80 --jump ACCEPT

Just like the SSH rule, this command works for HTTP, as we have specified port number 80 here. So if you have a web server, anyone on the local network can access it. In the same way you can allow any kind of service by just changing the port number and running the above command.

Allow ping from inside to outside!

Why not from outside to inside? Well, if you are not giving any service to the outside world, it’s not good to allow the outside world to ping you. It lets script kiddies know that you are there, and they will try to get information, even launch their attacks on you, and may be able to hack into you. (Terrible!)

Okay, the command is:

sudo iptables --append OUTPUT --protocol icmp --icmp-type echo-request --jump ACCEPT

sudo iptables --append INPUT --protocol icmp --icmp-type echo-request --jump DROP

The first rule appends to the OUTPUT chain for the ICMP protocol, saying: let our ping requests go out to the outside world. The second rule says drop the packet if any echo/ping request is received, so that my computer will not reply to the outside world (and people will think I’m sleeping). NOTE: it’s not enough!

Logging of Packets!

Well, as you see and know, logging means keeping a record of something. Here we keep a record of packets, so that I may find out who was doing what.

For just a simple rule:

sudo iptables --append INPUT --jump LOG --log-prefix "INPUT: "

Here we are appending a logging rule to the INPUT chain, logging everything that comes in, and attaching the string “INPUT: ” to each entry, so that the input entries are easy to find when we check the log file.

sudo iptables --append OUTPUT --jump LOG --log-prefix "OUTPUT: "

The same command for outgoing packets, logging every output packet!

These are simple rules, just to make things understandable; we can add state matching and many other things, but this tutorial is just for beginners. I’ll describe these things later.
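As an added example (not code from the original post), here is a small script that reads the kernel log lines the “INPUT: ” rule produces and summarises them per source, so you can actually see who was doing what; the log lines, host name, interface and addresses are constructed.

```shell
#!/bin/bash
# Added example (not from the original post): summarise what the "INPUT: "
# LOG rule above writes to the kernel log. The sample lines are constructed
# in the format of the iptables LOG target; host, interface and addresses
# are invented.
SAMPLE_LOG='Apr 22 19:20:01 no3 kernel: INPUT: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 22 19:20:02 no3 kernel: INPUT: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 22 19:20:03 no3 kernel: INPUT: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 22 19:20:04 no3 kernel: INPUT: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.10 LEN=60 TTL=64 ID=4 DF PROTO=TCP SPT=50111 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 22 19:20:05 no3 kernel: INPUT: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.10 LEN=84 TTL=54 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
Apr 22 19:20:06 no3 kernel: OUTPUT: IN= OUT=eth0 SRC=192.168.1.10 DST=10.0.0.9 LEN=84 TTL=64 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=778 SEQ=1'

# Read log lines on stdin; for every "INPUT: " entry count packets per
# source, protocol and destination port (ICMP has no port, so use its type).
# Output: "<count> <src> <proto> <dpt=N|type=N>", busiest first.
summarize_input_log() {
  awk '
    /INPUT: / {
      src = "?"; proto = "?"; dst = "?"
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC")   src   = kv[2]
        if (kv[1] == "PROTO") proto = kv[2]
        if (kv[1] == "DPT")   dst   = "dpt=" kv[2]
        if (kv[1] == "TYPE")  dst   = "type=" kv[2]
      }
      count[src " " proto " " dst]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Print sources that sent at least $1 packets (default 3) to one port; a
# burst of SYNs to port 22 from one host is worth a closer look.
flag_sources() {
  local threshold="${1:-3}"
  summarize_input_log | awk -v t="$threshold" '$1 >= t { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_input_log
```

On a real system you would feed it `journalctl -k` or `dmesg` output instead of the constructed sample; the OUTPUT: line is there to show that the other prefix is ignored.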

ICMP queries rule!

Now what is this? Well, in short it means Internet Control Message Protocol. It communicates error messages and other conditions that require attention, just like the ping request we made and the ping reply we get back. There are many types of queries and error messages in ICMP; we most often use ping, which is just one of them.

I’m stating two more ICMP queries here:

sudo iptables --append OUTPUT --protocol icmp --icmp-type timestamp-request --jump ACCEPT

sudo iptables --append INPUT --protocol icmp --icmp-type timestamp-request --jump DROP

The above two are for timestamp requests. That is also a good method to find out whether a host is up when it is dropping ping requests, so be careful about this too. Another one is:

sudo iptables --append OUTPUT --protocol icmp --icmp-type address-mask-request --jump ACCEPT

sudo iptables --append INPUT --protocol icmp --icmp-type address-mask-request --jump DROP

Now overall your firewall.sh will look like this (if you have made one, from my previous post ):


#! /bin/bash

sudo iptables --flush

sudo iptables --policy INPUT DROP

sudo iptables --policy OUTPUT DROP

sudo iptables --policy FORWARD DROP

sudo iptables --append INPUT --in-interface lo --jump ACCEPT

sudo iptables --append OUTPUT --out-interface lo --jump ACCEPT

# logging rule before any other input rule but after the localhost rule: we don't want to collect local packets, it's of no use.

sudo iptables --append INPUT --jump LOG --log-prefix "INPUT: "

# actually you don't need the echo-request rule, because we have configured our system to drop new incoming packets by default.

sudo iptables --append INPUT --protocol icmp --icmp-type echo-request --jump DROP

sudo iptables --append INPUT --source 192.168.0.0/16 --match state --state NEW --protocol tcp --dport 22 --jump ACCEPT

sudo iptables --append INPUT --source 192.168.0.0/16 --match state --state NEW --protocol tcp --dport 80 --jump ACCEPT

sudo iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT

# logging outgoing packets, but not localhost ones, because we have placed it after the localhost rule and before the other outgoing rules.

sudo iptables --append OUTPUT --jump LOG --log-prefix "OUTPUT: "

# actually you don't need the echo-request rule, because we have configured our system to allow outgoing packets.

sudo iptables --append OUTPUT --protocol icmp --icmp-type echo-request --jump ACCEPT

sudo iptables --append OUTPUT --match state --state NEW,ESTABLISHED --jump ACCEPT

sudo iptables-save | sudo tee /etc/iptables/iptables.rules


Now set the executable permission so the script can run, run it, and see the result with:

sudo iptables --list --verbose

Featured post

How to make iptable rules in Arch Linux?

This tutorial is for beginners who want to learn iptables (the firewall system) in Linux and use it on Arch. I am Shantanu Sharma. Welcome to my blog. Let’s start!

First of all, on newly installed Arch systems, iptables is available as a system service.

Let’s check whether it is active or not by running the command: sudo systemctl status iptables.

You will see something like this as output:

[shansharma@no3 ~]$ sudo systemctl status iptables
● iptables.service – Packet Filtering Framework
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Apr 22 18:44:42 no3 systemd[1]: Starting Packet Filtering Framework…
Apr 22 18:44:43 no3 systemd[1]: Started Packet Filtering Framework.
Apr 22 19:15:32 no3 systemd[1]: Stopping Packet Filtering Framework…
Apr 22 19:15:32 no3 iptables-flush[1300]: /usr/sbin/iptables
Apr 22 19:15:32 no3 systemd[1]: Stopped Packet Filtering Framework.

To start the iptables service, run: sudo systemctl start iptables, but that starts it only for this session. To make it run permanently after rebooting, use another command too: sudo systemctl enable iptables. After running both commands, to start and to enable iptables, you will see something like this:

[shansharma@no3 ~]$ sudo systemctl status iptables
● iptables.service – Packet Filtering Framework
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Sat 2017-04-22 19:18:56 IST; 1min 30s ago
 Main PID: 1366 (code=exited, status=0/SUCCESS)

Apr 22 19:18:56 no3 systemd[1]: Starting Packet Filtering Framework…
Apr 22 19:18:56 no3 systemd[1]: Started Packet Filtering Framework.

You will see an active status and enabled written on the Loaded line; it means iptables is now ready to work every time you start your PC. Now, let’s learn some rules first:

To flush all rules (for example if you already have some rules), you can run:

sudo iptables --flush # this command will clear all rules.

Now let’s set some default actions. The firewall has 3 default policies, for incoming packets, outgoing packets and forwarded packets (forwarding is used when the system acts as a router; I will talk about this later). To set the default action for all these packets, run:

sudo iptables --policy INPUT DROP

sudo iptables --policy OUTPUT DROP

sudo iptables --policy FORWARD DROP

Now that we have set the default policies, any packet that does not match our rules (which we are going to understand later) will fall through to the default and be dropped. It provides a little bit of safety for the system.

Now, let’s make some rules for input:

sudo iptables --append INPUT --in-interface lo --jump ACCEPT

The above command appends a rule to the INPUT chain to accept packets coming from the local (loopback) interface, so that the system can work easily. We also have to add a rule for outgoing packets on the local interface:

sudo iptables --append OUTPUT --out-interface lo --jump ACCEPT

Now let’s make some rules to talk with the outside world.

sudo iptables --append OUTPUT --match state --state NEW,ESTABLISHED --jump ACCEPT

sudo iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT

Here we first appended a rule to the OUTPUT chain to match packets that are NEW or ESTABLISHED and let them out, so that we can send packets (meaning initiate connections with the outside world).

The second rule tells the INPUT chain to let in packets that belong to an ESTABLISHED or RELATED connection, but not a NEW one. It means we can initiate connections, but someone on the other side of the world cannot. So, overall it’s a security measure.

Now, as the last step, we have to save our rules somewhere so that we don’t have to write them again and again. Put all your rules in a text file and save it as something like firewall.sh.

Now let’s add a line at the end of file:

sudo iptables-save | sudo tee /etc/iptables/iptables.rules

The above line states: save the iptables rules, then use the pipe operator to send the result to the tee command, which reads from standard input and writes to standard output and to files. Here it writes the rules into the /etc/iptables directory with the name iptables.rules, which makes it easy for the system to reload the rules when we reboot.


Finally your script file ‘firewall.sh’ will look like this:

#! /bin/bash
# don't forget the line above at the top of the script (keep it on its own line: the kernel passes anything after the interpreter as an argument to it).

sudo iptables --flush

sudo iptables --policy INPUT DROP

sudo iptables --policy OUTPUT DROP

sudo iptables --policy FORWARD DROP

sudo iptables --append INPUT --in-interface lo --jump ACCEPT

sudo iptables --append OUTPUT --out-interface lo --jump ACCEPT

sudo iptables --append OUTPUT --match state --state NEW,ESTABLISHED --jump ACCEPT

sudo iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT

sudo iptables-save | sudo tee /etc/iptables/iptables.rules

Now change the permission to make it executable: sudo chmod u+x firewall.sh

and run it: ./firewall.sh.


Suppose you want to check which rules are currently in force. Run this command:

sudo iptables --list --verbose

You will get output like this:

# first of all rules for input

Chain INPUT (policy DROP 3 packets, 156 bytes)
 pkts bytes target     prot opt in     out     source               destination
   97  416K ACCEPT     all  --  lo     any     anywhere             anywhere
 7488 5268K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED

# then forward rules, it will be blank
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

# and then output rules
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   97  416K ACCEPT     all  --  any    lo      anywhere             anywhere
 7257  867K ACCEPT     all  --  any    any     anywhere             anywhere             state NEW,ESTABLISHED
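Reading the listing by eye works for a handful of rules, but a scripted check is handier after every run of firewall.sh. As an added example (not code from the original post), the script below reads a saved ruleset in iptables-save format, the same format the tee line writes to /etc/iptables/iptables.rules, and checks it against the baseline this post builds: DROP policies on all three chains plus the loopback and ESTABLISHED/RELATED accepts. The sample ruleset, its counters and dates are constructed.

```shell
#!/bin/bash
# Added example (not from the original post): check a saved ruleset in
# iptables-save format against the baseline firewall.sh above sets up.
# SAMPLE_RULES is constructed to look like /etc/iptables/iptables.rules
# after running the script; counters and dates are invented.
SAMPLE_RULES='# Generated by iptables-save v1.6.1 on Sat Apr 22 19:30:00 2017
*filter
:INPUT DROP [3:156]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Apr 22 19:30:00 2017'

# Print the default policy of a chain (":INPUT DROP [...]" -> "DROP").
# Reads the ruleset on stdin.
chain_policy() {
  awk -v c=":$1" '$1 == c { print $2; exit }'
}

# Count "-A <chain>" rules whose text contains the given substring.
# Note: iptables-save writes the states as RELATED,ESTABLISHED whatever
# order you typed them in. Reads the ruleset on stdin.
rule_count() {
  awk -v c="$1" -v want="$2" \
    '$1 == "-A" && $2 == c && index($0, want) { n++ } END { print n + 0 }'
}

# Return 0 when the ruleset (passed as one string) has DROP policies on all
# three chains plus the loopback and ESTABLISHED/RELATED accepts; print each
# deviation and return 1 otherwise.
check_baseline() {
  local rules="$1" chain spec problems=0
  for chain in INPUT FORWARD OUTPUT; do
    [ "$(printf '%s\n' "$rules" | chain_policy "$chain")" = "DROP" ] \
      || { echo "policy of $chain is not DROP"; problems=$((problems + 1)); }
  done
  for spec in 'INPUT -i lo -j ACCEPT' 'OUTPUT -o lo -j ACCEPT' \
              'INPUT --state RELATED,ESTABLISHED -j ACCEPT'; do
    chain="${spec%% *}"
    [ "$(printf '%s\n' "$rules" | rule_count "$chain" "${spec#* }")" -ge 1 ] \
      || { echo "missing rule: $spec"; problems=$((problems + 1)); }
  done
  [ "$problems" -eq 0 ]
}

check_baseline "$SAMPLE_RULES" && echo "ruleset matches the baseline"
```

To check the live file instead of the sample, run check_baseline "$(sudo cat /etc/iptables/iptables.rules)" or feed it sudo iptables-save output.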

These were some little things. Next time I will update this post and add some more rules. Keep in touch!

