Archive

Articles taggués ‘filtering’

Control Network Traffic with iptables

23/11/2015 Comments off

Packet filtering using network rules such as NAT (network address translation) can be accomplished by using iptables. Iptables utilize ports and protocols and may also be used as a firewall.

Using iptables for IPv4

By default, the iptables tool is included with your Linode supplied distribution. In order to use iptables, you will have to have root privileges to make changes. The location of the iptables files is in the /sbin directory. However, you will make changes to these files by invoking commands, not with a text editor.

The iptables Command

There are a number of options that can be used with iptables. Before you begin, you need to understand how iptables work. As stated above, iptables are used to set the rules governing network traffic. You can define different tables to handle these rules. The table contains a variety of built-in chains, but you can add your own chains. A chain is a list of rules that match a set of packets.

Basic iptables Parameters

In order to start using iptables, you will need to understand some basics about the command syntax. For example:

iptables -I INPUT -s 12.34.56.78 -j DROP

In the sample above you are invoking iptables by its name. The -I option is for insertion. Using a rule with the insertion option will add it at the beginning of a chain, it will also be the rule that is applied first. You may also use a number with -I option to indicate its placement in the chain. The -s parameter along with the IP address (12.34.56.78) indicates the source. Finally the -j parameter is for jump. It specifies the target of the rule i.e. what action it is to perform if the packet is a match.

For example, the rule above is added to the beginning of the chain, and it will drop all packets from the address 12.34.56.78 received from anywhere.

Parameter Description
-p, -- protocol The rule, such as TCP, UDP, etc.
-s, -- source Can be an address, network name, hostname, etc.
-d, -- destination An address, hostname, network name, etc.
-j, -- jump Specifies the target of the rule; i.e. what to do if the packet matches.
-g, --goto chain Specifies that the processing will continue in a user specified chain.
-i, --in-interface Names the interface from where packets are received.
-o, --out-interface Name of the interface by which a packet is being sent.
-f, --fragment The rule will only be applied to the second and further fragments of fragmented packets.
-c, --set-counters Enables the admin to initialize the packet and byte counters of a rule.

Default Tables

A root or sudo user can create tables. Tables are comprised of built-in chains and may also contain user-defined chains. The built-in tables present will depend on the kernel configuration and the installed modules. Below is a list of the tables available.

The default tables are as follows:

  • Filter – this is the default table. Its built-in chains are:
    • Input – is for packets going to local sockets
    • Forward – is for packets routed through the server
    • Output – is for locally-generated packets
  • Nat – when a packet creates a new connection this is the table that is used. Its built-in chains are Prerouting, Output, and Postrouting
    • Prerouting is for packets when they come in
    • Output is for locally-generated packets before routing takes place
    • Postrouting is for altering packets on the way out
  • Mangle – is used for special altering of packets. Its chains are Pre/Post routing, Forward, Input, and Output
    • Prerouting is for incoming packets
    • Postrouting is for packets going out
    • Output is for locally generated packets that are being altered.
    • Input is for packets coming directly into the server
    • Forward is for packets being routed through the server
  • Raw – is used primarily for configuring exemptions from connection tracking. The built-in chains are Prerouting and Output.
    • Prerouting is for packets that arrive by the network interface
    • Output is for processes that are locally generated
  • Security – is used for Mandatory Access Control (MAC) rules. After the filter table, the security table is accessed next. The built-in chains are Input, Output, and Forward.
    • Input pertains to packets entering the server
    • Output is for locally-generated packets
    • Forward is for packet passing through the server

Lire la suite…