Thursday, 20 June 2013

How to block Packets using iptables

iptables -F   ------ To flush all iptables rules

iptables -P INPUT DROP
iptables -P FORWARD DROP

These set the default policies so that outgoing traffic is permitted, while any incoming or forwarded packet not accepted by an explicit rule is dropped.

1. Enabling Source Address Verification

Task: To prevent remote hosts from spoofing incoming packets as if they had come from your local machine.

Solution: Turn on source address verification in the kernel (IP spoofing protection):

echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter


To make the setting persistent across reboots, change it in this file:

# vi /etc/sysctl.conf
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

and run sysctl to reread the configuration immediately:
# sysctl -p

Source address verification (reverse path filtering) is a kernel-level feature that drops packets which claim to come from your internal network but arrive on an interface that has no route back to that source. Enabling this feature should be your first network-related security task. You can achieve the same effect with firewall rules as well.
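Because rp_filter is a per-interface setting (the "default" entry only seeds interfaces created later), it is worth checking every interface rather than trusting the one line in sysctl.conf. The audit below is an added example, not part of the original post; the function takes the conf directory as a parameter so it can be run against a constructed copy of the /proc layout (make_fake_conf) as well as against the live kernel.

```shell
#!/bin/sh
# Added example: audit reverse-path filtering on every interface.
# rp_filter values: 0 = off, 1 = strict (the setting the post enables),
# 2 = loose (only checks that some route to the source exists).

# Print, one per line, the interfaces whose rp_filter value is not 1.
# Returns 0 when every interface is strict, 1 otherwise.
rp_filter_audit() {
    base="${1:-/proc/sys/net/ipv4/conf}"
    bad=0
    for f in "$base"/*/rp_filter; do
        [ -r "$f" ] || continue              # no match or unreadable entry
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        if [ "$val" != "1" ]; then
            printf '%s rp_filter=%s\n' "$iface" "$val"
            bad=1
        fi
    done
    return $bad
}

# Constructed stand-in for /proc/sys/net/ipv4/conf so the audit runs offline.
# Prints the temporary directory it created.
make_fake_conf() {
    dir=$(mktemp -d)
    for iface in all default lo eth0 eth1; do
        mkdir -p "$dir/$iface"
    done
    echo 1 > "$dir/all/rp_filter"
    echo 1 > "$dir/default/rp_filter"
    echo 0 > "$dir/lo/rp_filter"        # loopback is often left at 0
    echo 1 > "$dir/eth0/rp_filter"
    echo 2 > "$dir/eth1/rp_filter"      # loose mode, weaker than the post's 1
    printf '%s\n' "$dir"
}

# Usage: rp_filter_audit            (live kernel)
#        RPF_DEMO=1 sh this_script  (constructed tree)
if [ "${RPF_DEMO:-}" = "1" ]; then
    d=$(make_fake_conf)
    rp_filter_audit "$d" || echo "some interfaces are not in strict mode"
    rm -rf "$d"
fi
```

On the constructed tree the audit reports lo and eth1 and exits non-zero; on a live system any interface it lists is one where the rule in this section is not actually in force.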

1.1 Blocking Spoofed Addresses

Task: You need to prevent remote hosts from pretending to be local to your network.

Solution: For a single machine, to prevent remote hosts from pretending to be that machine:

# iptables -A INPUT -i external_interface -s your_IP_Address -j REJECT

If you have a Linux machine acting as a firewall for your internal network (say, 192.168.0.*) with two network interfaces, one internal and one external, and you want to prevent remote machines from spoofing internal IP addresses on the external interface, use the following:

# iptables -A INPUT -i external_interface -s -j REJECT


DROP simply swallows the packet, never to be seen again, and emits no response. REJECT, in contrast, answers the packet with an error message back to the sender (by default an ICMP port-unreachable) saying that the connection was refused.

REJECT helps the sender understand why it cannot connect, because of the response message it sends. DROP gives no clue why the connection fails, which leaves less chance to troubleshoot the connection error.

REJECT can leave you open to a denial of service (DoS) attack. If a third party compromises a system (the victim) and sends packets to your machine with the victim's source address, your rejections are returned not to the third party but to the victim, the owner of the source address. You are unintentionally flooding the victim with rejections.

So it is better to choose DROP to prevent your machine from being abused in such a manner (better in a large network). If you are a home user, REJECT is more convenient. When rejecting, you can reject with different messages using the --reject-with option.

2.3 Blocking all Network traffic

Problem: You want the firewall to block all network traffic.

iptables -F
iptables -A INPUT -j REJECT
iptables -A OUTPUT -j REJECT
iptables -A FORWARD -j REJECT

2.4 Blocking Incoming Traffic

Problem: You want to block all incoming network traffic except replies to connections your own system initiated, without affecting outgoing traffic.

iptables -F INPUT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT

Without connection tracking, the closest approximation is to reject new TCP connection attempts (SYN packets) and incoming UDP to the privileged ports:

# iptables -A INPUT -p tcp --syn -j REJECT
# iptables -A INPUT -p udp --dport 0:1023 -j REJECT

The first solution takes advantage of statefulness, permitting incoming packets only if they are part of connections established from this machine. All other incoming packets are rejected.

Don't simply reject all input packets (the ipchains equivalent is shown here):

# ipchains -F INPUT
# ipchains -A INPUT -j REJECT

as this will block the responses returning from your legitimate outgoing connections.

iptables also supports the --syn flag to match TCP packets that initiate a connection (SYN set, ACK and RST clear):

# iptables -A INPUT -p tcp --syn -j REJECT

2.5 Blocking outgoing traffic

Problem: You want to drop all outgoing network traffic without affecting incoming traffic.

iptables -F OUTPUT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j REJECT

Here iptables takes advantage of statefulness: it can tell the difference between outgoing traffic initiated by the local machine and outgoing traffic sent in response to established incoming connections. The latter is permitted but the former is not.

2.6 Blocking incoming service requests

Problem: You want to block connections to a particular network service, for example HTTP.


To block the service for everyone:

iptables -A INPUT -p tcp --dport www -j REJECT

To block remote clients but still permit local connections arriving via the loopback interface:

iptables -A INPUT -p tcp -i lo --dport www -j ACCEPT
iptables -A INPUT -p tcp --dport www -j REJECT

2.7 Blocking Access from a remote host

Problem: You need to block incoming traffic from a particular host.


To block all access by that host:
# iptables -A INPUT -s remote_ip_address -j REJECT

To block request for one particular service, say the SMTP mail service:

# iptables -A INPUT -p tcp -s remote_ip_address --dport smtp -j REJECT

To admit some hosts but block all others:

# iptables -A INPUT -s ip_address_1 [-p protocol --dport service] -j ACCEPT

# iptables -A INPUT -s ip_address_2 [-p protocol --dport service] -j ACCEPT

# iptables -A INPUT -s ip_address_3 [-p protocol --dport service] -j ACCEPT

# iptables -A INPUT [-p protocol --dport service] -j REJECT

2.8 Blocking access to a remote host

Problem: You want to block outgoing traffic to a particular host.


To block all access:

# iptables -A OUTPUT -d remote_ip_address -j REJECT

To block a particular service, such as a remote web site:

# iptables -A OUTPUT -p tcp -d remote_ip_address --dport www -j REJECT

2.9 Blocking outgoing access to all web servers on a 

Problem: You want to prevent outgoing access to a network, e.g. all web servers at

Solution: Figure out how to specify the network, e.g.: and reject web access:

# iptables -A OUTPUT -p tcp -d --dport www -j REJECT

You can also specify a hostname instead of an IP address in your firewall rule. If DNS reports multiple IP addresses for that hostname, a separate rule is created for each IP address.

# host  ------ Will give all ip-address of

              has address has address has address has address has address has address has IPv6 address 2a00:1450:4013:c01::69

So it is better to block access to the whole network:

# iptables -A OUTPUT -d -j REJECT
# iptables -L OUTPUT

Security experts recommend that you use only IP addresses in your rules, not hostnames, since an attacker who can poison your DNS could circumvent rules defined for hostnames. Note, however, that hostnames are resolved only at the moment you run iptables to define a rule: the program looks up the underlying IP addresses immediately and stores them in the rule, so the exposure is limited to that moment (and the rule will not follow later changes to the hostname's addresses).

2.10 Blocking Remote access, but permitting local

Problem: You want only local users to access a TCP service; remote requests should be denied.

Solution: Permit connections via the loopback interface and reject all others:

# iptables -A INPUT -p tcp -i lo --dport service -j ACCEPT
# iptables -A INPUT -p tcp --dport service -j REJECT

You can also single out your local IP address specifically:

# iptables -A INPUT -p tcp ! -s your_ip_address --dport service -j REJECT

2.11 Controlling access by MAC Address

Problem: You want only a particular machine, identified by its MAC address, to access your system.


# iptables -F INPUT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m mac --mac-source 12:34:56:89:90:ab -j ACCEPT
# iptables -A INPUT -j REJECT

This will work only within your local network. If you receive a packet from a machine outside your subnet, it will carry your gateway's MAC address, not that of the original source machine.

MAC addresses can be spoofed. Suppose you have a machine called MACHINE whose MAC address is trusted by your firewall. If an intruder discovers this fact and MACHINE is down, the intruder could spoof MACHINE's MAC address and your firewall would be none the wiser. On the other hand, if MACHINE is up during the spoofing, its kernel will start complaining (via syslog) about a duplicate MAC address.

2.12 Permitting SSH Access only

Problem: You want to permit incoming SSH access but no other incoming access, while allowing local connections to all services.

# iptables -F INPUT
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -j REJECT

A common setup is to permit access to a remote machine only by SSH. If you want this access limited to certain hosts or networks, list them by IP address as follows:

# iptables -A INPUT -p tcp -s --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp -s --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp -s --dport ssh -j

# iptables -A INPUT -j REJECT

The REJECT rule in the preceding list prevents all other incoming connections. If you want to prevent only SSH connections from unlisted hosts, use this REJECT rule instead:

# iptables -A INPUT -p tcp --dport ssh -j REJECT

2.13 Prohibiting outgoing Telnet connections

Problem: You want to block all outgoing telnet connections.

# iptables -A OUTPUT -p tcp --dport telnet -j REJECT

To block all outgoing telnet connections except from yourself to yourself:

# iptables -A OUTPUT -p tcp -o lo --dport telnet -j ACCEPT
# iptables -A OUTPUT -p tcp --dport telnet -j REJECT

2.14 Protecting Dedicated server

Problem: You want to run a specific set of services on your machine, accessible to the outside world. All other services should be rejected and logged. Internally, however, local users can access all services.

Solution: Suppose your services are www, ssh and smtp:

# iptables -F INPUT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m multiport -p tcp --dport www,ssh,smtp -j ACCEPT
# iptables -A INPUT -j LOG -m limit
# iptables -A INPUT -j REJECT

Local connections from your own host arrive via the loopback interface.

2.15 Preventing pings

Problem: You don't want remote sites to receive responses when they ping you.

# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Don't make the mistake of dropping all ICMP messages.

Wrong, don't do this:
# iptables -A INPUT -p icmp -j DROP

Pings are only one type of ICMP message, and you probably do not want to block all types (path MTU discovery and error reports such as destination-unreachable also travel over ICMP). List the available ICMP message types with:

# iptables -p icmp -h

2.16 Listing your firewall rules

Problem: You want to see your firewall rules.

# iptables -L [chain]

For more detailed output, append the -v option.

If iptables takes a long time to print the rule list, try appending the -n option to disable reverse DNS lookups. Such lookups of local addresses, such as may cause delays due to timeouts.

2.17 Deleting firewall rules

Problem: You want to delete firewall rules, individually or all at once.

Solution: To delete rules en masse, also called flushing a chain, do the following:

# iptables -F [chain]

To delete rules individually:

# iptables -D chain rule_number

Rules are numbered beginning with 1. To list the rules:

# iptables -L

Select one to delete (say, rule 4 on the INPUT chain), and type:

# iptables -D INPUT 4

If you have previously saved your rules and want your deletions to remain in effect after the next reboot, re-save the new configuration.

2.18 Inserting firewall rule

Problem: Rather than appending a rule to a chain, you want to insert or replace one elsewhere in the chain.

Solution: Instead of the -A option, use -I to insert or -R to replace. You'll need to know the numeric position, within the existing rules, of the new rule.

For instance, to insert a new rule in the fourth position in the chain:

# iptables -I chain 4 ......specification.........

To replace the second rule in a chain:

# iptables -R chain 2 ......specification......

When you insert a rule at position N in a chain, the old rule N becomes rule N+1, the old rule N+1 becomes rule N+2, and so on.

2.19 Saving a firewall configuration

Problem: You want to save your firewall configuration.

Solution: Save your settings:

# iptables-save > /etc/sysconfig/iptables

2.20 Loading a firewall configuration

Problem: You want to load your firewall rules, e.g. at boot time.

Solution: Use iptables-restore. Assuming you've saved your firewall configuration in /etc/sysconfig/iptables:

echo 1 > /proc/sys/net/ipv4/ip_forward  (optional)
iptables-restore < /etc/sysconfig/iptables

To load the firewall at boot time:
# chkconfig iptables on

2.21 Building complex rule trees

Problem: You want to construct complex firewall behaviors, but you are getting lost in the complexity.

Solution: Be modular. Isolate behaviors into their own chains, then connect the chains in the desired manner:

# iptables -N CHAIN1
# iptables -N CHAIN2
# iptables -N CHAIN3
# iptables -N CHAIN4
# iptables -N CHAIN5

Add your rules to each chain, then connect the chains; for example:

# iptables -A INPUT ......specification...... -j CHAIN1
# iptables -A CHAIN1 ......specification...... -j CHAIN2
# iptables -A CHAIN2 ......specification...... -j CHAIN3
# iptables -A INPUT ......specification...... -j CHAIN4
# iptables -A INPUT ......specification...... -j CHAIN5

Connecting chains is like modular programming with subroutines. The rule:

# iptables -A CHAIN1 ......specification...... -j CHAIN2

creates a jump to CHAIN2 from this rule in CHAIN1 if the rule matches. Once CHAIN2 has been traversed without reaching a terminating verdict (ACCEPT, DROP or REJECT), control returns to the next rule in CHAIN1, similar to returning from a subroutine.

2.22 Logging

Problem: You want the firewall to log and drop certain packets.

Solution: Create a new rule chain that logs and drops in sequence:

# iptables -N LOG_DROP
# iptables -A LOG_DROP -j LOG --log-level warning --log-prefix "dropped" -m limit
# iptables -A LOG_DROP -j DROP

then use it as a target in any relevant rules:

# iptables ......specification...... -j LOG_DROP

The iptables LOG target causes the kernel to log packets that match your given specification.

The --log-level option sets the syslog level for these log messages, and --log-prefix adds an identifiable string to the log entries (end the prefix with a space or ": " so it does not run into the IN= field that follows it).

The further options --log-tcp-sequence, --log-tcp-options and --log-ip-options add more information to each log entry.

LOG is usually combined with the limit module (-m limit) to cap the number of redundant log entries made per time period, to avoid flooding your logs.
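What the LOG_DROP chain produces, and how to read it back, as an added example that is not part of the original post. The sample log lines are constructed to match the kernel's key=value LOG format as it appears in a syslog file (the MAC field is abbreviated); they assume a --log-prefix of "dropped: " rather than the bare "dropped" above, so the prefix stays separate from the IN= field. The two functions summarise dropped packets per source address and per protocol/port, which is usually the first question after enabling logging.

```shell
#!/bin/sh
# Added example: summarise kernel LOG entries written by a log-and-drop chain.
# Assumes classic syslog lines ("... kernel: <prefix>IN=..."); adjust the
# "kernel: " anchor if reading journalctl or dmesg output.

# Constructed sample: three TCP SYNs and one UDP packet rejected, plus an
# unrelated sshd line that must be ignored.
SAMPLE_LOG='Jun 20 10:01:02 host kernel: dropped: IN=eth0 OUT= MAC=... SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 20 10:01:03 host kernel: dropped: IN=eth0 OUT= MAC=... SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=44322 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 20 10:01:05 host kernel: dropped: IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=120 ID=3 PROTO=UDP SPT=5353 DPT=5353 LEN=20
Jun 20 10:01:09 host kernel: dropped: IN=eth0 OUT= MAC=... SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4 DF PROTO=TCP SPT=44323 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 20 10:02:00 host sshd[123]: Accepted publickey for admin from 192.0.2.44 port 50000 ssh2'

# Count dropped packets per source address for the given --log-prefix.
# Output: "<count> <src>" lines, highest count first.
# Usage: drops_by_source "dropped: " < /var/log/messages
drops_by_source() {
    prefix=$1
    awk -v p="$prefix" '
        index($0, "kernel: " p) == 0 { next }        # only our LOG entries
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { split($i, kv, "="); n[kv[2]]++ }
        }
        END { for (s in n) printf "%d %s\n", n[s], s }
    ' | sort -rn
}

# Count dropped packets per protocol/destination port, e.g. "TCP/23".
drops_by_port() {
    prefix=$1
    awk -v p="$prefix" '
        index($0, "kernel: " p) == 0 { next }
        {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (proto != "" && dpt != "") n[proto "/" dpt]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -rn
}

# Usage on the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | drops_by_source "dropped: "
#   printf '%s\n' "$SAMPLE_LOG" | drops_by_port "dropped: "
```

On the sample, the per-source view shows 203.0.113.5 three times and 198.51.100.7 once, and the per-port view shows TCP/23 twice; with -m limit in place, remember that these counts are of logged packets, not of all packets the chain dropped.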

2.23 Opening ports 80 and 110 on a server machine

Add these lines to /etc/sysconfig/iptables (RH-Firewall-1-INPUT is the chain that RHEL/CentOS create by default), placing them before the chain's final REJECT rule, then reload the rules:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT

Verify that a service is actually listening on the port:
 # netstat -tulpn | less

Make sure iptables is allowing port 80 / 110:
 # iptables -L -n

1 comment:

  1. You can use this technique to secure confidential data that could be misused if the packets are received at the wrong end.

    Silvester Norman

    Change Mac Address