
Thursday, 20 June 2013

How to block packets using iptables

iptables -F   ------ flush all rules in the filter table (the nat and mangle tables need -t nat -F and -t mangle -F)

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

These policies permit outgoing traffic but drop incoming or forwarded packets that no later rule accepts explicitly. Set them from the console, or put a rule accepting your own session in place first: a DROP policy on INPUT with no ACCEPT rules cuts off a remote SSH session immediately.


1. Enabling Source Address Verification

Task: To prevent remote hosts from spoofing incoming packets as if they had come from your local machine or network.

Solution: Turn on source address verification (reverse path filtering) in the kernel. Note that the `default` setting only seeds interfaces created later; for interfaces that already exist you must set `all` or the per-interface value (the kernel uses the larger of `all` and the interface's own setting).

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

OR

make it permanent in this file

# vi /etc/sysctl.conf
# Controls source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

and run sysctl to reread the configuration immediately
# sysctl -p

Source address verification is a kernel-level feature that drops a packet if a reply to its source address would not be routed back out through the interface the packet arrived on, i.e. packets that claim to come from your internal network but arrive from outside. Enabling this feature should be your first network-related security task. You can get the same effect with firewall rules, as shown next. The value 1 is strict mode and breaks asymmetric routing; the value 2 is the loose mode for multi-homed hosts, which only requires the source to be reachable via some interface.
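Because only the per-interface and `all` values matter for interfaces that already exist, it is worth checking what is actually in effect rather than trusting sysctl.conf. The audit script below is an added example, not part of the original post: it reports the effective reverse-path-filter mode for every interface (the larger of `all` and the interface's own value) and returns a non-zero status if any interface is unfiltered. The sysctl root is a parameter (assumed default /proc/sys) so the same functions can be run against a copied or constructed tree.

```shell
#!/bin/sh
# Audit reverse path filtering on every interface. Added example, not from
# the original post. The kernel applies the larger of conf/all/rp_filter and
# conf/<iface>/rp_filter to packets arriving on <iface>; conf/default only
# seeds interfaces created later, so setting it alone protects nothing that
# already exists. The sysctl root is a parameter so the functions can also be
# run against a copied or constructed tree (the default is the live /proc/sys).

rp_filter_mode() {
    case "$1" in
        0) echo "off" ;;        # no source validation
        1) echo "strict" ;;     # reply must route back out the arrival interface
        2) echo "loose" ;;      # source must be reachable via any interface
        *) echo "unknown($1)" ;;
    esac
}

# rp_filter_effective IFACE [SYSCTL_ROOT]: the value the kernel really uses
rp_filter_effective() {
    root="${2:-/proc/sys}"
    all=$(cat "$root/net/ipv4/conf/all/rp_filter" 2>/dev/null || echo 0)
    dev=$(cat "$root/net/ipv4/conf/$1/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# audit_rp_filter [SYSCTL_ROOT]: one line per real interface; exit status 1
# if any of them is left unfiltered
audit_rp_filter() {
    root="${1:-/proc/sys}"
    rc=0
    for d in "$root"/net/ipv4/conf/*; do
        [ -d "$d" ] || continue
        iface=$(basename "$d")
        case "$iface" in all|default|lo) continue ;; esac
        eff=$(rp_filter_effective "$iface" "$root")
        printf '%-12s rp_filter=%s (%s)\n' "$iface" "$eff" "$(rp_filter_mode "$eff")"
        if [ "$eff" -eq 0 ]; then rc=1; fi
    done
    return $rc
}

# Stand-alone use on the live system
if [ -d /proc/sys/net/ipv4/conf ]; then
    audit_rp_filter /proc/sys || echo "WARNING: at least one interface has rp_filter off"
fi
```

Run it after applying sysctl.conf: an interface that still reports `off` was created before the setting took effect or has an explicit per-interface 0, and needs `net.ipv4.conf.<iface>.rp_filter` (or `all`) set.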


1.1 Blocking Spoofed Addresses

Task: You need to prevent remote hosts from pretending to be local to your network.

Solution: For a single machine, to prevent remote hosts from pretending to be that machine:

# iptables -A INPUT -i external_interface -s your_IP_Address -j REJECT

If you have a Linux machine acting as a firewall for your internal network (say, 192.168.0.*) with two network interfaces, one internal and one external, and you want to prevent remote machines from presenting a spoofed internal IP address to the external interface, use the following:

# iptables -A INPUT -i external_interface -s 192.168.0.0/24 -j REJECT

For these anti-spoofing rules DROP is the better target (see below): a rejection is sent to the forged source address, i.e. to yourself or to a host on your own network.


DROP v/s REJECT

DROP simply swallows the packet, never to be seen again, and emits no response. REJECT, in contrast, answers the sender with an error message: by default an ICMP port-unreachable, or a TCP RST if you use --reject-with tcp-reset on a TCP rule.

REJECT helps a legitimate user understand why they cannot connect, because of the response message it sends, while DROP gives no clue and leaves less chance to troubleshoot the connection error (clients simply hang until they time out).

REJECT can also leave you open to being used in a denial of service (DoS) attack. If a third party sends packets to your machine with a forged source address belonging to a victim, your rejections go not to the third party but to the victim, the owner of the source address; you are unintentionally flooding the victim with rejections, and each response costs you bandwidth as well.

So it is better to choose DROP to prevent your firewall from being abused in such a manner (especially on a large network or an Internet-facing host). For a home user REJECT is friendlier. When rejecting, you can choose the error sent with the --reject-with option.

2.3 Blocking all network traffic

Problem: You want to block all network traffic with the firewall.

Solution:
iptables -F
iptables -A INPUT -j REJECT
iptables -A OUTPUT -j REJECT
iptables -A FORWARD -j REJECT

This also cuts the loopback interface, so local services that talk to each other over 127.0.0.1 stop working unless you accept the loopback interface first, as the later recipes do with -i lo.

 
2.4 Blocking Incoming Traffic

Problem: You want to block all incoming network traffic, except replies to connections your system itself initiated. Do not affect outgoing traffic.

Solution:

iptables -F INPUT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT

Here iptables takes advantage of statefulness, permitting incoming packets only if they belong to connections established from your side. All other incoming packets are rejected. Add RELATED to the state list if you also want ICMP errors and helper-tracked connections (such as FTP data channels) to come back in.

Don't simply reject all input packets:

# iptables -F INPUT
# iptables -A INPUT -j REJECT

as this will block the responses returning from your legitimate outgoing connections.

Without the state module you can approximate the same thing by rejecting only new TCP connection requests with the --syn flag, and new UDP requests by port number; this is weaker, since it lets any UDP packet to a high port through:

# iptables -A INPUT -p tcp --syn -j REJECT
# iptables -A INPUT -p udp --dport 0:1023 -j REJECT

2.5 Blocking outgoing traffic

Problem: Drop all outgoing network traffic, but if possible do not affect incoming traffic.

Solution:
iptables -F OUTPUT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j REJECT

Here iptables again takes advantage of statefulness: it can tell the difference between outgoing traffic initiated from the local machine and outgoing traffic sent in response to established incoming connections. The latter is permitted but the former is not. Note that this also blocks the machine's own DNS lookups and any other connection it initiates.

2.6 Blocking incoming service requests

Problem: You want to block connections to a particular network service, for example HTTP.

Solution:

iptables -A INPUT -p tcp --dport www -j REJECT

To block incoming HTTP traffic but permit local HTTP traffic:

iptables -A INPUT -p tcp -i lo --dport www -j ACCEPT
iptables -A INPUT -p tcp --dport www -j REJECT

Service names such as www are resolved through /etc/services when the rule is created; the numeric port (80) works the same and does not depend on that file.


2.7 Blocking access from a remote host

Problem: You need to block incoming traffic from a particular host.

Solution:

To block all access by that host:

# iptables -A INPUT -s remote_ip_address -j REJECT

To block requests for one particular service, say the SMTP mail service:

# iptables -A INPUT -p tcp -s remote_ip_address --dport smtp -j REJECT

To admit some hosts but block all others (the ACCEPT rules must come first, since the first matching rule decides):

# iptables -A INPUT -s ip_address_1 [-p protocol --dport service] -j ACCEPT
# iptables -A INPUT -s ip_address_2 [-p protocol --dport service] -j ACCEPT
# iptables -A INPUT -s ip_address_3 [-p protocol --dport service] -j ACCEPT
# iptables -A INPUT [-p protocol --dport service] -j REJECT
 
2.8 Blocking access to a remote host

Problem: You want to block outgoing traffic to a particular host.

Solution:

To block all access:

# iptables -A OUTPUT -d remote_ip_address -j REJECT

To block a particular service, such as a remote web site:

# iptables -A OUTPUT -p tcp -d remote_ip_address --dport www -j REJECT

2.9 Blocking outgoing access to all web servers on a network

Problem: You want to prevent outgoing web access to a whole network, e.g. all web servers at yahoo.com.

Solution: Figure out how to specify the yahoo.com network, e.g. 64.58.76.0/24, and reject web access to it:

# iptables -A OUTPUT -p tcp -d 64.58.76.0/24 --dport www -j REJECT

You can also specify a hostname instead of an IP address in your firewall rule. If DNS reports multiple IP addresses for that hostname, iptables creates a separate rule for each address.

# host www.google.com  ------ lists all addresses of www.google.com

www.google.com has address 173.194.75.103
www.google.com has address 173.194.75.104
www.google.com has address 173.194.75.105
www.google.com has address 173.194.75.106
www.google.com has address 173.194.75.147
www.google.com has address 173.194.75.99
www.google.com has IPv6 address 2a00:1450:4013:c01::69

so it is simpler to block access to www.google.com by name:

# iptables -A OUTPUT -d www.google.com -j REJECT
# iptables -L OUTPUT

Security experts recommend that you use only IP addresses in your rules, not hostnames, since an attacker who can poison your DNS could steer rules defined by hostname. However, the hostname is relevant only at the moment you run iptables to define the rule: the program looks up the underlying IP addresses immediately and stores them in the rule. Two caveats follow from that. The rule does not track later DNS changes, so a site whose addresses rotate (as large sites do) slips past it unless the rules are regenerated; and the IPv6 address above is ignored by iptables, which handles IPv4 only, so a matching ip6tables rule is needed.
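Generating the per-address rules from a lookup makes both caveats explicit. The script below is an added example, not part of the original post: it reads the output of `host NAME`, emits one iptables rule per A record and one ip6tables rule per AAAA record, and ignores alias or MX lines. The sample lookup is the one shown above, embedded as constructed text so the script runs offline; in real use pipe `host www.google.com` into the function and regenerate whenever the addresses change. The rules are printed for review, not applied.

```shell
#!/bin/sh
# Turn the output of `host NAME` into one firewall rule per address.
# Added example, not from the original post. iptables handles IPv4 only, so
# AAAA records are emitted as ip6tables rules; other lines (aliases, mail
# exchangers) are ignored. The rules are printed, not applied, so they can be
# reviewed and regenerated when the name's addresses change.

# rules_from_host_output CHAIN TARGET  < host-output
rules_from_host_output() {
    chain="$1"; target="$2"
    while read -r name w1 w2 w3 w4; do
        case "$w1 $w2" in
            "has address")  echo "iptables -A $chain -d $w3 -j $target" ;;
            "has IPv6")     echo "ip6tables -A $chain -d $w4 -j $target" ;;
            *)              ;;   # alias, MX and similar lines carry no address
        esac
    done
}

# Constructed sample: the lookup shown above, captured as text so the script
# runs offline. In real use replace it with `host www.google.com`.
SAMPLE_HOST_OUTPUT='www.google.com has address 173.194.75.103
www.google.com has address 173.194.75.104
www.google.com has address 173.194.75.105
www.google.com has address 173.194.75.106
www.google.com has address 173.194.75.147
www.google.com has address 173.194.75.99
www.google.com has IPv6 address 2a00:1450:4013:c01::69'

printf '%s\n' "$SAMPLE_HOST_OUTPUT" | rules_from_host_output OUTPUT REJECT
```

The output is seven commands: six iptables rules and one ip6tables rule, which is exactly the rule that `iptables -A OUTPUT -d www.google.com` silently leaves out.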

2.10 Blocking remote access, but permitting local

Problem: You want only local users to access a TCP service; remote requests should be denied.

Solution: Permit connections via the loopback interface and reject all others:

# iptables -A INPUT -p tcp -i lo --dport service -j ACCEPT
# iptables -A INPUT -p tcp --dport service -j REJECT

You can also single out your local IP address specifically:

# iptables -A INPUT -p tcp ! -s your_ip_address --dport service -j REJECT

2.11 Controlling access by MAC address

Problem: You want only a particular machine, identified by its MAC address, to access your system.

Solution:

# iptables -F INPUT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m mac --mac-source 12:34:56:89:90:ab -j ACCEPT
# iptables -A INPUT -j REJECT

This will work only within your local network (the mac match is available in the INPUT, FORWARD and PREROUTING chains). If you receive a packet from a machine outside your subnet, it will carry your gateway's MAC address, not that of the original source machine.

MAC addresses can be spoofed. Suppose you have a machine called MACHINE whose MAC address is trusted by your firewall. If an intruder discovers this fact and MACHINE is down, the intruder can spoof MACHINE's MAC address and your firewall will be none the wiser. If MACHINE is up during the spoofing, the conflict is at least more likely to be noticed (duplicate-address complaints on the hosts, flapping entries in the switch's address table), but MAC filtering remains a convenience, not an authentication mechanism.


2.12 Permitting SSH access only

Problem: You want to permit incoming SSH access but no other incoming access, and allow local connections to all services.

Solution:
# iptables -F INPUT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -j REJECT

The ESTABLISHED,RELATED rule lets replies to the machine's own outbound connections (DNS lookups, package updates) back in; without it they would be rejected along with everything else.

A common setup is to permit access to a remote machine only by SSH. If you want this access limited to certain hosts or networks, list them by IP address as follows:

# iptables -A INPUT -p tcp -s 128.220.13.4 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp -s 71.54.121.19 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp -s 152.16.91.0/24 --dport ssh -j ACCEPT
# iptables -A INPUT -j REJECT

The REJECT rule in the preceding prevents all other incoming connections. If you want to prevent only SSH connections from other sources, use this REJECT rule instead:

# iptables -A INPUT -p tcp --dport ssh -j REJECT

 
2.13 Prohibiting outgoing Telnet connections

Problem: You want to block all outgoing telnet connections.

Solution:
# iptables -A OUTPUT -p tcp --dport telnet -j REJECT

To block all outgoing telnet connections except from yourself to yourself:

# iptables -A OUTPUT -p tcp -o lo --dport telnet -j ACCEPT
# iptables -A OUTPUT -p tcp --dport telnet -j REJECT

2.14 Protecting a dedicated server

Problem: You want to run a specific set of services on your machine, accessible to the outside world. All other services should be rejected and logged. Internally, however, local users can access all services.

Solution: Suppose your services are www, ssh and smtp.

# iptables -F INPUT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -m multiport -p tcp --dports www,ssh,smtp -j ACCEPT
# iptables -A INPUT -m limit -j LOG
# iptables -A INPUT -j REJECT

Local connections from your own host arrive via the loopback interface. The ESTABLISHED,RELATED rule lets replies to the server's own outbound connections (DNS lookups, package updates, outgoing mail) back in; without it they would be rejected and logged along with everything else. The limit match on the LOG rule (3 per hour with a burst of 5 when no rate is given) keeps a port scan from flooding the log.
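The recipes above (2.4 statefulness, 2.12 SSH from listed sources, 2.14 public services, 2.15 pings and 2.22 log-and-drop) are normally combined into one ruleset that is loaded atomically with iptables-restore rather than typed rule by rule. The generator below is an added example, not part of the original post. It assumes eth0 is the external interface, 192.168.0.0/24 is the internal network that must never appear as a source on eth0, ports 80 and 25 are the public services, and the SSH sources are RFC 5737 documentation addresses; it uses the conntrack match, the newer spelling of `-m state`. The script only prints the ruleset.

```shell
#!/bin/sh
# Generate a complete stateful INPUT policy for a dedicated server in the
# format iptables-restore reads (recipes 2.4, 2.12, 2.14, 2.15 and 2.22 in
# one ruleset). Added example, not from the original post. Assumptions:
# eth0 is the external interface, 192.168.0.0/24 is the internal network
# that must never appear as a source on eth0, and the SSH sources are
# RFC 5737 documentation addresses. The script only prints the ruleset.

# dedicated_server_rules EXT_IF "TCPPORT,TCPPORT" "CIDR CIDR ..." INTERNAL_NET
dedicated_server_rules() {
    ext_if="$1"; tcp_ports="$2"; ssh_from="$3"; internal="$4"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_IN - [0:0]
:LOG_DROP - [0:0]
# loopback first: local clients may reach every local service
-A INPUT -i lo -j ACCEPT
# anti-spoofing (recipe 1.1): these sources cannot legitimately arrive on $ext_if
-A INPUT -i $ext_if -s $internal -j DROP
-A INPUT -i $ext_if -s 127.0.0.0/8 -j DROP
# statefulness (recipe 2.4): replies to our own connections and related
# traffic (ICMP errors, helper-tracked data channels) come back in
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping (recipe 2.15) at a bounded rate; limit only matches while under the
# rate, so the DROP that follows catches the excess
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
# SSH (recipe 2.12) only from listed sources, decided in its own chain
-A INPUT -p tcp --dport 22 -j SSH_IN
# public services (recipe 2.14); numeric ports avoid an /etc/services lookup
-A INPUT -p tcp -m multiport --dports $tcp_ports -j ACCEPT
# everything else is logged and dropped (recipe 2.22)
-A INPUT -j LOG_DROP
EOF
    for src in $ssh_from; do
        echo "-A SSH_IN -s $src -j ACCEPT"
    done
    cat <<EOF
# RETURN hands unlisted sources back to INPUT, where they reach LOG_DROP
-A SSH_IN -j RETURN
-A LOG_DROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-level warning --log-prefix "iptables-drop: "
-A LOG_DROP -j DROP
COMMIT
EOF
}

# Line number of the first rule containing a fixed string; lets a wrapper
# script assert ordering (e.g. that the stateful ACCEPT precedes LOG_DROP).
rule_index() {
    printf '%s\n' "$1" | grep -n -F -e "$2" | head -n 1 | cut -d: -f1
}

# Stand-alone: print the ruleset for review. To apply it:
#   sh thisscript.sh > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
dedicated_server_rules eth0 80,25 "203.0.113.0/24 198.51.100.7" 192.168.0.0/24
```

Review the output before loading it (`iptables-restore --test` parses without committing where the version supports it), and when applying over SSH keep a second session open or schedule a restore of the previous ruleset a few minutes out, so a mistake in the SSH_IN sources does not lock you out. The loopback, anti-spoofing and stateful rules deliberately come first: order is what makes the rest of the chain correct.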


2.15 Preventing pings

Problem: You don't want remote sites to receive responses when they ping you.

Solution:
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Don't make the mistake of dropping all ICMP messages:

Wrong, don't do this
# iptables -A INPUT -p icmp -j DROP

because pings are only one type of ICMP message, and you do not want to block the others; in particular, dropping "fragmentation needed" (destination-unreachable) messages breaks path MTU discovery and makes large transfers stall. List the available ICMP message types with

# iptables -p icmp -h

2.16 Listing your firewall rules

Problem: You want to see your firewall rules.

Solution:
# iptables -L [chain]

For more detailed output (packet and byte counters, interfaces), append the -v option. Append --line-numbers to see each rule's position in its chain, which is what the delete and insert commands below take.

If iptables takes a long time to print the rule list, try appending the -n option to disable reverse DNS lookups. Such lookups of local addresses, such as 192.168.0.2, may cause delays due to timeouts. Remember that -L shows only the filter table; use -t nat -L or -t mangle -L for the others.

2.17 Deleting firewall rules

Problem: You want to delete firewall rules, individually or all at once.

Solution: To delete rules en masse, also called flushing a chain, do the following:

# iptables -F [chain]

To delete rules individually, either by position or by repeating the exact rule specification:

# iptables -D chain rule_number
# iptables -D chain rule_specification

Rules are numbered beginning with 1. To list the rules with their numbers:

# iptables -L --line-numbers

Select one to delete (say, rule 4 on the INPUT chain) and type

# iptables -D INPUT 4

The remaining rules are renumbered, so when deleting several rules by number work from the highest number down.

If you have previously saved your rules and want your deletions to remain in effect after the next reboot, re-save the new configuration.


2.18 Inserting a firewall rule

Problem: Rather than appending a rule to a chain, you want to insert or replace one elsewhere in the chain.

Solution: Instead of the -A option, use -I to insert or -R to replace. You need to know the numeric position, within the existing rules, of the new rule (see iptables -L --line-numbers).

For instance, to insert a new rule in the fourth position in the chain:

# iptables -I chain 4 ......specification.........

Without a position, -I inserts at the top of the chain (position 1). To replace the second rule in a chain:

# iptables -R chain 2 ......specification......

When you insert a rule at position N in a chain, the old rule N becomes rule N+1, the old rule N+1 becomes rule N+2, and so on.

2.19 Saving a firewall configuration

Problem: You want to save your firewall configuration.

Solution: Save your settings (iptables-save writes every table, not just filter):

# iptables-save > /etc/sysconfig/iptables

2.20 Loading a firewall configuration

Problem: You want to load your firewall rules, e.g. at boot time.

Solution: Use iptables-restore. Assuming you've saved your firewall configuration in /etc/sysconfig/iptables:

#!/bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward   # optional: only if this machine routes for others
iptables-restore < /etc/sysconfig/iptables

iptables-restore replaces the current rules as a whole: the file is parsed completely before any table is committed, so a syntax error leaves the old rules in place.

To load the firewall at boot time on a Red Hat-style system:
# chkconfig iptables on

2.21 Building complex rule trees

Problem: You want to construct complex firewall behaviours, but you are getting lost in the complexity.

Solution:
Be modular: isolate behaviours into their own chains, then connect the chains in the desired manner.

# iptables -N CHAIN1
# iptables -N CHAIN2
# iptables -N CHAIN3
# iptables -N CHAIN4
# iptables -N CHAIN5

Add your rules to each chain, then connect the chains; for example:

# iptables -A INPUT ......specification...... -j CHAIN1
# iptables -A CHAIN1 ......specification...... -j CHAIN2
# iptables -A CHAIN2 ......specification...... -j CHAIN3
# iptables -A INPUT ......specification...... -j CHAIN4
# iptables -A INPUT ......specification...... -j CHAIN5

Connecting chains is like modular programming with subroutines. The rule:

# iptables -A CHAIN1 ......specification...... -j CHAIN2

creates a jump point to CHAIN2 from this rule in CHAIN1, taken if the rule is satisfied. If CHAIN2 is traversed without any rule giving a verdict (or a rule there hits the RETURN target), control returns to the next rule in CHAIN1, similar to returning from a subroutine. User-defined chains have no policy of their own, so a packet that falls off the end of one always comes back to the caller; only packets that fall off the end of a built-in chain get that chain's policy.

2.22 Logging

Problem: You want the firewall to log and drop certain packets.

Solution: Create a new rule chain that logs and drops in sequence:

# iptables -N LOG_DROP
# iptables -A LOG_DROP -m limit -j LOG --log-level warning --log-prefix "dropped: "
# iptables -A LOG_DROP -j DROP

then use it as a target in any relevant rules:

# iptables ......specification...... -j LOG_DROP

iptables's LOG target causes the kernel to log packets that match your given specification. LOG is not a terminating target: after logging, processing continues with the next rule, which is why the DROP follows it in the chain.

The --log-level option sets the syslog level for these log messages and --log-prefix adds an identifiable string to the log entries (a trailing space keeps the prefix separate from the packet fields that follow it).

The further options --log-uid, --log-tcp-sequence, --log-tcp-options and --log-ip-options affect the information written to the log.

LOG is usually combined with the limit module (-m limit) to cap the number of redundant log entries made per time period, to avoid flooding your logs; without an explicit rate, limit defaults to 3 per hour with a burst of 5.


2.23 Opening ports 80 and 110 on a server machine

These lines are in the format of /etc/sysconfig/iptables (what iptables-save writes and iptables-restore reads); RH-Firewall-1-INPUT is the chain that Red Hat's default configuration jumps to from INPUT. Add them before that chain's final REJECT rule:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT

Verify that a service is actually listening on the port (this checks the socket, not the firewall):
 # netstat -tulpn | less

Make sure iptables is allowing ports 80 / 110:
 # iptables -L -n

Wednesday, 19 June 2013

Iptables Help

iptables is used for packet filtering and, to a good extent, as a firewall. It also has a rate-limiting feature that helps block some types of denial of service (DoS) attacks.

All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each table is dedicated to a particular type of packet activity and is controlled by an associated set of packet transformation/filtering chains.

Three tables are in common use (newer kernels add the raw and security tables, not covered here):

The first is the mangle table, which is responsible for altering packet headers, e.g. the quality of service (TOS/DSCP) bits in the IP header, and for setting packet marks. This is hardly used in a home or SOHO environment.

The second table is the filter table, which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. These are:

Forward chain: Filters packets routed through the firewall to servers protected by it.

Input chain: Filters packets destined for the firewall, i.e. packets coming towards the firewall itself.

Output chain: Filters packets originating from the firewall, i.e. packets going out from the firewall itself.

The third table is the nat table, which is responsible for network address translation. Its built-in chains are:

Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.

Post-routing chain: NATs packets when the source address of the packet needs to be changed.

Output chain: NATs packets generated by the firewall itself.

Table: filter (packet filtering)
  FORWARD      Filters packets routed through the firewall to hosts reachable via another NIC. A machine with two interfaces forwards from one to the other, e.g. from the local network to the router and on to the Internet.
  INPUT        Filters packets destined for the firewall itself.
  OUTPUT       Filters packets originating from the firewall.

Table: nat (network address translation)
  PREROUTING   Address translation before routing. Rewrites the destination IP address so that the firewall's routing table can deliver the packet. Used for NAT of the destination address, known as destination NAT or DNAT.
  POSTROUTING  Address translation after routing, which implies there was no need to modify the destination address as in PREROUTING. Rewrites the source IP address using either one-to-one or many-to-one NAT. Known as source NAT or SNAT.
  OUTPUT       Address translation for packets generated by the firewall itself (rarely used in SOHO environments).

Table: mangle (packet header modification)
  PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD
               Modification of the quality of service bits and other header fields (TOS/DSCP, TTL) and of packet marks before or after routing (rarely used in SOHO environments).

You need to specify the table and the chain for each firewall rule you create, with one exception: most rules are related to filtering, so iptables assumes that any chain named without an associated table belongs to the filter table. The filter table is therefore the default.

Example: a TCP packet from the Internet arrives at the firewall's interface on Network A to create a data connection. The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. It is then routed.

If the packet is destined for a protected network, it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, undergoes SNAT in the POSTROUTING chain before arriving at Network B. When the destination server replies, the reply packet goes through the same sequence of steps in the opposite direction. Both the FORWARD and POSTROUTING chains may carry quality of service (QoS) rules in the mangle table.

If the packet is destined for the firewall itself, it passes through the INPUT chain of the mangle table, if configured, before being filtered by the rules in the INPUT chain of the filter table. If it successfully passes these tests, it is processed by the intended application on the firewall.

At some point the firewall needs to reply. This reply is routed and inspected by the rules in the OUTPUT chain of the mangle table, if any. Next, the rules in the OUTPUT chain of the nat table determine whether DNAT is required, and the rules in the OUTPUT chain of the filter table are then inspected to restrict unauthorized packets. Finally, before the packet is sent back to the Internet, SNAT and QoS mangling are done by the POSTROUTING chain.


Targets And Jumps

Each firewall rule has a target: when a packet matches the rule's criteria, iptables "jumps" to that target, which decides what happens to the packet next (a verdict such as ACCEPT or DROP, or another chain of rules). The built-in targets iptables uses:

Target : ACCEPT
Description : * iptables stops further processing in this chain and table.
              * The packet is handed over to the end application or the operating system for processing.
Most-Common-Options : N/A

Target : DROP
Description : * iptables stops further processing.
              * The packet is silently discarded. No error message is returned to the sending host.
Most-Common-Options : N/A

Target : LOG
Description : * The packet information is sent to the kernel log, and from there to the syslog daemon.
              * iptables continues processing with the next rule in the chain (LOG is a non-terminating target).
              * As a single rule can't log and drop at the same time, it is common to have two similar rules in sequence: the first logs the packet, the second drops it.
Most-Common-Options : --log-prefix "string"
              Prefixes all log messages with a user-defined string, frequently used to record why the logged packet was dropped.

Target : REJECT
Description : * Works like the DROP target, but also returns an error message to the host sending the packet, telling it the packet was blocked.
Most-Common-Options : --reject-with qualifier
              The qualifier selects the type of reject message returned. Qualifiers include:
                  icmp-port-unreachable (default)
                  icmp-net-unreachable
                  icmp-host-unreachable
                  icmp-proto-unreachable
                  icmp-net-prohibited
                  icmp-host-prohibited
                  icmp-admin-prohibited
                  tcp-reset (valid only in rules with -p tcp)

Target : DNAT
Description : * Used to do destination network address translation, i.e. rewriting the destination IP address (and optionally port) of the packet. Valid in the nat table's PREROUTING and OUTPUT chains.
Most-Common-Options : --to-destination ipaddress[:port]
              Tells iptables what the destination IP address (and port) should be.

Target : SNAT
Description : * Used to do source network address translation, rewriting the source IP address of the packet.
              * The source IP address is user defined. Valid in the nat table's POSTROUTING chain.
Most-Common-Options : --to-source <address>[-<address>][:<port>-<port>]
              Specifies the source IP address (or range) and ports to be used by SNAT.

Target : MASQUERADE
Description : * Also does source network address translation, but the source IP address is always the current address of the interface the packet leaves through.
              * Use it instead of SNAT on interfaces with dynamically assigned addresses; its connection-tracking entries are discarded when the interface goes down, so stale translations do not survive an address change.
Most-Common-Options : [--to-ports <port>[-<port>]]
              Specifies the range of source ports to which the original source port can be mapped.
General Iptables Match Criteria

iptables command switch        Description

-t <table>                     If you don't specify a table, the filter table is assumed. As discussed before, the built-in tables include filter, nat and mangle.

-j <target>                    Jump to the specified target (a verdict such as ACCEPT, DROP or REJECT, or a user-defined chain) when the packet matches the current rule.

-A <chain>                     Append the rule to the end of the chain.

-F [chain]                     Flush: delete all the rules in the given chain, or in every chain of the selected table if no chain is given.

-p <protocol>                  Match protocol. Types include icmp, tcp, udp, and all.

-s <ip-address>[/mask]         Match source IP address or network. Prefix with ! to negate.

-d <ip-address>[/mask]         Match destination IP address or network.

-i <interface-name>            Match the "input" interface on which the packet enters (usable in the INPUT, FORWARD and PREROUTING chains only).

-o <interface-name>            Match the "output" interface on which the packet exits (usable in the OUTPUT, FORWARD and POSTROUTING chains only).

In this command switches example:
 # iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT

iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's IP address of 192.168.1.1. The 0/0 representation of an IP address means any address (the same as 0.0.0.0/0). Rules in a chain are evaluated in order and the first matching rule's target decides; if no rule matches, the chain's policy applies.


Common TCP and UDP Match Criteria

Switch                         Description

-p tcp --sport <port>          TCP source port. Can be a single value or a range in the format start-port:end-port.

-p tcp --dport <port>          TCP destination port. Can be a single value or a range in the format start-port:end-port.

-p tcp --syn                   Matches a new TCP connection request (SYN set, ACK and RST clear). ! --syn means "not a new connection request".

-p udp --sport <port>          UDP source port. Can be a single value or a range in the format start-port:end-port.

-p udp --dport <port>          UDP destination port. Can be a single value or a range in the format start-port:end-port.

The port options require the matching -p tcp or -p udp; a rule without a protocol has no ports to match on.

In this example:

# iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT

iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for the address 192.168.1.58, which is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination port is port 80 (www/http).

Common ICMP (Ping) Match Criteria

Match used with -p icmp        Description

--icmp-type <type>             ICMP message type. The most commonly used types are echo-reply and echo-request; iptables -p icmp -h lists them all.

In this example:

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type echo-reply   -j ACCEPT

iptables is being configured to allow the firewall to send ICMP echo-requests (pings) and in turn accept the expected ICMP echo-replies.

Consider another example:

# iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT

The limit feature in iptables specifies the maximum average number of matches to allow per unit of time.

You can specify time intervals in the format /second, /minute, /hour, or /day, or you can use abbreviations so that 3/second is the same as 3/s. A second option, --limit-burst, sets how many packets may match in a burst before the average rate is enforced (default 5).

In this example, ICMP echo requests are accepted at no more than one per second on average. Note that limit is a match, not an action: once the rate is exceeded the rule simply stops matching, and the excess packets continue down the chain. They are only blocked if a later rule (or the chain's policy) drops them, so pair the rule with

# iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP

When tuned correctly, this feature lets you filter the unusually high volumes of traffic that characterize denial of service (DoS) attacks and Internet worms.

# iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
# iptables -A INPUT -p tcp --syn -i eth0 -j DROP

You can expand on the limit feature of iptables to reduce your vulnerability to certain types of denial of service attack.

Here a defense for SYN flood attacks was created by limiting the acceptance of TCP segments with the SYN bit set to no more than five per second on average, and dropping the rest. The limit is global, so a flood from one source also throttles every legitimate client; the hashlimit match, which keeps a separate counter per source address, avoids that, and the kernel's own SYN cookies (net.ipv4.tcp_syncookies) remain the more robust defense against a real flood.
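The two points above, that the limit match is a token bucket whose excess must be caught by a following rule and that a global limit throttles everyone, are easiest to see by running the bucket against a constructed arrival pattern. The script below is an added example, not part of the original post. `simulate_limit` models `-m limit --limit RATE/s --limit-burst BURST`: the bucket starts full, refills at RATE tokens per second up to BURST, and a packet matches only when a whole token is available (the kernel's own implementation counts in jiffies, but the behaviour is the same). The two generators print the rule pairs, global limit and per-source hashlimit, and do not apply them; eth0 as the external interface is an assumption, and `--hashlimit-upto` is the current spelling of what older releases called `--hashlimit`.

```shell
#!/bin/sh
# Token-bucket behaviour of the limit match, and the per-source alternative.
# Added example, not from the original post. simulate_limit models what
# -m limit --limit RATE/s --limit-burst BURST accepts for a constructed list of
# arrival times (milliseconds); the bucket starts full, refills at RATE tokens
# per second up to BURST, and a packet matches only when a whole token is
# available. The rule generators print rule pairs (they do not apply them);
# eth0 as the external interface is an assumption.

# simulate_limit RATE_PER_SEC BURST "t0 t1 t2 ..."  -> "<t> ACCEPT|DROP" per packet
simulate_limit() {
    rate="$1"; burst="$2"; times="$3"
    cap=$((burst * 1000))      # tokens are kept in thousandths
    tokens=$cap; last=0
    for t in $times; do
        tokens=$((tokens + (t - last) * rate))   # ms * per-second rate = milli-tokens
        if [ "$tokens" -gt "$cap" ]; then tokens=$cap; fi
        last=$t
        if [ "$tokens" -ge 1000 ]; then
            tokens=$((tokens - 1000)); echo "$t ACCEPT"
        else
            echo "$t DROP"     # falls through to whatever rule follows
        fi
    done
}

# Global cap: one bucket shared by every source, so a flood from one host
# also starves legitimate clients. The second rule is what actually drops.
syn_limit_rules() {
    iface="$1"; rate="$2"; burst="$3"
    echo "-A INPUT -i $iface -p tcp --syn -m limit --limit $rate --limit-burst $burst -j ACCEPT"
    echo "-A INPUT -i $iface -p tcp --syn -j DROP"
}

# Per-source cap: hashlimit keeps one bucket per source address
# (--hashlimit-mode srcip), so only the noisy client is throttled.
# --hashlimit-upto is the current spelling; older releases called it --hashlimit.
syn_hashlimit_rules() {
    iface="$1"; rate="$2"; burst="$3"; name="${4:-synflood}"
    echo "-A INPUT -i $iface -p tcp --syn -m hashlimit --hashlimit-name $name --hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst -j ACCEPT"
    echo "-A INPUT -i $iface -p tcp --syn -j DROP"
}

# Stand-alone demonstration: 7 SYNs at once, then 6 more a second later
simulate_limit 5 5 "0 0 0 0 0 0 0 1000 1000 1000 1000 1000 1000"
syn_limit_rules eth0 5/s 5
syn_hashlimit_rules eth0 5/s 10
```

With `--limit 5/s --limit-burst 5`, seven SYNs arriving together yield five accepts and two drops, and a full second later the bucket has refilled so five more are accepted; a steady stream of one packet every 200 ms is never dropped. That is exactly why the rate-limited ACCEPT needs the DROP beneath it: on its own it only decides which packets it matches, not what happens to the rest.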