Iptables Configuration Tips and Tricks
Intro
The built-in (kernel level) linux firewall, iptables, can be daunting to attempt to use, however is a simple redirection filter in practice. I have used iptables from everything from securing my home networks, to routing things over a VPN and through a Intrustion Prevention System (Suricata), to other advanced things such as redirecting traffic from a single user going to port 80 to a local squid proxy on a different port. Here I will teach you the basics of how iptables tools are used.
I also set up iptables and/or IDS/IPS software as a service
Prerequesites
I suggest installing iptables-persistent from your distro’s package manager, as well as the iptables utilities (the latter should already be installed).
You’ll need access to the root account on the system to perform these tasks. It also must be a linux machine.
sudo apt update
sudo apt install iptables iptables-persistentGetting ready
First remember that the order of the rules is critical. If you drop all your packets before the rest of the rules come into play, things won’t work right!
I first suggest that you take a look at your current iptables ruleset by running iptables -L -v. This should output something like:
[marshall@jerkon]{12:55 AM}: [~] $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[marshall@jerkon]{12:55 AM}: [~] $This can varry widely depending on your current ruleset, so now you should definately do a
sudo sh -c 'iptables-save > /root/iptables.$(date -I).1'`Which will save your current ruleset to a file that looks something like:
[marshall@jerkon]{01:00 AM}: [~] $ sudo cat /etc/iptables/rules.v4
# Generated by iptables-save v1.8.4 on Sun Nov 14 16:27:45 2021
*filter
:INPUT ACCEPT [8303406:9963142380]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4608688:4796631955]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Nov 14 16:27:45 2021
# Generated by iptables-save v1.8.4 on Sun Nov 14 16:27:45 2021
*nat
:PREROUTING ACCEPT [9588:1345311]
:INPUT ACCEPT [9588:1345311]
:OUTPUT ACCEPT [67180:7143813]
:POSTROUTING ACCEPT [67179:7143681]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sun Nov 14 16:27:45 2021Important: This next command may kill your ssh session as well as other current sessions!
If you would like to flush the current tables you’re now free to do a:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -XThen you should reset your default policy to ACCEPT for this walkthrough:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPTNow you should also grab your current local IP address using something like 1
curl ifconfig.me
iptables -i lo -j ACCEPT
iptables -o lo -j ACCEPT
iptables -I INPUT -s 123.123.123.123 -j ACCEPT
iptables -I OUTPUT -d 123.123.123.123 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPTYou should now make sure things like SMTP won’t work in case the box becomes compromised at some point by dropping all traffic to TCP 25 anywhere (you’ll need to not do this if this is intended to be a mail server).
iptables -A OUTPUT -p tcp --dport 25 -j DROPAlso make sure that DNS will always go through.
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPTMake sure that stuff will work on the outbound:
iptables -A OUTPUT -j ACCEPTYou should also make sure that SSH inbound is open so that you can connect back in, and only have 5 active sessions at once:
ibtables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 5 -j REJECTAlso to demonstrate that commands can be mixed and matched we’ll make sure that the user street can only use IRC from this server.
sudo iptables -A OUTPUT -p tcp -m tcp --match multiport ! --dports 6666,6667,6697,9999 --match owner --uid-owner street -j DROPThen you can drop all pings that are not on your LAN by doing:
iptables -A INPUT -p icmp --pcmp-type echo-request -j ACCEPT
iptables -A INPUT ! -i eth0 -p icmp --icmp-type echo-request -j DROPThen finally you should drop all other incoming packets you didn’t explicity let through earlier by doing:
iptables -A INPUT -j DROPAfter the preceding command, if you have any other things you need to drop, you’ll need to use 1
-I
1
-A
So say you have an attacker 1.2.3.4, you can now do:
iptables -I INPUT 1.2.3.4 -j DROP
iptables -I OUTPUT 1.2.3.4 -j DROPThis will keep the ruls in order.
Conclusion
Once you play around with it until you get the ruleset you like, you should then run the command:
iptables-save > /etc/iptables/rules.v4Which will restore the same iptables rules on reboot.
Note: If somehow you messed up, you can always run: 1
iptables-restore < /rootiptables.$(date -I).1
1
iptables-restore < /etc/iptables/rules.v4
Hope you’ve learned something, and enjoyed reading. If you have any questions, feel free to email me!
Happy New Years!
If you enjoy my work, sponsor or hire me! I work hard keeping oxasploits running!
Bitcoin Address:
bc1qclqhff9dlvmmuqgu4907gh6gxy8wy8yqk596yp
Thank you so much and happy hacking!