Iptables in linux
Uploaded by mandeep-hans (category: Engineering)
TABLE OF CONTENTS
1. What is firewall
2. What is iptables
3. Installing iptables
4. Iptables Configuration
5. Prevent DoS attack
6. Conclusion
What is a Firewall?
• A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer.
• A set of related programs that protects the resources of a private network from users from other networks.
• Linux firewall programs:
  ipfwadm : Linux kernel 2.0.34
  ipchains : Linux kernel 2.2
  iptables : Linux kernel 2.4 and above
What is iptables?
It is the modified firewall package available in the Linux operating system. It was previously known as ipchains; iptables later came with some other improvements:
• Better integration with the Linux kernel, so improved speed and reliability.
• Stateful packet inspection.
• Filter packets according to TCP header and MAC address.
• Better network address translation.
• A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks.
Installing iptables
Most Linux distros, including Red Hat / CentOS Linux, install iptables by default. You can use the following procedure to verify whether iptables has been installed on Red Hat.
Open a terminal and type the following command:
[root@localhost ~]# sudo info iptables
To install iptables:
[root@localhost ~]# apt-get install iptables
Start/Stop iptables services
To stop:
[root@localhost ~]# sudo service ufw stop
ufw stop/waiting
To start:
[root@localhost ~]# sudo service ufw start
ufw start/running
Iptables Command Switch Operations
Targets And Jumps
• Each firewall rule inspects each IP packet and then tries to identify it as the target. Once a target is identified, the packet needs to jump over to it for further processing.
• -j - Jump to the specified target. By default, iptables allows four targets:
  ACCEPT - Accept the packet and stop processing rules in this chain.
  REJECT - Reject the packet and notify the sender that we did so, and stop processing rules in this chain.
  DROP - Silently ignore the packet, and stop processing rules in this chain.
  LOG - Log the packet, and continue processing more rules in this chain.
Check the iptables rule list:
Allowing Established Sessions
We can allow established sessions to receive traffic:
[root@localhost ~]# sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allowing Incoming Traffic on Specific Ports
To allow incoming traffic on the default SSH port (22), you could tell iptables to allow all TCP traffic on that port to come in.
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Referring back to the list above, you can see that this tells iptables:
1. append this rule to the INPUT chain (-A INPUT) so we look at incoming traffic
2. check to see if it is TCP (-p tcp)
3. check to see if the input goes to the SSH port (--dport ssh)
4. if so, accept the input (-j ACCEPT)
Allow all incoming web traffic:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Blocking an IP Address
Initially we install Apache tomcat7 server on Ubuntu and run HelloWorld servlet example.
• The following rule will drop any packets whose source address is 127.0.0.1 (the -s option matches the source address):
[root@localhost ~]# iptables -I INPUT -s 127.0.0.1 -j DROP
Blocking Traffic
Once a decision is made to accept a packet, no more rules affect it. As our rules allowing ssh and web traffic come first, as long as our rule to block all traffic comes after them, we can still accept the traffic we want. All we need to do is put the rule to block all traffic at the end.
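The ordering point above is easy to get wrong with -I versus -A, so here is an added example (not from the slides) that models how the INPUT chain walks its rules top to bottom: ACCEPT, DROP and REJECT end processing at the first match, LOG records the packet and continues, and a chain with no terminating match falls back to its policy. The rule list mirrors the deck (ESTABLISHED,RELATED first, then SSH, then HTTP); the trailing LOG rule and the final catch-all DROP ("iptables -A INPUT -j DROP", the "block all traffic at the end" rule the slides describe without showing) are assumptions, as are the constructed sample packets.

```python
# Added example: a small model of iptables first-match-wins chain evaluation.
# Assumed rules (not on the slides): a trailing "-j LOG" and a final "-j DROP".
from dataclasses import dataclass, field
from typing import Callable, List, Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # LOG is the non-terminating target


@dataclass
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # destination port, None for icmp
    state: str               # conntrack state: "NEW", "ESTABLISHED" or "RELATED"
    src: str = "203.0.113.5" # constructed sample source address (TEST-NET-3)


@dataclass
class Rule:
    match: Callable[[Packet], bool]   # the rule's match criteria
    target: str                       # what -j jumps to
    spec: str                         # the iptables command it corresponds to


@dataclass
class Chain:
    policy: str = "ACCEPT"            # default policy if no rule terminates
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def append(self, rule: Rule) -> None:   # like "iptables -A"
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # like "iptables -I" (top of chain)
        self.rules.insert(0, rule)

    def evaluate(self, pkt: Packet) -> str:
        """Walk the chain in order; return the verdict for this packet."""
        for rule in self.rules:
            if not rule.match(pkt):
                continue
            if rule.target == "LOG":
                # LOG records the packet and keeps processing later rules
                self.log.append(f"{rule.spec}: {pkt.proto} dport={pkt.dport} state={pkt.state}")
                continue
            if rule.target in TERMINATING:
                return rule.target           # first terminating match wins
        return self.policy


def build_input_chain() -> Chain:
    """The INPUT chain in the order the slides build it, plus the assumed tail."""
    chain = Chain(policy="ACCEPT")
    chain.append(Rule(lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT",
                      "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"))
    chain.append(Rule(lambda p: p.proto == "tcp" and p.dport == 22, "ACCEPT",
                      "iptables -A INPUT -p tcp --dport ssh -j ACCEPT"))
    chain.append(Rule(lambda p: p.proto == "tcp" and p.dport == 80, "ACCEPT",
                      "iptables -A INPUT -p tcp --dport 80 -j ACCEPT"))
    chain.append(Rule(lambda p: True, "LOG", "iptables -A INPUT -j LOG"))    # assumed
    chain.append(Rule(lambda p: True, "DROP", "iptables -A INPUT -j DROP"))  # assumed
    return chain


def verdicts(chain: Chain, packets: List[Packet]) -> List[str]:
    return [chain.evaluate(p) for p in packets]


if __name__ == "__main__":
    sample = [Packet("tcp", 22, "NEW"), Packet("tcp", 80, "NEW"),
              Packet("tcp", 443, "NEW"), Packet("tcp", 443, "ESTABLISHED")]
    good = build_input_chain()
    print(verdicts(good, sample))        # ACCEPT, ACCEPT, DROP, ACCEPT
    print(good.log)                      # only the port-443 NEW packet was logged
    # The same DROP rule inserted at the top (-I) shadows every rule below it.
    bad = build_input_chain()
    bad.insert(Rule(lambda p: True, "DROP", "iptables -I INPUT -j DROP"))
    print(verdicts(bad, sample))         # DROP for everything
```

Running it shows why the deck insists on appending the block-everything rule last: the same rule placed with -I turns a useful firewall into one that drops the SSH session you are administering it from.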
Saving iptables
Save your firewall rules to a file:
# sudo sh -c "iptables-save > /etc/iptables.rules"
Prevent DoS Attack:
The following iptables rule will help you prevent a Denial of Service (DoS) attack on your web server:
# iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-m limit: This uses the limit iptables extension.
--limit 25/minute: This limits to a maximum of 25 connections per minute.
--limit-burst 100: This value indicates that the limit/minute will be enforced only after the total number of connections has reached the limit-burst level.
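The limit match is a token bucket, and the interaction between --limit and --limit-burst is clearer in code than in prose. The following is an added example (not from the slides): a simulation of the bucket behind the deck's rule, starting full at the burst size, refilling at the --limit rate, and matching only while a token is available. One caveat the slide does not state: when the bucket is empty the rule simply does not match, so the excess packets fall through to whatever rule follows; the deck's ACCEPT rule only throttles if it is followed by a rule that drops port-80 traffic (assumed here as "iptables -A INPUT -p tcp --dport 80 -j DROP"). The arrival timestamps are constructed.

```python
# Added example: token-bucket model of "-m limit --limit 25/minute --limit-burst 100".
# Assumed follow-up rule (not on the slides): a DROP for port 80 after the ACCEPT,
# so a non-matching packet is counted here as dropped.
from typing import List, Tuple


class LimitMatch:
    """Models the iptables limit match: a bucket of 'burst' tokens refilled at 'rate'."""

    def __init__(self, rate_per_minute: float, burst: int):
        self.rate = rate_per_minute / 60.0   # tokens added per second
        self.burst = float(burst)            # bucket capacity (--limit-burst)
        self.tokens = float(burst)           # bucket starts full
        self.last = 0.0                      # time of the previous check, seconds

    def matches(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0               # this packet spends a token and matches
            return True
        return False                         # bucket empty: rule does not match


def simulate(arrivals: List[float], rate_per_minute: float = 25, burst: int = 100) -> Tuple[int, int]:
    """Return (accepted, dropped) for packet arrival times in seconds."""
    lim = LimitMatch(rate_per_minute, burst)
    accepted = dropped = 0
    for t in sorted(arrivals):
        if lim.matches(t):
            accepted += 1                    # -j ACCEPT
        else:
            dropped += 1                     # falls through to the assumed DROP rule
    return accepted, dropped


def flood_then_quiet() -> Tuple[int, int]:
    """Constructed traffic: 200 packets inside one second, then 30 packets two minutes later."""
    flood = [i / 200.0 for i in range(200)]
    later = [120.0] * 30
    return simulate(flood + later)


def steady_one_per_second(seconds: int = 600) -> Tuple[int, int]:
    """Constructed traffic: one packet per second, i.e. 60/minute against a 25/minute limit."""
    return simulate([float(t) for t in range(seconds)])


if __name__ == "__main__":
    print(flood_then_quiet())          # (130, 100): the burst absorbs 100, the rest fall through
    print(steady_one_per_second())     # roughly 100 burst + 25/min * 10 min accepted
```

The first scenario shows that --limit-burst, not --limit, decides how much of a sudden flood gets through; the second shows the long-run rate settling toward 25 per minute once the initial 100 tokens are spent.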
Conclusion
With iptables we get different services such as firewalling, routing, NAT and logging, and we can also block some types of DoS attacks just by implementing a few rules.
Thank You!!!