NETFILTER PACKET FLOW

NETFILTER PACKET FLOW (kernel):

DROP   silently discards the packet, the sender gets no answer (it just times out)
REJECT discards the packet but sends an error back, so the sender knows the port is closed
example:
(TABLE, CHAIN TO CHECK)  (MATCH CRITERIA)  (TARGET: WHAT TO DO)
iptables -t filter -A INPUT -s 192.168.0.1 -j DROP
Notes:
The default for -t is filter
-s is the source
-A append
-j jump to a target (what to do: ACCEPT, DROP, REJECT, LOG, ...)
ex:
iptables -L -n --line-numbers
The line number is the ID used when inserting and deleting rules
Delete rule:
iptables -D CHAIN 3     (deletes rule number 3 of CHAIN)
Insert rule:
ex:
iptables -I OUTPUT -o eth0 ! -s 192.168.0.4 -j ACCEPT
note:
'!' inverts the criteria (current iptables wants it before the option, "! -s"; the older "-s ! addr" form is deprecated)
-s Source
-d Destination
Network Interface:
-i -o  (input, output)
ex:
Will log all outgoing access to port 8080 (LOG is non-terminating: the packet continues to the next rule)
iptables -A OUTPUT -p tcp -o eth0 --dport 8080 -j LOG
To find out if rules are working (debug)
watch -n 1 iptables -L --line-numbers -v
To add connection tracking (conntrack), so replies to already-accepted connections are let in
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
(-m conntrack --ctstate ESTABLISHED,RELATED is the newer equivalent)
::NAT::
INTERNET – ETH0 – ROUTE – ETH1 – LAN – PC
CHAINS:
Inbound traffic (DNAT) uses PREROUTING, outbound traffic (SNAT/MASQUERADE) uses POSTROUTING
INBOUND
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.20
OUTBOUND (port redirection of the router's own traffic, e.g. to a proxy)
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.0.200:3128
SNAT (OUTBOUND)
MASQUERADE (DYNAMIC IP)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
SNAT (STATIC IP)
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.45
Easiest way to edit the whole ruleset:
iptables-save > iptables.conf
then edit rules:
vim iptables.conf
iptables-restore < iptables.conf
Then save it. iptables-save only prints the active ruleset to stdout, so redirect it to the file your distribution restores at boot (e.g. /etc/iptables/rules.v4 with iptables-persistent on Debian, /etc/sysconfig/iptables on RHEL):
iptables-save > /etc/iptables/rules.v4
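Putting the NAT diagram and the save/restore section together, here is an added example (not from the original notes) that generates a complete ruleset for the eth0/eth1 router in iptables-restore format, the same format iptables-save writes. The LAN network 192.168.0.0/24, the SSH rule and the log prefixes are assumptions; the web server, proxy and static address are the ones from the notes.

```shell
#!/bin/sh
# Emit a ruleset in iptables-restore format for the router in the diagram:
# WAN on eth0, LAN on eth1. All addresses are constructed for this example.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24            # assumed LAN (the notes show single hosts)
WEB_SERVER=192.168.0.20           # DNAT target from the notes
PROXY=192.168.0.200:3128          # proxy from the notes
PUBLIC_IP=${PUBLIC_IP:-1.2.3.45}  # placeholder static address from the notes
build_ruleset() {
cat <<EOF
*filter
# Default-deny. DROP answers nothing, so probes of closed ports just time out.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and conntrack first (-m conntrack --ctstate supersedes -m state --state).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN may SSH to the router; other LAN traffic to it is REJECTed (error back, no timeout).
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j REJECT
# Forward LAN -> internet, and NEW port-80 connections already DNATed to the web server.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# LOG does not terminate: rate-limit, log, then fall through to the DROP policy.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Inbound: DNAT in PREROUTING sends public port 80 to the LAN web server.
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER
# The router's own HTTP is redirected to the proxy (DNAT in OUTPUT).
-A OUTPUT -p tcp --dport 80 -j DNAT --to-destination $PROXY
# Outbound: SNAT in POSTROUTING, WAN interface only. Use -j MASQUERADE on a dynamic address.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $PUBLIC_IP
COMMIT
EOF
}
# Count the -A rules in one table section, so the file can be checked without root.
rule_count() {
    build_ruleset | awk -v t="*$1" '$1 == t {in_t=1; next} /^COMMIT/ {in_t=0} in_t && /^-A/ {n++} END {print n+0}'
}
build_ruleset   # ./mkrules.sh > rules.v4; then: iptables-restore --test rules.v4
```

Review the generated file, check it with iptables-restore --test, and only then load it with iptables-restore; the default-deny policies mean a mistake locks you out of a remote box.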
