
NETFILTER PACKET FLOW

March 29th, 2011

NETFILTER PACKET FLOW (kernel):

DROP   silently discards the packet: the sender gets no reply and has to time out
REJECT discards the packet but sends an error back (ICMP port-unreachable by default, or a TCP RST with --reject-with tcp-reset), so the sender learns at once that the port is closed

example:
(TABLE)    (CHAIN TO APPEND TO)  (MATCH CRITERIA)  (TARGET: WHAT TO DO)
iptables -t filter -A INPUT -s 192.168.0.1 -j DROP

Notes:
-t selects the table; the default is filter (the others are nat, mangle and raw)
-s matches the source address, a single host or a CIDR network
-A appends the rule to the end of the chain; rules are evaluated top to bottom and the first matching terminating target decides
-j jumps to the target, i.e. what to do with a matching packet (ACCEPT, DROP, REJECT, LOG, or a user-defined chain)

ex:
iptables -L -n --line-numbers
(-n skips the reverse DNS lookups, which are slow and leak your queries to the resolver)

The rule number shown by --line-numbers is the position used when inserting (-I) and deleting (-D); numbering starts at 1 and shifts after every change, so list again before the next edit.
Delete rule:
iptables -D CHAIN 3
Insert rule (at position 1, the top of the chain, unless a position is given, e.g. -I CHAIN 3):

ex:
iptables -I OUTPUT -o eth0 ! -s 192.168.0.4 -j ACCEPT
note:
! placed before a match option inverts it (the older form -s ! 192.168.0.4 is deprecated and rejected by recent versions)
-s Source
-d Destination
Network Interface:
-i -o  (input interface, output interface; -i is only valid in INPUT, FORWARD and PREROUTING, -o only in OUTPUT, FORWARD and POSTROUTING)

ex:
Will log all outgoing access to port 8080. LOG is a non-terminating target: the packet is written to the kernel log and then continues down the chain, so a LOG rule is usually followed by the DROP or ACCEPT that actually decides. --dport needs a protocol (-p tcp or -p udp) to be valid.
iptables -A OUTPUT -p tcp -o eth0 --dport 8080 -j LOG

To find out if rules are working (debug), watch the packet and byte counters that -v adds; the counter of the rule you expect to match should climb while you generate traffic:
watch -n 1 iptables -L -n -v --line-numbers

To accept the replies to connections this host opened, add a connection-tracking (conntrack) rule near the top of the chain, before the per-service rules:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
(-m state is the legacy interface; the same match today is -m conntrack --ctstate ESTABLISHED,RELATED)
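Putting the pieces above together, here is a complete stateful host firewall as an added example (not code from the original post): policy DROP, loopback, conntrack first, then the per-service rules, and a rate-limited LOG before the packet falls to the policy. The interface name eth0 and the management network 192.168.0.0/24 are assumptions, as are the variable names; DRY_RUN=1 (the default) prints the commands instead of running them, so the ordering can be inspected without root.

```shell
#!/bin/sh
# Added example (not from the original post): a stateful host firewall assembled
# from the primitives above. DRY_RUN=1 (default) prints the commands it would run;
# DRY_RUN=0 executes them (needs root). WAN_IF and SSH_NET are assumed values.
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"
SSH_NET="${SSH_NET:-192.168.0.0/24}"   # assumed management network

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
ipt() { run "$IPT" "$@"; }

host_firewall() {
    # Start from a known state: flush rules and user chains in the filter table,
    # then set the policies. Policy DROP on INPUT means anything not matched
    # below is dropped.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback must always be allowed or local services break.
    ipt -A INPUT -i lo -j ACCEPT
    # Conntrack goes first: replies to connections we opened, and the bulk of
    # every accepted flow, match here and never reach the per-service rules.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot classify (bad TCP flags, late replies) are dropped
    # rather than being tested against the NEW rules below.
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # New SSH sessions only from the management network.
    ipt -A INPUT -p tcp --dport 22 -s "$SSH_NET" -m conntrack --ctstate NEW -j ACCEPT
    # New web connections from anywhere on the WAN interface.
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # Answer pings, but rate-limited.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    # LOG is non-terminating: log what is about to be dropped, then let it fall
    # through to the DROP policy. The limit keeps a port scan from flooding syslog.
    ipt -A INPUT -m limit --limit 10/minute --limit-burst 20 \
        -j LOG --log-prefix "IPT-INPUT-DROP: " --log-level 4
}

# Number of rules the ruleset appends; always computed in dry-run mode.
rule_count() { ( DRY_RUN=1; host_firewall ) | grep -c -- ' -A '; }

host_firewall
```

Run it once as-is to read the generated commands, then with DRY_RUN=0 as root to apply them. Because the script flushes first, running it twice leaves the same ruleset, unlike a hand-typed sequence of -A commands that duplicates rules on every run.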

::NAT::

INTERNET – ETH0 – ROUTE – ETH1 – LAN – PC

CHAINS:
Destination NAT (changing where an inbound packet goes) is done in PREROUTING, before the routing decision; source NAT (changing where an outbound packet appears to come from) is done in POSTROUTING, after it. Both live in the nat table (-t nat), and only the first packet of a connection traverses that table: conntrack applies the same translation to the rest. NAT rules rewrite addresses but do not move packets between interfaces, so the box also needs forwarding enabled (sysctl -w net.ipv4.ip_forward=1) and a FORWARD chain that accepts the translated traffic.

INBOUND (port forwarding: web traffic arriving on eth0 is sent to an internal server)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.20
OUTBOUND (port redirection for traffic generated on this host, here to a proxy on 3128; the nat OUTPUT chain only sees locally generated packets, so the same redirection for LAN clients goes in PREROUTING with -i eth1)
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.0.200:3128

SNAT (OUTBOUND)
MASQUERADE (DYNAMIC IP: uses whatever address eth0 has at the moment, and forgets its tracked connections when the interface goes down)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

SNAT (STATIC IP: cheaper than MASQUERADE, and connections survive an interface flap; restrict with -o so traffic bound for the LAN is not rewritten)
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.45
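The ROUTE box from the diagram above (INTERNET - eth0 - ROUTE - eth1 - LAN) as a working NAT gateway, added here as an example and not taken from the original post: forwarding is switched on, the LAN is masqueraded behind eth0, inbound port 80 is DNAT'ed to an internal web server, and the FORWARD chain lets exactly that traffic through. The interface names, the LAN network 192.168.0.0/24 and the server address 192.168.0.20 are assumptions; DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): the ROUTE box in the diagram above
# as a NAT gateway. LAN hosts are masqueraded behind eth0 and inbound port 80 is
# forwarded to an internal web server. Interface names, the LAN network and the
# server address are assumed values; DRY_RUN=1 (default) prints the commands,
# DRY_RUN=0 runs them as root.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.0.20}"
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
ipt() { run "$IPT" "$@"; }

nat_gateway() {
    # 1. NAT rules rewrite addresses but never move packets between interfaces:
    #    with forwarding off the DNAT'ed packet is simply dropped by the kernel.
    run sysctl -w net.ipv4.ip_forward=1
    ipt -t nat -F
    ipt -F FORWARD
    ipt -P FORWARD DROP
    # 2. Source NAT on the way out (POSTROUTING, after the routing decision).
    #    Restricted to -o eth0 and the LAN source so LAN-to-LAN traffic is untouched.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # 3. Destination NAT on the way in (PREROUTING, before the routing decision),
    #    so the routing lookup already sees the internal address.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    # 4. The FORWARD chain sees packets *after* DNAT, so the filter rule has to
    #    match the internal address, not the public one.
    #    Anti-spoofing first: nothing arriving from the internet may claim a LAN source.
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Everything else from the internet into the LAN hits the FORWARD DROP policy.
}

nat_gateway
```

The check that usually catches a broken port forward is step 4: a DNAT rule with a FORWARD policy of DROP and no matching accept rule produces a translation that shows up in the nat counters but never reaches the server.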

Easiest way to change a whole ruleset:
iptables-save > iptables.conf
then edit the rules in the file:
vim iptables.conf
and load them back (iptables-restore replaces each table in one commit, so there is no moment with a half-loaded ruleset):
iptables-restore < iptables.conf
Then save it. iptables-save on its own only prints the live rules to stdout; nothing survives a reboot unless the output is written to the file your distribution restores at boot, e.g. /etc/iptables/rules.v4 with Debian/Ubuntu's iptables-persistent package, or /etc/sysconfig/iptables on RHEL/CentOS (where service iptables save writes it for you):
iptables-save > /etc/iptables/rules.v4
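The step that bites on a remote box is iptables-restore: one wrong line in the edited file and the SSH session is gone with no way back. The script below, added here as an example and not part of the original post, wraps the save/edit/restore cycle with the two checks a practitioner wants: it refuses a file that has no ESTABLISHED accept rule, and it starts a watchdog that puts the previous rules back after a timeout unless the operator confirms from a session that still works. SAVE_CMD, RESTORE_CMD and ROLLBACK_PIDFILE are assumed names, made overridable so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original post): load a rules file produced by
# iptables-save, with an automatic rollback if the operator does not confirm
# within a timeout. SAVE_CMD, RESTORE_CMD and ROLLBACK_PIDFILE are assumed
# names, overridable so the logic can be exercised without root.
SAVE_CMD="${SAVE_CMD:-iptables-save}"
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}"
ROLLBACK_PIDFILE="${ROLLBACK_PIDFILE:-/tmp/iptables-rollback.pid}"

# Refuse anything that is not iptables-save output, and anything that would
# cut the SSH session doing the restore (no ESTABLISHED accept rule).
check_rules_file() {
    grep -q '^\*filter' "$1" || { echo "not an iptables-save file: $1" >&2; return 1; }
    grep -q '^COMMIT' "$1"   || { echo "no COMMIT in $1" >&2; return 1; }
    grep -Eq -- '--(state|ctstate) [A-Z,]*ESTABLISHED' "$1" \
        || { echo "no ESTABLISHED,RELATED accept rule in $1, refusing" >&2; return 1; }
}

# apply_with_rollback FILE [TIMEOUT]: save the live rules, load FILE, and start
# a watchdog that puts the saved rules back after TIMEOUT seconds unless
# confirm_rules is run first. Returns 1 without touching the kernel on any error.
apply_with_rollback() {
    file="$1"; timeout="${2:-30}"
    check_rules_file "$file" || return 1
    backup="$(mktemp)" || return 1
    $SAVE_CMD > "$backup" || { rm -f "$backup"; return 1; }
    # iptables-restore commits a table only after parsing it completely, so a
    # syntax error in the file leaves the running rules as they were.
    if ! $RESTORE_CMD < "$file"; then
        echo "restore of $file failed, live rules unchanged" >&2
        rm -f "$backup"; return 1
    fi
    ( sleep "$timeout"; $RESTORE_CMD < "$backup"; rm -f "$backup"
      echo "no confirmation within ${timeout}s: previous rules restored" >&2 ) &
    echo "$! $backup" > "$ROLLBACK_PIDFILE"
    echo "new rules active; run confirm_rules within ${timeout}s to keep them" >&2
}

# confirm_rules: cancel the watchdog and discard the backup.
confirm_rules() {
    [ -f "$ROLLBACK_PIDFILE" ] || { echo "no pending rollback" >&2; return 1; }
    read -r pid backup < "$ROLLBACK_PIDFILE"
    kill "$pid" 2>/dev/null || echo "watchdog already fired: old rules are back" >&2
    rm -f "$backup" "$ROLLBACK_PIDFILE"
}

# Usage: sh this.sh apply iptables.conf 60    (then, from a session that still
#        works: sh this.sh confirm)
case "${1:-}" in
    apply)   apply_with_rollback "$2" "${3:-30}" ;;
    confirm) confirm_rules ;;
esac
```

The watchdog is a plain background subshell rather than a timed read, so it keeps running even if the SSH session that started it is the one the new rules kill; that is the whole point. Pick a timeout long enough to open a fresh connection and run confirm, not so long that a locked-out host stays locked out.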
