4. Stateful firewall
Accept packets that belong to connections conntrack already knows, then allow only the first packet (NEW) of connections to the services you publish. Rule order matters: the ESTABLISHED rule comes first so replies never have to be matched against port-specific rules. Most rulesets accept ESTABLISHED,RELATED (ICMP errors, FTP data channels) in the first rule and drop packets in state INVALID.
iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
5. Logging
LOG is a non-terminating target: the packet is written to the kernel log and then continues to the next rule, so an ACCEPT or DROP must still follow. Log NEW connections only, and rate-limit the rule with the limit match in production, otherwise an attacker can fill the log.
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j LOG --log-prefix "InHttp: "
6. Tables overview
Filter is the default table: if you don't select a table with -t, your rules go into filter.
Each table has a number of predefined (built-in) chains; chain names are case-sensitive and upper case. You can also create your own chains in any table.

Table     Built-in chains
Filter    INPUT, FORWARD, OUTPUT
Nat       PREROUTING, OUTPUT, POSTROUTING
Mangle    PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
Raw       PREROUTING, OUTPUT
7. Tables in shell
Select the table with -t (filter when omitted). Mark connections that have carried more than 10 MB in both directions together:
iptables -t mangle -A POSTROUTING -o $NETCARD -p tcp -m connbytes --connbytes 10000000: --connbytes-mode bytes --connbytes-dir both -j CONNMARK --set-mark 999
Drop packets of established HTTP connections that carry a request for /admin. The string match looks at one packet at a time and sees nothing inside TLS, so this is a speed bump, not an access control:
iptables -t mangle -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm --icase --string "GET /admin HTTP/" -m conntrack --ctstate ESTABLISHED -j DROP
Drop SSH during a time window (dates in YYYY-MM-DDThh:mm:ss form, interpreted as UTC because of --utc):
iptables -t filter -A INPUT -p tcp --dport 22 -m time --datestart "<start>" --datestop "<stop>" --utc -j DROP
8. Custom chains
Create a new chain
iptables -N LOGDROP
Add chain rules
iptables -A LOGDROP -j LOG --log-level 4 --log-prefix 'SourceDrop '
iptables -A LOGDROP -j DROP
Jump to the chain from a built-in chain (here every source in 10.0.0.0/8 is logged, then dropped). If no rule in a user-defined chain terminates the packet, processing returns to the rule after the jump.
iptables -A INPUT -s 10.0.0.0/8 -j LOGDROP
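The three pieces above (the stateful rules of section 4, the logging rule of section 5 and the LOGDROP chain of section 8) only make sense together, in the right order and with a default-deny policy. The script below is an added example, not code from the original slides: it prints the complete filter table in iptables-restore format and runs a static check over it, so the ruleset can be reviewed before it is loaded. The interface name eth0, the service ports 22 and 80 and the blocked network 10.0.0.0/8 are assumed defaults, and the loopback, INVALID and rate-limit rules are additions a practitioner normally wants.

```sh
#!/bin/sh
# Added example, not from the original slides: generate the filter table as an
# iptables-restore file that combines the stateful rules (section 4), the HTTP
# logging rule (section 5) and the LOGDROP chain (section 8). It only prints
# text; review it, then load it with `iptables-restore < file`.
# WAN_IF, TCP_SERVICES and BLOCKED_NETS defaults are assumptions for the example.

WAN_IF="${WAN_IF:-eth0}"                    # interface carrying untrusted traffic
TCP_SERVICES="${TCP_SERVICES:-22 80}"       # ports that may receive NEW connections
BLOCKED_NETS="${BLOCKED_NETS:-10.0.0.0/8}"  # sources that are logged and dropped

emit() { printf '%s\n' "$1"; }

# Print the complete filter table in the order iptables-restore expects.
build_filter_ruleset() {
  local net p
  emit '*filter'
  emit ':INPUT DROP [0:0]'        # default deny inbound ...
  emit ':FORWARD DROP [0:0]'      # ... and forwarded traffic
  emit ':OUTPUT ACCEPT [0:0]'
  emit ':LOGDROP - [0:0]'         # user-defined chain, no policy
  # LOGDROP: rate-limited log, then drop (section 8). The limit keeps a flood
  # of blocked packets from filling the log.
  emit '-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-level 4 --log-prefix "SourceDrop "'
  emit '-A LOGDROP -j DROP'
  emit '-A INPUT -i lo -j ACCEPT'
  # Blocked sources are handled first so they never match the stateful rule.
  for net in $BLOCKED_NETS; do
    emit "-A INPUT -i $WAN_IF -s $net -j LOGDROP"
  done
  # Stateful core (section 4): replies and related traffic (ICMP errors, FTP
  # data) are accepted early; packets conntrack cannot classify are dropped.
  emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  emit '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  # NEW connections to the published services; HTTP is logged (section 5)
  # before being accepted, again rate-limited.
  for p in $TCP_SERVICES; do
    if [ "$p" = 80 ]; then
      emit "-A INPUT -i $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 10/min -j LOG --log-prefix \"InHttp: \""
    fi
    emit "-A INPUT -i $WAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Everything else is logged and dropped instead of silently hitting the policy.
  emit '-A INPUT -j LOGDROP'
  emit 'COMMIT'
}

# Static check before loading: the table is committed, every chain that is
# jumped to is declared, and the ESTABLISHED rule precedes the first NEW accept.
check_ruleset() {
  local rules="$1" target est new
  printf '%s\n' "$rules" | grep -q '^COMMIT$' || return 1
  for target in $(printf '%s\n' "$rules" | sed -n 's/.* -j \([A-Za-z_]*\).*/\1/p' | sort -u); do
    case "$target" in ACCEPT|DROP|REJECT|LOG|RETURN) continue ;; esac
    printf '%s\n' "$rules" | grep -q "^:$target " || return 1
  done
  est=$(printf '%s\n' "$rules" | grep -n -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' | head -n 1 | cut -d: -f1)
  new=$(printf '%s\n' "$rules" | grep -n -- '--ctstate NEW -j ACCEPT' | head -n 1 | cut -d: -f1)
  [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}

if [ "${1:-}" = "--print" ]; then
  build_filter_ruleset
fi
```

Run it with `--print` and redirect the output to a file; `iptables-restore` loads the whole file atomically, so either every rule is installed or nothing changes. Because the INPUT policy is DROP, apply it from a console or with a scheduled rollback when working over SSH.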
9. Netfilter in user land
The NFQUEUE target hands packets to a user-space program through libnetfilter_queue.
Packets are not duplicated: the kernel holds each queued packet until the program answers.
The user application has to return a verdict (accept, drop, or an accept with a modified packet) for every packet. If no program is listening on the queue, queued packets are dropped unless the rule was added with --queue-bypass.
Useful for debugging rules and for inspection that no iptables match can express.
10. ip sets
Constant-time hash lookup: one rule matches thousands of addresses or networks, where one rule per address would be a linear scan of the chain.
modprobe ip_set
ipset create droplist hash:net
ipset add droplist 192.168.1.0/24
iptables -A INPUT -m set --match-set droplist src -j DROP
Older ipset versions use "ipset -N droplist nethash" and "-m set --set droplist src"; src tells the match to compare the source address against the set.
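Block lists are rarely typed in by hand; they arrive as a text feed. The script below is an added example, not code from the original slides: it validates every entry of a feed, writes an `ipset restore` script that fills a temporary set and swaps it into the live set atomically, and prints the iptables rule that uses the set. The feed is constructed for the example and the set name droplist is an assumption; load the output with `ipset -exist restore < file`.

```sh
#!/bin/sh
# Added example, not from the original slides: convert a CIDR block list into
# an `ipset restore` script plus the iptables rule that uses the set. Entries
# are validated so a malformed feed cannot smuggle extra ipset commands, and
# the set is built under a temporary name and swapped in atomically. The feed
# below is constructed for the example; SET_NAME is an assumption.

SET_NAME="${SET_NAME:-droplist}"

SAMPLE_FEED='# constructed block list; comments and blank lines are common in real feeds
192.168.1.0/24
203.0.113.0/24   # trailing comment

198.51.100.7
not-an-address
10.0.0.0/33
'

# Accept dotted-quad IPv4 with an optional /0-32 prefix and octets <= 255.
valid_cidr() {
  local o
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
  for o in $(printf '%s' "${1%%/*}" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# Read a feed on stdin and print an ipset-restore script on stdout. Invalid
# entries are reported on stderr and skipped.
build_ipset_restore() {
  local tmp="${SET_NAME}_tmp" line
  printf 'create %s hash:net\n' "$SET_NAME"   # no-op when loaded with ipset -exist
  printf 'create %s hash:net\n' "$tmp"
  printf 'flush %s\n' "$tmp"                  # discard leftovers from an aborted run
  while IFS= read -r line; do
    line="${line%%#*}"                                    # drop comments
    line="$(printf '%s' "$line" | tr -d '[:space:]')"     # and whitespace
    [ -z "$line" ] && continue
    if valid_cidr "$line"; then
      printf 'add %s %s\n' "$tmp" "$line"
    else
      printf 'skipped invalid entry: %s\n' "$line" >&2
    fi
  done
  printf 'swap %s %s\n' "$tmp" "$SET_NAME"    # live set now holds the new list
  printf 'destroy %s\n' "$tmp"
}

# The matching iptables rule; src compares the set against the source address.
ipset_drop_rule() {
  printf '%s\n' "-A INPUT -m set --match-set $SET_NAME src -j DROP"
}

if [ "${1:-}" = "--print" ]; then
  printf '%s' "$SAMPLE_FEED" | build_ipset_restore
  ipset_drop_rule
fi
```

The swap is the point of the temporary set: while the new list is being added, the firewall keeps matching against the old contents, and at no moment does it run with an empty or half-filled set.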
11. Useful commands
Flush all rules (of the filter table unless -t is given). Chain policies and user-defined chains stay in place, so with an INPUT policy of DROP a flush leaves you with no ACCEPT rules at all; set the policies to ACCEPT first when working remotely.
iptables -F
Quickly restore rules from a file written by iptables-save. The load is atomic: either the whole file is installed or nothing changes.
iptables-restore < <rules list file>