SlideShare uma empresa Scribd logo

Packet Filtering Using Iptables

Ahmed Mekkawy
Ahmed Mekkawy
Tecnologia
1 de 15
Baixar para ler offline
Packet Filtering using iptables Ahmed Mekkawy AKA linuxawy
What is iptables/netfilter? • The native firewall in GNU/Linux is iptables/netfilter. • Netfilter is a kernel patch (now it's basic in all modern kernels, unless you compiled your own without it) • Iptables is just a configuration tool for netfilter. • You can uninstall iptables, but not netfilter. • Netfilter cannot be stopped. Anyway you can remove all rules so it doesn't do anything. • Iptables rules are volatile, you have to put them in a startup script to start with booting.
What are the tables/ chains? Tables => Chains => Rules We have 3 tables: • Filter table • Nat table • Mangle table We will focus on the filter table today, in filter table we have 3 main chains, which are: • INPUT chain • FORWARD chain • OUTPUT chain
Packets path file:///home/linuxawy/Presentations/iptables.png
Iptables syntax How to add a rule: • iptables -t table -A/I chain condition -j target iptables -A INPUT -p tcp –-dport 80 -j ACCEPT How to list rules: • iptables -t (table) -L (-n) (--line-number) How to delete a rule: • iptables -t (table) -D (chain) (condition) (action) • iptables -t (table) -D (chain) (rule number)
conditions -p tcp,udp,icmp,all • -s source_ip • -d destination_ip • --sport source_port • --dport destination_port • -i input_interface • -o output_interface • -m state --state NEW,ESTABLISHED,RELATED • ... etc • -p tcp -s IP –-sport 80 –-d IP -m state –-state NEW
Targets • ACCEPT: let it pass • DROP: ignore it, and don't send any responce. • REJECT: drop the packet, and reply with error message (e.g port not used, host unreachable, .. etc) – to be used if you want the attacker not to know that you are using a firewall. • COSTOM_CHAIN: to direct the packet to a custom chain. • SNAT, DNAT, .... : not used in filter table, to be used in the nat and mangle table, explained in other sessions isA.
3-way connection The 3-way connection is the most commonly used connection. That happens in 3 steps: • Step 1: client initiates the connection to the server. The connection type is now NEW. • Step 2: server replies with acknowledgment, the connection is now in the ESTABLISHED state. • Step 3: the client acknowledges the server, and starts to send its data in an ESTABLISHED connection. After that, the connection continues in both ways normally.
iptables initialization • First, we flush all chains, delete custom chains, zero all counters: iptables -F iptables -X iptables -Z • Turn off IP forwarding: echo 0 > /proc/sys/net/ipv4/ip_forward • Enable dynamic IP support. 1: enable, 2: verbose, 0: disable echo quot;1quot; > /proc/sys/net/ipv4/ip_dynaddr • To use RELATED in ftp rules, add ip_conntrack_ftp: modprobe ip_conntrack_ftp
Set policies, enable loopback • Set default policy to DROP: iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP • Enable all connections on the loopback interface: iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -i lo -j ACCEPT
Enable pings • Enable incoming/outgoing pings: • Incoming: iptables -A INPUT -p icmp –-icmp-type echo- request -j ACCEPT iptables -A OUTPUT -p icmp -–icmp-type echo- reply -j ACCEPT • Outgoing: iptables -A OUTPUT -p icmp -–icmp-type echo- request -j ACCEPT iptables -A INPUT -p icmp –-icmp-type echo-reply - j ACCEPT
Add your rules Example: web server sport dport ============> CLIENT SERVER <============ dport sport iptables (-t filter) -A INPUT -p tcp –-dport 80 -m state –-state NEW,ESTABLISHED -j ACCEPT iptables (-t filter) -A OUTPUT -p tcp –-sport 80 -m state –-state ESTABLISHED -j ACCEPT
Special connections: ftp • You must enable kernel module ip_conntrack_ftp • FTP has 3 types of connections: Control Port: Port 21, normal 3 way connection initiated by client. • Active connection: Port 20, normal 3 way connection RELATED to the previous connection, initiated by client Passive connection: 3 way connection RELATED to the control connection, initiated by the server from a random port on the server to a random port at the client
ftp - continued •# Control Port: •iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT •iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT •# Active mode: •iptables -A OUTPUT -p tcp --dport 20 --sport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT •iptables -A INPUT -p tcp --sport 20 --dport 1024: -m state --state ESTABLISHED -j ACCEPT •# Passive mode: •iptables -A OUTPUT -p tcp --dport 1024: --sport 1024: -m state --state ESTABLISHED -j ACCEPT •iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
Thank you Questions?? ahmed.mekkawy@espace.com.eg

Recomendados

Iptables
IptablesIptables
Iptablesleminhvuong
 
Iptables fundamentals
Iptables fundamentalsIptables fundamentals
Iptables fundamentalsram_b17
 
Understanding iptables
Understanding iptablesUnderstanding iptables
Understanding iptablesDenys Haryachyy
 
IP Tables Primer - Part 1
IP Tables Primer - Part 1IP Tables Primer - Part 1
IP Tables Primer - Part 1n|u - The Open Security Community
 
IP tables
IP tablesIP tables
IP tablesaamodt
 
Netfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scaleNetfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scalebrouer
 
Introduction to firewalls through Iptables
Introduction to firewalls through IptablesIntroduction to firewalls through Iptables
Introduction to firewalls through IptablesBud Siddhisena
 
Iptables in linux
Iptables in linuxIptables in linux
Iptables in linuxMandeep Singh
 

Recomendados

Iptables
IptablesIptables
Iptablesleminhvuong
 
Iptables fundamentals
Iptables fundamentalsIptables fundamentals
Iptables fundamentalsram_b17
 
Understanding iptables
Understanding iptablesUnderstanding iptables
Understanding iptablesDenys Haryachyy
 
IP Tables Primer - Part 1
IP Tables Primer - Part 1IP Tables Primer - Part 1
IP Tables Primer - Part 1n|u - The Open Security Community
 
IP tables
IP tablesIP tables
IP tablesaamodt
 
Netfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scaleNetfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scalebrouer
 
Introduction to firewalls through Iptables
Introduction to firewalls through IptablesIntroduction to firewalls through Iptables
Introduction to firewalls through IptablesBud Siddhisena
 
Iptables in linux
Iptables in linuxIptables in linux
Iptables in linuxMandeep Singh
 
Basics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesBasics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesPrzemysław Piotrowski
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshopjvehent
 
Fcsi601 Linux Firewall Nat
Fcsi601 Linux Firewall NatFcsi601 Linux Firewall Nat
Fcsi601 Linux Firewall Natnarayannpp
 
Iptables Configuration
Iptables ConfigurationIptables Configuration
Iptables Configurationstom123
 
Iptables the Linux Firewall
Iptables the Linux Firewall Iptables the Linux Firewall
Iptables the Linux Firewall Syed fawad Gillani
 
Router Commands Overview
Router Commands OverviewRouter Commands Overview
Router Commands OverviewMuhammed Niyas
 
03 linuxfirewall1
03 linuxfirewall103 linuxfirewall1
03 linuxfirewall1Iwan Threads
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network securityThanawan Tuamyim
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux FirewallMarian Marinov
 
Network Mapper (NMAP)
Network Mapper (NMAP)Network Mapper (NMAP)
Network Mapper (NMAP)KHNOG
 
TCPdump-Wireshark
TCPdump-WiresharkTCPdump-Wireshark
TCPdump-WiresharkHarsh Singh
 
IPTables Primer - Part 2
IPTables Primer - Part 2IPTables Primer - Part 2
IPTables Primer - Part 2Nishanth Kumar Pathi
 
25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examplesTeja Bheemanapally
 
Cisco CCNA OSPF IPV6 Configuration
Cisco CCNA OSPF IPV6 ConfigurationCisco CCNA OSPF IPV6 Configuration
Cisco CCNA OSPF IPV6 ConfigurationHamed Moghaddam
 
Lession2 Xinetd
Lession2 XinetdLession2 Xinetd
Lession2 Xinetdleminhvuong
 
Linux internet server security and configuration tutorial
Linux internet server security and configuration tutorialLinux internet server security and configuration tutorial
Linux internet server security and configuration tutorialannik147
 
Nmap
NmapNmap
NmapMegha Sahu
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAPPhannarith Ou, G-CISO
 
6 stages of linux boot process
6 stages of linux boot process6 stages of linux boot process
6 stages of linux boot processTeja Bheemanapally
 
Linux booting procedure
Linux booting procedureLinux booting procedure
Linux booting procedureDhaval Kaneria
 
Linux booting process!!
Linux booting process!!Linux booting process!!
Linux booting process!!sourav verma
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentationEmin Abdul Azeez
 

Mais conteúdo relacionado

Mais procurados

Basics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesBasics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesPrzemysław Piotrowski
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshopjvehent
 
Fcsi601 Linux Firewall Nat
Fcsi601 Linux Firewall NatFcsi601 Linux Firewall Nat
Fcsi601 Linux Firewall Natnarayannpp
 
Iptables Configuration
Iptables ConfigurationIptables Configuration
Iptables Configurationstom123
 
Router Commands Overview
Router Commands OverviewRouter Commands Overview
Router Commands OverviewMuhammed Niyas
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network securityThanawan Tuamyim
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux FirewallMarian Marinov
 
Network Mapper (NMAP)
Network Mapper (NMAP)Network Mapper (NMAP)
Network Mapper (NMAP)KHNOG
 
TCPdump-Wireshark
TCPdump-WiresharkTCPdump-Wireshark
TCPdump-WiresharkHarsh Singh
 
25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examplesTeja Bheemanapally
 
Cisco CCNA OSPF IPV6 Configuration
Cisco CCNA OSPF IPV6 ConfigurationCisco CCNA OSPF IPV6 Configuration
Cisco CCNA OSPF IPV6 ConfigurationHamed Moghaddam
 
Linux internet server security and configuration tutorial
Linux internet server security and configuration tutorialLinux internet server security and configuration tutorial
Linux internet server security and configuration tutorialannik147
 

Mais procurados (18)

Basics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesBasics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptables
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshop
 
Fcsi601 Linux Firewall Nat
Fcsi601 Linux Firewall NatFcsi601 Linux Firewall Nat
Fcsi601 Linux Firewall Nat
 
Iptables Configuration
Iptables ConfigurationIptables Configuration
Iptables Configuration
 
Iptables the Linux Firewall
Iptables the Linux Firewall Iptables the Linux Firewall
Iptables the Linux Firewall
 
Router Commands Overview
Router Commands OverviewRouter Commands Overview
Router Commands Overview
 
03 linuxfirewall1
03 linuxfirewall103 linuxfirewall1
03 linuxfirewall1
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network security
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewall
 
Network Mapper (NMAP)
Network Mapper (NMAP)Network Mapper (NMAP)
Network Mapper (NMAP)
 
TCPdump-Wireshark
TCPdump-WiresharkTCPdump-Wireshark
TCPdump-Wireshark
 
IPTables Primer - Part 2
IPTables Primer - Part 2IPTables Primer - Part 2
IPTables Primer - Part 2
 
25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples
 
Cisco CCNA OSPF IPV6 Configuration
Cisco CCNA OSPF IPV6 ConfigurationCisco CCNA OSPF IPV6 Configuration
Cisco CCNA OSPF IPV6 Configuration
 
Lession2 Xinetd
Lession2 XinetdLession2 Xinetd
Lession2 Xinetd
 
Linux internet server security and configuration tutorial
Linux internet server security and configuration tutorialLinux internet server security and configuration tutorial
Linux internet server security and configuration tutorial
 
Nmap
NmapNmap
Nmap
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
 

Destaque

6 stages of linux boot process
6 stages of linux boot process6 stages of linux boot process
6 stages of linux boot processTeja Bheemanapally
 
Linux booting procedure
Linux booting procedureLinux booting procedure
Linux booting procedureDhaval Kaneria
 
Linux booting process!!
Linux booting process!!Linux booting process!!
Linux booting process!!sourav verma
 
System and network administration network services
System and network administration network servicesSystem and network administration network services
System and network administration network servicesUc Man
 
Linux process management
Linux process managementLinux process management
Linux process managementRaghu nath
 
Process management in linux
Process management in linuxProcess management in linux
Process management in linuxMazenetsolution
 

Destaque (8)

6 stages of linux boot process
6 stages of linux boot process6 stages of linux boot process
6 stages of linux boot process
 
Linux booting procedure
Linux booting procedureLinux booting procedure
Linux booting procedure
 
Linux booting process!!
Linux booting process!!Linux booting process!!
Linux booting process!!
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentation
 
System and network administration network services
System and network administration network servicesSystem and network administration network services
System and network administration network services
 
Linux process management
Linux process managementLinux process management
Linux process management
 
Process management in linux
Process management in linuxProcess management in linux
Process management in linux
 
Processes
ProcessesProcesses
Processes
 

Semelhante a Packet Filtering Using Iptables

Firewalls rules using iptables in linux
Firewalls rules using iptables in linuxFirewalls rules using iptables in linux
Firewalls rules using iptables in linuxaamir lucky
 
Stupid iptables tricks
Stupid iptables tricksStupid iptables tricks
Stupid iptables tricksJim MacLeod
 
Athenticated smaba server config with open vpn
Athenticated smaba server config with open vpnAthenticated smaba server config with open vpn
Athenticated smaba server config with open vpnChanaka Lasantha
 
(NET404) Making Every Packet Count
(NET404) Making Every Packet Count(NET404) Making Every Packet Count
(NET404) Making Every Packet CountAmazon Web Services
 
25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examplesTeja Bheemanapally
 
Complete squid &amp; firewall configuration. plus easy mac binding
Complete squid &amp; firewall configuration. plus easy mac bindingComplete squid &amp; firewall configuration. plus easy mac binding
Complete squid &amp; firewall configuration. plus easy mac bindingChanaka Lasantha
 
AWS re:Invent 2016: Making Every Packet Count (NET404)
AWS re:Invent 2016: Making Every Packet Count (NET404)AWS re:Invent 2016: Making Every Packet Count (NET404)
AWS re:Invent 2016: Making Every Packet Count (NET404)Amazon Web Services
 
How to shutdown and power up of the netapp cluster mode storage system
How to shutdown and power up of the netapp cluster mode storage systemHow to shutdown and power up of the netapp cluster mode storage system
How to shutdown and power up of the netapp cluster mode storage systemSaroj Sahu
 
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdfNote I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdfezonesolutions
 
How to shut down Netapp san 9.2 cluster mode version1
How to shut down Netapp san 9.2 cluster mode version1How to shut down Netapp san 9.2 cluster mode version1
How to shut down Netapp san 9.2 cluster mode version1Saroj Sahu
 
How to shutdown the Netapp SAN 8.3 and 9.2 version
How to shutdown the Netapp SAN 8.3 and 9.2 versionHow to shutdown the Netapp SAN 8.3 and 9.2 version
How to shutdown the Netapp SAN 8.3 and 9.2 versionSaroj Sahu
 
How To Install and Configure SNMP on RHEL 7 or CentOS 7
How To Install and Configure SNMP on RHEL 7 or CentOS 7How To Install and Configure SNMP on RHEL 7 or CentOS 7
How To Install and Configure SNMP on RHEL 7 or CentOS 7VCP Muthukrishna
 
Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)
Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)
Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)Jordi Cabot
 
Things you should know for network programming
Things you should know for network programmingThings you should know for network programming
Things you should know for network programmingAnry Lu
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days
 
Multihomed Linux router
Multihomed Linux routerMultihomed Linux router
Multihomed Linux routerMarian Marinov
 
Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016Netgate
 
Troubleshooting TCP/IP
Troubleshooting TCP/IPTroubleshooting TCP/IP
Troubleshooting TCP/IPvijai s
 

Semelhante a Packet Filtering Using Iptables (20)

Firewalls rules using iptables in linux
Firewalls rules using iptables in linuxFirewalls rules using iptables in linux
Firewalls rules using iptables in linux
 
5 - Networking in Red Hat
5 - Networking in Red Hat5 - Networking in Red Hat
5 - Networking in Red Hat
 
Stupid iptables tricks
Stupid iptables tricksStupid iptables tricks
Stupid iptables tricks
 
Athenticated smaba server config with open vpn
Athenticated smaba server config with open vpnAthenticated smaba server config with open vpn
Athenticated smaba server config with open vpn
 
(NET404) Making Every Packet Count
(NET404) Making Every Packet Count(NET404) Making Every Packet Count
(NET404) Making Every Packet Count
 
25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples
 
Complete squid &amp; firewall configuration. plus easy mac binding
Complete squid &amp; firewall configuration. plus easy mac bindingComplete squid &amp; firewall configuration. plus easy mac binding
Complete squid &amp; firewall configuration. plus easy mac binding
 
AWS re:Invent 2016: Making Every Packet Count (NET404)
AWS re:Invent 2016: Making Every Packet Count (NET404)AWS re:Invent 2016: Making Every Packet Count (NET404)
AWS re:Invent 2016: Making Every Packet Count (NET404)
 
How to shutdown and power up of the netapp cluster mode storage system
How to shutdown and power up of the netapp cluster mode storage systemHow to shutdown and power up of the netapp cluster mode storage system
How to shutdown and power up of the netapp cluster mode storage system
 
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdfNote I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
 
How to shut down Netapp san 9.2 cluster mode version1
How to shut down Netapp san 9.2 cluster mode version1How to shut down Netapp san 9.2 cluster mode version1
How to shut down Netapp san 9.2 cluster mode version1
 
How to shutdown the Netapp SAN 8.3 and 9.2 version
How to shutdown the Netapp SAN 8.3 and 9.2 versionHow to shutdown the Netapp SAN 8.3 and 9.2 version
How to shutdown the Netapp SAN 8.3 and 9.2 version
 
Firewall
FirewallFirewall
Firewall
 
How To Install and Configure SNMP on RHEL 7 or CentOS 7
How To Install and Configure SNMP on RHEL 7 or CentOS 7How To Install and Configure SNMP on RHEL 7 or CentOS 7
How To Install and Configure SNMP on RHEL 7 or CentOS 7
 
Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)
Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)
Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)
 
Things you should know for network programming
Things you should know for network programmingThings you should know for network programming
Things you should know for network programming
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
 
Multihomed Linux router
Multihomed Linux routerMultihomed Linux router
Multihomed Linux router
 
Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016
 
Troubleshooting TCP/IP
Troubleshooting TCP/IPTroubleshooting TCP/IP
Troubleshooting TCP/IP
 

Mais de Ahmed Mekkawy

Encrypted Traffic in Egypt - an attempt to understand
Encrypted Traffic in Egypt - an attempt to understandEncrypted Traffic in Egypt - an attempt to understand
Encrypted Traffic in Egypt - an attempt to understandAhmed Mekkawy
 
Securing Governmental Public Services with Free/Open Source Tools - Egyptian ...
Securing Governmental Public Services with Free/Open Source Tools - Egyptian ...Securing Governmental Public Services with Free/Open Source Tools - Egyptian ...
Securing Governmental Public Services with Free/Open Source Tools - Egyptian ...Ahmed Mekkawy
 
OpenData for governments
OpenData for governmentsOpenData for governments
OpenData for governmentsAhmed Mekkawy
 
Infrastructure as a Code
Infrastructure as a Code Infrastructure as a Code
Infrastructure as a Code Ahmed Mekkawy
 
شركة سبيرولا للأنظمة والجمعية المصرية للمصادر المفتوحة
شركة سبيرولا للأنظمة والجمعية المصرية للمصادر المفتوحةشركة سبيرولا للأنظمة والجمعية المصرية للمصادر المفتوحة
شركة سبيرولا للأنظمة والجمعية المصرية للمصادر المفتوحةAhmed Mekkawy
 
Everything is a Game
Everything is a GameEverything is a Game
Everything is a GameAhmed Mekkawy
 
Why Cloud Computing has to go the FOSS way
Why Cloud Computing has to go the FOSS wayWhy Cloud Computing has to go the FOSS way
Why Cloud Computing has to go the FOSS wayAhmed Mekkawy
 
FOSS Enterpreneurship
FOSS EnterpreneurshipFOSS Enterpreneurship
FOSS EnterpreneurshipAhmed Mekkawy
 
Intro to FOSS & using it in development
Intro to FOSS & using it in developmentIntro to FOSS & using it in development
Intro to FOSS & using it in developmentAhmed Mekkawy
 
FOSS, history and philosophy
FOSS, history and philosophyFOSS, history and philosophy
FOSS, history and philosophyAhmed Mekkawy
 
Virtualization Techniques & Cloud Compting
Virtualization Techniques & Cloud ComptingVirtualization Techniques & Cloud Compting
Virtualization Techniques & Cloud ComptingAhmed Mekkawy
 
A look at computer security
A look at computer securityA look at computer security
A look at computer securityAhmed Mekkawy
 
Networking in Gnu/Linux
Networking in Gnu/LinuxNetworking in Gnu/Linux
Networking in Gnu/LinuxAhmed Mekkawy
 
Foss Movement In Egypt
Foss Movement In EgyptFoss Movement In Egypt
Foss Movement In EgyptAhmed Mekkawy
 

Mais de Ahmed Mekkawy (20)

Encrypted Traffic in Egypt - an attempt to understand
Encrypted Traffic in Egypt - an attempt to understandEncrypted Traffic in Egypt - an attempt to understand
Encrypted Traffic in Egypt - an attempt to understand
 
Securing Governmental Public Services with Free/Open Source Tools - Egyptian ...
Securing Governmental Public Services with Free/Open Source Tools - Egyptian ...Securing Governmental Public Services with Free/Open Source Tools - Egyptian ...
Securing Governmental Public Services with Free/Open Source Tools - Egyptian ...
 
OpenData for governments
OpenData for governmentsOpenData for governments
OpenData for governments
 
Infrastructure as a Code
Infrastructure as a Code Infrastructure as a Code
Infrastructure as a Code
 
شركة سبيرولا للأنظمة والجمعية المصرية للمصادر المفتوحة
شركة سبيرولا للأنظمة والجمعية المصرية للمصادر المفتوحةشركة سبيرولا للأنظمة والجمعية المصرية للمصادر المفتوحة
شركة سبيرولا للأنظمة والجمعية المصرية للمصادر المفتوحة
 
Everything is a Game
Everything is a GameEverything is a Game
Everything is a Game
 
Why Cloud Computing has to go the FOSS way
Why Cloud Computing has to go the FOSS wayWhy Cloud Computing has to go the FOSS way
Why Cloud Computing has to go the FOSS way
 
FOSS Enterpreneurship
FOSS EnterpreneurshipFOSS Enterpreneurship
FOSS Enterpreneurship
 
Intro to FOSS & using it in development
Intro to FOSS & using it in developmentIntro to FOSS & using it in development
Intro to FOSS & using it in development
 
FOSS, history and philosophy
FOSS, history and philosophyFOSS, history and philosophy
FOSS, history and philosophy
 
Virtualization Techniques & Cloud Compting
Virtualization Techniques & Cloud ComptingVirtualization Techniques & Cloud Compting
Virtualization Techniques & Cloud Compting
 
A look at computer security
A look at computer securityA look at computer security
A look at computer security
 
Networking in Gnu/Linux
Networking in Gnu/LinuxNetworking in Gnu/Linux
Networking in Gnu/Linux
 
Foss Movement In Egypt
Foss Movement In EgyptFoss Movement In Egypt
Foss Movement In Egypt
 
Sysprog17
Sysprog17Sysprog17
Sysprog17
 
Sysprog 15
Sysprog 15Sysprog 15
Sysprog 15
 
Sysprog 9
Sysprog 9Sysprog 9
Sysprog 9
 
Sysprog 12
Sysprog 12Sysprog 12
Sysprog 12
 
Sysprog 14
Sysprog 14Sysprog 14
Sysprog 14
 
Sysprog 11
Sysprog 11Sysprog 11
Sysprog 11
 

Último

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Último (20)

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Packet Filtering Using Iptables

  • 1. Packet Filtering using iptables Ahmed Mekkawy AKA linuxawy
  • 2. What is iptables/netfilter? • The native firewall in GNU/Linux is iptables/netfilter. • Netfilter is a kernel patch (now it's basic in all modern kernels, unless you compiled your own without it) • Iptables is just a configuration tool for netfilter. • You can uninstall iptables, but not netfilter. • Netfilter cannot be stopped. Anyway you can remove all rules so it doesn't do anything. • Iptables rules are volatile, you have to put them in a startup script to start with booting.
  • 3. What are the tables/ chains? Tables => Chains => Rules We have 3 tables: • Filter table • Nat table • Mangle table We will focus on the filter table today, in filter table we have 3 main chains, which are: • INPUT chain • FORWARD chain • OUTPUT chain
  • 5. Iptables syntax How to add a rule: • iptables -t table -A/I chain condition -j target iptables -A INPUT -p tcp –-dport 80 -j ACCEPT How to list rules: • iptables -t (table) -L (-n) (--line-number) How to delete a rule: • iptables -t (table) -D (chain) (condition) (action) • iptables -t (table) -D (chain) (rule number)
  • 6. conditions -p tcp,udp,icmp,all • -s source_ip • -d destination_ip • --sport source_port • --dport destination_port • -i input_interface • -o output_interface • -m state --state NEW,ESTABLISHED,RELATED • ... etc • -p tcp -s IP –-sport 80 –-d IP -m state –-state NEW
  • 7. Targets • ACCEPT: let it pass • DROP: ignore it, and don't send any responce. • REJECT: drop the packet, and reply with error message (e.g port not used, host unreachable, .. etc) – to be used if you want the attacker not to know that you are using a firewall. • COSTOM_CHAIN: to direct the packet to a custom chain. • SNAT, DNAT, .... : not used in filter table, to be used in the nat and mangle table, explained in other sessions isA.
  • 8. 3-way connection The 3-way connection is the most commonly used connection. That happens in 3 steps: • Step 1: client initiates the connection to the server. The connection type is now NEW. • Step 2: server replies with acknowledgment, the connection is now in the ESTABLISHED state. • Step 3: the client acknowledges the server, and starts to send its data in an ESTABLISHED connection. After that, the connection continues in both ways normally.
  • 9. iptables initialization • First, we flush all chains, delete custom chains, zero all counters: iptables -F iptables -X iptables -Z • Turn off IP forwarding: echo 0 > /proc/sys/net/ipv4/ip_forward • Enable dynamic IP support. 1: enable, 2: verbose, 0: disable echo quot;1quot; > /proc/sys/net/ipv4/ip_dynaddr • To use RELATED in ftp rules, add ip_conntrack_ftp: modprobe ip_conntrack_ftp
  • 10. Set policies, enable loopback • Set default policy to DROP: iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP • Enable all connections on the loopback interface: iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -i lo -j ACCEPT
  • 11. Enable pings • Enable incoming/outgoing pings: • Incoming: iptables -A INPUT -p icmp –-icmp-type echo- request -j ACCEPT iptables -A OUTPUT -p icmp -–icmp-type echo- reply -j ACCEPT • Outgoing: iptables -A OUTPUT -p icmp -–icmp-type echo- request -j ACCEPT iptables -A INPUT -p icmp –-icmp-type echo-reply - j ACCEPT
  • 12. Add your rules Example: web server sport dport ============> CLIENT SERVER <============ dport sport iptables (-t filter) -A INPUT -p tcp –-dport 80 -m state –-state NEW,ESTABLISHED -j ACCEPT iptables (-t filter) -A OUTPUT -p tcp –-sport 80 -m state –-state ESTABLISHED -j ACCEPT
  • 13. Special connections: ftp • You must enable kernel module ip_conntrack_ftp • FTP has 3 types of connections: Control Port: Port 21, normal 3 way connection initiated by client. • Active connection: Port 20, normal 3 way connection RELATED to the previous connection, initiated by client Passive connection: 3 way connection RELATED to the control connection, initiated by the server from a random port on the server to a random port at the client
  • 14. ftp - continued •# Control Port: •iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT •iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT •# Active mode: •iptables -A OUTPUT -p tcp --dport 20 --sport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT •iptables -A INPUT -p tcp --sport 20 --dport 1024: -m state --state ESTABLISHED -j ACCEPT •# Passive mode: •iptables -A OUTPUT -p tcp --dport 1024: --sport 1024: -m state --state ESTABLISHED -j ACCEPT •iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
  • 15. Thank you Questions?? ahmed.mekkawy@espace.com.eg