[LINUX] Iptables learned from documentation

I've been frustrated by trying to understand iptables several times before. I don't always understand the words.

- What is a table?
- What is a chain?
- What is a target?

There are many explanations on the internet, but they did not help me. So this time I would like to seriously read and understand the iptables documentation.

2019.12.25 Addendum: While gathering information to understand iptables, I found a Japanese translation of an excellent reference. I recommend referring to it for accurate knowledge: Iptables Tutorial (Japanese translation). For an overview of tables and chains, look at Chapter 6, I think.

Outline

  1. First, read the DESCRIPTION, TARGETS and TABLES sections of the iptables manual to learn and organize the basic knowledge.
  2. After that, read @suin's "Exposing the strongest iptables in my history".

$ man iptables

The following is an excerpt from the iptables 1.6.1 manual.

DESCRIPTION

Reading DESCRIPTION tells you the following:

- What iptables does
- The concept of tables, chains and targets

Iptables and ip6tables are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

- The Linux kernel has tables of IPv4 and IPv6 packet filter rules.
- iptables is used to set up, maintain and inspect them.
- Several different tables may be defined.
- Each table contains built-in chains and, if any, user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.

- Each chain is a list of rules that match a set of packets.
- Each rule specifies what to do with a matched packet.
- This "what to do" is called the target. (Sometimes it is a jump to a user-defined chain in the same table.)

Summary

  1. **Table**: a packet filter table that exists in the Linux kernel. There are multiple tables, and each table contains chains.
  2. **Chain**: a list of rules that match packets.
  3. **Target**: what to do with a matched packet.

TARGETS

You can find out the following by reading TARGETS.

- What happens when a packet does not match a rule, and what happens when it does
- The targets ACCEPT, DROP and RETURN

A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain, one of the targets described in iptables-extensions(8), or one of the special values ACCEPT, DROP or RETURN.

- If a packet does not match, the next rule is tried.
- If a packet matches, the next rule is specified by the value of the target.
- A target value is either a user-defined chain or one of the special values ACCEPT, DROP, RETURN.

ACCEPT means to let the packet through. DROP means to drop the packet on the floor. RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

- ACCEPT lets the packet through.
- DROP drops the packet on the floor, that is, discards it.
- RETURN stops traversing the current chain and resumes at the next rule in the calling chain.
- If the end of a built-in chain is reached, or a RETURN is matched in a built-in chain, the fate of the packet is decided by that chain's policy.

Summary

- Targets include ACCEPT, DROP and RETURN.
- If no rule in a built-in chain matches, packet handling is decided by the policy.

TABLES

You can see the following by reading TABLES.

- What the multiple tables are
- Which built-in chains exist in the filter table

There are currently five independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present). The tables are as follows

- There are currently five independent tables; which ones are present depends on the kernel configuration.
- They are filter, nat, mangle, raw and security.

Here, only the filter table and nat table are translated.

filter: This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

- The filter table is the default table when the -t option is not given.
- This table has the following built-in chains:
  - INPUT (for packets destined for local sockets)
  - FORWARD (for packets being routed through the box)
  - OUTPUT (for locally generated packets)

nat: This table is consulted when a packet that creates a new connection is encountered. It consists of four built-ins: PREROUTING (for altering packets as soon as they come in), INPUT (for altering packets destined for local sockets), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.

- The nat table is consulted when a packet that creates a new connection is encountered.
- This table has the following four built-in chains:
  - PREROUTING (for altering packets as soon as they come in)
  - INPUT (for altering packets destined for local sockets)
  - OUTPUT (for altering locally generated packets before routing)
  - POSTROUTING (for altering packets as they are about to go out)

Illustrated filter table

Let's make a diagram of the understanding so far.

(Figure: "Screenshot from 2019-12-24 11-16-04.png", a diagram of the filter table, its three built-in chains and a user-defined chain.)

- There is a filter table, which contains three built-in chains and a user-defined chain.
- Packets destined for local sockets are checked against the rules of the INPUT chain, packets routed through the box against the FORWARD chain, and locally generated packets against the OUTPUT chain.
- Each chain has rules; when a rule matches, the packet is ACCEPTed, DROPped, RETURNed, or jumps to a user-defined chain.
- If nothing matches, the chain policy decides whether to ACCEPT or DROP.

Read "Exposing the strongest iptables in my history"

I will read an excerpt with the knowledge I have gained so far.

Policy decision

iptables -P INPUT DROP # DROP everything. It is good to close all the holes first and then open the necessary ports.
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

-P, --policy chain target

This sets a policy on each built-in chain. The policy decides the final treatment of a packet that matches none of the rules in the chain's rule list.

In other words, a packet that traverses the INPUT or FORWARD chain (the rule list it contains) and matches none of the rules is DROPped.

First, set this policy, and then decide which packets to allow by adding a rule with an ACCEPT target. I think this is the reason why it is called a whitelist.

Trusted hosts allowed

# lo is the local loopback interface and points to the host itself
iptables -A INPUT -i lo -j ACCEPT # SELF -> SELF

-A, --append chain rule-specification
-i, --in-interface name
-j, --jump target

This appends a rule to the INPUT chain. It matches packets arriving on lo and ACCEPTs them.

Attack Countermeasures: Stealth Scan

iptables -N STEALTH_SCAN # Create a chain named "STEALTH_SCAN"
iptables -A STEALTH_SCAN -j LOG --log-prefix "stealth_scan_attack: "
iptables -A STEALTH_SCAN -j DROP

-N, --new-chain chain

A user-defined chain called STEALTH_SCAN is created, and the rules for jumping to LOG and DROP are appended to that chain.

The LOG target does not end rule traversal; processing continues with the following rule:

This is a "non-terminating target", i.e. rule traversal continues at the next rule.

The settings above register a rule that writes a log entry and a rule that discards the packet in the STEALTH_SCAN chain. A packet that jumps into this chain is first logged and then dropped.

And the settings for jumping to this chain are as follows.

# Packets that look like stealth scans jump to the "STEALTH_SCAN" chain
iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j STEALTH_SCAN
... # the rest is omitted

A rule has been appended to INPUT that matches packets that look like stealth scans and jumps to the STEALTH_SCAN chain.

It seemed strange at first that ACCEPT and the like are given with -j, which means "jump", but once I treated ACCEPT, DROP and RETURN as special chains, the strangeness disappeared.
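To tie the TARGETS section (ACCEPT, DROP, RETURN, the chain policy, and LOG being non-terminating) to the STEALTH_SCAN rules above, here is a small model of how iptables walks a chain. This is an added example written for this post; it is not the kernel's code nor code from "Exposing the strongest iptables in my history", and the packet dictionary keys (in, flags, state) and the class and function names are my own assumptions.

```python
from typing import Callable, Optional

Rule = tuple[Callable[[dict], bool], str]   # (match predicate on a constructed packet dict, target)


class FilterTable:   # one table: built-in chains with policies plus user-defined chains
    def __init__(self) -> None:
        self.chains: dict[str, list[Rule]] = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = {c: "ACCEPT" for c in self.chains}   # iptables' default policy
        self.log: list[str] = []                            # what the LOG target would emit

    def new_chain(self, name: str) -> None:                 # iptables -N name
        self.chains[name] = []
    def set_policy(self, chain: str, target: str) -> None:  # iptables -P chain target
        self.policy[chain] = target
    def append(self, chain: str, match, target: str) -> None:   # iptables -A chain ... -j target
        self.chains[chain].append((match, target))

    def _walk(self, chain: str, pkt: dict) -> Optional[str]:
        """ACCEPT/DROP when a terminating target fires; None at chain end or on RETURN."""
        for match, target in self.chains[chain]:
            if not match(pkt):
                continue                        # no match: examine the next rule
            if target == "RETURN":
                return None                     # stop here, resume in the calling chain
            if target in ("ACCEPT", "DROP"):
                return target
            if target == "LOG":                 # non-terminating: traversal continues
                self.log.append(f"{chain}: {pkt}")
                continue
            verdict = self._walk(target, pkt)   # any other name is a user-defined chain
            if verdict is not None:
                return verdict
        return None

    def verdict(self, builtin: str, pkt: dict) -> str:
        return self._walk(builtin, pkt) or self.policy[builtin]   # chain end/RETURN -> policy


def build_article_ruleset() -> FilterTable:
    """The INPUT rules quoted in this post, expressed against the model."""
    t = FilterTable()
    t.set_policy("INPUT", "DROP")                               # iptables -P INPUT DROP
    t.set_policy("FORWARD", "DROP")                             # iptables -P FORWARD DROP
    t.append("INPUT", lambda p: p.get("in") == "lo", "ACCEPT")  # -A INPUT -i lo -j ACCEPT
    t.new_chain("STEALTH_SCAN")                                 # -N STEALTH_SCAN
    t.append("STEALTH_SCAN", lambda p: True, "LOG")             # -A STEALTH_SCAN -j LOG
    t.append("STEALTH_SCAN", lambda p: True, "DROP")            # -A STEALTH_SCAN -j DROP
    t.append("INPUT", lambda p: p.get("flags") == {"SYN", "ACK"} and p.get("state") == "NEW",
             "STEALTH_SCAN")   # -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j STEALTH_SCAN
    return t
```

Feeding a loopback packet, a SYN,ACK NEW packet and a plain SYN packet through `build_article_ruleset().verdict("INPUT", ...)` shows the three outcomes: ACCEPT by rule, DROP via the user chain (with one log entry), and DROP by policy.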

Summary

With this much you can follow the outline. If you also learn the options for matching packets, you can understand "Exposing the strongest iptables in my history" for the time being.

However, "Exposing the strongest iptables in my history" only registers rules in the INPUT chain, so I still don't understand FORWARD and OUTPUT. Next time I would like to dig a little deeper here. (I later wrote the following.)

- Try and learn iptables, until you can browse the web
- Try and learn iptables, port forwarding


I hope this article has helped you understand. Thank you for the "Likes"!
