Friday, 12 July 2013
Listing iptables rules
When monitoring traffic, tcpdump is quite useful as it shows the traffic entering or leaving a server interface. However, this is no guarantee that the traffic actually reaches the application: tcpdump sees an incoming packet on the interface before the filter chains have run, so a packet in a capture can still be dropped later.
After the network stack receives a packet it is passed to iptables, which then permits or denies the traffic based on its rule base. There are a few tables to look at:
filter: (think ACLs)
It contains the built-in chains
INPUT (for packets from the network destined to local sockets/applications)
FORWARD (for packets being routed through the box)
OUTPUT (for locally-generated packets being sent out)
nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins:
PREROUTING (for altering packets as soon as they come in)
OUTPUT (for altering locally-generated packets before routing)
POSTROUTING (for altering packets as they are about to go out)
mangle:
This table is used for specialized packet alteration. Until Linux kernel 2.4.17 it had two built-in chains:
PREROUTING (for altering incoming packets before routing)
OUTPUT (for altering locally-generated packets before routing)
Since kernel 2.4.18, three other built-in chains are also supported:
INPUT (for packets coming into the box itself)
FORWARD (for altering packets being routed through the box)
POSTROUTING (for altering packets as they are about to go out)
raw:
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains:
PREROUTING (for packets arriving via any network interface)
OUTPUT (for packets generated by local processes)
You can easily look at the contents of a table using the command "iptables -t xxx -L -n -v", where xxx is the table name; -n skips reverse DNS lookups and -v adds the packet and byte counters, which tell you whether a rule has ever matched anything. For example:
root@hostname:~ # iptables -t filter -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
643 53797 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
162K 56M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
82 5009 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
20 640 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
10 520 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:161
13 1790 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:162
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `INPUT DROP: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `FORWARD DROP: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
165K 56M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `OUTPUT DROP: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
root@hostname:~ # iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 354 packets, 23490 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 17376 packets, 1361K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 17376 packets, 1361K bytes)
pkts bytes target prot opt in out source destination
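The listing is easy enough to read by eye, but the counters already hint at two things a parser can check mechanically: the second tcp dpt:22 rule in INPUT has 0 packets because the first one accepts every such packet before it is reached, and in OUTPUT the unconditional ACCEPT at rule 1 means the LOG and DROP rules after it never run, so that chain is effectively allow-all. The following Python script is an added example and not code from the original post: it parses the "iptables -L -v -n" format (the filter-table listing above is embedded as a constructed sample), reports rules that can never fire, and works out what a packet matching no specific rule ends up with. Function names are my own; the K/M/G counter suffixes are treated as units of 1000, which is how iptables abbreviates them.

```python
import re
import sys
from collections import namedtuple

# Constructed sample: the filter-table listing from the post, as "iptables -L -v -n" prints it.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  643 53797 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
 162K 56M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
   82 5009 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
   20 640 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
   10 520 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:161
   13 1790 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:162
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `INPUT DROP: '
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `FORWARD DROP: '
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 165K 56M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `OUTPUT DROP: '
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""

# Targets that end evaluation of the chain for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}
# Match spec of a rule that matches every packet (any proto, interface, source, destination).
CATCH_ALL = ("all", "*", "*", "0.0.0.0/0", "0.0.0.0/0", "")
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")

# One parsed rule; 'extra' is the free-form match text, e.g. "tcp dpt:22".
Rule = namedtuple("Rule", "pkts target proto in_if out_if src dst extra")
# One chain: its policy (user-defined chains fall back to RETURN) and its rules in order.
Chain = namedtuple("Chain", "name policy rules")


def match_key(rule):
    """Everything that decides whether a packet matches; counters and target excluded."""
    return tuple(rule[2:])


def parse_counter(tok):
    """iptables -v abbreviates counters with K/M/G suffixes in units of 1000."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)


def parse_listing(text):
    """Parse 'iptables -L -v -n' output into {chain name: Chain}, preserving order."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2) or "RETURN", [])
            chains[current.name] = current
            continue
        if line.startswith("pkts"):
            continue  # column header line
        cols = line.split(None, 9)  # nine fixed columns, then the match text verbatim
        if current is None or len(cols) < 9:
            raise ValueError(f"unparseable line: {line!r}")
        current.rules.append(Rule(parse_counter(cols[0]), cols[2], cols[3], cols[5],
                                  cols[6], cols[7], cols[8], cols[9] if len(cols) > 9 else ""))
    return chains


def find_dead_rules(chain):
    """(rule number, rule that shadows it) for rules that can never fire: an identical
    match already hit a terminating target earlier, or an earlier unconditional
    terminating rule stops evaluation for every packet."""
    first, dead = {}, []
    for idx, rule in enumerate(chain.rules, start=1):
        key = match_key(rule)
        if CATCH_ALL in first:
            dead.append((idx, first[CATCH_ALL]))
        elif key in first:
            dead.append((idx, first[key]))
        elif rule.target in TERMINATING:
            first[key] = idx
    return dead


def effective_default(chain):
    """What a packet matching no specific rule gets: the first unconditional terminating
    rule decides, otherwise the chain policy (RETURN in a built-in chain means policy)."""
    for rule in chain.rules:
        if rule.target in TERMINATING and match_key(rule) == CATCH_ALL:
            return chain.policy if rule.target == "RETURN" else rule.target
    return chain.policy


if __name__ == "__main__":
    # Pipe a live listing in ("iptables -L -v -n | python3 audit.py") or run on the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for chain in parse_listing(text).values():
        print(f"{chain.name}: default {effective_default(chain)}, dead rules {find_dead_rules(chain)}")
```

On the sample this reports INPUT and FORWARD as effectively default-deny with rule 9 of INPUT dead (shadowed by rule 1), and OUTPUT as effectively ACCEPT with rules 2 and 3 dead. A zero counter on its own is only a hint, since a rule may simply not have seen traffic yet; the structural check tells you which zeros can never change.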