iptables
========
Esta página es mitad teoría mitad práctica. Ver también
:doc:`../teoria/seguridad`.
Es posible cargar extensiones o módulos con más reglas, objetivos, etc.
Se pueden hacer filtros *stateful*, esto significa que se analiza a cada paquete
teniendo en cuenta su relación con paquetes anteriores (por ejemplo para
conexiones TCP). No vemos filtros *stateful*, usamos todo *stateless*.
- Reglas: Son líneas que especifican tipos de paquetes, llevan asociadas un
objetivo (*target*) a utilizar en el caso en el que un paquete coincida.
- Objetivos: Es lo que quiero hacer con los paquetes que coinciden con una
regla: aceptar, rechazar, etc.
- Cadenas: Es una de reglas a corroborar secuencialmente cada vez que llega un
paquete. Ya vienen las cadenas INPUT, OUTPUT, FORWARD, etc. que contienen
reglas a utilizar ante paquetes entrantes, salientes, redireccionados, etc.
- Tablas: Es un conjunto de cadenas, cada tabla se usa para cosas distintas,
la tabla por defecto es `filter`, cada una extá explicada abajo.
En esta imagen se ve por qué cadenas y tablas pasa cada paquete:
.. image:: iptables.jpg
Tablas que hay:
- **filter**: This is the default table (if no -t option is passed). It contains
the built-in chains INPUT (for packets destined to local sockets), FORWARD
(for packets being routed through the box), and OUTPUT (for locally-generated
packets).
- **nat**: This table is consulted when a packet that creates a new connection
is encountered. It consists of four built-ins: PREROUTING (for altering
packets as soon as they come in), INPUT (for altering packets destined for
local sockets), OUTPUT (for altering locally-generated packets before
routing), and POSTROUTING (for altering packets as they are about to go out).
IPv6 NAT support is available since kernel 3.7.
- **mangle**: This table is used for specialized packet alteration. Until kernel
2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets
before routing) and OUT‐ PUT (for altering locally-generated packets before
routing). Since kernel 2.4.18, three other built-in chains are also
supported: INPUT (for packets coming into the box itself), FORWARD (for
altering packets being routed through the box), and POSTROUTING (for altering
packets as they are about to go out).
- **raw**: This table is used mainly for configuring exemptions from connection
tracking in combination with the NOTRACK target. It registers at the
netfilter hooks with higher priority and is thus called before ip_conntrack,
or any other IP tables. It provides the following built-in chains: PREROUTING
(for packets arriving via any network interface) OUTPUT (for packets
generated by local processes)
- **security**: This table is used for Mandatory Access Control (MAC) networking
rules, such as those enabled by the SECMARK and CONNSECMARK targets.
Mandatory Access Control is implemented by Linux Security Modules such as
SELinux. The security table is called after the filter table, allowing any
Discretionary Access Control (DAC) rules in the filter table to take
effect before MAC rules. This table provides the following built-in chains:
INPUT (for packets coming into the box itself), OUTPUT (for altering
locally-generated packets before routing), and FORWARD (for altering packets
being routed through the box).
Para ver alguna tabla::
iptables [-t table] -L
El uso simplificado del comando `iptables` es::
iptables [-t table] {-A|-C|-D} chain rule-specification
En ese comando, `{-A|-C|-D}` son ejemplos de opciones a dar,
`rule-specification` vendría a ser un conjunto de parámetros que especifican la
regla en sí. Al final se usa `-j` y el objetivo (target) para especificar la
acción a realizar. Por ejemplo::
iptables -t filter -A INPUT -i eth0 -s 10.0.0.20 -j DROP
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -t filter -F FORWARD
iptables -t filter -F INPUT
iptables -t filter -A FORWARD -s 10.0.0.2/32 -d 10.1.0.2/32 -p icmp -j ACCEPT
iptables -t filter -A FORWARD -s 10.1.0.0/16 -p tcp --destination-port 80 -j DROP
iptables -t filter -A FORWARD -o emp2s0 -p tcp --destination-port 80 -j DROP
iptables -t filter -A FORWARD -s 10.0.0.2/32 -p icmp -j DROP
iptables -t filter -A INPUT -s 10.0.0.2/32 -p icmp -j REJECT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Al buscar ayuda usar ``man iptables`` y ``man iptables-extensions``. Sino se
puede usar por ejemplo ``iptables -p tcp --help``.
Opciones
--------
Especifican si la regla dada se debe agregar, borrar, reemplazar, etc.::
-A, --append chain rule-specification
Append one or more rules to the end of the selected chain. When the
source and/or destination names resolve to more than one address, a rule
will be added for each possible address combination.
-C, --check chain rule-specification
Check whether a rule matching the specification does exist in the
selected chain. This command uses the same logic as -D to find a
matching entry, but does not alter the existing iptables configura‐
tion and uses its exit code to indicate success or failure.
-D, --delete chain rule-specification
-D, --delete chain rulenum
Delete one or more rules from the selected chain. There are two
versions of this command: the rule can be specified as a number in the
chain (starting at 1 for the first rule) or a rule to match.
-I, --insert chain [rulenum] rule-specification
Insert one or more rules in the selected chain as the given rule
number. So, if the rule number is 1, the rule or rules are inserted at
the head of the chain. This is also the default if no rule number
is specified.
-R, --replace chain rulenum rule-specification
Replace a rule in the selected chain. If the source and/or
destination names resolve to multiple addresses, the command will fail.
Rules are numbered starting at 1.
-L, --list [chain]
List all rules in the selected chain. If no chain is selected, all
chains are listed. Like every other iptables command, it applies to
the specified table (filter is the default), so NAT rules get listed by
iptables -t nat -n -L Please note that it is often used with the -n
option, in order to avoid long reverse DNS lookups. It is legal
to specify the -Z (zero) option as well, in which case the chain(s)
will be atomically listed and zeroed. The exact output is affected by
the other arguments given. The exact rules are suppressed until you
use iptables -L -v or iptables-save(8).
-S, --list-rules [chain]
Print all rules in the selected chain. If no chain is selected, all
chains are printed like ipta‐ bles-save. Like every other iptables
command, it applies to the specified table (filter is the
default).
-F, --flush [chain]
Flush the selected chain (all the chains in the table if none is
given). This is equivalent to deleting all the rules one by one.
-Z, --zero [chain [rulenum]]
Zero the packet and byte counters in all chains, or only the given
chain, or only the given rule in a chain. It is legal to specify
the -L, --list (list) option as well, to see the counters immedi‐ ately
before they are cleared. (See above.)
-N, --new-chain chain
Create a new user-defined chain by the given name. There must be no
target of that name already.
-X, --delete-chain [chain]
Delete the optional user-defined chain specified. There must be no
references to the chain. If there are, you must delete or
replace the referring rules before the chain can be deleted. The chain
must be empty, i.e. not contain any rules. If no argument is given, it
will attempt to delete every non-builtin chain in the table.
-P, --policy chain target
Set the policy for the built-in (non-user-defined) chain to the
given target. The policy target must be either ACCEPT or DROP.
-E, --rename-chain old-chain new-chain
Rename the user specified chain to the user supplied name. This is
cosmetic, and has no effect on the structure of the table.
-h Help. Give a (currently very brief) description of the command syntax.
Parámetros
----------
Especifican a la regla. Estas son algunos parámetros disponibles, ver ``man
iptables-extensions``::
-4, --ipv4
This option has no effect in iptables and iptables-restore. If a
rule using the -4 option is inserted with (and only with)
ip6tables-restore, it will be silently ignored. Any other uses will
throw an error. This option allows IPv4 and IPv6 rules in a single rule
file for use with both ipta‐ bles-restore and ip6tables-restore.
-6, --ipv6
If a rule using the -6 option is inserted with (and only with)
iptables-restore, it will be silently ignored. Any other uses will
throw an error. This option allows IPv4 and IPv6 rules in a single rule
file for use with both iptables-restore and ip6tables-restore.
This option has no effect in ip6tables and ip6tables-restore.
[!] -p, --protocol protocol
The protocol of the rule or of the packet to check. The specified
protocol can be one of tcp, udp, udplite, icmp, icmpv6,esp, ah, sctp,
mh or the special keyword "all", or it can be a numeric value,
representing one of these protocols or a different one. A protocol
name from /etc/protocols is also allowed. A "!" argument before
the protocol inverts the test. The number zero is equivalent to all.
"all" will match with all protocols and is taken as default when this
option is omitted. Note that, in ip6tables, IPv6 extension headers
except esp are not allowed. esp and ipv6-nonext can be used with
Kernel version 2.6.11 or later. The number zero is equivalent to all,
which means that you cannot test the protocol field for the value
0 directly. To match on a HBH header, even if it were the last, you
cannot use -p 0, but always need -m hbh.
[!] -s, --source address[/mask][,...]
Source specification. Address can be either a network name, a hostname,
a network IP address (with /mask), or a plain IP address. Hostnames
will be resolved once only, before the rule is submitted to the kernel.
Please note that specifying any name to be resolved with a remote query
such as DNS is a really bad idea. The mask can be either an ipv4
network mask (for iptables) or a plain number, specifying the number of
1's at the left side of the network mask. Thus, an iptables mask of 24
is equivalent to 255.255.255.0. A "!" argument before the address
specification inverts the sense of the address. The flag --src is an
alias for this option. Multiple addresses can be specified, but this
will expand to multiple rules (when adding with -A), or will cause
multiple rules to be deleted (with -D).
[!] -d, --destination address[/mask][,...]
Destination specification. See the description of the -s (source) flag
for a detailed description of the syntax. The flag --dst is an alias
for this option.
-m, --match match
Specifies a match to use, that is, an extension module that tests for
a specific property. The set of matches make up the condition under
which a target is invoked. Matches are evaluated first to last as
specified on the command line and work in short-circuit fashion,
i.e. if one extension yields false, evaluation will stop.
-j, --jump target
This specifies the target of the rule; i.e., what to do if the packet
matches it. The target can be a user-defined chain (other than the
one this rule is in), one of the special builtin targets which decide
the fate of the packet immediately, or an extension (see EXTENSIONS
below). If this option is omitted in a rule (and -g is not
used), then matching the rule will have no effect on the packet's fate,
but the counters on the rule will be incremented.
-g, --goto chain
This specifies that the processing should continue in a user specified
chain. Unlike the --jump option return will not continue processing
in this chain but instead in the chain that called us via --jump.
[!] -i, --in-interface name
Name of an interface via which a packet was received (only for packets
entering the INPUT, FORWARD and PREROUTING chains). When the
"!" argument is used before the interface name, the sense is inverted.
If the interface name ends in a "+", then any interface which begins
with this name will match. If this option is omitted, any interface
name will match.
[!] -o, --out-interface name
Name of an interface via which a packet is going to be sent (for
packets entering the FORWARD, OUT‐ PUT and POSTROUTING chains). When
the "!" argument is used before the interface name, the sense is
inverted. If the interface name ends in a "+", then any interface
which begins with this name will match. If this option is omitted, any
interface name will match.
[!] -f, --fragment
This means that the rule only refers to second and further IPv4
fragments of fragmented packets. Since there is no way to tell the
source or destination ports of such a packet (or ICMP type), such a
packet will not match any rules which specify them. When the "!"
argument precedes the "-f" flag, the rule will only match head
fragments, or unfragmented packets. This option is IPv4 specific, it is
not available in ip6tables.
-c, --set-counters packets bytes
This enables the administrator to initialize the packet and byte
counters of a rule (during INSERT, APPEND, REPLACE operations).
Objetivos
---------
Cada cadena tiene su propia política por defecto, que se puede ver al mostrar
las tablas. Para cambiarla se usa::
iptables [-t table] --policy chain target
La política por defecto es la que se utiliza si el paquete no coincide con
ninguna regla.
Estos son algunos de los objetivos posibles, ver ``man iptables-extensions``:
- ACCEPT: Deja pasar el paquete.
- DROP: Descarta el paquete.
- REJECT: Descarta el paquete y responde con un ICMP (*unreachable port* por
defecto, pero se puede cambiar).
- SNAT: Significa Source NAT. This target is only valid in the nat table, in the
POSTROUTING and INPUT chains, and user-defined chains which are only called
from those chains. It specifies that the source address of the packet should
be modified (and all future packets in this connection will also be mangled),
and rules should cease being examined. Generalmente se usa con la opción
- ``--to-source [ipaddr[-ipaddr]][:port[-port]]``: Which can specify a single
new source IP address, an inclusive range of IP addresses. Optionally a
port range, if the rule also specifies one of the following protocols: tcp,
udp, dccp or sctp. If no port range is specified, then source ports below 512
will be mapped to other ports below 512: those between 512 and 1023 inclusive
will be mapped to ports below 1024, and other ports will be mapped to 1024 or
above. Where possible, no port alteration will occur.
Ejemplo::
iptables -t nat -A POSTROUTING -o {interfaz WAN} -j SNAT --to {IP salida}
- MASQUERADE: This target is only valid in the nat table, in the POSTROUTING
chain. It should only be used with dynamically assigned IP (dialup)
connections: if you have a static IP address, you should use the SNAT target.
Masquerading is equivalent to specifying a mapping to the IP address of the
interface the packet is going out, but also has the effect that connections
are forgotten when the interface goes down. This is the correct behavior when
the next dialup is unlikely to have the same interface address (and hence any
established connections are lost anyway). La única opción interesante que
tiene es:
- ``--to-ports port[-port]``: This specifies a range of source ports to use,
overriding the default SNAT source port-selection heuristics (see above). This
is only valid if the rule also specifies one of the following protocols: tcp,
udp, dccp or sctp.
Ejemplo::
iptables -t nat -A POSTROUTING -o {interfaz WAN} -j MASQUERADE
- DNAT: Significa Destination NAT. This target is only valid in the nat table,
in the PREROUTING and OUTPUT chains, and user-defined chains which are only
called from those chains. It specifies that the destination address of the
packet should be modified (and all future packets in this connection will also
be mangled), and rules should cease being examined. Generalmente se usa con la
opción::
--to-destination [ipaddr[-ipaddr]][:port[-port]]
Which can specify a single new destination IP address, an inclusive range of
IP addresses. Optionally a port range, if the rule also specifies one of the
following protocols: tcp, udp, dccp or sctp. If no port range is specified,
then the destination port will never be modified. If no IP address is specified
then only the destination port will be modified.
- LOG: Turn on kernel logging of matching packets. When this option is set for
a rule, the Linux kernel will print some information on all matching packets
(like most IP/IPv6 header fields) via the kernel log (where it can be read
with dmesg or read in the syslog). This is a "non-terminating target", i.e.
rule traversal continues at the next rule. So if you want to LOG the packets
you refuse, use two separate rules with the same matching criteria, first
using target LOG then DROP (or REJECT).
- ``--log-level level``: Level of logging, which can be (system-specific)
numeric or a mnemonic. Possible values are (in decreasing order of priority):
emerg, alert, crit, error, warning, notice, info or debug.
- ``--log-prefix prefix``: Prefix log messages with the specified prefix; up
to 29 letters long, and useful for distinguishing messages in the logs.
- ``--log-tcp-sequence``: Log TCP sequence numbers. This is a security risk
if the log is readable by users.
- ``--log-tcp-options``: Log options from the TCP packet header.
- ``--log-ip-options``: Log options from the IP/IPv6 packet header.
- ``--log-uid``: Log the userid of the process which generated the packet.
Referencias
-----------
https://www.net.t-labs.tu-berlin.de/teaching/ss08/RL_labcourse/docs/08-lartc.pdf
https://www.booleanworld.com/depth-guide-iptables-linux-firewall/#How_does_iptables_work