SlideShare ist ein Scribd-Unternehmen logo

Iptables Configuration

S
stom123

Linux Firewall Iptables complete configuration

BildungTechnologie
1 von 36
Downloaden Sie, um offline zu lesen
CONFIGURATION AND IMPLEMANTATION of IPTABLEs Submitted by- SAMESWAR BEHERA 1 Guided By- ER.NUTAN KUMAR PANDA
Certificate This is to certify that the Project report entitled “Configuration and Implementation of Iptables” submitted by Sameswar Behera, ISEH-FRP, in partial fulfillment of the requirement of the award of Diploma in ISEH under APPIN TECHNOLOGY LAB: Bhubaneswar. Completed his project successfully. Er. Nutan Kumar Panda Mr. Bibhuti Bhusan Prusty Project Guide Center Head Mr. SudhanshuBhusanPrusty Managing Director 2
Acknowledgement I have a great honor to acknowledge MR. Sudhanshu Bhusan Prusty, Managing Director, Appin Technology Labs, Bhubaneswar, Odisha. Who had given me his consent to carry out this project . I feel immense pleasure and privilege in expressing my deep sense of gratitude towards my guide ER. Nutan Kumar Panda, whose valuable guidance and critical analysis of my result has led to successful completion of my project. My special thanks to all my friends for giving me incentive support in this report work. I express my gratitude to my affectionate and friends for encouragement and enthusiastic support throughout this study. SAMESWAR BEHERA 3
TABLE OF CONTENTS What is firewall……………………………………………………………………………………………………………….5 What is iptables………………………………………………………………………………………………………………5 Installing iptables……………………………………………………………………………………………………………5 To start iptables………………………………………………………………………………………………………………6 Determining the status of iptables…………………………………………………………………………………7 Packet processing in iptables………………………………………………………………………………………….8 Processing for packet routed by the firewall………………………………………………………………….9 Iptables packet flow diagram………………………………………………………………………………………..10 Targets and jumps………………………………………………………………………………………………………….11 General iptables match criteria………………………………………………………………………………………12 Common TCP and UDP match criteria……………………………………………………………………………21 Common extended match criteria………………………………………………………………………………….29 Saving iptables scripts…………………………………………………………………………………………………….31 Iptables restoration…………………………………………………………………………………………………………32 Allow your home network to access the internet………………………………………………………….33 Allow your home network to access the firewall……………………………………………………………33 Prevent DoS attack…………………………………………………………………………………………………………33 Static NAT………………………………………………………………………………………………………………………..34 Port forwarding……………………………………………………………………………………………………………….34 Conclusion……………………………………………………………………………………………………………………….35 Reference…………………………………………………………………………………………………………………………36 4
What is a Firewall?  A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer.  A set of related programs that protects the resources of a private network from users from other networks.  A mechanism for filtering network packets based on information contained within the IP header. Firewall Options:  Commercial Firewall Devices (Watchguard, Cisco PIX)  Routers (ACL Lists)  Linux (Iptables)  Software Packages (ZoneAlarm, Black Ice, Tiny Personal Firewall, Norton Personal Firewall, Comodo Firewall) Linux Firewall Programs: Ipfwadm : Linux kernel 2.0.34 Ipchains : Linux kernel 2.2. Iptables : Linux kernel 2.4. & above What Is iptables? It is the modified firewall package available in linux operating system. Before it was known as ipchanes, later it comes with capabilities like natting and routing. Some other improvements are:  Better integration with the Linux kernel, so improved speed and reliability.  Stateful packet inspection.  Filter packets according to TCP header and MAC address.  System logging that provides the option of adjusting the level of detail of the reporting.  Better network address translation.  Support for transparent integration with such Web proxy programs as Squid.  A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks. Installing iptables: In most Linux distros including Redhat / CentOS Linux installs iptables by default. You can use the following procedure to verify that iptables has been installed or not in Redhat. Open terminal and type the following command: [root@localhost ~]#yum info iptables 5
Sample outputs: If the above message does not appear, then type the following command to install iptables: [root@localhost ~]#yum install iptables To Start iptables: You can start, stop, and restart iptables after booting by using the commands: [root@localhost ~]# service iptables start [root@localhost ~]# service iptables stop [root@localhost ~]# service iptables restart To get iptables configured to start at boot, use the chkconfig command: [root@localhost ~]# chkconfig iptables on 6
Determining The Status of iptables: You can determine whether iptables is running or not via the service iptables status command. [root@localhost ~]# service iptables status 7
Packet Processing In iptables: All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain.  There are three tables in total. The first is the mangle table which is responsible for the alteration of quality of service bits in the TCP header. This is hardly used in a home or SOHO environment.  The second table is the filter queue which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. These are the: 1. Forward chain: Filters packets to servers protected by the firewall. 2. Input chain : Filters packets destined for the firewall. 3. Output chain : Filters packets originating from the firewall.  The third table is the nat queue which is responsible for network address translation. It has two built-in chains; these are: 4. Pre-routing chain: NATs packets when the destination address of the packet needs to be changed. 5. Post-routing chain: NATs packets when the source address of the packet needs to be changed. 8
Processing For Packets Routed By The Firewall: Packet Queue Queue Transformation Chain Function Type Function Chain in Queue Filter Packet FORWARD Filters packets to servers accessible by another filtering NIC on the firewall. INPUT Filters packets destined to the firewall. OUTPUT Filters packets originating from the firewall. Address translation occurs before routing. Nat Network PREROUTING Facilitates the transformation of the destination IP Address address to be compatible with the firewall's routing table. Used with NAT of the destination Translation IP address, also known as destination NAT or DNAT. Address translation occurs after routing. This POSTROUTING implies that there was no need to modify the destination IP address of the packet as in pre- routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT. Network address translation for packets generated OUTPUT by the firewall. (Rarely used in SOHO environments) Mangle TCP header PREROUTING Modification of the TCP packet quality of service modification POSTROUTING bits before routing occurs. (Rarely used in SOHO OUTPUT environments) INPUT FORWARD You need to specify the table and the chain for each firewall rule you create. There is an exception: Most rules are related to filtering, so iptables assumes that any chain that's defined without an associated table will be a part of the filter table. The filter table is therefore the default. Queue Take a look at the way packets are handled by iptables. In Figure below a TCP packet from the Internet arrives at the firewall's interface on Network A to create a data connection.  The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. It is then routed.  If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT in the POSTROUTING chain before arriving at Network B. When the destination server decides to reply, the packet undergoes 9
the same sequence of steps. Both the FORWARD and POSTROUTING chains may be configured to implement quality of service (QoS) features in their mangle tables, but this is not usually done in SOHO environments.  If the packet is destined for the firewall itself, then it passes through the mangle table of the INPUT chain, if configured, before being filtered by the rules in the INPUT chain of the filter table before. If it successfully passes these tests then it is processed by the intended application on the firewall.  At some point, the firewall needs to reply. This reply is routed and inspected by the rules in the OUTPUT chain of the mangle table, if any. Next, the rules in the OUTPUT chain of the nat table determine whether DNAT is required and the rules in the OUTPUT chain of the filter table are then inspected to help restrict unauthorized packets. Finally, before the packet is sent back to the Internet, SNAT and QoS mangling is done by the POSTROUTING chain. Type Iptables Packet Flow Diagram: Packet 10
Targets And Jumps: Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet needs to jump over to it for further processing. Target Description Most Common Options Iptables stops further processing and ACCEPT the packet is handed over to the end N/A application. Iptables stops further processing and DROP drop the packet. N/A The packet information is sent to the syslog --log-prefix “string” LOG daemon for logging and iptables continues processing with the next rule in the table. (It tells iptable to fix the log message As you can't log and drop at the with a user defined string.) same time. --log-level 0 to 7 --reject-with qualifier REJECT Works like the DROP target, but will also (The qualifier tells what type of reject return an error message to the host message is returned.) sending the packet that the packet was Qualifiers include: blocked. icmp-port-unreachable (default) icmp-net-unreachable icmp-host-unreachable icmp-proto-unreachable icmp-net-prohibited icmp-host-prohibited tcp-reset echo-reply Used to do destination network address --to-destination ipaddress DNAT translation. ie. rewriting the destination IP address of the packet. (Tells iptables what the destination IP address should be.) Used to do source network address --to-source <ip>[-<ip>][:<port>- SNAT translation. ie. rewriting the source IP <port>] address of the packet. The source IP address is user defined. (Specifies the source IP address and ports to be used by SNAT.) Used to do Source Network Address --to-ports <port>[-<port>] MASQUERADE Translation. By default the source IP address is the (Specifies the range of source ports to same as that used by the firewall's which the original source port can be interface. mapped.) Queue Chain Function 11
Important Iptables Command Switch Operations: Each line of an iptables script not only has a jump, but they also have a number of command line options that are used to append rules to chains that match your defined packet characteristics, such the source IP address and TCP port. There are also options that can be used to just clear a chain so you can start all over again. General Iptables Match Criteria:- Iptables command Switch Description It is to specify which table you will use from filter, nat, mangle. -t <-table-> If you don’t specify a table then the filter table is assumed. Jump to the specified target chain when the packet matches the current -j <target> rule. -A Append rule to end of a chain. -F Flush. Deletes all the rules in the selected table. -p <protocol-type> Match protocol. Types include, icmp, tcp, udp, and all. -s <ip-address> Match source IP address. -d <ip-address> Match destination IP address. -i <interface-name> Match "input" interface on which the packet enters. -o <interface-name> Match "output" interface on which the packet exits. In this command switches example: [root@localhost ~]#iptables -A INPUT -s 0/0 -i eth0 -d 0/0 -p TCP -j ACCEPT iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address . The 0/0 representation of an IP address means any. 12
13
[root@localhost ~]#iptables -A INPUT -s 0/0 -i eth0 -d 0/0 -p TCP -j DROP 14
15
[root@localhost ~]#iptables -A INPUT -s 0/0 -i eth0 -d 0/0 -p icmp -j DROP 16
iptables -A INPUT -s 0/0 -i eth0 -d 0/0 -p icmp –REJECT –reject-with icmp-host-unrechable 17
18
19
Block a Specific ip-address: if you want to block a specific ip-address, you should do that first as shown below. Change the “x.x.x.x” in the following example to the specific ip-address that you like to block. BLOCK_THIS_IP="x.x.x.x" iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP This is helpful when you find some strange activities from a specific ip-address in your log files, and you want to temporarily block that ip-address while you do further research.You can also use one of the following variations, which blocks only TCP traffic on eth0 connection for this ip-address. iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP Allow Internal Network to External network: On the firewall server where one ethernet card is connected to the external, and another ethernet card connected to the internal servers, use the following rules to allow internal network talk to external network. iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT In this example, eth1 is connected to external network (internet), and eth0 is connected to internal network (For example: 192.168.1.x). 20
Common TCP and UDP Match Criteria:- Switch Description -p tcp --sport <port> TCP source port. It filter TCP source port. -p tdp --sport <start-port:end-port> Can be a single value or a range like 1024:65535 -p tcp --dport <port> TCP source port. It filter TCP destination port. -p tdp --dport <start-port:end-port> Can be a single value or a range like 1024:65535 -p tcp --syn Used to identify a new TCP connection request. ! --syn means, not a new connection request. -P tcp !--syn Used to identify old TCP connection request. -p udp --sport <port> UDP source port. It test UDP connections for source ports. -p udp --sport <start-port:end-port> Can be a single value or a range like 1024:65535 -p udp --dport <port> UDP destination port. It test UDP connections for destination -p udp --dport <start-port:end-port> ports.Can be a single value or a range like 1024:65535 In this command switches example: iptables -A OUTPUT -s 0/0 -d 0/0 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT  The source port is in the range 1024 to 65535 and the destination port is port 80 (www/http). 21
22
Allow outbound DNS: iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT Allow POP3 access: iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT Allow outbound DNS: iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT Allow Outgoing SSH: iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT Please note that this is slightly different than the incoming rule. i.e We allow both the NEW and ESTABLISHED state on the OUTPUT chain, and only ESTABLISHED state on the INPUT chain. For the incoming rule, it is vice versa. 23
Common ICMP (Ping) Match Criteria:- Matches used with ---icmp-type Description --icmp-type <type> The most commonly used types are echo-reply and echo-request . Allow Ping from Outside to Inside: The following rules allow outside users to be able to ping your servers. iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT 24
Reject Ping from Outside to Inside: iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT iptables -A OUTPUT -p icmp --icmp-type echo-reply -j REJECT 25
Allow Ping from Inside to Outside: The following rules allow you to ping from inside to any of the outside servers. iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT 26
Consider another example: iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT  The limit feature in iptables specifies the maximum average number of matches to allow per second. You can specify time intervals in the format /second, /minute, /hour, or /day, or you can use abbreviations so that 3/second is the same as 3/s.  In this example, ICMP echo requests are restricted to no more than one per second. When tuned correctly, this feature allows you to filter unusually high volumes of traffic that characterize denial of service (DOS) attacks and Internet worms. 27
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT  In this example, you can expand on the limit feature of iptables to reduce your vulnerability to certain types of denial of service attack. Here a defense for SYN flood attacks was created by limiting the acceptance of TCP segments with the SYN bit set to no more than five per second. 28
Common Extended Match Criteria:- Switch Description -m multiport --sports <port, port> A variety of TCP/UDP source ports separated by commas. Unlike when -m isn't used, they do not have to be within a range. -m multiport --dports <port,port> A variety of TCP/UDP destination ports separated by commas. Unlike when -m isn't used, they do not have to be within a range. -m multiport --ports <port,port> A variety of TCP/UDP ports separated by commas. Source and destination ports are assumed to be the same and they do not have to be within a range. -m –state <state> The most frequently tested states are: ESTABLISHED: The packet is part of a connection that has seen packets in both directions. NEW: The packet is the start of a new connection. RELATED: The packet is starting a new secondary connection. This is a common feature of such protocols such as an FTP data transfer, or an ICMP error. INVALID: The packet couldn't be identified. Could be due to insufficient system resources, or ICMP errors that don't match an existing data flow. In this command switch examples: iptables -A FORWARD -s 0/0 -i eth0 -d 0/0 -p TCP --sport 1024:65535 -m multiport --dports 80,443 -j ACCEPT iptables -A FORWARD -d 0/0 -o eth0 -s 0/0 -p TCP -m state --state ESTABLISHED -j ACCEPT  Here iptables is being configured to allow the firewall to accept TCP packets to be routed when they enter on interface eth0 from any IP address destined for IP address of 192.168.1.58 that is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination ports are port 80 (www/http) and 443 (https). The return packets from 192.168.1.58 are allowed to be accepted too. Instead of stating the source and destination ports, you can simply allow packets related to established connections using the -m state and --state ESTABLISHED options. 29
30
Saving iptables Scripts: [root@localhost ~]#service iptables save [root@localhost ~]#iptables-save  The above command permanently saves the iptables configuration in the /etc/sysconfig/iptables file. When the system reboots, the iptables-restore program reads the configuration and makes it the active configuration. 31
Here is a sample /etc/sysconfig/iptables configuration:  It is never a good idea to edit this script directly because it is always overwritten by the save command and it doesn't save any comments at all, which can also make it extremely difficult to follow. For these reasons, you're better off writing and applying a customized script and then using the service iptables save command to make the changes permanent. [root@localhost ~]#iptables-save > firewall-config It will actually saves a permanent copy of the firewall's active configuration in the /etc/sysconfig/iptables file and exports the iptables-save output to a text file named firewall-config. It can be further used for restoration of iptables. Iptables Restoration: [root@localhost ~]#iptables-restore < firewall-config  Finally, you should permanently save the active configuration so that it will be loaded automatically when the system reboots. 32
Allow Your Firewall To Access The Internet: Allow port 80 (www) and 443 (https) connections from the firewall: iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp -m multiport - -dports 80,443 --sport 1024:65535 If you want all TCP traffic originating from the firewall to be accepted, then remove the line: -m multiport --dports 80,443 --sport 1024:65535 Allow previously established connections: [root@localhost ~]#iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp Allow Your Home Network To Access The Firewall: Here eth0 is directly connected to a home network using IP addresses from the 192.168.1.0 network. All traffic between this network and the firewall is simplistically assumed to be trusted and allowed. Further rules will be needed for the interface connected to the Internet to allow only specific ports, types of connections and possibly even remote servers to have access to your firewall and home network. Allow all bidirectional traffic from your firewall to the protected network: [root@localhost ~]#iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth0 [root@localhost~]#iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth0 Prevent DoS Attack: The following iptables rule will help you prevent the Denial of Service (DoS) attack on your webserver. iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT 33
In the above example:  -m limit: This uses the limit iptables extension  –limit 25/minute: This limits only maximum of 25 connection per minute. Change this value based on your specific requirement  –limit-burst 100: This value indicates that the limit/minute will be enforced only after the total number of connection have reached the limit-burst level. Static NAT: In this example, all traffic to a particular public IP address, not just to a particular port, is translated to a single server on the protected subnet. Uses one to one NAT to make the server 192.168.1.100 on your home network appear on the Internet as IP addresses 97.158.253.26. iptables -t nat -A PREROUTING -d 97.158.253.26 -i eth0 -j DNAT --to-destination 192.168.1.100 iptables -t nat -A POSTROUTING -s 192.168.1.100 -o eth0 -j SNAT --to-source 97.158.253.26 Creates a many to one NAT for the 192.168.1.0 home network in which all the servers appear on the Internet as IP address 97.158.253.29. iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT -o eth0 --to-source 97.158.253.29 Port Forwarding (PAT): The following example routes all traffic that comes to the port 442 to 22. This means that the incoming ssh connection can come from both port 22 and 422. iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22 34
CONCLUSION: We can get different service with this like firewall, routing, natting, logging and we can also block some types of DoS attacks just by implementing few rules in it. 35
REFERENCE: www.haifux.org/lectures/98-sil/IPTablesPresentation.pdf http://media.scottr.org/presentations/linux-home-networking.pdf http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/3/html/Reference_Guide/s1-iptables-options.html www.thegeekstuff.com/2011/06/iptables-rules-examples/ www.cse.psu.edu/~tjaeger/cse497b.../cse497b-project-4-iptables.pdf www.linuxhowtos.org/Security/iptables.pdf 36

Empfohlen

Iptables presentation
Iptables presentationIptables presentation
Iptables presentationEmin Abdul Azeez
 
Iptables in linux
Iptables in linuxIptables in linux
Iptables in linuxMandeep Singh
 
Iptables the Linux Firewall
Iptables the Linux Firewall Iptables the Linux Firewall
Iptables the Linux Firewall Syed fawad Gillani
 
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)NetProtocol Xpert
 
Ip tables
Ip tablesIp tables
Ip tablesnavid ashrafi
 
CCNA 2 Routing and Switching v5.0 Chapter 7
CCNA 2 Routing and Switching v5.0 Chapter 7CCNA 2 Routing and Switching v5.0 Chapter 7
CCNA 2 Routing and Switching v5.0 Chapter 7Nil Menon
 
Ospf
OspfOspf
OspfJoshua Fonseca
 
Access control list [1]
Access control list [1]Access control list [1]
Access control list [1]Summit Bisht
 

Empfohlen

Iptables presentation
Iptables presentationIptables presentation
Iptables presentationEmin Abdul Azeez
 
Iptables in linux
Iptables in linuxIptables in linux
Iptables in linuxMandeep Singh
 
Iptables the Linux Firewall
Iptables the Linux Firewall Iptables the Linux Firewall
Iptables the Linux Firewall Syed fawad Gillani
 
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)NetProtocol Xpert
 
Ip tables
Ip tablesIp tables
Ip tablesnavid ashrafi
 
CCNA 2 Routing and Switching v5.0 Chapter 7
CCNA 2 Routing and Switching v5.0 Chapter 7CCNA 2 Routing and Switching v5.0 Chapter 7
CCNA 2 Routing and Switching v5.0 Chapter 7Nil Menon
 
Ospf
OspfOspf
OspfJoshua Fonseca
 
Access control list [1]
Access control list [1]Access control list [1]
Access control list [1]Summit Bisht
 
Basics of IP Addressing
Basics of IP AddressingBasics of IP Addressing
Basics of IP AddressingKushal Sheth
 
CCNA - Routing & Switching Commands
CCNA - Routing & Switching CommandsCCNA - Routing & Switching Commands
CCNA - Routing & Switching CommandsEng. Emad Al-Atoum
 
Vpn site to site
Vpn site to siteVpn site to site
Vpn site to siteIT Tech
 
IPSec Overview
IPSec OverviewIPSec Overview
IPSec Overviewdavisli
 
Ip address
Ip address Ip address
Ip address Yash Bansal
 
Access Control List (ACL)
Access Control List (ACL)Access Control List (ACL)
Access Control List (ACL)ISMT College
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to SnortHossein Yavari
 
Automating with NX-OS: Let's Get Started!
Automating with NX-OS: Let's Get Started!Automating with NX-OS: Let's Get Started!
Automating with NX-OS: Let's Get Started!Cisco DevNet
 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.pptEdgardo Scrimaglia
 
Router configuration
Router configurationRouter configuration
Router configurationChoyonBonik
 
MikroTik & RouterOS
MikroTik & RouterOSMikroTik & RouterOS
MikroTik & RouterOSFaelix Ltd
 
CCNA 2 Routing and Switching v5.0 Chapter 6
CCNA 2 Routing and Switching v5.0 Chapter 6CCNA 2 Routing and Switching v5.0 Chapter 6
CCNA 2 Routing and Switching v5.0 Chapter 6Nil Menon
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPTAIRTEL
 
Ip address
Ip addressIp address
Ip addressAmandeep Kaur
 
CCNA 1 Routing and Switching v5.0 Chapter 6
CCNA 1 Routing and Switching v5.0 Chapter 6CCNA 1 Routing and Switching v5.0 Chapter 6
CCNA 1 Routing and Switching v5.0 Chapter 6Nil Menon
 
BASIC TO ADVANCED NETWORKING TUTORIALS
BASIC TO ADVANCED NETWORKING TUTORIALSBASIC TO ADVANCED NETWORKING TUTORIALS
BASIC TO ADVANCED NETWORKING TUTORIALSVarinder Singh Walia
 
Computer Networking: Internet Protcol (IP) and IP Addressing
Computer Networking: Internet Protcol (IP) and IP AddressingComputer Networking: Internet Protcol (IP) and IP Addressing
Computer Networking: Internet Protcol (IP) and IP AddressingBisrat Girma
 
GRE (generic routing encapsulation)
GRE (generic routing encapsulation)GRE (generic routing encapsulation)
GRE (generic routing encapsulation)Netwax Lab
 
CCNA 2 Routing and Switching v5.0 Chapter 9
CCNA 2 Routing and Switching v5.0 Chapter 9CCNA 2 Routing and Switching v5.0 Chapter 9
CCNA 2 Routing and Switching v5.0 Chapter 9Nil Menon
 
FIREWALLD
FIREWALLDFIREWALLD
FIREWALLDBenjamin Samuel
 
Iptables
IptablesIptables
Iptablesleminhvuong
 
Packet Filtering Using Iptables
Packet Filtering Using IptablesPacket Filtering Using Iptables
Packet Filtering Using IptablesAhmed Mekkawy
 

Weitere ähnliche Inhalte

Was ist angesagt?

Basics of IP Addressing
Basics of IP AddressingBasics of IP Addressing
Basics of IP AddressingKushal Sheth
 
CCNA - Routing & Switching Commands
CCNA - Routing & Switching CommandsCCNA - Routing & Switching Commands
CCNA - Routing & Switching CommandsEng. Emad Al-Atoum
 
Vpn site to site
Vpn site to siteVpn site to site
Vpn site to siteIT Tech
 
IPSec Overview
IPSec OverviewIPSec Overview
IPSec Overviewdavisli
 
Access Control List (ACL)
Access Control List (ACL)Access Control List (ACL)
Access Control List (ACL)ISMT College
 
Automating with NX-OS: Let's Get Started!
Automating with NX-OS: Let's Get Started!Automating with NX-OS: Let's Get Started!
Automating with NX-OS: Let's Get Started!Cisco DevNet
 
Router configuration
Router configurationRouter configuration
Router configurationChoyonBonik
 
MikroTik & RouterOS
MikroTik & RouterOSMikroTik & RouterOS
MikroTik & RouterOSFaelix Ltd
 
CCNA 2 Routing and Switching v5.0 Chapter 6
CCNA 2 Routing and Switching v5.0 Chapter 6CCNA 2 Routing and Switching v5.0 Chapter 6
CCNA 2 Routing and Switching v5.0 Chapter 6Nil Menon
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPTAIRTEL
 
CCNA 1 Routing and Switching v5.0 Chapter 6
CCNA 1 Routing and Switching v5.0 Chapter 6CCNA 1 Routing and Switching v5.0 Chapter 6
CCNA 1 Routing and Switching v5.0 Chapter 6Nil Menon
 
BASIC TO ADVANCED NETWORKING TUTORIALS
BASIC TO ADVANCED NETWORKING TUTORIALSBASIC TO ADVANCED NETWORKING TUTORIALS
BASIC TO ADVANCED NETWORKING TUTORIALSVarinder Singh Walia
 
Computer Networking: Internet Protcol (IP) and IP Addressing
Computer Networking: Internet Protcol (IP) and IP AddressingComputer Networking: Internet Protcol (IP) and IP Addressing
Computer Networking: Internet Protcol (IP) and IP AddressingBisrat Girma
 
GRE (generic routing encapsulation)
GRE (generic routing encapsulation)GRE (generic routing encapsulation)
GRE (generic routing encapsulation)Netwax Lab
 
CCNA 2 Routing and Switching v5.0 Chapter 9
CCNA 2 Routing and Switching v5.0 Chapter 9CCNA 2 Routing and Switching v5.0 Chapter 9
CCNA 2 Routing and Switching v5.0 Chapter 9Nil Menon
 

Was ist angesagt? (20)

Basics of IP Addressing
Basics of IP AddressingBasics of IP Addressing
Basics of IP Addressing
 
CCNA - Routing & Switching Commands
CCNA - Routing & Switching CommandsCCNA - Routing & Switching Commands
CCNA - Routing & Switching Commands
 
Vpn site to site
Vpn site to siteVpn site to site
Vpn site to site
 
IPSec Overview
IPSec OverviewIPSec Overview
IPSec Overview
 
Ip address
Ip address Ip address
Ip address
 
Access Control List (ACL)
Access Control List (ACL)Access Control List (ACL)
Access Control List (ACL)
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to Snort
 
Automating with NX-OS: Let's Get Started!
Automating with NX-OS: Let's Get Started!Automating with NX-OS: Let's Get Started!
Automating with NX-OS: Let's Get Started!
 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.ppt
 
Router configuration
Router configurationRouter configuration
Router configuration
 
MikroTik & RouterOS
MikroTik & RouterOSMikroTik & RouterOS
MikroTik & RouterOS
 
CCNA 2 Routing and Switching v5.0 Chapter 6
CCNA 2 Routing and Switching v5.0 Chapter 6CCNA 2 Routing and Switching v5.0 Chapter 6
CCNA 2 Routing and Switching v5.0 Chapter 6
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPT
 
Ip address
Ip addressIp address
Ip address
 
CCNA 1 Routing and Switching v5.0 Chapter 6
CCNA 1 Routing and Switching v5.0 Chapter 6CCNA 1 Routing and Switching v5.0 Chapter 6
CCNA 1 Routing and Switching v5.0 Chapter 6
 
BASIC TO ADVANCED NETWORKING TUTORIALS
BASIC TO ADVANCED NETWORKING TUTORIALSBASIC TO ADVANCED NETWORKING TUTORIALS
BASIC TO ADVANCED NETWORKING TUTORIALS
 
Computer Networking: Internet Protcol (IP) and IP Addressing
Computer Networking: Internet Protcol (IP) and IP AddressingComputer Networking: Internet Protcol (IP) and IP Addressing
Computer Networking: Internet Protcol (IP) and IP Addressing
 
GRE (generic routing encapsulation)
GRE (generic routing encapsulation)GRE (generic routing encapsulation)
GRE (generic routing encapsulation)
 
CCNA 2 Routing and Switching v5.0 Chapter 9
CCNA 2 Routing and Switching v5.0 Chapter 9CCNA 2 Routing and Switching v5.0 Chapter 9
CCNA 2 Routing and Switching v5.0 Chapter 9
 
FIREWALLD
FIREWALLDFIREWALLD
FIREWALLD
 

Andere mochten auch

Packet Filtering Using Iptables
Packet Filtering Using IptablesPacket Filtering Using Iptables
Packet Filtering Using IptablesAhmed Mekkawy
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure ShellSouhaib El
 
ssh, bien plus qu'un telnet sécurisé
ssh, bien plus qu'un telnet sécuriséssh, bien plus qu'un telnet sécurisé
ssh, bien plus qu'un telnet sécuriséTryphon
 
Microsoft Word Project, Firewalls
Microsoft Word Project, FirewallsMicrosoft Word Project, Firewalls
Microsoft Word Project, Firewallskkkseld
 
Introduction to firewalls through Iptables
Introduction to firewalls through IptablesIntroduction to firewalls through Iptables
Introduction to firewalls through IptablesBud Siddhisena
 
Kingston University Thesis - Design and Implementation of a Secure Web Applic...
Kingston University Thesis - Design and Implementation of a Secure Web Applic...Kingston University Thesis - Design and Implementation of a Secure Web Applic...
Kingston University Thesis - Design and Implementation of a Secure Web Applic...PROBOTEK
 
initiation SSH_SecuriNets ISI Tunisie
initiation SSH_SecuriNets ISI Tunisieinitiation SSH_SecuriNets ISI Tunisie
initiation SSH_SecuriNets ISI TunisieDonia Hammami
 
Assignment (2)
Assignment (2)Assignment (2)
Assignment (2)aroosa12
 
WRITTEN ASSIGNMENT FORMAT - LA 2.0 COMPUTER SYSTEM
WRITTEN ASSIGNMENT FORMAT - LA 2.0 COMPUTER SYSTEMWRITTEN ASSIGNMENT FORMAT - LA 2.0 COMPUTER SYSTEM
WRITTEN ASSIGNMENT FORMAT - LA 2.0 COMPUTER SYSTEMsalwahanim
 
Netfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scaleNetfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scalebrouer
 

Andere mochten auch (20)

Iptables
IptablesIptables
Iptables
 
Packet Filtering Using Iptables
Packet Filtering Using IptablesPacket Filtering Using Iptables
Packet Filtering Using Iptables
 
Projet IPTable
Projet IPTableProjet IPTable
Projet IPTable
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure Shell
 
Atelier ssh
Atelier sshAtelier ssh
Atelier ssh
 
ssh, bien plus qu'un telnet sécurisé
ssh, bien plus qu'un telnet sécuriséssh, bien plus qu'un telnet sécurisé
ssh, bien plus qu'un telnet sécurisé
 
Microsoft Word Project, Firewalls
Microsoft Word Project, FirewallsMicrosoft Word Project, Firewalls
Microsoft Word Project, Firewalls
 
Introduction to firewalls through Iptables
Introduction to firewalls through IptablesIntroduction to firewalls through Iptables
Introduction to firewalls through Iptables
 
Git basics
Git basicsGit basics
Git basics
 
Kingston University Thesis - Design and Implementation of a Secure Web Applic...
Kingston University Thesis - Design and Implementation of a Secure Web Applic...Kingston University Thesis - Design and Implementation of a Secure Web Applic...
Kingston University Thesis - Design and Implementation of a Secure Web Applic...
 
Understanding iptables
Understanding iptablesUnderstanding iptables
Understanding iptables
 
IPTABLES
IPTABLESIPTABLES
IPTABLES
 
IP Tables Getting Started - Part 2
IP Tables Getting Started - Part 2IP Tables Getting Started - Part 2
IP Tables Getting Started - Part 2
 
IPTables Primer - Part 2
IPTables Primer - Part 2IPTables Primer - Part 2
IPTables Primer - Part 2
 
IP Tables Primer - Part 1
IP Tables Primer - Part 1IP Tables Primer - Part 1
IP Tables Primer - Part 1
 
initiation SSH_SecuriNets ISI Tunisie
initiation SSH_SecuriNets ISI Tunisieinitiation SSH_SecuriNets ISI Tunisie
initiation SSH_SecuriNets ISI Tunisie
 
Assignment (2)
Assignment (2)Assignment (2)
Assignment (2)
 
WRITTEN ASSIGNMENT FORMAT - LA 2.0 COMPUTER SYSTEM
WRITTEN ASSIGNMENT FORMAT - LA 2.0 COMPUTER SYSTEMWRITTEN ASSIGNMENT FORMAT - LA 2.0 COMPUTER SYSTEM
WRITTEN ASSIGNMENT FORMAT - LA 2.0 COMPUTER SYSTEM
 
Netfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scaleNetfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scale
 
Android Firewall project
Android Firewall projectAndroid Firewall project
Android Firewall project
 

Ähnlich wie Iptables Configuration

IP Tables And Filtering
IP Tables And FilteringIP Tables And Filtering
IP Tables And FilteringSuperstarRr
 
Nad710 Network Address Translation
Nad710 Network Address TranslationNad710 Network Address Translation
Nad710 Network Address Translationtmavroidis
 
Paper id 25201418
Paper id 25201418Paper id 25201418
Paper id 25201418IJRAT
 
IPTABLES_linux_Firewall_Administration (1).pdf
IPTABLES_linux_Firewall_Administration (1).pdfIPTABLES_linux_Firewall_Administration (1).pdf
IPTABLES_linux_Firewall_Administration (1).pdfmpassword
 
Basic ccna interview questions and answers ~ sysnet notes
Basic ccna interview questions and answers ~ sysnet notesBasic ccna interview questions and answers ~ sysnet notes
Basic ccna interview questions and answers ~ sysnet notesVamsi Krishna Kalavala
 
CCNA Routing Protocols
CCNA Routing ProtocolsCCNA Routing Protocols
CCNA Routing ProtocolsDsunte Wilson
 
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...Tarun Khaneja
 
ccna project on topic company infrastructure
ccna project on topic company infrastructureccna project on topic company infrastructure
ccna project on topic company infrastructurePrince Gautam
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Servermmoizuddin
 
Training Day Slides
Training Day SlidesTraining Day Slides
Training Day Slidesadam_merritt
 
Basic Introduction to Technology (networking).pdf
Basic Introduction to Technology (networking).pdfBasic Introduction to Technology (networking).pdf
Basic Introduction to Technology (networking).pdftthind
 

Ähnlich wie Iptables Configuration (20)

CCNA FUNDAMENTAL
CCNA FUNDAMENTALCCNA FUNDAMENTAL
CCNA FUNDAMENTAL
 
NAT_Final
NAT_FinalNAT_Final
NAT_Final
 
IP Tables And Filtering
IP Tables And FilteringIP Tables And Filtering
IP Tables And Filtering
 
Nad710 Network Address Translation
Nad710 Network Address TranslationNad710 Network Address Translation
Nad710 Network Address Translation
 
Lan Network with Redundancy
Lan Network with RedundancyLan Network with Redundancy
Lan Network with Redundancy
 
Lan Network with Redundancy.ppt
Lan Network with Redundancy.pptLan Network with Redundancy.ppt
Lan Network with Redundancy.ppt
 
Paper id 25201418
Paper id 25201418Paper id 25201418
Paper id 25201418
 
IPTABLES_linux_Firewall_Administration (1).pdf
IPTABLES_linux_Firewall_Administration (1).pdfIPTABLES_linux_Firewall_Administration (1).pdf
IPTABLES_linux_Firewall_Administration (1).pdf
 
Basic ccna interview questions and answers ~ sysnet notes
Basic ccna interview questions and answers ~ sysnet notesBasic ccna interview questions and answers ~ sysnet notes
Basic ccna interview questions and answers ~ sysnet notes
 
CCNA Routing Protocols
CCNA Routing ProtocolsCCNA Routing Protocols
CCNA Routing Protocols
 
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...
ccna summer training ppt ( Cisco certified network analysis) ppt. by Traun k...
 
ccna project on topic company infrastructure
ccna project on topic company infrastructureccna project on topic company infrastructure
ccna project on topic company infrastructure
 
SRE NL MeetUp - eBPF.pdf
SRE NL MeetUp - eBPF.pdfSRE NL MeetUp - eBPF.pdf
SRE NL MeetUp - eBPF.pdf
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Server
 
Training Day Slides
Training Day SlidesTraining Day Slides
Training Day Slides
 
I ptable
I ptableI ptable
I ptable
 
Mikro tik
Mikro tikMikro tik
Mikro tik
 
Basic Introduction to Technology (networking).pdf
Basic Introduction to Technology (networking).pdfBasic Introduction to Technology (networking).pdf
Basic Introduction to Technology (networking).pdf
 
66 pf sensetutorial
66 pf sensetutorial66 pf sensetutorial
66 pf sensetutorial
 
66_pfSenseTutorial
66_pfSenseTutorial66_pfSenseTutorial
66_pfSenseTutorial
 

Kürzlich hochgeladen

Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)cama23
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxPoojaSen20
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 

Kürzlich hochgeladen (20)

Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 

Iptables Configuration

  • 1. CONFIGURATION AND IMPLEMANTATION of IPTABLEs Submitted by- SAMESWAR BEHERA 1 Guided By- ER.NUTAN KUMAR PANDA
  • 2. Certificate This is to certify that the Project report entitled “Configuration and Implementation of Iptables” submitted by Sameswar Behera, ISEH-FRP, in partial fulfillment of the requirement of the award of Diploma in ISEH under APPIN TECHNOLOGY LAB: Bhubaneswar. Completed his project successfully. Er. Nutan Kumar Panda Mr. Bibhuti Bhusan Prusty Project Guide Center Head Mr. SudhanshuBhusanPrusty Managing Director 2
  • 3. Acknowledgement I have a great honor to acknowledge MR. Sudhanshu Bhusan Prusty, Managing Director, Appin Technology Labs, Bhubaneswar, Odisha. Who had given me his consent to carry out this project . I feel immense pleasure and privilege in expressing my deep sense of gratitude towards my guide ER. Nutan Kumar Panda, whose valuable guidance and critical analysis of my result has led to successful completion of my project. My special thanks to all my friends for giving me incentive support in this report work. I express my gratitude to my affectionate and friends for encouragement and enthusiastic support throughout this study. SAMESWAR BEHERA 3
  • 4. TABLE OF CONTENTS What is firewall……………………………………………………………………………………………………………….5 What is iptables………………………………………………………………………………………………………………5 Installing iptables……………………………………………………………………………………………………………5 To start iptables………………………………………………………………………………………………………………6 Determining the status of iptables…………………………………………………………………………………7 Packet processing in iptables………………………………………………………………………………………….8 Processing for packet routed by the firewall………………………………………………………………….9 Iptables packet flow diagram………………………………………………………………………………………..10 Targets and jumps………………………………………………………………………………………………………….11 General iptables match criteria………………………………………………………………………………………12 Common TCP and UDP match criteria……………………………………………………………………………21 Common extended match criteria………………………………………………………………………………….29 Saving iptables scripts…………………………………………………………………………………………………….31 Iptables restoration…………………………………………………………………………………………………………32 Allow your home network to access the internet………………………………………………………….33 Allow your home network to access the firewall……………………………………………………………33 Prevent DoS attack…………………………………………………………………………………………………………33 Static NAT………………………………………………………………………………………………………………………..34 Port forwarding……………………………………………………………………………………………………………….34 Conclusion……………………………………………………………………………………………………………………….35 Reference…………………………………………………………………………………………………………………………36 4
  • 5. What is a Firewall?  A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer.  A set of related programs that protects the resources of a private network from users from other networks.  A mechanism for filtering network packets based on information contained within the IP header. Firewall Options:  Commercial Firewall Devices (Watchguard, Cisco PIX)  Routers (ACL Lists)  Linux (Iptables)  Software Packages (ZoneAlarm, Black Ice, Tiny Personal Firewall, Norton Personal Firewall, Comodo Firewall) Linux Firewall Programs: Ipfwadm : Linux kernel 2.0.34 Ipchains : Linux kernel 2.2. Iptables : Linux kernel 2.4. & above What Is iptables? It is the modified firewall package available in linux operating system. Before it was known as ipchanes, later it comes with capabilities like natting and routing. Some other improvements are:  Better integration with the Linux kernel, so improved speed and reliability.  Stateful packet inspection.  Filter packets according to TCP header and MAC address.  System logging that provides the option of adjusting the level of detail of the reporting.  Better network address translation.  Support for transparent integration with such Web proxy programs as Squid.  A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks. Installing iptables: In most Linux distros including Redhat / CentOS Linux installs iptables by default. You can use the following procedure to verify that iptables has been installed or not in Redhat. Open terminal and type the following command: [root@localhost ~]#yum info iptables 5
  • 6. Sample outputs: If the above message does not appear, then type the following command to install iptables: [root@localhost ~]#yum install iptables To Start iptables: You can start, stop, and restart iptables after booting by using the commands: [root@localhost ~]# service iptables start [root@localhost ~]# service iptables stop [root@localhost ~]# service iptables restart To get iptables configured to start at boot, use the chkconfig command: [root@localhost ~]# chkconfig iptables on 6
  • 7. Determining The Status of iptables: You can determine whether iptables is running or not via the service iptables status command. [root@localhost ~]# service iptables status 7
  • 8. Packet Processing In iptables: All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain.  There are three tables in total. The first is the mangle table which is responsible for the alteration of quality of service bits in the TCP header. This is hardly used in a home or SOHO environment.  The second table is the filter queue which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. These are the: 1. Forward chain: Filters packets to servers protected by the firewall. 2. Input chain : Filters packets destined for the firewall. 3. Output chain : Filters packets originating from the firewall.  The third table is the nat queue which is responsible for network address translation. It has two built-in chains; these are: 4. Pre-routing chain: NATs packets when the destination address of the packet needs to be changed. 5. Post-routing chain: NATs packets when the source address of the packet needs to be changed. 8
  • 9. Processing For Packets Routed By The Firewall: Packet Queue Queue Transformation Chain Function Type Function Chain in Queue Filter Packet FORWARD Filters packets to servers accessible by another filtering NIC on the firewall. INPUT Filters packets destined to the firewall. OUTPUT Filters packets originating from the firewall. Address translation occurs before routing. Nat Network PREROUTING Facilitates the transformation of the destination IP Address address to be compatible with the firewall's routing table. Used with NAT of the destination Translation IP address, also known as destination NAT or DNAT. Address translation occurs after routing. This POSTROUTING implies that there was no need to modify the destination IP address of the packet as in pre- routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT. Network address translation for packets generated OUTPUT by the firewall. (Rarely used in SOHO environments) Mangle TCP header PREROUTING Modification of the TCP packet quality of service modification POSTROUTING bits before routing occurs. (Rarely used in SOHO OUTPUT environments) INPUT FORWARD You need to specify the table and the chain for each firewall rule you create. There is an exception: Most rules are related to filtering, so iptables assumes that any chain that's defined without an associated table will be a part of the filter table. The filter table is therefore the default. Queue Take a look at the way packets are handled by iptables. In Figure below a TCP packet from the Internet arrives at the firewall's interface on Network A to create a data connection.  The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. It is then routed.  If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT in the POSTROUTING chain before arriving at Network B. When the destination server decides to reply, the packet undergoes 9
  • 10. the same sequence of steps. Both the FORWARD and POSTROUTING chains may be configured to implement quality of service (QoS) features in their mangle tables, but this is not usually done in SOHO environments.  If the packet is destined for the firewall itself, then it passes through the mangle table of the INPUT chain, if configured, before being filtered by the rules in the INPUT chain of the filter table before. If it successfully passes these tests then it is processed by the intended application on the firewall.  At some point, the firewall needs to reply. This reply is routed and inspected by the rules in the OUTPUT chain of the mangle table, if any. Next, the rules in the OUTPUT chain of the nat table determine whether DNAT is required and the rules in the OUTPUT chain of the filter table are then inspected to help restrict unauthorized packets. Finally, before the packet is sent back to the Internet, SNAT and QoS mangling is done by the POSTROUTING chain. Type Iptables Packet Flow Diagram: Packet 10
  • 11. Targets And Jumps: Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet needs to jump over to it for further processing. Target Description Most Common Options Iptables stops further processing and ACCEPT the packet is handed over to the end N/A application. Iptables stops further processing and DROP drop the packet. N/A The packet information is sent to the syslog --log-prefix “string” LOG daemon for logging and iptables continues processing with the next rule in the table. (It tells iptable to fix the log message As you can't log and drop at the with a user defined string.) same time. --log-level 0 to 7 --reject-with qualifier REJECT Works like the DROP target, but will also (The qualifier tells what type of reject return an error message to the host message is returned.) sending the packet that the packet was Qualifiers include: blocked. icmp-port-unreachable (default) icmp-net-unreachable icmp-host-unreachable icmp-proto-unreachable icmp-net-prohibited icmp-host-prohibited tcp-reset echo-reply Used to do destination network address --to-destination ipaddress DNAT translation. ie. rewriting the destination IP address of the packet. (Tells iptables what the destination IP address should be.) Used to do source network address --to-source <ip>[-<ip>][:<port>- SNAT translation. ie. rewriting the source IP <port>] address of the packet. The source IP address is user defined. (Specifies the source IP address and ports to be used by SNAT.) Used to do Source Network Address --to-ports <port>[-<port>] MASQUERADE Translation. By default the source IP address is the (Specifies the range of source ports to same as that used by the firewall's which the original source port can be interface. mapped.) Queue Chain Function 11
  • 12. Important Iptables Command Switch Operations: Each line of an iptables script not only has a jump, but they also have a number of command line options that are used to append rules to chains that match your defined packet characteristics, such the source IP address and TCP port. There are also options that can be used to just clear a chain so you can start all over again. General Iptables Match Criteria:- Iptables command Switch Description It is to specify which table you will use from filter, nat, mangle. -t <-table-> If you don’t specify a table then the filter table is assumed. Jump to the specified target chain when the packet matches the current -j <target> rule. -A Append rule to end of a chain. -F Flush. Deletes all the rules in the selected table. -p <protocol-type> Match protocol. Types include, icmp, tcp, udp, and all. -s <ip-address> Match source IP address. -d <ip-address> Match destination IP address. -i <interface-name> Match "input" interface on which the packet enters. -o <interface-name> Match "output" interface on which the packet exits. In this command switches example: [root@localhost ~]#iptables -A INPUT -s 0/0 -i eth0 -d 0/0 -p TCP -j ACCEPT iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address . The 0/0 representation of an IP address means any. 12
  • 13. 13
  • 14. [root@localhost ~]#iptables -A INPUT -s 0/0 -i eth0 -d 0/0 -p TCP -j DROP 14
  • 15. 15
  • 16. [root@localhost ~]#iptables -A INPUT -s 0/0 -i eth0 -d 0/0 -p icmp -j DROP 16
  • 17. iptables -A INPUT -s 0/0 -i eth0 -d 0/0 -p icmp –REJECT –reject-with icmp-host-unrechable 17
  • 18. 18
  • 19. 19
  • 20. Block a Specific ip-address: if you want to block a specific ip-address, you should do that first as shown below. Change the “x.x.x.x” in the following example to the specific ip-address that you like to block. BLOCK_THIS_IP="x.x.x.x" iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP This is helpful when you find some strange activities from a specific ip-address in your log files, and you want to temporarily block that ip-address while you do further research.You can also use one of the following variations, which blocks only TCP traffic on eth0 connection for this ip-address. iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP Allow Internal Network to External network: On the firewall server where one ethernet card is connected to the external, and another ethernet card connected to the internal servers, use the following rules to allow internal network talk to external network. iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT In this example, eth1 is connected to external network (internet), and eth0 is connected to internal network (For example: 192.168.1.x). 20
  • 21. Common TCP and UDP Match Criteria:- Switch Description -p tcp --sport <port> TCP source port. It filter TCP source port. -p tdp --sport <start-port:end-port> Can be a single value or a range like 1024:65535 -p tcp --dport <port> TCP source port. It filter TCP destination port. -p tdp --dport <start-port:end-port> Can be a single value or a range like 1024:65535 -p tcp --syn Used to identify a new TCP connection request. ! --syn means, not a new connection request. -P tcp !--syn Used to identify old TCP connection request. -p udp --sport <port> UDP source port. It test UDP connections for source ports. -p udp --sport <start-port:end-port> Can be a single value or a range like 1024:65535 -p udp --dport <port> UDP destination port. It test UDP connections for destination -p udp --dport <start-port:end-port> ports.Can be a single value or a range like 1024:65535 In this command switches example: iptables -A OUTPUT -s 0/0 -d 0/0 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT  The source port is in the range 1024 to 65535 and the destination port is port 80 (www/http). 21
  • 22. 22
  • 23. Allow outbound DNS: iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT Allow POP3 access: iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT Allow outbound DNS: iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT Allow Outgoing SSH: iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT Please note that this is slightly different than the incoming rule. i.e We allow both the NEW and ESTABLISHED state on the OUTPUT chain, and only ESTABLISHED state on the INPUT chain. For the incoming rule, it is vice versa. 23
  • 24. Common ICMP (Ping) Match Criteria:- Matches used with ---icmp-type Description --icmp-type <type> The most commonly used types are echo-reply and echo-request . Allow Ping from Outside to Inside: The following rules allow outside users to be able to ping your servers. iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT 24
  • 25. Reject Ping from Outside to Inside: iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT iptables -A OUTPUT -p icmp --icmp-type echo-reply -j REJECT 25
  • 26. Allow Ping from Inside to Outside: The following rules allow you to ping from inside to any of the outside servers. iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT 26
  • 27. Consider another example: iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT  The limit feature in iptables specifies the maximum average number of matches to allow per second. You can specify time intervals in the format /second, /minute, /hour, or /day, or you can use abbreviations so that 3/second is the same as 3/s.  In this example, ICMP echo requests are restricted to no more than one per second. When tuned correctly, this feature allows you to filter unusually high volumes of traffic that characterize denial of service (DOS) attacks and Internet worms. 27
  • 28. iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT  In this example, you can expand on the limit feature of iptables to reduce your vulnerability to certain types of denial of service attack. Here a defense for SYN flood attacks was created by limiting the acceptance of TCP segments with the SYN bit set to no more than five per second. 28
  • 29. Common Extended Match Criteria:- Switch Description -m multiport --sports <port, port> A variety of TCP/UDP source ports separated by commas. Unlike when -m isn't used, they do not have to be within a range. -m multiport --dports <port,port> A variety of TCP/UDP destination ports separated by commas. Unlike when -m isn't used, they do not have to be within a range. -m multiport --ports <port,port> A variety of TCP/UDP ports separated by commas. Source and destination ports are assumed to be the same and they do not have to be within a range. -m –state <state> The most frequently tested states are: ESTABLISHED: The packet is part of a connection that has seen packets in both directions. NEW: The packet is the start of a new connection. RELATED: The packet is starting a new secondary connection. This is a common feature of such protocols such as an FTP data transfer, or an ICMP error. INVALID: The packet couldn't be identified. Could be due to insufficient system resources, or ICMP errors that don't match an existing data flow. In this command switch examples: iptables -A FORWARD -s 0/0 -i eth0 -d 0/0 -p TCP --sport 1024:65535 -m multiport --dports 80,443 -j ACCEPT iptables -A FORWARD -d 0/0 -o eth0 -s 0/0 -p TCP -m state --state ESTABLISHED -j ACCEPT  Here iptables is being configured to allow the firewall to accept TCP packets to be routed when they enter on interface eth0 from any IP address destined for IP address of 192.168.1.58 that is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination ports are port 80 (www/http) and 443 (https). The return packets from 192.168.1.58 are allowed to be accepted too. Instead of stating the source and destination ports, you can simply allow packets related to established connections using the -m state and --state ESTABLISHED options. 29
  • 30. 30
  • 31. Saving iptables Scripts: [root@localhost ~]#service iptables save [root@localhost ~]#iptables-save  The above command permanently saves the iptables configuration in the /etc/sysconfig/iptables file. When the system reboots, the iptables-restore program reads the configuration and makes it the active configuration. 31
  • 32. Here is a sample /etc/sysconfig/iptables configuration:  It is never a good idea to edit this script directly because it is always overwritten by the save command and it doesn't save any comments at all, which can also make it extremely difficult to follow. For these reasons, you're better off writing and applying a customized script and then using the service iptables save command to make the changes permanent. [root@localhost ~]#iptables-save > firewall-config It will actually saves a permanent copy of the firewall's active configuration in the /etc/sysconfig/iptables file and exports the iptables-save output to a text file named firewall-config. It can be further used for restoration of iptables. Iptables Restoration: [root@localhost ~]#iptables-restore < firewall-config  Finally, you should permanently save the active configuration so that it will be loaded automatically when the system reboots. 32
  • 33. Allow Your Firewall To Access The Internet: Allow port 80 (www) and 443 (https) connections from the firewall: iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp -m multiport - -dports 80,443 --sport 1024:65535 If you want all TCP traffic originating from the firewall to be accepted, then remove the line: -m multiport --dports 80,443 --sport 1024:65535 Allow previously established connections: [root@localhost ~]#iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp Allow Your Home Network To Access The Firewall: Here eth0 is directly connected to a home network using IP addresses from the 192.168.1.0 network. All traffic between this network and the firewall is simplistically assumed to be trusted and allowed. Further rules will be needed for the interface connected to the Internet to allow only specific ports, types of connections and possibly even remote servers to have access to your firewall and home network. Allow all bidirectional traffic from your firewall to the protected network: [root@localhost ~]#iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth0 [root@localhost~]#iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth0 Prevent DoS Attack: The following iptables rule will help you prevent the Denial of Service (DoS) attack on your webserver. iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT 33
  • 34. In the above example:  -m limit: This uses the limit iptables extension  –limit 25/minute: This limits only maximum of 25 connection per minute. Change this value based on your specific requirement  –limit-burst 100: This value indicates that the limit/minute will be enforced only after the total number of connection have reached the limit-burst level. Static NAT: In this example, all traffic to a particular public IP address, not just to a particular port, is translated to a single server on the protected subnet. Uses one to one NAT to make the server 192.168.1.100 on your home network appear on the Internet as IP addresses 97.158.253.26. iptables -t nat -A PREROUTING -d 97.158.253.26 -i eth0 -j DNAT --to-destination 192.168.1.100 iptables -t nat -A POSTROUTING -s 192.168.1.100 -o eth0 -j SNAT --to-source 97.158.253.26 Creates a many to one NAT for the 192.168.1.0 home network in which all the servers appear on the Internet as IP address 97.158.253.29. iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT -o eth0 --to-source 97.158.253.29 Port Forwarding (PAT): The following example routes all traffic that comes to the port 442 to 22. This means that the incoming ssh connection can come from both port 22 and 422. iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22 34
  • 35. CONCLUSION: We can get different service with this like firewall, routing, natting, logging and we can also block some types of DoS attacks just by implementing few rules in it. 35