Logging connections with IPtables
Logging ALL incoming and outgoing traffic
iptables -A OUTPUT -j LOG # packets leaving this host
iptables -A INPUT -j LOG # packets addressed to this host
iptables -A FORWARD -j LOG # packets routed through this host
iptables -t nat -A PREROUTING -j LOG # nat table: only the first packet of each inbound connection
iptables -t nat -A POSTROUTING -j LOG # nat table: only the first packet of each outbound/forwarded connection
iptables -t nat -A OUTPUT -j LOG # nat table: only the first packet of each locally generated connection
Description: The above commands log every packet traversing the INPUT, OUTPUT and FORWARD chains of the filter table, plus the PREROUTING, POSTROUTING and OUTPUT chains of the nat table. LOG writes to the kernel log, which syslog normally stores in /var/log/messages or /var/log/kern.log depending on its configuration (journalctl -k on systemd hosts). Two caveats: the nat table only sees the first packet of each connection, so the three nat rules log connections rather than packets; and logging every packet on a busy host floods the log and can fill the disk, so in practice give each rule a --log-prefix to tell the entries apart and rate-limit it with -m limit. LOG is a non-terminating target: after logging, the packet continues to the next rule in the chain.
A Customized Logging Chain to Log All SSH Connections
iptables -N LOGIT # user-defined chain that logs new connections only
iptables -A LOGIT -m state --state ESTABLISHED -j RETURN # skip packets of connections conntrack already tracks as established
iptables -A LOGIT -j LOG
iptables -A LOGIT -j RETURN # explicit; falling off the end of a user-defined chain returns anyway
Description: The above commands create a user-defined chain LOGIT that logs every packet handed to it except those belonging to an already-established connection, so each connection is logged once (at its first packet) instead of on every packet. The match is on connection-tracking state, not on IP fragments. -m state still works but is deprecated; -m conntrack --ctstate ESTABLISHED matches the same thing. Now let's use this chain.
iptables -A INPUT -p tcp --dport 22 -j LOGIT
Description: This logs each new inbound connection attempt to TCP port 22 (SSH) once, instead of logging every SSH packet. LOGIT neither accepts nor drops anything: after the LOG rule the packet returns to INPUT and is still subject to whatever rules follow. The jump must therefore come before any ACCEPT rule for port 22, otherwise the ACCEPT terminates processing first and LOGIT never sees the traffic.
Below is the complete shell script for the above logging.
#!/bin/bash
iptables -N LOGIT # user-defined chain: log new connections only
iptables -A LOGIT -m state --state ESTABLISHED -j RETURN # skip packets of already-established connections
iptables -A LOGIT -j LOG
iptables -A LOGIT -j RETURN
iptables -A INPUT -p tcp --dport 22 -j LOGIT # send inbound SSH through LOGIT
#end
Reverse script to delete the above iptables config. A user-defined chain can only be deleted (-X) once it is empty and no rule jumps to it, so the reference from INPUT goes first.
#!/bin/bash
iptables -D INPUT -p tcp --dport 22 -j LOGIT # remove the jump into LOGIT first
iptables -D LOGIT -m state --state ESTABLISHED -j RETURN
iptables -D LOGIT -j LOG
iptables -D LOGIT -j RETURN
iptables -X LOGIT # delete the now empty and unreferenced chain
#end
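As an added example (not part of the original page or the referenced site), the following script turns the kernel log entries produced by the LOGIT chain into a per-source count of new SSH connection attempts, which is what you need when deciding which addresses to block. It assumes the LOG rule in LOGIT was given --log-prefix "LOGIT-SSH: " so its entries can be told apart from other LOG rules (the rule as given above has no prefix). The log lines embedded in the script are constructed samples in the format the LOG target writes, not captured traffic.

```shell
#!/bin/sh
# Added example: summarise iptables LOG entries for new SSH connections by
# source address. Assumes the LOGIT LOG rule used --log-prefix "LOGIT-SSH: "
# (an assumption; the rule as given on the page has no prefix).

# Constructed sample kernel log lines in the format the LOG target produces
# (not captured from a real host). Three SYNs from one host, one SYN and one
# stray ACK from another, and one entry written by a different LOG rule.
SAMPLE_LOG='Jan 12 10:15:01 gw kernel: [1001.000001] LOGIT-SSH: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.168.1.50 DST=10.10.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10001 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:15:02 gw kernel: [1002.000002] LOGIT-SSH: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.168.1.50 DST=10.10.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10002 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:15:03 gw kernel: [1003.000003] LOGIT-SSH: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.168.1.50 DST=10.10.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10003 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:15:04 gw kernel: [1004.000004] LOGIT-SSH: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:01:02:03:08:00 SRC=10.0.0.7 DST=10.10.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=20001 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 12 10:15:05 gw kernel: [1005.000005] LOGIT-SSH: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:01:02:03:08:00 SRC=10.0.0.7 DST=10.10.10.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=20002 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=502 RES=0x00 ACK URGP=0
Jan 12 10:15:06 gw kernel: [1006.000006] OTHER: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:01:02:03:08:00 SRC=10.0.0.9 DST=10.10.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=30001 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0'

# ssh_attempts: read kernel log lines on stdin and print "COUNT SRC", most
# frequent first, counting only LOGIT-SSH entries that are TCP, to port 22 and
# carry SYN (a new connection attempt). LOG writes space-separated KEY=VALUE
# tokens, so each token is checked by prefix; TCP flags such as SYN are bare tokens.
ssh_attempts() {
    awk '
        /LOGIT-SSH: / {
            src = ""; dpt = ""; proto = ""; syn = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i == "SYN")    syn = 1
            }
            if (proto == "TCP" && dpt == "22" && syn) count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# flag_sources [THRESHOLD]: print the sources with at least THRESHOLD attempts
# (default 3); these are the candidates for an "iptables -I INPUT -s ... -j DROP".
flag_sources() {
    ssh_attempts | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | ssh_attempts ;;   # run on the constructed sample
    live) ssh_attempts ;;   # e.g.  journalctl -k --no-pager | sh ssh_log_summary.sh live
esac
```

Entries without SYN are skipped on purpose: with the ESTABLISHED return in LOGIT they should be rare, and when they do appear they are mid-connection packets that conntrack did not recognise, not new attempts.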
Blocking traffic with IPtables
Blocking an IP (Drop connection)
Example: iptables -A INPUT -s 192.168.0.1 -j DROP
Description: Packets from 192.168.0.1 are discarded silently; the sender only sees a timeout, which also slows down port scans.
Blocking an IP (Rejecting connection)
Example: iptables -A INPUT -s 192.168.0.1 -j REJECT
Description: Same match, but the host answers with an ICMP port-unreachable error (a TCP reset can be sent instead with --reject-with), so the sender fails immediately. REJECT is friendlier to legitimate clients; DROP reveals less to scanners. Both rules only act on packets that reach them: an earlier ACCEPT in the chain matches first, so block rules belong ahead of allow rules (insert them with -I rather than appending with -A).
Blocking access of an IP to a certain port
Example: iptables -A INPUT -p tcp -s 192.168.1.50 --dport 110 -j REJECT
Description: This rejects TCP connections from 192.168.1.50 to local port 110 (POP3). --dport is only valid together with a -p tcp or -p udp match.
Example: iptables -A INPUT -p udp -s 192.168.1.50 --dport 52 -j REJECT
Description: This rejects UDP datagrams from 192.168.1.50 to local port 52. For UDP the rejection is an ICMP port-unreachable message, the same thing a closed port would return.
Blocking All Incoming Traffic at a Port
Example: iptables -A INPUT -p tcp --dport 110 -j REJECT
Description: This rejects ALL incoming TCP connections to port 110, from any source. It does not cover UDP; that needs a separate -p udp rule.
Blocking Incoming Pings
Example: iptables -A INPUT -p icmp -j DROP
Description: Useful against automated network scans that ping a range to find live hosts. Two caveats: the rule drops all ICMP, not just echo requests, so it also discards the ICMP error messages (fragmentation-needed, time-exceeded) that path-MTU discovery and traceroute rely on; matching only the echo-request type is the narrower choice. And it does not hide the host from a scanner that probes TCP ports or uses ARP on the local segment.
Blocking access to an external IP from within your server
Example: iptables -A OUTPUT -p tcp -d 192.168.1.50 -j REJECT
Description: This blocks TCP connections from this server to 192.168.1.50: processes on the server, and therefore its users, cannot reach that address over TCP. Because the rule sits in OUTPUT and uses REJECT, the local process gets an immediate "connection refused" instead of hanging until it times out. Only TCP is covered; UDP and ICMP to that host still pass.
Blocking access to an external port of an external IP
Example: iptables -A OUTPUT -p tcp -d 192.168.1.50 --dport 25 -j REJECT
Description: Port 25 (SMTP) of 192.168.1.50 will not be reachable from within your server, while other ports on that host remain accessible.
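The examples above each append a single rule, but on a real host their order relative to each other and to the ACCEPT rules decides whether they work at all. As an added example (not from the original page), the following script assembles them into one stateful INPUT/OUTPUT rule set in the order iptables evaluates them. The addresses and ports are the page's; the loopback and conntrack rules, the narrower ICMP match, the TCP reset for TCP rejects, the SSH allow rule and the DRY_RUN switch are additions of this example. Run it with DRY_RUN=1 (or the argument show) to see the commands without applying them; apply as root against empty INPUT and OUTPUT chains.

```shell
#!/bin/sh
# Added example (not from the original page): the page's blocking rules
# assembled into one stateful rule set in evaluation order. Addresses and
# ports are the page's; run on empty INPUT/OUTPUT chains.
# DRY_RUN=1 prints the commands instead of executing them.

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

build_input_rules() {
    # A chain is walked top to bottom; the first terminating target wins.
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened or already allowed. This also
    # covers replies to our own pings, which conntrack tracks as ESTABLISHED.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Blocks go before any ACCEPT; an earlier ACCEPT would shadow them.
    ipt -A INPUT -s 192.168.0.1 -j DROP                         # silent: sender sees a timeout
    ipt -A INPUT -p tcp -s 192.168.1.50 --dport 110 -j REJECT --reject-with tcp-reset   # RST, not ICMP
    ipt -A INPUT -p udp -s 192.168.1.50 --dport 52 -j REJECT    # UDP: ICMP port-unreachable
    # Narrower than "-p icmp -j DROP": stop echo requests but keep the ICMP
    # errors (fragmentation-needed, time-exceeded) that TCP and traceroute need.
    ipt -A INPUT -p icmp --icmp-type echo-request -j DROP
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT   # SSH
    ipt -A INPUT -p tcp --dport 110 -j REJECT                   # POP3 closed to everyone
    # Policy last: while the rules above are being added nothing is dropped,
    # so an interactive SSH session survives the change. Note that a host that
    # is blocked later keeps any connection it already has open until it closes.
    ipt -P INPUT DROP
}

build_output_rules() {
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Local processes get ECONNREFUSED at once instead of hanging; this single
    # rule also makes a separate port-25 rule for the same host redundant.
    ipt -A OUTPUT -p tcp -d 192.168.1.50 -j REJECT --reject-with tcp-reset
    ipt -P OUTPUT ACCEPT
}

case "${1:-}" in
    show)  DRY_RUN=1; build_input_rules; build_output_rules ;;
    apply) build_input_rules; build_output_rules ;;
esac
```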
Routing with IPtables
Redirecting a TCP port to another port
Example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Description: Incoming connections to port 80 are redirected to port 8080 on the same host, so a client that connects to port 80 of this server is actually served by whatever listens on 8080 (the usual way to run a web server as an unprivileged user). PREROUTING only sees traffic arriving from other hosts; connections the server makes to itself pass through the nat OUTPUT chain instead and need a matching rule there. Any filter-table INPUT rule must allow port 8080, not 80, because filtering happens after the redirect.
Redirecting traffic from a specific IP at a TCP port to another port
Example: iptables -t nat -A PREROUTING -p tcp -s 192.168.1.40 --dport 80 -j REDIRECT --to-ports 8080
Description: Only traffic from 192.168.1.40 to port 80 is redirected to port 8080: when 192.168.1.40 connects to port 80 of this server it is actually connected to 8080, while every other client still reaches port 80.
Note: The REDIRECT target can only redirect traffic to the machine itself. To send traffic to another host, use DNAT (see below).
Routing traffic from a specific port to another server
Example:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 10.10.10.10 --dport 72 -j DNAT --to-destination 33.55.37.226:25
Description: The above commands forward TCP connections arriving for 10.10.10.10 port 72 to 33.55.37.226 port 25. The first line turns on IP forwarding; it is lost at reboot, so set net.ipv4.ip_forward = 1 in /etc/sysctl.conf or a file under /etc/sysctl.d to make it persistent. The DNAT rule rewrites the destination of each new connection (only the first packet traverses the nat table; conntrack applies the same translation to the rest). The MASQUERADE rule in POSTROUTING rewrites the source of the forwarded packets to the address of eth0, so the replies from 33.55.37.226 come back to this host, which undoes the translation, rather than going straight to the client. Two more things must hold: the traffic must be permitted by the filter table's FORWARD chain (a forwarded packet never passes through INPUT), and, as with REDIRECT, PREROUTING only matches connections coming from other hosts.
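As an added example (not from the original page), here is the DNAT forward above written as a script that avoids its usual failure modes: forwarding is enabled persistently, each rule is added only if it is not already present (iptables -C, so re-running does not stack duplicate rules), the FORWARD chain explicitly allows the forwarded flow and its replies, and MASQUERADE is appended to POSTROUTING. The addresses and ports are the page's; eth0, the /etc/sysctl.d file name and the DRY_RUN/IPTABLES switches are assumptions of this example.

```shell
#!/bin/sh
# Added example: the page's DNAT port-forward, done so that it can be re-run
# safely. Addresses and ports are the page's; eth0, the sysctl drop-in path
# and the DRY_RUN/IPTABLES switches are assumptions.

IPT=${IPTABLES:-iptables}
SYSCTL_DROPIN=${SYSCTL_DROPIN:-/etc/sysctl.d/99-ip-forward.conf}   # assumed path

# run CMD...: execute CMD, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ipt_ensure TABLE CHAIN MATCH...: append the rule unless an identical one is
# already present (-C exits 0 when it exists), so re-running is idempotent.
ipt_ensure() {
    table=$1; chain=$2; shift 2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s -t %s -A %s %s\n' "$IPT" "$table" "$chain" "$*"
    elif ! "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        "$IPT" -t "$table" -A "$chain" "$@"
    fi
}

# enable_forwarding: the kernel discards packets not addressed to it unless
# ip_forward is on. sysctl -w is immediate but lost at reboot; the drop-in persists.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'echo "net.ipv4.ip_forward = 1" > %s\n' "$SYSCTL_DROPIN"
    else
        printf 'net.ipv4.ip_forward = 1\n' > "$SYSCTL_DROPIN"
    fi
}

# forward_port FRONT_IP FRONT_PORT BACK_IP BACK_PORT WAN_IF
forward_port() {
    front_ip=$1; front_port=$2; back_ip=$3; back_port=$4; wan_if=$5
    # 1) Rewrite the destination of new connections arriving for FRONT_IP:FRONT_PORT.
    #    Only the first packet of a connection traverses nat; conntrack applies
    #    the same translation to the rest.
    ipt_ensure nat PREROUTING -p tcp -d "$front_ip" --dport "$front_port" \
        -j DNAT --to-destination "$back_ip:$back_port"
    # 2) After DNAT the packet is routed, not delivered locally, so the filter
    #    table's FORWARD chain (not INPUT) must allow it and the replies.
    ipt_ensure filter FORWARD -p tcp -d "$back_ip" --dport "$back_port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt_ensure filter FORWARD -p tcp -s "$back_ip" --sport "$back_port" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3) Source-NAT what leaves on WAN_IF so the backend answers this host,
    #    which then reverses the DNAT, instead of replying to the client directly.
    ipt_ensure nat POSTROUTING -o "$wan_if" -j MASQUERADE
}

case "${1:-}" in
    show)  DRY_RUN=1; enable_forwarding; forward_port 10.10.10.10 72 33.55.37.226 25 eth0 ;;
    apply) enable_forwarding; forward_port 10.10.10.10 72 33.55.37.226 25 eth0 ;;
esac
```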
Listing and Deleting current rules
Example: iptables -L
Description: Lists all chains and rules of the filter table. Add -n to skip the reverse DNS lookups (which make the listing slow or hang), -v to show packet and byte counters plus interfaces, and --line-numbers to show each rule's position. Other tables are listed with -t, e.g. -t nat.
Example: iptables -L chain_name
Description: Lists all rules in the given chain.
Example: iptables -D LOGIT -j LOG
Description: Deletes the specified rule. The match must be written exactly as the rule was added (same options and values), or the rule can be deleted by position with -D chain_name N, N being the number shown by -L --line-numbers. -D removes only the first matching rule; if the same rule was appended twice, run it twice. A user-defined chain is deleted with -X once it is empty and nothing jumps to it.
Example: iptables -F chain_name
Description: Deletes all rules in chain_name (in the filter table unless -t names another).
Example: iptables -F
Description: Deletes all rules in all chains of the filter table only; the nat, mangle and raw tables keep theirs until flushed with -t. It leaves user-defined chains in place (delete them with -X) and does not change the default policies (-P). If the INPUT policy is DROP, flushing removes the ACCEPT rules and the host drops everything, including the SSH session you are using, so set the policies to ACCEPT before flushing.
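Because a bare iptables -F leaves the other tables, the user-defined chains and the default policies untouched, resetting a host to a clean and open state takes several commands in a specific order. As an added example (not from the original page), the following script does that, and wraps the listing command with the options that make its output usable. DRY_RUN=1 prints the commands instead of executing them; the table names and the ordering are standard iptables, nothing else is assumed.

```shell
#!/bin/sh
# Added example: reset the firewall to a clean, open state without cutting
# off the session doing it, and list rules in a usable form.
# DRY_RUN=1 prints the commands instead of executing them.

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# reset_firewall: open policies first, then flush and delete chains in every table.
reset_firewall() {
    # 1) With a DROP policy, flushing would remove the ACCEPT rules and drop
    #    everything, including your SSH session. Open the policies first.
    for chain in INPUT FORWARD OUTPUT; do
        ipt -P "$chain" ACCEPT
    done
    # 2) "iptables -F" alone only flushes the filter table; do every table,
    #    and delete the user-defined chains (-X) that -F leaves behind.
    for table in filter nat mangle raw; do
        ipt -t "$table" -F
        ipt -t "$table" -X
    done
    # 3) Zero the packet/byte counters so the next listing starts from nothing.
    ipt -Z
}

# show_rules [TABLE]: -n skips reverse DNS lookups (otherwise a listing can
# hang for seconds per rule), -v adds counters and interfaces, --line-numbers
# gives the index that "iptables -D CHAIN N" expects.
show_rules() {
    ipt -t "${1:-filter}" -L -n -v --line-numbers
}

case "${1:-}" in
    reset) reset_firewall ;;
    show)  show_rules "${2:-filter}" ;;
esac
```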
REFERENCE
http://www.openpages.info/iptables/