113 lines
2.8 KiB
Markdown
113 lines
2.8 KiB
Markdown
|
# Advanced IPTables Configuration
|
||
|
|
|
||
|
|
## 1. Understanding IPTables Architecture:
|
||
|
|
IPTables is the user-space command line utility for configuring the Linux kernel firewall. It works with chains and tables:
|
||
|
|
|
||
|
|
- Tables: filter, nat, mangle, raw, security
|
||
|
|
- Chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
|
||
|
|
|
||
|
|
## 2. Basic Syntax:
|
||
|
|
```
|
||
|
|
iptables [-t table] command chain rule-specification [options]
|
||
|
|
```
|
||
|
|
|
||
|
|
## 3. Common Commands:
|
||
|
|
- -A: Append rule
|
||
|
|
- -I: Insert rule
|
||
|
|
- -D: Delete rule
|
||
|
|
- -R: Replace rule
|
||
|
|
- -L: List rules
|
||
|
|
- -F: Flush rules
|
||
|
|
|
||
|
|
## 4. Advanced Rule Specifications:
|
||
|
|
|
||
|
|
- a) State Matching:
|
||
|
|
```
|
||
|
|
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||
|
|
```
|
||
|
|
|
||
|
|
- b) Rate Limiting:
|
||
|
|
```
|
||
|
|
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
|
||
|
|
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
|
||
|
|
```
|
||
|
|
|
||
|
|
- c) String Matching:
|
||
|
|
```
|
||
|
|
iptables -A INPUT -p tcp --dport 80 -m string --string "GET /admin" --algo bm -j DROP
|
||
|
|
```
|
||
|
|
|
||
|
|
- d) Time-based Rules:
|
||
|
|
```
|
||
|
|
iptables -A INPUT -p tcp --dport 80 -m time --timestart 09:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
|
||
|
|
```
|
||
|
|
|
||
|
|
## 5. NAT Configuration:
|
||
|
|
|
||
|
|
- a) SNAT (Source NAT):
|
||
|
|
```
|
||
|
|
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.1
|
||
|
|
```
|
||
|
|
|
||
|
|
- b) DNAT (Destination NAT):
|
||
|
|
```
|
||
|
|
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:8080
|
||
|
|
```
|
||
|
|
|
||
|
|
- c) Port Forwarding:
|
||
|
|
```
|
||
|
|
iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
|
||
|
|
```
|
||
|
|
|
||
|
|
## 6. Logging:
|
||
|
|
```
|
||
|
|
iptables -A INPUT -j LOG --log-prefix "DROPPED: " --log-level 4
|
||
|
|
```
|
||
|
|
|
||
|
|
## 7. Custom Chains:
|
||
|
|
```
|
||
|
|
iptables -N CUSTOM_CHAIN
|
||
|
|
iptables -A INPUT -j CUSTOM_CHAIN
|
||
|
|
iptables -A CUSTOM_CHAIN -p tcp --dport 80 -j ACCEPT
|
||
|
|
```
|
||
|
|
|
||
|
|
## 8. IPv6 Support (ip6tables):
|
||
|
|
```
|
||
|
|
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
|
||
|
|
```
|
||
|
|
|
||
|
|
## 9. Saving and Restoring Rules:
|
||
|
|
```
|
||
|
|
iptables-save > /etc/iptables/rules.v4
|
||
|
|
iptables-restore < /etc/iptables/rules.v4
|
||
|
|
```
|
||
|
|
|
||
|
|
## 10. Performance Optimization:
|
||
|
|
- Use stateful filtering
|
||
|
|
- Organize rules from most to least used
|
||
|
|
- Use custom chains for logical grouping
|
||
|
|
|
||
|
|
## 11. Security Best Practices:
|
||
|
|
- Default deny policy
|
||
|
|
- Allow only necessary services
|
||
|
|
- Use connection tracking
|
||
|
|
- Implement egress filtering
|
||
|
|
|
||
|
|
## 12. Troubleshooting:
|
||
|
|
- Use `-v` for verbose output
|
||
|
|
- Check logs in `/var/log/messages` or `/var/log/syslog`
|
||
|
|
- Use `tcpdump` for packet analysis
|
||
|
|
|
||
|
|
## 13. Advanced Techniques:
|
||
|
|
- Layer 7 filtering with `iptables` extensions
|
||
|
|
- Geolocation-based filtering using `geoip` module
|
||
|
|
- Integration with fail2ban for dynamic IP blocking
|
||
|
|
|
||
|
|
## 14. Scripting and Automation:
|
||
|
|
- Create shell scripts for complex rule sets
|
||
|
|
- Use configuration management tools (Ansible, Puppet) for deployment
|
||
|
|
|
||
|
|
## 15. Monitoring and Reporting:
|
||
|
|
- Use `iptables -L -v -n` for rule hit counts
|
||
|
|
- Implement log analysis tools (ELK stack, Splunk) for insights
|