SCAR-iT/LWM-Linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
LWM-Linux/12 - Network Configuration and Troubleshooting/Advanced IPTables Configuration.md

113 lines
2.8 KiB
Markdown
Raw Blame History

# Advanced IPTables Configuration
## 1. Understanding IPTables Architecture:
IPTables is the user-space command line utility for configuring the Linux kernel firewall. It works with chains and tables:
- Tables: filter, nat, mangle, raw, security
- Chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
## 2. Basic Syntax:
```
iptables [-t table] command chain rule-specification [options]
```
## 3. Common Commands:
- -A: Append rule
- -I: Insert rule
- -D: Delete rule
- -R: Replace rule
- -L: List rules
- -F: Flush rules
## 4. Advanced Rule Specifications:
- a) State Matching:
```
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```
- b) Rate Limiting:
```
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
```
- c) String Matching:
```
iptables -A INPUT -p tcp --dport 80 -m string --string "GET /admin" --algo bm -j DROP
```
- d) Time-based Rules:
```
iptables -A INPUT -p tcp --dport 80 -m time --timestart 09:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
```
## 5. NAT Configuration:
- a) SNAT (Source NAT):
```
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.1
```
- b) DNAT (Destination NAT):
```
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:8080
```
- c) Port Forwarding:
```
iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
```
## 6. Logging:
```
iptables -A INPUT -j LOG --log-prefix "DROPPED: " --log-level 4
```
## 7. Custom Chains:
```
iptables -N CUSTOM_CHAIN
iptables -A INPUT -j CUSTOM_CHAIN
iptables -A CUSTOM_CHAIN -p tcp --dport 80 -j ACCEPT
```
## 8. IPv6 Support (ip6tables):
```
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
```
## 9. Saving and Restoring Rules:
```
iptables-save > /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4
```
## 10. Performance Optimization:
- Use stateful filtering
- Organize rules from most to least used
- Use custom chains for logical grouping
## 11. Security Best Practices:
- Default deny policy
- Allow only necessary services
- Use connection tracking
- Implement egress filtering
## 12. Troubleshooting:
- Use `-v` for verbose output
- Check logs in `/var/log/messages` or `/var/log/syslog`
- Use `tcpdump` for packet analysis
## 13. Advanced Techniques:
- Layer 7 filtering with `iptables` extensions
- Geolocation-based filtering using `geoip` module
- Integration with fail2ban for dynamic IP blocking
## 14. Scripting and Automation:
- Create shell scripts for complex rule sets
- Use configuration management tools (Ansible, Puppet) for deployment
## 15. Monitoring and Reporting:
- Use `iptables -L -v -n` for rule hit counts
- Implement log analysis tools (ELK stack, Splunk) for insights
Reference in New Issue View Git Blame Copy Permalink