zeus
/
SwarmLab-HowTos
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
398 Commits
1 Branch
0 Tags
124 MiB
 
 
Tree: 3fc6ff70c8
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '3fc6ff70c8'
${ noResults }
SwarmLab-HowTos/labs/os2/Iptables.adoc.html

1280 lines
58 KiB
Raw Blame History

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="Asciidoctor 2.0.10">
<meta name="description" content="iptables">
<meta name="keywords" content="sec, tcpdump">
<meta name="author" content="Apostolos rootApostolos@swarmlab.io">
<title>Iptables !</title>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400,700">
<style>
/* Asciidoctor default stylesheet | MIT License | https://asciidoctor.org */
/* Uncomment @import statement to use as custom stylesheet */
/*@import "https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400,700";*/
article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section{display:block}
audio,video{display:inline-block}
audio:not([controls]){display:none;height:0}
html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}
a{background:none}
a:focus{outline:thin dotted}
a:active,a:hover{outline:0}
h1{font-size:2em;margin:.67em 0}
abbr[title]{border-bottom:1px dotted}
b,strong{font-weight:bold}
dfn{font-style:italic}
hr{-moz-box-sizing:content-box;box-sizing:content-box;height:0}
mark{background:#ff0;color:#000}
code,kbd,pre,samp{font-family:monospace;font-size:1em}
pre{white-space:pre-wrap}
q{quotes:"\201C" "\201D" "\2018" "\2019"}
small{font-size:80%}
sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}
sup{top:-.5em}
sub{bottom:-.25em}
img{border:0}
svg:not(:root){overflow:hidden}
figure{margin:0}
fieldset{border:1px solid silver;margin:0 2px;padding:.35em .625em .75em}
legend{border:0;padding:0}
button,input,select,textarea{font-family:inherit;font-size:100%;margin:0}
button,input{line-height:normal}
button,select{text-transform:none}
button,html input[type="button"],input[type="reset"],input[type="submit"]{-webkit-appearance:button;cursor:pointer}
button[disabled],html input[disabled]{cursor:default}
input[type="checkbox"],input[type="radio"]{box-sizing:border-box;padding:0}
button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0}
textarea{overflow:auto;vertical-align:top}
table{border-collapse:collapse;border-spacing:0}
*,*::before,*::after{-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}
html,body{font-size:100%}
body{background:#fff;color:rgba(0,0,0,.8);padding:0;margin:0;font-family:"Noto Serif","DejaVu Serif",serif;font-weight:400;font-style:normal;line-height:1;position:relative;cursor:auto;tab-size:4;-moz-osx-font-smoothing:grayscale;-webkit-font-smoothing:antialiased}
a:hover{cursor:pointer}
img,object,embed{max-width:100%;height:auto}
object,embed{height:100%}
img{-ms-interpolation-mode:bicubic}
.left{float:left!important}
.right{float:right!important}
.text-left{text-align:left!important}
.text-right{text-align:right!important}
.text-center{text-align:center!important}
.text-justify{text-align:justify!important}
.hide{display:none}
img,object,svg{display:inline-block;vertical-align:middle}
textarea{height:auto;min-height:50px}
select{width:100%}
.center{margin-left:auto;margin-right:auto}
.stretch{width:100%}
.subheader,.admonitionblock td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{line-height:1.45;color:#7a2518;font-weight:400;margin-top:0;margin-bottom:.25em}
div,dl,dt,dd,ul,ol,li,h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6,pre,form,p,blockquote,th,td{margin:0;padding:0;direction:ltr}
a{color:#2156a5;text-decoration:underline;line-height:inherit}
a:hover,a:focus{color:#1d4b8f}
a img{border:0}
p{font-family:inherit;font-weight:400;font-size:1em;line-height:1.6;margin-bottom:1.25em;text-rendering:optimizeLegibility}
p aside{font-size:.875em;line-height:1.35;font-style:italic}
h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{font-family:"Open Sans","DejaVu Sans",sans-serif;font-weight:300;font-style:normal;color:#ba3925;text-rendering:optimizeLegibility;margin-top:1em;margin-bottom:.5em;line-height:1.0125em}
h1 small,h2 small,h3 small,#toctitle small,.sidebarblock>.content>.title small,h4 small,h5 small,h6 small{font-size:60%;color:#e99b8f;line-height:0}
h1{font-size:2.125em}
h2{font-size:1.6875em}
h3,#toctitle,.sidebarblock>.content>.title{font-size:1.375em}
h4,h5{font-size:1.125em}
h6{font-size:1em}
hr{border:solid #dddddf;border-width:1px 0 0;clear:both;margin:1.25em 0 1.1875em;height:0}
em,i{font-style:italic;line-height:inherit}
strong,b{font-weight:bold;line-height:inherit}
small{font-size:60%;line-height:inherit}
code{font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;font-weight:400;color:rgba(0,0,0,.9)}
ul,ol,dl{font-size:1em;line-height:1.6;margin-bottom:1.25em;list-style-position:outside;font-family:inherit}
ul,ol{margin-left:1.5em}
ul li ul,ul li ol{margin-left:1.25em;margin-bottom:0;font-size:1em}
ul.square li ul,ul.circle li ul,ul.disc li ul{list-style:inherit}
ul.square{list-style-type:square}
ul.circle{list-style-type:circle}
ul.disc{list-style-type:disc}
ol li ul,ol li ol{margin-left:1.25em;margin-bottom:0}
dl dt{margin-bottom:.3125em;font-weight:bold}
dl dd{margin-bottom:1.25em}
abbr,acronym{text-transform:uppercase;font-size:90%;color:rgba(0,0,0,.8);border-bottom:1px dotted #ddd;cursor:help}
abbr{text-transform:none}
blockquote{margin:0 0 1.25em;padding:.5625em 1.25em 0 1.1875em;border-left:1px solid #ddd}
blockquote cite{display:block;font-size:.9375em;color:rgba(0,0,0,.6)}
blockquote cite::before{content:"\2014 \0020"}
blockquote cite a,blockquote cite a:visited{color:rgba(0,0,0,.6)}
blockquote,blockquote p{line-height:1.6;color:rgba(0,0,0,.85)}
@media screen and (min-width:768px){h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2}
h1{font-size:2.75em}
h2{font-size:2.3125em}
h3,#toctitle,.sidebarblock>.content>.title{font-size:1.6875em}
h4{font-size:1.4375em}}
table{background:#fff;margin-bottom:1.25em;border:solid 1px #dedede}
table thead,table tfoot{background:#f7f8f7}
table thead tr th,table thead tr td,table tfoot tr th,table tfoot tr td{padding:.5em .625em .625em;font-size:inherit;color:rgba(0,0,0,.8);text-align:left}
table tr th,table tr td{padding:.5625em .625em;font-size:inherit;color:rgba(0,0,0,.8)}
table tr.even,table tr.alt{background:#f8f8f7}
table thead tr th,table tfoot tr th,table tbody tr td,table tr td,table tfoot tr td{display:table-cell;line-height:1.6}
h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2;word-spacing:-.05em}
h1 strong,h2 strong,h3 strong,#toctitle strong,.sidebarblock>.content>.title strong,h4 strong,h5 strong,h6 strong{font-weight:400}
.clearfix::before,.clearfix::after,.float-group::before,.float-group::after{content:" ";display:table}
.clearfix::after,.float-group::after{clear:both}
:not(pre):not([class^=L])>code{font-size:.9375em;font-style:normal!important;letter-spacing:0;padding:.1em .5ex;word-spacing:-.15em;background:#f7f7f8;-webkit-border-radius:4px;border-radius:4px;line-height:1.45;text-rendering:optimizeSpeed;word-wrap:break-word}
:not(pre)>code.nobreak{word-wrap:normal}
:not(pre)>code.nowrap{white-space:nowrap}
pre{color:rgba(0,0,0,.9);font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;line-height:1.45;text-rendering:optimizeSpeed}
pre code,pre pre{color:inherit;font-size:inherit;line-height:inherit}
pre>code{display:block}
pre.nowrap,pre.nowrap pre{white-space:pre;word-wrap:normal}
em em{font-style:normal}
strong strong{font-weight:400}
.keyseq{color:rgba(51,51,51,.8)}
kbd{font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;display:inline-block;color:rgba(0,0,0,.8);font-size:.65em;line-height:1.45;background:#f7f7f7;border:1px solid #ccc;-webkit-border-radius:3px;border-radius:3px;-webkit-box-shadow:0 1px 0 rgba(0,0,0,.2),0 0 0 .1em white inset;box-shadow:0 1px 0 rgba(0,0,0,.2),0 0 0 .1em #fff inset;margin:0 .15em;padding:.2em .5em;vertical-align:middle;position:relative;top:-.1em;white-space:nowrap}
.keyseq kbd:first-child{margin-left:0}
.keyseq kbd:last-child{margin-right:0}
.menuseq,.menuref{color:#000}
.menuseq b:not(.caret),.menuref{font-weight:inherit}
.menuseq{word-spacing:-.02em}
.menuseq b.caret{font-size:1.25em;line-height:.8}
.menuseq i.caret{font-weight:bold;text-align:center;width:.45em}
b.button::before,b.button::after{position:relative;top:-1px;font-weight:400}
b.button::before{content:"[";padding:0 3px 0 2px}
b.button::after{content:"]";padding:0 2px 0 3px}
p a>code:hover{color:rgba(0,0,0,.9)}
#header,#content,#footnotes,#footer{width:100%;margin-left:auto;margin-right:auto;margin-top:0;margin-bottom:0;max-width:62.5em;*zoom:1;position:relative;padding-left:.9375em;padding-right:.9375em}
#header::before,#header::after,#content::before,#content::after,#footnotes::before,#footnotes::after,#footer::before,#footer::after{content:" ";display:table}
#header::after,#content::after,#footnotes::after,#footer::after{clear:both}
#content{margin-top:1.25em}
#content::before{content:none}
#header>h1:first-child{color:rgba(0,0,0,.85);margin-top:2.25rem;margin-bottom:0}
#header>h1:first-child+#toc{margin-top:8px;border-top:1px solid #dddddf}
#header>h1:only-child,body.toc2 #header>h1:nth-last-child(2){border-bottom:1px solid #dddddf;padding-bottom:8px}
#header .details{border-bottom:1px solid #dddddf;line-height:1.45;padding-top:.25em;padding-bottom:.25em;padding-left:.25em;color:rgba(0,0,0,.6);display:-ms-flexbox;display:-webkit-flex;display:flex;-ms-flex-flow:row wrap;-webkit-flex-flow:row wrap;flex-flow:row wrap}
#header .details span:first-child{margin-left:-.125em}
#header .details span.email a{color:rgba(0,0,0,.85)}
#header .details br{display:none}
#header .details br+span::before{content:"\00a0\2013\00a0"}
#header .details br+span.author::before{content:"\00a0\22c5\00a0";color:rgba(0,0,0,.85)}
#header .details br+span#revremark::before{content:"\00a0|\00a0"}
#header #revnumber{text-transform:capitalize}
#header #revnumber::after{content:"\00a0"}
#content>h1:first-child:not([class]){color:rgba(0,0,0,.85);border-bottom:1px solid #dddddf;padding-bottom:8px;margin-top:0;padding-top:1rem;margin-bottom:1.25rem}
#toc{border-bottom:1px solid #e7e7e9;padding-bottom:.5em}
#toc>ul{margin-left:.125em}
#toc ul.sectlevel0>li>a{font-style:italic}
#toc ul.sectlevel0 ul.sectlevel1{margin:.5em 0}
#toc ul{font-family:"Open Sans","DejaVu Sans",sans-serif;list-style-type:none}
#toc li{line-height:1.3334;margin-top:.3334em}
#toc a{text-decoration:none}
#toc a:active{text-decoration:underline}
#toctitle{color:#7a2518;font-size:1.2em}
@media screen and (min-width:768px){#toctitle{font-size:1.375em}
body.toc2{padding-left:15em;padding-right:0}
#toc.toc2{margin-top:0!important;background:#f8f8f7;position:fixed;width:15em;left:0;top:0;border-right:1px solid #e7e7e9;border-top-width:0!important;border-bottom-width:0!important;z-index:1000;padding:1.25em 1em;height:100%;overflow:auto}
#toc.toc2 #toctitle{margin-top:0;margin-bottom:.8rem;font-size:1.2em}
#toc.toc2>ul{font-size:.9em;margin-bottom:0}
#toc.toc2 ul ul{margin-left:0;padding-left:1em}
#toc.toc2 ul.sectlevel0 ul.sectlevel1{padding-left:0;margin-top:.5em;margin-bottom:.5em}
body.toc2.toc-right{padding-left:0;padding-right:15em}
body.toc2.toc-right #toc.toc2{border-right-width:0;border-left:1px solid #e7e7e9;left:auto;right:0}}
@media screen and (min-width:1280px){body.toc2{padding-left:20em;padding-right:0}
#toc.toc2{width:20em}
#toc.toc2 #toctitle{font-size:1.375em}
#toc.toc2>ul{font-size:.95em}
#toc.toc2 ul ul{padding-left:1.25em}
body.toc2.toc-right{padding-left:0;padding-right:20em}}
#content #toc{border-style:solid;border-width:1px;border-color:#e0e0dc;margin-bottom:1.25em;padding:1.25em;background:#f8f8f7;-webkit-border-radius:4px;border-radius:4px}
#content #toc>:first-child{margin-top:0}
#content #toc>:last-child{margin-bottom:0}
#footer{max-width:100%;background:rgba(0,0,0,.8);padding:1.25em}
#footer-text{color:rgba(255,255,255,.8);line-height:1.44}
#content{margin-bottom:.625em}
.sect1{padding-bottom:.625em}
@media screen and (min-width:768px){#content{margin-bottom:1.25em}
.sect1{padding-bottom:1.25em}}
.sect1:last-child{padding-bottom:0}
.sect1+.sect1{border-top:1px solid #e7e7e9}
#content h1>a.anchor,h2>a.anchor,h3>a.anchor,#toctitle>a.anchor,.sidebarblock>.content>.title>a.anchor,h4>a.anchor,h5>a.anchor,h6>a.anchor{position:absolute;z-index:1001;width:1.5ex;margin-left:-1.5ex;display:block;text-decoration:none!important;visibility:hidden;text-align:center;font-weight:400}
#content h1>a.anchor::before,h2>a.anchor::before,h3>a.anchor::before,#toctitle>a.anchor::before,.sidebarblock>.content>.title>a.anchor::before,h4>a.anchor::before,h5>a.anchor::before,h6>a.anchor::before{content:"\00A7";font-size:.85em;display:block;padding-top:.1em}
#content h1:hover>a.anchor,#content h1>a.anchor:hover,h2:hover>a.anchor,h2>a.anchor:hover,h3:hover>a.anchor,#toctitle:hover>a.anchor,.sidebarblock>.content>.title:hover>a.anchor,h3>a.anchor:hover,#toctitle>a.anchor:hover,.sidebarblock>.content>.title>a.anchor:hover,h4:hover>a.anchor,h4>a.anchor:hover,h5:hover>a.anchor,h5>a.anchor:hover,h6:hover>a.anchor,h6>a.anchor:hover{visibility:visible}
#content h1>a.link,h2>a.link,h3>a.link,#toctitle>a.link,.sidebarblock>.content>.title>a.link,h4>a.link,h5>a.link,h6>a.link{color:#ba3925;text-decoration:none}
#content h1>a.link:hover,h2>a.link:hover,h3>a.link:hover,#toctitle>a.link:hover,.sidebarblock>.content>.title>a.link:hover,h4>a.link:hover,h5>a.link:hover,h6>a.link:hover{color:#a53221}
details,.audioblock,.imageblock,.literalblock,.listingblock,.stemblock,.videoblock{margin-bottom:1.25em}
details>summary:first-of-type{cursor:pointer;display:list-item;outline:none;margin-bottom:.75em}
.admonitionblock td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{text-rendering:optimizeLegibility;text-align:left;font-family:"Noto Serif","DejaVu Serif",serif;font-size:1rem;font-style:italic}
table.tableblock.fit-content>caption.title{white-space:nowrap;width:0}
.paragraph.lead>p,#preamble>.sectionbody>[class="paragraph"]:first-of-type p{font-size:1.21875em;line-height:1.6;color:rgba(0,0,0,.85)}
table.tableblock #preamble>.sectionbody>[class="paragraph"]:first-of-type p{font-size:inherit}
.admonitionblock>table{border-collapse:separate;border:0;background:none;width:100%}
.admonitionblock>table td.icon{text-align:center;width:80px}
.admonitionblock>table td.icon img{max-width:none}
.admonitionblock>table td.icon .title{font-weight:bold;font-family:"Open Sans","DejaVu Sans",sans-serif;text-transform:uppercase}
.admonitionblock>table td.content{padding-left:1.125em;padding-right:1.25em;border-left:1px solid #dddddf;color:rgba(0,0,0,.6)}
.admonitionblock>table td.content>:last-child>:last-child{margin-bottom:0}
.exampleblock>.content{border-style:solid;border-width:1px;border-color:#e6e6e6;margin-bottom:1.25em;padding:1.25em;background:#fff;-webkit-border-radius:4px;border-radius:4px}
.exampleblock>.content>:first-child{margin-top:0}
.exampleblock>.content>:last-child{margin-bottom:0}
.sidebarblock{border-style:solid;border-width:1px;border-color:#dbdbd6;margin-bottom:1.25em;padding:1.25em;background:#f3f3f2;-webkit-border-radius:4px;border-radius:4px}
.sidebarblock>:first-child{margin-top:0}
.sidebarblock>:last-child{margin-bottom:0}
.sidebarblock>.content>.title{color:#7a2518;margin-top:0;text-align:center}
.exampleblock>.content>:last-child>:last-child,.exampleblock>.content .olist>ol>li:last-child>:last-child,.exampleblock>.content .ulist>ul>li:last-child>:last-child,.exampleblock>.content .qlist>ol>li:last-child>:last-child,.sidebarblock>.content>:last-child>:last-child,.sidebarblock>.content .olist>ol>li:last-child>:last-child,.sidebarblock>.content .ulist>ul>li:last-child>:last-child,.sidebarblock>.content .qlist>ol>li:last-child>:last-child{margin-bottom:0}
.literalblock pre,.listingblock>.content>pre{-webkit-border-radius:4px;border-radius:4px;word-wrap:break-word;overflow-x:auto;padding:1em;font-size:.8125em}
@media screen and (min-width:768px){.literalblock pre,.listingblock>.content>pre{font-size:.90625em}}
@media screen and (min-width:1280px){.literalblock pre,.listingblock>.content>pre{font-size:1em}}
.literalblock pre,.listingblock>.content>pre:not(.highlight),.listingblock>.content>pre[class="highlight"],.listingblock>.content>pre[class^="highlight "]{background:#f7f7f8}
.literalblock.output pre{color:#f7f7f8;background:rgba(0,0,0,.9)}
.listingblock>.content{position:relative}
.listingblock code[data-lang]::before{display:none;content:attr(data-lang);position:absolute;font-size:.75em;top:.425rem;right:.5rem;line-height:1;text-transform:uppercase;color:inherit;opacity:.5}
.listingblock:hover code[data-lang]::before{display:block}
.listingblock.terminal pre .command::before{content:attr(data-prompt);padding-right:.5em;color:inherit;opacity:.5}
.listingblock.terminal pre .command:not([data-prompt])::before{content:"$"}
.listingblock pre.highlightjs{padding:0}
.listingblock pre.highlightjs>code{padding:1em;-webkit-border-radius:4px;border-radius:4px}
.listingblock pre.prettyprint{border-width:0}
.prettyprint{background:#f7f7f8}
pre.prettyprint .linenums{line-height:1.45;margin-left:2em}
pre.prettyprint li{background:none;list-style-type:inherit;padding-left:0}
pre.prettyprint li code[data-lang]::before{opacity:1}
pre.prettyprint li:not(:first-child) code[data-lang]::before{display:none}
table.linenotable{border-collapse:separate;border:0;margin-bottom:0;background:none}
table.linenotable td[class]{color:inherit;vertical-align:top;padding:0;line-height:inherit;white-space:normal}
table.linenotable td.code{padding-left:.75em}
table.linenotable td.linenos{border-right:1px solid currentColor;opacity:.35;padding-right:.5em}
pre.pygments .lineno{border-right:1px solid currentColor;opacity:.35;display:inline-block;margin-right:.75em}
pre.pygments .lineno::before{content:"";margin-right:-.125em}
.quoteblock{margin:0 1em 1.25em 1.5em;display:table}
.quoteblock:not(.excerpt)>.title{margin-left:-1.5em;margin-bottom:.75em}
.quoteblock blockquote,.quoteblock p{color:rgba(0,0,0,.85);font-size:1.15rem;line-height:1.75;word-spacing:.1em;letter-spacing:0;font-style:italic;text-align:justify}
.quoteblock blockquote{margin:0;padding:0;border:0}
.quoteblock blockquote::before{content:"\201c";float:left;font-size:2.75em;font-weight:bold;line-height:.6em;margin-left:-.6em;color:#7a2518;text-shadow:0 1px 2px rgba(0,0,0,.1)}
.quoteblock blockquote>.paragraph:last-child p{margin-bottom:0}
.quoteblock .attribution{margin-top:.75em;margin-right:.5ex;text-align:right}
.verseblock{margin:0 1em 1.25em}
.verseblock pre{font-family:"Open Sans","DejaVu Sans",sans;font-size:1.15rem;color:rgba(0,0,0,.85);font-weight:300;text-rendering:optimizeLegibility}
.verseblock pre strong{font-weight:400}
.verseblock .attribution{margin-top:1.25rem;margin-left:.5ex}
.quoteblock .attribution,.verseblock .attribution{font-size:.9375em;line-height:1.45;font-style:italic}
.quoteblock .attribution br,.verseblock .attribution br{display:none}
.quoteblock .attribution cite,.verseblock .attribution cite{display:block;letter-spacing:-.025em;color:rgba(0,0,0,.6)}
.quoteblock.abstract blockquote::before,.quoteblock.excerpt blockquote::before,.quoteblock .quoteblock blockquote::before{display:none}
.quoteblock.abstract blockquote,.quoteblock.abstract p,.quoteblock.excerpt blockquote,.quoteblock.excerpt p,.quoteblock .quoteblock blockquote,.quoteblock .quoteblock p{line-height:1.6;word-spacing:0}
.quoteblock.abstract{margin:0 1em 1.25em;display:block}
.quoteblock.abstract>.title{margin:0 0 .375em;font-size:1.15em;text-align:center}
.quoteblock.excerpt>blockquote,.quoteblock .quoteblock{padding:0 0 .25em 1em;border-left:.25em solid #dddddf}
.quoteblock.excerpt,.quoteblock .quoteblock{margin-left:0}
.quoteblock.excerpt blockquote,.quoteblock.excerpt p,.quoteblock .quoteblock blockquote,.quoteblock .quoteblock p{color:inherit;font-size:1.0625rem}
.quoteblock.excerpt .attribution,.quoteblock .quoteblock .attribution{color:inherit;text-align:left;margin-right:0}
table.tableblock{max-width:100%;border-collapse:separate}
p.tableblock:last-child{margin-bottom:0}
td.tableblock>.content>:last-child{margin-bottom:-1.25em}
td.tableblock>.content>:last-child.sidebarblock{margin-bottom:0}
table.tableblock,th.tableblock,td.tableblock{border:0 solid #dedede}
table.grid-all>thead>tr>.tableblock,table.grid-all>tbody>tr>.tableblock{border-width:0 1px 1px 0}
table.grid-all>tfoot>tr>.tableblock{border-width:1px 1px 0 0}
table.grid-cols>*>tr>.tableblock{border-width:0 1px 0 0}
table.grid-rows>thead>tr>.tableblock,table.grid-rows>tbody>tr>.tableblock{border-width:0 0 1px}
table.grid-rows>tfoot>tr>.tableblock{border-width:1px 0 0}
table.grid-all>*>tr>.tableblock:last-child,table.grid-cols>*>tr>.tableblock:last-child{border-right-width:0}
table.grid-all>tbody>tr:last-child>.tableblock,table.grid-all>thead:last-child>tr>.tableblock,table.grid-rows>tbody>tr:last-child>.tableblock,table.grid-rows>thead:last-child>tr>.tableblock{border-bottom-width:0}
table.frame-all{border-width:1px}
table.frame-sides{border-width:0 1px}
table.frame-topbot,table.frame-ends{border-width:1px 0}
table.stripes-all tr,table.stripes-odd tr:nth-of-type(odd),table.stripes-even tr:nth-of-type(even),table.stripes-hover tr:hover{background:#f8f8f7}
th.halign-left,td.halign-left{text-align:left}
th.halign-right,td.halign-right{text-align:right}
th.halign-center,td.halign-center{text-align:center}
th.valign-top,td.valign-top{vertical-align:top}
th.valign-bottom,td.valign-bottom{vertical-align:bottom}
th.valign-middle,td.valign-middle{vertical-align:middle}
table thead th,table tfoot th{font-weight:bold}
tbody tr th{display:table-cell;line-height:1.6;background:#f7f8f7}
tbody tr th,tbody tr th p,tfoot tr th,tfoot tr th p{color:rgba(0,0,0,.8);font-weight:bold}
p.tableblock>code:only-child{background:none;padding:0}
p.tableblock{font-size:1em}
ol{margin-left:1.75em}
ul li ol{margin-left:1.5em}
dl dd{margin-left:1.125em}
dl dd:last-child,dl dd:last-child>:last-child{margin-bottom:0}
ol>li p,ul>li p,ul dd,ol dd,.olist .olist,.ulist .ulist,.ulist .olist,.olist .ulist{margin-bottom:.625em}
ul.checklist,ul.none,ol.none,ul.no-bullet,ol.no-bullet,ol.unnumbered,ul.unstyled,ol.unstyled{list-style-type:none}
ul.no-bullet,ol.no-bullet,ol.unnumbered{margin-left:.625em}
ul.unstyled,ol.unstyled{margin-left:0}
ul.checklist{margin-left:.625em}
ul.checklist li>p:first-child>.fa-square-o:first-child,ul.checklist li>p:first-child>.fa-check-square-o:first-child{width:1.25em;font-size:.8em;position:relative;bottom:.125em}
ul.checklist li>p:first-child>input[type="checkbox"]:first-child{margin-right:.25em}
ul.inline{display:-ms-flexbox;display:-webkit-box;display:flex;-ms-flex-flow:row wrap;-webkit-flex-flow:row wrap;flex-flow:row wrap;list-style:none;margin:0 0 .625em -1.25em}
ul.inline>li{margin-left:1.25em}
.unstyled dl dt{font-weight:400;font-style:normal}
ol.arabic{list-style-type:decimal}
ol.decimal{list-style-type:decimal-leading-zero}
ol.loweralpha{list-style-type:lower-alpha}
ol.upperalpha{list-style-type:upper-alpha}
ol.lowerroman{list-style-type:lower-roman}
ol.upperroman{list-style-type:upper-roman}
ol.lowergreek{list-style-type:lower-greek}
.hdlist>table,.colist>table{border:0;background:none}
.hdlist>table>tbody>tr,.colist>table>tbody>tr{background:none}
td.hdlist1,td.hdlist2{vertical-align:top;padding:0 .625em}
td.hdlist1{font-weight:bold;padding-bottom:1.25em}
.literalblock+.colist,.listingblock+.colist{margin-top:-.5em}
.colist td:not([class]):first-child{padding:.4em .75em 0;line-height:1;vertical-align:top}
.colist td:not([class]):first-child img{max-width:none}
.colist td:not([class]):last-child{padding:.25em 0}
.thumb,.th{line-height:0;display:inline-block;border:solid 4px #fff;-webkit-box-shadow:0 0 0 1px #ddd;box-shadow:0 0 0 1px #ddd}
.imageblock.left{margin:.25em .625em 1.25em 0}
.imageblock.right{margin:.25em 0 1.25em .625em}
.imageblock>.title{margin-bottom:0}
.imageblock.thumb,.imageblock.th{border-width:6px}
.imageblock.thumb>.title,.imageblock.th>.title{padding:0 .125em}
.image.left,.image.right{margin-top:.25em;margin-bottom:.25em;display:inline-block;line-height:0}
.image.left{margin-right:.625em}
.image.right{margin-left:.625em}
a.image{text-decoration:none;display:inline-block}
a.image object{pointer-events:none}
sup.footnote,sup.footnoteref{font-size:.875em;position:static;vertical-align:super}
sup.footnote a,sup.footnoteref a{text-decoration:none}
sup.footnote a:active,sup.footnoteref a:active{text-decoration:underline}
#footnotes{padding-top:.75em;padding-bottom:.75em;margin-bottom:.625em}
#footnotes hr{width:20%;min-width:6.25em;margin:-.25em 0 .75em;border-width:1px 0 0}
#footnotes .footnote{padding:0 .375em 0 .225em;line-height:1.3334;font-size:.875em;margin-left:1.2em;margin-bottom:.2em}
#footnotes .footnote a:first-of-type{font-weight:bold;text-decoration:none;margin-left:-1.05em}
#footnotes .footnote:last-of-type{margin-bottom:0}
#content #footnotes{margin-top:-.625em;margin-bottom:0;padding:.75em 0}
.gist .file-data>table{border:0;background:#fff;width:100%;margin-bottom:0}
.gist .file-data>table td.line-data{width:99%}
div.unbreakable{page-break-inside:avoid}
.big{font-size:larger}
.small{font-size:smaller}
.underline{text-decoration:underline}
.overline{text-decoration:overline}
.line-through{text-decoration:line-through}
.aqua{color:#00bfbf}
.aqua-background{background:#00fafa}
.black{color:#000}
.black-background{background:#000}
.blue{color:#0000bf}
.blue-background{background:#0000fa}
.fuchsia{color:#bf00bf}
.fuchsia-background{background:#fa00fa}
.gray{color:#606060}
.gray-background{background:#7d7d7d}
.green{color:#006000}
.green-background{background:#007d00}
.lime{color:#00bf00}
.lime-background{background:#00fa00}
.maroon{color:#600000}
.maroon-background{background:#7d0000}
.navy{color:#000060}
.navy-background{background:#00007d}
.olive{color:#606000}
.olive-background{background:#7d7d00}
.purple{color:#600060}
.purple-background{background:#7d007d}
.red{color:#bf0000}
.red-background{background:#fa0000}
.silver{color:#909090}
.silver-background{background:#bcbcbc}
.teal{color:#006060}
.teal-background{background:#007d7d}
.white{color:#bfbfbf}
.white-background{background:#fafafa}
.yellow{color:#bfbf00}
.yellow-background{background:#fafa00}
span.icon>.fa{cursor:default}
a span.icon>.fa{cursor:inherit}
.admonitionblock td.icon [class^="fa icon-"]{font-size:2.5em;text-shadow:1px 1px 2px rgba(0,0,0,.5);cursor:default}
.admonitionblock td.icon .icon-note::before{content:"\f05a";color:#19407c}
.admonitionblock td.icon .icon-tip::before{content:"\f0eb";text-shadow:1px 1px 2px rgba(155,155,0,.8);color:#111}
.admonitionblock td.icon .icon-warning::before{content:"\f071";color:#bf6900}
.admonitionblock td.icon .icon-caution::before{content:"\f06d";color:#bf3400}
.admonitionblock td.icon .icon-important::before{content:"\f06a";color:#bf0000}
.conum[data-value]{display:inline-block;color:#fff!important;background:rgba(0,0,0,.8);-webkit-border-radius:100px;border-radius:100px;text-align:center;font-size:.75em;width:1.67em;height:1.67em;line-height:1.67em;font-family:"Open Sans","DejaVu Sans",sans-serif;font-style:normal;font-weight:bold}
.conum[data-value] *{color:#fff!important}
.conum[data-value]+b{display:none}
.conum[data-value]::after{content:attr(data-value)}
pre .conum[data-value]{position:relative;top:-.125em}
b.conum *{color:inherit!important}
.conum:not([data-value]):empty{display:none}
dt,th.tableblock,td.content,div.footnote{text-rendering:optimizeLegibility}
h1,h2,p,td.content,span.alt{letter-spacing:-.01em}
p strong,td.content strong,div.footnote strong{letter-spacing:-.005em}
p,blockquote,dt,td.content,span.alt{font-size:1.0625rem}
p{margin-bottom:1.25rem}
.sidebarblock p,.sidebarblock dt,.sidebarblock td.content,p.tableblock{font-size:1em}
.exampleblock>.content{background:#fffef7;border-color:#e0e0dc;-webkit-box-shadow:0 1px 4px #e0e0dc;box-shadow:0 1px 4px #e0e0dc}
.print-only{display:none!important}
@page{margin:1.25cm .75cm}
@media print{*{-webkit-box-shadow:none!important;box-shadow:none!important;text-shadow:none!important}
html{font-size:80%}
a{color:inherit!important;text-decoration:underline!important}
a.bare,a[href^="#"],a[href^="mailto:"]{text-decoration:none!important}
a[href^="http:"]:not(.bare)::after,a[href^="https:"]:not(.bare)::after{content:"(" attr(href) ")";display:inline-block;font-size:.875em;padding-left:.25em}
abbr[title]::after{content:" (" attr(title) ")"}
pre,blockquote,tr,img,object,svg{page-break-inside:avoid}
thead{display:table-header-group}
svg{max-width:100%}
p,blockquote,dt,td.content{font-size:1em;orphans:3;widows:3}
h2,h3,#toctitle,.sidebarblock>.content>.title{page-break-after:avoid}
#toc,.sidebarblock,.exampleblock>.content{background:none!important}
#toc{border-bottom:1px solid #dddddf!important;padding-bottom:0!important}
body.book #header{text-align:center}
body.book #header>h1:first-child{border:0!important;margin:2.5em 0 1em}
body.book #header .details{border:0!important;display:block;padding:0!important}
body.book #header .details span:first-child{margin-left:0!important}
body.book #header .details br{display:block}
body.book #header .details br+span::before{content:none!important}
body.book #toc{border:0!important;text-align:left!important;padding:0!important;margin:0!important}
body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-break-before:always}
.listingblock code[data-lang]::before{display:block}
#footer{padding:0 .9375em}
.hide-on-print{display:none!important}
.print-only{display:block!important}
.hide-for-print{display:none!important}
.show-for-print{display:inherit!important}}
@media print,amzn-kf8{#header>h1:first-child{margin-top:1.25rem}
.sect1{padding:0!important}
.sect1+.sect1{border:0}
#footer{background:none}
#footer-text{color:rgba(0,0,0,.6);font-size:.9em}}
@media amzn-kf8{#header,#content,#footnotes,#footer{padding:0}}
</style>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
</head>
<body class="article toc2 toc-right">
<div id="header">
<h1>Iptables !</h1>
<div class="details">
<span id="author" class="author">Apostolos rootApostolos@swarmlab.io</span><br>
</div>
<div id="toc" class="toc2">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_iptables">1. iptables</a>
<ul class="sectlevel2">
<li><a href="#_installation">1.1. Installation</a></li>
<li><a href="#_front_ends">1.2. Front-ends</a>
<ul class="sectlevel3">
<li><a href="#_console">1.2.1. Console</a></li>
<li><a href="#_graphical">1.2.2. Graphical</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#_basic_concepts">2. Basic concepts</a>
<ul class="sectlevel2">
<li><a href="#_table">2.1. Table</a>
<ul class="sectlevel3">
<li><a href="#_filter">2.1.1. Filter</a></li>
<li><a href="#_nat">2.1.2. Nat</a></li>
<li><a href="#_mangle">2.1.3. Mangle</a></li>
<li><a href="#_raw">2.1.4. Raw</a></li>
<li><a href="#_security">2.1.5. Security</a></li>
</ul>
</li>
<li><a href="#_rules">2.2. Rules</a></li>
<li><a href="#_traversing_chains">2.3. Traversing Chains</a></li>
</ul>
</li>
<li><a href="#_usage">3. Usage</a>
<ul class="sectlevel2">
<li><a href="#_showing_the_current_rules">3.1. Showing the current rules</a></li>
<li><a href="#_resetting_rules">3.2. Resetting rules</a></li>
<li><a href="#_editing_rules">3.3. Editing rules</a></li>
<li><a href="#_examples">3.4. Examples</a>
<ul class="sectlevel3">
<li><a href="#_block_traffic_by_portpermalink">3.4.1. Block Traffic by PortPermalink</a></li>
<li><a href="#_drop_traffic">3.4.2. Drop Traffic</a></li>
<li><a href="#_block_or_allow_traffic_by_port_number">3.4.3. Block or Allow Traffic by Port Number</a></li>
</ul>
</li>
<li><a href="#_more_examples">3.5. More Examples</a></li>
</ul>
</li>
<li><a href="#_how_to_use_iptables">Appendix A: How to use iptables</a></li>
</ul>
</div>
</div>
<div id="content">
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p><br></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_iptables">1. iptables</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>iptables</strong> is a command line utility for configuring Linux kernel <strong>firewall</strong> implemented within the <a href="https://en.wikipedia.org/wiki/Netfilter">Netfilter</a> project. The term ''iptables'' is also commonly used to refer to this kernel-level firewall. It can be configured directly with iptables, or by using one of the many</p>
</div>
<div class="paragraph">
<p><a href="https://en.wikipedia.org/wiki/Iptables">More: wikipedia</a></p>
</div>
<div class="ulist">
<ul>
<li>
<p>Console tools</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>and</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Graphical front-ends.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p><strong>iptables</strong> is used for <a href="https://en.wikipedia.org/wiki/IPv4">IPv4</a> and ''ip6tables'' is used for ihttps://en.wikipedia.org/wiki/IPv6[IPv6]. Both ''iptables'' and ''ip6tables'' have the same syntax, but some options are specific to either IPv4 or IPv6.</p>
</div>
<div class="sect2">
<h3 id="_installation">1.1. Installation</h3>
<div class="paragraph">
<p>The Swarmlab.io kernel is compiled with iptables support.</p>
</div>
</div>
<div class="sect2">
<h3 id="_front_ends">1.2. Front-ends</h3>
<div class="sect3">
<h4 id="_console">1.2.1. Console</h4>
<div class="ulist">
<ul>
<li>
<p>Shorewall, High-level tool for configuring Netfilter.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>You describe your firewall/gateway requirements using entries in a set of configuration files.</p>
</div>
<div class="paragraph">
<p><a href="http://www.shorewall.net/">shorewall</a></p>
</div>
<div class="ulist">
<ul>
<li>
<p>Arno&#8217;s Secure firewall for both single and multi-homed machines.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Very easy to configure, handy to manage and highly customizable. Supports: NAT and SNAT, port forwarding, ADSL ethernet modems with both static and dynamically assigned IPs, MAC address filtering, stealth port scan detection, DMZ and DMZ-2-LAN forwarding, protection against SYN/ICMP flooding, extensive user definable logging with rate limiting to prevent log flooding, all IP protocols and VPNs such as IPsec, plugin support to add extra features.|</p>
</div>
<div class="paragraph">
<p><a href="http://rocky.eld.leidenuniv.nl/">arno-iptables-firewall</a></p>
</div>
<div class="ulist">
<ul>
<li>
<p>FireHOL Language to express firewalling rules, not just a script that produces some kind of a firewall. It makes building even sophisticated firewalls easy - the way you want it.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p><a href="http://firehol.sourceforge.net" class="bare">http://firehol.sourceforge.net</a></p>
</div>
<div class="ulist">
<ul>
<li>
<p>firewalld (firewall-cmd) Daemon and console interface for configuring network and firewall zones as well as setting up and configuring firewall rules.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p><a href="https://firewalld.org">firewalld</a></p>
</div>
</div>
<div class="sect3">
<h4 id="_graphical">1.2.2. Graphical</h4>
<div class="ulist">
<ul>
<li>
<p>Firewall Builder</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers extended access lists. The program runs on Linux, FreeBSD, OpenBSD, Windows and macOS and can manage both local and remote firewalls.</p>
</div>
<div class="paragraph">
<p><a href="http://fwbuilder.sourceforge.net">fwbuilder</a></p>
</div>
<div class="ulist">
<ul>
<li>
<p>firewalld</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>(firewall-config) Daemon and graphical interface for configuring network and firewall zones as well as setting up and configuring firewall rules.</p>
</div>
<div class="paragraph">
<p><a href="https://firewalld.org">firewalld</a></p>
</div>
<div class="ulist">
<ul>
<li>
<p>FireStarter</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>High-level GUI Iptables firewall for Linux systems</p>
</div>
<div class="paragraph">
<p><a href="http://www.fs-security.com">firestarter</a></p>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_basic_concepts">2. Basic concepts</h2>
<div class="sectionbody">
<div class="paragraph">
<p>iptables is used to inspect, modify, forward, redirect, and/or drop IP packets.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>The code for filtering IP packets is already built into the kernel and is organized into a collection of <strong>tables</strong>, each with a specific purpose.</p>
</li>
<li>
<p>The tables are made up of a set of predefined <strong>chains</strong>, and the chains contain <strong>rules</strong> which are traversed in order.</p>
</li>
<li>
<p>Each rule consists of a predicate of potential matches and a corresponding action (called a <strong>target</strong>) which is executed if the predicate is true; i.e. the conditions are matched.</p>
</li>
<li>
<p>If the IP packet reaches the end of a built-in chain, including an empty chain, then the chain&#8217;s <strong>policy</strong> target determines the final destination of the IP packet.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>iptables is the user utility which allows you to work with these chains/rules.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="title">Understanding how iptables works</div>
<div class="paragraph">
<p>The key to understanding how iptables works is <a href="http://docs.swarmlab.io/lab/sec/tables_traverse.jpg">this chart</a>.</p>
</div>
<div class="paragraph">
<p>The lowercase word on top is the <strong>table</strong> and the upper case word below is the <strong>chain</strong>.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Every IP packet that comes in <strong>on any network interface</strong> passes through this flow chart from top to bottom.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p><strong>All interfaces are handled the same way; it&#8217;s up to you to define rules that treat them differently.</strong></p>
</div>
<div class="paragraph">
<p>Some packets</p>
</div>
<div class="ulist">
<ul>
<li>
<p>are intended for local processes, hence come in from the top of the chart and stop at <strong>Local Proces</strong>,</p>
</li>
<li>
<p>while other packets are generated by local processes; hence start at <strong>Local Process</strong> and proceed downward through the flowchart.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>A detailed explanation <a href="http://docs.swarmlab.io/SwarmLab-HowTos/labs/os2/ex-3a_iptables-flow-chart.adoc.html">here</a>.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>In the vast majority of use cases you won&#8217;t need to use the <strong>raw</strong>, <strong>mangle</strong>, or <strong>security</strong> tables at all.</p>
</div>
<div class="paragraph">
<p>Consequently, the following chart depicts a simplified network packet flow through <strong>iptables</strong>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash"> XXXXXXXXXXXXXXXXXX
XXX Network XXX
XXXXXXXXXXXXXXXXXX
+
|
v
+-------------+ +------------------+
|table: filter| &lt;---+ | table: nat |
|chain: INPUT | | | chain: PREROUTING|
+-----+-------+ | +--------+---------+
| | |
v | v
[local process] | **************** +--------------+
| +---------+ Routing decision +------&gt; |table: filter |
v **************** |chain: FORWARD|
**************** +------+-------+
Routing decision |
**************** |
| |
v **************** |
+-------------+ +------&gt; Routing decision &lt;---------------+
|table: nat | | ****************
|chain: OUTPUT| | +
+-----+-------+ | |
| | v
v | +-------------------+
+--------------+ | | table: nat |
|table: filter | +----+ | chain: POSTROUTING|
|chain: OUTPUT | +--------+----------+
+--------------+ |
v
XXXXXXXXXXXXXXXXXX
XXX Network XXX
XXXXXXXXXXXXXXXXXX</code></pre>
</div>
</div>
<div class="sect2">
<h3 id="_table">2.1. Table</h3>
<div class="paragraph">
<p>iptables contains five tables:</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="title">Chains</div>
<div class="paragraph">
<p>Tables consist of <strong>chains</strong>, which are lists of rules which are followed in order.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="sect3">
<h4 id="_filter">2.1.1. Filter</h4>
<div class="paragraph">
<p>This is the default table.</p>
</div>
<div class="listingblock">
<div class="title">Its built-in chains are:</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash"> Input: packets going to local sockets
Forward: packets routed through the server
Output: locally generated packets</code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="_nat">2.1.2. Nat</h4>
<div class="paragraph">
<p>When a packet creates a new connection, this table is used.</p>
</div>
<div class="listingblock">
<div class="title">Its built-in chains are:</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash"> Prerouting: designating packets when they come in
Output: locally generated packets before routing takes place
Postrouting: altering packets on the way out</code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="_mangle">2.1.3. Mangle</h4>
<div class="paragraph">
<p>Used for special altering of packets.</p>
</div>
<div class="listingblock">
<div class="title">Its built-in chains are:</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash"> Prerouting: incoming packets
Postrouting: outgoing packets
Output: locally generated packets that are being altered
Input: packets coming directly into the server
Forward: packets being routed through the server</code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="_raw">2.1.4. Raw</h4>
<div class="paragraph">
<p>Primarily used for configuring exemptions from connection tracking.</p>
</div>
<div class="listingblock">
<div class="title">Its built-in chains are:</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash"> Prerouting: packets that arrive by the network interface
Output: processes that are locally generated</code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="_security">2.1.5. Security</h4>
<div class="paragraph">
<p>Used for Mandatory Access Control (MAC) rules. After the filter table, the security table is accessed next.</p>
</div>
<div class="listingblock">
<div class="title">Its built-in chains are:</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash"> Input: packets entering the server
Output: locally generated packets
Forward: packets passing through the server</code></pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>In most common use cases you will only use two of these: <strong>filter</strong> and <strong>nat</strong>.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_rules">2.2. Rules</h3>
<div class="paragraph">
<p>Packet filtering is based on <strong>rules</strong>, which are specified by multiple <strong>matches</strong> (conditions the packet must satisfy so that the rule can be applied), and one <strong>target</strong> (action taken when the packet matches all conditions).</p>
</div>
<div class="paragraph">
<p>The typical things a rule might match on are</p>
</div>
<div class="ulist">
<ul>
<li>
<p>what interface the packet came in on (e.g eth0 or eth1),</p>
</li>
<li>
<p>what type of packet it is (ICMP, TCP, or UDP),</p>
</li>
<li>
<p>or the destination port of the packet.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Targets are specified using the <strong>-j</strong> or <strong>--jump</strong> option.</p>
</div>
<div class="paragraph">
<p>Targets can be either
- user-defined chains (i.e. if these conditions are matched, jump to the following user-defined chain and continue processing there), one of the special built-in targets,
- or a target extension.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="ulist">
<ul>
<li>
<p>Built-in targets are <strong>ACCEPT</strong>, <strong>DROP</strong>, <strong>QUEUE</strong> and <strong>RETURN</strong></p>
</li>
<li>
<p>target extensions are, for example, <strong>REJECT</strong> and <strong>LOG</strong>.</p>
</li>
</ul>
</div>
</td>
</tr>
</table>
</div>
<div class="ulist">
<ul>
<li>
<p>If the target is a built-in target, the fate of the packet is decided immediately and processing of the packet in current table is stopped.</p>
</li>
<li>
<p>If the target is a user-defined chain and the fate of the packet is not decided by this second chain, it will be filtered against the remaining rules of the original chain.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Target extensions can be either <strong>terminating</strong> (as built-in targets) or <strong>non-terminating</strong> (as user-defined chains)</p>
</div>
</div>
<div class="sect2">
<h3 id="_traversing_chains">2.3. Traversing Chains</h3>
<div class="paragraph">
<p>A network packet received on any interface traverses the traffic control chains of tables in the order shown in the <a href="http://docs.swarmlab.io/lab/sec/tables_traverse.jpg">this chart</a></p>
</div>
<div class="ulist">
<ul>
<li>
<p>The first routing decision involves deciding if the final destination of the packet is the local machine (in which case the packet traverses through the <strong>INPUT chains</strong></p>
</li>
<li>
<p>or elsewhere (in which case the packet traverses through the <strong>FORWARD chains</strong>.</p>
</li>
<li>
<p>Subsequent routing decisions involve deciding what interface to assign to an outgoing packet.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>At each chain in the path, every rule in that chain is evaluated in order and whenever a rule matches, the corresponding target/jump action is executed.</p>
</div>
<div class="paragraph">
<p>The 3 most commonly used targets are <strong>ACCEPT</strong>, <strong>DROP</strong>, and <strong>jump</strong> to a user-defined chain.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>While built-in chains can have default policies, user-defined chains can not.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="ulist">
<ul>
<li>
<p>If every rule in a chain that you jumped fails to provide a complete match, the packet is dropped back into the calling chain as illustrated
<a href="http://docs.swarmlab.io/lab/sec/images/table_subtraverse.jpg">here</a>.</p>
</li>
<li>
<p>If at any time a complete match is achieved for a rule with a <strong>DROP</strong> target, the packet is dropped and no further processing is done.</p>
</li>
<li>
<p>If a packet is <strong>ACCEPT</strong>ed within a chain, it will be <strong>ACCEPT</strong>ed in all superset chains also and it will not traverse any of the superset chains any further.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>However, be aware that the packet will continue to traverse all other chains in other tables in the normal fashion.</p>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_usage">3. Usage</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="_showing_the_current_rules">3.1. Showing the current rules</h3>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash"># iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination</code></pre>
</div>
</div>
<div class="paragraph">
<p>If the output looks like the above, then there are no rules (i.e. nothing is blocked) in the default filter table</p>
</div>
</div>
<div class="sect2">
<h3 id="_resetting_rules">3.2. Resetting rules</h3>
<div class="paragraph">
<p>You can flush and reset iptables to default using these commands:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash"># iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -t raw -F
# iptables -t raw -X
# iptables -t security -F
# iptables -t security -X
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT</code></pre>
</div>
</div>
<div class="paragraph">
<p>The -F command with no arguments flushes all the chains in its current table. Similarly, -X deletes all empty non-default chains in a table.</p>
</div>
<div class="paragraph">
<p>Individual chains may be flushed or deleted by following -F and -X with a [chain] argument.</p>
</div>
</div>
<div class="sect2">
<h3 id="_editing_rules">3.3. Editing rules</h3>
<div class="paragraph">
<p>Rules can be edited by</p>
</div>
<div class="ulist">
<ul>
<li>
<p>appending -A a rule to a chain,</p>
</li>
<li>
<p>inserting -I it at a specific position on the chain,</p>
</li>
<li>
<p>replacing -R an existing rule,</p>
</li>
<li>
<p>or deleting -D it.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>The first three commands are exemplified in the following.</p>
</div>
<div class="paragraph">
<p>First of all, our computer is not a router (unless, of course, it is a router). We want to change the default policy on the FORWARD chain from ACCEPT to DROP.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash"># iptables -P FORWARD DROP</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_examples">3.4. Examples</h3>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>We are going to use Shorewall as an iptables configuration tool.</p>
</div>
<div class="paragraph">
<p>See Appendix.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>Here are some examples of "raw" iptables command lines.</p>
</div>
<div class="sect3">
<h4 id="_block_traffic_by_portpermalink">3.4.1. Block Traffic by PortPermalink</h4>
<div class="paragraph">
<p>You may use a port to block all traffic coming in on a specific interface.</p>
</div>
<div class="paragraph">
<p>For example:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">iptables -A INPUT -j DROP -p tcp --destination-port 110 -i eth0</code></pre>
</div>
</div>
<div class="paragraph">
<p>Let’s examine what each part of this command does:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><strong>-A</strong> will add or append the rule to the end of the chain.</p>
<div class="literalblock">
<div class="content">
<pre>**INPUT** will add the rule to the table.</pre>
</div>
</div>
<div class="literalblock">
<div class="content">
<pre>**DROP** means the packets are discarded.</pre>
</div>
</div>
</li>
<li>
<p><strong>-p tcp</strong> means the rule will only drop TCP packets.</p>
</li>
<li>
<p><strong>--destination-port 110</strong> filters packets targeted to port 110.</p>
</li>
<li>
<p><strong>-i eth0</strong> means this rule will impact only packets arriving on the eth0 interface.</p>
</li>
</ul>
</div>
</div>
<div class="sect3">
<h4 id="_drop_traffic">3.4.2. Drop Traffic</h4>
<div class="paragraph">
<p>In order to drop all incoming traffic from a specific IP address, use the iptables command with the following options:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">iptables -I INPUT -s 198.51.100.0 -j DROP</code></pre>
</div>
</div>
<div class="paragraph">
<p>To remove these rules, use the <strong>--delete</strong> or <strong>-D</strong> option:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">iptables --delete INPUT -s 198.51.100.0 -j DROP
iptables -D INPUT -s 198.51.100.0 -j DROP</code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="_block_or_allow_traffic_by_port_number">3.4.3. Block or Allow Traffic by Port Number</h4>
<div class="paragraph">
<p>One way to create a firewall is to block all traffic to the system and then allow traffic on certain ports.</p>
</div>
<div class="paragraph">
<p>Below is a sample sequence of commands to illustrate the process:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -m comment --comment "Allow loopback connections" -j ACCEPT
iptables -A INPUT -p icmp -m comment --comment "Allow Ping to work as expected" -j ACCEPT
iptables -A INPUT -p tcp -m multiport --destination-ports 22,25,53,80,443,465,5222,5269,5280,8999:9003 -j ACCEPT
iptables -A INPUT -p udp -m multiport --destination-ports 53 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP</code></pre>
</div>
</div>
<div class="paragraph">
<p>Let’s break down the example above.</p>
</div>
<div class="paragraph">
<p>The <strong>first two</strong> commands add or append rules to the <strong>INPUT chain</strong> in order to allow access on specific ports.</p>
</div>
<div class="paragraph">
<p>The <strong>-p tcp</strong> and <strong>-p udp</strong> options specify either <strong>UDP</strong> or <strong>TCP</strong> packet types.</p>
</div>
<div class="paragraph">
<p>The <strong>-m</strong> multiport function matches packets on the basis of their source or destination ports, and can accept the specification of up to 15 ports.</p>
</div>
<div class="paragraph">
<p>Multiport also accepts <strong>ranges such as 8999:9003</strong> which counts as 2 of the 15 possible ports, but matches ports 8999, 9000, 9001, 9002, and 9003.</p>
</div>
<div class="paragraph">
<p>The next command <strong>allows all incoming</strong> and <strong>outgoing packets</strong> that are associated with existing connections so that they will not be inadvertently blocked by the firewall.</p>
</div>
<div class="paragraph">
<p>The final two commands use the <strong>-P</strong> option to describe the <strong>default policy</strong> for these chains. As a result, all packets processed by <strong>INPUT</strong> and <strong>FORWARD</strong> will be dropped by default.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>Note that the rules described above only control incoming packets, and do not limit outgoing connections.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_more_examples">3.5. More Examples</h3>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash"># Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
# Allow SSH connections.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
# Reject all other inbound.
-A INPUT -j REJECT
# Log any traffic that was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
# Reject all traffic forwarding.
-A FORWARD -j REJECT</code></pre>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_how_to_use_iptables">Appendix A: How to use iptables</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Shorewall is not the easiest to use of the available iptables configuration tools but I believe that it is the most flexible and powerful.</p>
</div>
<div class="paragraph">
<p>It can handle complex and fast changing network environments.</p>
</div>
<div class="paragraph">
<p>It needs multiple configuration files, even for simple setups.</p>
</div>
<div class="paragraph">
<p>Suitable for powerusers! - Most likely there are a lot of these among our Students :-)</p>
</div>
<div class="paragraph">
<p>Shorewall is very popular!</p>
</div>
<div class="paragraph">
<p><a href="https://wiki.archlinux.org">Origin</a></p>
</div>
<div class="paragraph">
<p><br>
<br>
</p>
</div>
<hr>
</div>
</div>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2020-07-09 15:06:14 UTC
</div>
</div>
</body>
</html>