For the filter table, the most used targets for firewall rules are DROP and ACCEPT. If a packet matches a rule with a DROP target, the Linux kernel discards it without consulting any further rules in the chain. If the target is ACCEPT, the packet is accepted, again without consulting any further rules.
An alternative to DROP is the REJECT target, which drops the packet but sends an ICMP error back to the packet's source IP. By default, the REJECT target sends an ICMP 'port unreachable' message to the sender, but that can be overridden with the "--reject-with" switch.
The target in an iptables rule can also be used to jump to a user-defined chain. For example, after creating a new chain with "iptables -N SSH", we tell the kernel to run all incoming TCP connections to port 22 through this chain like this:
iptables -A INPUT -p tcp --dport 22 -j SSH
Another useful target is LOG, which can be used to log packets matching a filtering specification in the kernel log, which can be read with dmesg or syslogd. LOG target options are:
- --log-level level: The level of logging can be a name or a number. The valid names are debug, info, notice, warning, err, crit, alert, and emerg with corresponding numbers from 7 to 0.
- --log-prefix prefix: Log prefix is followed by a string of up to 29 characters, placed at the beginning of the log message.
- --log-tcp-sequence: Logs TCP sequence numbers.
- --log-tcp-options: Logs the option field of TCP packet headers.
- --log-ip-options: Logs the option field of the IP packet headers.
- --log-uid: Logs the user ID of the process that generated the packet.
The LOG target is not a terminating target like ACCEPT, DROP, and REJECT: after a packet matches a LOG rule, the kernel continues evaluating the rules that follow it in the chain. A limit match on rules with LOG targets is a good idea, so that a flood of matching packets cannot fill the log files.
As an example, earlier we created the SSH chain and passed packets coming in on port 22/TCP. Now, we want to accept incoming SSH connections from 192.168.0.0/27 and 10.10.15.0/24, for example, and log all other attempts, but we will limit logging to 5/s, because in the case of a SYN flood on port 22/TCP, the logs would fill quickly.
First, we will append the rules to the SSH chain to allow connections from the trusted hosts:
iptables -A SSH -s 192.168.0.0/27 -j ACCEPT
iptables -A SSH -s 10.10.15.0/24 -j ACCEPT
Next, we will add the logging rule:
iptables -A SSH -m limit --limit 5/s -j LOG
And then DROP all other connections:
iptables -A SSH -j DROP
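The four commands above as one iptables-restore fragment, added here as an example and not taken from the article: it keeps the order the text requires (ACCEPT rules, then the rate-limited LOG, then DROP) and adds a --log-prefix, so the entries can be picked out of the kernel log, plus an explicit --limit-burst. The trusted networks are the article's; the "SSH-DROP: " prefix, the log level and the use of iptables-restore --noflush for applying the ruleset are assumptions. The functions only print and check the ruleset; nothing is applied unless the script is run with the argument apply, which needs root and iptables.

```shell
#!/bin/sh
# Added example (not from the article): the SSH chain as an iptables-restore
# fragment. The trusted networks come from the article; the prefix, the log
# level and the --noflush apply step are assumptions made for this example.
set -eu

TRUSTED_NETS="192.168.0.0/27 10.10.15.0/24"
LOG_PREFIX="SSH-DROP: "      # assumed label; must stay within 29 characters

# Print the ruleset in iptables-restore format. Nothing is applied here.
ssh_chain_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':SSH - [0:0]'                  # declare the user-defined chain
    for net in $TRUSTED_NETS; do
        printf '%s\n' "-A SSH -s $net -j ACCEPT"
    done
    # LOG is non-terminating, so it must come before DROP, and it is rate-limited
    printf '%s\n' "-A SSH -m limit --limit 5/s --limit-burst 5 -j LOG --log-prefix \"$LOG_PREFIX\" --log-level warning"
    printf '%s\n' "-A SSH -j DROP"
    # hand incoming TCP/22 to the chain, as the article's INPUT rule does
    printf '%s\n' "-A INPUT -p tcp --dport 22 -j SSH"
    printf '%s\n' 'COMMIT'
}

# Number of ACCEPT rules generated for the trusted networks.
trusted_rule_count() {
    ssh_chain_ruleset | grep -c -- '-A SSH -s .* -j ACCEPT'
}

# Ordering check: the LOG rule must be listed before the DROP rule in the chain.
log_before_drop() {
    log_line=$(ssh_chain_ruleset | grep -n -- '-A SSH .* -j LOG' | cut -d: -f1)
    drop_line=$(ssh_chain_ruleset | grep -n -- '-A SSH -j DROP' | cut -d: -f1)
    [ "$log_line" -lt "$drop_line" ]
}

# Load the fragment atomically without flushing the other chains of the
# filter table (assumed apply step; requires root and the iptables tools).
apply_ssh_ruleset() {
    ssh_chain_ruleset | iptables-restore --noflush
}

if [ "${1:-}" = "apply" ]; then
    apply_ssh_ruleset
else
    ssh_chain_ruleset
fi
```

Running the script without arguments prints the fragment for review; re-running it with apply would append a second INPUT jump rule, so on a live host the INPUT line belongs in a one-time setup rather than in a script that is run repeatedly.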
To verify the configuration we use iptables -L -n:
root@router:~/lucix# iptables -L -n
In the output, the INPUT chain contains the rule that jumps to the SSH chain, and the SSH chain itself is listed as:
Chain SSH (1 references)
target     prot opt source          destination
ACCEPT     all  --  192.168.0.0/27  0.0.0.0/0
ACCEPT     all  --  10.10.15.0/24   0.0.0.0/0
LOG        all  --  0.0.0.0/0       0.0.0.0/0    limit: avg 5/sec burst 5 LOG flags 0 level 4
DROP       all  --  0.0.0.0/0       0.0.0.0/0
To test the SSH chain, we try to telnet to port 22 from an unauthorized host. Using iptables -L -n -v, we see that the packet matched the LOG and DROP rules:
Chain SSH (1 references)
 pkts bytes target     prot opt in     out     source          destination
    0     0 ACCEPT     all  --  *      *       192.168.0.0/27  0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       10.10.15.0/24   0.0.0.0/0
    1    48 LOG        all  --  *      *       0.0.0.0/0       0.0.0.0/0
                                                                limit: avg 5/sec burst 5 LOG flags 0 level 4
    1    48 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0
Now, if you look at the logs using the dmesg command, you will see:
IN=eth0 OUT= MAC=00:d0:b7:a7:6f:74:00:04:23:cf:14:e6:08:00 SRC=192.168.168.168 DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=54250 DF PROTO=TCP SPT=27276 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
which tells us that 192.168.168.168 tried to connect on port 22 TCP.
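An added example, not from the article, for reading such entries in bulk: a small shell and awk filter that pulls a single field out of a LOG line and counts the logged TCP SYNs to port 22 per source address, most frequent first. The sample lines are constructed for this example (the first is the article's entry with a prefix in front); the "SSH-DROP: " prefix assumes the LOG rule was given a --log-prefix, which the article's rule does not set. The prefix is searched for anywhere in the line, so the kernel timestamp that dmesg or syslog puts before it does not matter.

```shell
#!/bin/sh
# Added example (not from the article): field extraction and per-source counts
# for iptables LOG entries. Sample lines are constructed; the first one is the
# article's entry with an assumed "SSH-DROP: " --log-prefix in front of it.
set -eu

SAMPLE_LOG='SSH-DROP: IN=eth0 OUT= MAC=00:d0:b7:a7:6f:74:00:04:23:cf:14:e6:08:00 SRC=192.168.168.168 DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=54250 DF PROTO=TCP SPT=27276 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
SSH-DROP: IN=eth0 OUT= MAC=00:d0:b7:a7:6f:74:00:04:23:cf:14:e6:08:00 SRC=192.168.168.168 DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=54251 DF PROTO=TCP SPT=27277 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
SSH-DROP: IN=eth0 OUT= MAC=00:d0:b7:a7:6f:74:00:04:23:cf:14:e6:08:00 SRC=172.16.5.20 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
OTHER-DROP: IN=eth0 OUT= MAC=00:d0:b7:a7:6f:74:00:04:23:cf:14:e6:08:00 SRC=172.16.5.21 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0'

# log_field LINE KEY: print the value of KEY=value in LINE (empty if the key is
# absent or, like OUT= for incoming packets, has an empty value).
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# count_ssh_attempts PREFIX: read LOG lines on stdin, keep those carrying PREFIX
# anywhere in the line, and print "count source" for TCP SYNs to port 22,
# most frequent source first.
count_ssh_attempts() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }          # only entries from our LOG rule
        {
            src = ""; dpt = ""; proto = ""; syn = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i == "SYN")    syn = 1  # flag names appear as bare fields
            }
            if (proto == "TCP" && dpt == "22" && syn) n[src]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# top_source PREFIX: the source address with the most logged attempts.
top_source() {
    count_ssh_attempts "$1" | head -n 1 | cut -d' ' -f2
}

# Usage on the constructed sample (for a real host: dmesg | count_ssh_attempts "SSH-DROP: ")
printf '%s\n' "$SAMPLE_LOG" | count_ssh_attempts "SSH-DROP: "
```

On the sample data the filter reports two attempts from 192.168.168.168 and one from 172.16.5.20; the OTHER-DROP line is ignored because it came from a different LOG rule.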