From 93790bb9285ae89f8c1185951d7d5ffa46fa059f Mon Sep 17 00:00:00 2001 From: Whisker Jones Date: Sun, 19 May 2024 14:38:10 -0600 Subject: [PATCH] add iptables --- tech_docs/iptables.md | 154 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 154 insertions(+) create mode 100644 tech_docs/iptables.md diff --git a/tech_docs/iptables.md b/tech_docs/iptables.md new file mode 100644 index 0000000..8322fc3 --- /dev/null +++ b/tech_docs/iptables.md 
@@ -0,0 +1,154 @@ +## Comprehensive Guide to iptables Administration + +### Table of Contents + +1. Introduction to iptables +2. Understanding Chains and Tables + - PREROUTING + - INPUT + - FORWARD + - OUTPUT + - POSTROUTING +3. Comparison with Cisco Technologies +4. Practical Examples + - Viewing iptables Rules + - Basic Configuration + - Advanced Port Forwarding for LXC Containers +5. Persisting iptables Rules +6. Summary + +### 1. Introduction to iptables + +`iptables` is a command-line firewall utility in Linux that allows for packet filtering, network address translation (NAT), and other packet manipulation. It uses a set of rules organized into different chains and tables to control the flow of traffic through a Linux system. + +### 2. Understanding Chains and Tables + +#### Chains + +- **PREROUTING**: Processes packets as they arrive at the network interface before routing decisions. +- **INPUT**: Handles packets destined for the local system. +- **FORWARD**: Manages packets that are routed through the system. +- **OUTPUT**: Deals with packets generated by the local system. +- **POSTROUTING**: Alters packets just before they leave the interface after routing decisions. + +#### Tables + +- **filter**: Default table for filtering packets. +- **nat**: Used for network address translation. +- **mangle**: Used for specialized packet alteration. +- **raw**: Used for configuration exemptions from connection tracking. +- **security**: Used for Mandatory Access Control (MAC) rules. + +### 3. Comparison with Cisco Technologies + +- **PREROUTING**: Similar to ingress ACLs, where packets are inspected and potentially modified before being routed. +- **INPUT**: Comparable to inbound ACLs on Cisco devices for traffic directed to the device itself. +- **FORWARD**: Equivalent to ACLs applied to routed interfaces, controlling forwarded traffic. +- **OUTPUT**: Similar to outbound ACLs, applied to traffic generated by the device. 
+- **POSTROUTING**: Like egress ACLs or NAT rules, applied after routing decisions have been made. + +### 4. Practical Examples + +#### Viewing iptables Rules + +To view the current `iptables` rules: + +```bash +sudo iptables -L +sudo iptables -t nat -L +``` + +#### Basic Configuration + +1. **Allow SSH traffic to the local system (INPUT chain)**: + +```bash +sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT +``` + +2. **Allow outgoing HTTP requests from the local system (OUTPUT chain)**: + +```bash +sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT +``` + +#### Advanced Port Forwarding for LXC Containers + +**Scenario**: Forward traffic from `192.168.1.10:81` to `10.0.0.1:80` and `192.168.1.10:82` to `10.0.0.2:80`. + +```mermaid +graph TD; + A[External Network] --> |Access Apache Services| B(LXC Host) + B --> |Forward to 192.168.1.10:81| C(LXC Container 192.168.1.10) + B --> |Forward to 192.168.1.10:82| C + C --> |Forward to 10.0.0.1:80| D[Apache2 Instance 1 10.0.0.1:80] + C --> |Forward to 10.0.0.2:80| E[Apache2 Instance 2 10.0.0.2:80] +``` + +1. **PREROUTING Chain**: + - Redirect packets from `192.168.1.10:81` to `10.0.0.1:80`. + - Redirect packets from `192.168.1.10:82` to `10.0.0.2:80`. + +```bash +sudo iptables -t nat -A PREROUTING -d 192.168.1.10 -p tcp --dport 81 -j DNAT --to-destination 10.0.0.1:80 +sudo iptables -t nat -A PREROUTING -d 192.168.1.10 -p tcp --dport 82 -j DNAT --to-destination 10.0.0.2:80 +``` + +2. **FORWARD Chain**: + - Allow forwarding for packets to `10.0.0.1:80`. + - Allow forwarding for packets to `10.0.0.2:80`. + +```bash +sudo iptables -A FORWARD -p tcp -d 10.0.0.1 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +sudo iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +``` + +3. **POSTROUTING Chain**: + - Enable masquerading for outgoing packets. + +```bash +sudo iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE +``` + +### 5. 
Persisting iptables Rules + +To ensure `iptables` rules persist across reboots, save them using `iptables-save` and restore them using `iptables-restore`: + +```bash +sudo iptables-save > /etc/iptables/rules.v4 +``` + +Create a systemd service to restore these rules at startup: + +```bash +# Create a systemd service file +sudo nano /etc/systemd/system/iptables-restore.service +``` + +Add the following content to the service file: + +```ini +[Unit] +Description=Restore iptables rules +After=network.target + +[Service] +Type=oneshot +ExecStart=/sbin/iptables-restore < /etc/iptables/rules.v4 +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target +``` + +Enable and start the service: + +```bash +sudo systemctl enable iptables-restore.service +sudo systemctl start iptables-restore.service +``` + +### 6. Summary + +This guide provided an overview of `iptables` chains and tables, compared them to similar Cisco technologies, and presented practical examples for configuring and managing `iptables` rules. By understanding and using these concepts, you can effectively control and manipulate network traffic in a Linux environment, leveraging your existing networking knowledge to achieve advanced configurations. +
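Review bot: the systemd unit in the "Persisting iptables Rules" section will not restore anything, because `ExecStart=` does not go through a shell and the `<` in `ExecStart=/sbin/iptables-restore < /etc/iptables/rules.v4` is passed to iptables-restore as a literal argument rather than as stdin redirection. Either pass the file as an argument, `ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4`, or wrap it, `ExecStart=/bin/sh -c '/sbin/iptables-restore < /etc/iptables/rules.v4'`; since the purpose is to have the firewall in place before interfaces come up, `Before=network-pre.target` plus `Wants=network-pre.target` fits better than `After=network.target`. Two smaller points in the same hunk: the FORWARD rules in the LXC example only match packets with `-d 10.0.0.1`/`-d 10.0.0.2`, so with a default DROP policy the return traffic from the containers is never accepted; a preceding `sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` (conntrack is the current module, `-m state` is deprecated) closes that gap. And the mermaid diagram contradicts the scenario text: it draws `192.168.1.10` as a container that forwards on to the Apache instances, while the rules treat `192.168.1.10` as the host address being DNATed to `10.0.0.1` and `10.0.0.2`; the diagram should show the host forwarding directly to the two container addresses.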