iptables Cheatsheet
Intro
Basic Defense
Default Outbound DENY
In this scenario, the goal is to ALLOW outbound traffic to the 10.10.10.0/24 network over 443/tcp and 53/udp, DROP outbound traffic to a specified port (12345/tcp in the example), and log the dropped traffic with rate limiting. Note that these rules by themselves do not change the OUTPUT chain's default policy (ACCEPT unless set otherwise with `iptables -P OUTPUT DROP`), so traffic that matches none of them is still allowed; if you do set a DROP policy, add the ACCEPT rules first so you are not locked out.
```bash
sudo iptables -N LOGGING-OUTBOUND   # Create a user-defined chain for outbound logging
sudo iptables -A OUTPUT -j LOGGING-OUTBOUND   # Send OUTPUT traffic through it first; the chain returns to OUTPUT when it reaches its end
sudo iptables -A OUTPUT -d 10.10.10.0/24 -p udp --dport 53 -j ACCEPT    # Allow 53/udp traffic to the 10.10.10.0/24 network
sudo iptables -A OUTPUT -d 10.10.10.0/24 -p tcp --dport 443 -j ACCEPT   # Allow 443/tcp traffic to the 10.10.10.0/24 network
sudo iptables -A OUTPUT -d 10.10.10.0/24 -p tcp --dport 12345 -j DROP   # Drop 12345/tcp traffic to the 10.10.10.0/24 network (evaluated after the logging chain has returned)
sudo iptables -A LOGGING-OUTBOUND -d 10.10.10.0/24 -p tcp --dport 12345 -m limit --limit 2/min --limit-burst 5 -j LOG --log-prefix "EGRESS-HIGH: " --log-level 4   # Log matching packets with the prefix "EGRESS-HIGH: " at syslog level 4 (warning), rate-limited to 2/min with a burst of 5; LOG is non-terminating, so the packet continues to the DROP rule
```
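A quick way to review what the EGRESS-HIGH rule above has been logging, as an added example that is not part of the original cheatsheet: it parses kernel LOG lines (a constructed sample is embedded; in practice feed it `dmesg` or the syslog file) and summarizes hits per source, destination and port. The function names `egress_hits` and `egress_count` are this example's own.

```bash
#!/bin/sh
# Constructed sample of kernel log lines in the format the LOG target emits
# for the "EGRESS-HIGH: " rule above (fields abbreviated; one unrelated line).
SAMPLE_LOG='Mar 10 12:00:01 host kernel: EGRESS-HIGH: IN= OUT=eth0 SRC=10.10.10.5 DST=10.10.10.20 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=12345 SYN
Mar 10 12:00:02 host kernel: EGRESS-HIGH: IN= OUT=eth0 SRC=10.10.10.5 DST=10.10.10.20 LEN=60 TTL=64 PROTO=TCP SPT=51001 DPT=12345 SYN
Mar 10 12:00:03 host kernel: EGRESS-HIGH: IN= OUT=eth0 SRC=10.10.10.7 DST=10.10.10.21 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=12345 SYN
Mar 10 12:00:04 host kernel: eth0: link is up'

# egress_hits LOGTEXT
# Prints "COUNT SRC DST DPT" for every EGRESS-HIGH line, most frequent first.
egress_hits() {
  printf '%s\n' "$1" | grep 'EGRESS-HIGH: ' | awk '
    { s = d = p = ""                  # reset per line so a missing field is not carried over
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) s = substr($i, 5)
        if ($i ~ /^DST=/) d = substr($i, 5)
        if ($i ~ /^DPT=/) p = substr($i, 5)
      }
      print s, d, p }' | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3, $4 }'
}

# egress_count LOGTEXT
# Total number of logged egress attempts. Because the rule is rate-limited
# (2/min, burst 5), this is a lower bound on what was actually attempted.
egress_count() {
  printf '%s\n' "$1" | grep -c 'EGRESS-HIGH: '
}

egress_hits "$SAMPLE_LOG"
egress_count "$SAMPLE_LOG"
```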
Basic Offense
Firewall getting in the way?
I recently had a CTF challenge where we were supposed to determine what port and service were running on a hostname that was not giving much info. Nmap scans on the associated IP did not give much and the host would not respond to pings, so we checked `iptables -L -v`, which indicated that we basically could not communicate with much of anything. The solution was to add some lines that would give us full access (run as root):
```bash
iptables -L -v          # list the current rules with packet counters - results indicate that we can't go anywhere
iptables -P INPUT ACCEPT    # set the default policy for incoming traffic to ACCEPT
iptables -P OUTPUT ACCEPT   # set the default policy for outgoing traffic to ACCEPT
iptables -P FORWARD ACCEPT  # set the default policy for forwarded traffic to ACCEPT
iptables -F             # flush all rules in the filter table (policies are set to ACCEPT first so the flush cannot lock you out)
```