IPTABLES Rules Chain Architecture NAT Example

Important Notes
1) --sport / --dport match TCP or UDP port numbers, so any rule that uses them must also state the protocol (-p tcp or -p udp); iptables rejects the rule otherwise.
2) On RHEL/CentOS the saved iptables configuration lives in /etc/sysconfig/iptables (read by the iptables service at boot).
3) Useful verification commands
To check which ports are listening, and which process owns them:
#netstat -tulpn | grep port-number
To check whether a particular service or port is already covered by a rule (with -n ports are shown numerically, e.g. dpt:22, so grep for the number):
#iptables -L -v -n | grep (Service-Name|Port-Number)

LEVEL - 1
#iptables -A (INPUT|OUTPUT|FORWARD) -(s|d) (SOURCE|DESTINATION) -p (tcp|udp|icmp) (--sport|--dport) PORT -j (ACCEPT|REJECT|DROP|LOG)

Option            Values                    Meaning
-A                INPUT | OUTPUT | FORWARD  chain the rule is appended to
-p                tcp | udp | icmp          protocol to match
-s / -d           Source / Destination      source or destination address (host or CIDR)
--sport / --dport port                      source / destination port (only with -p tcp or -p udp)
-j                ACCEPT | REJECT | DROP | LOG   target: what happens to a matching packet

LEVEL - 2
NAT operates on the router, the host that sits between the private and the public network.
Main advantages are
1) Security (internal addresses are never visible from outside), 2) address conservation (many private hosts share one public address).

Option  Meaning             Chain        Target
-t nat  use the nat table
-i      input interface     PREROUTING   DNAT
-o      output interface    POSTROUTING  SNAT

Router: public - eth0, private - eth1
NOTE: the pair of interfaces identifies the direction of the traffic. In the nat table only one of them applies per chain (PREROUTING sees the input interface -i, POSTROUTING the output interface -o); both together are used in the FORWARD chain of the filter table:
-i eth1 -o eth0 - outgoing connection (enters on PRIVATE, leaves on PUBLIC)
-i eth0 -o eth1 - incoming connection (enters on PUBLIC, leaves on PRIVATE)



SNAT: POSTROUTING
DNAT: PREROUTING
Changing the source IP address (where the packet comes from) is done in POSTROUTING, after the routing decision.
Changing the destination IP address (where the packet is going to) must be done in PREROUTING, before the routing decision, otherwise the kernel would route the packet towards the old destination.
EX: $IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.0.0.5

-j DNAT --to-destination w.x.y.z[:port] [ change the recipient address ] (mostly used for port forwarding or redirection)
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.145.14:80

-j SNAT --to-source a.b.c.d [ change the source address ]
PREROUTING:
1) alters the packet before the routing decision
2) translation happens as the packet enters the system
3) translates the destination IP to an address the local routing table can deliver to (e.g. an internal server)
4) usually a one-to-one translation (one public address:port to one internal address:port)
DNAT is the target normally used here.

POSTROUTING
1) alters the packet after the routing decision
2) translation happens as the packet leaves the system
3) translates the source IP to an address the destination host can route its replies back to (the router's public address)
NOTE: PNAT (more commonly PAT or NAPT, Port Address Translation) - NAT that rewrites the source port as well as the address, so that many private hosts can share one public address.

LEVEL - 3
-v (verbose: packet and byte counters, interfaces)
-L (list the rules)
-n (numeric: do not resolve IP addresses or port names)
--line-numbers (number the rules; needed for -D / -I by position)
Display the nat table with full details:
#iptables -t nat -v -L -n --line-numbers
-m state --state (NEW|ESTABLISHED|RELATED|INVALID)
-m (match extension)
--state
NEW          first packet of a connection (e.g. the TCP SYN); conntrack has not seen this connection before
ESTABLISHED  every further packet of a connection that has been seen in both directions (replies included)
RELATED      a new connection started because of an existing one (FTP data channel, ICMP error messages)
INVALID      packet that cannot be associated with any tracked connection

# iptables .. -m state --state NEW,RELATED,ESTABLISHED
(-m state is the older spelling of -m conntrack --ctstate; both accept the same state names)
-m [MATCH]
Specify several (up to 15) ports in one rule:
--match multiport --source-ports 23,24   (also --destination-ports and --ports)
-m mac
-m state
-m tcp / -m udp (loaded implicitly by -p tcp / -p udp)
-m iprange
Specify a contiguous port range:
--dport 6881:6886 [ allows 6881, 6882, 6883, 6884, 6885 and 6886; both ends are included ]
-P (chain policy: the target applied when no rule in the chain matches)
A trailing catch-all rule
#iptables -A INPUT -j DROP
is better written as the chain policy
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP
(add the ACCEPT rules for ESTABLISHED,RELATED and for your own SSH session before switching a policy to DROP, or a remote session is cut off.)
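The LEVEL 1 rule form and the LEVEL 3 match and policy options combined into one complete host firewall, as an added example (it is not code from the original notes). The ruleset is written in iptables-restore format so that the chain policies (:INPUT DROP), the stateful ESTABLISHED,RELATED rule, multiport, a port range, a rate-limited LOG and the default deny are loaded in a single transaction instead of one -A at a time. The admin subnet 192.168.1.0/24 and the interface eth0 are assumed values; -m conntrack --ctstate is the current spelling of the -m state --state used in the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: a default-deny host firewall
# expressed as an iptables-restore file. Generating the whole ruleset and
# loading it atomically avoids the classic lock-out of a half-applied script
# (policy DROP already set, SSH rule not yet added).
# Assumed values: admin network 192.168.1.0/24, eth0 as the only interface.

ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # hypothetical management subnet
WAN_IF="${WAN_IF:-eth0}"

# Print the filter-table ruleset. Chain policies are set in the chain header
# lines (":INPUT DROP"), the iptables-restore equivalent of -P INPUT DROP.
gen_host_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# loopback is always trusted
-A INPUT -i lo -j ACCEPT
# replies and follow-on packets of connections we already track
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot associate with anything (bad TCP flags, out-of-window)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new SSH sessions only from the admin network
-A INPUT -i $WAN_IF -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
# two ports in one rule instead of two rules
-A INPUT -i $WAN_IF -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# a contiguous range: 6881:6886 matches 6881 through 6886 inclusive
-A INPUT -i $WAN_IF -p tcp --dport 6881:6886 -m conntrack --ctstate NEW -j ACCEPT
# allow ping, but rate-limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# everything else: log (rate-limited so the log cannot be flooded), then drop
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 3/min -j LOG --log-prefix "IPT-DROP: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Self-check: number of rules that carry a conntrack state match.
count_stateful_rules() { gen_host_rules | grep -c -- '--ctstate'; }

# Apply with iptables-restore: --test parses the whole file first, then the
# real load replaces the ruleset in one step, so a typo changes nothing.
apply_host_rules() {
    gen_host_rules | iptables-restore --test && gen_host_rules | iptables-restore
}

# APPLY=1 ./hostfw.sh loads the rules (needs root); without it the rules are only printed.
if [ "${APPLY:-0}" = 1 ]; then apply_host_rules; else gen_host_rules; fi
```

Run it once without APPLY to review the generated file, then with APPLY=1 from a console session rather than over SSH the first time; the ESTABLISHED,RELATED rule comes before the DROP policy takes effect because the whole file is committed at once.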

Important iptables Rules
1) Configure a router/gateway using iptables (NAT)
a) add the line net.ipv4.ip_forward = 1 to /etc/sysctl.conf (persistent across reboots)
To apply it now: #sysctl -p /etc/sysctl.conf (or)
echo 1 > /proc/sys/net/ipv4/ip_forward

b) #iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-j MASQUERADE replaces the sender address with the address of eth0 on the router. Unlike SNAT it looks that address up per packet, so it is the right choice when the public address is dynamic (DHCP, PPP); with a fixed public address SNAT --to-source is the cheaper option.
2) How to delete a rule from the nat table (list with --line-numbers first to find the rule number)
#iptables -t nat -D POSTROUTING 1
Example 1) #iptables -t (Table-Name) -D (PREROUTING|POSTROUTING|OUTPUT) Rule-No
Example 2) #iptables -D (INPUT|FORWARD|OUTPUT) Rule-No
3) #iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
 1) client opens the connection to the server - NEW - first packet (SYN) of the connection
 2) every further packet of that connection - ESTABLISHED - the connection has been seen in both directions (the server's own replies leave through OUTPUT, not INPUT)
 3) a new connection started because of an existing one (FTP data channel, ICMP errors) - RELATED - harmless here but not needed for plain SSH
NOTE: INVALID - packet that does not match any tracked connection.
4) #iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
(SNAT to a pool: the source address is taken from 194.236.50.155-194.236.50.160 and the source port from 1024-32000)
5) Redirect port 80 traffic to 8080 (REDIRECT is DNAT to the address of the interface the packet arrived on)
#iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
6) Create user-defined chains (empty until rules are added with -A, and unused until a built-in chain jumps to them with -j)
#iptables -N valid-src
#iptables -N valid-dst
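The LEVEL 2 NAT description and rules 1, 4, 5 and 6 above carried through as one complete gateway configuration. This is an added example, not code from the original notes: eth0/eth1 and the web server 192.168.145.14 follow the notes, while the LAN 192.168.145.0/24 and the public address 203.0.113.10 are assumed. It puts the DNAT (PREROUTING) and SNAT/MASQUERADE (POSTROUTING) rewrites next to the FORWARD rules that decide whether a translated packet may pass, which a nat-table rule on its own never does, and routes the incoming direction through a user-defined chain.

```shell
#!/bin/sh
# Added example, not part of the original notes: a two-interface NAT gateway
# (public eth0, private eth1) written as one iptables-restore file.
# Hypothetical values: LAN 192.168.145.0/24, internal web server 192.168.145.14,
# fixed public address 203.0.113.10 (from the TEST-NET-3 documentation range).

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.145.0/24}"
WEB_HOST="${WEB_HOST:-192.168.145.14}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # empty string -> MASQUERADE instead of SNAT

# POSTROUTING rule for the outgoing direction: SNAT with a fixed public
# address, MASQUERADE when the address is dynamic (looked up per packet).
snat_rule() {
    if [ -n "$1" ]; then
        printf '%s\n' "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $1"
    else
        printf '%s\n' "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
    fi
}

gen_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT runs before routing: port 80 arriving on the public side goes to the LAN web server
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
# REDIRECT is DNAT to the router itself: LAN clients' port-80 traffic lands on a local proxy on 8080
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports 8080
# SNAT runs after routing: LAN hosts leave with the router's public address
$(snat_rule "$PUBLIC_IP")
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fwd-in - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# management and the redirected proxy port are reachable from the LAN only
-A INPUT -i $LAN_IF -p tcp -m multiport --dports 22,8080 -m conntrack --ctstate NEW -j ACCEPT
# nat rules only rewrite addresses; whether a translated packet may pass is decided here
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# outgoing: -i private -o public, any new connection from the LAN
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# incoming: -i public -o private is handled in a user-defined chain
-A FORWARD -i $WAN_IF -o $LAN_IF -j fwd-in
# only connections conntrack marked as DNAT (they hit the PREROUTING rule above) may reach the server
-A fwd-in -d $WEB_HOST -p tcp --dport 80 -m conntrack --ctstate NEW -m conntrack --ctstate DNAT -j ACCEPT
-A fwd-in -j DROP
COMMIT
EOF
}

# Turn on routing between the interfaces and load both tables atomically;
# iptables-restore --test parses the whole file first, so a typo changes nothing.
apply_nat_rules() {
    sysctl -w net.ipv4.ip_forward=1
    gen_nat_rules | iptables-restore --test && gen_nat_rules | iptables-restore
}

# APPLY=1 ./gateway.sh loads the rules (needs root); otherwise they are only printed.
if [ "${APPLY:-0}" = 1 ]; then apply_nat_rules; else gen_nat_rules; fi
```

The --ctstate DNAT match in fwd-in is the check that makes a port forward safe: it lets through only connections that were rewritten by the PREROUTING rule, so an attacker cannot reach 192.168.145.14:80 (or anything else on the LAN) merely by sending packets to a private address through the public interface.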
Iptables Important Picture:
http://networknuts.files.wordpress.com/2012/05/networknuts-iptables.png
SNAT & DNAT terminology varies by vendor.
http://www.iu.hio.no/teaching/materials/MS004A/html/pictures/iptablesETH.png
