IPWorks IPTables Service Configuration

Contents

1 Introduction
  1.1 Prerequisite
  1.2 Related Information
2 Iptables Overview
3 IPWorks IPtables Configuration
  3.1 Hardening overview
  3.2 LDE Iptables Commands
  3.3 Iptables Configuration for IPWorks
4 Appendix: Iptables Introduction
  4.1 IP Filtering Terms and Expressions
  4.2 Building Rules
  4.3 Iptables Targets
Reference List

1   Introduction

This document provides the configuration information for the IPWorks iptables service.

For security reasons, IPWorks uses the iptables software to provide basic IP packet filtering.

Scope

This document includes:

Target Groups

This document is intended for personnel who want to implement the IP packet filter on IPWorks cluster nodes (SC and PL nodes).

1.1   Prerequisite

The personnel implementing the IPWorks node IP packet filter must fulfill the following prerequisites:

1.2   Related Information

Trademark information, typographic conventions, and definition and explanation of abbreviations and terminology can be found in the following documents:

2   Iptables Overview

Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel, while ip6tables is the corresponding tool for IPv6 filtering.

To configure iptables, the following must be known:

For more information about Iptables, see Appendix: Iptables Introduction.

3   IPWorks IPtables Configuration

This section describes how to configure iptables and ip6tables for IPWorks SC and PL nodes.

3.1   Hardening overview

Figure 1 shows the basic communication between the IPWorks services and the services IPWorks needs in order to communicate with other systems (such as OSSRC and SSH clients).

Figure 1   Iptables Hardening Interfaces

The iptables rules apply to the following interfaces:

  1. The internal interface is used for the communication between IPWorks services. For example: the connections between Storage Server (SS) and MySQL, between Server Manager (SM) and SS, between ENUM and MySQL, and between IPWCLI and SS.

    The communication between SC and PL for the LDE services also goes through the internal interface. For example: the DHCP, TFTP, NFS and SSH services.

    Therefore, it is recommended to open the internal interface for incoming and outgoing packets.

  2. For the SC nodes, the OAM interface is used for the services SSH, SFTP, NETCONF, ECLI, SNMP and provisioning.

    Here, it is recommended to filter according to these services.

  3. For the SC nodes, the Provisioning interface is used by the customer to do the provisioning via SSH.

    So, it is recommended to filter according to the SSH service.

  4. For the SC nodes, for the Geographic redundancy feature, the SQL node is connected with the Geographic redundancy node's SC-1/2 via port 3307. Here, it is recommended to filter according to this service.

  5. For the PL nodes, the traffic interface is used by DNS, ENUM, ASDNS, ENUM-FE sync, AAA and DHCP to communicate with the external network.

    Here, it is recommended to filter according to the DNS/ENUM, AAA and DHCP services.

Table 1 lists LDE services that are related to the hardening.

Table 1    LDE Services

Service | IPWorks Port | Peer Port | Interface | Hardening Needed?
SSH | 22 | Dynamic TCP port | OAM & Provisioning | Yes
SFTP | 22 | Dynamic TCP port | OAM | Yes
NETCONF | 830 | Dynamic TCP port | OAM | Yes
ECLI | 830 | Dynamic TCP port | OAM | Yes
SNMP | 161 | Dynamic TCP port | OAM | Yes
  | Dynamic UDP port | 162 | OAM | Yes
  | Dynamic UDP port | 123 | OAM | Yes
Rsyslog | Dynamic UDP port | 514 | OAM | Yes
  | Dynamic TCP port | 10514 | OAM | Yes
LDAP Auth | Dynamic TCP port | 389 | OAM | Yes
ERH and AAA subagent to SS7 stack Operation and Maintenance (OAM) | Dynamic TCP port | 6669 | OAM | Yes

Table 2 lists IPWorks services that are related to the hardening.

Table 2    IPWorks Services

Service | IPWorks Port | Peer Port | Interface | Hardening Needed?
MySQL NDB Cluster | 1186 (Management Node) | Dynamic TCP port | Internal | No
  | 3307 (SQL Node) | Dynamic TCP port | Internal | No
  | 3307 (SQL Node) | Dynamic TCP port | Provisioning | Yes
Storage Server | 17071 | Dynamic TCP port | Internal | No
  | 17071 | Dynamic TCP port | External for IPWorks DNS Management | Yes
IPWCLI | Dynamic TCP port | 17071 | Internal | No
Server Manager | Dynamic TCP port | 17071 | Internal | No
DNS | 53 | Dynamic TCP port | EVIP/Loopback | Yes
  | 5300 | Dynamic UDP port | EVIP/Loopback | Optional
ENUM | 53 | Dynamic UDP port | EVIP | Yes
Diameter AAA | 3868 (Authentication/Authorization) | Dynamic TCP/SCTP port | EVIP | Yes
  | 18681 (OM Stack) | Dynamic TCP port | Internal | No
FE (ENUM and AAA) | Dynamic TCP port | 389 | EVIP | Yes
ASDNS | ICMP | ICMP | Traffic | Yes
FESync | 8080 | Dynamic TCP port | EVIP | Yes
ASDNS | Dynamic UDP port | 161 | EVIP | Yes
SS7CAF | 2905 | Dynamic SCTP port | EVIP | Yes
Radius AAA | 1812 (Authentication) | Dynamic UDP port | EVIP | Yes
  | 1813 (Accounting) | Dynamic UDP port | EVIP | Yes
  | 3799 (Dynamic Authority) | 3799 (Dynamic Authority) | EVIP | Yes
  | 6826 (OM Stack) | Dynamic TCP port | Internal | No
  | 6827 | Dynamic TCP port | Internal | No
  | 6828 | Dynamic TCP port | Internal | No
  | 56165 (CSV Engine) | Dynamic TCP port | Internal | No
DHCPv4 | 67 | Dynamic UDP port | EVIP | Yes
  | 68 | Dynamic UDP port | EVIP | Yes
  | 647 (Failover Protocol) | Dynamic TCP port | Internal | No
  | 847 (Failover Protocol) | Dynamic TCP port | Internal | No

3.2   LDE Iptables Commands

On LDE, iptables is configured in /cluster/etc/cluster.conf.

The following tables describe the iptables and ip6tables commands that LDE provides for that file.

Table 3    Iptables

Syntax:       iptables <target> <command>
Description:  Defines a rule in iptables. Rules are run in the order specified in this configuration.
Options:
  <target>    Target blade(s).
  <command>   Specifies the parameters that should be passed to iptables. This can be any parameter accepted by iptables.
Examples:
  On all nodes, drop packets from source address 10.0.0.1:
    iptables all -A INPUT -s 10.0.0.1 -j DROP
  On all nodes, accept SSH traffic destined for the 192.168.0.0/24 network and drop all other SSH traffic:
    iptables all -A INPUT -p tcp --dport 22 -d 192.168.0.0/24 -j ACCEPT
    iptables all -A INPUT -p tcp --dport 22 -j DROP

Table 4    Ip6tables

Syntax:       ip6tables <target> <command>
Description:  Defines a rule in ip6tables. Rules are run in the order specified in this configuration.
Options:
  <target>    Target node(s).
  <command>   Specifies the parameters that are to be passed to ip6tables. This can be any parameter accepted by ip6tables.
Example:
  ip6tables all -A INPUT -s fe80::21f:29ff:fe04:f9fa -j DROP

3.3   Iptables Configuration for IPWorks

Iptables is configured by adding rules to /cluster/etc/cluster.conf. The rules are created from the information provided in Section 3.1 and Section 3.2.

The following table describes the parameters used in the example cluster.conf configuration for IPWorks.

Table 5    Parameter Description

<ssh client ip/net>
  The client IP/net used to access the control node through SSH.

<ssh port>
  The SSH listening port, with the default value 22. If you have configured the SSH port according to the IPWorks OS Hardening Guide, make sure that the values are consistent.

<ecli client ip/net>
  The client IP/net from which you want to access the ECLI to do the configuration.

<OSSRC ip/net>
  The OSSRC IP/net.

<Remote log server IP>
  The IP address of the remote log server to which you want to transfer your security log.

<Remote log server UDP port>
  The UDP port of the remote log server, with the default value 514. If you have changed it according to the IPWorks Security Log Management Guide, set the same value here.

<Remote log server TCP port>
  The TCP port of the remote log server, with the default value 10514. If you have configured this port according to the IPWorks Security Log Management Guide, make sure that the values are consistent.

<Ldap server IP>
  The LDAP server IP that is used for OAM authentication.

<Ldap server port>
  The LDAP server listening port, with the default value 389. Set it according to your LDAP server configuration.

<provision client ip/net>
  The IP/net of the IPWorks remote provisioning client.

<CUDB IP>
  The CUDB IP address.

<SS7 client IP>
  The SS7 client IP addresses.

<M3UA port>
  The M3UA port number, with the default value 2905. If you have configured this port according to Configuring SS7 Signaling Network, SCCP, M3, make sure that the values are consistent.

<MIP of MySQL Cluster SQL Node in peer Site>
  The MIP of the MySQL Cluster SQL Node/provisioning in the peer site.

<Local site's SC-1 oam address>
  The SC-1 OAM address of the local site.

<Local site's SC-2 oam address>
  The SC-2 OAM address of the local site.

Note:  
For an IPTables configuration example, see the file IPtables Configuration Example.
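
The hardening of the OAM-interface services in Table 1, expressed as the cluster.conf lines of Table 3 and filled in from the Table 5 parameters, as an added example (not the IPWorks product's own tooling and not the referenced IPtables Configuration Example file). The OAM device name eth1, the sample addresses, the conntrack rule for return traffic, the egress filtering on OUTPUT and the trailing DROP rules are this example's own assumptions; it also assumes the OSSRC is the SNMP peer and that SNMP and port 123 run over UDP.

```python
"""Generate cluster.conf iptables lines for the OAM-interface LDE services
of Table 1 from the Table 5 parameters.

Added example, not IPWorks tooling. The line syntax ("iptables all -A <chain>
...") is the one Table 3 documents; the conntrack rule, the OUTPUT filtering,
the final DROPs and every address/port/interface value are assumptions or
constructed placeholders.
"""

# Table 1 rows on the OAM interface: (label, proto, ipworks_port, peer_port).
# None marks the side the table calls a "Dynamic ... port". A fixed IPWorks
# port means the peer connects to the node (inbound); a fixed peer port means
# the node connects to the peer (outbound). Strings are Table 5 parameters.
OAM_SERVICES = [
    ("SSH/SFTP", "tcp", "ssh_port", None),
    ("NETCONF/ECLI", "tcp", 830, None),
    ("SNMP", "udp", 161, None),            # Table 1 says TCP peer port; UDP assumed
    ("SNMP trap", "udp", None, 162),
    ("UDP 123 (unnamed Table 1 row; NTP assumed)", "udp", None, 123),
    ("Rsyslog UDP", "udp", None, "log_udp_port"),
    ("Rsyslog TCP", "tcp", None, "log_tcp_port"),
    ("LDAP Auth", "tcp", None, "ldap_port"),
    ("ERH/AAA subagent to SS7 stack OAM", "tcp", None, 6669),
]

# Table 5 parameter that restricts the peer address of each service. Services
# missing here have no such parameter on the page and stay address-open.
PEER_PARAM = {
    "SSH/SFTP": "ssh_client_net",
    "NETCONF/ECLI": "ecli_client_net",
    "SNMP": "ossrc_net",          # assumption: the SNMP manager is the OSSRC
    "SNMP trap": "ossrc_net",
    "Rsyslog UDP": "log_server_ip",
    "Rsyslog TCP": "log_server_ip",
    "LDAP Auth": "ldap_server_ip",
}

SAMPLE_PARAMS = {  # constructed placeholders; Table 5 names in the comments
    "oam_if": "eth1",                   # assumption: device carrying the OAM interface
    "ssh_client_net": "10.10.0.0/24",   # <ssh client ip/net>
    "ssh_port": 22,                     # <ssh port>
    "ecli_client_net": "10.10.0.0/24",  # <ecli client ip/net>
    "ossrc_net": "10.20.0.0/24",        # <OSSRC ip/net>
    "log_server_ip": "10.30.0.5",       # <Remote log server IP>
    "log_udp_port": 514,                # <Remote log server UDP port>
    "log_tcp_port": 10514,              # <Remote log server TCP port>
    "ldap_server_ip": "10.30.0.6",      # <Ldap server IP>
    "ldap_port": 389,                   # <Ldap server port>
}


def _port(value, params):
    """Literal ports from Table 1 pass through; Table 5 names are looked up."""
    return params[value] if isinstance(value, str) else value


def oam_rules(params):
    """Return the cluster.conf lines in the order they must be applied."""
    oam = params["oam_if"]
    lines = [
        # Replies of accepted connections, both directions, via connection
        # tracking, so no stateless --sport rules are needed (assumption).
        f"iptables all -A INPUT -i {oam} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables all -A OUTPUT -o {oam} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for label, proto, ip_port, peer_port in OAM_SERVICES:
        peer = PEER_PARAM.get(label)
        if ip_port is not None:  # peer connects to IPWorks: restrict by source
            src = f" -s {params[peer]}" if peer else ""
            lines.append(f"iptables all -A INPUT -i {oam} -p {proto}{src}"
                         f" --dport {_port(ip_port, params)} -j ACCEPT")
        else:                    # IPWorks connects to peer: restrict by destination
            dst = f" -d {params[peer]}" if peer else ""
            lines.append(f"iptables all -A OUTPUT -o {oam} -p {proto}{dst}"
                         f" --dport {_port(peer_port, params)} -j ACCEPT")
    # Everything else on the OAM interface is dropped. These must stay last:
    # Table 3 says rules run in the order given, so a DROP placed earlier
    # would shadow the ACCEPT rules above it.
    lines.append(f"iptables all -A INPUT -i {oam} -j DROP")
    lines.append(f"iptables all -A OUTPUT -o {oam} -j DROP")
    return lines


if __name__ == "__main__":
    print("\n".join(oam_rules(SAMPLE_PARAMS)))
```

ICMP is not listed in Table 1, so the generated set does not open it; add it explicitly if the OAM network relies on ping or path MTU discovery.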

4   Appendix: Iptables Introduction

4.1   IP Filtering Terms and Expressions

To fully understand the following sections, the most common terms used in IP filtering are listed below.

The list also includes details about TCP/IP.

4.2   Building Rules

A rule can be described as the directions the firewall adheres to when blocking or permitting different connections and packets in a specific chain.

Each command line inserted in a chain is considered a rule.

4.2.1   Typical Iptables Commands

iptables command [match] [target/jump]

The following tables show the details of the command (Table 6), the options (Table 7), the generic matches (Table 8), the TCP matches (Table 9), the UDP matches (Table 10) and the ICMP matches (Table 11).

Table 6    Command

-A, --append
  Example: iptables -A INPUT
  Explanation: Appends the rule to the end of the chain. The rule is always put last in the rule-set and hence checked last, unless you append more rules after it.

-D, --delete
  Example: iptables -D INPUT -p tcp --dport 80 -j DROP, iptables -D INPUT 1
  Explanation: Deletes a rule in a chain. This can be done in two ways:
    • Entering the whole rule to match. If you use this one, your entry must match the entry in the chain exactly.
    • Specifying the rule number that you want to match. If you use this one, the number must be that of the rule you want to delete. The rules are numbered from the top of each chain, starting with number 1.

-R, --replace
  Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
  Explanation: Replaces the old entry at the specified line. This command works in the same way as the --delete command; however, instead of totally deleting the entry, it replaces it with a new entry.

-I, --insert
  Example: iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
  Explanation: Inserts a rule somewhere in a chain. The rule is inserted at the number that we specify. The above example is inserted as rule 1 in the INPUT chain, and hence from now on it is the first rule in the chain.

-L, --list
  Example: iptables -L INPUT
  Explanation: Lists all the entries in the specified chain. In the above case, we would list all the entries in the INPUT chain. It is also legal not to specify any chain at all. The exact output differs depending on the options this command is used with, for example -n and -v.

-F, --flush
  Example: iptables -F INPUT
  Explanation: Flushes all rules from the specified chain and is equivalent to deleting all rules one by one, but faster. If the command is used without a chain name, it deletes all rules in all chains within the specified table.

-Z, --zero
  Example: iptables -Z INPUT
  Explanation: Tells the program to zero all counters in a specific chain, or in all chains. This command works the same as -L, except that -Z does not list the rules. If -L and -Z are used together (which is legal):
    • Firstly, the chains are listed.
    • Secondly, the packet counters are zeroed.

-N, --new-chain
  Example: iptables -N allowed
  Explanation: Tells the kernel to create a new chain of the specified name in the specified table. In the above example, we create a chain called allowed.(1)

-X, --delete-chain
  Example: iptables -X allowed
  Explanation: Deletes the specified chain from the table. The prerequisite of this command is that you must replace or delete all rules referring to the chain before actually deleting the chain. If this command is used without any options, all chains but those built into the specified table are deleted.

-P, --policy
  Example: iptables -P INPUT DROP
  Explanation: Tells the kernel to set a specified default target, or policy, on a chain. All packets that do not match any rule are then forced to use the policy of the chain. Legal targets are:
    • DROP
    • ACCEPT

-E, --rename-chain
  Example: iptables -E allowed disallowed
  Explanation: Tells iptables to change the first name of a chain to the second name. In the example above, we change the name of the chain from allowed to disallowed.(2)

(1)   Make sure no chain or target of the same name exists.

(2)   This doesn't affect the actual way the table works; it is just a cosmetic change to the table.


Table 7    Options

-v, --verbose
  Commands used with: --list, --append, --insert, --delete, --replace
  Explanation: Gives verbose output. This option is mainly used with the --list command, where the program then also outputs:
    • The interface address.
    • Rule options.
    • TOS masks.
  If the --verbose option is set, the --list command also includes a byte and packet counter for each rule. These counters use the following multipliers:
    • K (x1000)
    • M (x1,000,000)
    • G (x1,000,000,000)
  To overrule this and get exact output, use the -x option described below.
  This option can also be used with the --append, --insert, --delete or --replace commands; the program then outputs detailed information such as:
    • How the rule is interpreted.
    • Whether it is inserted correctly.

-x, --exact
  Commands used with: --list
  Explanation: Expands the numerics. The output from --list then does not contain the K, M or G multipliers. Instead we get exact output from the packet and byte counters, showing how many packets and bytes have matched the rule in question. This option is only applicable to the --list command and is not relevant to any other command.

-n, --numeric
  Commands used with: --list
  Explanation: Tells iptables to output numerical values. IP addresses and port numbers are printed as numbers rather than as host names, network names or application names. This option is only applicable to the --list command, and only there does it override the default of resolving all numerics to hosts and names.

--line-numbers
  Commands used with: --list
  Explanation: Used together with the --list command to output line numbers. It outputs the corresponding number for each rule, which makes it convenient to know which rule has which number when inserting rules. This option is only applicable to the --list command.

-c, --set-counters
  Commands used with: --insert, --append, --replace
  Explanation: This option is used to:
    • Firstly, create a rule or modify a rule.
    • Secondly, initialize the packet and byte counters for the rule.
  The syntax is something like --set-counters 20 4000, which tells the kernel to set the packet counter to 20 and the byte counter to 4000.

--modprobe
  Commands used with: All
  Explanation: Tells iptables which module to use when probing for modules or adding them to the kernel. This option is useful only when the modprobe command is not in the search path. In other words, you must specify this option so the program knows what to do in case a required module is not loaded. This option can be used with all commands.

Table 8    Generic Matches

-p, --protocol
  Example: iptables -A INPUT -p tcp
  Explanation: Checks certain protocols. The protocol must be one of the internally specified protocols, TCP, UDP or ICMP. The protocol can also:
    • Take a value specified in the /etc/protocols file. If iptables can't find the protocol there, it replies with an error.
    • Be an integer value. For example, the ICMP protocol is the integer value 1, TCP is 6 and UDP is 17.
    • Take the value ALL. ALL means that it matches only TCP, UDP and ICMP. If this match is given the integer value of zero (0), it means all protocols, which in turn is the default behavior if the --protocol match is not used.
  To invert this match, add a ! sign, so --protocol ! tcp means matching UDP and ICMP.

-s, --src, --source
  Example: iptables -A INPUT -s 192.168.1.1
  Explanation: Matches packets based on their source IP address. The main form can be used to match single IP addresses, such as 192.168.1.1. It can also be used with:
    • A netmask in CIDR "bit" form, by specifying the number of ones (1's) on the left side of the network mask. For example, we can add /24 to use a 255.255.255.0 netmask and so match whole IP ranges, such as our local networks or network segments behind the firewall. The line then looks something like 192.168.0.0/24, which matches all packets in the 192.168.0.x range.
    • A regular netmask in the 255.255.255.255 form (for example, 192.168.0.0/255.255.255.0).
  To invert this match, add an ! sign. For example, --source ! 192.168.0.0/24 matches all packets whose source address is not within the 192.168.0.x range.
  The default is to match all IP addresses.

-d, --dst, --destination
  Example: iptables -A INPUT -d 192.168.1.1
  Explanation: Matches packets based on their destination address or addresses. This match works basically the same as the --source match and has the same syntax, except that the --destination match is based on where the packets are going. To match an IP range, we can add a netmask either in the exact netmask form or as the number of ones (1's) counted from the left side of the netmask bits. For example, 192.168.0.0/255.255.255.0 and 192.168.0.0/24 are equivalent. To invert this match, add an ! sign. For example, --destination ! 192.168.0.1 matches all packets except those destined to the 192.168.0.1 IP address.

-i, --in-interface
  Example: iptables -A INPUT -i eth0
  Explanation: Matches the interface the packet came in on. This option is only legal in the INPUT, FORWARD and PREROUTING chains and returns an error message when used anywhere else. The default behavior of this match, if no particular interface is specified, is to assume a string value of +. The + value matches any string of letters and numbers; in other words, a single + tells the kernel to match all packets without considering which interface they came in on. The + string can also be appended to the type of interface, so eth+ matches all Ethernet devices. To invert this match, add an ! sign. For example, -i ! eth0 matches all incoming interfaces except eth0.

-o, --out-interface
  Example: iptables -A FORWARD -o eth0
  Explanation: Matches the interface on which packets are leaving. This match is only available in the OUTPUT, FORWARD and POSTROUTING chains, the opposite of the --in-interface match. Other than this, it works basically the same as the --in-interface match. The + extension means matching all devices of a similar type, so eth+ matches all eth devices. To invert this match, add an ! sign. If no --out-interface is specified, the default behavior of this match is to match all devices, regardless of where the packet is going.

-f, --fragment
  Example: iptables -A INPUT -f
  Explanation: Matches the second and following parts of a fragmented packet. The reasons are:
    • In the case of fragmented packets, we can't tell the source or destination ports of the fragments, nor the ICMP types, among other things.
    • In some rather special cases, fragmented packets can be used to compound attacks against other computers. These packet fragments can not be matched by other rules.
  To invert this match, add an ! sign. However, in this case the ! sign must precede the match. For example, ! -f means:
    • We match all the first fragments of fragmented packets, and not the second, third, and so on.
    • We match all packets that have not been fragmented during transfer.
  (1)(2)

(1)  You can use other good defragmentation options within the kernel.

(2)  If you use connection tracking, you can't see any fragmented packets, since they are dealt with before hitting any chain or table in iptables.


Table 9    TCP Matches

--sport, --source-port
  Example: iptables -A INPUT -p tcp --sport 22
  Explanation: This match(1) is used to match packets based on their source port. Without it, all source ports are implied. The match can take either a service name or a port number:
    • If you specify a service name, it must be in the /etc/services file, since iptables looks names up in that file.
    • If you specify the port by its number, the rule loads slightly faster, since iptables doesn't have to look up the service name.
  However, a port number is harder to read than a service name. If you are writing a rule-set of 200 rules or more, you can use port numbers, since the difference is noticeable. (On a slow box, this could make as much as 10 seconds' difference, if you have configured a large rule-set containing 1000 rules or so.)
  You can also use the --source-port match to match a range of ports, for example --source-port 22:80, which matches all source ports between 22 and 80.
    • If the first port specification is omitted, port 0 is assumed (implicit). --source-port :80 then matches port 0 through 80.
    • If the last port specification is omitted, port 65535 is assumed. --source-port 22: then matches all ports from port 22 through port 65535.
  If you invert the port range, iptables automatically reverses your inversion: --source-port 80:22 is simply interpreted as --source-port 22:80.
  To invert this match, add a ! sign. For example, --source-port ! 22 means that you want to match all ports but port 22. The inversion can also be used with a port range: --source-port ! 22:80 matches all ports but ports 22 through 80. For more information, see Section 4.2.2.3.

--dport, --destination-port
  Example: iptables -A INPUT -p tcp --dport 22
  Explanation: This match(1) is used to match TCP packets depending on their destination port. This match:
    • Uses exactly the same syntax as the --source-port match.
    • Understands port and port range specifications, as well as inversions.
    • Reverses high and low ports in port range specifications, as above.
    • Assumes values of 0 and 65535 if the high or low port is left out in a port range specification, exactly the same as the --source-port syntax.
  For more information, see Section 4.2.2.3.

--tcp-flags
  Example: iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN
  Explanation: Matches the TCP flags in a packet. The match takes two lists:
    • A list of flags to compare (a mask).
    • A list of flags that must be set to 1, or turned on.
  Both lists are comma-delimited.(2) You can see the correct syntax in the example above. This match:
    • Knows about the SYN, ACK, FIN, RST, URG and PSH flags.
    • Recognizes the words ALL and NONE, which are pretty much self-describing: ALL means to use all flags and NONE means to use no flags for the option. --tcp-flags ALL NONE means to check all of the TCP flags and match if none of the flags are set.
  To invert this match, add a ! sign. For example, if we specify ! SYN,FIN,ACK SYN, we get a match that matches packets that have the ACK and FIN bits set, but not the SYN bit.

--syn
  Example: iptables -A INPUT -p tcp --syn
  Explanation: This match is an old relic from ipchains and is still there for:
    • Backward compatibility.
    • Making it easier to transition from one to the other.
  It matches packets that have the SYN bit set and the ACK and RST bits unset, and so works exactly the same as the --tcp-flags SYN,RST,ACK SYN match. Such packets are mainly used to request new TCP connections from a server. If you block these packets, you effectively block all incoming connection attempts; however, you don't block the outgoing connections. These are used by lots of exploits today (for example, hacking a legitimate service and then installing a program or suchlike that enables initiating an existing connection to your host, instead of opening up a new port on it).
  To invert this match, add a ! sign, as in ! --syn. This matches all packets with the RST or the ACK bits set, in other words packets in an already established connection.

--tcp-option
  Example: iptables -A INPUT -p tcp --tcp-option 16
  Explanation: Matches packets depending on their TCP options. A TCP option is a specific part of the header, consisting of 3 different fields:
    • First: 8 bits long, describing which option is used in this stream.
    • Second: 8 bits long, describing how long the option field is.
    • Third: the content of the used option.
  The reason for this length field is that TCP options are optional. To be compliant with the standards, we do not need to implement all the options; instead we can just look at what kind of option it is, and if we do not support it, we look at the length field and can then jump over this data. This match is used to match different TCP options depending on their decimal values. To invert this match, add a ! sign, so that the match matches all TCP options but the option given to the match.

(1)   This match does not handle multiple separated ports and port ranges.

(2)   The comma delimitation should not include spaces.


Table 10    UDP Matches

--sport, --source-port
  Example: iptables -A INPUT -p udp --sport 53
  Explanation: Works exactly the same as its TCP counterpart, matching packets based on their source UDP port. It supports the following items with the same syntax:
    • Port ranges
    • Single ports
    • Port inversions
  To specify a UDP port range, you can use 22:80, which matches UDP ports 22 through 80:
    • If the first value is omitted, port 0 is assumed.
    • If the last port is omitted, port 65535 is assumed.
    • If the high port comes before the low port, the ports switch place with each other automatically.
  For single UDP port matches, see the above example. To invert the port match, add an ! sign. For example, --source-port ! 53 matches all ports but port 53. The match understands service names, as long as the names are available in the /etc/services file.(1) For more information, see Section 4.2.2.3.

--dport, --destination-port
  Example: iptables -A INPUT -p udp --dport 53
  Explanation: This match(1) is the same as the --source-port match above. It is equivalent to the TCP match, but here it applies to UDP packets based on their UDP destination port. This match handles:
    • Port ranges.
    • Single ports.
    • Port inversions.
  To match a single port, for example, use --destination-port 53, which matches all UDP packets going to port 53. To invert this match, add an ! sign: --destination-port ! 53 matches all packets but those going to destination port 53.
  To specify a port range, for example, use --destination-port 9:19, which matches all packets destined for UDP ports 9 through 19.
    • If the first port is omitted, port 0 is assumed.
    • If the second port is omitted, port 65535 is assumed.
    • If the high port is placed before the low port, they automatically switch place, so the low port winds up before the high port.
  For more information, see the Multiport Match (Section 4.2.2.3).

(1)  This match does not handle multiple separated ports and port ranges.


Table 11    ICMP Matches

--icmp-type
  Example: iptables -A INPUT -p icmp --icmp-type 8
  Explanation: Specifies the ICMP type to match. ICMP types can be specified by either of the following:
    • Their numeric values.
    • Their names.
  Numerical values are specified in RFC 792. To find a complete listing of the ICMP name values, do either of the following:
    • Type iptables --protocol icmp --help
    • Check the ICMP types appendix.
  To invert this match, add an ! sign, as in --icmp-type ! 8.(1)
  The type and code can be specified by their type names, numeric types, and type/code as well. For example, --icmp-type network-redirect, --icmp-type 8 or --icmp-type 8/0. For a complete listing of the names, type iptables -p icmp --help.(2)

(1)   Some ICMP types are obsolete, and others may be "dangerous" for an unprotected host since they may, among other things, redirect packets to the wrong places.

(2)   Netfilter uses ICMP type 255 to match all ICMP types. If you try to match this ICMP type, you will wind up matching all ICMP types.


4.2.2   Explicit Matches

4.2.2.1   IP Range Match

The IP range match is used to match IP ranges, just as the --source and --destination matches are able to do. However, this match adds a different kind of matching: an arbitrary from-IP to to-IP range, which the --source and --destination matches can not express. This is needed in some specific network setups and is more flexible.

Use -m iprange keyword to load the IP range match.

Table 12    IP Range Match

--src-range
  Example: iptables -A INPUT -p tcp -m iprange --src-range 192.168.1.13-192.168.2.19
  Explanation: Matches a range of source IP addresses. The range includes every single IP address from the first to the last, so the example above includes everything from 192.168.1.13 to 192.168.2.19. The match can be inverted by adding an ! sign. The above example would then look like -m iprange ! --src-range 192.168.1.13-192.168.2.19, which matches every single IP address except the ones specified.

--dst-range
  Example: iptables -A INPUT -p tcp -m iprange --dst-range 192.168.1.13-192.168.2.19
  Explanation: Works exactly the same as the --src-range match, except that it matches destination IPs instead of source IPs.

4.2.2.2   Length Match

The length match is used to match packets based on their length.

Use the length match if you want to do either of the following:

Table 13    Length Match

--length
  Example: iptables -A INPUT -p tcp -m length --length 1400:1500
  Explanation: The example --length matches all packets with a length between 1400 and 1500 bytes. To invert this match, add an ! sign, for example -m length ! --length 1400:1500. To only match a specific length, remove the : sign and everything after it, for example -m length --length 1400.

4.2.2.3   Multiport Match

The multiport match extension is used to specify multiple destination ports and port ranges. Otherwise, you must use multiple rules of the same type to match different ports.

Table 14    Multiport Match Options

Match: --source-port
Example: iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110
Explanation: This matches multiple source ports. A maximum of 15 separate ports can be specified, and the ports must be comma delimited, as in the example above. The match can only be used together with -p tcp or -p udp; in that case it is an enhanced version of the normal --source-port match.

Match: --destination-port
Example: iptables -A INPUT -p tcp -m multiport --destination-port 22,53,80,110
Explanation: This matches multiple destination ports. It works exactly like the --source-port match above, except that it matches destination ports. It also has a maximum of 15 ports and can only be used with -p tcp and -p udp.

Match: --port
Example: iptables -A INPUT -p tcp -m multiport --port 22,53,80,110
Explanation: This match(1) extension can be used to match packets based on both their destination port and their source port. It works the same way as the --source-port and --destination-port matches above, takes a maximum of 15 ports, and can only be used with -p tcp and -p udp.

(1)   The --port match only matches packets coming in from and going to the same port, for example port 80 to port 80, port 110 to port 110 and so on.
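As an added example (not from this document or from IPWorks), the Python script below generates multiport rules from a list of ports while keeping each rule within the 15-port limit described above and rejecting protocols other than tcp and udp. The chain, the target and the port list are constructed assumptions; the detail that a low:high range counts as two ports toward the limit comes from the iptables-extensions manual, not from this document.

```python
"""Added example (not part of the Ericsson document): generating multiport
rules that respect the 15-port limit described in Table 14.

Assumes only the standard library.  The port list is constructed sample
data; chain and target are assumptions used to form complete rules."""

MAX_PORTS = 15  # limit stated in the document


def _port_weight(item: str) -> int:
    """A single port counts as one entry; a range 'low:high' counts as two
    (this is stated in iptables-extensions(8) for multiport)."""
    if ":" in item:
        low, high = item.split(":", 1)
        if not (0 <= int(low) <= int(high) <= 65535):
            raise ValueError(f"bad port range {item!r}")
        return 2
    if not 0 <= int(item) <= 65535:
        raise ValueError(f"bad port {item!r}")
    return 1


def _render(items, proto, chain, option, target):
    """Build one comma-delimited multiport rule, as in the document's examples."""
    return (f"iptables -A {chain} -p {proto} -m multiport {option} "
            f"{','.join(items)} -j {target}")


def multiport_rules(ports, proto="tcp", chain="INPUT",
                    option="--destination-port", target="ACCEPT"):
    """Split PORTS (ints or 'low:high' strings) into as few rules as
    possible, each with at most MAX_PORTS port entries, preserving order."""
    if proto not in ("tcp", "udp"):
        raise ValueError("multiport only works with -p tcp or -p udp")
    if option not in ("--source-port", "--destination-port", "--port"):
        raise ValueError(f"unsupported multiport option {option!r}")
    rules, current, weight = [], [], 0
    for item in (str(p) for p in ports):
        w = _port_weight(item)
        if weight + w > MAX_PORTS:          # this rule is full, start a new one
            rules.append(_render(current, proto, chain, option, target))
            current, weight = [], 0
        current.append(item)
        weight += w
    if current:
        rules.append(_render(current, proto, chain, option, target))
    return rules


if __name__ == "__main__":
    # constructed sample: 18 single ports plus one range, too many for one rule
    sample = [22, 25, 53, 80, 110, 143, 443, 465, 587, 993,
              995, 3306, 5432, 6379, 8080, 8443, 9000, 9090, "10000:10010"]
    for rule in multiport_rules(sample):
        print(rule)
```

The sample list produces two rules: the first carries fifteen ports, the second the remaining three ports and the range. Without the split, iptables would refuse the rule, so a generator like this is the safest place to enforce the limit.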


4.3   Iptables Targets

The target tells the rule what to do with a packet that is a perfect match with the match section of the rule.

This section describes the basic targets.

4.3.1   ACCEPT Target

This target needs no further options. As soon as the match specification of a rule is fully satisfied by a packet, the ACCEPT target is taken.

The packet is accepted and does not continue traversing the current chain or any other chain in the same table.

Note:  
However, a packet that was accepted in one chain can still travel through chains within other tables, and can still be dropped there.

This target has no special behaviour and takes no further options. To use it, simply specify -j ACCEPT.

4.3.2   DROP Target

This target drops the packet dead and does not carry out any further processing. A packet that matches the rule is dropped and blocked.

Note:  
This action has unwanted effects in certain cases, since it can leave dead sockets around on either host. Where that is likely, a better solution is to use the REJECT target, especially when you want to block port scanners from gaining too much information, for example about filtered ports.

If a packet has the DROP action taken on it in a subchain, the packet is not processed in any of the main chains either, in the present table or in any other table. The packet is totally dead.


4.3.3   LOG Target

This target is designed to log detailed information about packets.

Table 15    LOG Target Options

Option: --log-level
Example: iptables -A FORWARD -p tcp -j LOG --log-level debug
Explanation: This option tells iptables and syslog which log level to use. For a complete list of log levels, see the syslog.conf manual. The general log levels (or priorities) are listed below:

  • debug
  • info
  • notice
  • warning
  • warn
  • err
  • error
  • crit
  • alert
  • emerg
  • panic

The keyword error is the same as err, warn is the same as warning and panic is the same as emerg(1).

The priority defines the severity of the message being logged. All messages are logged through the kernel facility, so to collect them in one file:

  • Set kern.=info /var/log/iptables in your syslog.conf file.
  • Let all your LOG rules in iptables use log level info; all their messages then appear in the /var/log/iptables file(2).

Option: --log-prefix
Example: iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"
Explanation: This option tells iptables to prefix all log messages with a specific prefix, which can then easily be combined with grep or other tools to track specific problems and to tell the output of different rules apart. The prefix is up to 29 letters long, including white-spaces and other special symbols.

Option: --log-tcp-sequence
Example: iptables -A INPUT -p tcp -j LOG --log-tcp-sequence
Explanation: This option logs the TCP sequence numbers together with the log messages. The TCP sequence numbers identify each packet and where it fits into the TCP stream, and thus how the stream is reassembled(3).

Option: --log-tcp-options
Example: iptables -A FORWARD -p tcp -j LOG --log-tcp-options
Explanation: This option logs the options from the TCP packet header and is valuable when trying to find out what can go wrong, or what has actually gone wrong. The option takes no arguments, as is the case for most of the LOG options.

Option: --log-ip-options
Example: iptables -A FORWARD -p tcp -j LOG --log-ip-options
Explanation: This option logs most of the IP packet header options. It works exactly like --log-tcp-options, but on the IP options instead. These log messages are valuable for debugging and for tracking down specific culprits, in the same way as the previous option.

(1)   All three of these are deprecated; in other words, do not use error, warn and panic.

(2)   If other parts of the kernel log with the info priority, their messages appear here as well.

(3)   This option is a security risk if the logs are readable by unauthorized users, or by the world for that matter.
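The following Python script is an added example, not part of this document, showing what LOG target output looks like once it reaches syslog and how --log-prefix is used to separate the output of different rules. It parses constructed sample kernel log lines in the format the LOG target writes, skips lines that are not LOG output, and counts entries per prefix and per source address and destination port. Host names, addresses and MAC addresses in the sample are made up, and only the Python standard library is used.

```python
"""Added example (not part of the Ericsson document): parsing kernel log
lines written by the iptables LOG target and summarising them by
--log-prefix, source address and destination port.

The log lines below are constructed samples in the field layout the LOG
target produces (IN= OUT= MAC= SRC= DST= LEN= ... PROTO= SPT= DPT=);
host names, addresses and MACs are made up.  Only the standard library is used."""
import re
from collections import Counter

SAMPLE_LOG = """\
Jan 10 12:00:01 sc-1 kernel: [ 1234.567890] INPUT packets IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:02 sc-1 kernel: [ 1235.000000] INPUT packets IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:03 sc-1 kernel: [ 1236.000000] FORWARD drop IN=eth1 OUT=eth0 SRC=192.0.2.7 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=UDP SPT=5353 DPT=53 LEN=32
Jan 10 12:00:04 sc-1 kernel: [ 1237.000000] unrelated kernel message
"""

# The --log-prefix text sits between the kernel timestamp and the first IN= field.
LINE_RE = re.compile(r"kernel: \[\s*[\d.]+\] (?P<prefix>.*?) ?(?P<fields>IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
# Bare tokens the LOG target emits without a value (IP and TCP flags).
FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Return a dict of fields for one LOG line, or None if the line was
    not written by the LOG target (it has no IN= field)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip()}
    tokens = m.group("fields").split()
    rec["flags"] = sorted(t for t in tokens if t in FLAGS)
    for tok in tokens:
        fm = FIELD_RE.fullmatch(tok)
        if fm:
            key, val = fm.groups()
            # UDP lines carry a second LEN= (the UDP length); keep the first,
            # which is the IP total length.
            rec.setdefault(key, val)
    return rec


def summarise(text):
    """Parse every line of TEXT and count LOG entries per --log-prefix and
    per (source address, destination port) pair."""
    records = [r for r in map(parse_log_line, text.splitlines()) if r]
    by_prefix = Counter(r["prefix"] for r in records)
    by_src_dpt = Counter((r.get("SRC"), r.get("DPT")) for r in records)
    return records, by_prefix, by_src_dpt


if __name__ == "__main__":
    records, by_prefix, by_src_dpt = summarise(SAMPLE_LOG)
    print("entries per --log-prefix:", dict(by_prefix))
    for (src, dpt), n in by_src_dpt.most_common():
        print(f"{src:>12} -> dpt {dpt:<5} {n} hit(s)")
```

Because the prefix is the only field the rule author controls, choosing a distinct prefix per LOG rule (within the 29-character limit) is what makes this kind of per-rule counting possible.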


4.3.4   REJECT Target

This target works basically the same as the DROP target, but it also sends back an error message to the host sending the packet that was blocked.

Table 16    REJECT Target Options

Option: --reject-with
Example: iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
Explanation: This option tells the REJECT target what response to send to the host that sent the packet we are rejecting. The process is as follows:

  • We get a packet that matches a rule in which we have specified this target.
  • Our host first sends the associated reply.
  • The packet is then dropped dead(1).

The following reject types are currently valid:

  • icmp-net-unreachable
  • icmp-host-unreachable
  • icmp-port-unreachable
  • icmp-proto-unreachable
  • icmp-net-prohibited
  • icmp-host-prohibited

The default is to send a port-unreachable to the host. All of the above are ICMP error messages and can be set as you wish. You can find further information on their various purposes in the appendix ICMP types.

Finally, there is one more option called tcp-reset, which may only be used together with the TCP protocol. The tcp-reset option tells REJECT to send a TCP RST packet in reply to the sending host. TCP RST packets are used to close open TCP connections gracefully. For more information about TCP RST, see RFC 793 - Transmission Control Protocol.

This is mainly useful for blocking ident probes, which frequently occur when sending mail to broken mail hosts that do not otherwise accept your mail.

(1)   Just as the DROP target would drop it.



Reference List

Ericsson Documents
[1] Trademark Information.
[2] Typographic Conventions.
[3] Glossary of Terms and Acronyms.


Copyright

© Ericsson AB 2017, 2018. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

Trademark List
All trademarks mentioned herein are the property of their respective owners. These are shown in the document Trademark Information.
