Develop Reference

How to pass to NFQUEUE all incoming connection packets

I develop an application to inspect packets arriving on a linux machine.
I would like to send in NFQUEUE all the incoming connection packets and only the incoming ones. Not only --state NEW but also --state ESTABLISHED, RELATED for connections that are initiated by a client.
One last thing, to make the tcp handshake for all ports I need this rule to works in addition:
iptables -A PREROUTING -t nat -p tcp -match multiport! --dport 64646 -j REDIRECT --to-ports 1234
Any help would be very appreciated.
Thank you!

I found the solution if it interests someone.
# Accept our ssh on a modified port
iptables -A PREROUTING -t raw -p tcp --dport 64646 -j ACCEPT
# Mark all packets of incoming NEW connection with mark 1 (netfilter connmark)
iptables -A PREROUTING -t mangle -m state --state NEW -j CONNMARK --set-mark 1
# Push into nfqueue all marked packets (netfilter nfqueue)
iptables -A PREROUTING -t mangle -m connmark --mark 1 -j NFQUEUE --queue-num 0
# Redirect all incoming connections to the userland listener to make TCP handshake
iptables -A PREROUTING -t nat -p tcp --match multiport ! --dport 64646 -j REDIRECT --to-ports 1234
Finally all the incoming packets go into nfqueue but if I work on the machine (update, upgrade, install...) packets do not match the rules.
In addition the redirection applies after nfqueue decision, so I log the base port (not 1234).

iptables --sport vs --dport. INPUT vs OUTPUT

I am having some trouble understanding iptables. I know it acts as a filter but something isn't clicking because it isn't working the way I think it should. Let me start by saying that I'm creating a white list, so all policies (INPUT, FORWARD, OUTPUT) default to DROP.
I have the following rules related to SMTP:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j ACCEPT //needed for receiving?
-A OUTPUT -p tcp --sport 25 -j ACCEPT //needed for sending?
*these 3 lines also exist verbatim for ports 587 & 465
If I remove the first OUTPUT line then my server won't receive emails & if I remove the last line it won't send emails. What I don't understand is why. Shouldn't:
-A INPUT -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp --sport 25 -j ACCEPT
be enough to let everything through? AFAIK all SMTP communication should go over 25, 587 or 465. My current understanding says an SMTP packet should always match one of these two rules. All input packets should come to port 25, and all output packets be sent from 25? What am I missing?

For SMTP you don't need any --sport rule. The source and destination don't depend on direction - they're match on the packet's source and destination ports. Every connection will have a random source port, so there's nothing to match on.
If I remove the first OUTPUT line then my server won't receive emails & if I remove the last line it won't send emails.
This is wrong. Only the INPUT line matters for receiving emails. Also, only the OUTPUT --dport 25 line matters for sending emails. So these rules should be enough:
-A INPUT -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j ACCEPT
The problem may be that you set OUTPUT to default to DROP, but allowed established connection on INPUT only. Usually people leave OUTPUT defaulting to ACCEPT. If you want to continue using a whitelist for OUTPUT, you'll have to add:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Also, please read up on SMTP ports. Some of those you listed are only needed for email submissions and deprecated encryption, not for server-to-server communication. This may change how you plan your rules.

Previous answer state: Also, only the OUTPUT --dport 25 line matters for sending emails.
This is not always true. For instance some systems are configured as smarthost where the MTA become a client. In such case, the MTA will connect to a remote server on submission port (587) USING SASL authentication to send mails.
To resume, a client is sending mail through a remote server and the remote server itself connect to another remote server on port 587 with SASL authentication.
In such case, the following iptable rules applies (for the smarthost)
iptables -I OUTPUT -p -tcp -dport 597 -j ACCEPT
iptables -I INPUT -p -tcp -sport 587 -j ACCEPT

iptables allow request started by server

As you can image, we need iptables to block the ports we do not need to protect server.
But I need to request some third party resource, and I got confuse on how to do it.
Here are my iptables rules
iptables -F
iptables -A INPUT -p UDP -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 110.75.147.65/32 -j ACCEPT
iptables -A INPUT -s localhost -j ACCEPT
iptables -A INPUT -j DROP
And 110.75.147.65/32 is the one of third party servers' IP, I wonder if there are any way to allow all connection started by my server such as curl https://www.google.com/, otherwise I need to add all my third party servers' IP to the iptables rules.

How about
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables LOG and DROP in one rule

I am trying to log outgoing connections with iptables. What I want is, drop and accept connection while logging them also. I have found that -j option takes DROP/REJECT/ACCEPT/LOG. But I want to do something like DROP and LOG or ACCEPT and LOG. Is there a way to achieve this ?

Although already over a year old, I stumbled across this question a couple of times on other Google search and I believe I can improve on the previous answer for the benefit of others.
Short answer is you cannot combine both action in one line, but you can create a chain that does what you want and then call it in a one liner.
Let's create a chain to log and accept:
iptables -N LOG_ACCEPT
And let's populate its rules:
iptables -A LOG_ACCEPT -j LOG --log-prefix "INPUT:ACCEPT:" --log-level 6
iptables -A LOG_ACCEPT -j ACCEPT
Now let's create a chain to log and drop:
iptables -N LOG_DROP
And let's populate its rules:
iptables -A LOG_DROP -j LOG --log-prefix "INPUT:DROP: " --log-level 6
iptables -A LOG_DROP -j DROP
Now you can do all actions in one go by jumping (-j) to you custom chains instead of the default LOG / ACCEPT / REJECT / DROP:
iptables -A <your_chain_here> <your_conditions_here> -j LOG_ACCEPT
iptables -A <your_chain_here> <your_conditions_here> -j LOG_DROP

Example:
iptables -A INPUT -j LOG --log-prefix "INPUT:DROP:" --log-level 6
iptables -A INPUT -j DROP
Log Exampe:
Feb 19 14:18:06 servername kernel: INPUT:DROP:IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88 SRC=x.x.x.x DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=x PROTO=TCP SPT=x DPT=x WINDOW=x RES=0x00 SYN URGP=0
Other options:
LOG
Turn on kernel logging of matching packets. When this option
is set for a rule, the Linux kernel will print some
information on all matching packets
(like most IP header fields) via the kernel log (where it can
be read with dmesg or syslogd(8)). This is a "non-terminating
target", i.e. rule traversal
continues at the next rule. So if you want to LOG the packets
you refuse, use two separate rules with the same matching
criteria, first using target LOG
then DROP (or REJECT).
--log-level level
Level of logging (numeric or see syslog.conf(5)).
--log-prefix prefix
Prefix log messages with the specified prefix; up to 29
letters long, and useful for distinguishing messages in
the logs.
--log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the
log is readable by users.
--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IP packet header.
--log-uid
Log the userid of the process which generated the packet.

At work, I needed to log and block SSLv3 connections on ports 993 (IMAPS) and 995 (POP3S) using iptables. So, I combined Gert van Dijk's How to take down SSLv3 in your network using iptables firewall? (POODLE) with Prevok's answer and came up with this:
iptables -N SSLv3
iptables -A SSLv3 -j LOG --log-prefix "SSLv3 Client Hello detected: "
iptables -A SSLv3 -j DROP
iptables -A INPUT \
-p tcp \! -f -m multiport --dports 993,995 \
-m state --state ESTABLISHED -m u32 --u32 \
"0>>22&0x3C# 12>>26&0x3C# 0 & 0xFFFFFF00=0x16030000 && \
0>>22&0x3C# 12>>26&0x3C# 2 & 0xFF=0x01 && \
0>>22&0x3C# 12>>26&0x3C# 7 & 0xFFFF=0x0300" \
-j SSLv3
Explanation
To LOG and DROP, create a custom chain (e.g. SSLv3):
iptables -N SSLv3
iptables -A SSLv3 -j LOG --log-prefix "SSLv3 Client Hello detected: "
iptables -A SSLv3 -j DROP
Then, redirect what you want to LOG and DROP to that chain (see -j SSLv3):
iptables -A INPUT \
-p tcp \! -f -m multiport --dports 993,995 \
-m state --state ESTABLISHED -m u32 --u32 \
"0>>22&0x3C# 12>>26&0x3C# 0 & 0xFFFFFF00=0x16030000 && \
0>>22&0x3C# 12>>26&0x3C# 2 & 0xFF=0x01 && \
0>>22&0x3C# 12>>26&0x3C# 7 & 0xFFFF=0x0300" \
-j SSLv3
Note: mind the order of the rules. Those rules did not work for me until I put them above this one I had on my firewall script:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

nflog is better
sudo apt-get -y install ulogd2
ICMP Block rule example:
iptables=/sbin/iptables
# Drop ICMP (PING)
$iptables -t mangle -A PREROUTING -p icmp -j NFLOG --nflog-prefix 'ICMP Block'
$iptables -t mangle -A PREROUTING -p icmp -j DROP
And you can search prefix "ICMP Block" in log:
/var/log/ulog/syslogemu.log

for china GFW:
sudo iptables -I INPUT -s 173.194.0.0/16 -p tcp --tcp-flags RST RST -j DROP
sudo iptables -I INPUT -s 173.194.0.0/16 -p tcp --tcp-flags RST RST -j LOG --log-prefix "drop rst"
sudo iptables -I INPUT -s 64.233.0.0/16 -p tcp --tcp-flags RST RST -j DROP
sudo iptables -I INPUT -s 64.233.0.0/16 -p tcp --tcp-flags RST RST -j LOG --log-prefix "drop rst"
sudo iptables -I INPUT -s 74.125.0.0/16 -p tcp --tcp-flags RST RST -j DROP
sudo iptables -I INPUT -s 74.125.0.0/16 -p tcp --tcp-flags RST RST -j LOG --log-prefix "drop rst"

Allow ssh incoming/outgoing and blocking all outgoing besides specific ports

I am trying to create iptable rules that will allow incoming and outgoing ssh connections, and then allow outbound connections to specific ports, then finally drop anything that doesnt match.
These are the rules I have come up with, the SSH rules work, but when I tunnel into the box I cant seem to access http (port 80) even though i've allowed it. Can anyone spot the mistake?
#!/bin/bash
#clear iptables
iptables -F
iptables -X
#set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#accept everything no matter port on localhost
iptables -A INPUT -i lo -j ACCEPT
#allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow input on port 22, (established connections auto accepted)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#allow traffic going to specific outbound ports
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6697 -j ACCEPT
#...
#drop anything that doesnt match the rules above
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
Thanks for your time.

You might want to add the DNS ports, otherwise you may not be able to resolve any hostnames.
Allowing OUTPUT for TCP and UDP Port 53 should help.

You need to open port 80 for input and output with a rule like this:
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT