IPTABLES



Iptables (or IP tables) is the name of a program in Linux, which consists of several tables.

These tables manage all of the traffic on the device, which is to pass from and/or to the connected network (including traffic that reaches the computer from the Internet).

This software is also effectively the Linux firewall, in that it blocks, or allows, the passage of information according to defined criteria, but it is much more flexible than a standard firewall.

Its flexibility is manifested in that it allows the user a very wide range of actions with which to manage the incoming and outgoing data.

For example, the functionality of the program allows not only for the blocking of information according to given criteria, but also for the routing of said information to other destinations.

Furthermore, it allows the forwarding of information intended to a certain port to another, or the forwarding of information intended to a certain IP address to another IP address instead.

It also allows a combination of the aforementioned manipulations and conditions, that is, to redirect all of the information destined to a certain port on a certain IP address to another IP address, or all the information addressed to a certain IP address on a certain port, to another specific port, and so on.

So, unlike other firewalls, which allow redirection of specific traffic from ports to other ports only, the IP-tables allow port forwarding based on the specification of only an IP address or only of a port, or of a specific IP address and port combination.

They also allow redirection to other (non-local) IP addresses according to the aforementioned conditions.

In addition, the flexibility is manifested in our ability to determine the timing of when the tables operate on the information. We have the ability to define with the tables, that rules will be applied before processing the information on the computer or after it had already begun being processed, but before it leaves to the next destination, or at the time the data is created.

The timing determines whether the change we make to the information will affect the processing on our computer (because it was performed before said processing) or not (because it is activated after the processing).

The above tables dictate to all the traffic that enters/leaves the computer its mode of operation (for example, the destinations, the ports through which it passes, whether its access is prohibited/allowed, etc.). They consist of rules with a fixed and identical format, where each rule defines the way of management of the information according to its compatibility with certain criteria.

Each rule is made up of two main parts, where what is written before the flag '-J' defines the conditions according to which the data will be examined, and in fact, the type of data on which the action will be performed and everything that comes after the ‘-J ’defines the action itself that will be performed on the traffic if it is found that it fits the criteria/meets the requirements (reminiscent of conditional expressions in a programming language). In fact, the first part can be divided once more because even before defining the conditions for performing the action it is defined to which table the rule pertains and in what manner.

The rules are dictated by the user of the operating system and are entered in their required and fixed format (a rule written incorrectly will not be accepted and will not be added to the table).

When there are two conflicting rules on one table, the one that is displayed as higher on the table will take precedence, and it is the one that will determine how the traffic is handled.

The new rules are either appended at the bottom of the list, or inserted at a specified numbered line or (if not specified) at the top line of the table.

There may well be a situation where a newer rule will not affect the data because there is a conflicting rule above it.

Therefore, it is necessary to plan the table in such a way that the desired rules will have an effect, either by deleting contradicting rules that are above them, or by replacing their position with the new rules.

The tables are divided according to the type of information handled (in the below example they are designated to the NAT table) and again are divided into chains (sort of like sub-tables) according to their direction, or the timing of their impact. These tabless are:

The PREROUTING table which handles the information trying to enter the computer from outside before it has been processed by our system (the rules it contains will apply to the incoming traffic, in accordance with additional criteria defined in the rules).

The POSTROUTING table which handles the traffic trying to leave the computer to the network, after being processed on our computer (the rules it contains will apply to the outgoing information, in accordance with additional criteria specified in the rules themselves).

The INPUT table, which defines rules that will affect traffic that enters the system, according to additional criteria specified by the rules themselves.

The OUTPUT table which defines rules that will affect information created in the system according to additional criteria specified on the rules themselves.

As mentioned, the rules are written in a fixed and identical format on all of the tables which is as follows:

Iptables -t <main table> <action to perform on table (identified by a flag)> <Which table the rule applies to> -p <type of protocol the rule applies to> –destination-port and/or destination ip -j <the actual way I want to handle such information>

Example: Iptables -t NAT -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

This is the basic command skeleton, where additional flags may be appended to it (For example, the rule can be made more precise by using the flags and the desired IP address. For example if we use the “-d” flag The effect will be that the rule will only refer to information which original destination address is the address that appears after the -d flag.

This flag constitutes one of the flags that define the terms of the rule, and therefore will appear before the -J flag)

Analysis of the format:

Iptables is the first word in the rule that you type, and it basically calls the software to perform an action on the tables.

-t <table> (in our example the target is the NAT table)- This is a flag that reserves the type of table among the IP tables, that the rule will apply to.

<action to perform on table>, and in our example -A, that is APPEND, defines to the action, what I want to perform in relation to the above table.

for example to add a rule at the bottom with -A, or to delete it, using the -D flag.

The rule I define will be added to the table I specify or will be deleted from it, according to what I will choose this flag to be. Additional options are REPLACE reserved for the rule to take the place of another rule on the table according to the number I specify.

<which chain the rule applies to> and in our example case, PREROUTING.

Here we define a chain, which is sort of a subtable that belongs to the target table category. That is, which chain among the target tables that I specified with the ‘-T’ flag the rule will be appended\inserted into.

Does the table handle incoming/outgoing information, etc.

-p <info type/protocol> and in our example, TCP. Here I begin to define the threshold conditions according to which the information will be examined, and according to which it will be determined whether the action defined after the -J flag will be performed on or not.

That is, here begin the conditions that determine on which specific type of traffic the action written after the -J flag will be performed.

This specific flag examines the communication protocol type that the examined information belongs to (the options are ICMP, TCP , UDP or all).

-destinattion (can be a port or an IP address, or both) is the field in which the destination of the handled traffic is examined. If it fits the required destination defined by the rule, and the requirements specified before it, then the action defined by the rule will really take place.

If we want the rule to refer to information addressed to a certain target port, the syntax will be --destination-port or -dport for short and then the port to which the package is addressed. If we want the rule to apply to a destination that is an IP address, the syntax will be: -d <ip address> , where the IP address can also be entered as the textual URL address, and the DNS protocol will translate/resolve it.

* (You can also add the flag -s here, which will limit the reference of the rule only to the information that comes from the address of a specified source that will be written after it. )

-J (in our example REDIRECT TO) As mentioned above, here begins the second part of the rule which actually defines the way of handling the traffic if it fits the requirements of the first part.

The command REDIRECT can be appended to --to-port, and this syntax will define routing to the port that will be specified after the command.

Additional flag arguments for ‘-J ’ are:

A. DNAT –to-destination <ip address> and this syntax will define routing to the IP address that will be defined in this field.

B. DROP which omits the package (forbids its passage).

C. ACCEPT which allows the acceptance of the information.

D. MASQUERADE - This command does not touch the destination for which the package is addressed, but it overwrites the sender's information, or rather leaves it as it were when it had arrived on our computer.

Normally, a package sent from us will specify our computer as the sender, but using this command will make our computer transparent to the target device.

The resultant packets will show the initial sender (who had sent us the package) as the only direct sender of the package to the destination.

G. SNAT - In addition, the source address can be rewritten as any address we want (not necessarily the initial source address of the device that had it sent to us), using the ‘-snat’ flag, which will be written after the ‘-J’ flag, and will indicate any address we want to use to spoof the source.

The above example ( Iptables -t NAT -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 ), is a rule that is implemented as part of a "man in the middle" attack, wherein the attacker intercepts SSL encrypted information and needs to decrypt (or strip) the encryption.

In order to do this, there’s a need to redirect all of the traffic that enters the device on port 80 (the browsing port of the browser) to another port, where the attacker can perform the process of stripping the SSL.

The command basically specifies, "Insert the following instruction into the incoming NAT table:

'If information from port 80 of the protocol TCP enters this device, it must be redirected to port 8080'".

On port 8080 the information will be decrypted by the software SSLSTRIP which we had instructed to listen on this port beforehand.

Another example of the use of iptables:

Iptables -t nat -A PREROUTING -p tcp -s 10.0.0.8 –d www.google.com -j DNAT –to-destination www.gogle.co.il

And with this command I actually alter the destination of the package from Google to another site (could be a phishing site I had prepared). As part of the "man-in-the-middle attack" I can perform this manipulation on the traffic that passes through my device from the victim (in this case, the address 10.0.0.8) to the router, and thus all of the information that will be sent by him to a site X will reach the site Y which I had defined instead.