Thursday, 22 March 2018

what is tuples

  • A "tuple" is a structure containing the information needed to uniquely identify a connection.
    • i.e. if two packets have the same tuple, they are in the same connection; if not, they are not.
  • A 5-tuple refers to a set of five different values that comprise a Transmission Control Protocol/Internet Protocol (TCP/IP) connection. It includes a source IP address/port number, destination IP address/port number and the protocol in use.
  • Protocol (TCP or UDP), source IP & port, destination IP & port.
  • iptables uses the tuple to identify a unique connection and can redirect that connection.
    • E.g.: iptables -t nat -A PREROUTING -p tcp -s 192.168.1.99 --sport 58902 -d 173.223.52.123 --dport 80 -j DNAT --to-destination 192.168.1.254:80

Wednesday, 21 March 2018

What is iptables

  • iptables is a command-line firewall utility that uses policy chains to allow or block traffic.
  • When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it doesn’t find one, it resorts to the default action.
  • Different kernel modules and programs are used for different protocols:
    • iptables applies to IPv4, ip6tables to IPv6
    • arptables to ARP, and ebtables to Ethernet frames.

Default tables are:

  • Raw
  • Mangle
  • NAT
  • Filter

Chains and the tables that use them:

  • PREROUTING: 
    • used by raw, mangle and nat tables
  • INPUT: 
    • used by mangle and filter tables
  • FORWARD: 
    • used by mangle and filter tables
  • OUTPUT: 
    • used by raw, mangle, nat and filter tables
  • POSTROUTING: 
    • used by mangle and nat tables

Types of chains:

  • INPUT:
    • This chain is used to control the behavior of incoming connections.
    • For example, if a user attempts to SSH into your PC/server, iptables will attempt to match the IP address and port to a rule in the INPUT chain.
    • Put another way: it is for packets destined for your own local machine. The reply to an HTTP request made by your browser goes through the INPUT chain.
  • FORWARD:
    • This chain is used for incoming connections that aren’t actually being delivered locally.
    • Think of a router – data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target.
  • OUTPUT:
    • This chain is for packets going out of your machine. The HTTP request made by your browser goes through this chain.

A rule names a "target", which is executed when a packet matches the rule's "criteria".

Following are the most common targets:
  • ACCEPT: 
    • Packet is accepted and goes to the application for processing.
  • DROP: 
    • Packet is dropped. No information regarding the drop is sent to the sender.
  • REJECT: 
    • Packet is dropped and information (error) message is sent to the sender.
  • LOG: 
    • Packet details are sent to syslogd for logging. 
  • DNAT:
    • Rewrites the destination IP of the packet.
  • SNAT:
    • Rewrites the source IP of the packet.

The first four are used heavily in the filter table. Now let us discuss some of the common criteria:

  • -p <protocol>:
    • Matches the protocol: tcp, udp, icmp, or all
  • -s <ip_addr>:
    • Matches the source IP address
  • -d <ip_addr>:
    • Matches the destination IP address
  • --sport <port>:
    • Matches the source port
  • --dport <port>:
    • Matches the destination port
  • -i <interface>:
    • Matches the interface on which the packet entered
  • -o <interface>:
    • Matches the interface through which the packet exits
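As an added example that is not part of the original post, a small Python model of how a chain applies these criteria to a packet's 5-tuple: the first matching rule decides, and a packet that matches no rule falls through to the chain's default policy. The helper names, the INPUT rule set and the packet values are constructed for this example; -s and -d accept a CIDR prefix here, as iptables does.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# The 5-tuple (proto, src, sport, dst, dport) plus the ingress interface for -i.
Packet = namedtuple("Packet", "proto src sport dst dport in_if", defaults=["eth0"])

def in_net(net, addr):
    # -s/-d accept a single address or a CIDR prefix (constructed helper).
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

@dataclass(frozen=True)
class Rule:
    target: str                  # ACCEPT, DROP or REJECT (filter-table targets)
    p: Optional[str] = None      # -p <protocol>
    s: Optional[str] = None      # -s <ip_addr>
    d: Optional[str] = None      # -d <ip_addr>
    sport: Optional[int] = None  # --sport <port>
    dport: Optional[int] = None  # --dport <port>
    i: Optional[str] = None      # -i <interface>

    def matches(self, pkt):
        # Every criterion that is set must match; an unset criterion matches anything.
        return ((self.p is None or self.p == pkt.proto)
                and (self.s is None or in_net(self.s, pkt.src))
                and (self.d is None or in_net(self.d, pkt.dst))
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.i is None or self.i == pkt.in_if))

def evaluate_chain(rules, pkt, policy="DROP"):
    """First matching rule decides; with no match the chain's default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy

# Hypothetical INPUT chain (constructed for this example): SSH only from the admin LAN,
# all other SSH rejected, DNS replies accepted, everything else falls to the DROP policy.
INPUT_CHAIN = [
    Rule("ACCEPT", p="tcp", s="192.168.1.0/24", dport=22, i="eth0"),
    Rule("REJECT", p="tcp", dport=22),
    Rule("ACCEPT", p="udp", sport=53),
]

def demo():
    packets = [
        Packet("tcp", "192.168.1.10", 51000, "192.168.1.254", 22),  # admin SSH -> ACCEPT
        Packet("tcp", "10.0.0.7", 51000, "192.168.1.254", 22),      # other SSH -> REJECT
        Packet("udp", "8.8.8.8", 53, "192.168.1.254", 40123),       # DNS reply -> ACCEPT
        Packet("tcp", "10.0.0.7", 40000, "192.168.1.254", 80),      # unsolicited HTTP -> DROP
    ]
    return [(p[:5], evaluate_chain(INPUT_CHAIN, p)) for p in packets]
```

Swapping the first two rules shows why order matters: the REJECT rule would then catch the admin host's SSH before the ACCEPT rule is reached.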