[[http://tmade.de|Home tmade.de]]
[[http://wiki.tmade.de|Home Wiki]]
===== IP-Tables =====
Tutorial:
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
==== SLES ====
Step 1: set the iptables rules. The example below accepts forwarded HTTP/HTTPS, redirects incoming port 80/443 to the unprivileged ports 8080/8443 (so the service behind them does not have to run as root) and rejects all outbound traffic to three hosts. Note that a REDIRECT in the nat PREROUTING chain only affects packets arriving from other hosts; connections the machine makes to itself need the same rule in the nat OUTPUT chain.
/usr/sbin/iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080
/usr/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443
/usr/sbin/iptables -A OUTPUT -d 172.16.123.23/32 -j REJECT --reject-with icmp-port-unreachable
/usr/sbin/iptables -A OUTPUT -d 172.16.123.141/32 -j REJECT --reject-with icmp-port-unreachable
/usr/sbin/iptables -A OUTPUT -d 172.16.123.22/32 -j REJECT --reject-with icmp-port-unreachable
Step 2: save the running rules to a file:
iptables-save > /etc/iptables_custom.conf
Step 3: create an if-up.d hook that loads the saved rules whenever an interface comes up (iptables-restore replaces the complete ruleset, so running it once per interface is harmless):
echo '#!/bin/sh' > /etc/sysconfig/network/if-up.d/iptables
echo 'echo "IPTABLES will be started"' >> /etc/sysconfig/network/if-up.d/iptables
echo "iptables-restore < /etc/iptables_custom.conf" >> /etc/sysconfig/network/if-up.d/iptables
Step 4: make the hook executable:
chmod +x /etc/sysconfig/network/if-up.d/iptables
Step 5: after a reboot, check that the rules are back:
iptables --list
or
iptables -L -n
To dump the complete ruleset (all tables, in iptables-save format) run
iptables-save
or, for the NAT table with packet and byte counters:
iptables -t nat -L -vn
==== Systemd ====
Create an executable script, e.g. /sbin/iptables.sh with "chmod 750 /sbin/iptables.sh", with the following content. Note that the stop action sets every policy to ACCEPT, so after "stop" the host is completely unfiltered:
#!/bin/bash
# Configure iptables
# Limit PATH
PATH="/sbin:/usr/sbin:/bin:/usr/bin"

# iptables configuration
firewall_start() {
    # Define rules: allow forwarded HTTP/HTTPS and redirect incoming
    # 80/443 to the unprivileged ports 8080/8443
    iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT
    iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT
    iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080
    iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443
}

# clear iptables configuration
# All policies become ACCEPT, so after this nothing is filtered any more
firewall_stop() {
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -t nat -F
    iptables -t mangle -F
    iptables -F
    iptables -X
}

# execute action
case "$1" in
    start|restart)
        echo "Starting firewall"
        firewall_stop
        firewall_start
        ;;
    stop)
        echo "Stopping firewall"
        firewall_stop
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac
Create the unit file (systemd's own advice for firewall units is Wants=network-pre.target plus Before=network-pre.target, so that the rules are in place before any interface is configured; the unit below uses the simpler After=network.target ordering):
cat << EOF | sudo tee /etc/systemd/system/iptables.service
[Unit]
Description=iptables service
After=network.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables.sh start
RemainAfterExit=true
ExecStop=/sbin/iptables.sh stop
StandardOutput=journal
[Install]
WantedBy=multi-user.target
EOF
Update systemd:
systemctl daemon-reload
Usage:
systemctl start iptables.service
systemctl stop iptables.service
systemctl status iptables.service
systemctl is-enabled iptables.service #check whether the unit starts at boot
systemctl enable iptables.service #make it start at boot
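Both the SLES if-up.d hook and the systemd unit above end up calling iptables-restore, so the thing worth managing is the restore file itself rather than a list of individual iptables -A calls. The following script is an added example, not code from this wiki page: it builds the page's SLES rules as one iptables-save-format file, parse-checks it with iptables-restore --test and only then loads it. iptables-restore swaps in the complete tables in one step, so there is no window with a half-applied ruleset, which a sequence of -A commands does leave. Ports, reject addresses and the file name are the page's own values; the --test option and the .tmp staging file are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the wiki page: build the page's rules as one
# iptables-save-format file, validate it, then load it atomically.
# A sequence of "iptables -A" calls is applied one rule at a time;
# iptables-restore replaces the whole table, so there is no window
# with a partial ruleset.
# Assumptions (not on the page): the --test option of iptables-restore
# and the ".tmp" staging file; ports and addresses are the page's values.

REDIRECTS="80:8080 443:8443"                              # public:redirected
REJECT_HOSTS="172.16.123.23 172.16.123.141 172.16.123.22" # never talk to these
RULES_FILE="${RULES_FILE:-/etc/iptables_custom.conf}"

# Print the full ruleset (filter and nat tables) in iptables-save format.
gen_ruleset() {
    printf '*filter\n'
    printf ':INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    for pair in $REDIRECTS; do
        printf '%s\n' "-A FORWARD -p tcp --dport ${pair%%:*} -j ACCEPT"
    done
    for host in $REJECT_HOSTS; do
        printf '%s\n' "-A OUTPUT -d $host/32 -j REJECT --reject-with icmp-port-unreachable"
    done
    printf 'COMMIT\n'
    printf '*nat\n'
    printf ':PREROUTING ACCEPT [0:0]\n:INPUT ACCEPT [0:0]\n'
    printf ':OUTPUT ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n'
    for pair in $REDIRECTS; do
        printf '%s\n' "-A PREROUTING -p tcp --dport ${pair%%:*} -j REDIRECT --to-ports ${pair##*:}"
    done
    printf 'COMMIT\n'
}

# Number of rules (-A lines) in a ruleset read from stdin.
count_rules() {
    grep -c '^-A '
}

# Write the ruleset to a staging file, parse-check it, then install and load it.
# The kernel ruleset is left untouched if the check fails.
apply_ruleset() {
    gen_ruleset > "$RULES_FILE.tmp" || return 1
    if iptables-restore --test < "$RULES_FILE.tmp"; then
        mv "$RULES_FILE.tmp" "$RULES_FILE" && iptables-restore < "$RULES_FILE"
    else
        echo "ruleset rejected, kernel rules unchanged" >&2
        rm -f "$RULES_FILE.tmp"
        return 1
    fi
}

case "${1:-}" in
    print) gen_ruleset ;;
    apply) apply_ruleset ;;
esac
```

Run "sh rules.sh print" to inspect the generated file and "sh rules.sh apply" as root to install it. With the file in place, the systemd unit can use ExecStart=/usr/sbin/iptables-restore /etc/iptables_custom.conf (iptables-restore accepts the file as an argument) instead of a hand-written start function, and the SLES hook stays as it is.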
==== Delete IP-Tables ====
Reset every policy to ACCEPT and flush and delete all chains in the filter, nat and mangle tables (after this nothing is filtered any more):
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
To edit rules by hand, dump them to a file:
iptables-save > somefile
Edit the file with your favourite text editor, e.g. vi, then load it back:
iptables-restore < somefile
==== Delete Single Rules ====
Execute:
iptables -L INPUT --line-numbers
iptables -L FORWARD --line-numbers
iptables -L OUTPUT --line-numbers
Output example:
root@rasp:~# iptables -L FORWARD --line-numbers
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
To delete rule 1 run:
iptables -D FORWARD 1
The numbers are positions, not identifiers: once rule 1 is gone, the old rule 2 becomes rule 1. When removing several rules, delete the highest number first, or delete by rule specification instead, e.g. "iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" for rule 1 above.
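As an added example (not code from this page), the script below selects rule numbers out of a --line-numbers listing by pattern and deletes them highest number first, the order that stays correct while the chain renumbers itself. The listing is the page's own FORWARD output, embedded as sample data so the selection can be tried without root; the IPTABLES variable (set to echo for a dry run) is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the wiki page: find rule numbers in an
# "iptables -L CHAIN --line-numbers" listing and delete them safely.
# Rule numbers are positions, not identifiers: after "iptables -D FORWARD 1"
# the old rule 2 is the new rule 1, so several deletions must run highest
# number first (or the numbers must be re-read before each one).
# IPTABLES is an assumption of this example; set IPTABLES=echo for a dry run.
IPTABLES="${IPTABLES:-iptables}"

# Constructed sample input: the FORWARD listing shown on the page, so the
# selection logic can be exercised without root.
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere'

# Print the numbers of the rules whose line matches PATTERN (awk regex).
# The first two lines of a listing are headers and are skipped.
# Usage: rule_numbers PATTERN < listing
rule_numbers() {
    awk -v pat="$1" 'NR > 2 && $0 ~ pat { print $1 }'
}

# Delete the given rule numbers from CHAIN, highest first, each number once.
# Usage: delete_rules CHAIN NUM...
delete_rules() {
    chain=$1
    shift
    [ $# -gt 0 ] || return 0
    for n in $(printf '%s\n' "$@" | sort -rn -u); do
        case $n in
            *[!0-9]*|'') echo "not a rule number: $n" >&2; return 1 ;;
        esac
        "$IPTABLES" -D "$chain" "$n" || return 1
    done
}

# Delete every rule in CHAIN matching PATTERN, reading a fresh listing so the
# numbers are current at the moment of deletion.
# Usage: delete_matching CHAIN PATTERN
delete_matching() {
    nums=$("$IPTABLES" -L "$1" --line-numbers | rule_numbers "$2") || return 1
    # word splitting of $nums into separate numbers is intended
    delete_rules "$1" $nums
}
```

Typical use as root: "delete_matching FORWARD 'RELATED,ESTABLISHED'" removes rule 1 of the listing above; "IPTABLES=echo delete_rules FORWARD 1 3" prints "-D FORWARD 3" before "-D FORWARD 1" without touching the kernel.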
==== Forwarding ====
To forward incoming traffic to another IP, first check whether the kernel forwards at all: cat /proc/sys/net/ipv4/ip_forward
If you get "0", forwarding is disabled. To switch it on, run
echo "1" > /proc/sys/net/ipv4/ip_forward
or
sysctl net.ipv4.ip_forward=1
Check again with "cat /proc/sys/net/ipv4/ip_forward"; it now prints "1". Both commands only change the running kernel. To keep forwarding enabled across reboots, put "net.ipv4.ip_forward = 1" into /etc/sysctl.conf or a file under /etc/sysctl.d/.
Afterwards you can set your rules, e.g. to forward incoming SSH to 192.168.1.30:
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 192.168.1.30:22
iptables -t nat -A POSTROUTING -j MASQUERADE
The FORWARD chain must also let the forwarded packets through (it does with the default ACCEPT policy). Note that a MASQUERADE rule without -o also matches the forwarded packets on their way to 192.168.1.30, so the inside host sees only this machine's address instead of the real client. Bind it to the outside interface (-o <interface>) if the client address matters, e.g. for the target's logs.
To forward to an IP range (the kernel picks one address out of the range for each new connection):
iptables -t nat -A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination 192.168.1.100-192.168.1.200:1111
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.100-192.168.1.200
To forward to a port range:
iptables -t nat -A PREROUTING -p tcp --dport 1024:65000 -j DNAT --to-destination 192.168.1.30:1024-65000
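The following script is an added example, not code from this page. It performs the port forward described above together with the pieces a bare DNAT line leaves out: ip_forward switched on and persisted under /etc/sysctl.d, an explicit FORWARD rule so the forward survives a later DROP policy, and MASQUERADE bound to the outside interface so the inside host still sees the real client address. The outside interface name eth0, the sysctl.d file name and the IPTABLES dry-run variable are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the wiki page: forward one TCP port to an inside
# host as described above, with the parts a bare DNAT line leaves out:
#  - ip_forward switched on now and persisted in sysctl.d
#  - an explicit FORWARD rule, so the forward keeps working if the FORWARD
#    policy is later set to DROP
#  - MASQUERADE bound to the outside interface, so the inside host still
#    sees the real client address (an unbound MASQUERADE rewrites the
#    forwarded packets' source to this machine's LAN address as well)
# Assumptions (not on the page): outside interface eth0, the sysctl.d file
# name, and IPTABLES=echo as dry-run switch.
IPTABLES="${IPTABLES:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.d/90-ip_forward.conf}"

# True if the running kernel forwards IPv4 (the same file the page checks).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Switch forwarding on and make it survive a reboot; "echo 1 > /proc/sys/..."
# or a plain sysctl call alone is lost at the next boot.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    printf 'net.ipv4.ip_forward = 1\n' > "$SYSCTL_FILE"
}

# Print the iptables arguments (one rule per line) for forwarding
# WAN_IF:PORT to DEST_IP:DEST_PORT without running anything.
# Usage: forward_rules PORT DEST_IP [DEST_PORT]
forward_rules() {
    port=$1; dest=$2; dport=${3:-$1}
    case "$port$dport" in
        *[!0-9]*|'') echo "bad port: $port/$dport" >&2; return 1 ;;
    esac
    cat <<EOF
-t nat -A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $dest:$dport
-A FORWARD -i $WAN_IF -p tcp -d $dest --dport $dport -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Apply the rules printed by forward_rules, stopping at the first failure.
forward_port() {
    rules=$(forward_rules "$@") || return 1
    printf '%s\n' "$rules" | while IFS= read -r args; do
        # splitting $args into separate arguments is intended
        "$IPTABLES" $args || exit 1
    done
}

case "${1:-}" in
    enable)  forwarding_enabled || enable_forwarding ;;
    forward) shift; forward_port "$@" ;;
esac
```

As root, "sh forward.sh enable" persists forwarding and "sh forward.sh forward 22 192.168.1.30" installs the four rules; "IPTABLES=echo sh forward.sh forward 22 192.168.1.30" only prints them. The inside host's default route must point back at this machine, otherwise the replies to the un-masqueraded client address never return through the NAT.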
==== Commands ====
iptables -vnL #Show how many packets and bytes each rule has matched
iptables -t filter -L FORWARD -nv #Show how many times each forward rule was used
iptables -t filter -L INPUT -nv
iptables -t filter -L OUTPUT -nv
iptables -L INPUT --line-numbers
iptables -L FORWARD --line-numbers
iptables -L OUTPUT --line-numbers