iptables: what a powerful and free Swiss army knife

Linux OS Topics

iptables: what a powerful and free Swiss army knife

Post by SemiconductorCat » Thu Jun 06, 2013 11:43 am

Hi all, I'm glad to tell you all that I've successfully finished my lab exercise on iptables, and I'm
glad that I have the power of iptables in my CV. I would like to thank our member 'nwclasantha', because
I developed my interest in digging into iptables through him, as well as through notes as a case study.

The concept of iptables is just a kernel-based firewall implemented in the Linux kernel, where you can
compile it as a separate module or as something built into the kernel. So it's safe to assume that almost
all up-to-date Linux distributions have this tool.

iptables rules look pretty strange when a newbie looks at them for the first time. I also faced such strangeness because
I didn't understand the mechanics behind it. This means a black-box approach won't work here. You have to
open the box and see what's going on!

Alright, let's continue with my lab exercise that I have done at my home.
What I have:

* Core2Duo computer with Windows installed. ( eth0 )
* Acer laptop with Linux Ubuntu installed. ( wlan0 eth0 ).
* Android phone. ( AndroidAP wifi access point ).

Even though I have several Internet connections [2 Dialog, 1 Etisalat], I only use my fixed Dialog postpaid connection for
all my internet work. It's on the Android phone and I share the same connection using WiFi tethering. [If you
need more information you may read: https://robot.lk/index.php]

Now our lab exercise is to get an internet connection to the Core2Duo desktop computer over ethernet, connected to the Acer
laptop.

My connection would look like this.

[android phone] ----------<wifi>---------[wlan0| acer laptop |eth0]--------<ethernet>--------[eth0|Core2Duo Desktop]


Sorry for the diagramming. (The computer that I use does not have Flash installed, so I could not use any online
diagramming tools.)

On the Acer laptop you need to enter super-user mode. There is no root account
available on Ubuntu, but you could use this trick. Otherwise use 'su' directly
instead.

Code:

$ sudo su
****
#
Then we need to set up IP addresses. The IP address and the other settings for wlan0 have already been
set up automatically by the Ubuntu utilities. But to make sure, we should run ifconfig.

Code:

#ifconfig wlan0
wlan0  Link encap:Ethernet HWadr 20:7c:8f:12:2c:a4
          inet addr:192.168.1.249 Bcast: 192.168.43.255 Mask:255.255.255.0
          
          ...
So we need to set up eth0 in another subnet. I'm using the 192.168.1.0/24 network, where my Acer laptop
is 192.168.1.1 and the desktop is 192.168.1.2. So on the Acer laptop,

Code:

# ifconfig eth0 192.168.1.1 netmask 255.255.255.0
Now I have to set up the desktop computer too. Normally Windows automatically configures it to obtain the IP
address through a DHCP server. That's the last thing that we need here, because I'm not currently running
a DHCP server on my laptop. So go to Control Panel -> Network Connections -> right click Local Area Connection ->
Properties -> on the General tab tick IPv4, then click the Properties button, then set it up like below.

Image

NOTE: 8.8.8.8 is the Google name server.
Depending on the hardware device that you use, your computer may need a restart.

Now from both machines you can ping each other.

Code:

C:\Documents and Settings\tilak>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.1:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Reply from 192.168.1.1: Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
bytes=32 Control-C
^C

Then you need to set up the default gateway on the Linux machine. Actually we have nothing to set up
there. It should be done automatically when we connect to the AndroidAP. But make sure of it.

Code:

#ip route show
192.18.43./24 dev wlan0 scope link metric 100
default via 192.168.43.1 dev wlan0 proto static
So you can see it's already there. In other words, any packet going out of the kernel which does not
match the above rules will be routed through the default path.

There is one problem, however. For security reasons Linux implicitly does not allow forwarding packets from one interface
to another. Here we need to enable it explicitly. This can be enabled by writing to the proc file system; invoke the
command below. This is called enabling IPv4 packet forwarding.

Code:

#echo 1 > /proc/sys/net/ipv4/ip_forward 
[ Please note that you need a space between '1' and '>'; otherwise the shell thinks that you want to redirect the '1' standard
output into the /proc/sys/net/ipv4/ip_forward file, so it will write nothing there. ]
Now you need to restart the network. Invoke this command:

Code:

#/etc/init.d/networking restart 
After resetting the network you again need to set up the eth0 IP address, because there is nothing like a DHCP
server on the network to automatically configure it when bringing up the connection.

Code:

#ifconfig eth0 192.168.1.1 netmask 255.255.255.0
(Check again by pinging from both sides to each other.)

Then we need to set up iptables.

First I'm going to flush and delete all rules by invoking the command below.

Code:

#iptables -F
[ See the man page for iptables for the -F option. ]

Then I list the chains to make sure.

Code:

#iptables -L
The default policy should be "ACCEPT" for the INPUT, FORWARD and OUTPUT chains of the default (filter) table.
Now I'm going to enable IP MASQUERADE on wlan0. Invoke the command below.

Code:

#iptables -A POSTROUTING -t nat -o wlan0 -j MASQUERADE
To make sure, I can view the tables using the following. Here we query the nat table (-t nat), not the default filter table.

Code:

#iptables -L -t nat
Chain POSTROUTING (Policy ACCEPT)
MASQUERADE all -- anywhere anywhere
Now you can ping the 8.8.8.8 name server from my Windows machine.


I will write about what the tables and chains actually mean, digging into this as a case study, in my next reply
to this thread.

--Happy Linux--
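An added example, not part of the original post: a script that builds the same NAT gateway set-up (wlan0 upstream, eth0 toward the desktop, 192.168.1.0/24) but replaces the permissive FORWARD policy the post leaves at ACCEPT with a default-DROP chain and stateful conntrack rules, so only traffic from the LAN and its replies are forwarded. WAN_IF, LAN_IF, LAN_NET, DRY_RUN and the function names are assumptions; the rule set is emitted one command per line so it can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the original post): NAT gateway rules for the lab topology,
# with a restrictive FORWARD chain instead of the default ACCEPT policy.
# Hypothetical variables; the defaults match the interfaces and subnet used in the post.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.
set -eu

WAN_IF="${WAN_IF:-wlan0}"            # upstream interface toward the Android AP
LAN_IF="${LAN_IF:-eth0}"             # interface toward the desktop
LAN_NET="${LAN_NET:-192.168.1.0/24}" # subnet that is allowed to be masqueraded
DRY_RUN="${DRY_RUN:-1}"

# Emit the full rule set, one shell command per line.
nat_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
iptables -A FORWARD -i $lan -o $wan -s $net -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: " --log-level 4
EOF
}

# Print (dry run) or execute each emitted command.
apply_rules() {
    nat_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Sanity check: how many emitted commands touch the FORWARD chain.
forward_rule_count() {
    nat_rules "$1" "$2" "$3" | grep -c ' FORWARD'
}

apply_rules
```

The final LOG rule records anything the FORWARD chain is about to drop (the chain policy does the dropping), which is the quickest way to see what the gateway is refusing to pass when something on the desktop stops working.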

Re: iptables: what a powerful and free Swiss army knife

Post by Neo » Tue Jun 18, 2013 2:27 pm

Very nice article. iptables is a fantastic, can't-live-without tool in Linux. CSF provides a nice interface to control iptables in an automated way, such as auto discovery of DDoS attacks, etc...

Re: iptables: what a powerful and free Swiss army knife

Post by SemiconductorCat » Wed Jun 19, 2013 2:54 pm

Neo wrote: Very nice article. iptables is a fantastic, can't-live-without tool in Linux. CSF provides a nice interface to control iptables in an automated way, such as auto discovery of DDoS attacks, etc...
Thank you sir, thanks for the encouragement.
Your encouragement is driving me to write more quality, easy-to-understand tech articles,
as well as to encourage others to write more.

Technical writing is really a good thing. I have done a complete subject about 'Technical Writing'. So it's time
for me for some practice. So this is what I do.

Not only that, I welcome all comments and criticism, including criticism about the clarity of my articles from
the audience who read them. Please feel free to make a comment; unlike others, I'm open to learning from you.

I hope that while I'm practicing technical writing, you, the audience, can also gain good knowledge while reading,
as well as point out my mistakes in writing, so I can correct them.

So it sounds welcoming to write more; that's appreciated. It's a pleasure to share some knowledge while I'm
practicing 'Technical Writing'.

--Thanks In Advance--