
Lab on iptables

3/9/2017 CSC4430 - LAB ON IPTABLES Page 1


iptables
iptables is a user-level program that controls the kernel-level network module called netfilter.

[Figure: the iptables command performs manipulations on the netfilter internal structure inside the Linux kernel]


iptables – Tables and Chains
Each function provided by the netfilter architecture is presented as a table.

netfilter tables:
• filter: this table is in charge of filtering packets.
• nat: this table is in charge of translating IP addresses of the packets.
• mangle: this table is in charge of changing packet content.


iptables – Tables and Chains
Under each table, there is a set of chains.
◦ Under each chain, you can assign a set of rules.

netfilter tables and their chains:
• filter: INPUT, OUTPUT, FORWARD
• nat: PREROUTING, POSTROUTING, OUTPUT
• mangle: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING


iptables – Tables and Chains
The command below lists (-L) the chains of the filter table (-t filter):

[csci4430@vm-a]$ sudo iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[csci4430@vm-a]$ _

There is one DROP rule set in the INPUT chain; the other two chains (FORWARD and OUTPUT) are empty.

The rule in the INPUT chain means:

When a packet with ICMP payload passes through the INPUT hook, DROP that packet, no matter where it comes from and where it is going.
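The listing above has a fixed shape (a "Chain NAME (policy P)" header, a column row, then one rule per line), so a script can read it back instead of a person eyeballing it. The parser below is an added example and is not part of the lab handout; SAMPLE_LISTING is constructed to match the slide's output, and the header pattern also accepts the "(N references)" form that iptables prints for user-defined chains.

```python
"""Parse the listing printed by `iptables -t filter -L` (the format shown on
the slide above) into a structure a script can inspect.  Added example, not
part of the lab handout; SAMPLE_LISTING is constructed to match the slide."""

import re
from typing import Dict, List, Optional

# Constructed to match the slide's listing: one DROP rule in INPUT, nothing else.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# "Chain INPUT (policy ACCEPT)" for built-in chains,
# "Chain mychain (2 references)" for user-defined chains (no policy)
CHAIN_HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)$")
COLUMNS = ("target", "prot", "opt", "source", "destination")


def parse_listing(text: str) -> Dict[str, dict]:
    """Return {chain: {"policy": str or None, "rules": [rule dicts]}}.
    Each rule dict carries the five listing columns plus "extra" for any
    trailing match text such as "tcp dpt:ssh"."""
    chains: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_HEADER.match(line)
        if m:
            current = {"policy": m.group(2), "rules": []}
            chains[m.group(1)] = current
            continue
        if line.startswith("target "):          # column header row
            continue
        if current is None:
            raise ValueError("rule line before any chain header: " + line)
        fields = line.split(None, 5)             # at most 5 splits -> 6 fields
        if len(fields) < 5:
            raise ValueError("malformed rule line: " + line)
        rule = dict(zip(COLUMNS, fields[:5]))
        rule["extra"] = fields[5] if len(fields) > 5 else ""
        current["rules"].append(rule)
    return chains


def find_rules(chains: Dict[str, dict], target=None, prot=None) -> List[tuple]:
    """List (chain, rule) pairs whose target and/or protocol match the filters."""
    hits = []
    for name, chain in chains.items():
        for rule in chain["rules"]:
            if target is not None and rule["target"] != target:
                continue
            if prot is not None and rule["prot"] != prot:
                continue
            hits.append((name, rule))
    return hits


def summarize(chains: Dict[str, dict]) -> List[str]:
    """One line per chain, e.g. 'INPUT: policy ACCEPT, 1 rule(s)'."""
    return [f"{name}: policy {c['policy']}, {len(c['rules'])} rule(s)"
            for name, c in chains.items()]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print("\n".join(summarize(parsed)))
    for chain, rule in find_rules(parsed, target="DROP"):
        print(f"{chain} drops {rule['prot']} from {rule['source']} to {rule['destination']}")
```

Feed it real output with `parse_listing(subprocess.check_output(["sudo", "iptables", "-t", "filter", "-L"], text=True))`; note that without `-n` iptables resolves names, which is why the slide shows "anywhere" rather than 0.0.0.0/0, and why the `extra` column may read "tcp dpt:ssh" instead of a port number.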


iptables – Tables and Chains
[csci4430@vm-a]$ sudo iptables -t filter -A INPUT --protocol icmp --jump DROP
[csci4430@vm-a]$ sudo iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[csci4430@vm-a]$ _

• -A INPUT: add a new rule to the INPUT chain.
• --protocol icmp: the protocol of the packets in which this rule is interested is ICMP.
• --jump DROP: if a packet (1) passes through the INPUT hook, and (2) is an ICMP packet, then the packet jumps to the target DROP, which discards the packet.
• The DROP entry in the listing shows that the new rule was added to the INPUT chain of the filter table successfully.
NAT Rules Set Up
• Your private network can “access” the CUHK network and itself only.
[csci4430@vm-a]$ sudo iptables -t nat -A POSTROUTING \
    -s 10.0.<vm_group_id>.0/24 -d 137.189.0.0/16 \
    -j MASQUERADE

• Your private network can only use SSH to reach the outside world!
[csci4430@vm-a]$ sudo iptables -t nat -A POSTROUTING \
    -p tcp -d ! 10.0.<vm_group_id>.0/24 --dport 22 \
    -j MASQUERADE


iptables – More rules
• Clear all existing rules
  ◦ Flush all entries in the filter table
     iptables -t filter -F
  ◦ Flush all entries in the nat table
     iptables -t nat -F
  ◦ Flush all entries in the mangle table
     iptables -t mangle -F
• List all entries in the nat table
   iptables -t nat -L
• Always take the manual for reference.


Classwork 1: Filter ICMP Packets
• Please do the following task:
1. Make an SSH connection to VM a and VM b with putty
2. Flush all existing rules at VM a
    sudo iptables -t filter -F
    sudo iptables -t nat -F
    sudo iptables -t mangle -F
3. Ping VM a from VM b in the normal case
    ping -c 1 10.0.<vm_group_id>.1
4. Check /proc/sys/net/ipv4/ip_forward at VM a
    cat /proc/sys/net/ipv4/ip_forward
    If the value is not ‘1’, sudo nano /proc/sys/net/ipv4/ip_forward
5. Filter ICMP packets from VM b to VM a at VM a
    sudo iptables -A INPUT -p icmp -s 10.0.<vm_group_id>.2 -d 10.0.<vm_group_id>.1 -j DROP
6. Ping VM a from VM b again; you will find it cannot work
    ping -c 1 10.0.<vm_group_id>.1
7. Capture the result of ping at VM b, and save it as “capture1.png”


Classwork 2: Try NAT Rules
• Please do the following task:
1. Make an SSH connection to VM a with putty
2. Flush all existing rules at VM a
    sudo iptables -t filter -F
    sudo iptables -t nat -F
    sudo iptables -t mangle -F
3. Check /proc/sys/net/ipv4/ip_forward at VM a
    cat /proc/sys/net/ipv4/ip_forward
    If the value is not ‘1’, sudo nano /proc/sys/net/ipv4/ip_forward
4. Enable access to CUHK CSE Linux2 (137.189.88.145) at VM a
    sudo iptables -t nat -A POSTROUTING -s 10.0.<vm_group_id>.0/24 -d 137.189.88.145 -j MASQUERADE
5. Start a netcat (nc) server at Linux2 with the following command. Note that the random port should be a number in (10000, 12000)
    nc -l -p <a random port> -v
◦ Make an SSH connection to VM b with putty

6. At VM b, add the private IP of VM a as the default gateway
    sudo route add default gw 10.0.<vm_group_id>.1
7. Start a netcat (nc) client at VM b with the following command
    nc 137.189.88.145 <port for nc server at linux2> -v
8. After the connection between Linux2 and VM b is built successfully, transfer some messages on both sides.
9. Capture the output at Linux2 and VM b respectively, and save them as “capture2.png” and “capture3.png”
10. Stop nc at Linux2 and VM a
11. Flush all existing rules at VM a
    sudo iptables -t filter -F
    sudo iptables -t nat -F
    sudo iptables -t mangle -F
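The rules on the "NAT Rules Set Up" slide, the Classwork 1 INPUT rule and the Classwork 2 POSTROUTING rule are all decided the same way by netfilter: the chain is walked in the order the rules were appended, the first matching rule's target is the verdict, and the chain policy applies when nothing matches. The simulator below is an added example (not part of the lab handout) that models exactly those rules so you can check, before touching a VM, which packets get masqueraded or dropped. GROUP_ID = 3, the address 192.0.2.10 (a documentation address standing in for "the outside world") and the port numbers in the demo are constructed values.

```python
"""Evaluate packets against iptables-style rules the way netfilter does: walk
the chain in order, the first matching rule's target decides, and the chain
policy applies when nothing matches.  Added example, not part of the lab
handout.  The rule lists mirror the slides: the two nat POSTROUTING MASQUERADE
rules, the Classwork 1 filter INPUT rule and the Classwork 2 POSTROUTING rule.
GROUP_ID = 3 is a constructed stand-in for <vm_group_id>."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

GROUP_ID = 3                                  # constructed stand-in for <vm_group_id>
PRIVATE_NET = f"10.0.{GROUP_ID}.0/24"         # -s 10.0.<vm_group_id>.0/24
VM_A = f"10.0.{GROUP_ID}.1"
VM_B = f"10.0.{GROUP_ID}.2"
LINUX2 = "137.189.88.145"                     # CUHK CSE Linux2 from Classwork 2
OUTSIDE = "192.0.2.10"                        # constructed "outside world" address


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    """One rule.  A None field means 'match anything' (an omitted option);
    negate_dst models the `-d !` form used by the second NAT rule."""
    target: str
    proto: Optional[str] = None       # -p
    src: Optional[str] = None         # -s (address or CIDR)
    dst: Optional[str] = None         # -d (address or CIDR)
    negate_dst: bool = False
    dport: Optional[int] = None       # --dport

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and \
                ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not None:
            in_dst = ip_address(pkt.dst) in ip_network(self.dst, strict=False)
            if in_dst == self.negate_dst:      # negation flips the test
                return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> str:
    """First matching rule wins (DROP and MASQUERADE are terminating targets);
    otherwise the chain's policy is the verdict."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# nat POSTROUTING rules from the "NAT Rules Set Up" slide (-A appends in order)
NAT_POSTROUTING = [
    Rule("MASQUERADE", src=PRIVATE_NET, dst="137.189.0.0/16"),
    Rule("MASQUERADE", proto="tcp", dst=PRIVATE_NET, negate_dst=True, dport=22),
]

# filter INPUT rule from Classwork 1 step 5
FILTER_INPUT = [Rule("DROP", proto="icmp", src=VM_B, dst=VM_A)]

# nat POSTROUTING rule from Classwork 2 step 4 (alone, after the flush)
CLASSWORK2_POSTROUTING = [Rule("MASQUERADE", src=PRIVATE_NET, dst=LINUX2)]


def nat_decision(pkt: Packet) -> str:
    return evaluate(NAT_POSTROUTING, "ACCEPT", pkt)


def input_decision(pkt: Packet) -> str:
    return evaluate(FILTER_INPUT, "ACCEPT", pkt)


def classwork2_decision(pkt: Packet) -> str:
    return evaluate(CLASSWORK2_POSTROUTING, "ACCEPT", pkt)


if __name__ == "__main__":
    cases = [
        ("VM b -> CUHK web", nat_decision, Packet(VM_B, LINUX2, "tcp", 80)),
        ("VM b -> outside SSH", nat_decision, Packet(VM_B, OUTSIDE, "tcp", 22)),
        ("VM b -> outside HTTPS", nat_decision, Packet(VM_B, OUTSIDE, "tcp", 443)),
        ("VM b -> VM a SSH", nat_decision, Packet(VM_B, VM_A, "tcp", 22)),
        ("VM b pings VM a", input_decision, Packet(VM_B, VM_A, "icmp")),
        ("VM b SSH to VM a", input_decision, Packet(VM_B, VM_A, "tcp", 22)),
    ]
    for label, decide, pkt in cases:
        print(f"{label:24s} -> {decide(pkt)}")
```

Two things the simulation makes visible. An ACCEPT verdict in POSTROUTING does not block a packet: it is still forwarded, only with its private 10.0.x.y source left in place, so the reply has no route back; that is what the slide's "can only use SSH to reach the outside world" rests on, and it is why HTTPS to the outside returns ACCEPT here rather than DROP. The second slide rule writes the negation as `-d ! <net>`; current iptables releases accept that form but print a deprecation warning and recommend `! -d <net>`, which the `negate_dst` flag models either way.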


Classwork Submission
 Please email the “capture1.png”, “capture2.png” and “capture3.png” to mzhang@cse.cuhk.edu.hk
 The email’s subject should be “lab3-classwork- <your name> - <your SID>”
