Iptables
Did a client give you a bunch of exclusions on an Internal? Looking for a layer of redundancy on top of Nessus exclusions? Iptables is the tool for you! Assume that all commands shown in this guide are run as root.
In terms of scope exclusions, firewall rules only really need to target the OUTPUT chain. You can view the rules at any time with iptables -L (add -n to print addresses and ports numerically instead of resolving them to names, which also avoids slow or failing DNS lookups).
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Specifically, you can list OUTPUT rules with iptables -L OUTPUT.
# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
For most exclusions, the format will follow iptables -A OUTPUT <options> -j DROP. -A OUTPUT adds the rule to the OUTPUT chain and -j DROP specifies that the rule should “jump” to the “DROP” target, i.e. drop the packet instead of sending it along.
Persistent Iptables
Before discussing rules, it should first be mentioned that iptables rules are transient and don't survive a reboot. To enable persistent rules, install the iptables-persistent package. Rules saved with iptables-save will then persist between reboots.
# apt-get install iptables-persistent
Installing the iptables-persistent package will prompt you to save the current rules automatically. Choose to do so if you've already configured some. If you still have rules to configure, save them manually afterwards with the following command:
# iptables-save > /etc/iptables/rules.v4
Starting Iptables Service
WARNING
If the iptables service isn’t started on your implant, your firewall rules may not be persistent. Make sure the service is running and enabled to run at boot to ensure you don’t lose your exclusions if the implant is restarted.
Note that iptables is not typically present as a service without the iptables-persistent package installed, so this step is not required if you choose not to use persistent rules.
After installing the iptables-persistent package, start the iptables service (and also enable it at boot) by running the following two commands as root. On Debian-based systems the package registers its service under the name netfilter-persistent, so substitute that name if no iptables unit is found:
# service iptables start
# systemctl enable iptables
Then check the service’s status with service iptables status to ensure that it is running properly.
Basic Rules
Block IP Address
To specify a destination IP address, use -A OUTPUT to append a rule to the OUTPUT chain, along with the -d (destination) parameter. The rule below blocks any traffic whose destination IP address is 10.12.210.1:
# iptables -A OUTPUT -d 10.12.210.1 -j DROP
# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere 10.12.210.1
Block Port
To affect connections to a specific port, indicate the protocol with -p and the port with --dport. The rules below block any TCP traffic whose destination is port 54321 and any UDP traffic destined for port 65432 on any host.
# iptables -A OUTPUT -p tcp --dport 54321 -j DROP
# iptables -A OUTPUT -p udp --dport 65432 -j DROP
# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:54321
DROP udp -- anywhere anywhere udp dpt:65432
Advanced Rules
Multiple IP Addresses
If you need to exclude several non-consecutive IP addresses, you can loop over the list of IP addresses and create individual rules, or you can use one rule to exclude multiple IP addresses. You can accomplish this using the same parameters but enter your IP addresses as a comma-separated string, and iptables automatically creates multiple rules for them.
# iptables -A OUTPUT -d 10.1.1.10,20.2.2.20,30.3.3.30 -j DROP
# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere 10.1.1.10
DROP all -- anywhere 20.2.2.20
DROP all -- anywhere 30.3.3.30
This is most useful in conjunction with specifying several ports, since it keeps the rule set easier to manage.
IP Address Ranges
Iptables handles CIDR ranges implicitly:
# iptables -A OUTPUT -d 10.10.10.0/24 -j DROP
# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere 10.10.10.0/24
However, the iprange match handles a range of IP addresses that is not given (or is not easily representable) in CIDR notation; it takes an arbitrary first-last range:
# iptables -A OUTPUT -m iprange --dst-range 1.2.3.4-1.2.3.9 -j DROP
# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere destination IP range 1.2.3.4-1.2.3.9
Multiple Ports
Multiple ports can be specified at once with the multiport match, which accepts up to 15 ports per rule. Note that iptables -L resolves port numbers to names from /etc/services where it can, which is why 21, 22 and 23 appear below as ftp, ssh and telnet (use -n to see the numbers).
# iptables -A OUTPUT -p tcp -m multiport --dport 21,22,23 -j DROP
# iptables -A OUTPUT -p udp -m multiport --dport 21,22,23 -j DROP
# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere multiport dports ftp,ssh,telnet
DROP udp -- anywhere anywhere multiport dports fsp,22,23
Removing Rules
Remove Specific Rules
To remove a single rule, use the same command you used to create the rule but replace -A (append) with -D (delete). The match must be written exactly as it was when the rule was added. Also avoid leading zeros in addresses: a zero-prefixed octet is read as octal, so 10.012.210.01 in the commands below is actually installed (and listed) as 10.10.210.1, not 10.12.210.1.
# iptables -A OUTPUT -d 10.012.210.01 -j DROP
# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere 10.10.210.1
# iptables -D OUTPUT -d 10.012.210.01 -j DROP
# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
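The rule forms above (single addresses, CIDR blocks, iprange, multiport) and the targeted deletion in this section can be driven from the client's exclusion list with a small script. This is an added example, not code from the original guide; the script name exclusions.sh, the entry formats it accepts, and the sample list are assumptions. It prints the rules for review before anything is applied, uses iptables -C so a re-run does not append duplicate rules, and removes with -D rather than flushing the chain.

```shell
#!/bin/sh
# exclusions.sh (hypothetical name): turn a client exclusion list into OUTPUT
# DROP rules, review them before applying, apply them without duplicates, and
# remove them later without flushing the rest of the chain.

# Constructed sample exclusion list, one entry per line. Supported forms:
# single address, CIDR block, first-last address range, and tcp:/udp: port lists.
SAMPLE_EXCLUSIONS='# client-supplied scope exclusions (constructed sample)
10.12.210.1
10.10.10.0/24
1.2.3.4-1.2.3.9
tcp:21,22,23
udp:161
'

# Map one exclusion entry to the iptables match that drops traffic to it.
# Prints the arguments that follow "iptables -A OUTPUT" / "iptables -D OUTPUT".
exclusion_to_match() {
    case "$1" in
        tcp:*|udp:*)
            proto=${1%%:*}
            ports=${1#*:}
            echo "-p $proto -m multiport --dports $ports -j DROP" ;;
        *-*)
            echo "-m iprange --dst-range $1 -j DROP" ;;
        *)
            echo "-d $1 -j DROP" ;;
    esac
}

# Read entries from stdin, dropping comments and blank lines, and call the
# callback named in $1 with the match for each entry.
for_each_exclusion() {
    while IFS= read -r line; do
        line=${line%%#*}                            # strip trailing comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        "$1" "$(exclusion_to_match "$line")"
    done
}

# Dry run: print the commands so they can be checked against the client's list.
print_rule()  { echo "iptables -A OUTPUT $1"; }

# Apply: -C tests whether an identical rule already exists, so re-running the
# script after the client adds an exclusion does not create duplicate rules.
# shellcheck disable=SC2086  # word-splitting of $1 into arguments is intended
apply_rule()  { iptables -C OUTPUT $1 2>/dev/null || iptables -A OUTPUT $1; }

# Remove: delete only the rules this list created, leaving any other OUTPUT
# rules (which iptables -F OUTPUT would also wipe) untouched.
# shellcheck disable=SC2086
remove_rule() { iptables -D OUTPUT $1; }

build_rules()  { for_each_exclusion print_rule; }
apply_rules()  { for_each_exclusion apply_rule; }
remove_rules() { for_each_exclusion remove_rule; }

# Usage (run as root for apply/remove):
#   sh exclusions.sh check  < exclusions.txt    # print the rules, change nothing
#   sh exclusions.sh apply  < exclusions.txt    # add missing rules, then save them
#   sh exclusions.sh remove < exclusions.txt    # delete exactly those rules
case "${1:-}" in
    check)  build_rules ;;
    apply)  apply_rules && iptables-save > /etc/iptables/rules.v4 ;;
    remove) remove_rules && iptables-save > /etc/iptables/rules.v4 ;;
esac
```

The check mode runs as an unprivileged user and touches nothing, so the generated commands can be compared line by line with the client's exclusion document before apply is run as root; the save step reuses the /etc/iptables/rules.v4 path from the persistence section so the exclusions survive a reboot of the implant.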
Remove All Rules
If you want to remove all OUTPUT rules, the -F (flush) parameter does that without needing to list specific rules. Note that it removes every rule in the chain, not only the exclusions you added. Run iptables -F OUTPUT:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere 10.100.100.10
DROP all -- anywhere 10.101.101.10
DROP all -- anywhere 10.102.102.10
DROP all -- anywhere 10.103.103.10
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere 10.100.100.10
DROP all -- anywhere 10.101.101.10
DROP all -- anywhere 10.102.102.10
DROP all -- anywhere 10.103.103.10
# iptables -F OUTPUT
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere 10.100.100.10
DROP all -- anywhere 10.101.101.10
DROP all -- anywhere 10.102.102.10
DROP all -- anywhere 10.103.103.10
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
If you want to remove all rules for all chains, run iptables -F:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere 10.100.100.10
DROP all -- anywhere 10.101.101.10
DROP all -- anywhere 10.102.102.10
DROP all -- anywhere 10.103.103.10
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere 10.100.100.10
DROP all -- anywhere 10.101.101.10
DROP all -- anywhere 10.102.102.10
DROP all -- anywhere 10.103.103.10
# iptables -F
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination