IPtables

iptables is the user-space tool that configures the packet-filtering firewall built into the Linux kernel (netfilter).

It requires root permissions (if we cannot use the root account but have sudo, we can enable it by setting a root password with sudo passwd root, entering the new password twice). It works by specifying a set of rules that decide whether packets are accepted or dropped.

To check the active rules in iptables: iptables -nL

Sometimes we may be trying to find out the rules on a system we have compromised while still not having the root password, but we may still be lucky and be able to check these rules. If the root user of the victim machine has saved these rules with the command: A copy of the rules is saved to a file that can be read without root permissions by default. Depending on the OS, these files are:

Debian/Ubuntu: /etc/iptables/rules.v4

RHEL/CentOS: /etc/sysconfig/iptables

In iptables, 0.0.0.0/0 means any address.

To remove all rules (flush): iptables -F

In iptables, INPUT refers to incoming packets, FORWARD to packets being routed through the machine, and OUTPUT to outgoing packets. When creating rules, DROP discards the packet and ACCEPT allows it, whether incoming or outgoing.

With the -P option we set the default policy of a chain. For example, the following accepts incoming packets by default (DROP instead of ACCEPT would discard them): iptables -P INPUT ACCEPT

Exceptions to a policy like the previous one can be added as rules. For example: iptables -A INPUT -s 192.168.0.1/24 -j ACCEPT

Here, -A means append a rule (in this case to the INPUT chain), -s indicates the source of the packets, and -j means "jump" to a target, i.e. what to do with the packets that match this rule (here ACCEPT, regardless of the chain's default policy).

With -p we specify the protocol of the packets, and with --dport the destination port, i.e. the local port the data is addressed to: iptables -A INPUT -p tcp --dport 5160 -j ACCEPT

With -D we can delete a rule: iptables -D INPUT 3

This deletes the third of the INPUT rules.
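The rule set above (default policy plus the subnet and port exceptions) and the saved-rules files mentioned earlier, put together as an added example; this is not code from the original notes. It goes a little beyond the text: the exceptions are appended before the policy is switched to DROP, loopback and already-established traffic are allowed so a remote session is not cut off, and a second function audits a dump in iptables-save format (the format of /etc/iptables/rules.v4 or /etc/sysconfig/iptables) for an ACCEPT default policy and rules that accept from any source. Assumptions: POSIX sh; the IPTABLES variable selects the binary (set it to echo for a dry run without root); the subnet and port are the ones from the notes; the dump in sample_dump is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# IPTABLES selects the binary; IPTABLES=echo prints the commands instead of
# running them (dry run, no root needed).
IPTABLES="${IPTABLES:-iptables}"

# Build a default-deny INPUT chain with the exceptions from the notes.
# The accept rules are appended first and the policy is set to DROP last,
# so an administrator working over SSH from $subnet keeps the session.
apply_rules() {
    subnet="$1"   # e.g. 192.168.0.0/24
    port="$2"     # e.g. 5160
    "$IPTABLES" -F INPUT                                   # flush INPUT only
    "$IPTABLES" -A INPUT -i lo -j ACCEPT                   # loopback
    "$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A INPUT -s "$subnet" -j ACCEPT            # trusted subnet
    "$IPTABLES" -A INPUT -p tcp --dport "$port" -j ACCEPT  # one service port
    "$IPTABLES" -P INPUT DROP                              # everything else
    "$IPTABLES" -P FORWARD DROP                            # not a router
    "$IPTABLES" -P OUTPUT ACCEPT
}

# Classify an INPUT ACCEPT rule that is not limited to a source address.
report_any_source() {
    case "$1" in
        *"--dport "*) printf 'any-source accept limited to a port: %s\n' "$1" ;;
        *)            printf 'any-source accept on all ports: %s\n' "$1" ;;
    esac
}

# Audit a dump in iptables-save format read from stdin. Reports chains whose
# default policy is ACCEPT and INPUT rules that accept from any source
# (explicit -s 0.0.0.0/0, or no -s match at all). Loopback rules are skipped.
audit_saved_rules() {
    while IFS= read -r line; do
        case "$line" in
            ":INPUT ACCEPT"*|":FORWARD ACCEPT"*)
                chain=${line#:}
                printf 'policy %s ACCEPT\n' "${chain%% *}"
                ;;
            "-A INPUT "*"-j ACCEPT"*)
                case "$line" in
                    *"-i lo "*)          ;;                        # loopback
                    *"-s 0.0.0.0/0"*)    report_any_source "$line" ;;
                    *"-s "*)             ;;                        # source-limited
                    *)                   report_any_source "$line" ;;
                esac
                ;;
        esac
    done
}

# Constructed sample dump (not from a real host) for trying the audit.
sample_dump() {
    cat <<'EOF'
# constructed sample in iptables-save format
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5160 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -j ACCEPT
COMMIT
EOF
}

# Usage:
#   sh firewall.sh apply 192.168.0.0/24 5160        (as root)
#   IPTABLES=echo sh firewall.sh apply 192.168.0.0/24 5160   (dry run)
#   sh firewall.sh audit < /etc/iptables/rules.v4
#   sh firewall.sh demo                             (audit the sample dump)
case "${1:-}" in
    apply) apply_rules "$2" "$3" ;;
    audit) audit_saved_rules ;;
    demo)  sample_dump | audit_saved_rules ;;
esac
```

On the sample dump the audit reports three findings: the INPUT policy is ACCEPT, the port 5160 rule accepts from any source (limited to that port), and the last rule accepts everything from everywhere, which makes the DROP policy irrelevant. Rule order matters in iptables, so the audit is also a quick way to spot an accept-all rule appended after a carefully written set of exceptions.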