
# iptables Cheat Sheet


iptables is a user-space utility that lets system administrators configure the IP packet filter rules of the Linux kernel firewall (netfilter). It is the most widely used firewall tool on Linux systems, providing packet filtering, network address translation (NAT) and packet mangling.

## Basic Concepts

### Tables and Chains

```bash
# Tables
filter    # Default table for packet filtering
nat       # Network Address Translation
mangle    # Packet alteration (marks, TTL, ToS)
raw       # Connection tracking exemption (NOTRACK)
security  # Mandatory Access Control rules (SELinux)

# Built-in Chains
INPUT     # Incoming packets to local system
OUTPUT    # Outgoing packets from local system
FORWARD   # Packets routed through the system
PREROUTING   # Packets before routing decision
POSTROUTING  # Packets after routing decision
```

### Rule Structure

```bash
# Basic syntax
iptables -t table -A chain -m match --match-options -j target

# Components
-t table     # Specify table (default: filter)
-A chain     # Append rule to chain
-I chain     # Insert rule at beginning
-D chain     # Delete rule from chain
-m match     # Match module
-j target    # Jump target (action)
```

## Basic Commands

### Listing Rules

```bash
# List all rules
iptables -L

# List rules with line numbers
iptables -L --line-numbers

# List rules in specific table
iptables -t nat -L

# List rules with packet/byte counters
iptables -L -v

# List rules in numeric format
iptables -L -n

# List rules with detailed output
iptables -L -v -n --line-numbers

# Show rules as commands
iptables-save
```

### Basic Rule Management

```bash
# Append rule to chain
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Insert rule at specific position
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

# Delete rule by specification
iptables -D INPUT -p tcp --dport 22 -j ACCEPT

# Delete rule by line number
iptables -D INPUT 3

# Replace rule at line number
iptables -R INPUT 1 -p tcp --dport 443 -j ACCEPT

# Flush all rules in chain
iptables -F INPUT

# Flush all rules in all chains (policies are kept)
iptables -F
```

### Chain Management

```bash
# Create new chain
iptables -N CUSTOM_CHAIN

# Delete empty chain (flush it first if it still holds rules)
iptables -X CUSTOM_CHAIN

# Rename chain
iptables -E OLD_CHAIN NEW_CHAIN

# Set default policy (only built-in chains have a policy)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Zero packet counters
iptables -Z
iptables -Z INPUT
```

## Filtering Rules

### Filtering by Protocol

```bash
# TCP traffic
iptables -A INPUT -p tcp -j ACCEPT

# UDP traffic
iptables -A INPUT -p udp -j ACCEPT

# ICMP traffic
iptables -A INPUT -p icmp -j ACCEPT

# All protocols
iptables -A INPUT -p all -j ACCEPT

# Specific protocol by number (see /etc/protocols)
iptables -A INPUT -p 6 -j ACCEPT  # TCP
```

### Filtering by Port

```bash
# Single port (--dport/--sport require -p tcp or -p udp)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT

# Port range
iptables -A INPUT -p tcp --dport 1000:2000 -j ACCEPT

# Multiple ports (up to 15 per multiport match)
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports 80,443 -j ACCEPT

# Exclude port
iptables -A INPUT -p tcp ! --dport 22 -j DROP
```

### Filtering by IP Address

```bash
# Single IP address
iptables -A INPUT -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -d 192.168.1.100 -j ACCEPT

# IP range (CIDR notation)
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

# IP range (explicit)
iptables -A INPUT -m iprange --src-range 192.168.1.10-192.168.1.20 -j ACCEPT

# Multiple IP addresses (expands into one rule per address)
iptables -A INPUT -s 192.168.1.100,192.168.1.101,192.168.1.102 -j ACCEPT

# Exclude IP address (the "!" goes before the option; "-s !" is the obsolete form)
iptables -A INPUT ! -s 192.168.1.100 -j ACCEPT
```

### Filtering by Interface

```bash
# Specific interface (-i is valid in INPUT/FORWARD/PREROUTING, -o in OUTPUT/FORWARD/POSTROUTING)
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT

# Interface pattern ("+" is a wildcard suffix)
iptables -A INPUT -i eth+ -j ACCEPT
iptables -A INPUT -i wlan+ -j ACCEPT

# Loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
```

## Advanced Matching

### Connection State

```bash
# Connection tracking (legacy "state" match)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP

# Connection tracking (newer "conntrack" match, preferred)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
```

### Time-based Rules

```bash
# Time range (times are UTC unless --kerneltz is given)
iptables -A INPUT -m time --timestart 09:00 --timestop 17:00 -j ACCEPT

# Specific days
iptables -A INPUT -m time --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT

# Date range
iptables -A INPUT -m time --datestart 2023-01-01 --datestop 2023-12-31 -j ACCEPT

# Combined time restrictions
iptables -A INPUT -m time --timestart 09:00 --timestop 17:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
```

### Rate Limiting

```bash
# Limit connection rate (global token bucket, not per source)
iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT

# Limit by recent connections (per source address)
iptables -A INPUT -p tcp --dport 22 -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

# Hashlimit (per-source limiting)
iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-above 10/min --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name http -j DROP
```

### String Matching

```bash
# Match string in packet payload (inspects individual packets, not reassembled streams)
iptables -A INPUT -p tcp --dport 80 -m string --string "GET /admin" --algo bm -j DROP

# Case-insensitive string matching
iptables -A INPUT -p tcp --dport 80 -m string --string "admin" --algo bm --icase -j DROP

# Hex string matching ("|47 45 54|" is "GET")
iptables -A INPUT -p tcp -m string --hex-string "|47 45 54|" --algo bm -j DROP
```

### Packet Length

```bash
# Packet length matching (layer-3 length in bytes)
iptables -A INPUT -m length --length 64 -j ACCEPT
iptables -A INPUT -m length --length 64:128 -j ACCEPT
iptables -A INPUT -m length --length :64 -j ACCEPT
iptables -A INPUT -m length --length 1500: -j DROP
```

## NAT Configuration

### Source NAT (SNAT)

```bash
# Basic SNAT (static public address)
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.1

# SNAT with port range (a port range requires -p tcp or -p udp)
iptables -t nat -A POSTROUTING -o eth0 -p tcp -j SNAT --to-source 203.0.113.1:1024-65535

# SNAT for specific source
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.1

# Masquerading (dynamic SNAT, uses the interface's current address)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Masquerading with port range (requires -p tcp or -p udp)
iptables -t nat -A POSTROUTING -o eth0 -p tcp -j MASQUERADE --to-ports 1024-65535
```

### Destination NAT (DNAT)

```bash
# Basic DNAT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100

# DNAT with port change
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80

# DNAT to an address range (connections are spread across the range)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100-192.168.1.110

# Load balancing DNAT: rule 1 takes every 3rd new connection, rule 2 every 2nd of the rest, rule 3 the remainder
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.1.100
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.1.101
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.102
```

### Port Redirection

```bash
# Redirect locally generated traffic to a local port
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080

# Redirect incoming traffic
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

# Transparent proxy (skip the proxy's own outbound connections to avoid a loop)
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner proxy -j REDIRECT --to-ports 8080
```

## Security Rules

### Basic Security

```bash
# Drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop all other input (set the policy after the allow rules are in place, or you lock yourself out of a remote session)
iptables -P INPUT DROP
```

### Anti-DDoS Rules

```bash
# SYN flood protection
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

# Ping flood protection
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT

# Port scan protection (a hit on port 139 blocks the source for a day)
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A INPUT -m recent --name portscan --remove
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

# Connection limit per IP
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
```

### Brute Force Protection

```bash
# SSH brute force protection (more than 4 new connections per minute from one source are logged and dropped)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# HTTP brute force protection
iptables -A INPUT -p tcp --dport 80 -m string --string "POST /login" --algo bm -m recent --set --name HTTP_LOGIN
iptables -A INPUT -p tcp --dport 80 -m string --string "POST /login" --algo bm -m recent --update --seconds 300 --hitcount 5 --name HTTP_LOGIN -j DROP
```

### Geo-blocking

```bash
# Block specific countries (requires the xt_geoip module and its database)
iptables -A INPUT -m geoip --src-cc CN,RU -j DROP

# Allow only specific countries
iptables -A INPUT -m geoip ! --src-cc US,CA,GB -j DROP

# Log blocked countries
iptables -A INPUT -m geoip --src-cc CN,RU -j LOG --log-prefix "GeoBlock: "
iptables -A INPUT -m geoip --src-cc CN,RU -j DROP
```

## Logging and Monitoring

### Logging Configuration

```bash
# Basic logging (LOG is non-terminating; the packet continues to the next rule)
iptables -A INPUT -j LOG --log-prefix "INPUT: "

# Detailed logging
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: " --log-level 4 --log-tcp-options --log-ip-options

# Log with rate limiting
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT_LIMITED: "

# Custom log target: ULOG only exists on old kernels (removed in 3.17); NFLOG is its replacement
iptables -A INPUT -j ULOG --ulog-nlgroup 1 --ulog-prefix "FIREWALL: "
iptables -A INPUT -j NFLOG --nflog-group 1 --nflog-prefix "FIREWALL: "
```

### Monitoring Rules

```bash
# Monitor specific ports
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH_ACCESS: "
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Monitor failed connections
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j LOG --log-prefix "CONNECTION_RESET: "

# Monitor port scans
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL_SCAN: "
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS_SCAN: "
```
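The LOG rules above only pay off if someone reads the output. This added example (not part of the original cheat sheet) summarises kernel LOG lines by prefix and source address and flags sources that hit many distinct ports; the log lines are constructed samples in the netfilter LOG format, not real captures.

```shell
#!/bin/sh
# Constructed sample of kernel LOG output (prefixes match the rules above).
SAMPLE_LOG='Jan 10 09:15:01 gw kernel: INPUT_DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 10 09:15:02 gw kernel: INPUT_DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=51235 DPT=23 SYN
Jan 10 09:15:03 gw kernel: NULL_SCAN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=51236 DPT=80
Jan 10 09:15:04 gw kernel: SSH_brute_force: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.1 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 10 09:15:05 gw kernel: INPUT_DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.1 PROTO=UDP SPT=5353 DPT=5353
Jan 10 09:15:06 gw kernel: INPUT_DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=51237 DPT=443 SYN'

# Read log lines on stdin; print "PREFIX SRC COUNT" for each (prefix, source) pair.
# The prefix is the token right after "kernel:", with its trailing colon removed.
summarize_by_source() {
    awk '{
        prefix = ""; src = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            else if ($i == "kernel:" && i < NF) { prefix = $(i + 1); sub(/:$/, "", prefix); }
        }
        if (src != "") n[prefix " " src]++;
    } END { for (k in n) print k, n[k] }' | sort
}

# Read log lines on stdin; print sources whose INPUT_DROP lines touched more
# than $1 distinct destination ports (a cheap scan indicator, not proof of one).
scanning_sources() {
    awk -v t="$1" '/ kernel: INPUT_DROP: / {
        src = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++;
    } END { for (s in ports) if (ports[s] > t) print s, ports[s] }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | summarize_by_source
printf '%s\n' "$SAMPLE_LOG" | scanning_sources 2
```

On a live system feed it with `grep 'kernel:' /var/log/kern.log` or `journalctl -k` instead of the sample.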

### Statistics and Counters

```bash
# View packet counters
iptables -L -v -n

# Reset counters
iptables -Z

# Per-rule statistics
iptables -L INPUT -v -n --line-numbers

# Export statistics (-x prints exact counters instead of K/M/G suffixes)
iptables -L -v -n -x > /tmp/iptables_stats.txt
```

## Persistence and Management

### Saving Rules

```bash
# Debian/Ubuntu (iptables-persistent / netfilter-persistent)
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

# Red Hat/CentOS (iptables-services)
service iptables save
systemctl enable iptables

# Manual save/restore
iptables-save > /etc/iptables.rules
iptables-restore < /etc/iptables.rules
```

### Automatic Loading

```bash
# Systemd service
cat > /etc/systemd/system/iptables-restore.service << EOF
[Unit]
Description=Restore iptables rules
After=network.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables.rules
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF

systemctl enable iptables-restore

# Network interface script (ifupdown systems)
cat > /etc/network/if-up.d/iptables << EOF
#!/bin/bash
iptables-restore < /etc/iptables.rules
EOF
chmod +x /etc/network/if-up.d/iptables
```

### Configuration Management

```bash
# Backup current rules
iptables-save > /backup/iptables-$(date +%Y%m%d).rules

# Test rules temporarily
iptables-restore < /tmp/test-rules.txt
# Rules will be lost on reboot if not saved

# Atomic rule replacement: --test parses the file without touching the kernel;
# iptables-restore itself swaps each table in one step, so no half-applied state is visible
iptables-restore --test < new-rules.txt && iptables-restore < new-rules.txt
```

## Troubleshooting

### Common Issues

```bash
# Check if iptables is running
systemctl status iptables
systemctl status netfilter-persistent

# Verify kernel modules
lsmod | grep ip_tables
lsmod | grep iptable_filter
lsmod | grep iptable_nat

# Load required modules
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe nf_conntrack   # "ip_conntrack" is the pre-2.6.20 name of this module

# Check for rule conflicts (first matching rule wins, so read top to bottom)
iptables -L -v -n --line-numbers
```

### Debugging Rules

```bash
# Trace packet path (output goes to the kernel log and needs a logging backend such as nf_log_ipv4; remove the rules afterwards, they are verbose)
iptables -t raw -A PREROUTING -p tcp --dport 80 -j TRACE
iptables -t raw -A OUTPUT -p tcp --dport 80 -j TRACE

# Monitor logs
tail -f /var/log/kern.log | grep iptables
tail -f /var/log/messages | grep kernel

# Test connectivity
nc -zv target_ip port
telnet target_ip port
nmap -p port target_ip

# Packet capture (tcpdump sees ingress packets before INPUT rules, so a packet visible here but not reaching the service is being filtered)
tcpdump -i any -n port 80
tcpdump -i any -n host 192.168.1.100
```

### Performance Issues

```bash
# Check connection tracking (current entries vs. table size; a full table drops new connections)
cat /proc/net/nf_conntrack | wc -l
cat /proc/sys/net/netfilter/nf_conntrack_max

# Optimize connection tracking
echo 65536 > /proc/sys/net/netfilter/nf_conntrack_max
echo 300 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established

# Monitor rule performance
iptables -L -v -n | grep -E "pkts|Chain"
```

## Advanced Features

### Custom Chains

```bash
# Create custom chain
iptables -N CUSTOM_INPUT

# Add rules to custom chain
iptables -A CUSTOM_INPUT -p tcp --dport 22 -j ACCEPT
iptables -A CUSTOM_INPUT -p tcp --dport 80 -j ACCEPT
iptables -A CUSTOM_INPUT -j DROP

# Jump to custom chain
iptables -A INPUT -j CUSTOM_INPUT

# Return from custom chain (continues in the calling chain; must sit before the catch-all DROP above to ever be reached)
iptables -I CUSTOM_INPUT 3 -p tcp --dport 443 -j RETURN
```

### Packet Marking

```bash
# Mark packets
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -j MARK --set-mark 1

# Match marked packets
iptables -A FORWARD -m mark --mark 1 -j ACCEPT

# Copy marks between the packet and its connection (marks are per-packet; CONNMARK persists them)
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
```

### Traffic Shaping Integration

```bash
# Mark traffic for QoS (tc filters can select on the fwmark)
iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -p tcp --sport 80 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -p tcp --sport 443 -j MARK --set-mark 2

# Classify traffic directly into a tc class (major:minor)
iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -p tcp --sport 80 -j CLASSIFY --set-class 1:20
```

## Best Practices

### Security Best Practices

```bash
# Default deny policy (with OUTPUT DROP the host also needs OUTPUT rules for lo and ESTABLISHED,RELATED, or it cannot answer anything)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow only necessary traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT

# Log dropped packets
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
iptables -A INPUT -j DROP

# Regular rule review
# Document all rules
# Remove unused rules
# Test rule changes
```
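The Basic Security and Security Best Practices rules above are issued one `iptables` call at a time. This added example (not from the original cheat sheet) writes the same default-deny baseline as an `iptables-restore` file, the form that `iptables-restore --test` can validate and apply atomically; the management network and SSH port are assumptions, and the helper functions only inspect the generated text so they run without root.

```shell
#!/bin/sh
# Assumed values for the example; override via the environment.
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# Emit the baseline in iptables-save format: ":CHAIN POLICY [pkts:bytes]",
# then -A rules, then COMMIT for the table. Lines starting with # are ignored by iptables-restore.
baseline_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
# Loopback, replies to connections this host opened, and broken state
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the management network, with per-source brute-force limiting
-A INPUT -p tcp --dport $SSH_PORT -s $MGMT_NET -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $SSH_PORT -s $MGMT_NET -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j LOG_DROP
-A INPUT -p tcp --dport $SSH_PORT -s $MGMT_NET -j ACCEPT
# Everything else: rate-limited log, then drop
-A INPUT -j LOG_DROP
-A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "INPUT_DROP: " --log-level 4
-A LOG_DROP -j DROP
COMMIT
EOF
}

# Text-level checks usable before "iptables-restore --test" (which needs the real binary).
ruleset_policy() {          # ruleset_policy CHAIN -> policy ("-" for user chains)
    baseline_ruleset | awk -v c=":$1" '$1 == c { print $2 }'
}
ruleset_rule_count() {      # number of -A rule lines
    baseline_ruleset | grep -c '^-A '
}
ruleset_has_commit() {      # every table block must end with COMMIT
    baseline_ruleset | grep -q '^COMMIT$'
}

baseline_ruleset
```

Apply it with `baseline_ruleset > new-rules.txt && iptables-restore --test < new-rules.txt && iptables-restore < new-rules.txt`.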

### Performance Best Practices

```bash
# Order rules by frequency
# Most common rules first
# Specific rules before general rules

# Use connection tracking (one early match handles most traffic)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Minimize rule complexity
# Use custom chains for complex logic
# Avoid unnecessary string matching

# Optimize connection tracking (persistent; run "sysctl -p" to apply)
echo 'net.netfilter.nf_conntrack_max = 131072' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_timeout_established = 300' >> /etc/sysctl.conf
```

### Management Best Practices

```bash
# Version control
git init /etc/iptables
git add /etc/iptables/rules.v4
git commit -m "Initial iptables configuration"

# Testing procedures
# Test in staging environment
# Use iptables-restore --test
# Have rollback plan ready

# Documentation
# Document rule purposes
# Maintain change log
# Include contact information

# Monitoring
# Set up log monitoring
# Monitor rule hit counts
# Alert on policy violations
```
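"Have rollback plan ready" matters most when the rules are applied over the same SSH session they could cut off. This added example (not part of the original cheat sheet) wraps `iptables-restore` in a test, back up, apply, auto-rollback sequence: the old rules come back after a grace period unless the change is confirmed. `RESTORE_CMD` and `SAVE_CMD` default to the real tools and are overridable only so the logic can be exercised without root (an assumption of the example).

```shell
#!/bin/sh
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}"
SAVE_CMD="${SAVE_CMD:-iptables-save}"

# safe_apply RULES_FILE [GRACE_SECONDS]
# 1. reject the file if iptables-restore --test does not parse it (kernel untouched)
# 2. save the live rules to a backup file
# 3. apply the new rules
# 4. start a watchdog that restores the backup after GRACE_SECONDS unless
#    confirm_apply removed it first. The backup path is left in SAFE_APPLY_BACKUP.
safe_apply() {
    rules="$1"; grace="${2:-60}"
    SAFE_APPLY_BACKUP=""
    "$RESTORE_CMD" --test "$rules" || { echo "ruleset rejected, nothing changed" >&2; return 1; }
    backup="$(mktemp)" || return 1
    "$SAVE_CMD" > "$backup" || { rm -f "$backup"; return 1; }
    "$RESTORE_CMD" "$rules" || { rm -f "$backup"; return 1; }
    # The backup file doubles as the "not yet confirmed" flag for the watchdog.
    ( sleep "$grace"; [ -f "$backup" ] && "$RESTORE_CMD" "$backup" && rm -f "$backup" ) >/dev/null 2>&1 &
    SAFE_APPLY_BACKUP="$backup"
    echo "applied; run: confirm_apply $backup  (within ${grace}s, or the old rules return)" >&2
}

# confirm_apply BACKUP_PATH: keep the new rules by disarming the watchdog.
confirm_apply() { rm -f "$1"; }
```

Typical use is `safe_apply /etc/iptables/new-rules.txt 90`, then, once a fresh SSH login succeeds, `confirm_apply "$SAFE_APPLY_BACKUP"`.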
