This document discusses iptables and related tools for packet filtering and network address translation (NAT). It provides information on xtables extensions that add new capabilities to iptables rules. Examples are given for common iptables rules using NAT, state tracking, and extensions. The document also covers DHCP and how to execute scripts using DHCP events like client lease commitment and expiration to dynamically update iptables rules based on DHCP leases.

1. Iptables
Advanced..

2. Content
• Iptables
• Packet’s journey
• xtables
• Rules
• DHCP
• DHCP events
• Problem statement
• reference

3. Packet’s journey

4. Xtables
• “Xtables-addons is the successor to patch-o-
matic(-ng). Likewise, it contains extensions
that were not accepted in the main iptables
package
• no patches (.diff files) or POM trees
• extensions built as modules
• no reboot, instant use – also perfect for
development

5. Xtables cont..
• Download the xtables-addons
• Extract the tar file and edit the mconfig file to
install the iptable module you want
• Just do configure ,make and make install as
per INSTALL file
• Geoip,string,ipp2p,TARPIT,pknock

6. Rules
• iptables -A PREROUTING -t nat -i eth0 --dst 204.215.46.78 -p tcp --dport 41234 -
j DNAT --to 10.12.12.1:3389 –j LOG –log-level 4
• iptables --table nat -A POSTROUTING -o eth0 --src 10.23.0.0/16 --dst
125.11.158.211 -p tcp --dport 3389 -j SNAT --to-source 204.215.46.78
• Iptables --table filter -A INPUT -p tcp --src 10.10.11.11 --sport 1024:65535 --dst
10.10.0.11 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
• Iptables --table filter -A OUTPUT -p tcp --src 10.10.0.11 --sport 22 --dst
10.10.0.11 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
• iptables -A PREROUTING -t mangle -i eth0 --src 10.10.0.10/16 -p tcp --dport 443
-j MARK --set-mark 2

7. Rules cont..
• iptables -A INPUT -p tcp -m pknock --knockports
4002,4001,4004 –strict --name SSH --time 10 --autoclose 60 --
dport 22 -j ACCEPT
• iptables -A FORWARD -t mangle -m ipp2p --bit --kazaa --edk --
dc –gnu –winmx --ares -j DROP
• iptables -A FORWARD -m geoip --src-cc CN --dst
187.78.0.90/24 -j DROP
• Iptables -A BLACKLIST -p tcp -d 10.0.10.11 --sport 443 -m time
--timestart 10:01 --timestop 07:59 --weekdays
Mon,Tue,Wed,Thu,Fri,Sat,Sun -m string --string “facebook" --
algo kmp -j DROP

8. DHCP

9. DHCP Events
• Commit
server has made a commitment of a
certain lease to a client
• Release
client has released the server from its
commitment
• Expiry
commitment expires

10. DHCP configuration
• on commit { set ClientIP = binary-to-ascii(10, 8, ".", leased-
address); execute("/home/commitip",ClientIP); }
• on release { set ClientIP = binary-to-ascii(10, 8, ".", leased-
address); execute("/home/releaseip",ClientIP); }
• on expiry { set ClientIP = binary-to-ascii(10, 8, ".", leased-
address); execute("/etc/rc5.d/expiryip",ClientIP); }
• Jun 18 09:48:39 dhcp dhcpd: execute_statement argv[0] = /home/commitip
Jun 18 09:48:39 dhcp dhcpd: execute_statement argv[1] = 192.168.34.67

11. Scripts..
Commit
• #!/bin/bash
iptables -L -n|grep -irw "$1"
z=$?
if [ $z -eq 0 ]
then
echo "nothing to add" >> /tmp/error
else
iptables -I FORWARD 1 --src 0.0.0.0/0 --dst $1 -j ACCEPT
Expire
#!/bin/bash
iptables -D FORWARD --src 0.0.0.0/0 --dst $1 -j ACCEPT

12. Reference
• http://www.linuxwizard.org/centos/xtables-addons-centos-6-iptables-geoip-
filtering/
• http://www.ipp2p.org/docu_en.html
• https://github.com/tinti/xtables-
addons/blob/master/extensions/pknock/libxt_pknock.man
• http://jpmens.net/2011/07/06/execute-a-script-when-isc-dhcp-hands-out-a-new-
lease/
• Siju Thomas