### iptables stuff

* stateful = able to maintain status on connections over the host; the firewall can filter on connection state (finer grained control)
* stateless = only the packet header is inspected; cannot determine if a packet is part of an existing connection or isolated & malicious
* tables contain "chains", which contain rules; chains are for groups of rules
* 3 built-in tables: filter, nat, and mangle
* 3 built-in chains: FORWARD (packets entering the host but destined elsewhere), INPUT, OUTPUT
* 3 built-in policies (actions): DROP, REJECT, ACCEPT; default policies are: I/O ACCEPT, FORWARD DROP
* if an interface/destination isn't specified (-i/-d), then iptables assumes the rule applies to all interfaces/addresses
* service names can be used instead of port numbers
* get the ephemeral port range via /proc/sys/net/ipv4/ip_local_port_range
* use -j USER_CHAIN to redirect traffic to a chain for better structuring
* LOG rules must precede the rule that finally drops/accepts the traffic (LOG is non-terminating, so the packet carries on to the next rule); options: --log-prefix "BLAH ", --log-level level, --log-tcp-sequence, --log-tcp-options, --log-ip-options
* log targets can have firewall syntax first, i.e. -m state --state NEW and terminate in -j LOG
* use iptables -p proto -h to see all options for the chosen protocol
* use --icmp-type name|number for specific icmp types
* use "!" for negation; gotcha - always use an explicit ACCEPT with a source ip/range first, then use negation for the remaining (ssh tests)
* consider blocking a source IP address as an INPUT target
* consider blocking non-routable address spaces
* consider using the "INVALID" state for stopping floods
* log_martians, icmp_echo_ignore_all, icmp_echo_ignore_broadcasts kernel params

# icmp messages

* allow echo and echo reply for pings
* allow time exceeded and destination unreachable for traceroute

# flag details

* -A/-I = add to the end/top of chain(s); using -I chain n allows you to add a rule at a specific line (n)
* --line-numbers = duh!
* -t filter,nat,mangle = choose specific table to list; defaults to filter
* -i/-o interface = dictates input/output filter interface
* --(s|d)port = source/destination ports (both can be specified in a rule)
* --tcp-flags F,F F,F = applies rule based on specified flags
* -p tcp,udp,icmp,n = use tcp, udp, icmp, or n (protocol number)
* -m module_name = enables matching via modules; man iptables for modules (lots of goodies, os detection?!)
* -v = used with -L will show packet and byte counts
* -P chain policy = sets the default policy for chain
* -R chain s# rule = replaces existing rule based on sequence number (line number)
* -Z chain = zeros byte and packet counts on chain
* -E old new = renames a user-created chain; cannot change built-ins
* -X chain = deletes a user chain; chain must be empty first

# nice modules

* --state = for stateful matching
* --limit n/second,minute,day = limiting return packets; --limit-burst n

# custom IP chains (using an iptables-restore file)

* traffic matching a rule gets processed by the user-defined chain and then returns to the original chain (INPUT, etc.)
* use chains for services/ports and then filter using the custom chain, address, and policy (DROP/ACCEPT)
1.) Declare the chain at the top of the iptables file: :CUSTOMNAME - [0:0]
2.) Decide on the built-in chain it hangs off (INPUT, OUTPUT, FORWARD): -A chain options -j CUSTOMNAME
3.) Create the rules and policy inside CUSTOMNAME: -A CUSTOMNAME options -j policy
* using -m for connection tracking: -m protocol -p protocol -m state --state BLAH
* logging options go after -j LOG
* iptables ranges (better to use CIDR!!): -m iprange --src-range 1.1.1.1-1.1.1.255 --dport 1:100
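Added example (not from the original notes): one shell script that turns the points above into a single iptables-restore ruleset, because the `:CUSTOMNAME - [0:0]` declaration in the custom-chain steps is that file format. It covers the stateful INPUT rules with INVALID dropped, the four ICMP types needed for ping and traceroute, a rate-limited LOG placed before its DROP, a user chain for SSH with an explicit ACCEPT for a trusted range followed by the negated DROP, and `-m limit`. The chain names `SSH_IN` and `LOGDROP`, the trusted range `192.0.2.0/24` (the TEST-NET-1 documentation range) and the log prefix are constructed placeholders. The script only generates and checks text, so it runs without root; loading the result would be `iptables-restore < ruleset.v4` as root.

```shell
#!/bin/sh
# Added example: build and sanity-check an iptables-restore ruleset that applies
# the notes above. Nothing here touches the live firewall; it only emits text.

ADMIN_NET="192.0.2.0/24"   # assumed trusted admin range (constructed placeholder)

# Emit the ruleset in iptables-restore format. Comment lines (#) are ignored by
# iptables-restore, so the explanations can stay in the generated file.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_IN - [0:0]
:LOGDROP - [0:0]
# INPUT policy is DROP here as a safety net (the notes list ACCEPT as stock default);
# the catch-all -j LOGDROP at the bottom means the policy is rarely reached.
-A INPUT -i lo -j ACCEPT
# stateful: replies to our own connections come back in, untracked junk is dropped
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# ICMP: echo-request/echo-reply for ping (rate-limited), time-exceeded and
# destination-unreachable so traceroute keeps working. No -i given, so these
# apply to every interface.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
# new SSH connections are handed to the user chain; it returns here if nothing matched
-A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_IN
# anything left over is logged and dropped
-A INPUT -j LOGDROP
# SSH_IN: the explicit ACCEPT for the admin range comes FIRST, then the negation
-A SSH_IN -s ${ADMIN_NET} -j ACCEPT
-A SSH_IN ! -s ${ADMIN_NET} -j LOGDROP
# LOGDROP: LOG is non-terminating, so it must precede the DROP; -m limit keeps
# a flood from filling the log. Logging options come after -j LOG.
-A LOGDROP -m limit --limit 3/minute --limit-burst 5 -j LOG --log-prefix "IPT-DROP " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# rule_precedes CHAIN REGEX_A REGEX_B
# Exit 0 if the first rule matching REGEX_A in CHAIN sits above the first rule
# matching REGEX_B in the same chain. Used to catch the classic ordering bugs:
# a DROP above its LOG, or a negated rule above the explicit ACCEPT.
rule_precedes() {
    build_ruleset | awk -v c="$1" -v a="$2" -v b="$3" '
        $1 == "-A" && $2 == c && $0 ~ a && !la { la = NR }
        $1 == "-A" && $2 == c && $0 ~ b && !lb { lb = NR }
        END { exit !(la && lb && la < lb) }'
}

# Check the two ordering invariants, then print the ruleset for inspection.
if rule_precedes LOGDROP '-j LOG ' '-j DROP$' \
   && rule_precedes SSH_IN '^-A SSH_IN -s ' '^-A SSH_IN ! -s '; then
    build_ruleset
else
    echo "ruleset error: LOG must precede DROP and ACCEPT must precede the negation" >&2
    exit 1
fi
```

To use it, redirect the output to a file (`sh build.sh > ruleset.v4`) and review it before loading. The `rule_precedes` check is the part worth keeping around: it is cheap to run in a pre-commit hook on a ruleset file and it catches the two mistakes the notes warn about (a LOG that never fires because the DROP is above it, and a `!` negation that swallows the trusted range because the explicit ACCEPT was placed after it).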