The basics of iptables in Linux November 7, 2010Posted by Tournas Dimitrios in Linux.
This article is just an introduction to iptables , just to get started . Promise you this topic is not so difficult to understand . First read the article and then follow the three screen casts at the end of this article .So let’s get started
Iptables is in short a Linux based packet filtering firewall. Iptables interfaces to the Linux netfilter module to perform filtering of network packets. This can be to deny/allow traffic filter or perform Network Address Translation (NAT). With careful configuration iptables can be a very cost effective, powerful and flexible firewall or gateway solution. Iptables is available from http://www.netfilter.org/ or via your Linux distribution. A basic rule of thumb is that you want to block all inbound traffic and then specify which traffic you want to receive. Depending on levels of security needed this policy could also be applied to outgoing traffic. With iptables you first set rules to allow traffic you want to get through the firewall then set a rule to deny all traffic. Iptables rules are grouped into chains. A chain is a set of rules used to determine what to do with a packet. These chains are grouped into tables. Iptables has three built in tables filter, NAT, mangle. More tables can be added through iptables extensions.The mangle table is a more advanced topic , so I’ll skip it .
- Filter Table
The filter table is used to allow and block traffic, and contains three chains INPUT, OUTPUT, FORWARD. The input chain is used to filter packets destined for the local system. The output chain is used to filter packets created by the local system. The forward chain is used for packets passing through the system, mainly used for gateways/routers.
- NAT Table
The NAT table is used to setup the rules to rewrite packets allowing NAT to happen. This table also has 3 chains, PREROUTING, POSTROUTING, and OUTPUT. The prerouting chain is where packets come to prior to being parsed by the local routing table. The postrouting chain is where packets are sent after going through the local routing table. The output chain
The following 4 sections summarises the concept of iptables , read them twice before watching the three screen- casts
1. iptables tables
iptables contains 3 tables:
a. filter table
b. nat table
c. mangling table
a. filter table
This table is used to filter packets that pass the firewall. Its purpose is only packet filtering, and will filter packets that comes to the machine (incoming), packets that goes out (outgoing) and packets that are forwarded between network cards (filtering), in case that machine has two or more network cards.
That table contains 3 chains: INPUT chain, OUTPUT chain and FORWARD chain.
INPUT chain – used to filter incoming packets
OUTPUT chain – used to filter outgoing packets
FORWARD chain – used to filter forwarded packets (between network cards).
b. nat table
This table is used to change source of the IP.
PREROUTING chain – used to change IP before forwarding take place
POSTROUTING chain – used to change IP after forwarding take place
OUTPUT chain – used to filter on outgoing
This tables is used to modify packets.
2. Syntax of a iptables rule:
iptables name_of_table name_of_chain layer3_object layer4_object jump_target
– by default if name of table is not specify (with “-t nat” for example, for nat table, or “-t mangle” for mangle table), default table is used: filter table;
– layer4_object is not mandatory;
iptables -A INPUT -s 192.168.0.1 -j DROP # will drop all packets that comes from IP 192.168.0.1
3. Chain management
List tables and chains:
iptables -L # will list all rules from all chains from filter table
iptables -L -v # will list all rules from all chains from filtering table, in verbose mode, showing also packets and bytes that matched that rules
iptables -L -v –line-numbers # will show above and also rule numbers
iptables -L INPUT # will show all rules from INPUT chain from filter table
iptables -L -t nat # will show all rules from all chains from nat table
iptables -t nat -L PREROUTING # will show all rules from PREROUTING chain from nat table
iptables -L -t mangle # will show all rules from all chains from mangle table
Adding rules to chains:
To add a rule to a chain use:
iptables -A INPUT -s 192.168.0.1 -j ACCEPT # will allow traffic from source IP 192.168.0.1
iptables -A INPUT -p tcp –dport 22 -j DROP # will drop all traffic to destination port 22 (our ssh port)
iptables -A will append rule at the end of rules list in your specified chain. if you want to insert a rule on a specific position in your chain, then you must use -I.
iptables -I INPUT 1 -s 192.168.0.1 -j ACCEPT # will add rule in position 1 in your INPUT chain
iptables -I INPUT 10 -p tcp –dport 22 -j DROP # will add a rule in position 10 of your INPUT chain.
Rules are evaluated from first to last rule. On ACCEPT or DROP rules, if a rule is matched, it will not be evaluated to next rules.
Note 1: if you want to block traffic that comes to your machine you must add rule on INPUT chain. If you want to block traffic to a destination IP from your machine you must add rule in OUTPUT chain. Also you must have networking knowledge and you must understand how firewall works.
Note 2: Each chain have a default policy. Policy can be ACCEPT or DROP, by default all CHAIN have ACCEPT policy.
Note 3: When adding a rule -j parameter (jump) can have the following values: ACCEPT, DROP, REJECT, DENY, LOG.
Delete all rules from all chains:
iptables -F # will delete all rules from filter table
iptables -F -t nat # will delete all rules from nat table
iptables -F -t mangle # will delete all rules from mangle table
Deleting a rule from a chain:
To delete a rule from a chain you have two posibilities: to delete a rule using rule number or to delete using syntax used when rule was added:
iptables -D INPUT 10 # will delete rule 10 from INPUT chain
iptables -D PREROUTING 10 -t nat # will delete rule 10 from PREROUTING chain from nat table
iptables -D INPUT -s 192.168.0.1 -j ACCEPT # will delete rule that was added with iptables -A INPUT -s 192.168.0.1 -j ACCEPT
Note: On our previous example, the first rule that match that syntax will be deleted. If are many similar rules, only first will be deleted. To delete all rules that match that syntax, you must use previous command multiple times until you delete all rules.
To delete all rules you can also use (on some old versions of linux, it will not work with -F but with –flush, because of some bugs):
Saving / Restoring iptables rules:
(If iptables is not in your path, you can use absolute paths: /sbin/iptables-save, and /sbin/iptables-restore).
Running iptables-save will output rules on standard output (usualy this is screen, so because of that you must use redirections).
4. Chain policy
As I said previously, each chain have a default policy that can be ACCEPT or DROP and by default all CHAIN have ACCEPT policy.
To change chain policy use:
iptables -P INPUT DROP
Note 1: If you are logged to your machine remotely via SSH (and you are not at console) be careful when you change default policy to drop, to not lock you out. Usualy when sysadmins tests firewall remotely it is a good practice to add to your CRON service a rule that will open the firewall, and you enable that script to run every half an hour or 15 minutes, so if you will lock out of your box, after 15 minutes the firewall will be opened.
Note 2: When you design firewall rules to allo access to your machine and block everything else, take in consideration that traffic goes both ways. If you allow traffic on INPUT chaing but your OUTPUT chain block everything, your rule will not work. Usualy is a good practice when you protect your machine to allow everything on OUTPUT ( you want to be able from your machine to do anything), and block everything on INPUT (incoming) for connections that are not initiated from your machine. If your machine run public services, like for example a web server, or a mail server then you must allow connections from outside on INPUT only on ports used by those services (for example allow incoming on port 80 – http, port 25 – smtp, port 110 – pop3 and 143 -imap, mail services.) So as a conclusion when you design your firewall, setup your default policy on INPUT to drop all packets and on OUTPUT leave it default, to allow everything. And then design your firewall.
Note 3: If your machine is not only connected to Internet, but is also a router for your LAN clients, then you must also filter connections from LAN. It is recommended to change policy on FORWARD chain to DROP and then allow only IPs you want from LAN to be able to access Internet.
Read also : This article from CentOs HowTo’s
Now you are prepered to follow these screen casts
Mastering IPTables, Part I
Mastering IPTables, Part 2
Mastering IPTables, Final Installment