iptables - The poor man's robust firewall for Linux

October 17, 2005
A firewall is a software which is used to control the movement of network traffic according to a set of rules. Linux ships with an excellent GPLed firewall called iptables. Here I will explain the rudimentary concepts in using iptables.

Iptables is a packet filter which supersedes the erstwhile ipchains. It forms the first point of contact for packets that flow into or out of your network. In fact the packets are checked in the following order when it reaches your computer.

+-----------+
| Incoming |
| packet |
+-----------+
|
|
v
+-----------+
| Iptables | --> Block
+-----------+
| Pass
|-------> Forward to another system
|
| Kernel Space
----------------------------------------
| User Space
|
v
+--------------+
| TCP Wrappers | --> Block
+--------------+
| Pass
|
v
+--------------------+
| xinetd based rules | --> Block
+--------------------+
| Pass
|
v
Onward journey
of the packet

As you can see in the above diagram, iptables works in the kernel space.

Here I will give a simple introduction to this very useful and powerful but cryptic form of securing ones network.
If you are using kernel 2.4 and above, you will be using iptables. Iptables functionality is directly compiled into the Linux kernel as a module (netfilter). The policies are checked at the layers 2, 3 and 4 of the OSI Reference Model. That is 'Datalink', 'Network' and 'Transport' layer. It is very fast because only the packet headers are inspected. There is a wonderful tutorial on configuring firewalls using iptables at Netfilter.org. But if you are lazy (like me :) ) to plod through over 130 pages of the tutorial, then read on ...

Netfilter is divided into tables which in turn are divided into chains. And each chain can have different targets.

Netfilter tables :
There are three inbuilt tables. They are as follows:
  1. filter - This is the default table if no table name is specified in the rule. The main packet filtering is performed in this table.
  2. nat - This is where Network Address Translation is performed. For example, if you are using your machine as a router or sharing your internet connection with other machines on your network, you might use the NAT table in your rule.
  3. mangle - This is where a limited number of 'special effects' can happen. This table is rarely used.
Netfilter chains :
I said above that each table has a number of inbuilt chains. These are as follows:
For filter table
  1. INPUT - Handles packets destined for the local system, after the routing decision.
  2. OUTPUT - This chain handles packets after they have left their sending process and before being processed by POSTROUTING (applicable to nat and mangle) chain.
  3. FORWARD - This chain handles packets routed through the system but which are actually destined for another system on your LAN.
For the nat table
  1. OUTPUT - see explanation above.
  2. PREROUTING - This is the entry point of packets on their arrival. All packets first pass through this chain before even passing through the routing decision.
  3. POSTROUTING - If PREROUTING is the first chain that a packet encounters, POSTROUTING is the final point of contact for any packet before it leaves the system.
For mangle table
  • The mangle table contains a union of all the chains in the filter and nat tables.

Note: Over and above the builtin chains, you can also have custom user defined chains too. Usually you use a custom chain to group a series of actions together before passing it to one of the inbuilt chains.

Rule targets :
As I said above, each chain can have different targets. They are broadly classified into builtin and extension targets. The target names must be preceded by the option -j . -j as in jump. These are the targets:

Builtin targets
  • DROP - As the name indicates, discards the packet. No message is relayed back to the sender of the packet.
  • ACCEPT - Allows the packet to pass through the firewall.
  • RETURN - This is a built in target which is created for convenience. Because most targets do not return. That is if a packet matches a rule, the checking of that packet ceases and the chain is exited.
Extension targets
  • LOG - This is used to log messages to your system of offending or blocked packets. Usually, control is passed to the syslog facility which logs the message to the file /var/log/messages and then returns the control back to the iptables.
  • REJECT - If this target is used, a notice is sent back to the sender. Like for example "you are denied access to this service" message.
  • DNAT - Used for destination NAT ie rewriting the destination IP address of the packet.
  • SNAT - Used for rewriting the source IP address of the packet.
  • MASQUERADE - This is used to do either SNAT or DNAT. Basically this target is used to set up internet connection sharing in your network.
Note: All extension targets are usually implemented in special-purpose kernel modules. To know which all modules are loaded on your system, execute the command:


# lsmod |grep ipt

ipt_limit 1792 8
iptable_mangle 2048 0
ipt_LOG 4992 8
ipt_MASQUERADE 2560 0
iptable_nat 17452 1 ipt_MASQUERADE
ipt_TOS 1920 0
ipt_REJECT 4736 1
ipt_state 1536 6
ip_conntrack 24968 5 ipt_MASQUERADE,
iptable_nat,ip_conntrack_irc,ip_conntrack_ftp,ipt_state
iptable_filter 2048 1
ip_tables 13440 9 ipt_limit,iptable_mangle,ipt_LOG,
ipt_MASQUERADE,iptable_nat,ipt_TOS,ipt_REJECT,ipt_state,
iptable_filter

These are the modules that are loaded on my system. As you can see, all modules that start with the name 'ipt_' are extension modules. So in the above listing, iptable_nat module uses a extension module called ipt_MASQUERADE . And to use the LOG extension target, you should have loaded the ipt_LOG extension module. So on and so forth :) .

A few examples to whet your appetite

# iptables -t filter -A INPUT -p tcp -s 192.168.0.5 -j DROP
The above rule can be read as follows. In the filter table (-t), append (-A) to the INPUT chain the rule that, all packets using the protocol (-p) tcp and originating (-s) from the remote machine with IP address 192.168.0.5 should be dropped (-j DROP).

# iptables -A FORWARD -s 0/0 -p TCP -i eth0 -d 192.168.5.5
-o
eth1
--sport
1024:65535 --dport 80 -j ACCEPT
This rule reads as follows: Append (-A) to the FORWARD chain, the rule that all packets coming from anywhere (-s 0/0) using the protocol (-p) TCP and using unreserved ports (--sport 1024:65535), incoming (-i) through the interface eth0 , and destined (--dport) for port 80 on address (-d) 192.168.5.5 and outgoing (-o) through the interface eth1 should be accepted.

# iptables -L
List (-L) all the rules in the iptables.

# iptables -F
Flush (-F) all the rules from iptables. Now you can start afresh.

# iptables -A OUTPUT -j LOG
# iptables -A INPUT -j LOG
Log all incoming and outgoing rules in the filter table to the file /var/log/messages.

I hope you have got the drift ;) . Iptables is a very powerful and flexible tool and can be used to block anything or everything that comes into or goes out of your computer.

Wait there is one more thing ...

Usually the commands that you executed above will reside in memory but will not persist across rebooting. Which means, once you reboot, all your rules are lost and you have to start all over. So to avoid this, you save your rules into a file which is read by the OS when you reboot your machine.
In RedHat/Fedora, the iptables rules are saved in the file /etc/sysconfig/iptables . You save it using the programs iptables-save as follows:
# iptables-save > /etc/sysconfig/iptables 

or do the following :
# service iptables save 

There is another script called iptables-restore which can be used to load the rules from a file into memory.

1 comments:

  • Nice article, indeed. There is one important thing left to mention. iptables is a _stateful_ inspection packet filter, that can not only block/drop or accept packets, but checks relations of packets via connection tracking, even for udp or icmp.

    This is pretty easy done by simply utilizing "--m state --state" and worth to mention.

    May be you want to add some hint.

    polarizers 2cent