

Introduction To Iptables


Iptables is the standard command-line tool for configuring the packet-filtering framework (netfilter) built into the Linux kernel, and it is available on virtually every Linux distribution (newer releases often ship nftables underneath, usually with an iptables-compatible front end, so the syntax below still applies). It filters incoming and outgoing packets, controls which packets are forwarded, and manages NAT rules. At first glance iptables can look complex or confusing, but once you understand its basic structure it is not as difficult as it seems. This tutorial explains the structure and fundamentals of iptables, including its tables, chains and rules.

Iptables is used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is an ordered list of rules that can match a set of packets, and each rule specifies what to do with a packet that matches.

The structure of Iptables firewall: Iptables → Tables → Chains → Rules.


Iptables has four built-in tables that you will use in practice (a fifth, security, exists for SELinux mandatory access control and is not covered here):

1. Filter Table

The filter table is the default table and is used for filtering packets. It contains 3 built-in chains: INPUT (packets addressed to the local host), OUTPUT (packets generated by the local host) and FORWARD (packets routed through the host, i.e. arriving on one interface and leaving on another, which only happens if the host routes traffic at all).

2. NAT (Network Address Translation) Table

This table is consulted only for the first packet of a new connection and is used for NAT (Network Address Translation). It has 3 built-in chains: PREROUTING (rewrites the destination of packets before routing, i.e. DNAT and port forwarding), POSTROUTING (rewrites the source of packets after routing, i.e. SNAT and MASQUERADE) and OUTPUT (NAT for locally generated packets before routing). Current kernels also provide an INPUT chain in this table, but the three above are the ones you will normally use.

3. Mangle Table

The mangle table is used for specialised packet alteration, such as changing the TOS/DSCP or TTL fields of the IP header, or attaching a kernel-internal mark (MARK) that later rules or the routing code can act on. It has all 5 chains: PREROUTING (for altering incoming packets before routing), INPUT (for packets delivered to the box itself), FORWARD (for altering packets being routed through the box), OUTPUT (for altering locally generated packets before routing), POSTROUTING (for altering packets as they are about to go out).

4. RAW Table

The raw table is consulted before connection tracking and is mainly used to mark packets with the NOTRACK target (CT --notrack in newer versions) so that they bypass the connection tracking system, for example very high-volume flows that do not need stateful handling. It has 2 built-in chains: PREROUTING and OUTPUT.

Tables consist of chains, and each chain is a list of rules that are checked in order; the first rule that matches and has a terminating target decides the packet's fate. Across all tables there are 5 built-in chains, each corresponding to a point in the packet's path through the kernel:

PREROUTING – packets that have just arrived on an interface, before the routing decision.

INPUT – packets that the routing decision delivered to the local host itself.

FORWARD – packets that the routing decision sends on to another host (in through one interface, out through another).

OUTPUT – locally generated packets, before the routing decision.

POSTROUTING – packets that are about to leave on an interface, after routing.

As noted at the beginning of this tutorial, iptables consists of tables, chains and rules. Every rule contains match CRITERIA and a TARGET: if the criteria match, the packet jumps to the specified target; otherwise the next rule in the chain is checked. If no rule in a built-in chain matches, the chain's default policy applies.

Targets

Four special built-in targets can be specified in a rule:

ACCEPT – let the packet through.

DROP – discard the packet silently, without telling the sender.

QUEUE – pass the packet to a user-space program (in current iptables this is normally done with the NFQUEUE extension target).

RETURN – stop traversing this chain and resume at the next rule in the previous (calling) chain; in a built-in chain this means the chain's policy applies.

Besides these, a target can be the name of a user-defined chain or an extension target such as REJECT, LOG, DNAT or MASQUERADE, several of which are used later in this tutorial.

Current rules can be listed with iptables -L, which lists all rules in the filter table (the default table; add -t nat, -t mangle or -t raw to see the others). Adding -n avoids slow reverse DNS lookups, -v shows interfaces and packet counters and --line-numbers shows each rule's position, so iptables -nvL --line-numbers is usually the most useful form:

[root@server ~]# iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

As you can see in the example above, the default policy for the INPUT, FORWARD and OUTPUT chains is ACCEPT and there are no rules, so iptables is not blocking any connections to, from or through the server.

The default policy of a chain is changed with -P. The commands below set all three chains to ACCEPT, which is what a fresh system already has:

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT

The usual hardening step is to set the INPUT policy to DROP, so that anything not explicitly accepted is discarded. Do this only after adding the rules that allow your own access (see the SSH example later in this tutorial); a DROP policy on a remote server with an empty INPUT chain locks you out immediately.

The targets you will use most often in filtering rules are:

ACCEPT – accept the packet and stop processing rules in this chain.

DROP – silently discard the packet and stop processing rules in this chain.

REJECT – discard the packet, send the sender an error (by default an ICMP port-unreachable message; --reject-with selects another, e.g. tcp-reset for TCP) and stop processing rules in this chain.

LOG – write the packet headers to the kernel log and continue processing rules in this chain; LOG is non-terminating, so it is normally placed immediately before a DROP or REJECT rule.

You can block or allow specific IP addresses or ranges (which of the two is useful depends on your default INPUT/OUTPUT policy) with rules like this:

iptables -A INPUT -s IP-ADDRESS -j DROP

Referring back to the list above, this tells iptables:

-A INPUT – append the rule to the INPUT chain (incoming traffic). Appended rules go to the end of the chain; use -I INPUT to insert at the top instead.

-s IP-ADDRESS – match packets whose source address is IP-ADDRESS.

-j DROP – the target to jump to when the packet matches.

The same command blocks a range of addresses; specify the range in CIDR notation, IP-ADDRESS/PREFIX-LENGTH. For example, to block all addresses from 192.168.0.0 to 192.168.0.255:

iptables -A INPUT -s 192.168.0.0/24 -j DROP

Let’s check how it looks in Iptables configuration:

root@server:~# iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

DROP all -- 192.168.0.0/24 anywhere

Chain FORWARD (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

If you want to allow specific IP addresses or ranges to access your system, use the ACCEPT target instead:

iptables -A INPUT -s IP-ADDRESS -j ACCEPT

Rules are evaluated in order and the first matching rule with a terminating target wins, so a later ACCEPT does not override an earlier DROP for the same source (nor the other way round). To change what happens to a source you must delete the old rule rather than just appending a new one. A rule is deleted by repeating it with -A (append) replaced by -D (delete), so the following command removes the rule added above:

iptables -D INPUT -s IP-ADDRESS -j ACCEPT

You can also delete a rule by its position, using the number shown by iptables -L --line-numbers.

It is recommended to keep open only the ports you actually need, so this part of the tutorial shows how to allow or drop connections on specific ports.

First, allow connections to the port you use for SSH. Do this before any DROP policy or rule that covers that port; otherwise you will close the SSH port and lose the ability to manage your server remotely. Assuming you use the default port 22 for SSH:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Two new options appear in this rule:

-p – the protocol to match (tcp, udp, icmp or all).

--dport – the destination port (valid only together with -p tcp or -p udp; a range can be given as first:last).

Check current rules with iptables -L (note that -L resolves port numbers to service names from /etc/services, which is why 22 appears as ssh below; use -n to see the raw number):

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Or you can drop all packets sent to this port:

iptables -A INPUT -p tcp --dport 22 -j DROP

Disabling ICMP echo responses (the server will no longer answer ping):

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Dropping ICMP echo requests but letting the sender know the request was rejected:

iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

Note that blocking ping does not hide the server: any open TCP port still reveals it, and dropping all ICMP (rather than only echo-request) breaks path MTU discovery and other useful error messages, so be selective.

Iptables can not only manage connections from specific IP addresses or to specific ports, but also combine the two: connections from a specific IP address to a specific port. If you want to allow SSH connections from one IP address only:

iptables -A INPUT -p tcp --dport 22 -s IP-ADDRESS -j ACCEPT

If the INPUT policy is ACCEPT, this rule alone changes nothing; to restrict SSH to that address, follow it with a rule that drops port 22 from everyone else, or set the INPUT policy to DROP.
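The rules above are usually typed one at a time, which is exactly how people lock themselves out: the DROP policy lands before the SSH allow rule, or a later change removes it. The script below is an added example (not from the original tutorial) that writes the same kind of host ruleset as a single iptables-restore file and loads it atomically, with a backup and a timed rollback for remote work. The addresses (203.0.113.0/24 as the management network, 198.51.100.0/24 as a blocked range) and the SSH port are constructed placeholders; the file /tmp/firewall.rules and the APPLY variable are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original tutorial: build a host firewall as
# one iptables-restore file so the SSH allow rule, the conntrack rule and
# the DROP policy take effect together instead of one command at a time.
# Assumed/constructed values: SSH on 22, management network 203.0.113.0/24,
# blocked range 198.51.100.0/24 (RFC 5737 documentation addresses).
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"
BLOCKED_NET="${BLOCKED_NET:-198.51.100.0/24}"

# Emit the filter table in iptables-save/iptables-restore syntax. Order
# matters: iptables stops at the first terminating match, so loopback,
# conntrack and SSH are accepted before anything falls through to DROP.
build_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Explicit block first, so it wins even for established flows.
-A INPUT -s $BLOCKED_NET -j DROP
# Loopback and packets belonging to connections we already accepted.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the management network (the "address plus port" rule).
-A INPUT -p tcp --dport $SSH_PORT -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
# Answer ping, but rate-limited; everything else hits the DROP policy.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
COMMIT
EOF
}

# Number of INPUT rules in the generated file (sanity check before loading).
count_input_rules() {
    build_filter_rules | grep -c '^-A INPUT'
}

main() {
    out="${1:-/tmp/firewall.rules}"
    bak="$out.bak"
    build_filter_rules > "$out"
    echo "wrote $out ($(count_input_rules) INPUT rules)"
    # Touch the live firewall only as root and when explicitly asked.
    if [ "$APPLY" = "1" ] && [ "$(id -u)" = "0" ]; then
        iptables-save > "$bak"
        # iptables-restore replaces the whole filter table in one step; on a
        # parse error nothing is loaded and the running rules stay as they are.
        if iptables-restore < "$out"; then
            # Safety net for remote hosts: unless the watchdog is killed
            # within 120 s (i.e. you can still log in), the old rules return.
            ( sleep 120 && iptables-restore < "$bak" ) &
            echo "applied; kill $! within 120 s to keep the new rules"
        else
            echo "iptables-restore failed; live rules unchanged" >&2
            return 1
        fi
    else
        echo "dry run: set APPLY=1 and run as root to load $out"
    fi
}

main "$@"
```

Run it once without APPLY to inspect the generated file, then as root with APPLY=1 from an SSH session; if the session survives, kill the printed watchdog PID, otherwise wait two minutes and the previous rules are back. The conntrack rule is what makes a DROP policy workable: reply packets of connections you initiated are accepted without a rule per service.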

Packet forwarding is another useful feature of iptables. It lets the host act as a router, passing packets between network interfaces or redirecting ports. Forwarding works only if the kernel is allowed to route, which is off by default: enable it with the sysctl net.ipv4.ip_forward=1 and make it persistent in /etc/sysctl.conf or /etc/sysctl.d/.

Forwarding between network interfaces:

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

In the example above, packets that arrive on eth0 and are routed out through eth1 are accepted by the FORWARD chain. Where:

-i – input (incoming) network interface.

-o – output (outgoing) network interface.

The interface names are placeholders for your own. Note that IP aliases such as eth0:0 or venet0:0 are not separate interfaces to the kernel; -i and -o match only real interface names (eth0, venet0, ...), so a rule written against an alias name never matches.

Port forwarding (DNAT):

iptables -t nat -A PREROUTING -p tcp -d 192.168.102.12 --dport 222 -j DNAT --to-destination 192.168.102.127:123

In this example, TCP connections arriving for 192.168.102.12 on port 222 have their destination rewritten to 192.168.102.127 port 123, a different host on the internal network, before the routing decision is made. The rewritten packet is then routed like any other, so it still has to be accepted by the FORWARD chain of the filter table (matching the new destination 192.168.102.127 and port 123), ip_forward must be enabled, and the internal host must route its replies back through this box (for example because it is the internal network's default gateway) so that connection tracking can undo the translation on the way back.
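The DNAT one-liner above is only one third of a working port forward. The following is an added example, not from the original tutorial, that puts the three pieces together as one iptables-restore file: the nat rule that rewrites the destination, the filter FORWARD rules that let the rewritten packet through, and the ip_forward sysctl. The interface names eth0/eth1 and the public address 192.0.2.10 are constructed placeholders; the internal host 192.168.102.127 and the 222 to 123 port mapping are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the original tutorial: a complete TCP port forward
# (public:222 -> 192.168.102.127:123) as one iptables-restore file.
# Constructed placeholders: WAN interface eth0 with public address 192.0.2.10,
# LAN interface eth1; the internal host and ports follow the tutorial.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
PUBLIC_IP="${PUBLIC_IP:-192.0.2.10}"
INTERNAL_HOST="${INTERNAL_HOST:-192.168.102.127}"
EXT_PORT="${EXT_PORT:-222}"
INT_PORT="${INT_PORT:-123}"

build_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# 1. Rewrite the destination before routing. Only the first packet of a
#    connection passes through nat; conntrack handles the rest, including
#    translating the replies back.
-A PREROUTING -i $WAN_IF -p tcp -d $PUBLIC_IP --dport $EXT_PORT -j DNAT --to-destination $INTERNAL_HOST:$INT_PORT
# Usual gateway role: hide LAN hosts behind the public address on the way out.
# Not needed for the forward itself, as long as $INTERNAL_HOST routes its
# replies back through this box (e.g. because it is the LAN default gateway).
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 2. FORWARD sees the packet after DNAT, so match the rewritten destination.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $INTERNAL_HOST --dport $INT_PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# The DNAT line alone, for inspection: what is mapped to what?
dnat_rule() {
    build_nat_rules | grep '^-A PREROUTING'
}

main() {
    if [ "$APPLY" = "1" ] && [ "$(id -u)" = "0" ]; then
        # 3. Let the kernel route at all (off by default). Persist the
        #    setting in /etc/sysctl.d/ so it survives a reboot.
        sysctl -w net.ipv4.ip_forward=1
        build_nat_rules | iptables-restore
    else
        build_nat_rules
        echo "# dry run: set APPLY=1 and run as root to load these tables" >&2
    fi
}

main "$@"
```

iptables-restore replaces every table listed in the file, so on a host that already has a filter ruleset (such as the one built earlier) merge the FORWARD lines into that ruleset instead of loading this file as-is. Testing from inside the LAN against the public address (hairpin NAT) needs an extra SNAT rule and is deliberately left out here.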

Another useful feature of iptables is logging. You can drop packets and still record the attempts in your system log:

iptables -A INPUT -p icmp --icmp-type echo-request -j LOG --log-prefix "IPTABLES package logged:" --log-level 7

LOG does not terminate the chain, so the packet continues to the next rule, where you would normally DROP or REJECT it. Because it logs every matching packet, combine it with the limit match (for example -m limit --limit 5/min) on a busy host, otherwise a flood of packets becomes a flood of log lines. --log-level 7 is the debug priority; where the kernel messages end up depends on your syslog configuration: /var/log/messages on RHEL/CentOS, /var/log/kern.log or /var/log/syslog on Debian/Ubuntu, or the journal (journalctl -k) on systemd hosts. Every ICMP echo request will be logged there, and you can find the entries by their prefix:

grep IPTABLES /var/log/messages
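Log lines are only useful if someone reads them. Here is an added example, not from the original tutorial, of a small shell/awk summariser for LOG output: it pulls SRC, PROTO and DPT out of each kernel log line that carries the prefix, counts hits per source and lists the sources above a threshold, which is the raw material for a blocklist or an alert. The five log lines embedded in SAMPLE_LOG are constructed to look like LOG output for this tutorial's prefix; the hostname, timestamps, MAC and addresses are made up.

```shell
#!/bin/sh
# Added example, not from the original tutorial: summarise iptables LOG
# lines from the kernel log. Constructed sample input; the field layout
# (IN= OUT= SRC= DST= ... PROTO= SPT= DPT=) is the LOG target's format.
FW_LOG_PREFIX="${FW_LOG_PREFIX:-IPTABLES}"

# Five made-up lines: three SSH probes and one RDP probe from one source,
# one ping from another. Real lines come from /var/log/messages, kern.log
# or journalctl -k.
SAMPLE_LOG='Mar 12 10:15:01 server kernel: IPTABLES package logged:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1001 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 12 10:15:02 server kernel: IPTABLES package logged:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1002 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 12 10:15:03 server kernel: IPTABLES package logged:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1003 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 12 10:15:04 server kernel: IPTABLES package logged:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1004 DF PROTO=TCP SPT=51237 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 12 10:15:05 server kernel: IPTABLES package logged:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=2001 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1'

# stdin: raw log lines. stdout: one "SRC PROTO DPT" triple per matching
# line (DPT is "-" for protocols without ports, e.g. ICMP).
parse_fw_log() {
    awk -v p="$FW_LOG_PREFIX" '
        index($0, p) {
            src = "?"; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            print src, proto, dpt
        }'
}

# stdin: raw log lines. stdout: "COUNT SRC", busiest source first.
hits_per_source() {
    parse_fw_log | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# stdin: raw log lines. stdout: sources with at least $1 logged packets.
noisy_sources() {
    hits_per_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | hits_per_source
echo "sources with >= 3 hits:"
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```

On a real host, feed it the log file instead of the sample (for example grep IPTABLES /var/log/messages | noisy_sources 20). Keying on SRC alone, rather than SRC plus port, is deliberate: a scanner walking through ports shows up as one noisy source, not as many single hits.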

All the rules you add live only in the running kernel and are lost on reboot unless they are saved.

RHEL/CentOS (on CentOS/RHEL 7 and later, where firewalld is the default, this requires the iptables-services package):

service iptables save

All other distributions:

iptables-save > /root/my.firewall.rules

The saved file is plain text that you can also edit by hand and load in one step. Rules can be restored as follows:

RHEL/CentOS:

service iptables restart

All other distributions:

iptables-restore < /root/my.firewall.rules

On those distributions nothing reloads the file at boot by itself: Debian/Ubuntu provide the iptables-persistent (netfilter-persistent) package for that, or you can run iptables-restore from a network pre-up script or a systemd unit.

Iptables rules can be flushed and reset using these two commands (they act on the filter table unless -t names another one):

iptables -F

iptables -X

-F deletes all rules in all chains of the table; -X deletes user-defined chains, which only works once they are empty and no longer referenced. Neither command changes the chain policies: if the INPUT policy is DROP, flushing removes the rules that let you in and locks you out, so set the policies back to ACCEPT (iptables -P INPUT ACCEPT, and so on) before flushing on a remote server. Use -Z to reset the packet counters.

Flush rules for the NAT table only:

iptables -t nat -F

iptables -t nat -X

Flush rules for the MANGLE table only:

iptables -t mangle -F

iptables -t mangle -X

Flush rules for the RAW table only:

iptables -t raw -F

iptables -t raw -X

After reading this tutorial you should have a basic understanding of the iptables firewall: how it is organised into tables, chains and rules, and how to write basic rules for your system. For more complex rulesets, read the iptables(8) and iptables-extensions(8) manual pages.
