Iptables in Linux Firewall
Managing network traffic is one of the toughest jobs a system administrator has to deal with. The firewall must be configured so that it meets the system's and users' requirements for both incoming and outgoing connections, without leaving the system vulnerable to attacks.
This is where iptables comes in handy: it is the Linux command-line firewall tool that lets system administrators manage incoming and outgoing traffic through a set of configurable table rules.
What is iptables
Iptables is a command-line tool used to set up and configure the firewall through a set of tables that filter packets.
These tables contain multiple chains, which are nothing but sets of rules, either built-in or user-defined, according to which traffic is allowed on the machine. It is one way to set up a firewall: iptables monitors the traffic and filters it according to the specified rules.
There are currently five independent tables:
Filter => the default table, used for filtering packets.
Nat => consulted when a packet creates a new connection (network address translation).
Mangle => can be used for specialized packet alteration, such as altering the IP headers of a packet.
Raw => mainly used for configuring exemptions from connection tracking.
Security => used for Mandatory Access Control (MAC) networking rules.
What are Chains
A chain is a point in the route of a packet where we can apply rules.
Not all chains are available in all tables.
There are 5 built-in chains:
- PREROUTING: applied to any incoming packet very soon after it enters the network stack; processed before any routing decision is made.
- INPUT: applied when a packet enters the system, i.e. is destined for a local process; processed after PREROUTING.
- FORWARD: applied to a packet that is forwarded through our system to another host.
- OUTPUT: applied to a packet that originates from the system, i.e. a packet going out.
- POSTROUTING: applied to a packet that is outgoing or forwarded; processed after the routing decision is made and just before the packet is transmitted.
What are Rules
Rules are user-defined instructions that manipulate the network traffic passing through a chain.
If a rule does not match, the next rule in the chain is examined.
If a rule matches, what happens next is specified by the rule's target value.
Rules created with iptables are not persistent: they are lost when the system reboots.
The order in which tables and their respective chains are traversed for validating rules is fixed; some important chain sequences are:
Incoming packets destined for the local system -> PREROUTING -> INPUT
Incoming packets destined for another host -> PREROUTING -> FORWARD -> POSTROUTING
Locally generated packets -> OUTPUT -> POSTROUTING
Examples to understand more
Let's say we want to block a particular IP address; the following command can be used:
# iptables -A OUTPUT -s ipaddress -j DROP
Here '-s ipaddress' is the matching component (match packets whose source address is ipaddress) and '-j DROP' is the target component (discard the matched packets).
The matching component can contain different conditions to define a rule; packets can be matched by:
- protocol type
- destination or source address
- destination or source port
- input or output interface
- header fields, etc.
Matches can also be combined to create complex rule sets.
Target component
The target is the action triggered when a packet meets the matching criteria. Targets are of 2 types:
- terminating targets, which end further traversal of the chain (DROP, for example)
- non-terminating targets, which perform an action and then continue with the next rule in the chain (LOG, for example)
Important: not all targets are available for every table and chain.
Commands with example
- Check the status of iptables (-L lists the rules, -n prints addresses and ports numerically, -v is verbose)
$ iptables -L -n -v
- Append a new rule to a chain (here: drop packets from a specific source address)
$ iptables -t table -A chain -s ipaddress -j DROP
- Delete a rule from a chain by its rule number (e.g. rule number 5)
$ iptables -t table -D chain rule_number
- Flush (delete) all rules in every chain of a table (the filter table when -t is not given)
$ iptables -F
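Putting the match and target components and the commands above together, here is an added example (not from the original page) of a small baseline firewall script for the filter table. It assumes iptables is installed and the script runs as root; the management network 192.0.2.0/24, the SSH_PORT variable and the user-defined chain name SSH_IN are constructed for the example, and setting IPT to another command, for instance IPT="echo iptables", prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not part of the original page: a baseline host firewall
# for the filter table built from the match and target components above.
# Assumes iptables is installed and the script runs as root. Set IPT to
# another command (e.g. IPT="echo iptables") to print instead of apply.
set -eu

# Hypothetical values, constructed for the example.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # management network allowed to reach SSH
SSH_PORT="${SSH_PORT:-22}"

ipt() { ${IPT:-iptables} "$@"; }

build_baseline() {
    # Start from an empty filter table: flush rules, delete user chains, zero counters.
    ipt -t filter -F
    ipt -t filter -X
    ipt -t filter -Z

    # Default policies: what happens when no rule in the chain matched.
    ipt -t filter -P INPUT DROP
    ipt -t filter -P FORWARD DROP
    ipt -t filter -P OUTPUT ACCEPT

    # Interface match: loopback traffic is always local.
    ipt -t filter -A INPUT -i lo -j ACCEPT
    # Connection-tracking match: replies to connections this host opened.
    ipt -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Protocol match: allow ICMP (ping, path MTU discovery).
    ipt -t filter -A INPUT -p icmp -j ACCEPT

    # User-defined chain for new SSH connections; the jump is itself a target.
    ipt -t filter -N SSH_IN
    ipt -t filter -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH_IN
    # Source-address match; ACCEPT is a terminating target.
    ipt -t filter -A SSH_IN -s "$ADMIN_NET" -j ACCEPT
    # LOG is non-terminating: the packet is logged and then hits the next rule.
    ipt -t filter -A SSH_IN -m limit --limit 5/min -j LOG --log-prefix "ssh-denied: "
    # Terminating target: nothing after this line in SSH_IN is evaluated.
    ipt -t filter -A SSH_IN -j DROP
}

# List rules with numbers so a specific one can be deleted by position.
list_rules() { ipt -t filter -L -n -v --line-numbers; }

# Delete rule number $2 from chain $1 (rule numbers shift after each delete).
delete_rule() { ipt -t filter -D "$1" "$2"; }

# Usage: IPT="echo iptables" sh firewall.sh apply   (dry run)
#        sh firewall.sh apply                        (as root, applies the rules)
case "${1:-}" in
    apply) build_baseline ;;
    list)  list_rules ;;
esac
```

Rule order matters because the first match wins: the conntrack ACCEPT sits before the SSH jump so that packets of existing sessions never reach SSH_IN, and inside SSH_IN the non-terminating LOG precedes the terminating DROP, otherwise nothing would ever be logged.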
Making rules persistent
- iptables-persistent is a package that takes over automatic loading of the saved iptables rules at boot. For this to happen, the rules must be saved in the file /etc/iptables/rules.v4 (for IPv4).
- It can be installed with the following command if it is not already available:
$ apt-get install iptables-persistent
iptables-save and iptables-restore
Save the current state of iptables:
$ sudo sh -c 'iptables-save > /etc/iptables.conf'
Restore it from the file again:
$ sudo iptables-restore < /etc/iptables.conf
Note: the restore command above can be added to /etc/rc.local to load the rules from iptables.conf automatically at boot.
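Whichever method is used, the saved file is in iptables-save format and is worth checking before it is restored at boot. The following added example (not from the original page) parses such a file with awk and reports filter-table chains whose default policy is ACCEPT, INPUT rules that accept a whole protocol with no other match, and tables that lack their COMMIT line, which iptables-restore rejects. The two sample dumps are constructed for the example, and the check_rules_file helper assumes iptables-restore supports the --test option.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity-check a saved
# rule set (iptables-save format) before it is restored at boot.
set -eu

# Constructed sample: a weak rule set (ACCEPT-by-default INPUT, a rule
# that accepts all TCP, and a nat table cut off before its COMMIT line).
sample_weak() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
}

# Constructed sample: a deny-by-default rule set that should pass the audit.
sample_good() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save dump on stdin, print one finding per line,
# exit 0 when clean and 1 when anything was flagged.
audit_rules() {
    awk '
        /^\*/      { table = substr($0, 2); committed[table] = 0; next }
        /^COMMIT$/ { committed[table] = 1; next }
        # ":CHAIN POLICY [packets:bytes]" declares a chain and its default policy
        table == "filter" && /^:(INPUT|FORWARD) ACCEPT / {
            print "default policy of " substr($1, 2) " is ACCEPT"; bad++
        }
        # an INPUT rule whose only match is the protocol accepts that whole protocol
        table == "filter" && (/^-A INPUT -j ACCEPT$/ || /^-A INPUT -p [a-z]+ -j ACCEPT$/) {
            print "overly broad rule: " $0; bad++
        }
        END {
            for (t in committed)
                if (!committed[t]) { print "table " t " has no COMMIT line"; bad++ }
            exit (bad > 0)
        }'
}

# Helpers for the real tools (run these as root on a live system only):
# write the current rules to a file, and let iptables-restore parse a file
# without applying it (assumes the --test option of iptables-restore).
save_rules()       { iptables-save > "$1"; }
check_rules_file() { audit_rules < "$1" && iptables-restore --test < "$1"; }

# Usage: sh audit.sh demo            (runs the audit on the two samples)
#        sh audit.sh check FILE      (audits FILE, then asks iptables-restore to parse it)
case "${1:-}" in
    demo)
        echo "== weak sample =="; sample_weak | audit_rules || true
        echo "== good sample =="; sample_good | audit_rules && echo "clean"
        ;;
    check) check_rules_file "${2:?usage: check FILE}" ;;
esac
```

The policy check only looks at the filter table, because in the nat, mangle and raw tables ACCEPT is the normal default; a rule file that ends before its COMMIT is flagged because iptables-restore would refuse the whole file and the host would boot with no rules at all.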