Managing network traffic is one of the toughest jobs a system administrator has to deal with. The firewall must be configured so that it meets the system's and the users' requirements for both incoming and outgoing connections, without leaving the system vulnerable to attack.
This is where iptables comes in handy: it is the Linux command line firewall that lets system administrators manage incoming and outgoing traffic through a set of configurable table rules.
iptables is a command line tool used to set up and configure the firewall through a set of tables that filter packets.
These tables contain multiple chains, which are simply sets of rules, either built-in or user defined, according to which traffic is allowed on the machine. It is one way to set up a firewall: iptables monitors the traffic and filters it according to the specified rules.
There are currently five independent tables:
- Filter => default table, used for filtering packets.
- Nat => consulted when a packet creates a new connection.
- Mangle => can be used for specialized packet alteration, such as altering the IP headers of the packet.
- Raw => mainly used for configuring exemptions from connection tracking.
- Security => used for Mandatory Access Control (MAC) networking rules.
Chains:
- a point in the route of the packet where we can apply rules
- not all chains are available for all tables
- there are 5 types:
- Pre-routing
  - applied to any incoming packet very soon after it enters the network stack
  - processed before any routing decision is made
- Input
  - applied when a packet enters the system (i.e. is destined for the local system)
  - processed after pre-routing
- Forward
  - applied to a packet that is forwarded through our system
- Output
  - applied to a packet that originates from the system, i.e. a packet going out
- Post-routing
  - applied to a packet that is outgoing or forwarded
  - processed after the routing decision is made and just before the packet is transmitted
Rules:
- they are user defined commands to manipulate the network traffic
- if a rule does not match, the next rule in the chain is examined
- if a rule matches, what happens next is specified by the rule's target value
- rules created this way are not persistent across reboots
Table showing the order in which tables and their respective chains are traversed for validating rules:
Tables/Chains | Pre-routing | Input | Forward | Output | Post-routing
---|---|---|---|---|---
Raw | Y | | | Y |
Mangle | Y | Y | Y | Y | Y
Nat (DNAT) | Y | | | Y |
Filter | | Y | Y | Y |
Security | | Y | Y | Y |
Nat (SNAT) | | Y | | | Y
Some important chain sequences:
- Incoming packets destined for the local system -> Pre-routing -> Input
- Incoming packets destined for another host -> Pre-routing -> Forward -> Post-routing
- Locally generated packets -> Output -> Post-routing
Let's say we want to block a particular IP address; then the following command can be used:
# iptables -A OUTPUT -s ipaddress -j DROP
Here '-s ipaddress' is the matching component and '-j DROP' is the target component.
Matches:
- different conditions are available to define rules:
  - match by protocol type
  - destination or source address
  - destination or source port
  - input or output interface
  - headers, etc.
- they can also be combined to create a complex rule set.
Targets:
- a target is basically the action triggered when a packet meets the matching criteria; there are 2 types:
  - terminating targets, which end further traversal of the chain
  - non-terminating targets, which perform an action and let traversal of the chain continue
- Check the status of iptables (-L lists rules, -n uses numeric format, -v is verbose)
  $ iptables -L -n -v
- Append a new rule to a chain (e.g. block a specific website by its address)
  $ iptables -t table -A chain -s ipaddress -j DROP
- Delete rule number 5 from a chain (a particular rule is deleted by its rule number)
  $ iptables -t table -D chain rule_number
- Flush (delete) all iptables rules
  $ iptables -F
- iptables-persistent
  - It's a package that takes over the automatic loading of the saved iptables rules. For this to happen, the rules must be saved in the file /etc/iptables/rules.v4 (for IPv4).
  - It can be installed with the following command if not available:
    $ apt-get install iptables-persistent
- iptables-save and iptables-restore
  - save the current state of iptables:
    $ sudo sh -c 'iptables-save > /etc/iptables.conf'
  - restore from the file again:
    $ sudo iptables-restore < /etc/iptables.conf
  - Note: the above restore command can be added to /etc/rc.local to enable automatic loading of the rules from iptables.conf at boot.
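As an added example (not from the original notes), the following POSIX shell script generates a ruleset in the iptables-save format that iptables-restore and iptables-persistent's rules.v4 consume, tying together the built-in and user-defined chains, default policies, the drop-by-source-address rule and the terminating vs. non-terminating target distinction from the sections above. The function names, the BLOCKLIST chain and the sample addresses are assumptions constructed for the example; the script only writes the file and never applies it.

```shell
#!/bin/sh
# Added example (not from the original notes). Generates a minimal stateful
# default-deny ruleset for the filter table in the format produced by
# iptables-save, which iptables-restore and /etc/iptables/rules.v4 consume.
# Usage: gen_rules <ssh_port> [blocked_source_address ...]
gen_rules() {
    ssh_port="$1"; shift
    printf '%s\n' '*filter'
    # Built-in chains and their default policies: inbound and forwarded packets
    # are dropped unless a rule accepts them; locally generated packets go out.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # User-defined chain (hypothetical name) holding the source block list.
    printf '%s\n' ':BLOCKLIST - [0:0]'
    for addr in "$@"; do
        printf '%s\n' "-A BLOCKLIST -s $addr -j DROP"   # DROP: terminating target
    done
    printf '%s\n' '-A BLOCKLIST -j RETURN'   # RETURN: non-terminating, resumes in INPUT
    # Rules are examined in order, so INPUT consults the block list first.
    printf '%s\n' '-A INPUT -j BLOCKLIST'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Write the ruleset to a file and sanity-check its framing; prints the number
# of rules written. Applying it is `iptables-restore < file` as root, which
# this script deliberately does not run.
write_rules() {
    out="$1"; shift
    gen_rules "$@" > "$out" || return 1
    [ "$(head -n 1 "$out")" = '*filter' ] || return 1
    [ "$(tail -n 1 "$out")" = 'COMMIT' ] || return 1
    grep -c '^-A ' "$out"
}

# Constructed sample input: allow SSH on port 22 and block two addresses from
# the documentation ranges (TEST-NET-1 / TEST-NET-2).
write_rules "${TMPDIR:-/tmp}/rules.v4.example" 22 192.0.2.10 198.51.100.7
```

The generated file can be inspected before loading it with iptables-restore, and saved as /etc/iptables/rules.v4 if iptables-persistent is installed.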