iptables tutorial

iptables is the userspace tool used on Linux distributions to configure the kernel's netfilter packet filtering framework.

An iptables firewall is organised into tables, and every table contains chains. Each table comes with a set of built-in chains; the user can also define new chains and jump to them from the built-in ones. This tutorial covers the three tables that are used most (filter, nat and mangle); newer kernels also provide the raw and security tables, which are not discussed here.

1. iptables tables
--------------------

The three tables covered here:
a. filter table
b. nat table
c. mangle table

a. filter table:

This table is responsible for packet filtering. It has three built-in chains in which you place your filtering rules:

* FORWARD chain: filters packets routed through the firewall, i.e. packets that arrive on one interface and leave on another (for example traffic to servers behind the firewall).
* INPUT chain: filters packets destined for the firewall host itself.
* OUTPUT chain: filters packets originating from the firewall host.

In short, the filter table does nothing but filtering: it decides about packets that come in to the machine (INPUT), packets that leave it (OUTPUT) and packets that are forwarded between network interfaces (FORWARD). The last case only matters when the machine has two or more network interfaces and acts as a router.

b. nat table:

The nat table is responsible for network address translation. It has three built-in chains:

* PREROUTING chain:
Translation happens before the routing decision. This is where the destination address of a packet is changed (DNAT), for example to forward a public port to an internal server; the rewritten destination is what the routing table, and later the FORWARD chain of the filter table, will see.
* OUTPUT chain:
Translation of packets generated by the firewall itself (destination NAT for locally originated traffic).
* POSTROUTING chain:
Translation happens after the routing decision, once the outgoing interface is known. This is where the source address of a packet is changed (SNAT, or MASQUERADE when the outgoing address is dynamic), typically so that an internal network can share one public address.

So this table changes source or destination addresses (and ports); it does not filter. Only the first packet of a connection is run through the nat table: the chosen translation is stored in the connection tracking entry and applied to all further packets of that connection, in both directions, which is why nat rules show very low packet counters.
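To make the two translation points concrete, here is an added example (not from the original tutorial) of a small NAT gateway: a port-forward in PREROUTING and masquerading in POSTROUTING, written in iptables-save format and loaded with iptables-restore. The interface names (eth0 public, eth1 internal), the internal network 10.0.0.0/24, the web server 10.0.0.10 and the public port 8080 are assumptions for the example, as is the IPTABLES_RESTORE variable, which is only a hook for previewing the output. The ruleset also contains the FORWARD rules (filter table) that the forwarded traffic needs; they match the destination after DNAT (10.0.0.10 port 80, not port 8080) because FORWARD is traversed after PREROUTING. Forwarding additionally requires net.ipv4.ip_forward=1. INPUT is left at ACCEPT here, as in the tutorial's defaults, and should be combined with a host policy such as the one in section 4.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): NAT gateway ruleset in
# iptables-save format. Interface names, addresses and ports are assumptions.
# Preview:  IPTABLES_RESTORE=cat sh nat-gateway.sh apply
# Apply:    sh nat-gateway.sh apply     (as root; replaces the nat and filter tables)

WAN_IF="${WAN_IF:-eth0}"            # public-facing interface
LAN_IF="${LAN_IF:-eth1}"            # internal interface
LAN_NET="${LAN_NET:-10.0.0.0/24}"   # internal network to masquerade
WEB_SRV="${WEB_SRV:-10.0.0.10}"     # internal server behind the port-forward
PUB_PORT="${PUB_PORT:-8080}"        # port exposed on the WAN side

# Emit the complete ruleset. Each "*table ... COMMIT" block replaces that
# table atomically when fed to iptables-restore (without -n/--noflush).
# Lines starting with '#' are ignored by iptables-restore.
nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# PREROUTING: rewrite the destination before the routing decision, so the
# packet is routed to the internal server instead of to the gateway itself.
-A PREROUTING -i $WAN_IF -p tcp --dport $PUB_PORT -j DNAT --to-destination $WEB_SRV:80
# POSTROUTING: rewrite the source after routing, once the outgoing interface
# is known; MASQUERADE uses whatever address $WAN_IF currently has.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# FORWARD runs after PREROUTING, so it sees the translated destination:
# match port 80 on $WEB_SRV, not the public port $PUB_PORT.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SRV -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Feed the ruleset to iptables-restore; IPTABLES_RESTORE=cat previews it instead.
nat_apply() {
    nat_ruleset | "${IPTABLES_RESTORE:-iptables-restore}"
}

# 1-based line number of the first ruleset line matching a BRE pattern, or 0.
nat_rule_line() {
    nat_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1 | grep . || echo 0
}

if [ "${1:-}" = "apply" ]; then
    nat_apply
fi
```

Preview with `IPTABLES_RESTORE=cat sh nat-gateway.sh apply` and compare against `iptables-save` output after loading; if anything in the file fails to parse, iptables-restore aborts without committing, so the running tables are left as they were.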

c. mangle table:
This table is used to modify packet headers without filtering or translating them: for example changing the TOS/DSCP quality-of-service bits or the TTL, or setting a firewall mark (MARK) that later rules or policy routing can act on. It has all five built-in chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING).

2. Syntax of an iptables rule:
————————————
iptables [-t name_of_table] command name_of_chain [layer3 matches] [layer4 matches] -j jump_target

Notes:
– if no table is specified (with "-t nat" for the nat table or "-t mangle" for the mangle table, for example), the default table is used: the filter table;
– the command says what to do with the rule: -A (append), -I (insert), -D (delete), -L (list), -F (flush), -P (set policy);
– layer 3 matches are -s (source address), -d (destination address), -i / -o (input / output interface) and -p (protocol); layer 4 matches such as --sport / --dport only apply after -p tcp or -p udp and are not mandatory;

iptables Examples:
iptables -A INPUT -s 192.168.0.1 -j DROP
# drops all packets coming from IP 192.168.0.1 (rule appended to the INPUT chain of the filter table)

3. Chain management
—————————–

List tables and chains:

iptables -L            # lists all rules from all chains of the filter table
iptables -L -v         # same, in verbose mode: also shows the packets and bytes
                       # that matched each rule, and the interfaces a rule is bound to
iptables -L -v --line-numbers   # as above, plus the rule numbers used by -I and -D
iptables -L INPUT      # lists all rules of the INPUT chain of the filter table
iptables -L -t nat     # lists all rules from all chains of the nat table
iptables -t nat -L PREROUTING   # lists all rules of the PREROUTING chain of the nat table
iptables -L -t mangle  # lists all rules from all chains of the mangle table

Add -n to any of these to print addresses and ports numerically; without it iptables does a reverse DNS lookup for every address, which is slow and stalls until the lookups time out when DNS itself is blocked by the firewall.

Adding rules to chains:

To add a rule to a chain use:
iptables -A INPUT -s 192.168.0.1 -j ACCEPT
                 # allows traffic from source IP 192.168.0.1
iptables -A INPUT -p tcp --dport 22 -j DROP
                 # drops all TCP traffic to destination port 22 (our SSH port)

iptables -A appends the rule at the end of the rule list of the specified chain. To insert a rule at a specific position in the chain, use -I instead (with no position given, -I inserts at position 1, the top of the chain).

iptables -I INPUT 1 -s 192.168.0.1 -j ACCEPT
                 # inserts the rule at position 1 of the INPUT chain; the previous rule 1 becomes rule 2
iptables -I INPUT 10 -p tcp --dport 22 -j DROP
                 # inserts the rule at position 10 of the INPUT chain; this is rejected if the chain
                 # currently has fewer than 9 rules, since the position can be at most one past the end

Rules are evaluated in order, from the first to the last rule of the chain. The first rule that matches and has a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate and no later rule is consulted. LOG is not terminating: a logged packet continues to the next rule, so a LOG rule is normally placed directly before the rule, or the chain policy, that drops the packet. If no rule in a built-in chain matches, the chain's default policy is applied.

Note 1: to block traffic coming to your machine, add the rule to the INPUT chain. To block traffic from your machine to a destination IP, add the rule to the OUTPUT chain. Traffic that only passes through the machine (routed between interfaces) is handled in the FORWARD chain and is seen by neither INPUT nor OUTPUT. You also need basic networking knowledge and an understanding of how a firewall works.

Note 2: each built-in chain has a default policy, which is applied to packets that match no rule in the chain. The policy can be ACCEPT or DROP; by default all built-in chains have the ACCEPT policy. User-defined chains have no policy: when a packet reaches the end of one without matching, evaluation returns to the chain that jumped to it.

Note 3: the -j (jump) parameter names the target. The built-in terminating targets are ACCEPT, DROP and REJECT (REJECT additionally sends an error back to the sender: an ICMP port unreachable by default, or a TCP RST with --reject-with tcp-reset); LOG is non-terminating; RETURN ends the current chain; the target can also be the name of a user-defined chain. DENY is not a valid iptables target (it belonged to the older ipchains tool). The nat table has its own targets: DNAT, SNAT, MASQUERADE and REDIRECT.

Delete all rules from all chains:
iptables -F              # deletes all rules from all chains of the filter table
iptables -F -t nat       # deletes all rules from all chains of the nat table
iptables -F -t mangle    # deletes all rules from all chains of the mangle table

-F removes rules only: chain policies stay as they are, user-defined chains are left in place (remove them with -X once they are empty) and the counters are not zeroed (-Z). Because the policy survives, flushing the filter table while the INPUT policy is DROP drops every packet, including your own SSH session; set the policy back to ACCEPT before flushing on a remote host.

Deleting a rule from a chain:
To delete a rule from a chain you have two possibilities: delete it by rule number, or delete it by repeating the specification that was used when the rule was added:

iptables -D INPUT 10           # deletes rule 10 from the INPUT chain
iptables -t nat -D PREROUTING 10
          # deletes rule 10 from the PREROUTING chain of the nat table
iptables -D INPUT -s 192.168.0.1 -j ACCEPT
          # deletes the rule that was added with
          #   iptables -A INPUT -s 192.168.0.1 -j ACCEPT

Note: in the last example, the first rule that matches that specification is deleted. If there are several identical rules, only the first one is removed; to delete all of them, repeat the command until it reports an error because no matching rule is left. When deleting by number, check the numbers with iptables -L --line-numbers first and re-check after every deletion, because the remaining rules are renumbered.
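Instead of re-running the -D command by hand until it fails, the function below (an added example, not from the original tutorial) uses iptables -C, which exits with success while a rule matching the given specification exists in the chain, and deletes until no match is left. It deletes by specification rather than by rule number on purpose: rule numbers shift after every deletion, so deleting "rule 10" in a loop would remove the wrong rules. -C has existed since iptables 1.4.11. The IPT variable is only a hook so the function can be exercised against a stand-in command; it is not an iptables feature.

```shell
#!/bin/sh
# Added example (not from the original tutorial): remove every rule in a
# chain that matches one rule specification.
# Usage: fw_delete_all_matching [-t TABLE] CHAIN rule-spec...
#        fw_delete_all_matching INPUT -s 192.168.0.1 -j ACCEPT
#        fw_delete_all_matching -t nat PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.10:80
# Prints how many rules were removed; returns non-zero if a deletion fails.

IPT="${IPT:-iptables}"   # command to run; only a hook for testing, not an iptables option

fw_delete_all_matching() {
    # An optional leading "-t TABLE" selects a table other than filter.
    table=filter
    if [ "${1:-}" = "-t" ]; then
        table="$2"
        shift 2
    fi
    [ $# -ge 2 ] || { echo "usage: fw_delete_all_matching [-t TABLE] CHAIN rule-spec..." >&2; return 2; }

    removed=0
    # -C (check) exits 0 while a rule with exactly this specification exists.
    # Delete by specification, not by number: numbers are reassigned after each -D.
    while "$IPT" -t "$table" -C "$@" 2>/dev/null; do
        "$IPT" -t "$table" -D "$@" || return 1
        removed=$((removed + 1))
    done
    echo "$removed"
}
```

Run it as root with the same chain and rule specification you would give to -D; it prints the number of copies it removed (0 when the rule was not present), which makes it safe to use in scripts that must be re-runnable.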

The long form of -F is --flush; the two are equivalent:

iptables --flush

Saving / Restoring iptables rules:

iptables-save >rules.txt
iptables-restore <rules.txt

(If iptables is not in your path, use absolute paths: /sbin/iptables-save and /sbin/iptables-restore.)
iptables-save writes the rules of all tables to standard output (usually the screen), which is why the output is redirected to a file. iptables-restore reads that format back; by default it flushes each table found in the file and loads the new rules in one atomic step, so the whole table is replaced at once, and a syntax error in the file makes it abort without touching the running rules. Use iptables-restore -n (--noflush) to add to the existing rules instead of replacing them. Rules entered with iptables live only in the kernel and are gone after a reboot; saving them to a file and restoring that file at boot (most distributions ship an iptables service that does exactly this) is how they are made persistent.

4. Chain policy
--------------------
As said previously, each built-in chain has a default policy that can be ACCEPT or DROP, and by default all chains have the ACCEPT policy. To change the policy of a chain use:

iptables -P INPUT DROP

Do this only after the rules that allow your own access (SSH from your management address, plus established connections) are in place: on a remote host, setting the INPUT policy to DROP on an empty chain cuts off the very session you are working from.
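Putting sections 3 and 4 together, here is an added example (not part of the original tutorial) of a complete default-deny INPUT policy for a remotely administered host, written in iptables-save format so that iptables-restore loads it in one atomic step. That sidesteps the lockout problem: with separate iptables commands there is a window between -F and the rule that re-admits SSH, and a typo halfway through leaves a half-built ruleset, whereas iptables-restore either commits the whole table or changes nothing. The SSH port 22, the management network 192.168.0.0/24 and the IPTABLES_RESTORE preview hook are assumptions for the example. The order of the rules is the point: loopback and already-tracked connections first, then the explicit allows, then a rate-limited LOG as the last rule so that the DROP policy catches what was logged.

```shell
#!/bin/sh
# Added example (not from the original tutorial): default-deny INPUT policy
# loaded atomically with iptables-restore. SSH port and admin network are
# assumptions for the example.
# Preview:  IPTABLES_RESTORE=cat sh default-deny.sh apply
# Apply:    sh default-deny.sh apply      (as root; replaces the whole filter table)

SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"

# The filter table in iptables-save format. Rules are evaluated top to bottom
# and the first terminating match wins, so the order is part of the policy.
# Lines starting with '#' are ignored by iptables-restore.
fw_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections we already track: the most frequent
# matches go first, so most packets never reach the rules below
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# explicit allows: new SSH connections only from the management network, and ping
-A INPUT -s $ADMIN_NET -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# LOG is not terminating: the packet continues past it to the end of the chain,
# where the DROP policy applies. Rate-limited so a flood cannot fill the log.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Number of -A rule lines in the ruleset (the LOG rule included).
fw_rule_count() {
    fw_ruleset | grep -c '^-A '
}

# Load the ruleset. IPTABLES_RESTORE=cat prints it instead of loading it;
# "iptables-restore --test" parses the file without committing it.
fw_apply() {
    fw_ruleset | "${IPTABLES_RESTORE:-iptables-restore}"
}

if [ "${1:-}" = "apply" ]; then
    fw_apply
fi
```

Before relying on it from a remote session, load it from a second shell while keeping the first one open, or schedule a reset (for example `sleep 300 && iptables -P INPUT ACCEPT && iptables -F INPUT` in the background) that you cancel once you have confirmed you can still log in.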


Iptables kernel panic

A quick and dirty workaround for the known kernel panic that APF and iptables trigger on RHEL4/CentOS4.

In the file /etc/init.d/iptables go to line 197 and change it from this:

rmmod_r ${IPV}_tables
let ret+=$?;
rmmod_r ${IPV}_conntrack
let ret+=$?;

To this:

rmmod_r ${IPV}_conntrack
let ret+=$?;
rmmod_r ${IPV}_tables
let ret+=$?;

You are taking lines 197 and 198 (the removal of ${IPV}_tables) and moving them down two places, so that they run after the removal of ${IPV}_conntrack.

Enjoy 🙂