This article discusses traditional Linux firewall configuration using iptables. If you are looking for the newer front ends such as UFW or FirewallD, this is not the article for you.
What is iptables?
iptables is a user-space program that lets a system administrator configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules), together with the chains and rules those tables store; put simply, it is used to manage firewall rules. In general terms, iptables configures the flow of packets on the network: it rules which packets can be received, transmitted or forwarded to or from the IP addresses listed in the tables.
This article gives basic instruction on how iptables works and how it is structured. We will also go through the rules used for network management. Afterwards, reading and writing iptables firewall rules should be easy.
iptables is installed by default on every Linux machine. If you find it missing, you can install it:
# Debian-based (Debian, Ubuntu, etc)
apt-get install iptables
# RPM-based (RHEL, CentOS, etc)
yum install iptables
# Arch-based (Arch Linux, etc)
pacman -S iptables
# Zypper-based (openSUSE, etc)
zypper install iptables
It is important to note that iptables operates on the Linux kernel firewall, so it needs root privileges.
Let's start by running this command in your Linux terminal:
iptables --help
That command gives a summary of what the iptables program can do.
At a high level, iptables contains multiple tables. Each table contains multiple chains, which can be built-in or user-defined. Each chain contains multiple rules. A rule is defined for packets and determines what happens to a packet that matches it.
In summary, the structure is: iptables -> tables -> chains -> rules.
By default, iptables has four built-in tables: the filter table, the nat table, the mangle table and the raw table.
1. Filter Table
This is the default table: if no other table is specified, the filter table is used. Its built-in chains are:
- INPUT chain – incoming packets to the firewall. It is the chain for packets arriving at the local server
- OUTPUT chain – outgoing packets from the firewall. It is the chain for packets generated locally and leaving the local server
- FORWARD chain – packets for another NIC (Network Interface Card) on the local server. It is the chain for packets routed through the local server.
2. NAT table
This is the table for NAT (Network Address Translation). It has the following built-in chains:
- PREROUTING chain – alters packets before routing. Translation happens immediately after the packet enters the system (and before routing). It is used to translate the destination IP address of packets to something that matches the routing on the local server. This is used for DNAT (Destination NAT)
- POSTROUTING chain – alters packets after routing. Translation happens when the packets are leaving the system. It is used to translate the source IP address of packets to something that matches the routing on the destination server. This is used for SNAT (Source NAT).
- OUTPUT chain – NAT for packets generated locally on the firewall.
3. Mangle table
This table is for specialized packet alteration, such as changing the QoS bits in the TCP header. The mangle table has the following built-in chains:
- PREROUTING chain
- OUTPUT chain
- FORWARD chain
- INPUT chain
- POSTROUTING chain
4. Raw table
This table is for configuring exemptions. It has the following built-in chains:
- PREROUTING chain
- OUTPUT chain
Rules are the core of the firewall. They are the law the firewall applies when it inspects packets and decides what to do with them. Giving the firewall wrong instructions (wrong rules) will land you in an uncomfortable situation. Think of a guard with wrong instructions: he drives your friends away, or can no longer tell who is a friend and who is an enemy. The same happens with your firewall.
Now let's look at the basics of iptables rules.
- A rule consists of match criteria and a target
- If the criteria match, the packet goes to the rules in the chain named by the target, or the special value named by the target (ACCEPT, DROP, etc.) is executed
- If the criteria do not match, the packet moves on to the next rule, and rules are checked in sequence until one matches or none is left
The possible actions executed when a rule matches can be summarised as follows:
- ACCEPT – the packet is accepted by the firewall
- DROP – the packet is discarded
- REJECT – similar to DROP, but the firewall informs the sender that the packet was rejected
- QUEUE – the packet is passed to userspace
- RETURN – the firewall stops executing the remaining rules of the current chain for this packet, and control returns to the calling chain.
For every chain, the listing shows columns such as target, prot, opt, source and destination.
- Target is the value or action taken when the condition is met, as discussed above.
- Prot, the protocol, tells us which protocol the rule matches: TCP, UDP, ICMP, etc.
- Opt holds special options for the specific rule.
- Source is the source IP address of the packet.
- Destination is the destination IP address of the packet.
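To show how those columns are read in practice, here is an added example (not from the original article) that parses a constructed `iptables -L INPUT -n --line-numbers` listing with awk. `-n` keeps addresses numeric and `--line-numbers` adds the index that the delete, replace and insert commands work with. The functions return the chain's default policy, the rule numbers carrying a given target, and any ACCEPT rule that matches any source and any destination with no further match text, which is the first thing to look for when auditing a host's INPUT chain. One caveat: without `-v` the interface columns are hidden, so a harmless `-i lo` rule looks exactly like rule 1 in the sample; confirm with `iptables -L INPUT -n -v --line-numbers` before treating that as a finding.

```shell
#!/bin/sh
# Added example: read the column layout of `iptables -L INPUT -n --line-numbers`
# and extract the facts an auditor wants. SAMPLE is a constructed listing,
# not output captured from a real host.
SAMPLE='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3    ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:22
4    DROP       all  --  10.0.0.5             0.0.0.0/0
5    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23 reject-with icmp-port-unreachable'

# Default policy of the chain, taken from the "Chain NAME (policy X)" header.
chain_policy() {
    awk 'NR == 1 && match($0, /policy [A-Z]+/) { print substr($0, RSTART + 7, RLENGTH - 7) }'
}

# Rule numbers whose target column (field 2) equals $1, one per line.
# Fields: 1 num, 2 target, 3 prot, 4 opt, 5 source, 6 destination, 7+ extra matches.
rules_with_target() {
    awk -v t="$1" 'NR > 2 && $2 == t { print $1 }'
}

# ACCEPT rules with any source, any destination and no extra match text:
# such a rule accepts everything that reaches it in the chain.
wide_open_accepts() {
    awk 'NR > 2 && $2 == "ACCEPT" && $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" && NF == 6 { print $1 }'
}

printf '%s\n' "$SAMPLE" | chain_policy           # DROP
printf '%s\n' "$SAMPLE" | rules_with_target DROP  # 4
printf '%s\n' "$SAMPLE" | wide_open_accepts       # 1
```

On a live host replace the `printf` with `iptables -L INPUT -n --line-numbers | wide_open_accepts` (as root); the same functions work for any chain, since only the header line and the column positions are used.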
Basic IPTables Command
Now let's discuss the commands used to manipulate rules. Each command option is given first, followed by its explanation.
-A : append
This command appends a rule at the end of the chain.
iptables -A INPUT : append to the INPUT chain of the filter table.
-D : delete
This command deletes one rule, identified by its row number in the chain. The row number is called the index, so to delete a rule we give the index of the row where it sits.
iptables -D INPUT 1 : delete the first entry of the INPUT chain
-R : replace
Replaces a rule with a new one. The old rule is overwritten and its slot is taken by the new rule; the order of the rest of the table is unchanged.
iptables -R INPUT 2 -s 192.168.1.3 -j DROP : replace the rule at entry number 2
-I : insert
Inserts a new rule into the table. The new rule is placed at the given index and the rules from that index onward move down by one: when we insert a rule at row 1, the old row 1 becomes row 2, and so on.
iptables -I INPUT 3 -s 192.168.1.3 -j ACCEPT : insert a rule at entry number 3
-L : list
This command lists every rule we have created.
iptables -t nat -L : list all rules in all chains of the nat table
iptables -L : list all rules in all chains of the filter table (the default table when -t is not given)
-F : flush
This command flushes (deletes) every rule in a chain, or in every chain of the table if no chain is named.
iptables -F OUTPUT : flush the contents of the OUTPUT chain
-N : new-chain
This command creates a new user-defined chain with the name given as argument.
iptables -N cha-IN : create a new chain named cha-IN in the filter table
-X : delete-chain
This command deletes a chain. Only chains created with -N can be deleted, and the chain must be empty (no rules left in it) for the command to succeed.
iptables -X cha-IN : remove the chain cha-IN
-P : policy
This command sets the default policy of a chain. When a packet matches none of the rules in the chain, the default policy determines what the machine does with it.
iptables -P INPUT DROP : set the default policy of the INPUT chain so that every unhandled packet is dropped
-E : rename-chain
This command renames a chain. Only chains created with -N can be renamed.
iptables -E eth0_IN cha-IN : rename eth0_IN to cha-IN
-h : help
Prints the help text for iptables.
iptables takes parameters. In this section we discuss what the parameters you saw when you typed `iptables --help` earlier do.
-p : protocol
Used to check the protocol type. Common protocols are TCP, UDP, ICMP and ALL; the full list of available protocols is in /etc/protocols. A `!` before the match means "not": for example, if we want every protocol to pass over our network except ICMP, we say not ICMP.
iptables -A INPUT ! -p icmp -j ACCEPT : accept packets that are not ICMP
iptables -A INPUT -p tcp -j ACCEPT : accept packets that are TCP
-s : source ip-address
Used to match packets by source IP address. The address can be a single host such as 192.168.1.1, or a network with a netmask such as 192.168.1.0/255.255.255.0, which can also be written as 192.168.1.0/24.
iptables -A INPUT -s 192.168.1.3
-d : destination
Used to match packets by destination address. The usage is the same as for -s.
iptables -A OUTPUT -d 192.168.1.3
-j : jump
Used to set the action (target) taken for matched packets.
iptables -A INPUT -j DROP
-i : in-interface
Used to match by incoming interface. This match only applies to the INPUT and FORWARD chains.
iptables -A INPUT -i eth0
-o : out-interface
Used to match by outgoing interface. The usage is the same as for -i. It only applies to the OUTPUT and FORWARD chains.
iptables -A OUTPUT -o eth1
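Putting the commands (-F, -X, -P, -A) and match parameters (-p, -i, -j) above together, here is an added example, not from the original article, of a script that builds an ordered INPUT ruleset for the filter table. It assumes a host administered over SSH on port 22, and it uses two matches the article does not list: `-m conntrack --ctstate` (allow replies to connections this host started) and `-m limit` (rate-limit the LOG rule so a flood cannot fill the log). The order matters because rules are checked top to bottom and the first match wins: the allow rules go in first and the DROP policy is set last, so an administrator connected over SSH is never locked out between two commands. LOG does not stop rule processing, so a logging rule placed at the end of the chain records exactly the packets that are about to hit the DROP policy. With DRY_RUN left at its default of 1 the script only prints the commands; set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example: an ordered host firewall for the filter table.
# DRY_RUN=1 (default) prints each command instead of running it.
DRY_RUN="${DRY_RUN:-1}"
SSH_PORT="${SSH_PORT:-22}"   # assumed management port

fw() {
    if [ "$DRY_RUN" = "0" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

host_firewall() {
    # 1. Start clean: flush all rules and delete user-defined chains.
    fw -F
    fw -X
    # 2. Keep the policy open until the allow rules exist, so an SSH
    #    session is not cut off between the commands below.
    fw -P INPUT ACCEPT
    # 3. Allow rules. First match wins, so the busiest rule goes first.
    fw -A INPUT -i lo -j ACCEPT
    fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    fw -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # 4. LOG is non-terminating, so placed here it records only packets that
    #    matched nothing above; -m limit keeps a flood from filling the log.
    fw -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT_DROP:" --log-level info
    # 5. Only now close the door: unmatched packets hit the DROP policy.
    fw -P INPUT DROP
    fw -P FORWARD DROP
    fw -P OUTPUT ACCEPT
}

# Position (1-based line) of the first generated command containing $1,
# used to check that the ordering above is what actually gets applied.
rule_position() {
    host_firewall | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

host_firewall
```

Run it once in dry-run mode and read the output top to bottom: the line with `-P INPUT DROP` must come after the rule that accepts the SSH port, otherwise the script would lock you out while it is still running.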
MORE ON IPTABLES TARGETS
A target (the value given to -j, jump) is the action we apply to a matching packet.
ACCEPT – every matching packet is received by the firewall and forwarded to the packet's destination.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
DROP – every matching packet is discarded (thrown away) without any notice to the sender's IP address.
iptables -A INPUT -p tcp --dport 80 -j DROP
REJECT – the matching packet is refused, and the firewall sends a signal back to the sender's IP address.
iptables -A INPUT -p tcp --dport 80 -j REJECT
REJECT with --reject-with – rejects every matching packet and has the firewall return an ICMP error to the sender. The default is the port-unreachable message; it can be changed to icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, etc.
iptables -A INPUT -p tcp --dport 80 -j REJECT --reject-with icmp-net-unreachable
LOG – some options accompany this target. The first sets the log level; common levels are debug, info, notice, warning, err, crit, alert and emerg. The second is --log-prefix, which adds a prefix string to each log entry so the log is easier to read.
iptables -A FORWARD -p tcp -j LOG --log-level debug
iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT Packets"
SNAT – used for Source Network Address Translation. The target applies in the nat table, POSTROUTING chain. If SNAT is applied to the first packet of a connection, the following packets of that connection are translated the same way.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 184.108.40.206-220.127.116.11:1024-32000
DNAT – the opposite of SNAT, used for Destination Network Address Translation of the packet header. DNAT only applies in the nat table, PREROUTING and OUTPUT chains, or user-defined chains called from those two.
iptables -t nat -A PREROUTING -p tcp -d 18.104.22.168 --dport 80 -j DNAT --to-destination 192.168.0.2
MASQUERADE – works like SNAT, but this target does not need the --to-source option. MASQUERADE is designed for non-permanent connections such as dial-up or DHCP, where the IP address is allocated dynamically.
Like SNAT, the target works in the nat table, POSTROUTING chain.
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j MASQUERADE
REDIRECT – used to redirect traffic to the local machine. This target redirects packets arriving on some port into a proxy application, which is how a transparent proxy is built: for example, we can redirect all connections for the http port into an http proxy application such as Squid. This target only applies in the nat table, PREROUTING and OUTPUT chains, or user-defined chains called from those chains.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p tcp -d 0/0 --dport 80 -j REDIRECT --to-port 8080
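The NAT targets above are rarely used one at a time. Here is an added example, not from the original article, of a small gateway ruleset that combines DNAT (publish an internal web server), REDIRECT (transparent proxy for LAN clients) and MASQUERADE (outbound NAT on a dynamic WAN address), written in iptables-restore format so that the nat and filter tables load in one atomic step instead of rule by rule. The interface names, the internal address 192.168.0.2 and the proxy port are placeholders for a lab setup. Two points the page's one-line commands do not show: the FORWARD chain sees a packet after PREROUTING has rewritten it, so the published service is matched on its internal address there, and FORWARD is kept at policy DROP so DNAT does not silently open the whole LAN. The `-m conntrack --ctstate` match, not covered by the article, lets replies back in.

```shell
#!/bin/sh
# Added example: a gateway ruleset in iptables-restore format. Interface
# names and addresses are placeholders, not real hosts.

gateway_ruleset() {
    wan="$1"    # interface facing the Internet, e.g. eth0
    lan="$2"    # interface facing the private network, e.g. eth1
    web="$3"    # internal web server that receives the DNAT'd port 80
    proxy="$4"  # port of the local transparent proxy (Squid listens on 3128)
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: port 80 arriving on the WAN side is sent to the internal web server
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web:80
# REDIRECT: LAN clients' web traffic is steered into the local proxy
-A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-port $proxy
# MASQUERADE: everything leaving on the WAN interface gets its source rewritten
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -p tcp --dport $proxy -j ACCEPT
# FORWARD sees the packet after DNAT, so the published service is matched on
# its internal address; nothing else from the WAN side is forwarded in.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -p tcp -d $web --dport 80 -j ACCEPT
COMMIT
EOF
}

# Structural check for a restore file read on stdin: every *table block must
# be closed by a COMMIT line. Exit status 0 means the file is balanced.
check_ruleset() {
    awk '/^\*/ { open++ } /^COMMIT$/ { closed++ } END { exit !(open > 0 && open == closed) }'
}

gateway_ruleset eth0 eth1 192.168.0.2 3128
```

To apply it on a real gateway, save the output to a file, enable routing with `sysctl -w net.ipv4.ip_forward=1`, parse it first with `iptables-restore --test < file`, and only then load it with `iptables-restore < file` as root.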