IPtables (Netfilter) :
IPtables is the default firewall for Linux. Its a vast subject which can not be covered in one post. I will try to give as much info as possible at the same time not to make it complex. Lets start with basics.
What is a firewall?
Ans : A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications –Wikipedia.org
A IPtables firewall contains tables which in tern contains rules to block or unblock a perticular communication.
A table can be a
1.Filter table — Used to filter packets.
2.NAT(Network Adress Translator) table — Used for NATing of source and destination ip address(Used for sharing internet)
3.Mangale table — Its a combination of Filter and NAT tables
4.RAW table — Used to for marking packets not to track.
1.Filter table : This is the default table which contaions three chains.
a.INPUT Chain : To apply a rule on packets which are coming into the system.
b.FORWARD Chain : For packets being routed through the system
c.OUTPUT Chain : For packets locally generated which are going out from the system.
2.NAT table : This table is having three chains.
a.PREROUTING Chain : For altering the packets as soon as they come in to the system
b.OUTPUT Chain : For packets locally generated which are going out from the system.
c.POSTROUTING Chain : For altering the packets which are about to go out from the system.
3.MANGLE Table : This is a combination of forwording, security and translating packets. We can say this one as hybride table of both FILTER and NAT table. This contains five chains.
1.PREROUTING
2.OUTPUT
3.INPUT
4.FORWARD
5.POSTROUTING
4.RAW Table : Contaions two chains.
1.PREROUTING
2.OUTPUT
So let us go to the configuration of IPTables : In the following examples I will be taking FILTER Table to explain.
Example1 : To see/list what are the rules configured in the system
#iptables -L -t filter
This will list all the rules which are created under FILTER Table
-L for listing
-t for specifying table type(here table type is FILTER)
#iptables -L -t nat
#iptables -L -t mangle
#iptables -L -t raw
These three iptables are self explantory.
Example2 : Inserting a rule in to a table
#iptables -I INPUT 2 -t filter -s 192.168.0.1/24 -j DROP
-I for inserting a rule in to a table, so in this example I am inserting an INPUT rule and position two(2). So depending on number we can insert a rule in any position of a table.
-s for specifying the source of this packet. This source may be a IP adress/netmaks or a network-adress/netmask. -j for specifying what to do on the target packet. Here we specified to drop any packet which comes from 192.168.0.1, so there is no reply to the source about the packet status. With -j these are the options we can specify.
1.DROP — For droping a packet without informing the status of this packets to the source/destination. So there is no inforamtion to source/destination about the status of the packet.
2.REJECT — Will reject the packets and information is sent to source/destantion about the rejection of packet by the server.
3.ACCEPT — Will accpet for the delevery of the packet to designated destination.
4.QUEUE — this is used to queue the packets to user space. Let me put in this way.. this is just to forward all the packets to some other utility(such as SNORT) which take care of packet filtering.
What actually this rule is specifying?
Ans : This rule specifies it’s an input rule at second position of the filter table to drop all the communication which is originating from 192.168.0.1
Example3 : To append a rule in to a table
#iptables -A INPUT -t filter -d 132.160.0.0/16 -j REJECT
-A for append a rule at the end of a table
-d for specifying the destination of this packet. This destination may be a IP adress/netmaks or a network-adress/netmask.
What actually this rule is specifing?
Ans : This rule specifies it’s an input rule which is appended to a filter table to reject all the packets which are destinated to 132.160.0.0 network.
Example4 : Deleting perticular rule
#iptables -D INPUT 3 -t filter
-D for specifing deletion of a rule
What actually this rule is specifing?
Ans : This rule specifies delete an input rule which is in third position of the filter table.
Example5 : Flushing/removeing entire table
#iptables -F -t filter
-F for specifing to flush/remove a table from iptables configuration.
What actually this rule is specifing?
Ans : This rule specifies flush/remove all the rules which are in filter table.
From here we will see how to block a
1.Blocking network
2.Blocking an ip address
3.Blockign Entire protocal stack
4.Blocking protocol
5.Blocking port(source port or Destination port)
Example6 : Blocking(Rejecting) a perticular network
#iptables -A INPUT -t filter -s 192.168.0.0/24 -j REJECT
What actually this rule do?
Ans : This rule specifies under filter table please block(REJECT) all traffic from 192.168.0.0 to 192.168.0.225 ip addresses, nothing but entire 192.168.0.0/24 network.
Example7 : Blocking(Rejecting) a perticular ip address
#iptables -A INPUT -t filter -s 123.45.0.1 -j REJECT
What acutally this rule do?
Ans : This rule specifies under filter table please block(REJECT) all the traffic originating from 192.168.0.1 ip address.
Example8 : Blocking(Rejecting) entire protocol stack.
#iptables -A INPUt -t filter -s 192.168.0.1 -p all -j REJECT
What acutally this rule do?
Ans : This rule specifies under filter table please block all the traffic with all the protocols(such as TCP,UDP,ICMP etc) which are origenating from 192.168.0.1 ip address.
Example9 : Blocking a perticular protocol
#iptables -A INPUT -t filter -s 192.168.0.1 -p tcp -j REJECT
What acutally this rule do?
Ans : This rule specifies under filter table please block all the traffic which uses tcp protocol to communicate from 192.168.0.1 ip address.
Example10 : Blocking perticular destination port
#iptables -A INPUT -t filter -s 192.168.0.1 -p tcp -dport 21 -s 192.168.0.1 -j REJECT
What acutally this rule do?
Ans : This rule specifies under filter table please block all the FTP(port no:21) traffic orignating from 192.168.0.1 ip address.
Example11 : Blocking perticular source port
#iptables -A OUTPUT -t filter -d 192.168.0.1 -p udp -sport 1929 -j REJECT
What acutally this rule do?
Ans : This rule specifies under filter table please block all the traffic which is origanting from server through port 1929 destinated to 192.168.0.1 to be blocked.
5.Saving iptable :
#service iptables save
Why we actually require to save iptables?
Ans : Most of the services in linux have their own configuration files so same will be applicable for the iptables. So when ever we do iptables save the configuration by default will be saved to /etc/sysconfig/iptables
6.Satrting iptables :
#service iptables start
7.Restarting iptables :
#service iptables restart
Checking wether iptables is running or not
#service iptables status
Please comment your thoughts regarding this post:-)