UNIT V Firewalls
IPTABLES
1. iptables basics
What is iptables:
iptables is, in short, a Linux-based packet-filtering firewall.
iptables interfaces to the Linux netfilter module to perform filtering of
network packets.
This can be used to deny or allow traffic, or to perform Network Address
Translation (NAT).
With careful configuration iptables can be a very cost-effective, powerful
and flexible firewall or gateway solution.
iptables is available from http://www.netfilter.org/ or via your Linux
distribution.
iptables terms and syntax
Drop/Deny - When a packet is dropped or denied, it is simply deleted, and
no further actions are taken. No reply to tell the host it was dropped, nor
is the receiving host of the packet notified in any way. The packet simply
disappears.
Reject - This is basically the same as a drop or deny target or policy, except
that we also send a reply to the host sending the packet that was dropped.
The reply may be specified, or automatically calculated to some value. (To
this date, there is unfortunately no iptables functionality to also send a
packet notifying the receiving host of the rejected packet what happened
(i.e., doing the reverse of the Reject target). This would be very good in
certain circumstances, since the receiving host has no ability to stop
Denial of Service attacks from happening.)
State - A specific state of a packet in comparison to a whole stream of
packets. For example, if the packet is the first that the firewall sees or
knows about, it is considered new (the SYN packet in a TCP connection), or
if it is part of an already established connection that the firewall knows
about, it is considered to be established. States are known through the
connection tracking system, which keeps track of all the sessions.
Chain - A chain contains a set of rules that are applied to packets that
traverse the chain. Each chain has a specific purpose (e.g., which table it
is connected to, which determines what this chain is able to do), as well as a
specific application area (e.g., only forwarded packets, or only packets
destined for this host).
Table - Each table has a specific purpose, and in iptables there are 4
tables. The raw, nat, mangle and filter tables. For example, the filter table
is specifically designed to filter packets, while the nat table is specifically
designed to NAT (Network Address Translation) packets.
Match - This word can have two different meanings when it comes to IP
filtering. The first meaning would be a single match that tells a rule that
this header must contain this and this information. For example, the
--source match tells us that the source address must be a specific network
range or host address. The second meaning is if a whole rule is a match. If
the packet matches the whole rule, the jump or target instructions will be
carried out (e.g., the packet will be dropped).
Target - There is generally a target set for each rule in a ruleset. If the rule
has matched fully, the target specification tells us what to do with the
packet. For example, if we should drop or accept it, or NAT it, etc. There is
also something called a jump specification, for more information see the
jump description in this list. As a last note, there might not be a target or
jump for each rule, but there may be.
Rule - A rule is a set of a match or several matches together with a single
target in most implementations of IP filters, including the iptables
implementation. There are some implementations which let you use
several targets/actions per rule.
Ruleset - A ruleset is the complete set of rules that are put into a whole IP
filter implementation. In the case of iptables, this includes all of the rules
set in the filter, nat, raw and mangle tables, and in all of the subsequent
chains. Most of the time, they are written down in a configuration file of
some sort.
Jump - The jump instruction is closely related to a target. A jump
instruction is written exactly the same as a target in iptables, with the
exception that instead of writing a target name, you write the name of
another chain. If the rule matches, the packet will hence be sent to this
second chain and be processed as usual in that chain.
Connection tracking - Simply put, a firewall which implements connection
tracking is able to track connections/streams. The ability to do so often
comes at the cost of considerable processor and memory usage. This is
unfortunately true in iptables as well, although much work has been done to
improve it. The good side is that the firewall will be much more secure when
connection tracking is properly used by the implementer of the firewall
policies.
Accept - To accept a packet and to let it through the firewall rules. This is
the opposite of the drop or deny targets, as well as the reject target.
Policy - There are two kinds of policies that we speak about most of the
time when implementing a firewall.
First we have the chain policies, which tell the firewall implementation the
default behavior to take on a packet if there was no rule that matched it. This
is the main usage of the word that we will use in this book.
The second type of policy is the security policy that we may have written
documentation on, for example for the whole company or for this specific
network segment. Security policies are very good documents to have thought
through properly and to study properly before starting to actually implement
the firewall.
Descriptions Of The Most Commonly Used Targets
ACCEPT
    Description: iptables stops further processing. The packet is handed
    over to the end application or the operating system for processing.
    Most common options: N/A
DROP
    Description: iptables stops further processing. The packet is blocked.
    Most common options: N/A
LOG
    Description: The packet information is sent to the syslog daemon for
    logging. iptables continues processing with the next rule in the table.
    As you can't LOG and DROP at the same time, it is common to have two
    similar rules in sequence: the first will LOG the packet, the second
    will DROP it.
    Most common options: --log-prefix "string" - tells iptables to prefix
    all log messages with a user-defined string. Frequently used to tell
    why the logged packet was dropped.
DNAT
    Description: Used to do Destination Network Address Translation, i.e.,
    rewriting the destination IP address of the packet.
    Most common options: --to-destination ipaddress - tells iptables what
    the destination IP address should be.
SNAT
    Description: Used to do Source Network Address Translation, i.e.,
    rewriting the source IP address of the packet. The source IP address
    is user defined.
    Most common options: --to-source <address>[-<address>][:<port>-<port>]
    - specifies the source IP address and ports to be used by SNAT.
MASQUERADE
    Description: Used to do Source Network Address Translation, i.e.,
    rewriting the source IP address of the packet. By default the source
    IP address is the same as that used by the firewall's interface.
    Most common options: [--to-ports <port>[-<port>]] - specifies the
    range of source ports the original source port can be mapped to.
General iptables Match Criteria
iptables command switches:
-t <table>
    If you don't specify a table, then the filter table is assumed. As
    discussed before, the possible built-in tables include: filter, nat,
    mangle.
-A
    Append rule to end of a chain.
-F
    Flush. Deletes all the rules in the selected table.
-p <protocol-type>
    Match protocol. Types include icmp, tcp, udp, all.
-s <ip-address>
    Match source IP address.
-d <ip-address>
    Match destination IP address.
-i <interface-name>
    Match "input" interface on which the packet enters.
-o <interface-name>
    Match "output" interface on which the packet exits.
Example:
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT
In this example iptables is being configured to allow the firewall to accept TCP
packets coming in on interface eth0 from any IP address destined for the
firewall's IP address of 192.168.1.1.
Common TCP and UDP Match Criteria
Switches used with -p tcp:
--sport <port>
    TCP source port. Can be a single value or a range in the format
    start-port:end-port.
--dport <port>
    TCP destination port. Can be a single value or a range in the format
    start-port:end-port.
--syn
    Used to identify a new connection request. ! --syn means: not a new
    connection request.
Switches used with -p udp:
--sport <port>
    UDP source port. Can be a single value or a range in the format
    start-port:end-port.
--dport <port>
    UDP destination port. Can be a single value or a range in the format
    start-port:end-port.
Example:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT
In this example iptables is being configured to allow the firewall to route
TCP packets that enter on interface eth0 from any IP address and are destined
for IP address 192.168.1.58, which is reachable via interface eth1. The
source port is in the range 1024 to 65535 and the destination port is port
80 (www/http).
Common ICMP (Ping) Match Criteria
Matches used with -p icmp:
--icmp-type <type>
    The most commonly used types are echo-reply and echo-request.
Example:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
In this example iptables is being configured to allow the firewall to send ICMP
echo-requests (pings) and, in turn, accept the expected ICMP echo-replies.
Common Match Extensions Criteria
TCP/UDP match extensions used with -m multiport:
--sport <port,port>
    A variety of TCP/UDP source ports separated by commas.
--dport <port,port>
    A variety of TCP/UDP destination ports separated by commas.
Match extensions used with -m state:
--state <state>
    The most frequently tested states are:
    ESTABLISHED - The packet is part of a connection which has seen packets
    in both directions.
    NEW - The packet is the start of a new connection.
    RELATED - The packet is starting a new secondary connection. This is a
    common feature of protocols such as an FTP data transfer, or an ICMP
    error.
Example:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP --sport 1024:65535 -m multiport --dport 80,443 -j ACCEPT
iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP -m state --state ESTABLISHED -j ACCEPT
This is an expansion on the previous example. Here iptables is being
configured to allow the firewall to route TCP packets that enter on
interface eth0 from any IP address and are destined for IP address
192.168.1.58, which is reachable via interface eth1. The source port is in the
range 1024 to 65535 and the destination ports are port 80 (www/http) and
443 (https).
We are also allowing the return packets from 192.168.1.58 to be accepted.
Instead of stating the source and destination ports, it is sufficient to
allow packets belonging to established connections using the -m state and
--state ESTABLISHED options.
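The LOG-then-DROP pairing from the targets table and the stateful return-traffic rule in the example above, put together in one script. This is an added example, not part of the original notes: the interface roles (eth0 untrusted, eth1 LAN), the default-deny chain policies and the helper functions are assumptions, and with IPT left at its default of echo the commands are only printed, not loaded.

```shell
#!/bin/sh
# Added example: stateful default-deny filter policy for a two-interface gateway.
# Assumed layout: eth0 faces the untrusted network, eth1 the LAN, and
# 192.168.1.58 is the web server the notes' examples use. IPT=echo (the
# default here) only prints the commands; run as root with IPT=iptables.
IPT="${IPT:-echo}"
WAN=eth0
LAN=eth1
WEB=192.168.1.58

build_filter_policy() {
    # Empty the filter table, then set chain policies: a packet that matches
    # no rule is dropped on INPUT and FORWARD (default deny).
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to sessions the firewall itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # One rule covers the return direction of every forwarded service:
    # connection tracking already knows the session, so no port list is needed.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NEW connections are allowed only from outside to the web server, 80/443.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$WEB" -p tcp \
        --sport 1024:65535 -m multiport --dport 80,443 \
        -m state --state NEW -j ACCEPT

    # LOG continues to the next rule and DROP cannot log, so they go in
    # sequence; the prefix makes the syslog lines easy to search for.
    $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP: "
    $IPT -A FORWARD -j DROP
    $IPT -A INPUT -j LOG --log-prefix "IN-DROP: "
    $IPT -A INPUT -j DROP
}

# Dry-run helpers: emit the generated rules, and count those in one chain.
dry_run() { ( IPT=echo; build_filter_policy ); }
rules_in_chain() { dry_run | grep -c -- "-A $1 "; }

build_filter_policy
```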
Using User Defined Chains
iptables can be configured to have user-defined chains. This feature is
frequently used to help streamline the processing of packets. For example,
instead of having a single chain for all protocols, it is possible to have a
chain that determines the protocol type for the packet and then hands off
the actual final processing to a protocol specific chain. In other words, you
can replace a long chain with a main stubby chain pointing to multiple
stubby chains thereby shortening the total length of all chains the packet
has to pass through.
Example:
# user-defined chains must be created before any rule can jump to them
iptables -N fast-input-queue
iptables -N fast-output-queue
iptables -N icmp-queue-in
iptables -N icmp-queue-out
iptables -A INPUT -i eth0 -d 206.229.110.2 -j fast-input-queue
iptables -A OUTPUT -o eth0 -s 206.229.110.2 -j fast-output-queue
iptables -A fast-input-queue -p icmp -j icmp-queue-in
iptables -A fast-output-queue -p icmp -j icmp-queue-out
iptables -A icmp-queue-out -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
iptables -A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT
In this example we have six chains with the following characteristics to help
speed up processing:
INPUT
    The regular built-in INPUT chain in iptables
OUTPUT
    The regular built-in OUTPUT chain in iptables
fast-input-queue
    Input chain dedicated to specific protocols
fast-output-queue
    Output chain dedicated to specific protocols
icmp-queue-out
    Output queue dedicated to ICMP
icmp-queue-in
    Input queue dedicated to ICMP
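The protocol dispatch described above, written out as a script (added example, not from the original notes): INPUT only classifies by protocol and jumps to one short user-defined chain per protocol. The chain names, the allowed services and the helper functions are assumptions; 206.229.110.2 is the firewall address the notes use, and IPT defaults to echo so the rules are printed rather than loaded.

```shell
#!/bin/sh
# Added example: protocol-specific user-defined chains hanging off INPUT.
# Assumptions: 206.229.110.2 is the firewall's own address (as in the notes)
# and the allowed services are ssh/http/https and DNS. IPT=echo (the default)
# prints the commands; run as root with IPT=iptables to load them.
IPT="${IPT:-echo}"
HOST=206.229.110.2
CHAINS="tcp-in udp-in icmp-in"

build_dispatch_chains() {
    # A user-defined chain must exist before a rule can jump to it, so the
    # -N calls come first (on a rebuild, -F then -X would clear them).
    for chain in $CHAINS; do
        $IPT -N "$chain"
    done

    # INPUT stays short: it only classifies by protocol and jumps.
    $IPT -A INPUT -d "$HOST" -p tcp -j tcp-in
    $IPT -A INPUT -d "$HOST" -p udp -j udp-in
    $IPT -A INPUT -d "$HOST" -p icmp -j icmp-in
    $IPT -P INPUT DROP

    # Each protocol chain holds only the rules that protocol needs.
    $IPT -A tcp-in -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A tcp-in -p tcp --syn -m multiport --dport 22,80,443 -j ACCEPT
    $IPT -A udp-in -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A icmp-in -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A icmp-in -p icmp --icmp-type echo-reply -j ACCEPT

    # A packet that reaches the end of a user-defined chain returns to the
    # chain that jumped to it; INPUT has no further rules, so its DROP policy
    # applies. Log it first so the syslog entry names the protocol chain.
    for chain in $CHAINS; do
        $IPT -A "$chain" -j LOG --log-prefix "$chain-drop: "
    done
}

# Dry-run helpers used to inspect the generated ruleset.
dry_run() { ( IPT=echo; build_dispatch_chains ); }
rules_in() { dry_run | grep -c -- "-A $1 "; }
# Line number of the first generated command matching $1 (empty if none).
first_line() { dry_run | grep -n -- "$1" | head -n 1 | cut -d: -f1; }

build_dispatch_chains
```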
Traversing tables and chains
1. When a packet comes in (say, through the Ethernet card) the kernel first looks
at the destination of the packet: this is called 'routing'.
2. If it's destined for this box, the packet passes downwards in the diagram, to
the INPUT chain. If it passes this, any processes waiting for that packet will
receive it.
3. Otherwise, if the kernel does not have forwarding enabled, or it doesn't know
how to forward the packet, the packet is dropped. If forwarding is enabled,
and the packet is destined for another network interface (if you have another
one), then the packet goes rightwards on our diagram to the FORWARD
chain. If it is ACCEPTed, it will be sent out.
4. Finally, a program running on the box can send network packets. These
packets pass through the OUTPUT chain immediately: if it says ACCEPT, then
the packet continues out to whatever interfaces it is destined for.