What is IPtables
As described in the man page:
Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.
iptables is a packet filter that runs inside the Linux kernel (as the user-space front end to the netfilter hooks). On its own it judges each packet by headers such as addresses, ports and flags; with the connection-tracking extension described later it also remembers previous packets, which is what lets it make stateful decisions.
How it works
It is called iptables because it organises its rules into several tables, each serving a different purpose. By default there are four: filter, nat, mangle and raw (SELinux kernels add a fifth, security). mangle and raw are for marking packets and for bypassing connection tracking and are not covered here; nat is used in the router section below.
There are five built-in chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING. Each table has the subset that makes sense for it: filter has INPUT, FORWARD and OUTPUT; nat has PREROUTING, INPUT, OUTPUT and POSTROUTING; mangle has all five; raw has PREROUTING and OUTPUT. A chain is an ordered list of rules, and each rule is matched against packets in turn.
So the structure is: iptables -> tables -> chains -> rules. Let's look at this structure and at how tables and chains relate.
Here is how packets flow through iptables. A packet takes one of three routes:
- Packets arriving at the machine to use its own resources (Route A): the packets are judged in
- Packets the machine forwards on behalf of others (Route B): on this route iptables forwards the packets to another destination. In this process the packet will access
- Packets sent from the local machine itself (Route C): every packet sent from the local machine goes through Route C.
The mangle table is rarely used, so we leave it out to keep the picture simpler.
The filter table, with its INPUT and OUTPUT chains, is the table most used on Linux machines.
The nat table is the interesting one for managing packet flow between the machines on a LAN and the outside world; it is what lets a Linux machine function like a router.
Key points to remember about iptables rules:
- A rule consists of match criteria and a target.
- If a packet matches the criteria, the target decides what happens to it: either a jump to a user-defined chain, whose rules are then evaluated, or one of the special values below.
- If the packet does not match, evaluation moves on to the next rule in the chain. Order therefore matters: the first terminating match wins. When a built-in chain is traversed to the end without a terminating match, the chain's policy (ACCEPT or DROP) applies.
The special values you can give as a target are:
- ACCEPT: the firewall lets the packet through; traversal of this chain ends.
- DROP: the firewall silently discards the packet; the sender receives no response at all.
- QUEUE: the firewall hands the packet to a userspace program (see the NFQUEUE target for the current form).
- RETURN: the firewall stops traversing this chain and resumes at the next rule in the previous (calling) chain; in a built-in chain, RETURN applies the chain policy.
iptables also supports extension modules that add further matches and targets. Extension targets such as REJECT (drop and send an error or TCP reset back), LOG, DNAT, MASQUERADE and REDIRECT are common. See the iptables-extensions man page for the full list.
How to use IPtables
Typing iptables -L (or, on RHEL/CentOS systems that run the iptables service, service iptables status) lists the firewall rules on your system. Add -n to skip reverse DNS lookups, -v to see per-rule packet and byte counters, and --line-numbers to see rule positions; iptables -S prints the rules in the same syntax used to create them. Without -t only the filter table is shown; use -t nat or -t mangle to see the others. The example below shows the filter table of a host with no rules: its INPUT, FORWARD and OUTPUT chains are empty and each has the default policy ACCEPT, so every packet is allowed.
root@theplant:/home/theplant# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
For more basic commands please read the Linux man page.
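As an added example (not from the original article), here is a small audit of an iptables -S listing in plain shell and awk. It reports each built-in chain's policy and rule count, lists the chains whose policy is ACCEPT, and numbers the rules of one chain the way iptables -L CHAIN --line-numbers would. The input is a constructed sample listing; on a real host, pipe the output of iptables -S (as root) into the same functions.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output (assumption: a host with a
# permissive INPUT chain and one user-defined chain). Replace with:
#   iptables -S | audit_policies
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N SSH_IN
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j SSH_IN
-A SSH_IN -s 10.0.0.0/8 -j ACCEPT
-A SSH_IN -j DROP'

# For each built-in chain print "CHAIN POLICY RULECOUNT". Only built-in chains
# carry a -P line; a user-defined chain (-N) has no policy and falls back to
# its caller when it is traversed to the end.
audit_policies() {
    awk '
        $1 == "-P" { policy[$2] = $3; count[$2] += 0 }
        $1 == "-A" { count[$2]++ }
        END { for (c in policy) printf "%s %s %d\n", c, policy[c], count[c] }
    ' | sort
}

# Chains whose policy is ACCEPT: whatever their rules do not explicitly stop
# gets through, so an ACCEPT policy on INPUT is the first thing to review.
open_chains() {
    audit_policies | awk '$2 == "ACCEPT" { print $1 }'
}

# Rules of one chain, numbered as `iptables -L CHAIN --line-numbers` shows them.
rules_for_chain() {
    awk -v chain="$1" '$1 == "-A" && $2 == chain { n++; printf "%d: %s\n", n, $0 }'
}

printf '%s\n' "$SAMPLE_RULES" | audit_policies
printf 'open chains: %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | open_chains | tr '\n' ' ')"
printf '%s\n' "$SAMPLE_RULES" | rules_for_chain SSH_IN
```

The sample deliberately shows the common mistake the listing above hides: INPUT has three rules, but because its policy is ACCEPT the rules only ever let traffic in, and nothing is actually blocked except SSH from outside 10.0.0.0/8.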
The string match lets us filter any packet whose payload contains a given byte sequence. In this test the rule resets any TCP connection to the local machine that carries the string ggffww:
iptables -A INPUT -p tcp -m string --algo kmp --string "ggffww" -j REJECT --reject-with tcp-reset
$ nc -l 4230 &
$ telnet localhost 4230
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
ggffww
Connection closed by foreign host.
As soon as ggffww is typed, iptables matches the segment carrying it and REJECT --reject-with tcp-reset tears the connection down, which telnet reports as "Connection closed by foreign host." Note that the match is applied to one packet at a time: a string split across two TCP segments is not detected.
- To block a known attack pattern (here requests for cmd.exe against a web server):
iptables -I INPUT 1 -p tcp --dport 80 -m string --string "cmd.exe" --algo bm -j DROP
- To shed requests during a DDoS against a service (here anything carrying a given host name):
iptables -I INPUT 1 -p tcp --dport 80 -m string --string "domain.com" --algo kmp -j DROP
- To drop spoofed e-mail:
iptables -I INPUT -p tcp --dport 25 -m string --string "Subject" --algo bm -j DROP
Treat the strings above as placeholders. As written, the last rule drops every SMTP packet that contains "Subject", which is practically all incoming mail; replace it with something specific to the messages you want to stop. Bear in mind also that -m string inspects one packet at a time and cannot see inside TLS-encrypted payloads, so it is a quick stopgap, not a substitute for fixing the service behind the port.
Connection tracking is the feature that makes iptables a stateful firewall rather than a plain packet filter: the kernel remembers every connection it has seen, and the state match (or, on current releases, -m conntrack --ctstate) lets a rule refer to that memory. The classic use is FTP, with the ip_conntrack_ftp module (nf_conntrack_ftp on current kernels), which watches the FTP control channel so that the data connections are tracked back into our network properly. In active mode, when we download from an FTP server it opens a TCP connection back to our system, and the helper marks that connection as RELATED to the control session.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
With the helper loaded and this rule in place, all we need to open explicitly is the FTP control port (21 by default); the data connections are accepted as RELATED. On kernels since 4.7 the helper is no longer attached automatically and must be bound to the control port with the CT target in the raw table as well.
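The following is an added example, not code from the original article: a complete stateful host firewall for the filter table, written in iptables-restore format so it can be loaded atomically, plus the raw-table rule that binds the FTP conntrack helper on kernels 4.7 and later. It ties together the earlier section on rules and targets (default DROP policy, a user-defined chain, a RETURN that hands control back to INPUT) and this section on connection tracking. Assumptions: SSH on port 22, an FTP server on port 21, 10.0.0.0/8 as the only network allowed to open SSH, and the nf_conntrack_ftp module loaded (modprobe nf_conntrack_ftp).

```shell
#!/bin/sh
# Stateful host firewall, iptables-restore format. Defaults are assumptions
# for the example; override via environment, e.g. TRUSTED_NET=192.0.2.0/24.
TRUSTED_NET=${TRUSTED_NET:-10.0.0.0/8}
SSH_PORT=${SSH_PORT:-22}

filter_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Kernels since 4.7 do not assign conntrack helpers automatically; bind the
# FTP helper (module nf_conntrack_ftp, formerly ip_conntrack_ftp) to port 21.
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_IN - [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies and helper-tracked data connections (FTP active mode) come in here.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j SSH_IN
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGDROP
# User-defined chain: ACCEPT trusted sources, RETURN everything else to INPUT,
# where traversal resumes at the rule after the jump (the LOGDROP rule).
-A SSH_IN -s ${TRUSTED_NET} -j ACCEPT
-A SSH_IN -j RETURN
# Rate-limited logging so a flood cannot fill the log, then drop.
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# --test parses and builds the ruleset without committing it; only if that
# succeeds is the ruleset loaded for real (root required for both).
apply_ruleset() {
    filter_ruleset | iptables-restore --test && filter_ruleset | iptables-restore
}

if [ "${APPLY:-0}" = 1 ]; then apply_ruleset; else filter_ruleset; fi
```

Run it without arguments to print the ruleset, APPLY=1 to load it. Because OUTPUT stays ACCEPT and the RELATED,ESTABLISHED rule sits near the top of INPUT, connections the host initiates keep working while unsolicited packets fall through to LOGDROP; an SSH attempt from outside TRUSTED_NET is the case that exercises the RETURN.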
Make a Linux machine into a router (SNAT and DNAT)
If a machine has two network interfaces it can act as a simple router that gives other machines access to the Internet. How does it work? With the nat table and its POSTROUTING chain we can rewrite the source IP. Source NAT (SNAT) replaces the source address of outgoing packets with the router's own external address; when the replies return, connection tracking knows which inside host sent the original packets and forwards them back to that workstation. MASQUERADE is the SNAT variant for a dynamically assigned external address: it always uses whatever address the outgoing interface currently has.
- On the router machine: set the LAN interface's IP to the address the clients will use as their gateway (192.168.100.253 in the client settings below), then run as root:
# Enable IP forwarding so the kernel routes between its interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# $EXTIF is the interface connected to the Internet;
# 192.168.100.0/24 is the LAN client range
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o $EXTIF -j MASQUERADE
- On the client machine: configure the LAN interface with
NETWORK 192.168.100.0
IP      192.168.100.110
NETMASK 255.255.255.0
GATEWAY 192.168.100.253
and set the DNS servers to the same ones the router uses.
Done. Now the client can surf the Internet.
DNAT lets the router forward a public-facing port to a host inside the LAN, the way a real router's port-forwarding or DMZ option does. It is really simple:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.110:80
This rewrites the destination of every TCP request arriving on eth0 for port 80 to 192.168.100.110, and connection tracking reverses the translation on the replies. Two things to check: eth0 must be the external interface (otherwise LAN requests to the router's own port 80 get redirected too), and if the FORWARD chain's policy is not ACCEPT it needs a rule allowing traffic to 192.168.100.110 port 80, because NAT only rewrites addresses and does not bypass filtering.
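To put the SNAT and DNAT pieces of this section together, here is an added example (not the article's own code) that emits the whole router configuration as one iptables-restore ruleset with a FORWARD chain that defaults to DROP, and includes a check that every DNAT port-forward in the nat table has a matching FORWARD rule, the omission that most often makes a port-forward "not work". Interface names eth0 (external) and eth1 (LAN), the 192.168.100.0/24 range and the web host 192.168.100.110 are taken from the text above; the sysctl.d file name is an assumption.

```shell
#!/bin/sh
# NAT router ruleset. Defaults follow the article's example network and can
# be overridden via environment variables.
EXTIF=${EXTIF:-eth0}
LANIF=${LANIF:-eth1}
LAN_NET=${LAN_NET:-192.168.100.0/24}
WEB_HOST=${WEB_HOST:-192.168.100.110}

router_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: rewrite the destination of port-80 traffic arriving on the external
# interface only, so LAN clients can still reach the router itself on port 80.
-A PREROUTING -i ${EXTIF} -p tcp --dport 80 -j DNAT --to-destination ${WEB_HOST}:80
# SNAT for a dynamic external address: MASQUERADE uses the interface's address.
-A POSTROUTING -s ${LAN_NET} -o ${EXTIF} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# NAT only rewrites addresses; with a DROP policy the FORWARD chain must still
# allow the traffic. Routing happens between PREROUTING and FORWARD, so FORWARD
# already sees the rewritten destination ${WEB_HOST}.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${LANIF} -o ${EXTIF} -s ${LAN_NET} -j ACCEPT
-A FORWARD -i ${EXTIF} -o ${LANIF} -d ${WEB_HOST} -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Print every PREROUTING DNAT rule whose host:port has no FORWARD ACCEPT rule
# with the same -d host and --dport port (a DNAT without a port is matched by
# a FORWARD rule with the host and no --dport). Empty output means all good.
unforwarded_dnats() {
    awk '
        /^-A PREROUTING/ && /-j DNAT/ {
            for (i = 1; i <= NF; i++) if ($i == "--to-destination") {
                split($(i+1), hp, ":"); dnat[hp[1] " " hp[2]] = $0
            }
        }
        /^-A FORWARD/ && /-j ACCEPT/ {
            h = ""; p = ""
            for (i = 1; i <= NF; i++) { if ($i == "-d") h = $(i+1); if ($i == "--dport") p = $(i+1) }
            if (h != "") fwd[h " " p] = 1
        }
        END { for (k in dnat) if (!(k in fwd)) print dnat[k] }
    '
}

# Same effect as echo 1 > /proc/sys/net/ipv4/ip_forward, plus persistence
# across reboots (file name under /etc/sysctl.d is an assumption).
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-router.conf
}

if [ "${APPLY:-0}" = 1 ]; then
    enable_forwarding
    router_ruleset | iptables-restore
else
    router_ruleset
    missing=$(router_ruleset | unforwarded_dnats)
    if [ -z "$missing" ]; then
        echo "check: every DNAT has a matching FORWARD rule"
    else
        printf 'check: no FORWARD rule for:\n%s\n' "$missing"
    fi
fi
```

Without APPLY=1 the script only prints the ruleset and the result of the consistency check, which is also a convenient way to review a change before loading it. Delete the FORWARD rule for the web host and rerun to see the check flag the orphaned DNAT.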