Linux iptables
Within the broad topic of networking, iptables is a widely used and very versatile command-line firewall on Linux. nftables is its designated successor, and on current distributions the iptables command is often a compatibility front end over nftables (iptables-nft), but the iptables syntax is still what most documentation, scripts and tooling use. It filters packets according to the rules you define; a rule can accept, reject or drop a connection, forward it, or (in the nat table) rewrite its addresses.
Iptables glossary
- TARGET: the action iptables applies when a packet matches a rule, for example ACCEPT, DROP, REJECT, or a jump into another chain.
- CHAIN: an ordered list of rules. The built-in chains are INPUT (packets addressed to this host), OUTPUT (packets generated by this host), FORWARD (packets routed through this host), PREROUTING (right after arrival, before the routing decision) and POSTROUTING (right before the packet leaves). Rules are checked top to bottom and the first match decides; a packet that matches no rule gets the chain's default policy.
- TABLE: a group of chains serving one purpose. The available tables are filter (the default, used to accept or refuse packets), nat (rewrite addresses and ports), raw (mark packets so they skip connection tracking), mangle (alter packet headers such as TTL or marks) and security (mandatory-access-control marks, e.g. SELinux). Each table contains only the chains that make sense for its purpose, so filtering rules go in filter and routing-related rewrites in nat.
The following table shows which built-in chains each table contains[1]:
Table | Chains
---|---
filter | INPUT, OUTPUT, FORWARD
nat | PREROUTING, OUTPUT, POSTROUTING
raw | PREROUTING, OUTPUT
mangle | PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
security | INPUT, OUTPUT, FORWARD
Types of policies
Iptables permissive and restrictive policies
A permissive policy accepts all incoming connections except those you specifically drop or reject: every connection is allowed unless a rule refuses it. It is easy to operate, but every service you forget about is exposed.
A restrictive policy refuses all connections except those you specifically accept: every connection is refused unless a rule allows it. This is the default-deny posture a firewall should normally have; the price is that you must list every service you intend to expose, and you must include SSH from your own management network in that list or you lock yourself out.
Policy | Description | Notes |
---|---|---|
ACCEPT | allows the connection | |
REJECT | refuses the connection and tells the sender | by default the kernel answers with an ICMP port-unreachable (--reject-with icmp-port-unreachable); with --reject-with tcp-reset a TCP SYN is answered with RST/ACK, which is indistinguishable from a closed port with no service behind it. REJECT is an extension target: it can be used in rules but not as a chain policy. |
DROP | refuses the connection silently | nothing is sent back. A TCP client keeps retransmitting its SYN until it times out, and a port scanner reports the port as filtered rather than closed; a UDP client also sees a timeout, whereas a genuinely unused UDP port would answer with ICMP port-unreachable. DROP gives an attacker less information and slows scans down; REJECT is friendlier to legitimate clients on internal networks. |
#When you start with iptables, first decide the default policy of each built-in chain of the filter table.
#The policy applies only to packets that match no rule, and only ACCEPT or DROP are valid here
#(REJECT is an extension target and is refused by -P).
sudo iptables -P INPUT <ACCEPT/DROP>
sudo iptables -P OUTPUT <ACCEPT/DROP>
sudo iptables -P FORWARD <ACCEPT/DROP>
#Applying a permissive policy example
# Set policies: accept everything in and out, never forward (this host is not a router)
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD DROP
# Reject SSH from every address in the range 192.168.1.100 to 192.168.1.110 (inclusive)
sudo iptables -A INPUT -p tcp --dport 22 -m iprange --src-range 192.168.1.100-192.168.1.110 -j REJECT
# Drop SSH from every other source as well. -A appends after the rule above, so hosts in the
# range still get a REJECT and everyone else a silent DROP. Run this from the console, not over
# SSH: there is no rule accepting established connections, so it cuts off your own session too.
sudo iptables -A INPUT -p tcp --destination-port 22 -j DROP
Save and restore iptables
Iptables rules live only in the running kernel: they are lost at reboot unless you save them and restore them at boot.
# Save the running ruleset. The redirect must run as root as well, hence sh -c (or a pipe into sudo tee).
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
# At boot, the iptables-persistent package (netfilter-persistent service on Debian/Ubuntu) restores
# /etc/iptables/rules.v4 (and rules.v6) automatically; RHEL-style systems use the iptables-services
# package and /etc/sysconfig/iptables instead. Without either, restore by hand after a reboot:
sudo sh -c 'iptables-restore < /etc/iptables/rules.v4'
# iptables-restore replaces each table in one transaction, so it is also the safe way to apply
# a complete ruleset at once instead of issuing -P and -A one command at a time.
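The restrictive policy described under Types of policies and the save/restore step above fit naturally into one script. The following is an added example, not code from the original page: it generates a default-deny filter table in iptables-save format, sanity-checks the text, loads it atomically with iptables-restore and then persists it. The management range 192.168.1.100-192.168.1.110, the rules path /etc/iptables/rules.v4 (the file iptables-persistent reads on Debian/Ubuntu) and the function names are assumptions made for the example.

```bash
# Added example: restrictive host firewall, applied atomically and persisted.
# Assumed values (constructed for this example): SSH is allowed only from the
# management range below, and rules are persisted to the iptables-persistent path.
MGMT_RANGE="${MGMT_RANGE:-192.168.1.100-192.168.1.110}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# Emit the filter table. Rules are evaluated top to bottom and the first match wins,
# so loopback and already-established traffic are accepted before anything else and
# the catch-all REJECT comes last. The DROP policy is only reached by packets that
# match no rule at all.
restrictive_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m iprange --src-range $MGMT_RANGE -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Sanity checks on the generated text before touching the kernel:
#  - the table ends with COMMIT (iptables-restore applies nothing otherwise),
#  - the catch-all REJECT is the last INPUT rule, so it cannot shadow an allow rule,
#  - the SSH allow rule still carries the management range.
check_ruleset() {
    rules="$(restrictive_ruleset)"
    printf '%s\n' "$rules" | tail -n 1 | grep -qx 'COMMIT' || return 1
    printf '%s\n' "$rules" | grep -e '^-A INPUT' | tail -n 1 | grep -q -e '-j REJECT' || return 1
    printf '%s\n' "$rules" | grep -e '^-A INPUT .*--dport 22' | grep -q -e "--src-range $MGMT_RANGE" || return 1
    return 0
}

# Number of INPUT rules in the ruleset, for comparison with iptables -S INPUT after loading.
input_rule_count() {
    restrictive_ruleset | grep -c -e '^-A INPUT'
}

# Load the whole table in one transaction: there is no window in which the policy is
# already DROP but the allow rules are not yet in place. Then persist it. Needs root.
apply_ruleset() {
    check_ruleset || { echo "ruleset failed sanity check, not applying" >&2; return 1; }
    restrictive_ruleset | iptables-restore --test || return 1   # parse only, commit nothing
    restrictive_ruleset | iptables-restore || return 1
    mkdir -p "$(dirname "$RULES_FILE")"
    iptables-save > "$RULES_FILE"
}

# Usage:  sh firewall.sh print        (show the ruleset)
#         sudo sh firewall.sh apply   (load it and persist it)
case "${1:-}" in
    print) restrictive_ruleset ;;
    apply) apply_ruleset ;;
esac
```

Because the SSH rule is limited to the management range, run the apply step from a host inside that range (or from the console). To allow another service, add one more -A INPUT line above the final REJECT and run the script again; iptables-restore replaces the table, so there is nothing to flush first.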
SNAT and Masquerade using iptables
SNAT means source NAT. It is what an IP router does when a single WAN interface is shared by many devices on LAN or Wi-Fi interfaces: the source address of every packet leaving the private LAN is rewritten to the router's public address, and connection tracking maps the replies back to the right internal host.
#SNAT for LAN - WAN IP routing (all of these go in the nat table's POSTROUTING chain; -o is the outgoing interface)
# For a PPPoE/ADSL link on ppp0 whose public IP changes: MASQUERADE looks up the interface address per packet
sudo iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# For a static public IP on eth0: SNAT with a fixed address avoids that lookup
sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to <public IP>
# For a DHCP-assigned public IP on eth0
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Add -s <LAN subnet> to these rules so that only traffic from your own LAN is translated
# Check nat status
sudo iptables -t nat -L    # ports shown by service name
sudo iptables -t nat -nL   # numeric addresses and ports, no DNS lookups
# Forwarding between LAN and WAN is off by default; enable it (persist it in /etc/sysctl.d to survive reboots)
sudo sysctl -w net.ipv4.ip_forward=1
# NAT alone lets nothing through: the FORWARD chain (policy DROP in the example above) still has to accept the traffic
DNAT using iptables
DNAT means destination NAT. It rewrites the destination address (and optionally the port) of incoming packets, which is how a router or simple firewall between WAN and LAN forwards a public port to an internal server; given a range of destinations it also provides crude round-robin load balancing.
#DNAT is done in the nat table's PREROUTING chain, before the routing decision, for example
sudo iptables -A PREROUTING -t nat -p tcp -d <EXTERNAL IP> --dport 80 -j DNAT --to <PRIVATE IP>:80
#An incoming packet for EXTERNAL IP port 80 is rewritten to PRIVATE IP:80 and then routed there.
#The FORWARD chain must accept it and net.ipv4.ip_forward must be 1; connection tracking un-translates the replies.
#Mail server (well-known port TCP 25) example
sudo iptables -A PREROUTING -t nat -p tcp -d <EXTERNAL IP> --dport 25 -j DNAT --to <PRIVATE IP>:25
#DNS server (well-known port UDP 53) example
sudo iptables -A PREROUTING -t nat -p udp -d <EXTERNAL IP> --dport 53 -j DNAT --to <PRIVATE IP>:53
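The SNAT/MASQUERADE and DNAT sections above each show only the nat half of a router. The following is an added example, not code from the original page, that puts both halves together with the FORWARD rules they need, again as an iptables-save style file loaded with iptables-restore. The interfaces (eth0 on the WAN with a dynamic address, eth1 on the LAN), the LAN network 192.168.1.0/24, the internal web server 192.168.1.10, the sysctl.d file name and the function names are all assumptions made for the example.

```bash
# Added example: NAT router ruleset (nat + filter tables) with the FORWARD rules
# that let translated packets through. Values below are constructed for the example.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"

# nat: DNAT public port 80 to the internal web server, MASQUERADE LAN traffic leaving on the WAN.
# filter: default-deny; LAN may open connections to the WAN, the WAN may only reach the
# DNAT target on port 80, everything else gets through only as a reply (ESTABLISHED,RELATED).
# The DNAT rewrite happens in PREROUTING, before routing, so FORWARD already sees -d WEB_SERVER.
router_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Checks worth running before applying:
#  - both tables are committed,
#  - every MASQUERADE/SNAT rule is limited to the LAN source network, so the router never
#    translates packets that arrive on the WAN side with a spoofed private source,
#  - every DNAT destination has a FORWARD rule, otherwise the forwarded port is silently dead.
check_router_ruleset() {
    rules="$(router_ruleset)"
    [ "$(printf '%s\n' "$rules" | grep -c -e '^COMMIT')" -eq 2 ] || return 1
    if printf '%s\n' "$rules" | grep -e 'MASQUERADE' -e '-j SNAT' | grep -v -e " -s $LAN_NET " | grep -q .; then
        return 1
    fi
    for dst in $(printf '%s\n' "$rules" | sed -n 's/.*-j DNAT --to-destination \([0-9.]*\):.*/\1/p'); do
        printf '%s\n' "$rules" | grep -e '^-A FORWARD' | grep -q -e "-d $dst " || return 1
    done
    return 0
}

# Apply: turn on forwarding (kernel default is 0), persist that setting, then load both
# tables in one transaction. Needs root; the sysctl.d file name is an assumed convention.
apply_router_ruleset() {
    check_router_ruleset || { echo "router ruleset failed sanity check" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-router.conf
    router_ruleset | iptables-restore --test || return 1
    router_ruleset | iptables-restore
}

# Usage:  sh router.sh print   /   sudo sh router.sh apply
case "${1:-}" in
    print) router_ruleset ;;
    apply) apply_router_ruleset ;;
esac
```

The two FORWARD accept rules are the part most often forgotten: a DNAT rule on its own produces a port that is translated and then dropped, which looks like a firewall problem on the internal server. Keeping the MASQUERADE rule bound to -s and -o also means a packet entering on the WAN with a source inside 192.168.1.0/24 is never NATed back out.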
Flushing or removing Iptables rules
#Remove all rules from every chain of the filter table. -F does not change chain policies: with a DROP
#policy and no rules left you lock yourself out, so set the policies to ACCEPT first if you need access.
sudo iptables -F
# This also removes the filter rules Docker installs (its nat rules need -t nat -F); the Docker daemon
# recreates its rules when it is restarted. User-defined chains are left in place (-X deletes empty ones).
#remove the rules of a specific chain, like INPUT
sudo iptables -F INPUT
#remove all rules from the nat table
sudo iptables -t nat -F
#Remove a specific rule, either by repeating its exact specification as given to -A or by its position
#(see sudo iptables -L INPUT --line-numbers)
sudo iptables -D INPUT <rule-spec as given to -A>
sudo iptables -D INPUT <rule number>
Command line options and meaning
Option | Description | Short for | Example |
---|---|---|---|
-L [chain] | List the rules of a chain (all chains if omitted); add -n for numeric addresses and ports, -v for counters and interfaces, --line-numbers for rule positions | List | |
-P <chain> <target> | Set the default policy of a built-in chain (ACCEPT or DROP) | Policy | sudo iptables -P INPUT DROP; sudo iptables -P OUTPUT ACCEPT; sudo iptables -P FORWARD DROP |
-A <chain> <rule> | Append a rule at the end of a chain, so it is evaluated after all existing rules | Append | sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT (accept incoming packets that belong to, or are related to, connections this host started); sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT |
-j <target> | Jump: the action taken when the rule matches (ACCEPT, DROP, REJECT, or a user-defined chain) | Jump | |
-D <chain> <rule or number> | Delete a rule, by exact specification or by position | Delete | |
-i <interface> | Match packets arriving on this interface (INPUT, FORWARD, PREROUTING only) | Input interface | |
-o <interface> | Match packets leaving through this interface (OUTPUT, FORWARD, POSTROUTING only) | Output interface | |
Possible states Iptables can check with -m conntrack
conntrack state | Description |
---|---|
NEW | the packet starts a connection that conntrack has not seen before (a TCP SYN, or the first UDP or ICMP packet of a flow) |
ESTABLISHED | the packet belongs to a connection that has already carried traffic in both directions |
RELATED | the packet starts a new connection that is associated with an existing one, e.g. an FTP data connection or an ICMP error referring to an existing flow |
INVALID | the packet cannot be associated with any known connection or is malformed (e.g. a TCP segment outside the tracked window); such packets are normally dropped early, before any ACCEPT rule |