
Oct 24

Linux iptables fundamentals

This article describes the fundamentals of Linux iptables, which are useful for the RedHat exams as well as for daily sysadmin tasks. Let's go through a brief overview of Linux iptables.

Summary of Linux iptables

* Iptables ships with most Linux distributions, such as RHEL and CentOS.

* Iptables is the front-end tool that talks to the kernel and decides which packets to filter. Simply put, it decides the fate of the packets that come to, or pass through, the Linux server.

* There are 3 tables.

Filter – Packet filtering
NAT – Network Address Translation
Mangle – TCP header modification

* iptables contains chains (a chain is a group of rules). There are 5 predefined chains.

INPUT – The packet is going to be delivered locally. This has nothing to do with processes having an open socket; local delivery is controlled by the “local-delivery” routing table.

OUTPUT – Packets sent from the machine itself pass through this chain.

FORWARD – All packets that have been routed and were not for local delivery traverse this chain (from one NIC to another NIC within the same server).

PREROUTING – Packets enter this chain before a routing decision is made.

POSTROUTING – The routing decision has been made. Packets enter this chain just before they are handed off to the hardware.

Tables, their function, and the chains each table contains:

Filter – Packet filtering
INPUT – Incoming to the firewall (packets coming to the local server).
OUTPUT – Filters packets originating from the firewall (local server).
FORWARD – Packets for another NIC on the local server, i.e. packets routed through the local server.

Nat – Network Address Translation
PREROUTING – Packets enter this chain before a routing decision is made.
POSTROUTING – The routing decision has been made. Packets enter this chain just before they are handed off to the hardware.
OUTPUT – NAT for locally generated packets on the firewall.

Mangle – TCP header modification
PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD – Modification of the TCP packet quality-of-service bits before routing occurs.


Linux iptables rules processing flow

* Rules are processed from top to bottom.
* Once a rule is matched, no further processing is done: the packet goes to the rules specified in the target, or the special value
named in the target is executed.
* If the criteria are not matched, processing moves on to the next rule. Remember that the default iptables ruleset drops any packets other than SSH traffic.

Target Values

ACCEPT – The firewall will accept the packet. Default value.
DROP – The firewall will drop the packet. No message is sent back to the packet sender.
REJECT – The firewall will reject the packet. A courtesy message is sent back to the packet sender.

Basics of iptables

* Install iptables

yum install iptables

You can find how to install iptables on CentOS 7 here.

* How to start, stop and restart iptables

[root@apacheserver ~]# service iptables start
[root@apacheserver ~]# service iptables stop
[root@apacheserver ~]# service iptables restart

* To start Linux iptables at system boot, use the following command

[root@apacheserver ~]# chkconfig --level 345 iptables on

* To save the iptables ruleset, use the command below. If you don't save, the current rules will be reset when the system reboots or the iptables service restarts, so don't forget to save after you modify the rules.

[root@apacheserver ~]# service iptables save

* Take a backup of iptables

[root@apacheserver ~]# iptables-save > /opt/iptables.backup

* Restore iptables

[root@apacheserver ~]# iptables-restore < /opt/iptables.backup

Useful Linux iptables rules

The following is the most common Linux iptables command structure.
iptables [-t <table-name>] <command> <chain-name> <parameter-1> <option-1> <parameter-n> <option-n>

1) Checking the status of iptables

Options: “-L” (list the ruleset), “-v” (verbose) and “-n” (display addresses and ports in numeric format).

[root@apacheserver ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 330 packets, 71670 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128
0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3129

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 339 packets, 72242 bytes)
pkts bytes target     prot opt in     out     source               destination
[root@apacheserver ~]#

2) Checking a specific chain

Listing only the INPUT chain, with “--line-numbers” (display the sequence number of each rule):

[root@apacheserver ~]# iptables -L INPUT -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3128
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3129
[root@apacheserver ~]#
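Reviewing these listings by eye does not scale once a host has dozens of rules. The following is an added example, not code from the original article: a small Python parser for the `iptables -L -n` listing formats shown above (with or without `-v` and `--line-numbers`), plus two audit helpers. The sample listings embedded in it are constructed to mirror the article's output, not captured from a real server.

```python
import re
# Constructed samples (not captured from any server) shaped like the output of
# `iptables -L -n -v` and `iptables -L INPUT -n --line-numbers`.
SAMPLE_VERBOSE = """\
Chain INPUT (policy ACCEPT 330 packets, 71670 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
"""
SAMPLE_NUMBERED = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3128
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)")

def parse_listing(text):
    """Map chain name -> {"policy", "rules"}; the header row fixes the column count."""
    chains, current, columns = {}, None, []
    for line in text.splitlines():
        fields = line.split()
        m = CHAIN_RE.match(line)
        if m:  # built-in chains carry a policy; user chains show "(N references)"
            inner = m.group(2).split()
            policy = inner[1] if inner[:1] == ["policy"] else None
            current = chains[m.group(1)] = {"policy": policy, "rules": []}
            columns = []
        elif fields and fields[0] in ("num", "pkts", "target"):  # column header
            columns = fields
        elif fields and current is not None and columns:  # a rule line
            rule = dict(zip(columns, fields))  # fixed columns by name
            rule["match"] = " ".join(fields[len(columns):])  # e.g. "tcp dpt:80"
            current["rules"].append(rule)
    return chains

def accepted_tcp_ports(chains, chain="INPUT"):
    """Destination ports that a chain's ACCEPT rules open for TCP."""
    ports = set()
    for rule in chains.get(chain, {"rules": []})["rules"]:
        if rule["target"] == "ACCEPT" and rule["prot"] == "tcp":
            ports.update(int(p) for p in re.findall(r"dpt:(\d+)", rule["match"]))
    return sorted(ports)

def open_policy_chains(chains):
    """Built-in chains whose policy is ACCEPT: packets matching no rule pass."""
    return sorted(n for n, c in chains.items() if c["policy"] == "ACCEPT")
```

Feed it output produced with `-n`: without that flag iptables resolves ports to service names (e.g. `dpt:http`), and the `dpt:` port regex will not match.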

3) Append rules to iptables

[root@apacheserver ~]# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

4) Insert an iptables rule on a specific line number

[root@apacheserver ~]# iptables -I INPUT 5 -p tcp -m tcp --dport 80 -j ACCEPT

5) Delete specific rule

Deleting rule number 5 of the INPUT chain.

[root@apacheserver ~]# iptables -D INPUT 5

6) To clear all currently configured rules

Execute the flush command

[root@apacheserver ~]# iptables -F
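The rules-processing flow described earlier (top to bottom, first match is final, otherwise the chain policy applies) is what makes the append (-A), insert (-I) and delete (-D) commands in items 3 to 5 order-sensitive. The following is an added example, not code from the original article: a simplified Python model of a chain that reproduces that first-match semantics and the 1-based line numbering of -I and -D. It assumes rules match only on protocol, destination port and source address (no -m state or interface matches); those names and the sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    target: str                   # ACCEPT, DROP or REJECT
    proto: str = "all"            # -p: tcp, udp, icmp or all
    dport: Optional[int] = None   # --dport; None matches any port
    src: str = "0.0.0.0/0"        # -s: source address or CIDR

    def matches(self, proto, dport, src):
        return (self.proto in ("all", proto) and self.dport in (None, dport)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src))

@dataclass
class Chain:
    policy: str = "ACCEPT"        # fate of a packet that matches no rule
    rules: list = field(default_factory=list)

    def append(self, rule):       # iptables -A CHAIN ...
        self.rules.append(rule)
    def insert(self, num, rule):  # iptables -I CHAIN num ... (1-based line number)
        if not 1 <= num <= len(self.rules) + 1:
            raise IndexError("insert position out of range")
        self.rules.insert(num - 1, rule)
    def delete(self, num):        # iptables -D CHAIN num (1-based line number)
        if not 1 <= num <= len(self.rules):
            raise IndexError("delete position out of range")
        del self.rules[num - 1]

    def verdict(self, proto, dport, src):
        """Top to bottom: the first matching rule's target is final and later
        rules are never consulted; no match falls through to the chain policy."""
        for rule in self.rules:
            if rule.matches(proto, dport, src):
                return rule.target
        return self.policy

def order_demo():
    """The same DROP rule appended (-A) vs. inserted at line 1 (-I INPUT 1):
    only the second ordering actually blocks 10.0.0.0/8 on port 80."""
    drop_10 = Rule("DROP", "tcp", 80, "10.0.0.0/8")
    a = Chain(policy="ACCEPT")
    a.append(Rule("ACCEPT", "tcp", 80))  # -A INPUT -p tcp --dport 80 -j ACCEPT
    a.append(drop_10)                    # -A ... -s 10.0.0.0/8 -j DROP: shadowed, never reached
    b = Chain(policy="ACCEPT")
    b.append(Rule("ACCEPT", "tcp", 80))
    b.insert(1, drop_10)                 # -I INPUT 1 ... -j DROP: now evaluated first
    return a.verdict("tcp", 80, "10.1.2.3"), b.verdict("tcp", 80, "10.1.2.3")
```

Running `iptables -L INPUT -n --line-numbers` after each change is the real-world counterpart of `order_demo`: the line numbers tell you whether a new rule landed above or below the rule that would otherwise shadow it.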
