This article describes the fundamentals of Linux iptables, which are useful both for the Red Hat exams and for daily sysadmin tasks. Let's go through a brief overview of Linux iptables.
Summary of Linux iptables
* iptables ships with most Linux distributions, such as RHEL and CentOS.
* iptables is a front-end tool that talks to the kernel and decides which packets to filter. Simply put, it decides the fate of every packet that arrives at, or passes through, the Linux server.
* There are 3 tables:
Filter – Packet filtering
NAT – Network Address Translation
Mangle – TCP header modification
* iptables organises rules into chains (a chain is an ordered group of rules). There are 5 predefined chains:
INPUT – Packets that are going to be delivered locally. This has nothing to do with processes having an open socket; local delivery is controlled by the “local-delivery” routing table.
OUTPUT – Packets sent from the machine itself visit this chain.
FORWARD – All packets that have been routed and are not for local delivery traverse this chain (from one NIC to another NIC within the same server).
PREROUTING – Packets enter this chain before a routing decision is made.
POSTROUTING – The routing decision has been made. Packets enter this chain just before being handed off to the hardware.
Table  | Table function              | Chain       | Chain function
Filter | Packet filtering            | INPUT       | Incoming to the firewall (packets destined for the local server).
       |                             | OUTPUT      | Filters packets originating from the firewall (local server).
       |                             | FORWARD     | Packets routed through the local server, from one NIC to another.
Nat    | Network Address Translation | PREROUTING  | Packets enter this chain before a routing decision is made.
       |                             | POSTROUTING | The routing decision has been made; packets enter this chain just before being handed off to the hardware.
       |                             | OUTPUT      | NAT for locally generated packets on the firewall.
Mangle | TCP header modification     | PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD | Modification of the TCP packet quality-of-service bits before routing occurs.
Linux iptables rules processing flow
* Rules are processed from top to bottom.
* Once a rule matches, no further rules in the chain are evaluated: the packet is handed to the chain named in the target, or the special target value (ACCEPT, DROP, REJECT) is executed.
* If the criteria do not match, processing moves on to the next rule. Remember that the default iptables ruleset drops any packets other than SSH traffic.
Target Values
ACCEPT – The firewall accepts the packet. This is the default value.
DROP – The firewall drops the packet. No message is sent back to the sender.
REJECT – The firewall rejects the packet. A courtesy error message is sent back to the sender.
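To make the top-to-bottom, first-match processing order and the three target values concrete, here is a small first-match evaluator written as an added example (it is not code from the original article). It reads rules in the shape `iptables -S INPUT` prints and returns the verdict the INPUT chain would give a packet. Assumptions: only `-P`, `-A`, `-i`, `-p`, `--dport` and `-j` are understood (other matches are ignored), and the sample ruleset is constructed, not captured from a real host. Nothing here touches the live firewall.

```shell
#!/bin/sh
# Added example: toy first-match evaluator for the INPUT chain.
# Rules are read from stdin in `iptables -S INPUT` format (assumption: only
# -P, -A, -i, -p, --dport and -j are parsed; anything else is ignored).

# Constructed sample ruleset. Rule 4 is shadowed: the REJECT for port 80
# sits above the ACCEPT for port 80, so the ACCEPT can never fire.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j REJECT
-A INPUT -p tcp --dport 80 -j ACCEPT'

# evaluate_chain PROTO DPORT IN_IFACE   (rules on stdin)
# Prints the target of the FIRST matching rule, else the chain policy.
evaluate_chain() {
  pkt_proto=$1; pkt_dport=$2; pkt_iface=$3
  policy=ACCEPT                      # built-in default when no -P line is seen
  while read -r line; do
    # shellcheck disable=SC2086  (word splitting of the rule line is intended)
    set -- $line
    [ "${1:-}" = "-P" ] && { policy=$3; continue; }
    [ "${1:-}" = "-A" ] || continue
    shift 2                          # drop "-A INPUT"
    r_proto=any; r_dport=any; r_iface=any; target=
    while [ $# -gt 0 ]; do
      case $1 in
        -p)      r_proto=$2; shift 2 ;;
        --dport) r_dport=$2; shift 2 ;;
        -i)      r_iface=$2; shift 2 ;;
        -j)      target=$2;  shift 2 ;;
        *)       shift ;;            # unknown match: ignored in this toy
      esac
    done
    if { [ "$r_proto" = any ] || [ "$r_proto" = "$pkt_proto" ]; } &&
       { [ "$r_dport" = any ] || [ "$r_dport" = "$pkt_dport" ]; } &&
       { [ "$r_iface" = any ] || [ "$r_iface" = "$pkt_iface" ]; }; then
      echo "$target"                 # first match wins: stop evaluating
      return 0
    fi
  done
  echo "$policy"                     # fell off the end of the chain
}

# verdict PROTO DPORT IFACE: evaluate a packet against the sample ruleset
verdict() { printf '%s\n' "$SAMPLE_RULES" | evaluate_chain "$@"; }

verdict tcp 22 eth0    # ACCEPT (rule 2)
verdict tcp 80 eth0    # REJECT (rule 3 shadows rule 4)
verdict tcp 443 eth0   # DROP   (no match, so the chain policy applies)
verdict tcp 443 lo     # ACCEPT (rule 1 matches on the interface first)
```

The shadowed rule is the practical lesson: when `iptables -L INPUT -n -v` shows a zero packet counter on a rule that "should" be firing, look for an earlier rule in the same chain that already matched the traffic.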
Basics of iptables
* Install iptables
yum install iptables
You can find how to install iptables on CentOS 7 from here
* How to start, stop and restart iptables
[root@apacheserver ~]# service iptables start
[root@apacheserver ~]# service iptables stop
[root@apacheserver ~]# service iptables restart
* To start Linux iptables on system boot, use the following command
[root@apacheserver ~]# chkconfig --level 345 iptables on
* To save the iptables ruleset, use the command below. If you don't save, the current rules are reset when the system reboots or the iptables service restarts, so don't forget to save after modifying the rules.
[root@apacheserver ~]# service iptables save
* Take a backup of iptables
[root@apacheserver ~]# iptables-save > /opt/iptables.backup
* Restore iptables
[root@apacheserver ~]# iptables-restore < /opt/iptables.backup
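The file that `iptables-save` writes and `iptables-restore` reads has a simple text format: a `*table` line, `:CHAIN POLICY [0:0]` lines, the `-A` rules in order, and `COMMIT`. The following added example (not code from the original article) generates such a file for a default-deny INPUT chain that keeps SSH open and allows only the TCP ports given as arguments; the loopback and established-connection rules are deliberately placed first because rules are matched top to bottom. Assumptions: the `conntrack` match and the `icmp-host-prohibited` reject type are available, as on RHEL/CentOS. The script only prints text; loading it with `iptables-restore` is left to the administrator.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset for a default-deny INPUT chain.
# Usage: build_ruleset 80 443 > /opt/iptables.new
#        iptables-restore --test < /opt/iptables.new   # syntax-check only
#        iptables-restore < /opt/iptables.new          # apply (root)

# build_ruleset PORT...  -> prints the ruleset; returns 1 on a bad port
build_ruleset() {
  # validate every argument before emitting anything, so a bad port never
  # yields a half-written (and therefore unloadable) ruleset
  for port in "$@"; do
    case $port in
      ''|*[!0-9]*) echo "build_ruleset: invalid port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
      echo "build_ruleset: port out of range '$port'" >&2; return 1
    fi
  done

  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'       # unmatched input is dropped
  printf '%s\n' ':FORWARD DROP [0:0]'     # this host does not route
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  # Order matters: these two must precede any restrictive rule.
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  # SSH is always allowed so that applying the ruleset remotely cannot lock you out.
  printf '%s\n' '-A INPUT -p tcp --dport 22 -j ACCEPT'
  for port in "$@"; do
    printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
  done
  # Everything else is rejected with a courtesy ICMP error (the RHEL default
  # behaviour) rather than silently dropped; the DROP policy is the backstop.
  printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
  printf '%s\n' 'COMMIT'
}

# allow_count RULESET_TEXT -> number of explicit --dport ACCEPT rules
allow_count() { printf '%s\n' "$1" | grep -c -- '--dport'; }

build_ruleset 80 443
```

Because the generated text matches what `iptables-save` emits, the same file can be kept under version control alongside the `/opt/iptables.backup` taken above, and `iptables-restore --test` gives a cheap syntax check before anything is applied.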
Useful Linux iptables rules
The most common iptables command structure is as follows:
iptables [-t <table-name>] <command> <chain-name> <parameter-1> <option-1> <parameter-n> <option-n>
1) Checking the status of iptables
Options: “-L” (list the ruleset), “-v” (verbose) and “-n” (display addresses and ports in numeric format).
[root@apacheserver ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 330 packets, 71670 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3129

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 339 packets, 72242 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@apacheserver ~]#
2) Checking a specific chain
Options: “-L INPUT” (list only the INPUT chain) and “--line-numbers” (display the sequence number of each rule).
[root@apacheserver ~]# iptables -L INPUT -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3128
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3129
[root@apacheserver ~]#
3) Append a rule to the end of a chain
[root@apacheserver ~]# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
4) Insert a rule at a specific line number
[root@apacheserver ~]# iptables -I INPUT 5 -p tcp -m tcp --dport 80 -j ACCEPT
5) Delete a specific rule
Deleting rule number 5 of the INPUT chain.
[root@apacheserver ~]# iptables -D INPUT 5
6) Clear all currently configured rules
To clear all the currently configured rules, execute the flush command.
[root@apacheserver ~]# iptables -F