iptables

The main operation done by a packet filter is "inspecting" all incoming, outgoing and traversing packets, allowing to "pass" the firewall only the packets that match a set of criteria.

The main types of firewall are:

  1. Stateless packet filters: inspection is based on the protocol type, the source and destination addresses and the source and destination ports.

    • If packets don't match the criteria:

      • packet dropped: silently discarded

      • packet rejected: discarded, but with an error message sent back to the source

    • Otherwise, packets will pass the firewall

  2. Stateful packet filters: inspection is based on the same basic operations of a stateless one, but the inspection capability reaches the transport layer.

    It has the ability to:

    • keep track of previously seen packets

    • determine if the current packet is part of an already existing "conversation", is the beginning of a new one, or neither

    • speed up packet processing by allowing the current packet to pass the firewall without further elaboration when it is part of an already existing "conversation"

    "Conversation" state:

    • can be kept not only for packets that use a connection-oriented protocol such as TCP (where the state information comes from the TCP header parameters)

    • in a connectionless protocol such as UDP, the "connection" state is obtained by watching the time between two UDP packets. Two UDP packets are considered part of the same conversation if the second is the reply to the first (source and destination addresses and ports of the second are switched in comparison to those of the first) and the time interval between them is less than some value.

iptables

iptables is a user-space tool that, acting on its kernel-space counterpart (Netfilter), lets us implement a stateful packet filter (with network address and port translation) on Linux machines.

Netfilter is composed of four tables that contain chains (predefined or user-defined):

  • filter

  • nat

  • mangle

  • raw

A firewall of this type splits the network traffic it is part of into three categories:

  • input stream: incoming packets whose "true" final destination is a process local to the firewall itself

    1. a packet enters one of the network interfaces of the firewall

    2. the packet enters the PREROUTING chain of the nat table, typically used for destination network address and port translation (DNAT) operations

    3. the packet is routed; routing happens after DNAT operations take place, so that the packet already contains its "true" destination address

    4. the packet enters the INPUT chain of the filter table. This is where filtering happens

    5. if allowed, the packet reaches its destination (a local process)

  • output stream: all outgoing packets originated by processes local to the firewall itself

    1. a local process generates a packet

    2. the routing process decides which output interface to use

    3. the packet enters the OUTPUT chain of the filter table, where filtering happens

    4. the packet enters the POSTROUTING chain of the nat table, typically used for source network address and port translation (SNAT) operations

    5. the packet exits on one of the network interfaces

  • forward stream: all incoming packets that traverse the firewall itself

    1. the packet enters one of the firewall network interfaces

    2. it enters the PREROUTING chain of the nat table, used for destination network address and port translation (DNAT) operations

    3. the packet is routed. DNAT operations happen before the routing decision and before filtering

    4. the packet enters the FORWARD chain of the filter table, where all filtering happens

    5. if allowed, the packet reaches the POSTROUTING chain of the nat table, typically used for source network address and port translation (SNAT) operations.

[Figure: Linux firewall network streams; packet stream diagram in detail]

Tables

filter

It's used for basic packet filtering operations. The predefined chains are:

  • INPUT

  • OUTPUT

  • FORWARD

Every chain contains a list of rules, each defining a matching criteria and an action (or target). The fate of the packet is decided by the first matching rule. If no rule matches at all, the default policy of the chain is applied.

The most common targets are:

  • ACCEPT to accept the packet

  • DROP to silently discard it

  • REJECT to discard it but with an error message sent back to the packet sender

  • user-defined-chain to jump to a user-defined chain

  • RETURN to return from a user-defined chain to the chain that jumped to it

nat

It's used for network address and port translation operations and contains the following predefined chains:

  • PREROUTING

  • OUTPUT

  • POSTROUTING

Every chain contains a list of rules (a matching criteria and a target), but here the targets are packet manipulation operations (in particular on addresses and ports) rather than decisions on the acceptance of a packet.

The most common targets are:

  • DNAT to change the destination address and port of a packet

  • SNAT to change the source address and port of a packet

  • MASQUERADE to change the source address and port of a packet exactly as SNAT does, but in a scenario where the public IP address of the firewall can change over time

  • REDIRECT to redirect the packet to the firewall itself

mangle

It's used for specific packet alteration (such as the Time to Live or the Type of Service fields) and contains the following predefined chains:

  • PREROUTING

  • INPUT

  • OUTPUT

  • FORWARD

  • POSTROUTING

raw

It's used for setting up exceptions to the "conversation" tracking system and contains the following predefined chains:

  • PREROUTING

  • OUTPUT

Usage

Basic Firewall Rules

# Flush existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Set default policies (INPUT becomes DROP before any allow rule exists,
# so run this script from the console rather than over a remote session)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback (localhost) traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established and related incoming traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH (port 22)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP (port 80) and HTTPS (port 443)
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# (Optional) Allow ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Log packets that reached the end of the chain without matching (rate limited);
# the DROP policy then discards them. Log level 7 = debug.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

Save and Load Rules

  • On Debian/Ubuntu:

    iptables-save > /etc/iptables/rules.v4
  • On RedHat/CentOS (use iptables-services):

    service iptables save
  • To restore:

    iptables-restore < /etc/iptables/rules.v4
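As an added example (not part of the original notes), the forward stream described above written directly in the iptables-save format that iptables-restore reads: DNAT in nat/PREROUTING before routing, stateful filtering in filter/FORWARD, MASQUERADE in nat/POSTROUTING. The interface names eth0 (public) and eth1 (LAN), the LAN 192.168.1.0/24 and the internal web server 192.168.1.10 are assumptions; the two helper functions only inspect the generated text.

```shell
# Added example, not from the original notes. Assumed names: eth0 = public (WAN)
# interface, eth1 = LAN interface, and a constructed web server 192.168.1.10.
WAN=eth0; LAN=eth1; LAN_NET=192.168.1.0/24; WEB=192.168.1.10

# Emit the ruleset in iptables-save format: one *table block per table, a
# ":CHAIN POLICY" line per built-in chain, then the rules, then COMMIT.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# forward stream step 2: DNAT runs before routing, so routing already sees $WEB
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB:80
# forward stream step 5: SNAT after routing; MASQUERADE because the WAN address may change
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
# replies of tracked conversations pass without evaluating the rules below
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# FORWARD sees the post-DNAT destination, so match the internal address
-A FORWARD -i $WAN -o $LAN -d $WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fwd denied: "
COMMIT
EOF
}

# Number of -A rules in table $1 (used to sanity-check the generated text).
table_rules() {
    gen_ruleset | awk -v t="*$1" '
        $0 == t { in_t = 1; next }
        /^\*/   { in_t = 0 }
        in_t && /^-A / { n++ }
        END { print n + 0 }'
}

# Exit 0 only if every *table block is closed by a COMMIT line.
ruleset_ok() {
    gen_ruleset | awk '/^\*/ { if (open) bad = 1; open = 1 }
                       /^COMMIT$/ { open = 0 }
                       END { exit bad + open }'
}
```

Writing the output to /etc/iptables/rules.v4 and loading it with iptables-restore replaces all tables in one atomic step, so there is no window (as in the script above) where the INPUT DROP policy is in force before the conntrack rule exists.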
