All information pulled out from this link for personal notes and study.
How iptables work
The iptables work mainly in Internet layer and Transport layer. However, iptables can also work in Application layer, but it is not intended to do so.
Allows packet processing in specific ways. There are four types of tables:
- The filter table: Default and most popular table. It is used to decide whether a packet should be allowed or denied to reach its destination.
- The mangle table: Allows you to change packet headers.
- The nat table: Allows you to route packets to different hosts on a NAT by changing source and destination address of a packet.
- The raw table: Allows you to work with packets before the kernel starts tracking its state.
- The security table: Used by SELinux to implement SELinux policies.
Each table contains few chains which are attached to them. They allow you to inspect and filter traffic at various points. This is the list of chains iptables use:
- PREROUTING chain: Applies rules for packets that just arrived on the network interface. Supports nat, mangle, and raw tables.
- INPUT chain: Applies rules for packets just before they are given to a local process. Supports mangle and filter tables.
- OUTPUT chain: Applies rules for packets right after they are produced by a process. Supports raw, mangle, nat, and filter tables.
- FORWARD chain: Applies rules for packets that are routed through the current host. Supports mangle and filter tables.
- POSTROUTING chain: Applies rules for packets as they leave the network interface. Supports nat and mangle tables.
They decide whether packet is allowed or rejected. Commonly used terminating targets are:
- ACCEPT: iptables accepts the packet
- DROP: iptables drops the packet. For client, he cannot tell if this host exists.
- REJECT: iptables rejects the packet. For TCP, it sends “connection reset” packet, and for UDP or ICMP, it sends “destination host unreachable”
Setting default policies
Default policy governs how iptables handles packets that pass all rules. Imagine a system is candy factory and all bad candies are on a production line. If set to DROP, workers will pick up only good candies, and bad ones are going to a trash bin. Similarly, with policy set to DROP, a packet comes to a system and is waiting for firewall rules. Packet that matches a rule gets picked up from production line and the rest of them are dropped. Here is how to set this:
# iptables --policy INPUT DROP # iptables --policy OUTPUT DROP # iptables --policy FORWARD DROP
Or, we can set iptables to ACCEPT all packets that passed rules. For example, ACCEPT all packets except those with specified IP address. If one is found, rule will pick it up and it won’t find its way to the last rule, which ACCEPTs them. Lets use our candy factory analogy again. This time, all candies on production line are good. However, if bad candy is passing by, a worker will pick it up and throw out of the production. Good candies will make to the packaging and will be distributed. Here is how to set ACCEPT default policy:
# iptables --policy INPUT ACCEPT # iptables --policy OUTPUT ACCEPT # iptables --policy FORWARD ACCEPT
If set to REJECT, packets that find their way to the end of a list will be rejected. However, this rule sends back error message to a client. In this way, client will know firewall blocked his packet. In contrary, when set to DROP, firewall does not send any feedback to the client. It simply drops the packet and moves on.
Allowing or blocking connections
|-t||Specify the table where rule will apply to|
|-A||Apped this rule (INPUT) to the list of existing rules in INPUT chain|
|-s||Set source IP that you want to block|
|-j||iptables will reject traffic with REJECT target (sends packet back to the client)|
If you want iptables to not respond, use DROP target.
|-d||Block output traffic to this IP address|
|-L||List all rules within the chain|
|-n||Don’t resolve names|
|-F||Flush all rules within the chain|
|-R||Replace single rule (modify it)|
Blocking IP address
If you want to block an incoming IP address, you would block all incoming packets coming from that IP address. To add this rule to the INPUT chain of the filter table, use this:
# iptables -t filter -A INPUT -s 188.8.131.52 -j REJECT
Block range of IP addresses with CIDR notation, for example:
# iptables -t filter -A INPUT -s 184.108.40.206/24 -j REJECT
Or, if you want to block output traffic to that IP address, use OUTPUT chain, and –d to specify destination:
# iptables -t filter -A OUTPUT -d 220.127.116.11/24 -j DROP
If you want to see all rules (-L), from filter table (-t filter), and numbered (–line-number), and disable DNS lookup (-n) use the following command:
# iptables -L -n -t filter
To remove a rule, replace -A with -D:
# iptables -t filter -D INPUT -s 18.104.22.168 -j REJECT
or delete rule by its rule number:
# iptables -t filter -D INPUT 3
When you remove a rule from a chain, in this case INPUT chain, first delete ones with highest numbers (those at the end of list). For example:
# iptables -t filter -D INPUT 20 # iptables -t filter -D INPUT 9 # iptables -t filter -D INPUT 6
To remove all rules from a particular chain, use this:
# iptables -t filter -F INPUT
Inserting and replacing rules
Since the chain apply rules one by one (from first rule to the last), we must make sure they are properly positioned. So,the rule that is blocking all traffic from /24 subnet, cannot be before rule that whitelists single IP from that subnet. It must be the other way around. First, you whitelist an IP address, and then block the entire subnet:
Protocols and modules
To block all incoming TCP traffic you would use -p tcp flag, like so:
# iptables -t filter -A INPUT -p tcp -j DROP
To block all incoming traffic to port 22 (SSH) from IP range 22.214.171.124/24, you would type this:
# iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -s 126.96.36.199/24 -j DROP
Let’s digest this formula from above:
|-t filter||Apply the following for filter table|
|-A INPUT||Now, append this rule to INPUT chain|
|-p tcp||Specify port type (TCP in this case)|
|-m tcp||Load TCP module (multiport for multiple ports)|
|–dport||And all incoming packets going to port 22 (–dports for multiple ports)|
|-s 188.8.131.52/24||And source IP / range 184.108.40.206/24|
|-j DROP||DROP them|
TCP Connection Tracking Module
iptables have a module that can control packet behavior from the state of a connection. Here are the states:
|NEW||This state represents first packet of a connection (HTTP request for example)|
|ESTABLISHED||This state is used for packets that are part of an existing connection. For a connections to be in this state,|
it must receive a reply from the other host
|RELATED||This state is used for packets that are related to another ESTABLISHED connection. For a packet that is part of an existing connection, but it requests new connection.|
|INVALID||This state means the packet doesn’t have proper state.|
|DNAT||This state is used to show packets whose destination address was changed by rules in nat table|
|SNAT||This state is used to show packets whose source address was changed by rules in nat table.|
# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
If we set a INPUT chain policy to accept, like this (which is default rule):
[root@arch ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
Then, all traffic that comes to our system will be accepted. However, we can also use DROP to ban all incoming connections to our system, like so:
# iptables -P INPUT DROP
If doing this, we should ban all incoming traffic, from any IP, from any port. However, this will also restrict us to use all services, and also to use Internet.
Changes we make to iptables rules will be removed next time iptables service gets restarted. To save changes, run /sbin/iptables-save command
To remove all configured rules, and go back to default ones, use -F (flush):
# iptables -F