What Is iptables?
Originally, the most popular firewall/NAT package running on Linux was ipchains, but it had a number of shortcomings. To rectify this, the Netfilter organization decided to create a new product called iptables, giving it such improvements as:
-
Better integration with the Linux kernel with the capability of loading iptables-specific kernel modules designed for improved speed and reliability.
-
Stateful packet inspection. This means that the firewall keeps track of each connection passing through it and in certain cases will view the contents of data flows in an attempt to anticipate the next action of certain protocols. This is an important feature in the support of active FTP and DNS, as well as many other network services.
-
Filtering packets based on a MAC address and the values of the flags in the TCP header. This is helpful in preventing attacks using malformed packets and in restricting access from locally attached servers to other networks in spite of their IP addresses.
-
System logging that provides the option of adjusting the level of detail of the reporting.
-
Better network address translation.
-
Support for transparent integration with such Web proxy programs as Squid.
-
A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks.
Considered a faster and more secure alternative to ipchains, iptables has become the default firewall package installed under Red Hat and Fedora Linux.
How to Start iptables
You can start, stop, and restart iptables after booting by using the commands:
[root@bigboy tmp]# service iptables start
[root@bigboy tmp]# service iptables stop
[root@bigboy tmp]# service iptables restart
To get iptables configured to start at boot, use the chkconfig command:
[root@bigboy tmp]# chkconfig iptables on
Determining the Status of iptables
You can determine whether iptables is running or not via the service iptables status command. Fedora Core will give a simple status message. For example:
[root@bigboy tmp]# service iptables status
Firewall is stopped.
[root@bigboy tmp]#
Packet Processing in iptables
All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/ filtering chain.
There are three tables in total. The first is the mangle table, which is responsible for the alteration of quality of service bits in the TCP header. This is hardly used in a home or SOHO environment.
The second table is the filter queue, which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules:
-
FORWARD chain: Filters packets to servers protected by the firewall.
-
INPUT chain: Filters packets destined for the firewall.
-
OUTPUT chain: Filters packets originating from the firewall.
The third table is the nat queue, which is responsible for network address translation. It has two built-in chains:
-
PREROUTING chain: NATs packets when the destination address of the packet needs to be changed.
-
POSTROUTING chain: NATs packets when the source address of the packet needs to be changed.
provides more details on each queue.
|
Queue Type |
Queue Function |
Packet Transformation Chain in Queue |
Chain Function |
filter |
Packet filtering |
FORWARD |
Filters packets to servers accessible by another NIC on the firewall. |
INPUT |
Filters packets destined to the firewall. |
|---|---|---|---|
|
OUTPUT |
Filters packets originating from the firewall. |
||
|
NAT |
Network Address Translation |
PREROUTING |
Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall’s routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT. |
|
POSTROUTING |
Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in prerouting. Used with NAT of the source IP address using either one to one or many to one NAT. This is known as source NAT or SNAT. |
||
|
OUTPUT |
Network address translation for packets generated by the firewall. (Rarely used in SOHO environments.) |
||
|
mangle |
TCP header modification |
PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD |
Modification of the TCP packet quality of service bits before routing occurs. (Rarely used in SOHO environments.) |
You need to specify the table and the chain for each firewall rule you create. There is an exception: Most rules are related to filtering, so iptables assumes that any chain that’s defined without an associated table will be a part of the filter table. The filter table is therefore the default.
To help make this clearer, take a look at the way packets are handled by iptables. In TCP packet from the Internet arrives at the firewall’s interface on Network A to create a data connection.
The packet is first examined by your rules in the mangle table’s PREROUTING chain, if any. It is then inspected by the rules in the nat table’s PREROUTING chain to see whether the packet requires DNAT. It is then routed.
If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT before arriving at Network B. When the destination server decides to reply, the packet undergoes the same sequence of steps.
If the packet is destined for the firewall itself, then it is filtered by the rules in the INPUT chain of the filter table before being processed by the intended application on the firewall. At some point, the firewall needs to reply. This reply is inspected by your rules in the OUTPUT chain of the mangle table, if any. The rules in the OUTPUT chain of the nat table determine whether address translation is required and the rules in the OUTPUT chain of the filter table are then inspected before the packet is routed back to the Internet.
It is now time to discuss the ways in which you add rules to these chains.
Targets and Jumps
Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet needs to jump over to it for further processing. Table 14.2 lists the built-in targets that iptables uses.
|
Target |
Description |
Most Common Options |
iptables stops further processing. The packet is handed over to the end application or the operating system for processing. |
N/A |
iptables stops further processing. The packet is blocked. |
N/A |
|---|---|---|
|
The packet information is sent to the syslog daemon for logging. iptables continues processing with the next rule in the table. As you can’t log and drop at the same time, it is common to have two similar rules in sequence. The first logs the packet, the second drops it. |
--log-prefix "string" Tells iptables to prefix all log messages with a user defined string. Frequently used to tell why the logged packet was dropped. |
|
|
Works like the DROP target, but also returns an error message to the host sending the packet that the packet was blocked. |
--reject-with qualifier The qualifier tells what type of reject message is returned. Qualifiers include icmp-port-unreachable (default) icmp-net-unreachable icmp-host-unreachable icmp-proto-unreachable icmp-net-prohibited icmp-host-prohibited tcp-reset echo-reply |
|
|
Used to do destination network address translation, rewriting the destination IP address of the packet. |
--to-destination ipaddress Tells iptables what the destination IP address should be. |
|
|
Used to do source network address translation, rewriting the source IP address of the packet. |
--to-source <address> [-<address>][:<port>-<port>] The source IP address is user defined. Specifies the source IP address and ports to be used by SNAT. |
|
|
Used to do source network address translation. By default the source IP address is the same as that used by the firewall’s interface. |
[--to-ports <port>[-<port>]] Specifies the range of source ports to which the original source port can be mapped. |