Introduction to Linux IPtables

By | 02/10/2012

Linux today is the fastest growing operating system that is replacing it’s competitors in almost every sphere of technology field. The major reason for this is the simplicity and robustness of this operating system. Besides, there is another quality in Linux that makes it favourite of many. This quality is the seamless customization that can be done with every aspect of this OS. One of the very important aspect is the Linux security. There are many protections and inbuilt security mechanisms that Linux incorporates in the name of system and network security. One of the inbuilt security mechanism is the Linux firewall. Linux provides a very flexible and powerful mechanism to customize the firewall. This mechanism is the Linux IPtables.

This is the topic of discussion for this article. Lets discuss the basics of netfilter/Iptables framework in the following sections.

Why configure firewall?

Someone who is new to Linux may ask why configuring your own firewall in Linux is such a big deal? Why would anyone want to do that?

Well, being able to configure you own firewall can have various advantages for you.

  • Unauthorized access to a Linux system can be blocked by specifying the trusted sources of communication.
  • For kids too, appropriate level of security can be applied to firewall by allowing only selected websites or IPs.
  • Firewall can be configured not only to control the traffic to and fro from internet but also to control the traffic between computers connected to local LAN.

So we see that being able to configure firewall is a huge plus.

 

Linux IPtables

 

Netfilter/IPtables

The term Netfilter/Iptables may sound a bit confusing because of the ‘Netfilter’ tag. To clear the confusion, Both Netfilter and Iptables are related to each other in the sense that Iptables is to user space what Netfilter is to Kernel space. Iptables provides the facility to users to customize and configure the Linux firewall from user space. This firewall is implemented in Linux kernel through the concept of Netfilters. This functionality of Netfilter was added to Linux kernel from version 2.4.x onwards. Prior to this the concept of Ipchains was used but as that had many bugs and shortcomings so the concept of Netfilter/Iptables was developed.

Types of tables

As the name suggests, IPtables can be used to configure three types of tables that are used for fire-walling packets.

  1. Filter table : This table is used for packet filtering.
  2. NAT table : This table is not used for packet filtering but it rather provides NAT/PAT capabilities and IP masquerading.
  3. Mangle table : This table is used to alter packet fields and is also used to mark packets for later filtering. Again this is also not used for packet filtering

Here in this article we will be focusing totally on the filter table of Netfilter/IPTables module.

Filer table

For any rule, the default table is the filter table. It is the only table where packet filtering takes place. This table consists of following types of chains.

  • Prerouting chain
  • Input chain
  • Output chain
  • Forward chain
  • Postrouting chain

 

The prerouting chain consists of rules that are applied to those packets that are to be forwarded. The packets enter this chain before the routing decision has been made.

The input chain consists of rules that are applicable for those packets that are destined for the machine on which Netfilter/IPTables firewall is running. So, this chain contains filtering rules for incoming packets.

The output chain consists of rules that are applicable for those packets that are originating from the machine on which Netfiler/Iptables firewall is running. So, this chain contains filtering rules for the outgoing packets.

The forward chain consists of rules that applicable for those packets which are to be forwarded by the machine on which Netfilter/Iptables firewall is running. For these kind of packets, the Linux machine acts as a router. So, this chain contains filtering rules for the packets being forwarded.

The postrouting chain consists of rules that are applied to those packets that are to be forwarded. The packets enter this chain just before being handed over to the hardware for routing..

As clear from the above explanation of chains, each of the above chains can have a set of rules associated or grouped with them. For any and every rule associated with the above chains, there is target that specifies what to do with the packet if the packet matches the rule. Also, apart from the standard chains described above, the system administrator can make as many chains as he/she would like to.

For example, if a rule is for packets with destination IP 10.234.138.32 and port 80 exists in output chain then any packet coming destined to this IP and port would match this rule.

As already discussed, once a packet matches a rule, there is target or the action that is to be taken. The targets or actions available for rules in filter table chains are :

ACCEPT: This target is applied to those packets that are trustworthy and can be passed through the firewall.

REJECT: This target is applied to those packets that are to be dropped but an ICMP reply is to be sent to the originator for information on what happened to the packet.

DROP: This target is applied to those packets that are to be just dropped without sending any ICMP reply as if it never reached firewall.

If a packet does not match to any rule in the chain then the default target is applied to the packet. The default target can be any of the three targets already explained above.

Selecting a default target depends upon the type of firewall configuration. For example, One can configure the firewall in a way that by default all packets are ACCEPTed but the one’s which match any rule are DROPped or REJECTed. A more fesable configuration could be a default target of DROP or REJECT but the packets that match any of the rule gets ACCEPTed.

How filter table works

Here are some basic steps :

  • Through IPtables the rules can be set for particular chains by users in the user space.
  • Whenever a packet arrives at the Linux system from outside then Linux kernel checks if it needs to be forward or is it destined for this system only. There-on it places it in the forward chain or input chain of the netfilter module respectively.
  • Whenever a packet is generated from inside the machine and destined to some other machine then Linux kernel places it in the output chain of the netfilter module.
  • This packet is matched against all the rules present in the chain until it matches a rule.
  • If packet successfully matches a rule then the target for that rule is applied to the packet and no further matching of packet to any rule takes place.
  • If the packet does not match any rule in the chain then the default target is applied to that packet.

 

In the next article of this series, we will discuss some more in-depth details of the filter table used by Linux Iptables.

Read this interesting article to learn how Iptables can be used to solve real world problems.

7 thoughts on “Introduction to Linux IPtables

  1. Rhonald

    That’s an awesome article about iptables. Looking forward to the next parts & apply on my home computers…

    Reply
  2. Roy Barnard

    A good way of understanding iptables scripts is to use FWBuilder to generate them.
    Read the bash script was a really good way of learning how to write iptables scripts by hand.

    Reply
  3. Duncan

    I’ve been running my own iptables config for some years now. Ironically, I found that every so-called firewall builder helper script that I looked at was harder to work with than iptables itself, once I decided to configure it. IMO that was because they were either too simple and inflexible, making it very difficult or impossible to do reasonably ordinary things without directly hacking the script that was supposed to be helping, or too complex, dealing with all sorts of things (like forwarding, since I just wanted something to run on the computer I was working on itself) I wasn’t interested in, making things needlessly complex.

    But iptables itself turned out to be just right. Since I wasn’t worried about forwarding, I could ignore that side of things entirely, but it was possible to configure what I WAS interested in, very simply and directly, in exactly the detail I needed, no more, no less.

    Later on, I bought a router and flashed OpenWRT to it. THEN I was interested in the forwarding, and was again worried that it would be difficult to configure. But the defaults were sane, and since I already knew the general logic of iptables/netfilter based on configuring it for the computer I was working on only, again it was much simpler than I expected.

    Tho I do need to reflash the router with something newer, something I’ve been putting off.

    Meanwhile, newer kernels have been logging a deprecation warning of some kind about auto-assigned-helpers or the like. I think FTP’s the only regularly used thing to trigger that, but I’ve googled a bit and haven’t seen any decent step-by-step on exactly what the implications are and how my iptables config must change to allow that to continue working once the deprecated functionality is removed (or the kernel/iptables version with which it’s scheduled to happen). But googling a bit here and there isn’t the same as actually deciding it’s time to do the research and change the config, and I’ve mostly been hoping to come across something dealing with that in my normal Linux community news/blog wandering.

    So hopefully, this series will touch on the appropriate new way to deal with that, and I’ll have it covered without ever having to actually go out and seriously research the changes. =:^)

    Thanks! =:^)

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *