Difference between revisions of "Iptables: Explanations, options & examples"
Revision as of 14:30, 4 August 2014
Configuration file location and common commands
Configuration file
On RedHat-based distros (RHEL, CentOS, Fedora) the iptables configuration file is located at /etc/sysconfig/iptables. This file contains all the tables, chains and rules in the format written by iptables-save, and it is what the iptables service loads at boot. Additional rules can be added directly to this file or via the command line tools, for example:
[root@srv1 ~]# iptables -A INPUT -i eth0 -j ACCEPT
NB - A rule added on the command line changes the running kernel tables only; it is not written to /etc/sysconfig/iptables until service iptables save is run (see below), so a reboot or service restart discards it.
Common Commands
# start iptables
[root@srv1 ~]# service iptables start
# get current status
[root@srv1 ~]# service iptables status
# stop iptables
[root@srv1 ~]# service iptables stop
# restart iptables
[root@srv1 ~]# service iptables restart
# save any newly added rules
[root@srv1 ~]# service iptables save
Structure of /etc/sysconfig/iptables
Tables
iptables includes 3 default tables:
* filter - Default table for filtering packets, and the table iptables operates on when no -t option is given
* nat - Default table for Network Address Translation
* mangle - Default table used for specialised packet alteration (for example rewriting TTL/TOS or marking packets)
Chains
Each table has a group of built-in chains, corresponding to the points on a packet's path through the kernel at which that table's rules are evaluated. The chains for each table are as follows:
- The built-in chains for the filter table:
  INPUT - Applies to packets targeted at the host (incoming traffic)
  OUTPUT - Applies to locally-generated packets heading out of the system (outgoing traffic)
  FORWARD - Applies to packets routed through the host (forwarded/routed traffic)
- The built-in chains for the nat table:
  PREROUTING - Alters packets when they arrive, before the routing decision (used for destination NAT)
  OUTPUT - Alters locally-generated packets before they leave
  POSTROUTING - Alters packets just before they leave, after routing (used for source NAT and masquerading)
- The built-in chains for the mangle table:
  INPUT - Alters packets targeted at the host
  OUTPUT - Alters locally-generated packets before they leave
  FORWARD - Alters packets routed through the host
  PREROUTING - Alters incoming packets before they are routed
  POSTROUTING - Alters packets before they leave
Explanation of an example iptables rule
[root@srv1 ~]# iptables -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT = Append the rule to the end of the INPUT chain
-i virbr0 = Interface = virbr0
-p udp = Protocol = UDP
-m udp = Load the udp match extension, which is what provides the --dport and --sport options for UDP. When -p udp is given iptables loads this extension implicitly, so -m udp is redundant on the command line; it appears here because iptables-save always prints it.
--dport 53 = destination port = 53
-j ACCEPT = Jump to the target ACCEPT. Basically, what to do if the packet matches the rule criteria. The target can be ACCEPT, DROP or REJECT, a user-defined chain, or one of the extension targets such as DNAT, MASQUERADE or LOG.
This rule will accept UDP traffic to port 53 arriving on virbr0. It lives in the *filter table (no -t option was given, so filter is assumed) and allows DNS queries from guests over the KVM virtual network interface known as virbr0.
Example operations with iptables
Open up specific ports (port 80 in this example)
[root@srv1 ~]# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
This rule needs to be in the *filter table.
It will allow new TCP connections to port 80.
NB - The --state NEW signifies the packet is establishing a new connection. ESTABLISHED would mean the packet is associated with an existing connection which has seen packet transfer in both directions. RELATED would mean the packet is establishing a new connection but is associated with an existing connection (useful for FTP data connections, which need the nf_conntrack_ftp helper loaded). Because this rule matches NEW only, the rest of the connection is accepted only if an earlier INPUT rule accepts packets in the RELATED,ESTABLISHED state; without one, the SYN gets in and the remaining packets are dropped by the chain policy.
Traffic forwarding over bridged interface
[root@srv1 ~]# iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
This rule is inserted at the top of the FORWARD chain and allows packets to be forwarded between the ports of a bridge (for example a br0 carrying KVM guests). It only has an effect when bridged frames are being passed through iptables (net.bridge.bridge-nf-call-iptables = 1); when that sysctl is 0, bridged traffic never reaches the FORWARD chain and neither this rule nor any other filter rule sees it.
NB - The -I FORWARD signifies that this rule should be inserted at position 1 of the specified chain, where it is evaluated before every existing rule, rather than appended to the end.
Port forwarding (to a different IP address)
This can be used to forward incoming traffic (e.g. web traffic) to a different host or vm. For example, a host system could be running a web server as a virtual machine and incoming web traffic on TCP port 80 should be forwarded to that vm.
[root@srv1 ~]# iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.16:80
This rule will be appended to the PREROUTING chain within the *nat table. The -t nat is required: PREROUTING does not exist in the default filter table, so without it iptables reports that there is no chain by that name.
As TCP traffic to port 80 arrives across interface eth1, its destination is rewritten to the host with IP address 192.168.0.16, port 80, and the packet is then routed to that host.
NB - DNAT here is the target that rewrites the destination. Connection tracking also records a DNAT status for such flows (matchable with -m conntrack --ctstate DNAT): a virtual state meaning the original destination differs from the reply source, which is the case where destination NAT has taken or will take place. Two more things are needed for the forwarded packets to reach the vm: IP forwarding must be on (see the sysctl step below), and the FORWARD chain of the filter table must accept traffic to 192.168.0.16, because after DNAT the packet is routed and filtered like any other forwarded packet.
Common rules for *filter table
Allow ICMP traffic
[root@srv1 ~]# iptables -A INPUT -p icmp -j ACCEPT
Allow any traffic from a given interface
[root@srv1 ~]# iptables -A INPUT -i lo -j ACCEPT
[root@srv1 ~]# iptables -A INPUT -i eth0 -j ACCEPT
NB - An interface-only rule such as the eth0 one accepts every port and protocol arriving on that interface, so use it only for a trusted (internal or management) network. The loopback rule is needed by many local services and should come near the top of the chain.
Allow replies to forwarded connections back in
[root@srv1 ~]# iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Common rules for *nat table
Enable NAT for a specified interface
[root@srv1 ~]# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Enable NAT for specific ports for a given IP subnet
[root@srv1 ~]# iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
NB - Both rules need -t nat; POSTROUTING is not a chain of the default filter table. The second rule masquerades TCP traffic from the 192.168.122.0/24 subnet (the default libvirt network) only when its destination is outside that subnet, and restricts the source ports used after translation to 1024-65535.
Practical examples
Enable NAT/Masquerading on a new system
Firstly, the Linux kernel needs to be told to entertain IP forwarding;
[root@srv1 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
This takes effect immediately but is lost at reboot. For a permanent solution, edit /etc/sysctl.conf and change the line that says net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, then apply it with sysctl -p (or reboot).
Then:
[root@srv1 ~]# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
[root@srv1 ~]# iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@srv1 ~]# iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
Here eth1 is the outside (masqueraded) interface and eth0 the inside one: the first FORWARD rule lets replies to existing connections back in, the second lets anything from the inside out. To commit these new rules to the /etc/sysconfig/iptables configuration file, type:
[root@srv1 ~]# service iptables save
Saving and restoring an iptables config in ubuntu
Unlike RedHat based distros, ubuntu does not, by default, save the iptables config to a text file and the service iptables save option is not available, so any changes will, without any further action, be lost in the event of a system reboot.
Settings can be saved and restored by using the iptables-save and iptables-restore commands.
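The NAT/masquerading procedure above, together with the two ways of committing the result (service iptables save where the RedHat init script exists, iptables-save into a file otherwise), as an added example script that is not from the original page. It defaults to a dry run that prints the privileged commands instead of executing them, so it can be read and tested without root. Interface names, the sysctl file, the rules file path and the init script path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: the NAT/masquerading steps
# above as one idempotent script, including the persistence step for both
# distro families. RUN defaults to "echo", so the script only prints the
# privileged commands it would run; set RUN="" and run as root to apply.
# Interface names, the sysctl file and the rules file path are assumptions.

RUN="${RUN-echo}"   # "${RUN-echo}": RUN="" (set but empty) disables the dry run

# 1. Persist net.ipv4.ip_forward = 1 in a sysctl.conf-style file ($1):
#    rewrite an existing line (commented out, or set to 0) or append one.
#    Prints the number of active "= 1" lines afterwards (expected: 1).
persist_ip_forward() {
    f="$1"
    if grep -Eq '^[#[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$f"; then
        sed -E 's/^[#[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$f"
    fi
    grep -c '^net\.ipv4\.ip_forward = 1$' "$f"
}

# 2. The three rules from the text. -t nat is mandatory for POSTROUTING:
#    without it iptables looks in the filter table, which has no such chain.
#    $1 = outside (masqueraded) interface, $2 = inside interface.
enable_nat() {
    wan="$1"; lan="$2"
    $RUN iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
    $RUN iptables -A FORWARD -i "$wan" -o "$lan" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $RUN iptables -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
}

# 3. Commit the running rules. RedHat-style systems have the iptables init
#    script and "service iptables save"; otherwise fall back to iptables-save
#    into a file for iptables-restore to load at boot (see the ubuntu section).
#    $1 = init script to test for (a parameter so the branch can be exercised).
persist_rules() {
    if [ -f "${1:-/etc/init.d/iptables}" ]; then
        $RUN service iptables save
    else
        $RUN sh -c 'iptables-save > /etc/iptables.rules'
    fi
}

# Live check of the running kernel; not used by the dry run.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Run with "apply" to execute the whole procedure: RUN="" sh enable_nat.sh apply
if [ "${1:-}" = "apply" ]; then
    if [ -z "$RUN" ]; then
        persist_ip_forward /etc/sysctl.conf >/dev/null
    else
        echo "persist_ip_forward /etc/sysctl.conf"
    fi
    $RUN sysctl -w net.ipv4.ip_forward=1
    enable_nat eth1 eth0
    persist_rules
fi
```

Running sh enable_nat.sh apply prints the exact iptables, sysctl and save commands for review; RUN="" sh enable_nat.sh apply as root executes them. The rule additions themselves are not idempotent (running them twice appends duplicate rules), which is one more reason to commit a known-good rule set to the file and reload it with iptables-restore rather than re-running ad hoc commands.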
Save iptables config to a file
sudo sh -c "iptables-save > /etc/iptables.rules"
(The sh -c wrapper is needed because the redirection is performed by the shell, which would otherwise run as the unprivileged user.)
Manually restore settings from config file
sudo iptables-restore < /etc/iptables.rules
Automatically restore when an interface comes up
Edit the /etc/network/interfaces file to include the following for an interface:
pre-up iptables-restore < /etc/iptables.rules
The pre-up hook runs as root before the interface is brought up, so the rules are in place before the interface can receive any traffic. For example:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto em1
auto em2
iface em1 inet static
pre-up iptables-restore < /etc/iptables.rules
address 10.17.1.1
netmask 255.0.0.0
gateway 10.0.0.3
iface em2 inet static
address 172.28.0.2
netmask 255.255.0.0
broadcast 172.28.255.255
gateway 172.28.0.2
dns-nameservers 172.28.0.2
dns-search pxe.boston.co.uk