Difference between revisions of "Iptables: Explanations, options & examples"

From Define Wiki

Revision as of 10:19, 16 November 2012

Configuration file location and common commands

Configuration file

The iptables configuration file is located at: /etc/sysconfig/iptables. This file contains all the tables, chains and rules. Additional rules can be added directly to this file or via the command-line tool, for example:

[root@srv1 ~]# iptables -A INPUT -i eth0 -j ACCEPT

Common Commands

# start iptables
[root@srv1 ~]# service iptables start

# get current status
[root@srv1 ~]# service iptables status

# stop iptables
[root@srv1 ~]# service iptables stop

# restart iptables
[root@srv1 ~]# service iptables restart

# save any newly added rules
[root@srv1 ~]# service iptables save

Structure of /etc/sysconfig/iptables

Tables

iptables includes 3 default tables:

  • *filter - Default table for filtering packets
  • *nat - Default table for Network Address Translation
  • *mangle - Default table used for specific type of packet alteration

Chains

Each table has a group of built-in chains, corresponding to the actions to be performed on the packets. The chains for each section are as follows:

  • The built-in chains for the filter table:
    • INPUT - Applies to packets targeted at the host (incoming traffic)
    • OUTPUT - Applies to locally-generated packets heading out of the system (outgoing traffic)
    • FORWARD - Applies to packets routed through the host (forwarded/routed traffic)
  • The built-in chains for the nat table:
    • PREROUTING - Alters packets when they arrive
    • OUTPUT - Alters locally-generated packets before they leave
    • POSTROUTING - Alters packets before they leave
  • The built-in chains for the mangle table:
    • INPUT - Alters packets targeted for the host
    • OUTPUT - Alters locally-generated packets before they leave
    • FORWARD - Alters packets routed through the host
    • PREROUTING - Alters incoming packets before they are routed
    • POSTROUTING - Alters packets before they leave

Explanation of an example iptables rule

[root@srv1 ~]# iptables -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
  • -A INPUT = Append the rule to the INPUT chain
  • -i virbr0 = Interface = virbr0
  • -p udp = Protocol = UDP
  • -m udp = match = UDP - not sure what this means!
  • --dport 53 = destination port = 53
  • -j ACCEPT = Jump to the target of ACCEPT. Basically, what to do if the packet matches the rule criteria. Option could be to ACCEPT, DENY, jump to another chain or a number of different possibilities.

This rule will basically accept UDP traffic on port 53 across virbr0. In practice, this rule will exist in the *filter table and will allow DNS operations over the KVM virtual network interface known as virbr0.
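As an added example (not part of the original wiki page), the shell functions below read a ruleset written in the format /etc/sysconfig/iptables uses, i.e. the iptables-save format: a *table line, :CHAIN POLICY [packets:bytes] declarations, -A rules and a COMMIT per table. They list the tables and chains described in the Structure section and decode each rule into the same fields the bullet list above explains (chain, interface, protocol, destination port, target). The ruleset is a constructed sample assembled from rules on this page, not a dump from a real host. On the -m udp question: -m loads a match extension, and the udp extension is what provides the --dport and --sport options for a -p udp rule.

```shell
# Constructed sample ruleset in /etc/sysconfig/iptables (iptables-save) format.
SAMPLE_RULESET='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.16:80
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

# List the tables declared in the ruleset (lines starting with "*"), one per line.
list_tables() {
    printf '%s\n' "$1" | sed -n 's/^\*//p'
}

# Print "table chain policy" for every chain declaration (":CHAIN POLICY [..]").
list_chains() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }
        /^:/  { print table, substr($1, 2), $2 }
    '
}

# Decode every -A rule into "table chain in-iface proto dport target".
# "-" marks an option the rule does not carry. "-m udp"/"-m tcp" only load the
# match extension that makes --dport available, so they are not reported.
decode_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }
        /^-A/ {
            chain = $2; iface = "-"; proto = "-"; dport = "-"; target = "-"
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                else if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            print table, chain, iface, proto, dport, target
        }
    '
}

# Stand-alone usage: summarise the sample ruleset.
list_tables "$SAMPLE_RULESET"
list_chains "$SAMPLE_RULESET"
decode_rules "$SAMPLE_RULESET"
```

The same functions work on a real file with `decode_rules "$(cat /etc/sysconfig/iptables)"`, which gives a quick one-line-per-rule view of what a host accepts and where it forwards traffic before the file is loaded.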

Example operations with iptables

Open up specific ports (port 80 in this example)

[root@srv1 ~]# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

This rule needs to be in the *filter table. It will allow TCP traffic over port 80.

NB - The --state NEW signifies the packet is establishing a new connection. ESTABLISHED would mean the packet is associated with an existing connection which has seen packet transfer in both directions. RELATED would mean a packet is establishing a new connection but is associated with an existing connection (useful for FTP).
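Because rules are evaluated in order, the usual stateful pattern is a RELATED,ESTABLISHED accept placed before the per-port --state NEW rules, on top of an INPUT chain whose default policy is DROP. As an added example (not from the original page), the functions below audit the INPUT chain of a ruleset in iptables-save format for exactly that: they report the chain policy and the relative position of the ESTABLISHED and NEW rules. Both rulesets are constructed samples; the "weak" one has the port-80 rule above the ESTABLISHED rule and an ACCEPT policy.

```shell
# Constructed sample: INPUT accepts by default and the NEW rule comes first.
WEAK_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed sample: DROP policy, ESTABLISHED accept before the NEW rule.
HARDENED_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
COMMIT'

# Print the default policy of the *filter table's INPUT chain.
input_policy() {
    printf '%s\n' "$1" | awk '
        /^\*/ { t = substr($0, 2) }
        t == "filter" && /^:INPUT / { print $2 }'
}

# Print the 1-based position of the first INPUT rule whose --state list
# contains the given state (NEW, ESTABLISHED, ...); 0 when there is none.
first_input_rule_with_state() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^\*/ { t = substr($0, 2); n = 0; next }
        t == "filter" && /^-A INPUT / {
            n++
            for (i = 3; i <= NF; i++) {
                s = "," $(i + 1) ","
                if ($i == "--state" && index(s, "," want ",") > 0) { hit = n; exit }
            }
        }
        END { print hit + 0 }'
}

# Print "ok" and return 0 when the INPUT chain defaults to DROP and the
# RELATED,ESTABLISHED accept precedes the first --state NEW rule; otherwise
# print one line per finding and return 1.
audit_input_chain() {
    rc=0
    pol=$(input_policy "$1")
    est=$(first_input_rule_with_state "$1" ESTABLISHED)
    new=$(first_input_rule_with_state "$1" NEW)
    if [ "$pol" != "DROP" ]; then
        echo "finding: INPUT policy is ${pol:-unset}, expected DROP"; rc=1
    fi
    if [ "$est" -eq 0 ]; then
        echo "finding: no RELATED,ESTABLISHED accept in INPUT"; rc=1
    elif [ "$new" -ne 0 ] && [ "$new" -lt "$est" ]; then
        echo "finding: --state NEW rule $new precedes ESTABLISHED rule $est"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Stand-alone usage: audit both samples.
audit_input_chain "$WEAK_RULESET" || true
audit_input_chain "$HARDENED_RULESET"
```

Run against a real file with `audit_input_chain "$(cat /etc/sysconfig/iptables)"`; a non-zero exit makes it usable as a pre-load check in a deployment script.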

Traffic forwarding over bridged interface

[root@srv1 ~]# iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

This rule will be inserted into the FORWARD chain and will allow packets to be forwarded across the bridged network adapter.

NB - The -I FORWARD signifies that this rule should be inserted at the top of the specified chain, rather than appended to the end.

Port forwarding (to a different IP address)

This can be used to forward incoming traffic (e.g. web traffic) to a different host or VM. For example, a host system could be running a web server as a virtual machine, and incoming web traffic on TCP port 80 should be forwarded to that VM.

[root@srv1 ~]# iptables -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.16:80

This rule will be appended to the PREROUTING chain within the *nat table.
As TCP port 80 traffic arrives on interface eth1, it is redirected to the host with IP address 192.168.0.16 on port 80.

NB - In connection-tracking terms, DNAT is a virtual state whereby the original destination differs from the reply source, which is the case where NAT has taken or will take place.

Common rules for *filter table

Allow ICMP traffic

[root@srv1 ~]# iptables -A INPUT -p icmp -j ACCEPT

Allow any traffic from a given interface

[root@srv1 ~]# iptables -A INPUT -i lo -j ACCEPT
[root@srv1 ~]# iptables -A INPUT -i eth0 -j ACCEPT

Allow related and established traffic between two interfaces

[root@srv1 ~]# iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Common rules for *nat table

Enable NAT for a specified interface

[root@srv1 ~]# iptables -A POSTROUTING -o eth1 -j MASQUERADE

Enable NAT for specific ports for a given IP subnet

[root@srv1 ~]# iptables -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535

Practical examples

Enable NAT/Masquerading on a new system

Firstly, the Linux kernel needs to be told to enable IP forwarding:

[root@srv1 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward

Or for a permanent solution, edit /etc/sysctl.conf and change the line that says net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1.
Then:

[root@srv1 ~]# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
[root@srv1 ~]# iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@srv1 ~]# iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

To commit these new rules to the /etc/sysconfig/iptables configuration file, type:

[root@srv1 ~]# service iptables save
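The whole procedure above, as an added example script that is not from the original page. It assumes the LAN is on eth0 and the upstream link is on eth1 (as in the commands above) and that it is run as root with DRY_RUN=0; by default (DRY_RUN=1) it only prints the commands it would run, so it can be reviewed before use. Two details differ from the interactive session: the MASQUERADE rule names its table explicitly with -t nat, and each rule is checked with iptables -C before being appended, so running the script twice does not duplicate rules.

```shell
# Interfaces and mode are overridable from the environment.
LAN_IF=${LAN_IF:-eth0}   # inside network (assumption: eth0, as on this page)
WAN_IF=${WAN_IF:-eth1}   # upstream link to be masqueraded behind
DRY_RUN=${DRY_RUN:-1}    # 1 = print commands only, 0 = really run them

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Append a rule to the given table only if an identical rule is not already
# present (iptables -C exits 0 when the rule exists), so re-runs are safe.
ensure_rule() {
    table=$1; shift
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -t $table -C $* || iptables -t $table -A $*"
    elif ! iptables -t "$table" -C "$@" 2>/dev/null; then
        iptables -t "$table" -A "$@"
    fi
}

# Enable forwarding now and persistently, install the three rules, then save.
enable_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    run sed -i 's/^net.ipv4.ip_forward *= *0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    ensure_rule nat POSTROUTING -o "$WAN_IF" -j MASQUERADE
    ensure_rule filter FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    ensure_rule filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run service iptables save
}

# Stand-alone usage: with the default DRY_RUN=1 this lists the commands.
enable_nat
```

The FORWARD rules keep the page's order: replies from the upstream side are accepted only when conntrack already knows the connection, while anything from the LAN may open new connections outward.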