Iptables: Explanations, options & examples

From Define Wiki

Configuration file location and common commands

Configuration file

The iptables configuration file is located at /etc/sysconfig/iptables. This file contains all the tables, chains and rules. Additional rules can be added directly to this file or via the iptables command line tool, for example:

[root@srv1 ~]# iptables -A INPUT -i eth0 -j ACCEPT

Common Commands

# start iptables
[root@srv1 ~]# service iptables start

# get current status
[root@srv1 ~]# service iptables status

# stop iptables
[root@srv1 ~]# service iptables stop

# restart iptables
[root@srv1 ~]# service iptables restart

# save any newly added rules
[root@srv1 ~]# service iptables save

Structure of /etc/sysconfig/iptables

Tables

iptables includes 3 default tables:

  • *filter - Default table for filtering packets
  • *nat - Default table for Network Address Translation
  • *mangle - Default table used for specific type of packet alteration

Chains

Each table has a group of built-in chains, corresponding to the actions to be performed on the packets. The chains for each section are as follows:

  • The built-in chains for the filter table:
    • INPUT - Applies to packets targeted at the host (incoming traffic)
    • OUTPUT - Applies to locally-generated packets heading out of the system (outgoing traffic)
    • FORWARD - Applies to packets routed through the host (forwarded/routed traffic)
  • The built-in chains for the nat table:
    • PREROUTING - Alters packets as they arrive, before routing
    • OUTPUT - Alters locally-generated packets before they leave
    • POSTROUTING - Alters packets before they leave, after routing
  • The built-in chains for the mangle table:
    • INPUT - Alters packets targeted at the host
    • OUTPUT - Alters locally-generated packets before they leave
    • FORWARD - Alters packets routed through the host
    • PREROUTING - Alters incoming packets before they are routed
    • POSTROUTING - Alters packets before they leave

Explanation of an example iptables rule

[root@srv1 ~]# iptables -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT

  • -A INPUT = Append the rule to the INPUT chain
  • -i virbr0 = Interface = virbr0
  • -p udp = Protocol = UDP
  • -m udp = Load the udp match extension; this is what makes the --dport and --sport options available for the rule
  • --dport 53 = destination port = 53
  • -j ACCEPT = Jump to the target ACCEPT. Basically, what to do if the packet matches the rule criteria. The target could be ACCEPT, DROP, REJECT, a jump to another chain or a number of other possibilities.

This rule will basically accept UDP traffic on port 53 across virbr0. In practice, this rule will exist in the *filter table and will allow DNS operations over the KVM virtual network interface known as virbr0.

Example operations with iptables

Open up specific ports (port 80 in this example)

[root@srv1 ~]# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

This rule needs to be in the *filter table. It will allow TCP traffic over port 80.

NB - The --state NEW signifies that the packet is establishing a new connection. ESTABLISHED would mean the packet is associated with an existing connection which has seen packets in both directions. RELATED would mean the packet is establishing a new connection but one that is associated with an existing connection (useful for FTP).

Traffic forwarding over bridged interface

[root@srv1 ~]# iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

This rule will be inserted into the FORWARD chain and will allow packets to be forwarded across the bridged network adapter.

NB - The -I FORWARD signifies that this rule should be inserted at the top of the specified chain (rule position 1 unless a position is given), rather than appended to the end of it.

Port forwarding (to a different IP address)

This can be used to forward incoming traffic (e.g. web traffic) to a different host or VM. For example, a host system could be running a web server as a virtual machine and incoming web traffic on TCP port 80 should be forwarded to that VM.

[root@srv1 ~]# iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.16:80

This rule will be appended to the PREROUTING chain within the *nat table.
As TCP traffic on port 80 arrives across interface eth1, it is redirected to the host with IP address 192.168.0.16 on port 80.

NB - DNAT is a virtual connection-tracking state, whereby the original destination differs from the reply source, which is the case where NAT has taken or will take place.

Common rules for *filter table

Allow ICMP traffic

[root@srv1 ~]# iptables -A INPUT -p icmp -j ACCEPT

Allow any traffic from a given interface

[root@srv1 ~]# iptables -A INPUT -i lo -j ACCEPT
[root@srv1 ~]# iptables -A INPUT -i eth0 -j ACCEPT

Allow related and established traffic between two interfaces

[root@srv1 ~]# iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Common rules for *nat table

Enable NAT for a specified interface

[root@srv1 ~]# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Enable NAT for specific ports for a given IP subnet

[root@srv1 ~]# iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535

Practical examples

Enable NAT/Masquerading on a new system

Firstly, IP forwarding needs to be enabled in the Linux kernel:

[root@srv1 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward

Or for a permanent solution, edit /etc/sysctl.conf and change the line that says net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1.
Then:

[root@srv1 ~]# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
[root@srv1 ~]# iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@srv1 ~]# iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

To commit these new rules to the /etc/sysconfig/iptables configuration file, type:

[root@srv1 ~]# service iptables save
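As an added example (not code from the wiki), the following POSIX shell script writes the rules from the port-forwarding and NAT sections above in the iptables-save format that /etc/sysconfig/iptables uses, with the *filter and *nat sections, chain policies and COMMIT lines described under "Structure of /etc/sysconfig/iptables", and then sanity-checks the text before it is handed to iptables-restore. The interface roles (eth1 outside, eth0 LAN), the DROP policies and the extra FORWARD rule for the DNAT'd traffic are assumptions; the VM address 192.168.0.16 is the page's own.

```shell
#!/bin/sh
# Added example, not from the wiki: build a ruleset in the iptables-save
# format used by /etc/sysconfig/iptables and check it before restoring.
# Assumptions: eth1 faces the outside, eth0 faces the LAN, default DROP.
WAN=eth1
LAN=eth0
WEB_VM=192.168.0.16   # VM that receives forwarded port-80 traffic (from page)

build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to existing connections are accepted before any new connection
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# DNAT only rewrites the address; FORWARD must still admit the packet
-A FORWARD -i $WAN -d $WEB_VM -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp -m tcp --dport 80 -j DNAT --to-destination $WEB_VM:80
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Sanity-check ruleset text on stdin before iptables-restore sees it: each
# *table block must close with COMMIT, only the three tables the page lists
# are allowed, and at least one rule must be present. Exit 0 if OK, 1 if not.
check_ruleset() {
    awk '
        /^\*/      { if (open) bad = 1; open = 1; t = substr($0, 2)
                     if (t != "filter" && t != "nat" && t != "mangle") bad = 1; next }
        /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
        /^-A /     { if (!open) bad = 1; rules++ }
        END        { exit (open || bad || rules == 0) ? 1 : 0 }'
}
```

Typical use is `build_ruleset > /etc/iptables.rules && check_ruleset < /etc/iptables.rules` before pointing iptables-restore (or the pre-up hook described below) at the file.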

Saving and restoring an iptables config in Ubuntu

Unlike Red Hat based distros, Ubuntu does not, by default, save the iptables config to a text file, and the service iptables save command is not available, so any changes will, without further action, be lost when the system reboots.

Settings can be saved and restored by using the iptables-save and iptables-restore commands.

Save iptables config to a file

sudo sh -c "iptables-save > /etc/iptables.rules"

Manually restore settings from config file

iptables-restore < /etc/iptables.rules

Automatically restore when an interface comes up

Edit the /etc/network/interfaces file to include the following for an interface:

pre-up iptables-restore < /etc/iptables.rules

For example:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto em1
auto em2
iface em1 inet static
	pre-up iptables-restore < /etc/iptables.rules
	address 10.17.1.1
	netmask 255.0.0.0
	gateway	10.0.0.3
iface em2 inet static
	address 172.28.0.2
	netmask 255.255.0.0
	broadcast 172.28.255.255
	gateway 172.28.0.2
	dns-nameservers 172.28.0.2
	dns-search pxe.boston.co.uk