Introducing iptables part 1
This article provides an overview of the Linux kernel firewall for IPv4 as managed with iptables, focusing on the Filter table. It is intended for beginner to intermediate Linux users and gives an insight into basic configuration concepts.
What is "iptables"?
The iptables program lets slice admins configure the Linux kernel firewall. This tool proves quite useful when you need to block, filter, manipulate or redirect network traffic. iptables is used specifically for IPv4, whereas ip6tables is used for IPv6, which we'll save for a future article. In this article we'll cover the Filter table within iptables.
Fun stuff... If you've followed one of our previous distro setup articles, you've probably already gotten your hands wet a bit.
How's it work then?
In this section we'll go over how to look at your current iptables ruleset.
You must have root privileges when using iptables. To list your current iptables rules try:
sudo /sbin/iptables -L
The default setup is usually an empty rule set and would look something like:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
If you're using CentOS, Fedora or RHEL, the default iptables rules would look something like:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
And if you have followed our initial setup articles, your iptables list output should show your current ruleset and look something similar to:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8         reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:30000
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
LOG        all  --  anywhere             anywhere            limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
iptables rules are grouped into Chains. A Chain is a ruleset that describes what to do with a packet. This shows us our three Chains - INPUT, FORWARD and OUTPUT - which are all part of the Filter table.
The INPUT Chain lists all the rules for packets that are destined for the local slice. The FORWARD Chain is used for packets passing through the system (routing, etc.). And the OUTPUT Chain is for packets originating from the slice.
The target column lists the action taken on a matching packet - ACCEPT, REJECT or LOG - which do what their names suggest. The prot column is the network protocol; common values are tcp, icmp, udp and all. The source and destination columns tell us where the packet is coming from and going to.
Alternatively, you can show the source and destination IPs and ports as numbers rather than resolved names by adding the '-n' flag:
sudo /sbin/iptables -L -n
The output would then look something similar to:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            127.0.0.0/8         reject-with icmp-port-unreachable
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:30000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied: '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
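Reading a long listing by eye gets error-prone, so here is an added example (not from the original article) that turns an 'iptables -L -n' listing into a short audit: each chain's policy and rule count, the TCP ports a chain ACCEPTs, and any chain that can fall through to an ACCEPT policy because its last rule is not a catch-all REJECT or DROP. The listing is read from stdin; the sample_listing function is a constructed copy of the '-L -n' output above so the script runs without root or a live firewall. Function names are my own.

```shell
#!/bin/sh
# Added example: summarise `iptables -L -n` output read from stdin.
# Live use:  sudo /sbin/iptables -L -n | chain_summary

# Constructed sample: the `-L -n` listing from the article, one rule per line.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            127.0.0.0/8         reject-with icmp-port-unreachable
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:30000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied: '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# Print "CHAIN POLICY RULECOUNT" for every chain in the listing.
chain_summary() {
    awk '
        /^Chain / {
            if (chain != "") print chain, policy, rules
            chain = $2; policy = $4; sub(/\)$/, "", policy); rules = 0
            next
        }
        /^target / { next }          # column header line, not a rule
        NF > 0     { rules++ }       # blank lines separate chains
        END        { if (chain != "") print chain, policy, rules }
    '
}

# Print the TCP destination ports that CHAIN (default INPUT) ACCEPTs, one per
# line, in rule order (iptables applies the first matching rule).
accepted_tcp_ports() {
    awk -v want="${1:-INPUT}" '
        /^Chain / { chain = $2; next }
        chain == want && $1 == "ACCEPT" && $2 == "tcp" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
        }
    '
}

# Print chains where an unmatched packet reaches an ACCEPT policy: policy is
# ACCEPT and the last rule is not a "REJECT all" or "DROP all" catch-all.
# Heuristic only: it does not inspect the catch-all's source/destination.
open_chains() {
    awk '
        function report() {
            closed = (last == "REJECT" || last == "DROP") && lastprot == "all"
            if (chain != "" && policy == "ACCEPT" && !closed) print chain
        }
        /^Chain /  { report(); chain = $2; policy = $4; sub(/\)$/, "", policy)
                     last = ""; lastprot = ""; next }
        /^target / { next }
        NF > 0     { last = $1; lastprot = $2 }
        END        { report() }
    '
}

# Stand-alone demo on the constructed sample.
sample_listing | chain_summary
sample_listing | accepted_tcp_ports INPUT
sample_listing | open_chains
```

On the sample, open_chains reports only OUTPUT, which matches the article's setup: outbound traffic is deliberately left open while INPUT and FORWARD end in a catch-all REJECT. Run the same functions against a live listing and any extra chain in the report is a chain whose policy, not its rules, decides what gets through.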
Backup and Restore
Before making any changes to your config it's always a good idea to have a backup. We can use the iptables-save program to do this:
sudo sh -c '/sbin/iptables-save > /etc/iptables.save'
This will save your current iptables configuration to the /etc directory under the name iptables.save. The '-c' part and the quotes are necessary to ensure the sudo permissions are applied to the whole command (otherwise the output redirect at the end could yield a 'permission denied' error).
Now if something gets fouled you can restore it easily using the iptables-restore program as follows:
sudo /sbin/iptables -F
sudo sh -c '/sbin/iptables-restore < /etc/iptables.save'
Be sure to run the 'iptables -F' first if the ruleset was not empty, as this flushes the current rules from memory.
Here is our example iptables rules file. If you look at this file in a text editor you would see a series of commands, which we will go over in Part 2. This is essentially the output of an iptables-save with some added comments for clarity. You can restore this for the above configuration with:
sudo sh -c '/sbin/iptables-restore < iptables.txt'
Note that you want the file to begin and end with just the text of the rules file. Extra newlines at the beginning or end can confuse iptables-restore.
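The backup, flush and restore steps above, together with the advice about stray blank lines, fit naturally into one small script. This is an added example (not from the original article, and not a Slicehost tool): it backs up with iptables-save to a timestamped copy, checks a rules file for the problems that make iptables-restore choke (leading or trailing blank lines, a *table with no COMMIT, lines that are not rules) before anything is flushed, and only then restores. The file paths and the function names are assumptions; /etc/iptables.save is the name the article uses.

```shell
#!/bin/sh
# Added example: backup, sanity-check and restore an iptables ruleset.
# Usage (as root):  sh iptables-backup.sh backup | check [file] | restore [file]
# The `demo` action runs the check on a constructed sample, no root needed.

IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
IPTABLES_RESTORE=/sbin/iptables-restore
SAVE_FILE=/etc/iptables.save          # assumed path, as in the article

# Save the live ruleset to SAVE_FILE and keep a timestamped copy of it.
backup_rules() {
    stamp=$(date +%Y%m%d-%H%M%S)
    "$IPTABLES_SAVE" > "$SAVE_FILE" || return 1
    cp "$SAVE_FILE" "$SAVE_FILE.$stamp" && echo "saved to $SAVE_FILE.$stamp"
}

# Return 0 if FILE looks like iptables-save output that iptables-restore will
# accept; otherwise print what is wrong to stderr and return 1.
check_rules_file() {
    file=$1
    [ -s "$file" ] || { echo "$file: missing or empty" >&2; return 1; }
    awk '
        NR == 1 && NF == 0 { print FILENAME ": starts with a blank line" > "/dev/stderr"; bad = 1 }
        /^\*/              { tables++; open = 1 }      # *filter, *nat, ...
        /^COMMIT$/         { commits++; open = 0 }
        NF > 0 && !/^[#*:-]/ && !/^COMMIT$/ {
            print FILENAME ": line " NR " is not a rule: " $0 > "/dev/stderr"; bad = 1
        }
        { lastnf = NF }                                 # NF of the final record
        END {
            if (lastnf == 0) { print FILENAME ": ends with a blank line" > "/dev/stderr"; bad = 1 }
            if (tables == 0) { print FILENAME ": no *table line" > "/dev/stderr"; bad = 1 }
            if (tables != commits || open) {
                print FILENAME ": every *table needs a matching COMMIT" > "/dev/stderr"; bad = 1
            }
            exit bad
        }
    ' "$file"
}

# Check first, then flush and restore as the article describes. Checking before
# the flush means a bad file never leaves the slice with an empty ruleset.
restore_rules() {
    file=${1:-$SAVE_FILE}
    check_rules_file "$file" || return 1
    "$IPTABLES" -F && "$IPTABLES_RESTORE" < "$file" && "$IPTABLES" -L -n
}

# Constructed sample in iptables-save format, used by the demo action.
write_sample_rules() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed
EOF
}

case "${1:-}" in
    backup)  backup_rules ;;
    check)   check_rules_file "${2:-$SAVE_FILE}" && echo "ok" ;;
    restore) restore_rules "${2:-$SAVE_FILE}" ;;
    demo)    tmp=$(mktemp); write_sample_rules "$tmp"
             check_rules_file "$tmp" && echo "sample rules file is well-formed"
             rm -f "$tmp" ;;
    *)       echo "usage: $0 backup | check [file] | restore [file] | demo" >&2 ;;
esac
```

Note that iptables-restore itself replaces each table it reads in one step, so the separate '-F' mirrors the article's procedure rather than being strictly required; the check before it is the part worth keeping.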
You should now be able to verify the rules have been restored!
sudo /sbin/iptables -L
Continuing on to Part 2
Now that we know what we're looking at, let's move on to the basic syntax for adding and deleting rules in Part 2.
-- Natorious