Introducing iptables part 1

This article is an overview of the Linux kernel firewall for IPv4 as configured with iptables, concentrating on the Filter table. It is aimed at beginner to intermediate Linux users and introduces the basic configuration concepts.


What is "iptables"?

The iptables program lets slice admins configure the Linux kernel firewall (netfilter). It is the tool to reach for when you need to block, filter, manipulate or redirect network traffic. iptables handles IPv4 only; IPv6 has its own ip6tables command with the same syntax, which we'll save for a future article. In this article we'll cover the Filter table, the one that decides whether a packet is allowed through at all. One caveat for newer distributions: the iptables command there may be a compatibility front end over nftables. The commands in this article work the same way, and iptables -V tells you which backend you are on.

Fun stuff... If you've followed one of our previous distro setup articles, you've probably already gotten your feet wet a bit.

How's it work then?

In this section we'll go over how to look at your current iptables ruleset.

You need root privileges to use iptables, since the rules live in the kernel. To list your current rules:

sudo /sbin/iptables -L

The default setup is usually an empty rule set and would look something like:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If you're using CentOS, Fedora or RHEL, the default iptables rules would look something like:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

And if you have followed our initial setup articles, the list output should show the ruleset from that article and look something like:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8         reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:30000
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
LOG        all  --  anywhere             anywhere            limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

iptables rules are grouped into Chains. A Chain is an ordered list of rules that decides what happens to a packet. A packet is checked against the chain's rules from top to bottom, and the first rule that matches decides its fate, with one exception: LOG only writes a log entry and lets the packet carry on to the next rule. That is why the LOG rule above sits immediately before the final REJECT: anything that gets that far is about to be rejected, so it is logged first. If no rule matches, the chain's policy applies; that is the "(policy ACCEPT)" in each chain header. Note that every ruleset shown above keeps policy ACCEPT and relies on a catch-all REJECT as the last rule, so if the rules are ever flushed the slice is wide open rather than locked down. The listing shows the three built-in Chains of the Filter table: INPUT, FORWARD and OUTPUT.

The INPUT Chain holds the rules for packets destined for the local slice. The FORWARD Chain is for packets passing through the slice (routing and the like). The OUTPUT Chain is for packets originating from the slice.

The target column is what happens to a packet that matches the rule: ACCEPT lets it through, REJECT discards it and sends an ICMP error (the reject-with text) back to the sender, DROP, which is not used above but is the other common choice, discards it silently, and LOG records it in the kernel log. The prot column is the network protocol; common values are tcp, udp, icmp and all. The opt column holds fragment flags and is normally just --. The source and destination columns are where the packet comes from and where it is going; "anywhere" means 0.0.0.0/0, any address. The trailing text on each line is any extra match (connection state, destination port, ICMP type, rate limit) or target option (reject-with, the LOG prefix and level).

By default -L resolves addresses and ports to names, which is why you see "anywhere" and "ssh" rather than 0.0.0.0/0 and 22. That costs DNS lookups and can hang when the resolver is unreachable, so for a plain numeric listing add the '-n' flag. Two more flags are worth knowing: -v adds the in and out interface columns plus packet and byte counters (without it a rule that matches only the loopback interface prints as a bare "ACCEPT all -- anywhere anywhere", which looks like it accepts everything), and --line-numbers numbers the rules so you can refer to one when deleting it.

sudo /sbin/iptables -L -n

The output then looks something like:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            127.0.0.0/8         reject-with icmp-port-unreachable 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:30000 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied: ' 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0  
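As an added example (not code from the original article), here is a small POSIX sh script that reads rules in the iptables-save format used in the next section and prints, for the INPUT chain, the interface match and target of each rule, which is exactly what a plain -L listing leaves out. It also counts ACCEPT rules that carry no match at all, since one of those silently turns every rule after it into dead code. The rule dump embedded in it is constructed to resemble the listing above; it is an assumption about the real rules file, not a copy of it, and RULES_FILE is this example's own variable.

```shell
#!/bin/sh
# Added example, not from the original article: show what "iptables -L"
# leaves out. Reads rules in iptables-save format and, for the filter INPUT
# chain, prints each rule's interface match and target, then counts ACCEPT
# rules that have no match at all.
set -e
set -f   # no pathname expansion while we split rule lines into words

# Constructed sample modelled on the listing in the article. It is an
# assumption about the real rules file, not a copy of it.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT'

# Read a dump on stdin; print "<n> iface=<match> target=<target>" for every
# INPUT rule. "!lo" means every interface except lo; "any" means the rule
# has no interface match, which -L without -v cannot tell apart from lo.
input_rules_with_iface() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            "-A INPUT "*) ;;
            *) continue ;;
        esac
        n=$((n + 1))
        iface=any; target=none; neg=""
        set -- $line                      # split the rule into words
        while [ $# -gt 0 ]; do
            case "$1" in
                '!') neg='!' ;;           # "! -i lo" negates the next match
                -i)  iface="$neg$2"; neg=""; shift ;;
                -j)  target="$2"; shift ;;
                *)   neg="" ;;
            esac
            shift
        done
        printf '%2d  iface=%-6s target=%s\n' "$n" "$iface" "$target"
    done
}

# Count INPUT rules of the form "-A INPUT -j ACCEPT": an accept with no
# match at all, after which no later rule in the chain is ever reached.
count_blanket_accepts() {
    grep -c -E '^-A INPUT +-j +ACCEPT *$' || true
}

# With no RULES_FILE set the constructed sample is used. On a real slice:
#   sudo sh -c '/sbin/iptables-save > /tmp/rules' && RULES_FILE=/tmp/rules sh show-input.sh
if [ -n "${RULES_FILE:-}" ]; then
    rules=$(cat "$RULES_FILE")
else
    rules=$SAMPLE_RULES
fi
printf '%s\n' "$rules" | input_rules_with_iface
printf 'blanket ACCEPT rules in INPUT: %s\n' \
    "$(printf '%s\n' "$rules" | count_blanket_accepts)"
```

Run against the sample, the first two lines come out as iface=lo and iface=!lo: the two rules that -L prints identically as "all -- anywhere anywhere" are the loopback accept and the rule that rejects loopback addresses arriving on any other interface.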

Backup and Restore

Before making any changes to your configuration it's always a good idea to have a backup. The iptables-save program writes the live rules out in a form iptables-restore can load again:

sudo sh -c '/sbin/iptables-save > /etc/iptables.save'

This saves your current iptables configuration to /etc/iptables.save. The sh -c and the quotes are necessary so that the output redirection also runs as root. Without them only iptables-save runs under sudo, while the redirect into /etc is done by your own unprivileged shell and fails with 'permission denied'.

Now if something goes wrong you can put the saved rules back with the iptables-restore program:

sudo /sbin/iptables -F
sudo sh -c '/sbin/iptables-restore < /etc/iptables.save'

The 'iptables -F' flushes the rules currently loaded in the filter table. It is not strictly required here, because iptables-restore replaces the contents of every table it loads anyway (unless you pass --noflush), but it makes the reset explicit. Keep in mind that -F removes rules only, not chain policies: with the policy ACCEPT used throughout this article a flushed slice accepts everything until the restore completes, and with a policy of DROP you would lock yourself out instead. Never flush a DROP-policy host over SSH without a way back in.

Here is our example iptables rules file. Opening it in a text editor shows a series of rule lines, which we will go over in Part 2. It is essentially the output of iptables-save with some comments added for clarity. You can load it, and so reproduce the configuration listed above, with:

sudo sh -c '/sbin/iptables-restore < iptables.txt'

Keep the file in exactly the form iptables-save writes it: a *filter line, the chain policy lines, the rules, and a closing COMMIT line, with only comments (lines starting with #) in between. Any stray text before or after that block makes iptables-restore fail, and the table is only applied when iptables-restore reaches the COMMIT line.

You should now be able to verify that the rules have been restored:

sudo /sbin/iptables -L
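The following script is an added example, not the original article's or any distribution's own tooling. It checks that a rules file has the shape iptables-restore expects before loading it, then loads it with a watchdog that restores the previous rules after a timeout unless you confirm, which is the safety net you want when editing the firewall of a slice you can only reach over SSH. The script name iptables-apply.sh, the subcommands apply and confirm, and the pid file /tmp/iptables-rollback.pid are this example's own choices; /etc/iptables.save is the backup path used above.

```shell
#!/bin/sh
# Added example, not from the original article: validate a rules file and
# load it with an automatic rollback. Usage (run as root):
#   sh iptables-apply.sh apply iptables.txt 60   # load, roll back in 60 s
#   sh iptables-apply.sh confirm                 # keep the new rules
set -e

BACKUP=/etc/iptables.save            # same path the article backs up to
PIDFILE=/tmp/iptables-rollback.pid   # this example's own choice

# A rules file must look like iptables-save output: a *filter header, chain
# policy lines, -A rules, optional # comments, blank lines, and a closing
# COMMIT. Anything else is a parse error in iptables-restore, and without
# COMMIT the table is never applied.
validate_rules_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: not found" >&2; return 1; }
    grep -q '^\*filter$' "$f" || { echo "$f: no *filter header" >&2; return 1; }
    bad=$(grep -v -E '^(\*[a-z]+|:[A-Za-z0-9_-]+ +[A-Z-]+ +\[[0-9]+:[0-9]+\]|-[AIN] .*|#.*|COMMIT| *)$' "$f" || true)
    if [ -n "$bad" ]; then
        printf '%s: not a rule line: %s\n' "$f" "$bad" >&2; return 1
    fi
    last=$(grep -v -E '^(#| *$)' "$f" | tail -n 1)
    [ "$last" = "COMMIT" ] || { echo "$f: does not end with COMMIT" >&2; return 1; }
    return 0
}

# Save the live rules, start the watchdog, then load the new file.
# The watchdog is started first so that it survives even if the new rules
# cut this SSH session off. iptables-restore replaces the filter table
# itself, so no separate "iptables -F" is needed.
apply_with_rollback() {
    f=$1; timeout=${2:-60}
    validate_rules_file "$f"
    /sbin/iptables-save > "$BACKUP"
    nohup sh -c "sleep $timeout && /sbin/iptables-restore < $BACKUP" \
        >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    /sbin/iptables-restore < "$f"
    echo "rules loaded; run 'sh $0 confirm' within $timeout s to keep them"
}

# Cancel the pending rollback once you have checked you still have access.
confirm_rules() {
    [ -f "$PIDFILE" ] || { echo "no pending rollback" >&2; return 1; }
    kill "$(cat "$PIDFILE")" \
        || { echo "rollback already ran (or was never started)" >&2; return 1; }
    rm -f "$PIDFILE"
    echo "rollback cancelled; new rules kept"
}

case "${1:-}" in
    apply)   apply_with_rollback "$2" "${3:-60}" ;;
    confirm) confirm_rules ;;
    *)       # no arguments: just exercise the validator on a constructed file
             tmp=$(mktemp)
             printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
                 '-A INPUT -i lo -j ACCEPT' 'COMMIT' > "$tmp"
             validate_rules_file "$tmp" && echo "sample rules file: ok"
             rm -f "$tmp" ;;
esac
```

After 'apply', open a second SSH session to the slice; if it connects, run 'confirm' from either session before the timeout. If it does not, just wait: the watchdog reloads /etc/iptables.save and the old rules come back on their own.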

Continuing on to Part 2

Now that we know what we're looking at, let's move on to the basic syntax for adding and deleting rules in Part 2.

-- Natorious