Netfilter IPTables Mini Howto

From LinodeWiki

Overview

iptables splits packet handling into three tables, each of which contains a number of chains. The firewall rules we write are placed in a particular chain. The three tables are:

  1. filter: used for packet filtering
  2. nat: used to provide packet modification capabilities; NAT/PAT and IP masquerading
  3. mangle: used for setting packet options and marking packets for further filtering or routing

iptables Tables

filter Table

The filter table is the default table for any rule and is where the bulk of the work in an iptables firewall happens. Avoid filtering in any other table, as it may not work as expected.

This table contains three chains:

  1. INPUT: used for traffic entering the system that is destined for an IP address on the local machine
  2. OUTPUT: used for traffic that originated on the local system (the firewall itself)
  3. FORWARD: used for traffic being routed between two network interfaces on the firewall

There are three main targets for a rule within the filter table:

  1. ACCEPT: lets the packet through the firewall without any further interaction
  2. DROP: silently discards the packet as if it had never arrived
  3. REJECT: discards the packet and sends an ICMP reply back to the client telling it why the connection failed

nat Table

The Network Address Translation (nat) table is used to rewrite the source or destination address of packets. A system with a static IP address should use Source Network Address Translation (SNAT), since it uses fewer system resources. For hosts with a dynamic connection to the Internet, iptables also provides a masquerade feature: MASQUERADE uses the interface's current address for the translation.

mangle Table

The mangle table is used to alter certain fields in IP packet headers. It can change the Time to Live (TTL), change the Type of Service (TOS) field, or mark packets for later filtering or routing.

Basic Syntax

When writing rules, remember that the first rule in a chain that matches a packet decides its fate: that rule's target is applied and, for terminating targets such as ACCEPT, DROP and REJECT, no later rules in the chain are checked.

Append rules

The basic syntax of an iptables command is:

iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT

This appends a rule to the INPUT chain that matches any packet with a source address in the 10.0.0.0/8 netblock. A packet matching these criteria hits the ACCEPT target, which simply lets it through.

Insert rules

We can also insert a rule at a specific position in the chain, ensuring that it is checked before the rules below it. To do so we use -I instead of -A:

iptables -I INPUT 3 -s 10.0.0.0/8 -j ACCEPT

This inserts the rule into the third ‘slot’ (position) of the chain. If no slot number is given with -I, the rule is inserted at the top of the chain.

Remove rules

There are two ways to remove a rule from a chain:

  1. by its slot (position) number in the chain
  2. by repeating the options that were used when the rule was appended or inserted

To delete the first rule in the chain, we would do:

iptables -D INPUT 1

Or, to delete the rule we inserted above by repeating its options:

iptables -D INPUT -s 10.0.0.0/8 -j ACCEPT

If there are two rules in a chain with exactly the same options, -D deletes the first one it finds in the chain.

List rules

To list the rules currently loaded in the filter table, use:

iptables -nL

The -n flag prints addresses and ports numerically instead of resolving names; adding --line-numbers shows each rule's slot number, which is what -I and -D refer to.

Flush rules

To flush (delete) all the rules from every chain in the filter table, use:

iptables -F

Matching packets

We need to be able to clearly define which packets we want to block and which we want to allow through.

Address matching

The two most basic match conditions are:

  1. the source address of the packet (-s)
  2. the destination address of the packet (-d)

Note: these can be either individual IP addresses or whole netblocks.

If we wanted to block packets heading to 172.25.0.1 from anything on the 10.0.0.0/8 network, we would use:

iptables -A INPUT -s 10.0.0.0/8 -d 172.25.0.1 -j DROP

Protocol matching

We can also match on the protocol used (TCP, UDP, ICMP, etc.) and on the port or service used by that protocol. A common example is to reject connections to TCP port 113, which is used by identd:

iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

Note: the tcp-reset option to REJECT causes the client to reset its TCP connection to our system instead of waiting for a timeout.

We can combine the protocol match with a source or destination address in a single rule:

iptables -I INPUT -p tcp --dport 113 -s 10.0.0.0/8 -j ACCEPT


State matching

We can also specify a ‘match’ extension with the -m flag. This loads a kernel module that provides extra packet-matching capabilities; the most popular use is connection-tracking (state) matching.

The ‘state’ match recognises four connection states we can match against:

  1. ESTABLISHED: the packet belongs to a connection that is already up and running. If the connection originated within our network, it is tracked as ESTABLISHED as soon as the packet passes through our firewall on its way to the Internet.
  2. RELATED: the packet belongs to a connection opened alongside an existing one, as identified by a protocol helper module. The most common use is FTP, via the ip_conntrack_ftp.o module, which lets us track FTP connections back into our network properly: when we download from an FTP server, the server makes a TCP connection back to our system.
  3. NEW: the packet starts a new connection, i.e. one that the connection tracking system has not seen before.
  4. INVALID: the packet cannot be associated with any known connection, so such packets should generally be dropped.

As a basic rule, we want to allow all ESTABLISHED and RELATED packets into our network, and selectively allow NEW packets through depending on the destination port.

# Drop packets that cannot be associated with any connection
iptables -A INPUT -m state --state INVALID -j DROP
# Accept everything belonging to, or related to, connections we already track
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Selectively accept NEW connections, here only to SSH (port 22)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Everything else that is NEW is dropped; this rule must come last
iptables -A INPUT -m state --state NEW -j DROP
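As an added example (not from the original wiki page), the script below builds the stateful INPUT chain just described in the order that makes first-match-wins work, with a dry-run mode and a check that the catch-all NEW DROP does not shadow any per-port ACCEPT. The ipt wrapper, the DRY_RUN variable and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original wiki page: builds the stateful INPUT
# chain described above in the order that makes "first match wins" do the
# right thing. With DRY_RUN set, the commands are printed instead of run.

# ipt: runs iptables, or prints the command when DRY_RUN is non-empty.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# stateful_input_rules PORT...: appends the INPUT rules for the given
# numeric TCP ports. Every other NEW connection is dropped by the last rule.
stateful_input_rules() {
    # 1. INVALID packets are never legitimate, so they go first.
    ipt -A INPUT -m state --state INVALID -j DROP
    # 2. Packets of tracked connections are accepted early; they never reach
    #    the per-port checks, which keeps the chain short for most traffic.
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 3. One ACCEPT per service we expose (NEW connections only).
    for port in "$@"; do
        case "$port" in
            *[!0-9]*|'') echo "bad port: $port" >&2; return 1 ;;
        esac
        ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # 4. The catch-all for NEW must be last: placed any earlier, it would
    #    shadow the ACCEPT rules above and nothing could connect.
    ipt -A INPUT -m state --state NEW -j DROP
}

# check_new_order: reads "iptables -S INPUT" output (or the dry-run output)
# on stdin and fails when a "--state NEW -j ACCEPT" rule sits below the
# catch-all "--state NEW -j DROP", i.e. when it is shadowed by it.
check_new_order() {
    awk '
        /--state NEW -j DROP/   { drop = NR }
        /--state NEW -j ACCEPT/ { if (drop) shadowed++ }
        END { exit (shadowed > 0) }'
}
```

Run as root with, for example, `stateful_input_rules 22 80`; `iptables -S INPUT | check_new_order` then confirms the ordering on the live chain.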

Scripts

#!/bin/sh
#---------------------------------------------------------------
# Initialize all the chains by removing all the rules
# tied to them (filter, nat and mangle tables)
#---------------------------------------------------------------

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
 
#---------------------------------------------------------------
# The loopback interface should accept all traffic
# Necessary for X-Windows and other socket based services
#---------------------------------------------------------------
 
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
 
#---------------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface eth0 is the internet interface
#
# Zone transfers use TCP rather than UDP. Most home networks and
# websites using a single DNS server won't require TCP rules.
#
#---------------------------------------------------------------
 
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 \
         -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 \
         -j ACCEPT
 
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
 
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
         -j ACCEPT

#---------------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------------

iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 \
         -m state --state NEW -j ACCEPT

iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 \
         -m state --state NEW -j ACCEPT

#---------------------------------------------------------------
# Allow port 80 (www) and 443 (https) connections from the firewall
#---------------------------------------------------------------

# (No whitespace may follow a line-continuation backslash: a trailing
#  blank ends the command early and the remaining options fail.)
iptables -A OUTPUT -o eth0 -p tcp --sport 1024:65535 \
         -m multiport --dports 80,443 \
         -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------

iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED  \
         -i eth0 -p tcp

#---------------------------------------------------------------
# If a packet has not matched any rule above in the built-in
# chains, drop it. These catch-all rules act as the default
# policy; "iptables -P INPUT DROP" (and likewise for OUTPUT and
# FORWARD) would set the same default as a real chain policy.
#---------------------------------------------------------------

iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
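The script above applies its rules one at a time, so between the flush and the final DROP rules the host briefly has no filtering at all. As an added example that is not part of the wiki page, the following converts such a list of iptables commands into iptables-restore format and loads the whole ruleset in one atomic step; the function names are my own, "-t TABLE" is assumed to come directly after "iptables", and "iptables-restore --test" is assumed to be available.

```shell
#!/bin/sh
# Added example, not part of the wiki page's script: turns a list of
# "iptables ..." commands into iptables-restore format and commits the
# whole ruleset at once. Assumes "-t TABLE" directly follows "iptables".

# to_restore_format: reads iptables commands on stdin, prints restore format.
# Backslash continuations are joined (blanks after the backslash, which would
# break the shell, are tolerated). "--flush"/"-F" lines are dropped because
# iptables-restore already replaces every table named in its input.
to_restore_format() {
    awk '
        /^[ \t]*#/ { next }                        # comment line
        /^[ \t]*$/ { next }                        # blank line
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }
        {
            line = buf $0; buf = ""
            sub(/^[ \t]*iptables[ \t]+/, "", line)
            table = "filter"
            if (match(line, /^-t[ \t]+[a-z]+[ \t]+/)) {
                table = substr(line, 3, RLENGTH - 2)
                gsub(/[ \t]/, "", table)
                line = substr(line, RLENGTH + 1)
            }
            gsub(/[ \t]+/, " ", line); sub(/ $/, "", line)
            if (!(table in seen)) { seen[table] = 1; order[++n] = table }
            if (line ~ /^(-F|--flush)/) next
            rules[table] = rules[table] line "\n"
        }
        END {
            for (i = 1; i <= n; i++)
                printf "*%s\n%sCOMMIT\n", order[i], rules[order[i]]
        }'
}

# load_atomically FILE: validates the converted ruleset with
# "iptables-restore --test" (assumed available) before committing it, so a
# typo never leaves the host with a half-loaded ruleset.
load_atomically() {
    tmp=$(mktemp) || return 1
    to_restore_format < "$1" > "$tmp"
    if iptables-restore --test < "$tmp"; then
        iptables-restore < "$tmp"; rc=$?
    else
        echo "ruleset rejected by iptables-restore --test; nothing changed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Tables that only appear in a flush line (nat and mangle above) still get an empty "*table ... COMMIT" section, which is what clears them.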
