Iptables
The iptables command is a piece of software that filters packets at the kernel stack layer. The filter can be configured to perform certain actions when certain conditions are met (e.g. drop traffic) and therefore can be useful as a software firewall as well as for routing.
Contents
Basic command line
- Interface
- Addresses
- Basic examples
Conditions
Networking tables
- nat
- filter
Firewall Chains
- Input chain
- Output chain
- Forward chain
Routing Chains
- Prerouting
- Postrouting
Actions
Firewall Actions:
- Drop
- Reject
- Accept
Routing Options:
- SNAT
- DNAT
- Masquerade
Additional Modules
Introduction
By default, IPtables have 3 traffic chains, these chains are INPUT, OUTPUT and FORWARD. These chains can be viewed by typing, iptables -nL, as root. This will also show all of the firewall rules. The commands INSERT of APPEND can be used when adding to a firewall.
- INSERT puts the rule at the BEGINNING of the chain.
- APPEND puts the rule at the END of the chain.
iptables -A INPUT .... - would append a rule to the INPUT chain. Additionally, each chain has a default policy, which can be accessed with -P.
An example of a default firewall:
root ~ # iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
Analyzing this, all chains have the ACCEPT policy. To whitelist traffic, the chains need to be given DROP policies and then whitelist traffic with ACCEPT rules. There are several options that IPtables provides for reacting to traffic. These are specified with -j and can be DROP, REJECT, ACCEPT, LOG, etc. DROP means ignore the traffic and leave it be and REJECT means to politely request that the packet be returned to sender. REJECT for the TCP protocol has addition features, using -p allows specification of a protocol. You can select the type of traffic rejection using --reject-with.
IPtables allows ports to be selectively blocked by matching strings or headers. It's a stateful firewall, meaning packets can be blocked containing a string, useful for some types of DDoS attacks as all the traffic with a particular HTTP user-agent or going to a particular URL can be dropped. REJECT should not be used if there is a chance of being DDoS'd as the traffic should just be DROP(ed). During a DDoS, REJECT will cause the outbound pipe to be spammed with TCP resets if the traffic isn't dropped. Using REJECT can induce clogging of both inbound and outbound pipes during a DDoS and result in server hell.
Example
iptables -I INPUT -p tcp -s 10.0.0.3 -j REJECT --reject-with icmp-host-unreachable
The -s switch is the source flag specifying the source IP address. Remember: During a DDoS attack traffic should be dropped instead:
iptables -I INPUT -s 10.0.0.3 -j DROP
IPtables Module
As a side note, the IPtables modules is needed in the kernel:
ip_tables ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state
These modules would be a useful starting point, remember to modprobe them unless they are built into kernel.
Using this, IPtables can be made to run string matches with ipt_string and QoS with ipt_conntrack. IPtables has a ton of modules so mileage depends on the depth of the search.
Pre-warning: One wrong move with IPtables can result in dropping all traffic to/from the box so it is suggested to make a script with a 5 minute timeout to restore the IPtables config to it's previous state before making any changes. This will ensure that configuration can be tested and in the event of failure, always have a chance of recovery.
If whitelisting traffic on a webserver is desired, the following would be run:
iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -I INPUT -j ACCEPT -p tcp --dport 80 iptables -I INPUT -j ACCEPT -p tcp --sport 80
This should only be done if physical access is available to the machine, otherwise the machine will prevent external access as SSH packets will be dropped. In a configuration like this, port 22 for SSH will need to be whitelisted as well as any other ports required for day to day server usage.
The -p flag of IPtables designates protocol, options are: tcp, udp, icmp, or all. When using the -p flag, two additional arguments can be used: --sport and --dport, source port and destination port respectively. --sport or --dport cannot be used without the -p option.
-i specifies which interface to apply the rule to.
-A for the chain you want to add it to. INPUT for ingress traffic (ie. from an external source), and OUTPUT for traffic going out, (ie egress.) FORWARD for traffic routed through the machine.
FORWARD rules are complex and frustrating, with dozens of better solutions but IPtables is a nice, lightweight and scalable method. Writing the rules are more difficult for routing, if traffic isn't going to be forwarded, "iptables -P FORWARD DROP" is the command to use.
IPtables can be used to build a router, using a box as a router or gateway, kind of like a Linksys but with a Linux machine. Similar to connecting the box to the Internet and having a switch behind it. Additionally, it would become a router because it would route the packets through to the internal network. IPtables is firewall software and also supports CIDR notation. CIDR notation is a simplified method of representing classless subnet masks (ie. /26 as opposed to 255.255.255.192.) This allows very large range of networks inside of a 10.* (or 10.0.0.0/8) subnet to exist, making routing easier. There are 32 bits in an IP address, and the number of significant bits there are in the network can be specified (4 bytes total for the IP address, let's it be held in a CPU register).
