Difference between revisions of "Iptables"

From NetSec

Revision as of 08:40, 5 September 2011

1.0 - Introduction

By default, IPtables has 3 traffic chains: INPUT, OUTPUT and FORWARD. You can view these chains, together with all of your firewall rules, by running iptables -nL as root. When adding a firewall rule you can either INSERT it or APPEND it.

  • INSERT puts the rule at the BEGINNING of the chain.
  • APPEND puts the rule at the END of the chain.

iptables -A INPUT .... would append a rule to the INPUT chain. Additionally, each chain has a default policy, which you can view with iptables -nL and set with -P.

An example of a default firewall:

root ~ # iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Looking at this output, all chains have the ACCEPT policy. To whitelist traffic, you give the chains DROP policies and then whitelist the traffic you want with ACCEPT rules. IPtables provides several targets for reacting to traffic. These are specified with -j and can be DROP, REJECT, ACCEPT, LOG, etc. DROP means silently discard the packet and leave it at that; REJECT means discard it and politely tell the sender the packet was refused. REJECT has additional options for the TCP protocol: -p lets you specify a protocol, and --reject-with lets you select the type of rejection sent back.

IPtables allows you to selectively block ports by matching strings or headers. It's a stateful firewall, and you can block any packet containing a given string, which is useful for some types of DDoS attack as you can drop all the traffic with a particular HTTP user-agent or going to a particular URL. You don't want to use REJECT if there is a chance of being DDoS'd; you really just want to DROP the traffic. During a DDoS, REJECT will cause your outbound pipe to be spammed with TCP resets if the traffic isn't dropped. Using REJECT can result in both the inbound and outbound pipes clogging during a DDoS, and in server hell.

1.1 - Example

iptables -I INPUT -p tcp -s -j REJECT --reject-with icmp-host-unreachable

The -s switch is the source flag, specifying the source IP address. Remember: during a DDoS attack you might want to DROP such traffic instead.

1.2 - Side Note - IPtables Module

As a side note, you need the IPtables modules in your kernel:


These modules are a useful starting point; remember to modprobe them unless they are built into the kernel.

With these loaded, you can make IPtables run string matches with ipt_string and QoS with ipt_conntrack. IPtables has a ton of modules, so your mileage depends on how deep you search.

Pre-warning: one wrong move with IPtables can drop all traffic to and from the box, so before making any changes it is suggested that you make a script with a 5 minute timeout that restores your IPtables config to its previous state. This ensures that you can test the configuration and always have a chance of recovery.

If you wanted to whitelist traffic on a webserver, you would run:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -I INPUT -j ACCEPT -p tcp --dport 80
iptables -I OUTPUT -j ACCEPT -p tcp --sport 80    # replies leave from port 80, so this rule belongs on OUTPUT

Obviously, you will only want to do this if you have physical access to the machine; otherwise you will be locked out, as SSH packets will be dropped. In a configuration like this, you need to whitelist port 22 for SSH as well as any other ports required for day-to-day server usage.
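The two pieces of advice above (keep a 5 minute rollback timer, and whitelist SSH alongside the web port) fit naturally into one script. The following is an added example, not code from the original wiki page: it generates the webserver whitelist in iptables-restore format (INPUT and OUTPUT policy DROP, ACCEPT for the web port and the SSH port in both directions, plus a loopback rule that this page does not mention but that most services need), saves the running ruleset with iptables-save, and schedules iptables-restore of that saved copy after a delay. The IPT_SAVE and IPT_RESTORE variables default to the real tools and are overridable only so the logic can be exercised without root; the port numbers and file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): webserver whitelist plus a
# rollback timer so a bad rule cannot lock you out for more than $delay seconds.

IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}

# Print a whitelist ruleset in iptables-restore format.
# $1 = web port (default 80), $2 = SSH port (default 22).
# Inbound traffic is accepted only to the two service ports; outbound traffic
# is accepted only from them (replies leave with the service port as source).
webserver_ruleset() {
  web=${1:-80}; ssh=${2:-22}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p tcp --dport $web -j ACCEPT
-A OUTPUT -p tcp --sport $web -j ACCEPT
-A INPUT -p tcp --dport $ssh -j ACCEPT
-A OUTPUT -p tcp --sport $ssh -j ACCEPT
COMMIT
EOF
}

# Save the currently loaded ruleset to file $1 so it can be restored later.
save_rules() {
  "$IPT_SAVE" > "$1"
}

# Start a background timer that restores the ruleset in file $1 after $2 seconds.
# Prints the timer's PID; cancel it once you have confirmed the new rules work
# (for example by opening a fresh SSH session from another host).
# stdout/stderr are redirected so the timer does not keep a caller's pipe open.
schedule_rollback() {
  ( sleep "$2" && "$IPT_RESTORE" < "$1" ) >/dev/null 2>&1 &
  echo $!
}

# Cancel a timer started by schedule_rollback.
cancel_rollback() {
  kill "$1" 2>/dev/null
}

# Usage, as root (paths and ports are assumptions):
#   save_rules /root/iptables.before
#   pid=$(schedule_rollback /root/iptables.before 300)   # 5 minute safety net
#   webserver_ruleset 80 22 | iptables-restore
#   ... test access from another machine; if it works:
#   cancel_rollback "$pid"
```

If the new rules do lock you out, do nothing: when the timer fires, iptables-restore reloads the saved copy and access returns. The same pattern works for any risky change, not just the webserver whitelist, since the restore file is whatever iptables-save captured beforehand.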

The -p flag of IPtables designates the protocol; the options are tcp, udp, icmp, or all. When using -p, you can then use two additional arguments, --sport and --dport, for source port and destination port respectively. You cannot use --sport or --dport without the -p option.

-i specifies which interface the rule applies to.

-A selects the chain you want to add the rule to: INPUT for ingress traffic (i.e. from an external source), OUTPUT for traffic going out (i.e. egress), and FORWARD for traffic routed through your machine.

FORWARD rules are complex and frustrating, and there are dozens of better solutions, but IPtables is a nice, lightweight and scalable method. Writing rules for routing is more difficult; if you aren't going to be forwarding any traffic, "iptables -P FORWARD DROP" is the way to go.

You can use IPtables to build a router, using your box as a router or gateway, kind of like a Linksys but with a Linux machine: similar to connecting the box to the Internet and having a switch behind it. It becomes a router because it routes the packets through to the internal network. IPtables is firewall software and also supports CIDR notation. CIDR notation is a simplified method of representing classless subnet masks (i.e. /26 rather than writing out the whole mask). This allows you to have a very large range of networks inside a 10.* subnet, making routing a little easier. There are 32 bits in an IP address, and you specify how many significant bits belong to the network (4 bytes total for the IP address, which lets it be held in a CPU register).
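The CIDR arithmetic behind a rule like -s 10.0.0.0/8 is worth seeing worked through, because it is exactly the test the firewall performs: a /N prefix means the top N of the 32 address bits are the network part, and a packet matches when (packet address AND mask) equals (rule address AND mask). The following is an added example in POSIX shell, not code from the original page; it computes the dotted-quad mask for a prefix, the network address of an address/prefix pair, the block size, and whether an address falls inside a block. The sample addresses and blocks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): CIDR arithmetic in shell.
# An IPv4 address is 32 bits; /N keeps the top N bits as the network part.

# Dotted quad -> 32-bit integer, e.g. 10.1.2.3 -> 167838211
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> mask as an integer. /0 is handled separately because a
# 32-bit shift of a 32-bit value is not portable across shells.
prefix_to_mask() {
  if [ "$1" -eq 0 ]; then
    echo 0
  else
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
  fi
}

# Dotted-quad mask for a prefix, e.g. 26 -> 255.255.255.192
cidr_mask() {
  int_to_ip "$(prefix_to_mask "$1")"
}

# Network address of "addr/prefix", e.g. 10.1.2.3/8 -> 10.0.0.0
cidr_network() {
  addr=${1%/*}; prefix=${1#*/}
  int_to_ip $(( $(ip_to_int "$addr") & $(prefix_to_mask "$prefix") ))
}

# Number of addresses in a /prefix block, e.g. 26 -> 64
cidr_size() {
  echo $(( 1 << (32 - $1) ))
}

# Exit 0 if address $1 lies inside CIDR block $2, i.e. the same comparison
# iptables makes for "-s block" or "-d block".
cidr_contains() {
  net=${2%/*}; prefix=${2#*/}
  mask=$(prefix_to_mask "$prefix")
  [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$net") & $mask )) ]
}

# Demo on constructed sample blocks.
for block in 10.0.0.0/8 192.168.1.192/26; do
  prefix=${block#*/}
  echo "$block: mask $(cidr_mask "$prefix"), network $(cidr_network "$block"), $(cidr_size "$prefix") addresses"
done
```

A /8 block such as 10.0.0.0/8 covers 16777216 addresses, which is why the page says a 10.* subnet leaves room for a very large range of internal networks; a /26 covers only 64. When writing a rule, cidr_network tells you the address iptables will actually store for a block, and cidr_contains lets you check which hosts a proposed -s or -d match would cover before loading it.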