
iptables

iptables is part of the Netfilter project. Netfilter is a set of hooks in the Linux kernel's network stack at which packets can be inspected, altered, or discarded. iptables is both the userspace command and the table-and-chain structure that holds the rulesets those hooks apply to control packet filtering.

iptables is complex. It filters packets by the fields in IP, TCP, UDP, and ICMP packet headers, and also by the interface a packet arrives on or leaves by and by the state of the connection it belongs to. A number of different actions can be taken on each packet, so the key to iptables happiness is simplicity. Start with the minimum necessary to get the job done, then add rules as you need them. It's not necessary to build vast iptables edifices, and in fact, it's a bad idea: a large ruleset is difficult to maintain, and since every packet is compared against rules in order until one matches, it hurts performance too.

iptables Policies and Rules

Policies are the default actions applied to packets that reach the end of a built-in chain without matching any rule. A policy is set per built-in chain and can only be ACCEPT or DROP; the usual secure starting point is a DROP policy on INPUT with explicit rules for what you allow. Rules belong to chains, and chains belong to tables. There are three built-in tables you need to know: filter, NAT, and mangle (current kernels also have raw and security tables, which beginners can ignore). You will use the filter table the most, the NAT table a little, and the mangle table perhaps not at all (it is for advanced packet manipulation). Each table contains a number of built-in chains. You may also create custom chains. A chain is an ordered list of rules; each rule pairs a match (what the packet must look like) with a target that says what to do with packets that match. The target is given with the jump (-j) option, like this simple example that permits all loopback traffic with the ACCEPT target:

iptables -A INPUT -i lo -j ACCEPT

ACCEPT, DROP, and REJECT are terminating targets: once a packet matches a rule with one of them, no further rules in that chain are consulted, and if the chain was entered by a jump from another chain, the calling chain is finished with the packet too. Note that this ends processing only for the current table: a packet accepted in, say, the mangle table still goes through the NAT and filter tables afterwards. Rules can be run from the command line or put in a script. This is what each part of this rule means:

  • iptables = The iptables command
  • No table is specified, so the default filter table is used
  • -A INPUT = Append this rule to the built-in INPUT chain
  • -i lo = Apply this rule only to packets that arrive on interface lo (the loopback interface); -i names the input interface, so it is valid in the INPUT, FORWARD, and PREROUTING chains but not in OUTPUT, where -o (output interface) is used instead
  • -j ACCEPT = Jump to the built-in ACCEPT target, which lets the packet through: it is not checked against any further rules in this chain and continues to its destination (for INPUT, a local process)

iptables does stateful packet inspection, which is done via its connection tracking mechanism (conntrack). In other words, it knows if a packet is attempting to start a new connection (state NEW) or if it belongs to an existing one (ESTABLISHED), or is related to one, such as an ICMP error message for an existing connection (RELATED). Seeing packets in context is very powerful, and makes it possible to do a lot of work with a few rules. If you are running no public services, you can then easily block every packet from outside that tries to start a new connection, because nobody has a legitimate reason to connect to you, while still letting in the replies to connections your own host started. When you do run services such as SSH, FTP, or a web or mail server, iptables can allow new connections only to the ports of the services you are running, and reject all the rest. (FTP is the awkward case: its separate data connection is only recognized as RELATED when the nf_conntrack_ftp helper module is loaded.) You might block all outgoing connections initiated from your servers because they're only supposed to respond to connection attempts from the outside, not initiate them. These things would be difficult to do without stateful packet inspection.
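The following script is an added example, not code from the original page: a minimal stateful host firewall of the kind the paragraph above describes. It assumes the public interface is eth0 and that SSH (tcp/22) and HTTP (tcp/80) are the only services offered; both are assumptions to change for your host. Run it with the argument preview to print the commands it would issue, or apply (as root) to install them.

```sh
#!/bin/sh
# Minimal stateful host firewall for the filter table. Added example, not code
# from the original page. Assumes (change to suit) that the public interface is
# eth0 and the only services offered are SSH (tcp/22) and HTTP (tcp/80).
PUB_IF="${PUB_IF:-eth0}"

# Print instead of executing when DRY_RUN=1, so the ruleset can be reviewed
# before it is applied (applying requires root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_firewall() {
    # Start from an empty filter table (flush rules, delete user-defined chains).
    run iptables -F
    run iptables -X

    # Loopback traffic is always allowed.
    run iptables -A INPUT -i lo -j ACCEPT

    # The stateful core: accept any packet that belongs to a connection that was
    # already accepted, or is RELATED to one (ICMP errors; FTP data if the
    # nf_conntrack_ftp helper is loaded). This one rule covers all reply traffic.
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot classify (malformed, out of window) are dropped.
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

    # New connections are accepted only for the services we run, and only on
    # the public interface. Everything else falls through to the policy.
    for port in 22 80; do
        run iptables -A INPUT -i "$PUB_IF" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # Let the host be pinged, rate-limited so it cannot be used to flood us.
    run iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT

    # Log (rate-limited) what is about to hit the DROP policy; invaluable when a
    # rule is missing and something stops working.
    run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "

    # Policies last, so an existing SSH session is never cut off mid-rebuild.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    # A server that must never initiate connections (as the text describes) would
    # instead set OUTPUT to DROP and allow only lo, ESTABLISHED,RELATED, and the
    # few outbound services it genuinely needs (DNS, NTP, package updates).
}

case "${1:-}" in
    preview) DRY_RUN=1 apply_firewall ;;
    apply)   apply_firewall ;;
esac
```

The order of the rules matters: the ESTABLISHED,RELATED rule sits near the top so that the bulk of traffic (packets of connections already allowed) is accepted after one comparison, and only packets opening a new connection are compared against the per-service rules. Setting the DROP policies last means that if you run this over SSH, your session is covered by the ESTABLISHED rule before the policy changes.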

iptables is extensible with the addition of kernel modules (extra matches and targets), so iptables features vary by Linux distribution, kernel build, and user modifications. To see what your kernel was built with, check the CONFIG_NETFILTER*, CONFIG_NF_* and CONFIG_IP_NF_* options in your /boot/config-* file; lsmod shows which of those modules are loaded right now. Also check the output of iptables -V: on current distributions the iptables command is often a compatibility front end to nftables (it reports "nf_tables") rather than the legacy implementation, and rules loaded through one back end are not visible to the other, so do not mix them on one host. If you're not thrilled by the notion of managing a bunch of kernel modules (and iptables can use quite a few), build a custom kernel with the iptables functions you want built-in.

Tables

There are three tables you will work with in iptables. Any rules or custom chains that you create will go into one of these tables, selected with the -t option. The filter table is the default, used whenever -t is omitted, and is the one you'll use the most. You can think of it as the firewalling portion of iptables. The filter table contains these built-in chains:

INPUT
Processes incoming packets
FORWARD
Processes packets routed through the host
OUTPUT
Processes outgoing packets

The NAT table is used only to rewrite a packet's Source Address or Destination Address field (and, optionally, the port). If you have a single public, routable IP address in front of a LAN that uses private addresses, which is common, NAT (source NAT, or masquerading) translates the source IP addresses on outgoing packets to the public address. It doesn't matter if you have a hundred hosts sharing the connection: it will appear that all your traffic is coming from a single host. Conversely, destination NAT rewrites the destination of incoming packets, so a service running on a private address can be reached from the public network. Only the first packet of a connection is checked against the NAT table; connection tracking remembers the mapping and applies it (and the reverse translation for replies) to the rest of the connection automatically. The NAT table has these built-in chains:

PREROUTING
Alters incoming packets before routing (where destination NAT is done)
OUTPUT
Alters locally-generated packets before routing
POSTROUTING
Alters packets after routing, as they leave (where source NAT is done)
INPUT
Alters packets destined for the local machine, after routing (added in later 2.6 kernels; older documentation lists only the three chains above)
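Here is an added example, not code from the original page, of the two uses of the NAT table just described on a small gateway: masquerading a private LAN behind one public address, and publishing an internal web server with destination NAT. The interface names (eth0 public, eth1 LAN), the LAN prefix 192.168.1.0/24 and the web server address 192.168.1.10 are assumptions; change them to match your network. Run with the argument preview to print the commands, or apply (as root) to install them.

```sh
#!/bin/sh
# NAT gateway: masquerade a private LAN behind one public address, and publish
# an internal web server with DNAT. Added example, not code from the original
# page. Interface names, the LAN prefix and the web server address below are
# assumptions; change them to match your network.
PUB_IF="${PUB_IF:-eth0}"              # interface holding the public address
LAN_IF="${LAN_IF:-eth1}"              # interface facing the private LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # the private LAN
WEB_HOST="${WEB_HOST:-192.168.1.10}"  # internal web server to publish

# Print instead of executing when DRY_RUN=1 (applying requires root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

apply_nat_gateway() {
    # The kernel must be willing to route between the two interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1

    run iptables -t nat -F
    run iptables -F FORWARD

    # Outbound: rewrite the source of LAN packets leaving on the public interface
    # to that interface's current address. MASQUERADE is meant for interfaces
    # whose address can change (it also forgets connections when the interface
    # goes down); with a fixed public address, SNAT --to-source is the usual choice.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$PUB_IF" -j MASQUERADE

    # Inbound: rewrite the destination of packets for public port 80 to the web
    # server. This happens in PREROUTING so the routing decision sees the new
    # address and routes the packet out towards the LAN.
    run iptables -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_HOST:80"

    # The nat table only rewrites; the filter table still decides what may be
    # forwarded. Replies and related traffic in both directions first...
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ...then LAN hosts may open connections to the outside...
    run iptables -A FORWARD -i "$LAN_IF" -o "$PUB_IF" -s "$LAN_NET" -j ACCEPT
    # ...and the outside may open connections to the published server only. The
    # FORWARD chain runs after nat PREROUTING, so it matches the translated
    # (private) destination address, not the public one.
    run iptables -A FORWARD -i "$PUB_IF" -o "$LAN_IF" -p tcp -d "$WEB_HOST" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Everything else that would be forwarded is dropped.
    run iptables -P FORWARD DROP
}

case "${1:-}" in
    preview) DRY_RUN=1 apply_nat_gateway ;;
    apply)   apply_nat_gateway ;;
esac
```

The point to take away is the split of responsibilities: the NAT table rules rewrite addresses but allow nothing by themselves, and the FORWARD chain of the filter table sees addresses as they are after PREROUTING has translated them, which is why the last FORWARD rule matches on the private address of the web server.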

The mangle table lets you alter packet header fields other than the addresses (which are NAT's job) and attach kernel-internal marks to packets. Here are a few ideas for inspiration:

  • Change the TOS/DSCP field of packets for QoS (there are now better ways of managing QoS, but there it is)
  • MARK packets so that later rules, logging, policy routing (ip rule), or a tc queue discipline can treat them differently, for example to rate-limit one class of traffic
  • Adjust the TTL of packets with the TTL target

It has these built-in chains:

PREROUTING
Alters incoming packets before routing
OUTPUT
Alters locally generated packets before routing
INPUT
Alters packets destined for the local machine
FORWARD
Alters packets routed through the host
POSTROUTING
Alters packets on their way out, after routing

At each point where Netfilter hooks into the stack, the tables are consulted in a fixed order: mangle first, then NAT, and finally filter. So a packet coming into your host from the network goes through mangle PREROUTING and NAT PREROUTING, then the routing decision, and then either mangle INPUT and filter INPUT (if it is addressed to this host) or mangle FORWARD, filter FORWARD, mangle POSTROUTING and NAT POSTROUTING (if it is being routed on). Locally generated packets go through the OUTPUT chains of mangle, NAT, and filter, in that order, and then POSTROUTING.

User-defined chains can improve both performance and readability, because packets are compared against rules in the order they are listed and every rule that does not match still costs a little time. A chain of your own lets a single rule in a built-in chain send only the relevant packets (say, those starting a new connection) to a chain holding the service rules, so everything else skips that whole list instead of passing through a bunch of irrelevant rules first. A packet that reaches the end of a user-defined chain without matching, or that hits the RETURN target, goes back to the calling chain at the rule after the jump. And a sequence you need in several places, such as log-then-drop, can be written once in a custom chain and jumped to over and over instead of repeating its rules.
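The script below is an added example, not code from the original page, showing both uses of user-defined chains just described: a LOGDROP chain written once and jumped to from INPUT, and a SERVICES chain that only packets opening a new connection ever enter, so established traffic skips the whole service list. The chain names and the port list (22, 80, 443) are assumptions. Run with the argument preview to print the commands, or apply (as root) to install them.

```sh
#!/bin/sh
# User-defined chains: a reusable LOGDROP chain and a SERVICES chain that
# INPUT jumps to only for packets opening a new connection. Added example, not
# code from the original page; the chain names and port list are assumptions.

# Print instead of executing when DRY_RUN=1 (applying requires root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

apply_chains() {
    # -N fails if the chain already exists, so remove old rules and chains first.
    # -X with no argument deletes every user chain; a chain can only be deleted
    # once it is empty and nothing jumps to it, which the -F just arranged.
    run iptables -F
    run iptables -X

    # LOGDROP: log (rate-limited), then drop. Written once, usable from anywhere.
    # User chains have no policy, so the DROP must be an explicit final rule.
    run iptables -N LOGDROP
    run iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    run iptables -A LOGDROP -j DROP

    # SERVICES: the ports we accept new connections on. Only NEW packets enter
    # it (see the INPUT rule below), so packets of established connections are
    # never compared against any of these rules.
    run iptables -N SERVICES
    for port in 22 80 443; do
        run iptables -A SERVICES -p tcp --dport "$port" -j ACCEPT
    done
    # Nothing matched: RETURN sends the packet back to INPUT at the rule after
    # the jump (falling off the end of a user chain has the same effect).
    run iptables -A SERVICES -j RETURN

    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate NEW -j SERVICES
    # Anything that came back from SERVICES unmatched ends here.
    run iptables -A INPUT -j LOGDROP
    run iptables -P INPUT DROP
}

case "${1:-}" in
    preview) DRY_RUN=1 apply_chains ;;
    apply)   apply_chains ;;
esac
```

With this layout, adding a service is one line in SERVICES, and changing how rejected traffic is logged is one line in LOGDROP, without touching the INPUT chain at all.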
