Still under construction, version 0.1, last update 2003/01/28
Iptables (3 pages)
What is Iptables?
Iptables is a command line tool to feed the Linux kernel 2.4 based firewall (netfilter) with rules. The netfilter architecture is built in a modular manner: new abilities can be loaded into the kernel as modules via insmod, so the architecture is open for modifications.
Besides its modular architecture, the netfilter firewall has one new ability that makes it ready to compete with the big firewalls on the market: state tracking. A stateful firewall is able to track the connection state of network connections. This makes the firewall faster, because only the packets that start a connection have to be checked against the rule set (the others are only checked against the state table), and it also makes it more secure, because you can filter out some types of portscans and traffic that does not belong to an established connection.
The new Linux firewall also has the chain concept of its predecessor ipchains. Chains are user-defined groups of rules you can pass packets to. That means that if a packet is matched by a rule, you do not have to accept or reject this packet, but can pass it to another chain for further inspection.
This chain concept has two advantages. First, it can reduce the complexity of your ruleset by dividing your rules into sets of general and specific ones. You can then pass packets from specific to general chains or vice versa.
The second advantage is that chains can make your firewall faster. Firewalls normally check against the rules sequentially, beginning with the first rule defined. The first rule that matches the characteristics of a network packet is applied to that packet, so it is accepted or rejected. The rules for the packets that occur most often should be at the top of the ruleset to gain performance. This will normally make the ruleset more complex, because rules that belong to the same service are separated. With chains, you can reduce the average number of comparisons of packets against rules by separating the stream of packets according to their characteristics.
Builtin Chains and Building Chains
You can think of a chain as a group of rules. Every packet that is passed to a chain is compared to the rules in that chain. If one rule matches, then a target is applied. This can be ACCEPT or DROP or another chain to which the packet is then passed. So you can build groups of rules that are connected, in some sense, like a real chain.
There are three builtin standard chains, namely INPUT, OUTPUT, and FORWARD. The names of the chains describe exactly what they are doing. The INPUT chain is responsible for all packets that are received by the firewall device. The OUTPUT chain is responsible for all packets leaving the firewall, and the FORWARD chain is responsible for passing packets from the INPUT to the OUTPUT chain, so basically it acts as a router.
If the firewall is not a personal firewall but acts as a router, every packet that goes through it first passes the INPUT chain, then the FORWARD one, then the OUTPUT chain. If iptables acts as a personal firewall, then every packet passes only the INPUT or the OUTPUT chain.
You can build new chains, for example to pass a packet from the INPUT chain to a user-defined chain for further inspection. The syntax is:
iptables -N <name>
Example 1 shows how to build a new chain with the name TCP_IN.
Example 1: Building a new chain
$ iptables -N TCP_IN
You can flush a chain (remove all rules from that chain) by using the -F option. The syntax is:
iptables -F <chain>
See example 2 for flushing the chain TCP_IN.
Example 2: Flushing a chain
$ iptables -F TCP_IN
If no chain is given, then all chains are flushed.
If you want to delete a chain, then you have to use the -X option. The syntax is:
iptables -X <chain>
See example 3 for deleting the chain TCP_IN.
Example 3: Deleting a chain
$ iptables -X TCP_IN
If no chain is given, then all chains are deleted.
Tables
I do not want to describe tables in much detail, because I will not use them explicitly in my examples (but implicitly they are used). Tables contain chains. Three builtin tables exist: filter, nat, and mangle. The table filter contains the standard builtin chains INPUT, OUTPUT, and FORWARD. nat is a special table used for network address translation, and mangle is a specialized table for packet alteration. If you are interested in learning more about it, read the related HOWTOs.
Targets
Target means the following: if a rule matches the characteristics of a packet (part of the network traffic), the firewall passes it to the defined target. Besides passing it to another chain for further inspection, you can use the builtin targets, which are ACCEPT, DROP, QUEUE, and RETURN. You can also put LOG into the group of targets. LOG prints out a log line via syslog if the packet matches, but instead of going on with the next packet, the firewall continues to compare the current packet with the ruleset in order to find a rule (or the default policy) that tells it what to do with the packet (accept or drop it).
ACCEPT simply means that the packet is accepted, and so it passes the firewall, whereas DROP means that the firewall will not let the packet pass. RETURN will pass a packet that has not matched any rule within a chain on to the next chain, and QUEUE will pass the packet to userspace. But the only targets that will be interesting for us are ACCEPT and DROP.
Targets are, with exceptions like the default policy, used with the following syntax:
iptables -A <chain> <rule specifications> -j <target>
So, in order to let all packets that are received by the firewall pass without checking for further specifics (the same as the default policy ACCEPT), see example 4.
Example 4: Setting a target for a rule
$ iptables -A INPUT -j ACCEPT
Default Policy
The default policy is the policy that is applied to a packet if no rule has matched. Of course, you have to relate the way you write your rules to the default policy chosen. There are mainly two ways. Either everything that is not explicitly allowed is denied, so the default policy will be drop or reject. Or everything that is not denied or rejected is allowed; in this case, the default policy would be accept.
Normally, it is easier (and also much safer) to define what traffic is allowed. And so the default policy is nearly always drop or reject. The syntax for defining a default policy is:
iptables -P <chain> <target>
In example 5, I set the default policies for INPUT, OUTPUT, and FORWARD to deny (DROP).
Example 5: Setting a default policy
$ iptables -P INPUT DROP
$ iptables -P OUTPUT DROP
$ iptables -P FORWARD DROP
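As an added, constructed illustration (not part of the original page), the following Python model plays through what the sections above describe: first-match rule evaluation, jumping from INPUT into the user-defined chain TCP_IN of examples 1 to 3, the non-terminating LOG target, RETURN, and the default policies of example 5 deciding packets that no rule matched. Packets are plain dicts and the match functions are assumptions of this model, not iptables match syntax; the reference check in delete_chain mirrors iptables refusing -X on a chain that is still in use.

```python
ACCEPT, DROP, RETURN, LOG = "ACCEPT", "DROP", "RETURN", "LOG"
BUILTIN = ("INPUT", "OUTPUT", "FORWARD")
class Firewall:
    def __init__(self):
        self.chains = {c: [] for c in BUILTIN}       # chain name -> list of (match, target)
        self.policy = {c: ACCEPT for c in BUILTIN}   # iptables starts with ACCEPT policies
        self.logged = []                             # what a LOG target would send to syslog
    def new_chain(self, name):               # iptables -N <name>
        self.chains[name] = []
    def flush(self, name):                   # iptables -F <chain>
        self.chains[name].clear()
    def delete_chain(self, name):            # iptables -X <chain>
        if name in BUILTIN or self.chains[name] or any(
                t == name for rules in self.chains.values() for _, t in rules):
            raise ValueError("only empty, unreferenced user-defined chains can be deleted")
        del self.chains[name]
    def set_policy(self, chain, target):     # iptables -P <chain> <target>
        self.policy[chain] = target
    def append(self, chain, match, target):  # iptables -A <chain> <spec> -j <target>
        self.chains[chain].append((match, target))
    def _walk(self, chain, pkt):
        # First match decides; LOG only records; RETURN or end of chain goes back to caller.
        for match, target in self.chains[chain]:
            if not match(pkt):
                continue
            if target == LOG:
                self.logged.append((chain, pkt))
                continue
            if target == RETURN:
                return None
            if target in (ACCEPT, DROP):
                return target
            verdict = self._walk(target, pkt)    # jump into a user-defined chain
            if verdict is not None:
                return verdict
        return None
    def verdict(self, builtin, pkt):
        # The builtin chain's default policy applies only when no rule decided.
        return self._walk(builtin, pkt) or self.policy[builtin]

def example_firewall():
    fw = Firewall()
    for c in BUILTIN: fw.set_policy(c, DROP)     # Example 5: deny by default
    fw.new_chain("TCP_IN")                       # Example 1
    fw.append("INPUT", lambda p: p["proto"] == "tcp", "TCP_IN")
    fw.append("TCP_IN", lambda p: p["dport"] == 22, ACCEPT)
    fw.append("TCP_IN", lambda p: p["dport"] == 23, LOG)    # logged, then keeps matching
    fw.append("TCP_IN", lambda p: p["dport"] == 23, DROP)
    fw.append("TCP_IN", lambda p: True, RETURN)             # anything else: back to INPUT
    return fw
```

A TCP packet to port 80 is handed back to INPUT by RETURN, finds no further rule there, and so falls to the DROP policy; switch the INPUT policy to ACCEPT and the same packet passes.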