Wednesday, December 14, 2011

IP Packet Filtering: iptables Explained For Beginners

iptables is the userspace tool for configuring the Linux kernel's packet filter (netfilter); the filtering itself is done in the kernel. Strictly speaking an IP filter works at the network layer of the TCP/IP stack, but iptables can also match on data-link information (the interface a packet arrived on, MAC addresses) and on transport-layer headers (TCP/UDP ports, TCP flags). In broad terms, iptables consists of tables, each table consists of chains, and each chain is an ordered list of rules.
Default tables are:
  1. Raw
  2. Mangle
  3. NAT
  4. Filter
Default chains are (yes, they are written in upper case):
  1. PREROUTING: used by raw, mangle and nat tables
  2. INPUT: used by mangle and filter tables (and, since kernel 2.6.34, by nat as well)
  3. FORWARD: used by mangle and filter tables
  4. OUTPUT: used by raw, mangle, nat and filter tables
  5. POSTROUTING: used by mangle and nat tables
I'll discuss the filter table here. It is the one most commonly used, but if you are interested in the others you can find a detailed tutorial at frozentux. The filter table uses three chains: INPUT, FORWARD and OUTPUT.
  • INPUT chain is for packets addressed to your own machine. The reply to an HTTP request made by your browser goes through INPUT.
  • OUTPUT chain is for packets generated by your machine. The HTTP request made by your browser goes through OUTPUT.
  • FORWARD chain is for packets your machine receives that are not addressed to it and are routed on to another host. A packet traverses either INPUT or FORWARD, never both. This chain only matters when the machine acts as a gateway (or something similar) and IP forwarding is enabled.
Every iptables rule consists of matching criteria and, normally, a "target" (given with -j) that is executed when a packet matches. A rule with no target still matches, but only updates its packet and byte counters. Following are the most common targets:
  • ACCEPT: the packet leaves this chain as accepted and continues on its way (to the local application for INPUT, out of the interface for OUTPUT, towards its next hop for FORWARD).
  • DROP: the packet is discarded silently. No information regarding the drop is sent to the sender.
  • REJECT: the packet is discarded and an error is sent back to the sender (an ICMP port-unreachable by default; --reject-with tcp-reset sends a TCP RST instead).
  • LOG: packet details are written to the kernel log, from where syslogd picks them up. LOG is non-terminating: the next rule is still evaluated, so a LOG rule is normally followed by a DROP or REJECT for the same traffic.
  • DNAT: rewrites the destination IP (and optionally port) of the packet. Only valid in the nat table, in PREROUTING and OUTPUT.
  • SNAT: rewrites the source IP of the packet. Only valid in the nat table, in POSTROUTING. (MASQUERADE is the variant for interfaces with a dynamic address.)
The first four are the ones used in the filter table. Now let us discuss some of the common criteria:
  • -p <protocol>: matches the protocol: tcp, udp, icmp, or all (the default). A numeric protocol number also works.
  • -s <ip_addr>: matches the source IP address; a single host or a CIDR range such as 192.168.1.0/24.
  • -d <ip_addr>: matches the destination IP address, same syntax.
  • --sport <port>: matches the source port. It is an option of the tcp and udp match modules, so it is only valid after -p tcp or -p udp.
  • --dport <port>: matches the destination port, same restriction. A range is written low:high.
  • -i <interface>: matches the interface the packet entered on. Only valid in INPUT, FORWARD and PREROUTING, since a locally generated packet has no input interface.
  • -o <interface>: matches the interface the packet will exit through. Only valid in OUTPUT, FORWARD and POSTROUTING.
Any criterion can be negated with !, for example ! -s 192.168.1.0/24.
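The two nat targets and the FORWARD chain only come into play on a gateway, which this post does not cover, so here is a compact gateway ruleset as an added example (it is not the post's own code, and the post continues with the filter table below). The topology is assumed: eth0 faces the Internet with the public address 203.0.113.10, eth1 faces the LAN 192.168.1.0/24, and 192.168.1.10 runs a web server that should be reachable from outside on the gateway's port 80. The names gen_gateway_rules, dnat_targets_forwardable and the APPLY switch are mine. The ruleset is in iptables-restore format, and the function prints it rather than loading it unless APPLY=1 is set, so it can be reviewed and tested without root.

```shell
#!/bin/sh
# Gateway example (added, not from the post): DNAT, SNAT and the FORWARD chain.
# Assumed topology: eth0 faces the Internet with public address 203.0.113.10,
# eth1 faces the LAN 192.168.1.0/24, and 192.168.1.10 runs a web server that
# should be reachable from outside on the gateway's port 80.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IP="${WAN_IP:-203.0.113.10}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_SRV="${WEB_SRV:-192.168.1.10}"

# Print the ruleset in iptables-restore format (lines starting with # are
# ignored by iptables-restore, so the comments can stay in).
gen_gateway_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT happens in PREROUTING, before the routing decision, so the rewritten
# packet is routed to the LAN host and traverses FORWARD, not INPUT
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
# SNAT happens in POSTROUTING, after routing: LAN hosts leave with the public IP.
# MASQUERADE would be used instead if the WAN address were dynamic.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
# NAT only rewrites addresses; the filter table still has to permit forwarding.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# the DNAT'd packet is matched on its rewritten destination
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SRV -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# REJECT with a TCP reset makes refused connections fail fast instead of hanging
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -j REJECT
COMMIT
EOF
}

# A classic mistake is a DNAT rule with no matching FORWARD rule: the packet is
# rewritten and then killed by the FORWARD policy. This check returns 0 only if
# every DNAT destination in the ruleset has a FORWARD ACCEPT rule for it.
dnat_targets_forwardable() {
    for dst in $(gen_gateway_rules | sed -n 's/.*-j DNAT --to-destination \([0-9.]*\):.*/\1/p'); do
        gen_gateway_rules | grep -q -- "^-A FORWARD .*-d $dst .*-j ACCEPT" || return 1
    done
    return 0
}

if [ "${APPLY:-0}" = 1 ]; then
    dnat_targets_forwardable || { echo "DNAT destination without FORWARD rule" >&2; exit 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null   # forwarding is off by default
    gen_gateway_rules | iptables-restore         # loads both tables atomically
else
    gen_gateway_rules                            # dry run: print what would be loaded
fi
```

Both tables are loaded in one iptables-restore call, so the DNAT rule and the FORWARD rule that permits its traffic appear together; loading them with separate iptables commands would leave a window where one exists without the other.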
Now we know enough to start building our rules. Let us write some for a few hypothetical (or real) situations. The default policy of a built-in chain is the verdict applied to packets that match none of its rules; it is set with the -P flag. We will deny everything by default and then open only what is needed. The -t filter is optional, since filter is the default table. One caveat: if you are doing this over SSH, the moment the INPUT policy becomes DROP your session is cut off unless a rule allowing it already exists. Either add the ACCEPT rules first and set the policies last, or load the whole ruleset atomically with iptables-restore.
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP


Now we'll allow this machine to accept HTTP and SSH connections. Because both policies are DROP, each service needs two rules: incoming requests match in INPUT on the destination port, and the server's replies match in OUTPUT on the source port. Note the -j ACCEPT: a rule without a target matches but takes no action, so it only updates its counters and the packet still falls through to the DROP policy.
iptables -A INPUT  -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT

Note that the -A flag appends the rule to the end of the chain. -I inserts it at the top (or at a given position), -D deletes a rule and -F flushes a whole chain. Nothing is overwritten implicitly: a rule stays in the chain until it is deleted or flushed, so running a script twice produces duplicate rules unless the script flushes first.

Also assume that my machine acts as an FTP server, so I should allow connections to port 21 (the control connection) and port 20 (the data connection in active mode, which the server itself opens towards the client from source port 20). In OUTPUT the interface is matched with -o; -i is only accepted where the packet has an input interface (INPUT, FORWARD, PREROUTING) and iptables rejects it elsewhere.
iptables -A INPUT  -i eth0 -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 21 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 20 -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp --dport 20 -j ACCEPT
Passive-mode FTP negotiates a random high port for every data connection, which stateless rules like these cannot anticipate; that case needs the nf_conntrack_ftp helper and a connection-tracking (RELATED) match.


Also I would say that I trust my internal network. -p all is the default and can be omitted. The rule is only as strong as its interface match: a source address is trivial to spoof, so on a machine with a separate Internet-facing interface the rule must name the internal interface, not the public one.
iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -j ACCEPT
iptables -A INPUT  -i eth0 -s 192.168.1.0/24 -j ACCEPT

So this is how my final iptables script looks. Two things are new compared with the pieces above: the loopback rules, because with a DROP policy anything talking to 127.0.0.1 (a local DNS cache, a database) would otherwise break, and the policies are set last, so a remote session is not cut off before its ACCEPT rule exists:

iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 21 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 20 -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp --dport 20 -j ACCEPT
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP

Note that rules are evaluated in order. The first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate and nothing after it is read. LOG, and rules without a target, are non-terminating: they do their job (or merely update their counters) and evaluation continues with the next rule. The policy is applied only to packets that reach the end of the chain without a terminating match. Order therefore matters: an ACCEPT for the trusted network placed after a rule that drops everything would never be reached.
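Here is the same policy written the way I would actually deploy it, as an added example rather than the post's own script. It keeps the post's assumptions (eth0 is the only interface, 192.168.1.0/24 is the trusted network, the box runs a web server, sshd and an FTP server); the names gen_filter_rules, allows_ssh, rule_line and the APPLY switch are mine. Two changes over the stateless version: the connection-tracking match means only the first packet of each allowed connection has to be listed, since replies in either direction are covered by one ESTABLISHED,RELATED rule per chain, and the ruleset is loaded with iptables-restore, which replaces the table atomically so there is no moment at which the DROP policy is active but the ACCEPT rules are not. The script also refuses to load a ruleset that would not admit SSH, and the rules are only printed, never applied, unless APPLY=1 is set.

```shell
#!/bin/sh
# Stateful version of the post's filter-table script (added example, not the
# original). Assumed: eth0 is the only interface and 192.168.1.0/24 is the LAN.
# gen_filter_rules only prints iptables-restore text; nothing touches the kernel
# unless APPLY=1 is set, so the ruleset can be reviewed and tested as a user.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

gen_filter_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback must always work or local services (DNS cache, databases) break
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies and related traffic for anything already allowed, in both directions;
# with nf_conntrack_ftp loaded this also covers passive-mode FTP data channels
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# trusted LAN: placed early because the first terminating match wins
-A INPUT -i $WAN_IF -s $LAN_NET -j ACCEPT
-A OUTPUT -o $WAN_IF -d $LAN_NET -j ACCEPT
# services offered to everyone: only the first packet (NEW) needs listing
-A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# active-mode FTP data: the server opens this connection from port 20
-A OUTPUT -o $WAN_IF -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
# outbound client traffic this host itself needs: DNS lookups and HTTP requests
-A OUTPUT -o $WAN_IF -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# ICMP errors are needed for path-MTU discovery and sane diagnostics
-A INPUT -p icmp -j ACCEPT
# everything else: log at a bounded rate (LOG does not stop evaluation), then drop
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "filter INPUT drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# Lock-out guard: succeed only if the ruleset admits new ssh on the WAN side.
allows_ssh() {
    gen_filter_rules | grep -q -- "^-A INPUT -i $WAN_IF .*--dport 22 .*-j ACCEPT"
}

# Line number of the first rule matching a pattern; used to assert rule order.
rule_line() {
    gen_filter_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

if [ "${APPLY:-0}" = 1 ]; then
    allows_ssh || { echo "refusing to apply: ruleset would block ssh" >&2; exit 1; }
    gen_filter_rules | iptables-restore   # atomic: policy and rules land together
else
    gen_filter_rules                      # dry run: print what would be loaded
fi
```

The explicit -A INPUT -j DROP at the end is redundant with the policy; it is there so the LOG rule just before it can be placed deliberately and so the chain reads the same whether or not somebody later changes the policy. Run the script as a normal user to see the ruleset, and as root with APPLY=1 to load it.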

5 comments:

  1. Thank you very much sir for sharing the important article

  2. thanks for sharing this article , but do you have any tutorial explaining the mangle table ?

  3. Too many compliments too little space, thanks! Networking Basics

  4. Can you please explain the commands below?

    iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

    Replies
    1. First rule is for allowing new or already established connections to your webserver.

      The second rule is for allowing your webserver to communicate back to the end user; if you disable this rule the end user will not be able to receive information back from your server.

