Friday, June 8, 2012

iptables Basics

iptables is a Linux utility for packet filtering. In a nutshell, it examines each network packet against the rules defined in its tables and then decides what action to take on that packet.
There are multiple levels in iptables to deal with different scenarios. The highest level is tables, followed by chains and then rules. There are some predefined tables, and the user can also set up their own, but for basic usage the predefined tables are more than enough. These are the tables:
  1. filter (the default table), used, as the name suggests, to filter packets
  2. nat
  3. mangle
  4. raw
  5. security
As the names suggest, different tables are needed for different purposes. In this tutorial we are only going to learn about the filter table.
The next level is chains. Each of the above tables contains multiple chains. There are some built-in chains, and there can also be user-defined chains. The filter table contains the following built-in chains:
  1. INPUT --> Rules under this chain are applied to incoming packets addressed to this host
  2. OUTPUT --> Rules under this chain are applied to outgoing packets generated on this host
  3. FORWARD --> For packets being routed through this box
Each of these chains contains a set of rules, and each rule specifies a "target", which is the action to be performed on every packet that matches the rule. The target can be a user-defined chain or one of the following predefined values:
  1. ACCEPT
  2. QUEUE
  3. DROP
  4. RETURN
When a packet is received, the kernel determines the appropriate table and chain. It then checks the packet against each rule in the chain, in order. If a match is found, the target is executed and the check stops there, unless the target is another chain.
Now, let's look at some example commands.

  • sudo /sbin/iptables --line-numbers --list
Lists the chains of the selected table (filter, since no -t is given) and the rules under them, with a number in front of each rule.
  • sudo /sbin/iptables -A INPUT -j REJECT
Appends a rule to the INPUT chain of the default table filter to reject all incoming packets. The -j option stands for "jump to target". Print the list with the previous command and note down the rule number.

  • sudo /sbin/iptables -D INPUT 1
Deletes rule number 1 (the rule added above) from the INPUT chain of the default table filter.

  • sudo /sbin/iptables -I OUTPUT 1 -p tcp --dport 80 -j ACCEPT
Inserts a rule at position 1 of the OUTPUT chain in table filter, to allow all outgoing HTTP connection requests (TCP destination port 80).


The following table summarises some of the frequently used options.

iptables command switches

Switch                Description
-t <table>            Selects the table to operate on. If you don't specify a table, the filter table is assumed. As discussed before, the built-in tables include filter, nat and mangle.
-j <target>           Jump to the specified target (a built-in target or a chain) when the packet matches the current rule.
-A                    Append a rule to the end of a chain.
-F                    Flush: deletes all the rules in the selected table.
-p <protocol-type>    Match protocol. Types include icmp, tcp, udp and all.
-s <ip-address>       Match source IP address.
-d <ip-address>       Match destination IP address.
-i <interface-name>   Match the "input" interface on which the packet enters.
-o <interface-name>   Match the "output" interface through which the packet exits.



Common TCP and UDP match criteria

Switch                  Description
-p tcp --sport <port>   TCP source port. Can be a single value or a range in the format start-port:end-port.
-p tcp --dport <port>   TCP destination port. Can be a single value or a range in the format start-port:end-port.
-p tcp --syn            Used to identify a new TCP connection request. ! --syn means "not a new connection request".
-p udp --sport <port>   UDP source port. Can be a single value or a range in the format start-port:end-port.
-p udp --dport <port>   UDP destination port. Can be a single value or a range in the format start-port:end-port.
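As an added example that is not part of the original post, the following script combines the example commands and the switches from both tables into a minimal host firewall on the filter table. The admin network, the SSH port and the dry-run default (IPTABLES set to echo, so the commands are printed rather than applied) are assumptions of this example; run it as root with IPTABLES=/sbin/iptables to apply the rules for real.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal host firewall built
# only from the filter-table switches described above. IPTABLES defaults to
# a dry run that prints every command so the rule list can be reviewed
# first; run as root with IPTABLES=/sbin/iptables to apply it for real.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"

# Assumed values for this example: the management network allowed to open
# SSH sessions (an RFC 5737 documentation range) and the SSH port.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
SSH_PORT="${SSH_PORT:-22}"

apply_rules() {
    # No -t is given, so every command acts on the default filter table.
    # Flush both chains first so the script can be re-run safely.
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT

    # INPUT: loopback first, because local services depend on it.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # New connection requests (--syn) to SSH only from the admin network.
    $IPTABLES -A INPUT -p tcp --syn -s "$ADMIN_NET" --dport "$SSH_PORT" -j ACCEPT
    # Packets that are not new requests (! --syn) are treated as belonging to
    # connections this host opened. Without connection tracking (not covered
    # in this post) that cannot be verified, which is the limit of this setup.
    $IPTABLES -A INPUT -p tcp ! --syn -j ACCEPT
    # Replies to our own DNS lookups.
    $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
    # Rules are checked in order, so the catch-all DROP is appended last;
    # any rule appended after it would never be reached.
    $IPTABLES -A INPUT -j DROP

    # OUTPUT: DNS, HTTP and HTTPS may open connections, replies of accepted
    # inbound sessions (! --syn) may leave, everything else is rejected.
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp ! --syn -j ACCEPT
    $IPTABLES -A OUTPUT -j REJECT
}

# Show the numbered result; the numbers are what -D <chain> <number> expects.
show_rules() {
    $IPTABLES --line-numbers --list
}
```

In dry-run mode the output is the exact command list, which is worth reading top to bottom before applying: the order of the INPUT rules is what makes the final DROP safe.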
