iptables
- iptables
- netfilter
- The Linux kernel comes with a packet filtering framework named netfilter
- It allows you to allow, drop and modify traffic going in and out of a system.
- inside the Linux 2.4.x and later kernel series.
- Software inside this framework enables packet filtering, network address (and port) translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems.
- features
- stateless packet filtering (IPv4 and IPv6)
- stateful packet filtering (IPv4 and IPv6)
- all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 and IPv6)
- flexible and extensible infrastructure
- multiple layers of APIs for 3rd party extensions
- iptables is a generic table structure for the definition of rulesets.
- Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target)
- iptables provides different commands for these protocols: iptables for IPv4 and ip6tables for IPv6
- some abbreviations in iptables output
  - prot: protocol
  - opt: ?
  - dpt: destination port
  - ct: connect
- special options
  - -m: extended match (may load extension), with help from some modules
    - tcp
    - multiport
    - icmp
    - conntrack
    - limit: the job of this module is to place a limit on the number of packets passing through.
    - recent
    - hashlimit
    - owner: block traffic on a per user basis
    - state: replaced by conntrack
      - --ctstate: INVALID, NEW, ESTABLISHED, RELATED, UNTRACKED, SNAT, DNAT
- Unfortunately, it turns out that iptables rules aren’t persistent: they’re lost when you reboot your system.
- commands iptables-save and iptables-restore
- On distributions such as RHEL and CentOS, there’s a package named “iptables-services”
- delete all rules currently inserted: iptables -F
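The conntrack, limit, hashlimit and owner matches noted above, combined into one stateful ruleset written in the iptables-restore format that iptables-save produces, so it can be kept in the file iptables-services loads at boot. This is an added example, not from the original notes; the service ports, the uid 1001 and the file path in the usage note are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): emit a stateful IPv4 ruleset in
# iptables-restore format. Assumed: SSH on tcp/22, a web server on tcp/80 and
# tcp/443, and uid 1001 is an untrusted service account that must not open
# new outbound connections.

gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_LIMIT - [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
# conntrack replaces the old -m state: drop packets that fit no known flow,
# then accept anything that belongs to, or is related to, an existing flow
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# only NEW SSH connections visit the user-defined chain; RETURN comes back here
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_LIMIT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# LOG is non-terminating, so the DROP after it still runs; limit keeps logs sane
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "IPT-DROP: "
-A INPUT -j DROP
# hashlimit rates NEW SSH connections per source address; once the burst is
# used up the packet falls through to RETURN and hits the INPUT LOG/DROP tail
-A SSH_LIMIT -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 3/minute --hashlimit-burst 5 -j ACCEPT
-A SSH_LIMIT -m limit --limit 1/minute -j LOG --log-prefix "IPT-SSH-LIMIT: "
-A SSH_LIMIT -j RETURN
# owner match (OUTPUT only): the untrusted account may not start new flows
-A OUTPUT -m owner --uid-owner 1001 -m conntrack --ctstate NEW -j REJECT
COMMIT
EOF
}

# number of rules the ruleset installs into a given chain
count_chain_rules() {
    gen_ruleset | grep -c "^-A $1 "
}

gen_ruleset
```

Apply with `gen_ruleset > /etc/iptables.rules && iptables-restore < /etc/iptables.rules` (path assumed); `iptables -S INPUT` afterwards shows the same rule lines back.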
- commands
- netfilter
- concepts
- tables
  - a table is something that allows you to process packets in specific ways
  - The default table is the filter table, although there are other tables too.
  - tables have chains attached to them
  - on modern Linux distributions, there are four tables:
    - filter table: used to make decisions about whether a packet should be allowed to reach its destination
    - mangle table: to alter packet headers in various ways, such as changing TTL values
    - nat table: allows you to route packets to different hosts on NAT (Network Address Translation) networks by changing the source and destination addresses of packets
      - -j: target
        - DNAT: mainly used in cases where you have a public IP and want to redirect accesses to the firewall to some other host (on a DMZ for example). In other words, we change the destination address of the packet and reroute it to the host.
        - SNAT: changing the source address of packets
        - MASQUERADE: the MASQUERADE target is used basically the same as the SNAT target, but it does not require any --to-source option.
          - The reason for this is that the MASQUERADE target was made to work with, for example, dial-up connections, or DHCP connections, which get dynamic IP addresses when connecting to the network in question. This means that you should only use the MASQUERADE target with dynamically assigned IP connections, which we don’t know the actual address of at all times.
          - If you have a static IP connection, you should instead use the SNAT target.
        - REDIRECT
    - raw table
      - iptables is a stateful firewall, which means that packets are inspected with respect to their “state”
      - The raw table allows you to work with packets before the kernel starts tracking their state.
      - In addition, you can also exempt certain packets from the state-tracking machinery.
  - in addition, some kernels also have a security table. It is used by SELinux to implement policies based on SELinux security contexts.
  - each of these tables is composed of a few default chains
- chains
  - allow you to inspect traffic at various points
  - contain rules which associate with a target to match specific packets
  - a few default chains
    - PREROUTING chain: Rules in this chain apply to packets as they just arrive on the network interface.
      - This chain is present in the nat, mangle and raw tables.
    - INPUT chain: Rules in this chain apply to packets just before they’re given to a local process.
      - This chain is present in the mangle and filter tables.
    - OUTPUT chain: The rules here apply to packets just after they’ve been produced by a process.
      - This chain is present in the raw, mangle, nat and filter tables.
    - FORWARD chain: The rules here apply to any packets that are routed through the current host.
      - This chain is only present in the mangle and filter tables.
    - POSTROUTING chain: The rules in this chain apply to packets as they just leave the network interface.
      - This chain is present in the nat and mangle tables.
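Where the nat-table targets from the tables section sit among the chains just listed, as an added example that is not from the original notes: DNAT goes in PREROUTING (before the routing decision), MASQUERADE in POSTROUTING (after it, on a dynamic-address uplink), and the translated packets still have to pass the filter table's FORWARD chain. The interface names, the LAN prefix and the DMZ host address are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): ruleset for a NAT gateway.
# Assumed: eth0 is the dynamic-IP uplink (hence MASQUERADE rather than SNAT),
# eth1 faces the LAN 192.168.10.0/24, and the DMZ web host 192.168.10.80
# should receive public connections arriving on tcp/80.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.10.0/24
DMZ_WEB=192.168.10.80

gen_nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT rewrites the destination before routing, so it lives in PREROUTING
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB:80
# MASQUERADE rewrites the source after routing (POSTROUTING) and reads the
# uplink's current address itself; with a static address use SNAT --to-source
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# nat rules only translate; FORWARD (filter table) still decides whether the
# translated packet may be routed through this host
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# the DNAT'd packet reaches FORWARD already rewritten, so match the DMZ host
-A FORWARD -i $WAN_IF -o $LAN_IF -d $DMZ_WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# name of the chain the generated ruleset places a given target in
chain_for_target() {
    gen_nat_ruleset | grep -- " -j $1" | sed 's/^-A \([A-Z]*\) .*/\1/' | head -n 1
}

gen_nat_ruleset
```

Load with `gen_nat_ruleset | iptables-restore`; forwarding also needs `net.ipv4.ip_forward=1` set via sysctl.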
- targets
  - a target decides the fate of a packet, such as allowing or rejecting it
  - some targets are terminating: the packet won’t be matched against any other rules. The most commonly used terminating targets are:
    - ACCEPT
    - DROP: To anyone trying to connect to your system, it would appear like the system didn’t even exist.
    - REJECT: It sends a “connection reset” packet in case of TCP, or a “destination host unreachable” packet in case of UDP or ICMP.
  - non-terminating targets
    - LOG
    - RETURN: return to the parent chain and match the other rules there
- steps
  - When a packet arrives (or leaves, depending on the chain), iptables matches it against rules in these chains one-by-one. When it finds a match, it jumps onto the target and performs the action associated with it. If it doesn’t find a match with any of the rules, it simply does what the default policy of the chain tells it to. The default policy is also a target. By default, all chains have a default policy of allowing packets.
- tables
iptables --help
iptables v1.6.0
Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--wait -w [seconds] wait for the xtables lock
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
Valid ICMP Types
any
echo-reply (pong)
destination-unreachable
network-unreachable
host-unreachable
protocol-unreachable
port-unreachable
fragmentation-needed
source-route-failed
network-unknown
host-unknown
network-prohibited
host-prohibited
TOS-network-unreachable
TOS-host-unreachable
communication-prohibited
host-precedence-violation
precedence-cutoff
source-quench
redirect
network-redirect
host-redirect
TOS-network-redirect
TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
ttl-zero-during-transit
ttl-zero-during-reassembly
parameter-problem
ip-header-bad
required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply
nftables
- nftables replaces the popular {ip,ip6,arp,eb}tables. This software provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queueing and logging subsystem.