iptables utility
links: SPA TOC - Linux Firewall - Index
Overview
- the utility iptables is used to set up, view, delete and modify chains and their rules
- more information: iptables -h or man 8 iptables
- version of iptables: iptables -V
Tables
- use -t to specify a table (see generic tables)
- if no table is specified, the filter table is chosen automatically
iptables -t filter # specifies filter table
iptables -t nat # specifies nat table
Listing of chains and rules
- use -L to list all rules of a selected chain
- use -v (verbose) to list interface names, packet and byte counters, ...
- use -n (numeric) to display IP addresses and port numbers in numeric format -> by default, iptables tries to resolve addresses and port numbers into host/network/service names, which can be time consuming
- use --line-numbers to print line/rule numbers
iptables -t filter -L # rules of the filter table
iptables -t nat -L -v # verbose rules of the nat table
iptables -t mangle -L -n # rules of the mangle table in numeric format
Set default policy
- use -P to set the default policy of a built-in chain -> be aware that not all tables have all chains (see iptables table architecture)
iptables -t nat -P OUTPUT ACCEPT # set default policy of OUTPUT chain in nat table
User-defined chains
- use -N to create a user-defined chain
- use -X to delete a user-defined chain (the chain must be empty and not referenced by any rule)
- use -E to rename a user-defined chain
iptables -t nat -N mynat # create new chain "mynat" in nat table
iptables -X junk # delete user-defined chain "junk" from filter table
iptables -t mangle -E test work # rename chain "test" to "work" in mangle table
Flush chains, reset counters
- use -F (flush) to flush a chain (clears all custom rules from the chain and returns it to its default state!)
- use -Z (zero) to set all counters of a chain to zero
iptables -t nat -F PREROUTING # flush PREROUTING chain of nat table
iptables -t mangle -Z INPUT # reset counters of INPUT chain of mangle table
Save and restore rule sets
- use the commands iptables-save and iptables-restore
iptables-save # write to STDOUT
iptables-save > rulefile # save to file
iptables-restore < rulefile # restore from file
iptables-restore rulefile # restore from file
Rules
Rules of a chain can be modified using the following options:
- -A, --append chain <rule-specification>
- -D, --delete chain <rule-specification>
- -D, --delete chain rulenum
- -I, --insert chain [rulenum] <rule-specification>
- -R, --replace chain rulenum <rule-specification>
- rulenum can be found out using --line-numbers
- <rule-specification> contains the packet matching rule and can be very complex
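To see how the rule-number options behave (insertion shifts the rules below it, deletion renumbers the rest, replacement keeps the position), here is an added example, not from the page: a single chain is emulated as a text file with one rule per line, and each chain_* function mirrors one of the options above. It never calls iptables; the function names and CHAIN_FILE are this example's own.

```shell
#!/bin/sh
# Added example, not from the page: a one-chain emulation kept in a text file
# (one rule per line) to show how -A, -I, -D and -R act on rule numbers.
# It never calls iptables; the chain_* names and CHAIN_FILE are this example's own.
CHAIN_FILE="${CHAIN_FILE:-$(mktemp)}"

chain_count() { awk 'END { print NR }' "$CHAIN_FILE"; }

# -F: flush the chain
chain_flush() { : >"$CHAIN_FILE"; }

# -L --line-numbers: list rules with their current numbers
chain_list() { awk '{ printf "%d %s\n", NR, $0 }' "$CHAIN_FILE"; }

# -A <rule-specification>: append at the end of the chain
chain_append() { printf '%s\n' "$*" >>"$CHAIN_FILE"; }

# -I [rulenum] <rule-specification>: insert at rulenum (default 1, the head);
# the rule previously at that number and everything below move down by one
chain_insert() {
    case "$1" in
        *[!0-9]*|'') num=1 ;;
        *) num=$1; shift ;;
    esac
    rule=$*
    count=$(chain_count)
    if [ "$num" -lt 1 ] || [ "$num" -gt $((count + 1)) ]; then
        echo "chain_insert: index $num out of range (1..$((count + 1)))" >&2
        return 1
    fi
    # awk -v expands backslash escapes, so rule text must not contain backslashes
    awk -v n="$num" -v r="$rule" \
        'NR == n { print r } { print } END { if (n == NR + 1) print r }' \
        "$CHAIN_FILE" >"$CHAIN_FILE.tmp" && mv "$CHAIN_FILE.tmp" "$CHAIN_FILE"
}

# -D rulenum: delete by number; -D <rule-specification>: delete the first
# rule whose text is identical to the specification
chain_delete() {
    case "$1" in
        *[!0-9]*|'')
            awk -v r="$*" '!done && $0 == r { done = 1; next } { print }' \
                "$CHAIN_FILE" >"$CHAIN_FILE.tmp" ;;
        *)
            [ "$1" -ge 1 ] && [ "$1" -le "$(chain_count)" ] || {
                echo "chain_delete: no rule number $1" >&2; return 1; }
            awk -v n="$1" 'NR != n' "$CHAIN_FILE" >"$CHAIN_FILE.tmp" ;;
    esac
    mv "$CHAIN_FILE.tmp" "$CHAIN_FILE"
}

# -R rulenum <rule-specification>: replace the rule at that number in place
chain_replace() {
    num=$1; shift
    [ "$num" -ge 1 ] 2>/dev/null && [ "$num" -le "$(chain_count)" ] || {
        echo "chain_replace: no rule number $num" >&2; return 1; }
    awk -v n="$num" -v r="$*" 'NR == n { print r; next } { print }' \
        "$CHAIN_FILE" >"$CHAIN_FILE.tmp" && mv "$CHAIN_FILE.tmp" "$CHAIN_FILE"
}
```

The practical lesson is the one the page hints at with --line-numbers: a rule number is only valid for the chain as it is right now, so list immediately before deleting or replacing by number, and prefer -D with the full rule specification in scripts that run repeatedly.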
Rule specification
The following options can be used to define packet matching filter rules:
- -p, --protocol [!] protocol
- -s, --source [!] address[/mask]
- -d, --destination [!] address[/mask]
- -i, --in-interface [!] name
- -o, --out-interface [!] name
The target of a rule is defined using the -j (jump) option (available targets):
- -j, --jump target
Match extensions
- iptables can use extended packet matching modules
- they can be specified either:
  - implicitly using the option -p, --protocol, or
  - explicitly using the option -m, --match followed by the name of an extension module
- depending on the module, more extra command line options become available
- multiple modules can be specified in one rule
- use ! before the module name to invert the match of packets
Stateless rules
# allow SSH access to the local system
iptables -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 22 --dport 1024:65535 \
! --tcp-flags ACK,RST,SYN,FIN SYN -j ACCEPT
Explanation of the second rule:
- -A OUTPUT: add the rule to the OUTPUT chain of the filter table (matching packets that are generated by the host machine itself and are on their way out)
- -p tcp: apply the rule to TCP protocol packets
- -m tcp: invokes the TCP module for additional match options
- --sport 22: match source port 22
- --dport 1024:65535: destination port range
- ! --tcp-flags ACK,RST,SYN,FIN SYN: negated tcp-flags match. It matches packets that do not have the SYN flag set while having any combination of the ACK, RST and FIN flags.
- This rule matches packets that are part of an established connection, excluding the initial packet trying to establish a new connection
# forward DNS queries and zone transfers (originating from net 192.0.2.0/24)
iptables -A FORWARD -s 192.0.2.0/24 -p tcp -m tcp --sport 1024:65535 \
--dport 53 -j ACCEPT
iptables -A FORWARD -d 192.0.2.0/24 -p tcp -m tcp --sport 53 \
--dport 1024:65535 ! --syn -j ACCEPT
iptables -A FORWARD -s 192.0.2.0/24 -p udp -m udp --sport 1024:65535 \
--dport 53 -j ACCEPT
iptables -A FORWARD -d 192.0.2.0/24 -p udp -m udp --sport 53 \
--dport 1024:65535 -j ACCEPT
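The --tcp-flags option takes two lists: the first is the mask of flags to examine, the second the flags that must be set among them, and flags outside the mask are ignored. The following added example, not from the page, evaluates that test in plain sh arithmetic so the negated SSH rule above can be tried against sample flag combinations; the bit values are the TCP header flag bits, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the page: evaluates the mask/comp test behind
# --tcp-flags in plain sh arithmetic, so the negated rule above can be tried
# against sample flag combinations. The bit values are the TCP header flag bits;
# the function names are this example's own.

# map a comma-separated flag list such as "ACK,SYN" to its bit set
flags_bits() {
    bits=0
    old_ifs=$IFS
    IFS=,
    for f in $1; do
        case "$f" in
            FIN) bits=$((bits | 1)) ;;
            SYN) bits=$((bits | 2)) ;;
            RST) bits=$((bits | 4)) ;;
            PSH) bits=$((bits | 8)) ;;
            ACK) bits=$((bits | 16)) ;;
            URG) bits=$((bits | 32)) ;;
            ALL) bits=63 ;;
            NONE) ;;
            *) IFS=$old_ifs; echo "flags_bits: unknown flag $f" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs
    echo "$bits"
}

# --tcp-flags MASK COMP: only the flags in MASK are examined, and of those
# exactly the ones in COMP must be set; flags outside MASK are ignored
tcp_flags_match() {
    mask=$(flags_bits "$1") && comp=$(flags_bits "$2") && pkt=$(flags_bits "$3") || return 2
    [ $((pkt & mask)) -eq "$comp" ]
}

# the second SSH rule: ! --tcp-flags ACK,RST,SYN,FIN SYN
# returns 0 (match) for everything except a bare SYN, 1 for a bare SYN
established_out_match() {
    tcp_flags_match ACK,RST,SYN,FIN SYN "$1"
    case $? in
        0) return 1 ;;
        1) return 0 ;;
        *) return 2 ;;
    esac
}

# print a small table of sample packets against the negated rule
demo() {
    for pkt in SYN SYN,ACK ACK PSH,ACK FIN,ACK RST; do
        if established_out_match "$pkt"; then verdict=ACCEPT; else verdict="no match"; fi
        printf '%-8s -> %s\n' "$pkt" "$verdict"
    done
}
demo
```

Running the table shows that only the bare SYN (the connection request) is excluded; a SYN,ACK reply, data segments with ACK or PSH,ACK, and the FIN,ACK teardown all pass. The --syn shorthand used in the DNS forwarding rules above is the tcp module's alias for --tcp-flags SYN,RST,ACK,FIN SYN, so ! --syn is the same test as the one evaluated here.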
Stateful rules
- use of the Connection Tracking Subsystem
- available states
# allow ssh access to local system
iptables -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 \
-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 22 --dport 1024:65535 \
-m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.0.2.0/24 -m conntrack --ctstate RELATED,ESTABLISHED \
-j ACCEPT
iptables -A FORWARD -s 192.0.2.0/24 -m conntrack --ctstate NEW \
-p tcp -m tcp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A FORWARD -s 192.0.2.0/24 -m conntrack --ctstate NEW \
-p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
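The stateful rules above and the iptables-save / iptables-restore section fit together: a rule set that is meant to survive a reboot is usually kept in the save-file format rather than as a list of iptables commands. Here is an added example, not from the page, that emits those rules as an iptables-restore file and sanity-checks it before it is applied. The DROP policies and the loopback rules are this example's additions; LAN_NET defaults to the page's 192.0.2.0/24 and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the page: emit the stateful rules above as a file in
# iptables-save format, ready for iptables-restore. The DROP policies and the
# loopback rules are this example's additions; LAN_NET defaults to the page's
# 192.0.2.0/24 and the function names are this example's own.
LAN_NET="${LAN_NET:-192.0.2.0/24}"

# print the filter table; lines starting with '#' are ignored by iptables-restore
gen_ruleset() {
    net=${1:-$LAN_NET}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# ssh access to the local system
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# forwarded DNS from the LAN, plus replies and related traffic back in
-A FORWARD -d $net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $net -m conntrack --ctstate NEW -p tcp -m tcp --sport 1024:65535 --dport 53 -j ACCEPT
-A FORWARD -s $net -m conntrack --ctstate NEW -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
COMMIT
EOF
}

# number of -A rule lines in the generated set
count_rules() { gen_ruleset "$@" | grep -c '^-A '; }

# static sanity check before handing the file to iptables-restore: every -A
# line must name a chain declared with ':' in the same table, and the table
# must end with COMMIT; prints the first problem found and fails otherwise
ruleset_ok() {
    gen_ruleset "$@" | awk '
        BEGIN      { bad = 0; committed = 0 }
        /^\*/      { for (k in declared) delete declared[k]; committed = 0 }
        /^:/       { sub(/^:/, ""); declared[$1] = 1 }
        /^-A /     { if (!($2 in declared)) { print "undeclared chain: " $2; bad = 1 } }
        /^COMMIT$/ { committed = 1 }
        END        { if (!committed) { print "missing COMMIT"; bad = 1 } exit bad }'
}

# write the set to a file for a later "iptables-restore < rulefile"
save_ruleset() {
    out=$1; shift
    gen_ruleset "$@" >"$out"
}
```

Apply the generated file with iptables-restore < rulefile as in the save/restore section; newer iptables-restore versions also accept --test to parse the file without committing it. Because iptables-restore loads a table atomically, a single bad line (typically a rule that names a chain not created in the same file) aborts the whole table, which is why the check above runs first.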
iproute2 policy routing
- we can mark packets for the iproute2 policy routing