iptables utility

Overview

  • the utility iptables is used to set up, view, delete and modify chains and their rules
  • more information: iptables -h or man 8 iptables
  • version of iptables: iptables -V

Tables

  • use -t to specify a table (see generic tables)
  • if no table is specified, the filter table is chosen automatically
iptables -t filter # specifies filter table
iptables -t nat    # specifies nat table

Listing of chains and rules

  • use -L to list all rules of a selected chain
  • use -v (verbose) to list interface name, packets, byte counters, ...
  • use -n (numeric) to display IP addresses and port numbers in numeric format \(\rightarrow\) by default, iptables tries to resolve addresses and port numbers into host/network/service names, which can be time-consuming
  • use --line-numbers to print line/rule numbers
iptables -t filter -L    # rules of the filter table
iptables -t nat -L -v    # verbose rules of the nat table
iptables -t mangle -L -n # rules of the mangle table in numeric format

Set default policy

  • use -P to set up a default policy of a built-in chain \(\rightarrow\) be aware, not all tables have all chains (see iptables table architecture)
iptables -t nat -P OUTPUT ACCEPT # set default policy of OUTPUT chain in nat table

User-defined chains

  • use -N to create a user-defined chain
  • use -X to delete a user-defined chain
  • use -E to rename a user-defined chain
iptables -t nat -N mynat        # create new chain "mynat" in nat table
iptables -X junk                # delete user-defined chain "junk" from filter table
iptables -t mangle -E test work # rename chain "test" to "work" in mangle table

Flush chains, reset counters

  • use -F (Flush) to flush a chain (delete all rules from the chain so it is back in its empty, default state; the policy set with -P is not changed!)
  • use -Z (Zero) to set all counters of a chain to zero
iptables -t nat -F PREROUTING # flush PREROUTING chain of nat table
iptables -t mangle -Z INPUT   # reset counters of INPUT chain of mangle table

Save and restore rule sets

  • use the commands iptables-save and iptables-restore
iptables-save               # write to STDOUT
iptables-save > rulefile    # save to file
iptables-restore < rulefile # restore from file
iptables-restore rulefile   # restore from file
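As an added example that is not part of the original notes, here is a small Python parser for the text that iptables-save writes and iptables-restore reads: one *table block per table, chain headers of the form ":CHAIN POLICY [packets:bytes]", rule lines starting with -A, and COMMIT. The dump it parses is constructed, and the audit helper lists built-in chains whose default policy (set with -P) is still ACCEPT.

```python
import re

# Constructed iptables-save dump (not from a real host), in the format iptables-save writes and
# iptables-restore reads: '*table', chain headers ':NAME POLICY [pkts:bytes]', '-A' rules, 'COMMIT'.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12:1440]
:mychain - [0:0]
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
"""

# ':CHAIN POLICY [packets:bytes]'; user-defined chains print '-' in place of a policy.
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule lines]}} for a dump."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and the '# Generated by' header
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif current is None:
            raise ValueError(f"line before any *table header: {line}")
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if not m:
                raise ValueError(f"malformed chain header: {line}")
            current["policies"][m.group(1)] = m.group(2)
        elif line.startswith("-"):
            current["rules"].append(line)  # iptables-save emits rules as '-A CHAIN ...'
        elif line != "COMMIT":
            raise ValueError(f"unexpected line: {line}")
    return tables


def chains_with_accept_policy(tables, table="filter"):
    """Built-in chains of `table` whose default policy is ACCEPT, a quick audit of the -P settings."""
    policies = tables.get(table, {}).get("policies", {})
    return sorted(chain for chain, policy in policies.items() if policy == "ACCEPT")
```

On a real host the same functions can be fed the output of iptables-save read from standard input instead of SAMPLE_DUMP.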

Rules

Rules of a chain can be modified using the following options:

  • -A, --append chain <rule-specification>
  • -D, --delete chain <rule-specification>
  • -D, --delete chain rulenum
  • -I, --insert chain [rulenum] <rule-specification>
  • -R, --replace chain rulenum <rule-specification>

  • rulenum can be determined by listing the chain with --line-numbers

  • <rule-specification> contains the packet matching rule and can be very complex

Rule specification

The following options can be used to define packet matching filter rules:

  • -p, --protocol [!] protocol
  • -s, --source [!] address[/mask]
  • -d, --destination [!] address[/mask]
  • -i, --in-interface [!] name
  • -o, --out-interface [!] name

The target of a rule is defined using the -j (jump) option (available targets):

  • -j, --jump target

Match extensions

  • iptables can use extended packet matching modules
  • they can be specified either:
    • implicitly using the option -p, --protocol or
    • using the option -m, --match followed by the name of an extension module
  • depending on the module, more extra command line options become available
  • multiple modules can be specified in one rule
  • use ! before the module name to invert the match of packets

Figure: iptables match extension modules

Stateless rules

# allow SSH access to the local system
iptables -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 22 --dport 1024:65535 \
    ! --tcp-flags ACK,RST,SYN,FIN SYN -j ACCEPT

Explanation of second rule:

  • -A OUTPUT: add rule to the OUTPUT chain of the filter table (matching packets that are generated by the host machine itself and are on their way out)
  • -p tcp: apply rule to TCP protocol packets
  • -m tcp: invokes the TCP module for additional match options
  • --sport 22: match source port 22
  • --dport 1024:65535: destination port range
  • ! --tcp-flags ACK,RST,SYN,FIN SYN: negated tcp-flags match. The first list (ACK,RST,SYN,FIN) names the flags to examine, the second (SYN) the flags that must be set among them, so without the ! it would match only a pure SYN (SYN set, ACK, RST and FIN clear). With the ! it matches every packet except such a pure SYN; this is the same test as ! --syn
  • This rule matches packets that are part of an established connection, excluding the initial packet trying to establish a new connection

# forward DNS queries and zone transfers (originating from net 192.0.2.0/24)
iptables -A FORWARD -s 192.0.2.0/24 -p tcp -m tcp --sport 1024:65535 \
    --dport 53 -j ACCEPT
iptables -A FORWARD -d 192.0.2.0/24 -p tcp -m tcp --sport 53 \
    --dport 1024:65535 ! --syn -j ACCEPT
iptables -A FORWARD -s 192.0.2.0/24 -p udp -m udp --sport 1024:65535 \
    --dport 53 -j ACCEPT
iptables -A FORWARD -d 192.0.2.0/24 -p udp -m udp --sport 53 \
    --dport 1024:65535 -j ACCEPT
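Added example (not part of the original notes) modelling the tcp module's --tcp-flags test in Python, to show which segments of a TCP session the negated match in the OUTPUT rule above accepts and that it is the same test as the ! --syn used in the DNS rules; the sample segments are constructed.

```python
# TCP header flag bits (the rules above use only the classic six, so the ECN bits are left out).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}
FLAG_BITS["ALL"] = sum(FLAG_BITS.values())   # iptables keyword ALL
FLAG_BITS["NONE"] = 0                        # iptables keyword NONE


def flags_to_bits(names):
    """Convert an iptables flag list such as 'ACK,RST,SYN,FIN' to a bitmask."""
    bits = 0
    for name in names.split(","):
        bits |= FLAG_BITS[name.strip().upper()]
    return bits


def tcp_flags_match(packet_flags, mask, comp, negate=False):
    """Model of the tcp module's '--tcp-flags mask comp' test.

    Only the flags in `mask` are examined; of those, exactly the flags in `comp`
    must be set. A leading '!' on the option (negate=True) inverts the result.
    """
    matched = (packet_flags & flags_to_bits(mask)) == flags_to_bits(comp)
    return not matched if negate else matched


def syn_match(packet_flags, negate=False):
    """Model of '--syn', which iptables defines as '--tcp-flags SYN,RST,ACK,FIN SYN'."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK,FIN", "SYN", negate)


def output_rule_accepts(packet_flags):
    """Flag test of the OUTPUT rule above: '! --tcp-flags ACK,RST,SYN,FIN SYN'."""
    return tcp_flags_match(packet_flags, "ACK,RST,SYN,FIN", "SYN", negate=True)


# Constructed sample segments (label -> flag bits) covering a whole TCP session.
SAMPLE_SEGMENTS = {
    "client SYN (new connection attempt)": SYN,
    "server SYN-ACK (handshake reply)": SYN | ACK,
    "data segment (ACK)": ACK,
    "data segment (PSH,ACK)": PSH | ACK,
    "teardown (FIN,ACK)": FIN | ACK,
    "abort (RST)": RST,
}

if __name__ == "__main__":
    for label, bits in SAMPLE_SEGMENTS.items():
        print(f"{label:38s} accepted by OUTPUT rule: {output_rule_accepts(bits)}")
```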

Stateful rules

# allow ssh access to local system
iptables -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 \
    -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 22 --dport 1024:65535 \
    -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.0.2.0/24 -m conntrack --ctstate RELATED,ESTABLISHED \
    -j ACCEPT
iptables -A FORWARD -s 192.0.2.0/24 -m conntrack --ctstate NEW \
    -p tcp -m tcp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A FORWARD -s 192.0.2.0/24 -m conntrack --ctstate NEW \
    -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT

iproute2 policy routing

  • we can mark packets for the iproute2 policy routing

Figure: marking packets with iptables for iproute2 policy routing

