Ready to Start Your Career?

Introduction to the IPtables Command

By: lscianni

March 29, 2017

What is IPtables? Iptables is a firewall that is usually built into Linux. Technically, IPtables is the interface for the kernel module Netfilter. In other words, IPtables resides in userspace and allows the user to enter firewall rules, and Netfilter is the kernel module that does the actual filtering.Before we get into actually setting up our firewall rules let's get an idea of the concepts involved. Iptables uses IP addresses, ports, and protocols to filter packets. Rules are placed into predefined chains and IP packets are checked against the rules in a chain for a decision to be made. The actions taken by the rules are known as targets, the most common targets being ACCEPT and DROP. Predefined Chains The three chains in the filter table are:

INPUT - inbound packets
OUTPUT - outbound packets
FORWARD - packets that are neither destined for or coming from our host, but rather just passing through (used mainly for routers)

Normally we are concerned with the INPUT chain for protecting our network from external threats, but it may be a good idea to add some filters for outbound traffic as well (blocking outbound internet connections on a subnet with test systems on it for instance).In summary, rules are added in a list to the chains, packets are checked against each rule, and then an action is taken based on the rules.If a packet doesn't match any of the rules then the default action for that chain is applied. This is referred to as the default policy which can be set to either ACCEPT or DROP.Now we must decide how we are going to organize our firewall. There are two choices; one is to set the default policy to DROP and then add specific rules to ACCEPT packets from a specific host (implicit deny) or you can set the default policy to ACCEPT which will drop that which does not come from a trusted host (explicit deny). Generally, option one is implemented for ease of administration and better overall security. Working with IPtables Working with IPtables requires root privileges, so, either use su or sudo before the commands below. IPtables is installed by default on most Linux distros. You can check if the module is loaded with;

lsmod | grep ip_tables

you can list the current rules with;

iptables -L

If not installed use your distro's package manager to install the iptables package.You can start IPtables on a host running systemd with;

systemctl start iptables

You can enable it on boot with;

systemctl enable iptables

Writing the rules Now let’s add some rules to our IPtables that will create a basic SPI (stateful packet inspection) firewall. In your terminal enter;

iptables -P INPUT ACCEPTiptables -Fiptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPTiptables -A INPUT -i lo -j ACCEPTiptables -A INPUT -p tcp --dport 22 -j ACCEPTiptables -P OUTPUT ACCEPTiptables -P INPUT DROPiptables -P FORWARD DROP

What’s going on in the above commands is as follows;iptables -P INPUT ACCEPT This allows for remote connections by setting the default policy to ACCEPT, which can be important if you’re going to be connecting to the host via SSH.iptables -F This flushes the current chains.iptables -A INPUT -m state ESTABLISHED, RELATED -j ACCEPT If you were configuring this host remotely this would allow the connection to persist after the firewall rules are updated.iptables -A INPUT -i lo -j ACCEPT This accepts connections on the local loopback address.iptables -A INPUT -p tcp --dport 22 -j ACCEPT This accepts all connections destined for port 22 the default ssh port.iptables -P OUTPUT ACCEPT This sets the default policy for outbound connections to accept.iptables -P INPUT DROP This set the default policy for inbound connections to drop.iptables -P FORWARD DROP This sets the forward default policy to drop. For further explanation, the -j switch is the jump parameter and takes a target, such as DROP as it’s argument. You can save your rules with the command;

iptables-save > /etc/iptables.rules

After saving your firewall rules you may restart the IPtables service on systems running systemd with the command;

systemctl reload iptables

Fine tuning IPtables rules Something like the above example might be fine for some, but others may want to fine tune their rules a littler further to allow or deny access to a certain host or a specific interface. In the example above we do this with the

iptables -A INPUT -i lo -j ACCEPT

Here we are appending to the INPUT chain the rule that when packets destined for the loopback interface arrive jump to the ACCEPT target. This can be done with other interfaces as well such as eth0.IP addresses can also be used to fine tune IPtables rules. For example;

iptables -A INPUT -s 192.168.0.50/24 -p tcp --dport 22 -j DROP

With this rule we append to the INPUT chain that packets with the source address 192.168.0.50 on the /24 subnet destined for tcp port 22 should be dropped. Logging what your firewall is doing is pretty important so let’s see how we might do that;

iptables -A INPUT -s 192.168.0.50/24 -p tcp --dport 22-j LOG --log-prefix “[DENIED:INPUT] ” --log-level 7iptables -A INPUT -s 192.168.0.50/24 -p tcp --dport 22 -j DROP

In the above example, we create two rules with matching criteria. One pointing to the LOG target and the next to the DROP. The LOG rule tells Netfilter that when a packet with the source address 192.168.0.50/24 destined for TCP port 22; jump to the LOG chain. As well as prefix [DENIED:INPUT] to the Syslog. The second rule is similar to the example above; drop packets with the specified source address destined for the specified port. Now what? It is also possible to create your own chains with the

-N

switch, as well as writing your rules into a script which will make things much easier. Still, with this knowledge, you should be able to get up and running with IPtables.