By: lscianni
March 29, 2017

Introduction to the IPtables Command


What is IPtables?

Iptables is a firewall that is usually built into Linux. Technically, IPtables is the interface for the kernel module Netfilter. In other words, IPtables resides in userspace and allows the user to enter firewall rules, and Netfilter is the kernel module that does the actual filtering.

Before we get into actually setting up our firewall rules, let's get an idea of the concepts involved. Iptables uses IP addresses, ports, and protocols to filter packets. Rules are placed into predefined chains, and IP packets are checked against the rules in a chain for a decision to be made. The actions taken by the rules are known as targets, the most common targets being ACCEPT and DROP.
Predefined Chains
The three chains in the filter table are:
  • INPUT - inbound packets
  • OUTPUT - outbound packets
  • FORWARD - packets that are neither destined for nor coming from our host, but rather just passing through (used mainly for routers)
Normally we are concerned with the INPUT chain for protecting our network from external threats, but it may be a good idea to add some filters for outbound traffic as well (blocking outbound internet connections on a subnet with test systems on it, for instance).

In summary, rules are added in a list to the chains, packets are checked against each rule, and then an action is taken based on the rules. If a packet doesn't match any of the rules, then the default action for that chain is applied. This is referred to as the default policy, which can be set to either ACCEPT or DROP.

Now we must decide how we are going to organize our firewall. There are two choices: one is to set the default policy to DROP and then add specific rules to ACCEPT packets from a specific host (implicit deny), or you can set the default policy to ACCEPT and add rules that DROP whatever does not come from a trusted host (explicit deny). Generally, option one is implemented for ease of administration and better overall security.

Working with IPtables

Working with IPtables requires root privileges, so use either su or sudo before the commands below. IPtables is installed by default on most Linux distros. You can check if the module is loaded with:
lsmod | grep ip_tables
You can list the current rules with:
iptables -L
If it is not installed, use your distro's package manager to install the iptables package. You can start IPtables on a host running systemd with:
systemctl start iptables
You can enable it on boot with:
systemctl enable iptables

Writing the rules

Now let's add some rules to our IPtables that will create a basic SPI (stateful packet inspection) firewall. In your terminal enter:
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
What's going on in the above commands is as follows:
  • iptables -P INPUT ACCEPT - This allows for remote connections by setting the default policy to ACCEPT, which can be important if you're going to be connecting to the host via SSH.
  • iptables -F - This flushes the current chains.
  • iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT - If you were configuring this host remotely, this would allow the connection to persist after the firewall rules are updated.
  • iptables -A INPUT -i lo -j ACCEPT - This accepts connections on the local loopback interface.
  • iptables -A INPUT -p tcp --dport 22 -j ACCEPT - This accepts all connections destined for port 22, the default SSH port.
  • iptables -P OUTPUT ACCEPT - This sets the default policy for outbound connections to ACCEPT.
  • iptables -P INPUT DROP - This sets the default policy for inbound connections to DROP.
  • iptables -P FORWARD DROP - This sets the forward default policy to DROP.
For further explanation, the -j switch is the jump parameter and takes a target, such as DROP, as its argument. You can save your rules with the command:
iptables-save > /etc/iptables.rules
After saving your firewall rules you may reload the IPtables service on systems running systemd with the command:
systemctl reload iptables

Fine tuning IPtables rules

Something like the above example might be fine for some, but others may want to fine-tune their rules a little further to allow or deny access to a certain host or a specific interface. In the example above we do this with the rule:
iptables -A INPUT -i lo -j ACCEPT
Here we are appending to the INPUT chain the rule that when packets arrive on the loopback interface, jump to the ACCEPT target. This can be done with other interfaces as well, such as eth0.

IP addresses can also be used to fine-tune IPtables rules. For example:
iptables -A INPUT -s 192.168.0.50/24 -p tcp --dport 22 -j DROP
With this rule we append to the INPUT chain that packets with a source address on the 192.168.0.50/24 subnet destined for TCP port 22 should be dropped. Note that the /24 mask makes the rule match every address in 192.168.0.0/24, not just 192.168.0.50. Packets are checked against the rules in order, so if this rule is appended after the port 22 ACCEPT rule from the earlier example, that ACCEPT rule matches first; the -I switch inserts a rule at the top of the chain instead.

Logging what your firewall is doing is pretty important, so let's see how we might do that:
iptables -A INPUT -s 192.168.0.50/24 -p tcp --dport 22 -j LOG --log-prefix "[DENIED:INPUT] " --log-level 7
iptables -A INPUT -s 192.168.0.50/24 -p tcp --dport 22 -j DROP
In the above example, we create two rules with matching criteria, one pointing to the LOG target and the next to the DROP target. The LOG rule tells Netfilter that when a packet with the source address 192.168.0.50/24 destined for TCP port 22 arrives, it should jump to the LOG target and prefix the syslog entry with [DENIED:INPUT]. The second rule is similar to the example above: drop packets with the specified source address destined for the specified port.

Now what?

It is also possible to create your own chains with the -N switch, as well as writing your rules into a script, which will make things much easier. Still, with this knowledge, you should be able to get up and running with IPtables.
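One way to put this article's rules into a script, as an added example that is not part of the original post: it emits the ruleset in iptables-restore format, including a custom chain that logs and then drops. The chain name LOGDROP, the BLOCKED_NET variable and the function names are assumptions of this example; the subnet rule is placed before the general port 22 ACCEPT because the first matching rule decides.

```shell
#!/bin/sh
# Added example: the article's firewall as one iptables-restore file.
# LOGDROP, BLOCKED_NET and the function names are chosen for this example.

BLOCKED_NET="192.168.0.0/24"   # the network that 192.168.0.50/24 refers to

# Print the whole filter table. ":LOGDROP - [0:0]" declares a user-defined
# chain, the restore-file equivalent of "iptables -N LOGDROP".
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s ${BLOCKED_NET} -p tcp --dport 22 -j LOGDROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A LOGDROP -j LOG --log-prefix "[DENIED:INPUT] " --log-level 7
-A LOGDROP -j DROP
COMMIT
EOF
}

# 1-based position, within the INPUT chain, of the first rule containing $1.
# Useful for checking that a deny rule is not shadowed by an earlier ACCEPT.
input_rule_position() {
    build_ruleset | grep -e '^-A INPUT ' | grep -n -F -e "$1" \
        | head -n 1 | cut -d: -f1
}

# Parse the ruleset without committing it, then load it in one step (as root).
apply_ruleset() {
    build_ruleset | iptables-restore --test || return 1
    build_ruleset | iptables-restore
}

case "${1:-}" in
    show)  build_ruleset ;;
    apply) apply_ruleset ;;
esac
```

Run the script with show to print the ruleset, or with apply as root to load it.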
