Introduction to the IPtables Command
What is IPtables?
Iptables is a firewall that is usually built into Linux. Technically, IPtables is the userspace interface to the kernel module Netfilter. In other words, IPtables resides in userspace and allows the user to enter firewall rules, and Netfilter is the kernel module that does the actual filtering.
Before we get into actually setting up our firewall rules, let's get an idea of the concepts involved. Iptables uses IP addresses, ports, and protocols to filter packets. Rules are placed into predefined chains, and IP packets are checked against the rules in a chain, in order, until one matches and a decision is made. The actions taken by the rules are known as targets, the most common targets being ACCEPT and DROP.
Predefined Chains
The three chains in the filter table are:
- INPUT - inbound packets
- OUTPUT - outbound packets
- FORWARD - packets that are neither destined for nor coming from our host, but rather just passing through (used mainly for routers)
Working with IPtables
Working with IPtables requires root privileges, so use either su or sudo before the commands below. IPtables is installed by default on most Linux distros. You can check if the module is loaded with:
lsmod | grep ip_tables
and you can list the current rules with:
iptables -L
If not installed, use your distro's package manager to install the iptables package. You can start IPtables on a host running systemd with:
systemctl start iptables
You can enable it on boot with:
systemctl enable iptables
Writing the rules
Now let's add some rules to our IPtables that will create a basic SPI (stateful packet inspection) firewall. In your terminal enter:
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
What's going on in the above commands is as follows:
iptables -P INPUT ACCEPT This sets the default INPUT policy to ACCEPT before the chains are flushed, so that a remote session is not cut off while the rules are being rewritten, which can be important if you're connecting to the host via SSH.
iptables -F This flushes the current chains.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT If you were configuring this host remotely, this would allow the existing connection to persist after the firewall rules are updated.
iptables -A INPUT -i lo -j ACCEPT This accepts connections on the local loopback interface.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT This accepts all connections destined for port 22, the default SSH port.
iptables -P OUTPUT ACCEPT This sets the default policy for outbound connections to ACCEPT.
iptables -P INPUT DROP This sets the default policy for inbound connections to DROP.
iptables -P FORWARD DROP This sets the FORWARD default policy to DROP.
For further explanation, the -j switch is the jump parameter and takes a target, such as DROP, as its argument. You can save your rules with the command:
iptables-save > /etc/iptables.rules
After saving your firewall rules you may restart the IPtables service on systems running systemd with the command:
systemctl reload iptables
Note that the file the iptables service reads on reload depends on your distribution (for example, /etc/sysconfig/iptables on RHEL-family systems), so check where your distro expects the saved rules to live.
Fine tuning IPtables rules
Something like the above example might be fine for some, but others may want to fine tune their rules a little further to allow or deny access to a certain host or a specific interface. In the example above we do this with the following rule:
iptables -A INPUT -i lo -j ACCEPT
Here we are appending to the INPUT chain a rule that says: when packets arrive on the loopback interface, jump to the ACCEPT target. This can be done with other interfaces as well, such as eth0.
IP addresses can also be used to fine tune IPtables rules. For example:
iptables -A INPUT -s 192.168.0.50/24 -p tcp --dport 22 -j DROP
With this rule we append to the INPUT chain that packets with a source address in the /24 subnet containing 192.168.0.50 (that is, any address in 192.168.0.0/24, not only that one host) destined for TCP port 22 should be dropped. To match the single host only, use -s 192.168.0.50 (equivalent to /32). Logging what your firewall is doing is pretty important, so let's see how we might do that:
iptables -A INPUT -s 192.168.0.50/24 -p tcp --dport 22 -j LOG --log-prefix "[DENIED:INPUT] " --log-level 7
iptables -A INPUT -s 192.168.0.50/24 -p tcp --dport 22 -j DROP
In the above example, we create two rules with the same matching criteria, one pointing to the LOG target and the next to DROP. The LOG rule tells Netfilter that when a packet with a source address in 192.168.0.50/24 is destined for TCP port 22, jump to the LOG target, which writes a kernel log entry (picked up by syslog) prefixed with [DENIED:INPUT]. LOG is a non-terminating target, so the packet continues to the next rule, which is the same as the example above: drop packets with the specified source address destined for the specified port. Rule order matters here: the LOG rule must come before the DROP rule, because nothing is evaluated after a packet has been dropped.
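Once the LOG rule is in place, the prefixed entries land in the kernel log and can be triaged. The script below is an added example, not part of the original tutorial: it summarises "[DENIED:INPUT]" entries per source address and destination port. The sample log lines are constructed to mimic the LOG target's output format, and the function names are the example's own.

```shell
#!/bin/sh
# Summarise iptables LOG entries carrying the "[DENIED:INPUT]" prefix.
# Functions read syslog/journal text on stdin.
# SAMPLE_LOG is constructed for this example; real input would be
# something like: grep DENIED /var/log/kern.log | denied_summary
SAMPLE_LOG='Mar  3 10:01:02 host kernel: [DENIED:INPUT] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.50 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:03 host kernel: [DENIED:INPUT] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.50 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:09 host kernel: [DENIED:INPUT] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.77 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:10 host sshd[123]: Accepted publickey for alice from 10.0.0.5 port 5555 ssh2'

# denied_summary: count denied packets per (SRC, DPT), most frequent first.
# Output lines look like: "2 192.168.0.50 22"
denied_summary() {
    grep -F '[DENIED:INPUT]' \
    | awk '{
        src = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (src != "" && dpt != "") print src, dpt;
      }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2, $3 }'
}

# denied_count_for: number of denied packets from one source address.
denied_count_for() {
    grep -F '[DENIED:INPUT]' | grep -c -- "SRC=$1 "
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | denied_summary
```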
Now what?
It is also possible to create your own chains with the -N switch, as well as writing your rules into a script, which will make things much easier. Still, with this knowledge, you should be able to get up and running with IPtables.
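As an added example (not part of the original tutorial), the script below wraps the tutorial's ruleset in shell functions and adds a user-defined chain, LOG_DROP, that logs and then drops SSH attempts from one subnet. The chain name, the 192.168.0.0/24 block subnet and the dry-run echo wrapper are constructed for this example; -N and -X are iptables' own switches for creating and deleting user chains.

```shell
#!/bin/sh
# Apply the tutorial's SPI ruleset plus a LOG-then-DROP user chain.
# Dry-run by default: the commands are printed, not executed.
# Run as root with IPT=iptables to actually apply them.
IPT="${IPT:-echo iptables}"
SSH_PORT="${SSH_PORT:-22}"
BLOCK_NET="${BLOCK_NET:-192.168.0.0/24}"   # constructed example subnet

# Base stateful ruleset from the tutorial, in the same order.
base_rules() {
    $IPT -P INPUT ACCEPT     # keep a remote session alive during the flush
    $IPT -F                  # flush all rules
    $IPT -X                  # delete user chains so the script can be re-run
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
}

# A custom chain: every packet sent here is logged, then dropped.
log_drop_chain() {
    $IPT -N LOG_DROP
    $IPT -A LOG_DROP -j LOG --log-prefix "[DENIED:INPUT] " --log-level 7
    $IPT -A LOG_DROP -j DROP
}

# Ordering matters: the subnet block must precede the general SSH accept,
# because the first matching rule in the chain decides.
ssh_rules() {
    $IPT -A INPUT -s "$BLOCK_NET" -p tcp --dport "$SSH_PORT" -j LOG_DROP
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
}

# Default policies go last, after the accept rules are in place.
default_policies() {
    $IPT -P OUTPUT ACCEPT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
}

apply_all() {
    base_rules
    log_drop_chain
    ssh_rules
    default_policies
}

apply_all
```

Review the printed commands first; only then re-run with IPT=iptables (as root) and save the result with iptables-save as shown earlier.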