iptables Overview: Chains, Tables and Persistency

Time: 21 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 21
Video Transcription
Hey there, Cybrarians. Welcome back to the Linux+ course here at Cybrary. I'm your instructor, Rob Goelz. In today's lesson, we're going to be working with iptables. Upon completion of today's lesson, you are going to be able to understand how iptables implements firewall technologies. We're also going to talk about the concept of chains and tables that are used in iptables. Then we're going to determine how iptables handles persistency of firewall rules.

As mentioned in the last lesson, iptables and Netfilter were developed together. They're developed by the same organization, and they came together around the year 2000. Now, iptables implements Netfilter's concepts of tables and chains in order to create firewall rules. Each chain is just a list of rules, and they can match a set of packets, and each table refers to a type of rule.

There are five iptables chains that are used to route network packets to the right application or to the right place. There's prerouting. The prerouting chain handles packets as soon as they come into a system. Input handles packets that are destined for the local host: anything going to a local socket or local application. The forward chain handles packets that are being routed through our system to another remote system. Maybe the system is acting as a firewall itself or running some interference to forward things along. There's postrouting, which does more routing for packets, does more handling for packets being sent through to a remote system. Then there's output, which handles or alters locally generated packets that are outbound from the system.

There's also the concept of tables, as we said, in iptables. There are five tables that represent sets of rules for evaluating packets. The filter table does basically what we think of firewalls doing: they allow or reject packets. We also have NAT, which is the network address translation table. These are rules that change the addresses before they exit the chain, or they change the IP address before they come into the system. We have a mangle table, which changes features of the packet before exiting the chain. For example, you can change the Time To Live value in the packet. We have raw. The raw table marks packets so that they're not included in stateful connection tracking. If we don't really care about the connection being managed and monitored by a stateful firewall, we can say, just mark this as a raw packet, don't worry about it. Then security. The security table applies mandatory access control. If we think back to when we talked about MAC, mandatory access control, this is like SELinux and AppArmor.

Each chain is also going to have a policy value. This is going to basically define how a packet is handled if there is no rule in place to apply to that packet. It's going to basically determine what we're going to do with this packet if there's nothing there to say what to do with it. For example, we can have a policy that accepts the packet. It just passes the packet along to the next chain. We can also say we by default reject: we don't pass the packet along, we send an error message. Likewise, we can drop. It's basically the same as a reject, but we're not going to send an error message. We're just going to drop the packet and not pass it along to the next chain. Then there's also the concept of queue. Now, queue sends packets to another application to be evaluated. This might be a security system that's looking at the packets, and if there's no application available, it just goes ahead and drops the packet.

This is all probably about as clear as mud at this point. Well, think about it this way. Each chain is a point where we do filtering on a packet. Certain tables are needed at certain filter points by default. We see this over on the left-hand side in the image that I've done courtesy of Wikimedia. We can see that, for example, we have prerouting. Prerouting can use the NAT to go ahead and change the source address before it sends it into local processes. If we're NATing something, we're saying we're doing network address translation. Outside of the system, it thinks that we have one IP address; inside of the system, it thinks we have many. We might change the IP address to go to a local process. We also have output and postrouting. You can see output down there at the bottom, postrouting to the left of it. We can use NAT here as well to change the source address before sending it to a remote host. We're going to say, this is now going out of the system, just like we talked about before. We're going to change this IP address so that it looks like it's coming from one IP, even though there are several IPs behind it; then we're going to change what the internal IP looks like and then send it out to a remote host. We can also do filtering at input, forward, and output. We can make decisions in here if we want to accept or reject the packet using that filter. Then we also can mangle everywhere. You can look and see at any one of these chains, any of these filter points, we have the option to do a mangle.

The iptables software is managed by? The iptables command, of course. The syntax is iptables -t, table, the command, the chain, and then the options. Let's go through a couple of examples, maybe make this a little bit clearer. One thing we could do right off the bat is just run iptables -L, and that's going to list all of the existing rules. We can specify that we want to list the rules just for the filter table by doing iptables -t filter -L. That's going to give us all the rules that are in that table, the filter table and associated chains. Then we've got this really long nasty one: iptables -A INPUT -s 0/0 -p http -j ACCEPT. What does that mean? Well, let's break it down. What this does is it uses the -A option to add a rule to allow, ACCEPT, we see ACCEPT at the very end, all traffic. So -s for source, 0/0 means all. Then we're going to say that this is going to be the HTTP protocol, -p for protocol, http traffic. That is iptables, all except add rule, input, all port HTTP, and then do an accept. We're telling it to do an accept at the end.

Rules created with iptables in this fashion are not persistent. Once you create the rule and you're satisfied it's working as you expect it to work, what you have to do is save the rules using iptables-save. You can also restore rules from a file using iptables-restore, and that's specifying the file that you want to restore from.

With that, in this lesson, we talked about how iptables implements firewall technology by building upon Netfilter. We also talked about the concept of chains and tables. Chains are filtering points where rules are applied, and tables are types of rules that are applied, as needed, at these filter points. Then we talked about how iptables handles persistency. We've got to save our rules. Thanks so much for being here, and I look forward to seeing you in the next lesson.
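The iptables-save text that the lesson says you must write out to make rules persistent is also the handiest place to check the chain policies and rules the lesson describes. The following is an added example, not code from the lesson or from the iptables project: a small Python parser for that format with two audit checks (built-in filter chains whose default policy is ACCEPT, and INPUT ports accepted from any source), run against a constructed sample dump for a host that masquerades a LAN and accepts web traffic from anywhere. The sample addresses, the SAMPLE_DUMP text and the function names are mine. Because iptables' -p takes a protocol name from /etc/protocols (tcp, udp, icmp, ...), the sample writes the HTTP rule as -p tcp --dport 80.

```python
"""Parse and audit the iptables-save format (added example, not lesson code)."""
import re
from dataclasses import dataclass, field

# Constructed sample of what `iptables-save` prints: '*' opens a table,
# ':' declares a chain with its default policy and packet/byte counters,
# '-A' lines are the rules, and COMMIT closes the table.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample, not a real host)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.0.2.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
COMMIT
"""

# iptables accepts 0/0 as shorthand for 0.0.0.0/0; real iptables-save output
# usually omits a match-everything source entirely, so "no -s" also counts.
ANY_SRC = re.compile(r"(^|\s)-s\s+0(\.0\.0\.0)?/0(\s|$)")


@dataclass
class Chain:
    policy: str                                # ACCEPT/DROP for built-ins, '-' for user chains
    rules: list = field(default_factory=list)  # rule text after "-A <chain> "


def parse_iptables_save(text):
    """Return {table_name: {chain_name: Chain}} from iptables-save text."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):
            name, policy, _counters = line[1:].split()
            tables[table][name] = Chain(policy)
        elif line.startswith("-A "):
            chain, rule = line[3:].split(" ", 1)
            tables[table][chain].rules.append(rule)
        elif line == "COMMIT":
            table = None
        else:
            raise ValueError(f"unrecognised iptables-save line: {raw!r}")
    return tables


def default_open_chains(tables):
    """Inbound built-in filter chains whose policy is ACCEPT: a packet that
    matches no rule is let through (the lesson's 'what if no rule applies')."""
    filt = tables.get("filter", {})
    return [c for c in ("INPUT", "FORWARD") if c in filt and filt[c].policy == "ACCEPT"]


def world_open_ports(tables):
    """(protocol, port) pairs that filter/INPUT accepts from any source."""
    found = []
    for rule in tables.get("filter", {}).get("INPUT", Chain("-")).rules:
        if not rule.endswith("-j ACCEPT"):
            continue
        port = re.search(r"-p\s+(\w+).*--dport\s+(\d+)", rule)
        if port is None:
            continue                  # no port match, e.g. loopback or conntrack rules
        src = re.search(r"(^|\s)-s\s+\S+", rule)
        if src and not ANY_SRC.search(rule):
            continue                  # restricted to a specific source, not world-open
        found.append((port.group(1), int(port.group(2))))
    return found


def render_for_restore(tables):
    """Emit text in the form iptables-restore reads back (what you persist)."""
    out = []
    for table, chains in tables.items():
        out.append(f"*{table}")
        for name, chain in chains.items():
            out.append(f":{name} {chain.policy} [0:0]")
        for name, chain in chains.items():
            out.extend(f"-A {name} {rule}" for rule in chain.rules)
        out.append("COMMIT")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_iptables_save(SAMPLE_DUMP)
    print("default-open chains:", default_open_chains(parsed))   # ['INPUT']
    print("world-open ports:", world_open_ports(parsed))         # [('tcp', 80)]
    print(render_for_restore(parsed))
```

On a real host the same functions accept the contents of a file produced by iptables-save, and render_for_restore() gives back text that iptables-restore reads; the round trip is what makes it a useful format to keep under version control and diff before restoring.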