1. Rules, Chain and Tables
iptables rules are grouped into chains. A chain is a set of rules used to determine what to do with a packet. These chains are grouped into tables. Iptables has three built in tables: filter, NAT, mangle and Raw
Filter table
The filter table is used to allow or block traffic and contains three chains: INPUT,OUTPUT and FORWARD.
The input chain is used to filter traffic destined for the local machine.
The output chain is used to filter packets created by the local system.
The forward chain is used to filter packets passing through the system, eg. gateway
NAT table
The NAT table is used to setup the rules to rewrite packets allowing NAT to happen. This table has three chains: PREROUTING, POSTROUTING and OUTPUT. Packets in a stream only traverse this table once.
This is the main reason why you should not do any filtering in this table
The prerouting chain is where packets come to prior to being parsed by the local routing table
The OUTPUT chain is used for altering locally generated packets (i.e., on the firewall) before they get to the routing decision.
The Postrouting chian s which is used to alter packets just as they are about to leave the firewall.
Raw Table
The raw table and its chains are used before any other tables in netfilter. It was introduced to use the NOTRACK target. It contain two chains: PREROUTING and OUTPUT,where they will handle packets before they hit any of the other netfilter subsystems
The PREROUTING chain can be used for all incoming packets to this machine, or that are forwarded
the OUTPUT chain can be used to alter the locally generated packets before they hit any of the other netfilter subsystems.
Basic Uses
Structure
Many iptables commands have the following structure:
iptables [-t |
In this example, the
When looking at the structure of an iptables command, it is important to remember that, unlike most other commands, the length and complexity of an iptables command can change based on its purpose. A simple command to remove a rule from a chain can be very short, while a command designed to filter packets from a particular subnet using a variety of specific parameters and options can be rather lengthy. When creating iptables commands it is helpful to recognize that some parameters and options may create the need for other parameters and options to further specify the previous option's request. In order to construct a valid rule, this must continue until every parameter and option that requires another set of options is satisfied.
Commands tell iptables to perform a specific action. Only one command is allowed per iptables command string. With the exception of the help command, all commands are written in upper-case characters.The iptables commands are as follows:
-
-A — Appends the iptables rule to the end of the specified chain. This is the command used to simply add a rule when rule order in the chain does not matter.
-
-C — Checks a particular rule before adding it to the user-specified chain. This command can help you construct complicated iptables rules by prompting you for additional parameters and options.
-
-D — Deletes a rule in a particular chain by number (such as 5 for the fifth rule in a chain). You can also type the entire rule, and iptables will delete the rule in the chain that matches it.
-
-E — Renames a user-defined chain. This does not affect the structure of the table.
-
-F — Flushes the selected chain, which effectively deletes every rule in the the chain. If no chain is specified, this command flushes every rule from every chain.
-
-h — Provides a list of command structures, as well as a quick summary of command parameters and options.
-
-I — Inserts a rule in a chain at a point specified by a user-defined integer value. If no number is specified, iptables will place the command at the top of the chain.
- -L — Lists all of the rules in the chain specified after the command. To list all rules in all chains in the default filter table, do not specify a chain or table. Otherwise, the following syntax should be used to list the rules in a specific chain in a particular table: iptables -L
-t -
-N — Creates a new chain with a user-specified name.
-
-P — Sets the default policy for a particular chain, so that when packets traverse an entire chain without matching a rule, they will be sent on to a particular target, such as ACCEPT or DROP.
-
-R — Replaces a rule in a particular chain. The rule's number must be specified after the chain's name. The first rule in a chain corresponds to rule number one.
-
-X — Deletes a user-specified chain. Deleting a built-in chain for any table is not allowed.
-
-Z — Zeros the byte and packet counters in all chains for a particular table.
Parameters
Once certain iptables commands are specified, including those used to add, append, delete, insert, or replace rules within a particular chain, parameters are required to construct a packet filtering rule.
-
-c — Resets the counters for a particular rule. This parameter accepts the PKTS and BYTES options to specify what counter to reset.
-
-d — Sets the destination hostname, IP address, or network of a packet that will match the rule. When matching a network, the following IP address/netmask formats are supported:
-
N.N.N.N/M.M.M.M — Where N.N.N.N is the IP address range and M.M.M.M is the netmask.
-
N.N.N.N/M — Where N.N.N.N is the IP address range and M is the netmask.
-
-
-f — Applies this rule only to fragmented packets.
By using the ! option after this parameter, only unfragmented packets will be matched.
-
-i — Sets the incoming network interface, such as eth0 or ppp0. With iptables, this optional parameter may only be used with the INPUT and FORWARD chains when used with the filter table and the PREROUTING chain with the nat and mangle tables.
This parameter also supports the following special options:
-
! — Tells this parameter not to match, meaning that any specified interfaces are specifically excluded from this rule.
-
+ — A wildcard character used to match all interfaces which match a particular string. For example, the parameter -i eth+ would apply this rule to any Ethernet interfaces but exclude any other interfaces, such as ppp0.
If the -i parameter is used but no interface is specified, then every interface is affected by the rule.
-
-
-j — Tells iptables to jump to a particular target when a packet matches a particular rule. Valid targets to be used after the -j option include the standard options, ACCEPT, DROP, QUEUE, and RETURN, as well as extended options that are available through modules loaded by default with the Red Hat Linux iptables RPM package, such as LOG, MARK, and REJECT, among others. See the iptables man page for more information on these and other targets.
You may also direct a packet matching this rule to a user-defined chain outside of the current chain so that other rules can be applied to the packet.
If no target is specified, the packet moves past the rule with no action taken. However, the counter for this rule is still increased by one, as the packet matched the specified rule.
-
-o — Sets the outgoing network interface for a rule and may only be used with OUTPUT and FORWARD chains in the filter table, and the POSTROUTING chain in the nat and mangle tables. This parameter's options are the same as those of the incoming network interface parameter (-i).
-
-p — Sets the IP protocol for the rule, which can be either icmp, tcp, udp, or all, to match every supported protocol. In addition, any protocols listed in /etc/protocols may also be used. If this option is omitted when creating a rule, the all option is the default.
-
-s — Sets the source for a particular packet using the same syntax as the destination (-d) parameter.
16.3.5. Match Options
Different network protocols provide specialized matching options which may be set in specific ways to match a particular packet using that protocol. Of course, the protocol must first be specified in the iptables command, by using -p tcp
16.3.5.1. TCP Protocol
These match options are available for the TCP protocol (-p tcp):
-
--dport — Sets the destination port for the packet. Use either a network service name (such as www or smtp), port number, or range of port numbers to configure this option. To browse the names and aliases of network services and the port numbers they use, view the /etc/services file. The --destination-port match option is synonymous with --dport.
To specify a specific range of port numbers, separate the two numbers with a colon (:), such as -p tcp --dport 3000:3200. The largest acceptable valid range is 0:65535.
Use an exclamation point character (!) after the --dport option to tell iptables to match all packets which do not use that network service or port.
-
--sport — Sets the source port of the packet using the same options as --dport. The --source-port match option is synonymous with --sport.
-
--syn — Applies to all TCP packets designed to initiate communication, commonly called SYN packets. Any packets that carry a data payload are not touched. Placing an exclamation point character (!) as a flag after the --syn option causes all non-SYN packets to be matched.
-
--tcp-flags — Allows TCP packets with specific bits, or flags, set to be matched with a rule. The --tcp-flags match option accepts two parameters. The first parameter is the mask, which sets the flags to be examined in the packet. The second parameter refers to the flag that must be set in order to match.
The possible flags are:
-
ACK
-
FIN
-
PSH
-
RST
-
SYN
-
URG
-
ALL
-
NONE
For example, an iptables rule which contains -p tcp --tcp-flags ACK,FIN,SYN SYN will only match TCP packets that have the SYN flag set and the ACK and FIN flags unset.
Using the exclamation point character (!) after --tcp-flags reverses the effect of the match option.
-
-
--tcp-option — Attempts to match with TCP-specific options that can be set within a particular packet. This match option can also be reversed with the exclamation point character (!).
16.3.5.2. UDP Protocol
These match options are available for the UDP protocol (-p udp):
-
--dport — Specifies the destination port of the UDP packet, using the service name, port number, or range of port numbers. The --destination-port match option is synonymous with --dport. Refer to the --dport match option in Section 16.3.5.1 TCP Protocol for ways to use this option.
-
--sport — Specifies the source port of the UDP packet, using the service name, port number, or range of port numbers. The --source-port match option is synonymous with --sport. Refer to the --sport match option in Section 16.3.5.1 TCP Protocol for ways to use this option.
16.3.5.3. ICMP Protocol
These match options are available for the Internet Control Message Protocol (ICMP) (-p icmp):
-
--icmp-type — Sets the name or number of the ICMP type to match with the rule. A list of valid ICMP names can be seen by typing the iptables -p icmp -h command.
16.3.5.4. Modules with Additional Match Options
Additional match options are also available through modules loaded by the iptables command. To use a match option module, load the module by name using the -m option, such as -m
A large number of modules are available by default. It is even possible to create your own modules to provide additional match option functionality.
Many modules exist, but only the most popular modules are discussed here.
-
limit module — Allows limit to be placed on how many packets are matched to a particular rule. This is especially beneficial when logging rule matches so that a flood of matching packets will not fill up the system logs with repetitive messages or use up system resources.
The limit module enables the following options:
-
--limit — Sets the number of matches for a particular range of time, specified with a number and time modifier arranged in a
/ format. For example, using --limit 5/hour only lets a rule match five times in a single hour.If a number and time modifier are not used, the default value of 3/hour is assumed.
-
--limit-burst — Sets a limit on the number of packets able to match a rule at one time. This option should be used in conjunction with the --limit option, and it accepts a number to set the burst threshold.
If no number is specified, only five packets are initially able to match the rule.
-
-
state module — Enables state matching.
The state module enables the following options:
-
--state — match a packet with the following connection states:
-
ESTABLISHED — The matching packet is associated with other packets in an established connection.
-
INVALID — The matching packet cannot be tied to a known connection.
-
NEW — The matching packet is either creating a new connection or is part of a two-way connection not previously seen.
-
RELATED — The matching packet is starting a new connection related in some way to an existing connection.
These connection states can be used in combination with one another by separating them with commas, such as -m state --state INVALID,NEW.
-
-
-
mac module — Enables hardware MAC address matching.
The mac module enables the following option:
-
--mac-source — Matches a MAC address of the network interface card that sent the packet. To exclude a MAC address from a rule, place an exclamation point (!) after the --mac-source match option.
-
To view other match options available through modules, refer to the iptables man page.
16.3.6. Target Options
Once a packet has matched a particular rule, the rule can direct the packet to a number of different targets that decide its fate and, possibly, take additional actions. Each chain has a default target, which is used if none of the rules on that chain match a packet or if none of the rules which match the packet specify a target.
The following are the standard targets:
-
— Replace with the name of a user-defined chain within the table. This target passes the packet to the target chain. -
ACCEPT — Allows the packet to successfully move on to its destination or another chain.
-
DROP — Drops the packet without responding to the requester. The system that sent the packet is not notified of the failure.
-
QUEUE — The packet is queued for handling by a user-space application.
-
RETURN — Stops checking the packet against rules in the current chain. If the packet with a RETURN target matches a rule in a chain called from another chain, the packet is returned to the first chain to resume rule checking where it left off. If the RETURN rule is used on a built-in chain and the packet cannot move up to its previous chain, the default target for the current chain decides what action to take.
In addition to these standard targets, various other targets may be used with extensions called target modules. For more information about match option modules, see Section 16.3.5.4 Modules with Additional Match Options.
There are many extended target modules, most of which only apply to specific tables or situations. A couple of the most popular target modules included by default in Red Hat Linux are:
-
LOG — Logs all packets that match this rule. Since the packets are logged by the kernel, the /etc/syslog.conf file determines where these log entries are written. By default, they are placed in the /var/log/messages file.
Various options can be used after the LOG target to specify the way in which logging occurs:
-
--log-level — Sets the priority level of a logging event. A list of priority levels can be found in the syslog.conf man page.
-
--log-ip-options — Any options set in the header of a IP packet is logged.
-
--log-prefix — Places a string of up to 29 characters before the log line when it is written. This is useful for writing syslog filters for use in conjunction with packet logging.
-
--log-tcp-options — Any options set in the header of a TCP packet are logged.
-
--log-tcp-sequence — Writes the TCP sequence number for the packet in the log.
-
-
REJECT — Sends an error packet back to the remote system and drops the packet.
The REJECT target accepts --reject-with
(where is the rejection type) which allows more detailed information to be sent back with the error packet. The message port-unreachable is the default error given if no other option is used. For a full list of options that can be used, see the iptables man page.
Other target extensions, including several that are useful for IP masquerading using the natmangle table, can be found in the iptables man page. table or with packet alteration using the
16.3.7. Listing Options
The default list command, iptables -L, provides a very basic overview of the default filter table's current chains. Additional options provide more information:
-
-v — Display verbose output, such as the number of packets and bytes each chain has seen, the number of packets and bytes each rule has matched, and which interfaces apply to a particular rule.
-
-x — Expands numbers into their exact values. On a busy system, the number of packets and bytes seen by a particular chain or rule may be abbreviated using K (thousands), MG (billions) at the end of the number. This option forces the full number to be displayed. (millions), and
-
-n — Displays IP addresses and port numbers in numeric format, rather than the default hostname and network service format.
-
--line-numbers — Lists rules in each chain next to their numeric order in the chain. This option is useful when attempting to delete a specific rule in a chain, or to locate where to insert a rule within a chain.
-
-t — Specifies a table name.
iptables allow you to allow traffic based on a number of different conditions, such as Ethernet interface, IP address, port and protocol.
Allowing incoming TCP traffic on port 22(ssh) for adapter eth0
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
No comments:
Post a Comment