Linux IPTABLES Firewall Tutorial: Getting Started with basics

By Sarath Pillai

We have had several requests from our readers to include tutorials and articles about basic things like security in Linux and how to configure it. The problem is that "security in Linux" is a pretty big topic that covers many different aspects and tools. Most of the time, what you need depends on the kind of architecture you have: a measure that applies to one architecture might not apply to another.

 

The only way to get things clear is to keep learning new things and to collect more details about what a particular tool, or a particular configuration, actually does.

 

We always try our level best to go deep into a single tool or topic, because understanding a topic in detail creates more interest in the field. And sometimes, to be honest, when I sit down to write and compile a post, I refer to many books and other sources to make it more accurate and precise (hence please bear with us if there is a delay in publishing new articles). Writing articles has helped me a lot in learning and understanding new things, as well as in revisiting the things I learned in a better way.

 

As far as security in Linux is concerned, we already have a couple of articles on different security topics. With this article we are starting a tutorial series entirely dedicated to the iptables firewall in Linux.

 

I know there are many articles and tutorials on the internet that cover this topic. That being said, I will try my level best to make this tutorial series simple enough to understand even for a newcomer.

 

I am 100 percent sure that anyone involved with Linux and system administration has heard of IPTABLES. It is almost impossible for a Linux user to spend a career without hearing the word IPTABLES.

 

The reason is that it has been the default firewall on most Linux distributions for a long time, and it is quite powerful and fairly simple to configure. (Never mind if you are a newbie: it might seem complicated at first, but once you learn it, it is a pleasure to configure.) Newer distributions are moving to nftables, but the iptables rule syntax is still found everywhere, and current iptables binaries can run on top of nftables, so what you learn here still applies.

 

If you have a networked Linux machine, then your system is always at risk of being attacked or even compromised. You can't simply leave that machine without configuring some form of access list or firewall.

 

Some might say that their servers are behind the office hardware firewall, everything is filtered through that firewall, and hence there is no need for an additional firewall on the server. Agreed, your hardware firewall might provide enough protection for your servers. However, it is always better to have redundant levels of security in place: a host firewall still protects you from a misconfigured perimeter device and from attackers who are already inside the network (a compromised neighbouring machine, for example).

 

It is always better to have redundant, multiple levels of security (defence in depth) than to be compromised!

 

You might have heard of something called Netfilter. People normally use the terms "Netfilter" and "iptables" interchangeably, and why not: the Netfilter project (http://www.netfilter.org) is the one that developed both.

 

Since Linux kernel 2.4.x, netfilter/iptables has been the default packet filtering framework used by Linux systems.

 

Using iptables you define a set of rules, which the Linux kernel then follows to inspect all incoming, outgoing and forwarded packets.

 

Some important things to remember about iptables, before we go ahead with this and the next tutorials in this series, are mentioned below.

 

  1. The control and rules that you define using iptables are tightly integrated with the Linux kernel.
  2. The rules you define in iptables are nothing but a categorised set of traffic patterns; when a packet matches a pattern, the action you defined for it is taken.
  3. Everything required for the functioning of the iptables firewall is included by default as different components (kernel modules) in your kernel.
  4. Netfilter/iptables has become very mature software: every kernel version released after 2.4 ships with it by default.
  5. All processing of packets against your rules is carried out by the Linux kernel for you; the iptables command only loads and lists the rules.

 

As mentioned before, the terms "iptables" and "netfilter" are used interchangeably by people in the industry, so to avoid confusion and put a final note on the difference:

Netfilter is the framework in the Linux kernel (a set of hooks in the network stack) that implements the rules and filters provided by the user through the user-space interface called iptables.

 

The main idea behind iptables is to give the user a high level of control: the user specifies rules, which the kernel matches against each IP packet it receives, sends or forwards.

 

In other words, it is a set of rules based on which the kernel takes an action on the traffic it sees. The iptables firewall has become very mature through the improvement and addition of features over the years, and it includes many of the features provided by proprietary commercial firewalls. Some of these features are mentioned below. (Don't worry about the terms; I will cover all of them during this tutorial series.)

 

  1. Rate limiting
  2. State tracking (connection tracking)
  3. Application-layer inspection (limited: iptables can match on packet contents and use protocol helpers such as the FTP one, but it is not a full application-layer proxy)

 

As discussed earlier, the primary objective of the iptables firewall, or of any other firewall for that matter, is to define a set of rules, inspect traffic against them, and take an action as the end result.

 

The action taken by the firewall can be any of the following.

 

  1. Allow the packet through (ACCEPT)
  2. Deny the packet, either silently (DROP) or with an error reply to the sender (REJECT)
  3. Or even modify the packet (for example, rewrite its addresses for NAT)

 

The rules a user defines in iptables are categorised into different tables based on their broad usage. For example, when we talk about packet filtering, it is understood that some sort of filtering is being done based on the rules we provide.

 

Filtering in iptables means deciding what to do with traffic: allow it, reject it or drop it. Hence the first and most basic table, the one most users work with, is called the filter table.

 

As mentioned before, iptables is a very mature firewall with many functions beyond basic filtering. One of them is the ability to rewrite a packet's addresses based on a rule we define. I am talking about Network Address Translation. The basic idea behind NAT is to modify the source or destination address (and optionally the port) of a packet.

 

If you are a newbie and want to understand what Network Address Translation is, I would recommend going through the post below to get an idea.

 

Read: What is NAT (Network Address Translation)

 

The iptables firewall can do NAT for you. In fact, the standard NAT mechanism on Linux systems is iptables (netfilter). This is why a Linux server with IP forwarding enabled (net.ipv4.ip_forward=1) and a properly configured iptables rule set can act as a router for your environment.

 

Because of this NAT functionality, iptables has a separate table for it, and that table's name is the nat table.
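
As an added example (not code from the original article), here is what a minimal Linux NAT router looks like in practice, tying together the nat table, the FORWARD chain of the filter table and the ip_forward sysctl. The interface names eth0 (internet side) and eth1 (LAN side) and the LAN range 192.168.1.0/24 are assumptions; change them to match your box. The script only emits the rule set as text unless APPLY=1 is set and it runs as root, so it is safe to read and test anywhere.

```shell
#!/bin/sh
# Added example, not from the original article: a Linux box as a NAT
# router for one LAN. Assumed names (not from the page): eth0 faces the
# internet, eth1 faces the LAN 192.168.1.0/24.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the rule set in iptables-restore format. Two tables are involved:
# filter decides what may be forwarded, nat rewrites the source address
# on the way out. Lines starting with '#' are ignored by iptables-restore.
router_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# manage the router over SSH from the LAN side only
-A INPUT -i ${LAN_IF} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# LAN clients may open new connections towards the internet ...
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -m conntrack --ctstate NEW -j ACCEPT
# ... and the replies must be let back in: FORWARD sees both directions of a flow
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# unsolicited inbound traffic and packets with a forged LAN source hit the DROP policy
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# after the routing decision, rewrite the source to the WAN interface address.
# MASQUERADE looks the address up per packet; use SNAT --to-source for a static WAN IP.
-A POSTROUTING -o ${WAN_IF} -s ${LAN_NET} -j MASQUERADE
COMMIT
EOF
}

# The classic mistake on a home-made router: a FORWARD chain that accepts
# the LAN side but has no ESTABLISHED,RELATED rule. Outbound SYNs leave,
# every reply is dropped, and clients get an address from DHCP but cannot
# browse. This check fails if the return-path rule is missing.
forward_has_return_path() {
    router_ruleset | grep -q -- '^-A FORWARD .*--ctstate ESTABLISHED,RELATED -j ACCEPT'
}

# Forwarding is off by default; without the sysctl the kernel never routes
# between interfaces, whatever the FORWARD chain says. Only applied when
# explicitly requested and running as root.
apply_router() {
    [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ] || return 0
    sysctl -w net.ipv4.ip_forward=1
    router_ruleset | iptables-restore --test && router_ruleset | iptables-restore
}

apply_router
```

Run it with APPLY=1 as root to load the rules. iptables-restore replaces the named tables atomically, which is what you want when reloading over SSH; a sequence of individual iptables -A commands is fine for experimenting, but leaves the firewall half-loaded if the script dies midway.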

 

The next table is used less often; it is called the mangle table. It contains rules that alter fields in the IP packet itself. This table is useful when you want to modify the TTL (Time To Live) or the TOS/DSCP (Type of Service) field, clamp the TCP MSS, or mark packets for use by policy routing or traffic shaping. Don't worry! We will discuss these things in detail when we discuss the mangle table.

 

The last table is called the raw table, and it is used primarily for one purpose. Iptables (more precisely its connection tracking subsystem) keeps track of the state of every connection it sees (when I use terms that I am not describing in this article, please ignore them, because we will have a dedicated article on each topic as part of this series). The raw table is consulted before connection tracking runs, so a rule in it can mark particular packets as not requiring tracking (the NOTRACK target), which saves memory and CPU at very high packet rates. Be aware that untracked packets never match ESTABLISHED or RELATED in the filter table, so they need explicit rules of their own there.

 

Hence, before going ahead, here is the list of tables and their use cases.

  • Filter table: Used for normal filtering of traffic based on rules defined by the user (accept, reject, drop). This is the most used table in the iptables firewall and handles normal day-to-day blocking and filtering.
  • NAT table: Being a mature firewall, iptables has capabilities beyond normal filtering, one of which is Network Address Translation. This table contains the rules related to NAT.
  • Mangle table: Rules in this table modify packets based on user-given criteria. The user can modify the TTL, the TCP MSS, or the Type of Service (TOS/DSCP, e.g. which traffic should be given more priority), and mark packets.
  • Raw table: Primarily used to add rules that exempt packets from connection tracking (NOTRACK).

 

Let me repeat: if you are not aware of some of the terms I mentioned while discussing the different tables, please be patient, because I will describe them in detail in the upcoming posts of this tutorial series.

 

As discussed earlier, the tables we saw are broad categories separated by purpose. Before iptables emerged, two different firewall tools were used in Linux. They are mentioned below.

 

  • ipfwadm (Linux 2.0)
  • ipchains (Linux 2.2)

 

Iptables still uses some of the ideas from ipfwadm and ipchains. The ipchains firewall had its rules organised in chains; a chain is nothing but a further grouping of rules, an ordered list that a packet is checked against from top to bottom until a rule matches. Iptables carried the idea of chains forward and uses them to hold the rules inside the tables mentioned above.

 

Chains are pretty straightforward, and their names are largely self-explanatory. Let's see the main (built-in) chains in the iptables firewall.

 

  • INPUT chain: holds the rules applied to packets whose destination is the server itself (traffic coming towards the server, once the routing decision has determined that it is local).

  • OUTPUT chain: holds the rules applied to packets generated by the server itself (outgoing traffic).

  • FORWARD chain: we have already discussed that iptables can be used for purposes other than basic filtering. This chain holds the rules for packets that are routed through the server, neither from nor to it. It is normally used when you have a Linux machine acting as a router connecting two networks together. Note that a forwarded packet never passes through INPUT or OUTPUT, and that forwarding only happens at all when net.ipv4.ip_forward is enabled.

  • PREROUTING chain: holds rules that define actions to take on a packet as soon as it arrives, before the kernel makes its routing decision (this is where destination NAT happens).

  • POSTROUTING chain: holds rules that define actions to take just before a packet leaves, after the kernel has made its routing decision (this is where source NAT happens). We will discuss these chains in detail when we discuss the nat table.

 

So we have seen four tables inside the iptables firewall, and those four tables contain the chains mentioned above. Not every table contains all of these chains, but every table contains some of them.

 

Let's see the chains inside the different tables. Oh wait, before looking at the chains in each table, let's run some commands on our system and look at some basics of iptables.

 

The first command we can run is to check which version of iptables is installed. On recent distributions the output also says which kernel backend the binary uses, for example "iptables v1.8.7 (nf_tables)" or "(legacy)"; both accept the same rule syntax.

 

# iptables -V
iptables v1.4.12

 

 

Now let's see if there are any rules already applied on our system.

 

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

 

The above command shows the current contents of the INPUT, FORWARD and OUTPUT chains. While discussing the filter table we saw that it is the most used table, and hence it is the default table shown by the iptables command if you don't mention a table name explicitly.

The chains shown above are part of the filter table (because it is the default). Asking for the filter table explicitly gives exactly the same output.

 

# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

 

The -t option in the above command specifies the table name, and the -L option lists the rules. A few more options are worth using from day one: -n prints addresses and ports numerically instead of doing reverse DNS lookups (which are slow, and which send a query to the network for every address listed), -v adds the interface and the packet and byte counters for each rule, --line-numbers numbers the rules so you can refer to them with -I and -D, and -S prints the rules in the same syntax used to create them (iptables -S INPUT, or iptables-save for all tables at once).

 

If you look at the output, it does not show any rules. That's because we have not set any yet. However, some enterprise Linux flavours, like Red Hat Enterprise Linux, ship with a default rule set that drops most incoming packets (newer releases manage it through firewalld, which still programs the same kernel firewall underneath).

 

One thing is pretty clear from the output above: the filter table has three default chains (INPUT, FORWARD, OUTPUT). The policy shown in parentheses is the default action for packets that match no rule in the chain; with policy ACCEPT and no rules everywhere, this host is currently wide open.
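
To make the filter table concrete, here is a minimal host firewall as an added example (not code from the original article). It is written in iptables-restore format, which is what iptables-save prints and what you will find in /etc/sysconfig/iptables or /etc/iptables/rules.v4 on many distributions. The admin network 192.0.2.0/24 and SSH port 22 are assumptions. The ruleset_is_sane function checks the one ordering mistake that locks remote admins out: the rule that accepts replies to existing connections must come before the first DROP, or the SSH session that loads the firewall is cut.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a minimal host
# firewall for the filter table in iptables-restore format.
# Assumed values (not from the page): admin network and SSH port.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# Emit the rule set as text. Policies: DROP on INPUT and FORWARD, ACCEPT
# on OUTPUT. Each -A line is one rule; a packet is checked against them
# top to bottom until one matches, otherwise the chain policy applies.
host_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is needed by many local services
-A INPUT -i lo -j ACCEPT
# replies to connections this host started, plus related traffic such as ICMP errors
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify (stray ACKs, malformed TCP) are dropped
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the admin network, new connections rate limited against brute forcing
-A INPUT -p tcp --dport ${SSH_PORT} -s ${ADMIN_NET} -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 10 -j ACCEPT
# the web service is open to everyone
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# ping is useful for diagnosis
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# log (rate limited) what the policy is about to drop; this is how you debug a lock-out
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Ordering check: the ESTABLISHED,RELATED accept must precede the first
# DROP rule in INPUT. Returns success when the order is right.
ruleset_is_sane() {
    rules=$(host_ruleset | grep -n -- '^-A INPUT')
    est=$(printf '%s\n' "$rules" | grep 'ESTABLISHED,RELATED' | head -n 1 | cut -d: -f1)
    drop=$(printf '%s\n' "$rules" | grep -- '-j DROP' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ]
}

# Load the rule set, but only when explicitly asked for and running as
# root. iptables-restore --test parses without committing; the real load
# then replaces the whole filter table atomically.
apply_ruleset() {
    [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ] || return 0
    ruleset_is_sane || return 1
    host_ruleset | iptables-restore --test && host_ruleset | iptables-restore
}

apply_ruleset
```

After loading, iptables -L INPUT -n -v --line-numbers shows the same rules with their hit counters, and the kernel log (dmesg or journalctl -k) shows the "iptables-drop:" lines for anything that fell through to the policy. When changing policies over SSH on a remote box, schedule a rollback first (for example, an at job or a sleep-then-iptables-restore of the old rule set in the background) so a mistake does not cost you the machine.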

 

Now let's see what are the chains that are part of NAT table, Mangle Table, and Raw Table.

 

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

 

The nat table has PREROUTING, INPUT, OUTPUT and POSTROUTING chains by default.

 

# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

 

The mangle table has PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING chains by default.

 

# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

 

The raw table has PREROUTING and OUTPUT chains by default.

Apart from these built-in chains, we can create our own custom chains (iptables -N chain-name) and define rules inside them; a custom chain is reached by jumping to it from a built-in chain. We will see all of that in the coming articles of this tutorial series.

 

At the beginning of this article we saw that the whole show of filtering, the netfilter framework, is carried out by the kernel. Hence there must be kernel modules loaded for the iptables firewall to function. Let's see which iptables modules are loaded by default and what functionality they provide.

 

# lsmod | grep ip_tables
ip_tables              27473  4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
x_tables               29938  4 iptable_raw,iptable_mangle,iptable_filter,ip_tables

 

 

The lsmod command lists the kernel modules currently loaded. You can clearly see that the different table-based functionalities are added by different kernel modules (iptable_filter, iptable_nat, iptable_mangle, iptable_raw), all built on the common ip_tables and x_tables modules. They are loaded automatically the first time a table is used, so a missing iptable_raw in this output just means nothing has touched the raw table yet.

 

In the upcoming articles of this tutorial series we will get inside each table and understand their use cases with examples. Towards the end of the series we will see some advanced use cases of iptables.


Comments

Good article... waiting for the next article in this series... thank you...

Nice... where is the next upcoming article???

Nice one, but where is the next one?

Hey dude, great, but I'm waiting for the next tutorial....

I am using this box as a router and, as per your suggestion in the trial message, I had configured the FORWARD chain for three user MAC addresses; the configuration is mentioned below.
Two users are getting IP addresses from the DHCP server but are not able to browse, so please can you help me with how they can browse.....

DHCPACK on 192.168.23.171 to 90:72:40:58:a9:95 (is-iPhone)
DHCPACK on 192.168.23.178 to FC:75:16:67:3F:BE (android-f50ef57524010a1e)
DHCPACK on 192.168.23.100 to 00:25:64:A4:3F:01 (android-7306f0c1f5e73255)

# Generated by iptables-save v1.4.7
*filter
:INPUT ACCEPT [37:6239]
:FORWARD DROP [789:129680]
:OUTPUT ACCEPT [89:13144]
-A INPUT -i eth1 -m mac --mac-source 34:E67:00:B1:E6 -j ACCEPT
-A INPUT -s IP ADDRESS -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -s IP ADDRESS -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -s IP ADDRESS -p tcp -m tcp --dport 9888 -j ACCEPT
-A INPUT -s IP ADDRESS -p tcp -m tcp --dport 9888 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m mac --mac-source FC:75:16:67:3F:BE -j ACCEPT
-A FORWARD -m mac --mac-source 00:25:64:A4:3F:01 -j ACCEPT
-A FORWARD -m mac --mac-source 90:72:40:58:A9:95 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j DROP
COMMIT
# Completed on Tue Jan 5 18:47:41 2016
# Generated by iptables-save v1.4.7 on Tue Jan 5 18:47:41 2016
*nat
:PREROUTING ACCEPT [406:28986]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:108]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Jan 5 18:47:41 2016
# Generated by iptables-save v1.4.7 on Tue Jan 5 18:47:41 2016
*mangle
:PREROUTING ACCEPT [1596:188447]
:INPUT ACCEPT [130:13127]
:FORWARD ACCEPT [1466:175320]
:OUTPUT ACCEPT [90:13236]
:POSTROUTING ACCEPT [767:58876]
COMMIT
# Completed

Hi Sarath, I really appreciate your work of sharing complex knowledge in a simpler manner. I am a consistent reader of your articles. I have been waiting for the next article that you have promised. Thanks and regards

nice intro to iptables
