Introduction
This article is about understanding and using the functions of iptables.
Attention: Caution is advised. An ill-considered change to the firewall can quickly lock you out of the system.
Prerequisites
- root access to a Linux shell with iptables installed
Section 1 - What is iptables?
iptables is a userspace program that is used to configure the netfilter firewall in the Linux kernel. iptables itself does not filter anything; it is only the tool used to configure the firewall integrated in the Linux kernel.
iptables is divided into two areas, with separate tools for IPv4 and IPv6. For IPv4 you use iptables and for IPv6 ip6tables. All the following commands can be used with both tools in the same way.
Through the netfilter it is possible to:
- filter incoming packets before they are routed to the target application.
- filter outgoing packets before they leave the computer.
- check packets routed through the computer (router).
- perform packet manipulation.
Section 1.1 - Structure
Packet checking with iptables has a three-step structure (top to bottom):
- tables
- chains
- filter rules
If one of the filter rules defined in the tables / chains matches a packet, its action is executed. If no rule is defined or none of the defined rules match, the policy of the chain is applied (more on this later).
Tables
In the tables, different chains are grouped together according to the basic task.
Table | Description |
---|---|
filter | The default table; all filter rules are stored here. |
nat | This table is used for NAT (Network Address Translation) and port forwarding. |
mangle | This table is used for packet manipulation. |
raw | This table is used to define connection tracking exceptions. |
Chains
The chains determine when a packet is checked, e.g. before it is sent. A chain can occur in several tables.
Chain | Table | Description |
---|---|---|
INPUT | filter, mangle | Applies to all packets directed to the local address. |
OUTPUT | filter, nat, mangle, raw | Applies to all packets coming from the local address. |
FORWARD | filter, mangle | Applies to all packets that are routed through the host. |
PREROUTING | nat, mangle, raw | Applies to all packets before they are routed. |
POSTROUTING | nat, mangle | Applies to all packets after they are routed. |
Section 2 - Definition of filter rules
The most common CLI parameters for creating filter rules are listed here, along with their meaning.
Option | Description |
---|---|
-t Table | This filter rule applies to the named table. |
-I Chain (Position) | Rule is added to selected position of the chain. By default, the rule is added at the beginning of the chain. |
-A Chain | Rule is added to the chain. |
-D Chain | Rule is deleted from the chain. |
-F Chain | Delete all rules in the chain. |
-L Chain | List all rules in the chain. |
-p Protocol | The packet is only checked if it complies with the protocol (e.g. TCP, UDP, ICMP). |
-s IP Address | The packet is only checked if it originates from the defined IP address / IP network. |
-d IP address | The packet is only checked if it is sent to the defined IP address. |
-i Network Interface | The packet is only checked if it has arrived via the corresponding network interface. |
-o Network Interface | The packet is only checked if it is sent via the corresponding network interface. |
--sport (port) or --source-port (port) | The packet is only checked if it comes from the defined port. Must be used in conjunction with -p |
--dport (port) or --destination-port (port) | The packet is only checked if it is sent to the defined port. Must be used in conjunction with -p |
-j Action | Defines which action should be applied to the packet. |
Section 2.1 - Definition of actions
Action | Description |
---|---|
ACCEPT | The packet is accepted and passed on to its destination. |
DROP | The packet is not accepted, the sender does not receive a message. |
REJECT | The packet is not accepted, the sender is notified. |
LOG | The packet data is recorded in the system log, then the next rule in the chain is checked and applied if necessary. |
Section 2.2 - Defining Policies
A policy is the default rule of a chain: it always applies if no other filter rule in the chain matches.
A policy consists of a chain and an action:
iptables -P INPUT DROP
Attention: This policy blocks all incoming traffic if no other rules are defined.
In this example, all incoming packets in the filter table that match no rule are discarded by the policy.
Section 3 - Loopback Interface (127.0.0.1)
On every Linux system there is a local network adapter called lo.
Internal host applications communicate over this adapter, some of them via IPC (Inter Process Communication).
It is therefore advisable not to apply any filter rules to this adapter, as doing so can lead to communication problems.
This adapter should be allowed to communicate without restrictions:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Section 4 - Practical Examples
Create a packet filter rule
This rule allows incoming HTTPS traffic:
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Create a host filter rule
This rule allows incoming traffic from the specified host:
iptables -A INPUT -s 10.0.0.1 -j ACCEPT
This rule prohibits incoming traffic from the specified host:
iptables -A INPUT -s 10.0.0.1 -j DROP
Rules can also be added at a specific location:
iptables -I INPUT 2 -s 10.0.0.1 -j DROP
This rule is inserted at position 2 of the INPUT chain.
Delete all rules
Deletes all rules in all chains:
iptables -F
Deletes all rules in the INPUT chain:
iptables -F INPUT
Delete a rule
This lists the rules together with their numbers:
iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:https
2 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
This number can now be used to delete the desired rule:
iptables -D INPUT 1
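Rule numbers shift as soon as a rule is deleted: after `iptables -D INPUT 1`, the former rule 2 becomes rule 1. The following shell functions, added here as an example and not part of the original article, parse `iptables -L --line-numbers` output (a constructed listing in the same shape as the one above) and emit the delete commands highest number first, so that several matching rules can be removed in one pass without hitting the wrong one. The chain name and the pattern are the only inputs; `SAMPLE_LISTING` is constructed sample data.

```shell
# Added example, not from the original article: find rule numbers in
# `iptables -L --line-numbers` output and emit delete commands for them.

# rule_numbers CHAIN PATTERN  (listing on stdin)
# Prints the numbers of all rules in CHAIN whose line matches PATTERN,
# highest first, because deleting rule 1 renumbers rule 2 to 1.
rule_numbers() {
    chain="$1" pattern="$2"
    awk -v chain="$chain" -v pat="$pattern" '
        /^Chain / { inchain = ($2 == chain); next }      # remember which chain we are in
        inchain && $1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }  # numbered rule lines only
    ' | sort -rn
}

# delete_commands CHAIN PATTERN  (listing on stdin)
# Prints one "iptables -D CHAIN N" line per matching rule, safe to run top to bottom.
delete_commands() {
    chain="$1" pattern="$2"
    rule_numbers "$chain" "$pattern" |
        while read -r n; do printf 'iptables -D %s %s\n' "$chain" "$n"; done
}

# Constructed listing: the article's output plus one extra DROP rule.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:https
2 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
3 DROP all -- 10.0.0.1 anywhere
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination'

# Example run: remove every ACCEPT rule from INPUT (prints "iptables -D INPUT 2", then "... 1").
printf '%s\n' "$SAMPLE_LISTING" | delete_commands INPUT ACCEPT
```

On a live system the listing comes from `iptables -L --line-numbers | delete_commands INPUT ACCEPT`, and the printed commands are reviewed before being executed. Deleting by rule specification (`iptables -D INPUT -p tcp --dport 443 -j ACCEPT`) avoids the numbering problem altogether when the exact rule is known.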
Connection State
Connection state rules allow packets that belong to an already established connection to be accepted directly, so that they do not have to pass through the remaining filter rules.
Allow incoming packets for existing connections:
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Allow outgoing packets for existing connections:
iptables -A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Hint: The connection state rules should be placed high up in the chain, otherwise they lose their benefit because most packets are checked against the other rules first.
Discarding invalid packets
This command discards all incoming packets that connection tracking classifies as INVALID, i.e. packets that belong to no known connection or that violate the TCP / IP protocol rules. The --ctstate match belongs to the conntrack module, so -m conntrack must precede it:
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
Syn-Flood Protection
These entries limit the rate of new TCP connections (SYN packets) and of ICMP requests, so that a flood of requests does not overload the server. A separate chain syn_flood is created, all SYN packets are passed through it, and packets above the limit (1 per second, with a burst of 3) are dropped:
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
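Sections 2.2, 3 and 4 each show one building block; the order in which they are loaded decides whether the result is a working firewall or a lockout. The script below is an added example, not from the original article: it assembles those blocks into one complete ruleset in iptables-restore format, which is applied atomically (the DROP policy only takes effect at COMMIT, after the loopback and state rules are in place). It assumes the uplink interface is eth0, that SSH (22) and HTTPS (443) are the services to expose, an OUTPUT policy of ACCEPT, and a FORWARD policy of DROP; it uses -m conntrack rather than the older -m state, restricts the ICMP rate limit to echo-request, and accepts an optional source network for SSH. `check_ruleset` is a hypothetical sanity check that can run without root.

```shell
#!/bin/sh
# Added example, not from the original article: build the article's rules into
# one iptables-restore file in the recommended order.
# Assumptions: uplink eth0, services SSH and HTTPS, OUTPUT ACCEPT, FORWARD DROP.

# build_ruleset [IFACE] [SSH_SOURCE]  - prints the ruleset on stdout.
build_ruleset() {
iface="${1:-eth0}"
ssh_source="${2:-0.0.0.0/0}"   # e.g. 10.0.0.0/8 to allow SSH only from an internal network
cat <<EOF
*filter
# Policies (Section 2.2): declared first, but only active after COMMIT.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:syn_flood - [0:0]
# Section 3: never filter the loopback adapter.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Section 4: connection state rules high up, then invalid packets dropped.
-A INPUT -i ${iface} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Section 4: SYN flood limiting, checked before the service rules.
-A INPUT -p tcp --syn -j syn_flood
-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
-A syn_flood -j DROP
# Section 4: services; SSH optionally restricted to a source network.
-A INPUT -p tcp -s ${ssh_source} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Section 4: rate-limited ping, excess logged (also rate-limited) and dropped.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "PING-DROP: "
-A INPUT -p icmp --icmp-type echo-request -j DROP
COMMIT
EOF
}

# check_ruleset RULESET  - hypothetical offline check: the loopback ACCEPT must
# come before the first INPUT DROP rule and the file must end with COMMIT.
check_ruleset() {
    rules="$1"
    lo_line=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -i lo -j ACCEPT' | cut -d: -f1 | head -n1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT .*-j DROP' | cut -d: -f1 | head -n1)
    last=$(printf '%s\n' "$rules" | tail -n1)
    [ -n "$lo_line" ] && [ -n "$drop_line" ] && [ "$lo_line" -lt "$drop_line" ] && [ "$last" = "COMMIT" ]
}

# Example run: print the ruleset for eth0 with SSH limited to 10.0.0.0/8.
build_ruleset eth0 10.0.0.0/8
```

The generated text is the same format that iptables-save writes in Section 5, so `build_ruleset eth0 10.0.0.0/8 > /etc/iptables/rules.v4` produces a persistent configuration directly. Before loading it on a live system, `iptables-restore --test < /etc/iptables/rules.v4` (on iptables versions that provide the option) parses the file without committing it, and `iptables-restore < /etc/iptables/rules.v4` then replaces the whole filter table in one step.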
Section 5 - Persistence
The configured firewall rules are not automatically persistent. To change this, the package iptables-persistent must be installed.
After that, the current configuration can be saved with the following commands:
iptables-save > /etc/iptables/rules.v4 # For IPv4
ip6tables-save > /etc/iptables/rules.v6 # For IPv6
Section 6 - Countries Block
With the following script you can generate IP drop rules for whole countries.
Note: This blocking is limited to IPv4 addresses.
#!/bin/bash
### PUT A SPACE-SEPARATED LIST OF COUNTRY CODES HERE ###
COUNTRIES=(de at)
WORKDIR=$(mktemp -d)
#######################################
# Download the IPv4 zone file of every listed country into one block list.
for i in "${COUNTRIES[@]}"
do
    curl -fsS "http://www.ipdeny.com/ipblocks/data/countries/$i.zone" >> "$WORKDIR/iptables-blocklist.txt"
done
if [ -f "$WORKDIR/iptables-blocklist.txt" ]; then
    # Note: this flushes every rule currently loaded in the filter table.
    iptables -F
    BLOCKDB="$WORKDIR/iptables-blocklist.txt"
    # Skip comment lines; every other line is treated as an IP network.
    IPS=$(grep -Ev "^#" "$BLOCKDB")
    # Write one DROP rule per network into input.sh and output.sh.
    for i in $IPS
    do
        echo "iptables -A INPUT -s $i -j DROP" >> input.sh
        echo "iptables -A OUTPUT -d $i -j DROP" >> output.sh
    done
fi
rm -r "$WORKDIR"
In the script above, the variable COUNTRIES can be updated to include any countries you want to block. When the script is executed, it creates two files, input.sh and output.sh, which contain the iptables commands needed to block the IP addresses of the countries.
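The script above passes every non-comment line of the downloaded zone file straight into an iptables command that is later run as root, so a truncated, corrupted or tampered download ends up on the command line unchecked. The functions below are an added example, not part of the original article: `valid_cidr` accepts only a syntactically valid IPv4 address or network, and `zone_to_rules` converts a zone file into iptables-restore lines while reporting and skipping anything else. `SAMPLE_ZONE` is constructed sample data in the ipdeny zone format with two malformed lines mixed in.

```shell
#!/bin/sh
# Added example, not from the original article: validate zone-file entries
# before turning them into DROP rules.

# valid_cidr ENTRY  - succeeds only for a.b.c.d or a.b.c.d/len with every
# octet in 0-255 and len in 0-32; anything else (spaces, letters, extra
# fields, out-of-range numbers) is rejected.
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        $0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if (NF == 5 && $5 > 32) exit 1
          exit 0 }'
}

# zone_to_rules  - reads zone lines on stdin, prints restore-format DROP rules
# for valid entries on stdout and a note about each rejected line on stderr.
zone_to_rules() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # blank lines and comments
        if valid_cidr "$line"; then
            printf -- '-A INPUT -s %s -j DROP\n-A OUTPUT -d %s -j DROP\n' "$line" "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done
}

# Constructed sample zone file: two valid networks, two bad lines.
SAMPLE_ZONE='# de zone (constructed sample)
2.16.6.0/23
5.9.0.0/16
999.1.1.0/24
5.10.0.0/16 extra
'

# count_rules  - number of rule lines produced from the sample (4: two per network).
count_rules() {
    printf '%s\n' "$SAMPLE_ZONE" | zone_to_rules 2>/dev/null | grep -c '^-A'
}

# Example run: prints the four rules and two "skipping" notes.
printf '%s\n' "$SAMPLE_ZONE" | zone_to_rules
```

In the country script, `zone_to_rules < "$BLOCKDB"` can replace the grep and echo loop; wrapping its output in `*filter` / `COMMIT` gives a file that iptables-restore -n (no flush) can load in one step instead of running thousands of individual iptables commands.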
Summary
In this article, the functionality of iptables was explained. In addition, practical examples were used to illustrate the different ways of using iptables in an optimal way.