Linux Firewall: IPTables Tutorial

iptables is a tool used in linux distributions to control kernel's netfilter's firewall. Here is a tutorial on iptables.

iptables firewall contains 3 tables, every table contains chains. Those chains are default. User is able to define new chains and link from default chains to those user defined chains.


1. iptables tables
--------------------

iptables contains 3 tables:
a. filter table
b. nat table
c. mangling table


a. filter table
This table is used to filter packets that pass the firewall. Its purpose is only packet filtering, and will filter packets that comes to the machine (incoming), packets that goes out (outgoing) and packets that are forwarded between network cards (filtering), in case that machine has two or more network cards.

That table contains 3 chains: INPUT chain, OUTPUT chain and FORWARD chain.

INPUT chain - used to filter incoming packets
OUTPUT chain - used to filter outgoing packets
FORWARD chain - used to filter forwarded packets (between network cards).

b. nat table
This table is used to change source of the IP.
PREROUTING chain - used to change IP before forwarding take place
POSTROUTING chain - used to change IP after forwarding take place
OUTPUT chain - used to filter on outgoing

c. mangle
This tables is used to modify packets.


2. Syntax of a iptables rule:
------------------------------------
iptables name_of_table name_of_chain layer3_object layer4_object jump_target

Notes:
- by default if name of table is not specify (with "-t nat" for example, for nat table, or "-t mangle" for mangle table), default table is used: filter table;
- layer4_object is not mandatory;

iptables Examples:
iptables -A INPUT -s 192.168.0.1 -j DROP       # will drop all packets that comes from IP 192.168.0.1


3. Chain management
-----------------------------
List tables and chains:
iptables -L                                   # will list all rules from all chains from filter table
iptables -L -v #                            # will list all rules from all chains from filtering table, in verbose mode,
                                                    # showing also packets and bytes that matched that rules
iptables -L -v --line-numbers       # will show above and also rule numbers

iptables -L INPUT                        # will show all rules from INPUT chain from filter table

iptables -L -t nat                          # will show all rules from all chains from nat table
iptables -t nat -L PREROUTING   # will show all rules from PREROUTING chain from nat table

iptables -L -t mangle                   # will show all rules from all chains from mangle table


Adding rules to chains:
To add a rule to a chain use:
iptables -A INPUT -s 192.168.0.1 -j ACCEPT     # will allow traffic from source IP 192.168.0.1
iptables -A INPUT -p tcp --dport 22 -j DROP      # will drop all traffic to destination port 22 (our ssh port)

iptables -A will append rule at the end of rules list  in your specified chain. if you want to insert a rule on a specific position in your chain, then you must use -I.

iptables -I INPUT 1 -s 192.168.0.1 -j ACCEPT    # will add rule in position 1 in your INPUT chain
iptables -I INPUT 10 -p tcp --dport 22 -j DROP   # will add a rule in position 10 of your INPUT chain.

Rules are evaluated from first to last rule. On ACCEPT or DROP rules, if a rule is matched, it will not be evaluated to next rules.

Note 1:  if you want to block traffic that comes to your machine you must add rule on INPUT chain. If you want to block traffic to a destination IP from your machine you must add rule in OUTPUT chain. Also you must have networking knowledge and you must understand how firewall works.

Note 2: Each chain have a default policy. Policy can be ACCEPT or DROP, by default all CHAIN have ACCEPT policy.

Note 3: When adding a rule -j parameter (jump) can have the following values: ACCEPT, DROP, REJECT, DENY, LOG.

Delete all rules from all chains:
iptables -F                                 # will delete all rules from filter table
iptables -F -t nat                       # will delete all rules from nat table
iptables -F -t mangle                 # will delete all rules from mangle table


Deleting a rule from a chain:
To delete a rule from a chain you have two posibilities: to delete a rule using rule number or to delete using syntax used when rule was added:

iptables -D INPUT 10                          # will delete rule 10 from INPUT chain
iptables -D PREROUTING 10 -t nat     # will delete rule 10 from PREROUTING chain from nat table

iptables -D INPUT -s 192.168.0.1 -j ACCEPT      # will delete rule that was added with iptables -A INPUT -s 192.168.0.1 -j ACCEPT

Note: On our previous example, the first rule that match that syntax will be deleted. If are many similar rules, only first will be deleted. To delete all rules that match that syntax, you must use previous command multiple times until you delete all rules.

To delete all rules you can also use (on some old versions of linux, it will not work with -F but with --flush, because of some bugs):
iptables --flush

Saving / Restoring iptables rules:
iptables-save >rules.txt
iptables-restore <rules.txt

(If iptables is not in your path, you can use absolute paths: /sbin/iptables-save, and /sbin/iptables-restore).
Running iptables-save will output rules on standard output (usualy this is screen, so because of that you must use redirections).

4. Chain policy
As I said previously, each chain have a default policy that can be ACCEPT or DROP and by default all CHAIN have ACCEPT policy.
To change chain policy use:

iptables -P INPUT DROP

Note 1: If you are logged to your machine remotely via SSH (and you are not at console) be careful when you change default policy to drop, to not lock you out. Usualy when sysadmins tests firewall remotely it is a good practice to add to your CRON service a rule that will open the firewall, and you enable that script to run every half an hour or 15 minutes, so if you will lock out of your box, after 15 minutes the firewall will be opened.

Note 2: When you design firewall rules to allo access to your machine and block everything else, take in consideration that traffic goes both ways. If you allow traffic on INPUT chaing but your OUTPUT chain block everything, your rule will not work. Usualy is a good practice when you protect your machine to allow everything on OUTPUT ( you want to be able from your machine to do anything), and block everything on INPUT (incoming) for connections that are not initiated from your machine. If your machine run public services, like for example a web server, or a mail server then you must allow connections from outside on INPUT only on ports used by those services (for example allow incoming on port 80 - http, port 25 - smtp, port 110 - pop3 and 143 -imap, mail services.) So as a conclusion when you design your firewall, setup your default policy on INPUT to drop all packets and on OUTPUT leave it default, to allow everything. And then design your firewall.

Note 3: If your machine is not only connected to Internet, but is also a router for your LAN clients, then you must also filter connections from LAN. It is recommended to change policy on FORWARD chain to DROP and then allow only IPs you want from LAN to be able to access Internet.