IPTABLES

From Bauman National Library
This page was last modified on 27 June 2016, at 13:22.
Iptables
Developer(s) Netfilter
Written in C
Operating system Linux
Type firewall settings interface
Website Netfilter

Iptables is a command-line tool, the standard interface for controlling the Netfilter firewall in Linux kernels since version 2.4. With it, administrators create and modify the rules that govern packet filtering and forwarding. For the IPv6 protocol family there is a separate version of the utility, ip6tables. To use iptables you must be the superuser (root).

Basic Concepts

The key concepts of iptables are:

  • Rule - consists of a criterion, an action and a counter. If a packet matches the criterion, the action is applied to it and the counter is updated. The criterion may be absent entirely; then the implicit criterion "all packets" is assumed. The action is optional too; a rule without an action works only as a counter. The rules of each chain are evaluated in the order in which they appear, so the order matters.
    • Criterion - a logical expression that analyzes the properties of a packet and/or connection and determines whether the packet is subject to the current rule. Several criteria in one rule are combined with logical AND.
    • Action - a description of what is to be done with the packet and/or connection if it falls within the scope of the rule. Actions are discussed in more detail below.
    • Counter - the component of a rule that records the number of packets matching the rule's criteria. The counter also records the total size of those packets in bytes.
  • Chain - an ordered sequence of rules. Chains are divided into basic (built-in) and custom (user-defined).
    • Basic chain - a chain created by default when a table is initialized. Every packet, depending on whether it is destined for the host, generated by it, or in transit, passes through a prescribed set of basic chains of different tables. In addition, a basic chain differs from a user chain in having a default policy: the action applied to packets that were not handled by any rule of the chain or of the user chains called from it. Basic chain names are always written in uppercase (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING).
    • Custom chain - a chain created by the user. It can only be used within the table it belongs to. Uppercase names are not recommended for such chains, to avoid confusion with basic chains and built-in actions.
  • Table - a set of basic and custom chains united by a common functional purpose. Table names (like the names of criteria modules) are written in lowercase, so in principle they cannot conflict with user chain names. When calling the iptables command, the table is specified as -t tablename. If no table is given explicitly, the filter table is used.

Parsing a dump:

 # Dump the rules of the filter table with counters
 $ sudo iptables-save -c -t filter
 # The filter table
 *filter
 # Chains INPUT, FORWARD, OUTPUT, their policies and counters
 :INPUT ACCEPT [19302:9473669]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [5462736:4247599532]
 # Rule: "[17:1020]" - the rule counter, "-A INPUT" - the chain, "-i em1 -p tcp -m tcp --dport 22" - the criteria, "-j ACCEPT" - the action
 [17:1020] -A INPUT -i em1 -p tcp -m tcp --dport 22 -j ACCEPT
 COMMIT
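As an added example (not from the original page), here is a small Python parser for the iptables-save dump format shown above. It splits each rule line into counter, chain, criteria and action, and then flags rules placed after an unconditional terminating rule in the same chain, which the in-order evaluation described above makes unreachable. The dump it reads is constructed, not captured from a real host.

```python
import re
DUMP = """# constructed sample of `iptables-save -c -t filter` output, not from a real host
*filter
:INPUT ACCEPT [19302:9473669]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5462736:4247599532]
[17:1020] -A INPUT -i em1 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -j REJECT --reject-with icmp-host-prohibited
[0:0] -A INPUT -p icmp -j ACCEPT
COMMIT
"""
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+)(.*)$")
TERMINATING = {"ACCEPT", "DROP", "REJECT", "QUEUE", "RETURN"}

def parse_dump(text):
    """Split a dump into tables, each holding chain policies/counters and a rule list."""
    tables, table = {}, None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue                                   # comments and blank lines
        if line.startswith("*"):                       # "*filter": start of a table
            table = tables.setdefault(line[1:], {"chains": {}, "rules": []})
        elif line.startswith(":"):                     # ":CHAIN POLICY [pkts:bytes]"
            name, policy, cnt = line[1:].split()
            pk, by = cnt.strip("[]").split(":")
            table["chains"][name] = {"policy": policy, "packets": int(pk), "bytes": int(by)}
        elif line == "COMMIT":
            table = None
        else:
            m = RULE_RE.match(line)
            if m is None:
                raise ValueError("unrecognised line: " + line)
            pk, by, chain, rest = m.groups()
            # criteria precede "-j"; a rule without "-j" is a counter-only rule
            crit, _, act = rest.partition(" -j ")
            act = act.split()
            table["rules"].append({"chain": chain, "packets": int(pk), "bytes": int(by),
                                   "criteria": crit.split(), "action": act[0] if act else None,
                                   "action_args": act[1:]})
    return tables

def unreachable_rules(table):
    """Indexes of rules after an unconditional terminating rule of the same chain."""
    dead, result = set(), []       # rules are evaluated in order, so these never see a packet
    for i, rule in enumerate(table["rules"]):
        if rule["chain"] in dead:
            result.append(i)
        elif not rule["criteria"] and rule["action"] in TERMINATING:
            dead.add(rule["chain"])
    return result
```

Running it on the constructed dump reports that the third INPUT rule (ICMP) is unreachable because the unconditional REJECT precedes it.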

Architecture

In the netfilter system, packets pass through chains. A chain is an ordered list of rules, and each rule can contain criteria and an action or a jump. When a packet passes through a chain, netfilter checks in turn whether the packet matches all the criteria of the next rule and, if so, performs its action (if a rule has no criteria, the action is performed for every packet passing through it). The set of possible criteria is very large. For example, a packet matches the criterion --source 192.168.1.1 if the packet header says the sender is 192.168.1.1. The simplest kind of transition, --jump, simply forwards the packet to the beginning of another chain. An action can also be specified with --jump. The standard actions available in all chains are ACCEPT (pass), DROP (discard), QUEUE (hand over to an external program for analysis) and RETURN (return to the chain from which the current one was called). For example, the commands

 iptables -A INPUT --source 192.168.1.1 --jump ACCEPT
 iptables -A INPUT --jump other_chain

mean "append the following rules to the end of the INPUT chain: pass packets from 192.168.1.1, and send everything else to the chain other_chain for analysis".
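An added model (not netfilter's code) of the traversal described in this section: criteria combined with AND, --jump into another chain, RETURN back to the calling chain, and the base chain's default policy when no rule decides. The INPUT rules mirror the two commands above; the contents of other_chain are an assumed example.

```python
# Added model of chain traversal (not netfilter code): a packet is a dict of header
# fields, a rule is {"criteria": {...}, "action": target}. Criteria are ANDed; a rule
# with no criteria matches every packet. ACCEPT/DROP/QUEUE end traversal, RETURN goes
# back to the calling chain, any other target name jumps into a user chain, and a
# base chain that runs out of rules applies its default policy.
STANDARD = {"ACCEPT", "DROP", "QUEUE", "RETURN"}

# Constructed ruleset mirroring the two commands above (192.168.1.1 and other_chain
# come from the page; the contents of other_chain are an assumed example)
CHAINS = {
    "INPUT": [
        {"criteria": {"source": "192.168.1.1"}, "action": "ACCEPT"},
        {"criteria": {}, "action": "other_chain"},
    ],
    "other_chain": [
        {"criteria": {"proto": "tcp", "dport": 22}, "action": "ACCEPT"},
        {"criteria": {"proto": "icmp"}, "action": "RETURN"},
        {"criteria": {}, "action": "DROP"},
    ],
}
POLICIES = {"INPUT": "ACCEPT"}  # only base chains carry a default policy

def matches(rule, packet):
    """Every criterion must hold (logical AND); an empty criterion set matches all."""
    return all(packet.get(k) == v for k, v in rule["criteria"].items())

def traverse(chains, policies, chain, packet, depth=0):
    """Return the verdict for `packet` entering `chain`; "RETURN" means a user chain
    was left without a verdict, so the caller continues with its next rule."""
    if depth > 16:
        raise RecursionError("jump loop between user chains")
    for rule in chains.get(chain, []):
        if not matches(rule, packet):
            continue
        rule["packets"] = rule.get("packets", 0) + 1   # the rule's packet counter
        target = rule.get("action")
        if target is None:                              # counter-only rule
            continue
        if target == "RETURN":
            break                                       # same as exhausting the chain
        if target in STANDARD:
            return target
        verdict = traverse(chains, policies, target, packet, depth + 1)
        if verdict != "RETURN":
            return verdict
    return policies.get(chain, "RETURN")                # default policy, or back to caller

def verdict(packet):
    return traverse(CHAINS, POLICIES, "INPUT", packet)
```

An ICMP packet from another host hits RETURN in other_chain, INPUT has no further rules, and the INPUT policy (ACCEPT) decides.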

Chains

There are 5 standard chains built into the system:

  • PREROUTING - for the initial processing of incoming packets.
  • INPUT - for incoming packets addressed directly to a local process (client or server).
  • FORWARD - for incoming packets that are routed onward (note that forwarded packets pass first through the PREROUTING chain, then FORWARD and POSTROUTING).
  • OUTPUT - for packets generated by local processes.
  • POSTROUTING - for the final processing of outgoing packets.

You can also create and delete your own chains with the iptables utility.

Tables

Chains are organized into 4 tables:

  • Raw - allows a packet to be marked before the connection tracking (state determination) system sees it. Rarely used; for example, to mark packets that should not be processed by the connection tracking system, the NOTRACK action is specified in a rule. Contains the PREROUTING and OUTPUT chains.
  • Mangle - contains rules for modifying IP packets (usually their headers). Among other things, it supports the actions TTL (Time to Live), TOS (Type of Service) and MARK (for changing the TOS and TTL fields and for setting packet marks). Rarely needed and can be dangerous. It contains all five standard chains.
  • Nat - examines only packets that create a new connection (according to the connection tracking system). It supports the actions DNAT, SNAT, MASQUERADE and REDIRECT. It contains the PREROUTING, OUTPUT and POSTROUTING chains.
  • Filter - the main table, used by default when no table name is specified. It contains the INPUT, FORWARD and OUTPUT chains.

Chains with the same name in different tables are completely independent entities. For example, raw PREROUTING and mangle PREROUTING usually contain different sets of rules; a packet must pass first through the raw PREROUTING chain and then through mangle PREROUTING.

Status

In the netfilter system, each packet passing through the connection tracking mechanism can be in one of four states:

  • NEW - the packet opens a new session. A classic example is a TCP packet with the SYN flag.
  • ESTABLISHED - the packet is part of an existing session.
  • RELATED - the packet opens a new session associated with an already open session. For example, in a passive FTP session the client connects to server port 21, the server tells the client a second, random port number, and the client then connects to that second port to transfer files. Here the second session (file transfer to the second port) is related to the existing session (the initial connection to port 21).
  • INVALID - all other packets.

Basic Configuration

Below is an example of a basic static iptables configuration. When saving and loading this configuration, keep in mind that other services, such as Fail2ban, may also make changes to it. Furthermore, when IPv6 is in use, the IPv6 configuration must be done separately from IPv4.

IPv4

  • View the current configuration:
 sudo iptables-save
  • Create a script that loads the iptables rules:
 sudo nano /etc/network/if-up.d/iptables-rules
  • Copy in the following code:
 #!/sbin/iptables-restore
 # The filter table and its chains
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 # Allow established and related connections
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Allow ICMP service traffic
 -A INPUT -p icmp -j ACCEPT
 # Allow trusted traffic on the loopback interface
 -A INPUT -i lo -j ACCEPT
 # Additional rules for the INPUT chain can be inserted here
 # Reject everything else for INPUT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 # The order and meaning of the rules for the FORWARD and OUTPUT chains are the same as for INPUT
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -p icmp -j ACCEPT
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 # Filtering the OUTPUT chain is strongly discouraged
 # -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # -A OUTPUT -p icmp -j ACCEPT
 # -A OUTPUT -o lo -j ACCEPT
 # -A OUTPUT -j REJECT --reject-with icmp-host-prohibited
 COMMIT
  • Add the rules you need, taking into account the output of iptables-save.
  • Save and close: Ctrl + O, Enter, Ctrl + X
  • Make the script executable and load the iptables rules:
 sudo chmod +x /etc/network/if-up.d/iptables-rules
 sudo /etc/network/if-up.d/iptables-rules

IPv6

  • View the current configuration:
 sudo ip6tables-save
  • Create a script that loads the ip6tables rules:
 sudo nano /etc/network/if-up.d/ip6tables-rules
  • Copy in the following code:
 #!/sbin/ip6tables-restore
 # The filter table and its chains
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 # Allow established and related connections
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Allow ICMPv6 service traffic
 -A INPUT -p ipv6-icmp -j ACCEPT
 # Allow trusted traffic on the loopback interface
 -A INPUT -i lo -j ACCEPT
 # Additional rules for the INPUT chain can be inserted here
 # Reject everything else for INPUT
 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
 # The order and meaning of the rules for the FORWARD and OUTPUT chains are the same as for INPUT
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -p ipv6-icmp -j ACCEPT
 -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
 # Filtering the OUTPUT chain is strongly discouraged
 # -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # -A OUTPUT -p ipv6-icmp -j ACCEPT
 # -A OUTPUT -o lo -j ACCEPT
 # -A OUTPUT -j REJECT --reject-with icmp6-adm-prohibited
 COMMIT
  • Add the rules you need, taking into account the output of ip6tables-save.
  • Save and close: Ctrl + O, Enter, Ctrl + X
  • Make the script executable and load the ip6tables rules:
 sudo chmod +x /etc/network/if-up.d/ip6tables-rules
 sudo /etc/network/if-up.d/ip6tables-rules

Additional rules

  • Below are some relatively frequently used rules. The INPUT and OUTPUT chains are used to filter local traffic; for transit traffic the FORWARD chain must be used.

Remote access

 # remote.ssh
 -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
 # remote.rdp
 -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 3389 -j ACCEPT
 # remote.vnc
 -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 5900 -j ACCEPT

Web and file services

 # web.http, web.https
 -A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -j ACCEPT
 # web.ftp; the nf_conntrack_ftp module must be loaded
 -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT

E-mail and instant messages

 # mail.pop3, mail.pop3s
 -A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 110,995 -j ACCEPT
 # mail.imap, mail.imaps
 -A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 143,993 -j ACCEPT
 # mail.smtp, mail.smtps
 -A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 25,465 -j ACCEPT
 # im.xmpp
 -A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 5222,5223 -j ACCEPT
 # im.icq.oscar
 -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 5190 -j ACCEPT

Network Services

 # network.openvpn.vpn
 -A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 1194 -j ACCEPT
 # network.squid.proxy (Squid listens on TCP)
 -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 3128 -j ACCEPT
 # network.dns
 -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
 -A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
 # network.ntp
 -A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 123 -j ACCEPT
 # network.tftp; the nf_conntrack_tftp module must be loaded
 -A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 69 -j ACCEPT
 # network.dhserver.dhcp.discover-request
 -A INPUT -p udp -m conntrack --ctstate NEW -m udp --sport 68 --dport 67 -j ACCEPT
 # network.dhclient.dhcp.discover-request
 # -A OUTPUT -p udp -m conntrack --ctstate NEW -m udp --sport 68 --dport 67 -j ACCEPT
 # network.dhserver.dhcp.offer-ack
 # -A OUTPUT -p udp -m conntrack --ctstate NEW -m udp --sport 67 --dport 68 -j ACCEPT

Testing and Debugging

  • View the current configuration for both IPv4 and IPv6:
 sudo iptables-save
 sudo ip6tables-save


Kernel modules

  • View the loaded modules:
 lsmod | grep -E '^ip|^nf' | sort
  • To load additional modules it is convenient to use shell autocompletion (press Tab twice after the prefix):
 sudo modprobe nf
 sudo modprobe ip
  • Frequently used modules: nf_conntrack_ftp, nf_conntrack_pptp, nf_conntrack_tftp, nf_nat_pptp.
  • Loading modules at startup:
 man modules-load.d
