IPTABLES: An Introduction

This is a brief introduction to iptables. In the most basic terms, iptables can be thought of as a firewall.
Basically, there are two components in iptables:

  • Chains
  • Rules

Incoming packets flow through chains. You can define as many chains as you like and then connect them together so that packets flow continuously from one chain to the next. For normal use we can do without defining additional chains, but I will show an example with a custom chain to illustrate the idea. First of all, there are a few keywords (among many) that are important to learn.

  • INPUT: All the incoming data packets come to this chain
  • OUTPUT: All the outgoing data packets come to this chain
  • -N: Defines a new chain
  • -P: Defines the default policy of a chain
  • -A: Appends a rule to a chain
  • ACCEPT: Accept the packet
  • DROP: Drop the packet

For other keywords please refer to the man page.

Here is an example iptables script:

#!/bin/sh
# Define the default policy for the built-in chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Create a user-defined chain called FIREWALL
iptables -N FIREWALL

# Send all packets entering INPUT to our FIREWALL chain first
iptables -A INPUT -j FIREWALL

# Allow ESTABLISHED and RELATED packets (no harm in this because they have already been screened)
iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop packets identified as INVALID (they belong to no known connection)
iptables -A FIREWALL -m state --state INVALID -j DROP
# Allow loopback traffic
iptables -A FIREWALL -i lo -j ACCEPT

# Drop FORWARD packets (assuming the connection is not shared)
iptables -A FORWARD -j DROP

# Now the custom rules; packets that fall off the end of FIREWALL come back here
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 --source abc.xyz.0.0/16 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT

A few important execution rules about chains:

  • Once a rule is matched, execution stops there (and starts again for the next packet)
  • If the current rule is not matched, the packet is passed to the next rule
  • When all the rules of a chain have been traversed without a match, the packet is sent to the next chain or, if there is no other chain, back to the chain it came from
  • If there are no matches and no chain (up or down) to send the packet to, the default policy (defined with -P) is applied

Brief explanation of the custom rules:
The first custom rule accepts incoming packets with destination port 80. This is needed if you have a web server running.
The second rule accepts SSH connections (port 22) only from a specified range of addresses (we talked about this in the securing SSH column).
The third rule accepts ping requests but limits them to 10 packets per second to avoid ICMP flooding.

To add these rules to iptables, save the above file (preferably in /etc) and execute it. Each iptables line is a command that adds the rule or policy it describes.

It is good practice to flush the existing rules before creating the new ones, because otherwise the new rules and chains will be appended to the existing ones and the firewall will not behave as you expect. To flush the existing rules, just include the following lines at the beginning of the above script.

# Flush the existing rules in the filter table
iptables -F
# Flush the rules in the nat table
iptables -F -t nat
# Delete all user-defined chains (they must be empty, which the flush above ensures)
iptables -X

Now every time you add or remove a rule and re-execute the script, all the existing rules will be flushed before the new rules are set.
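As an added example (not part of the original post), here is the whole script rebuilt with the flush in front and with the default INPUT policy set to DROP, so that the explicit ACCEPT rules are what actually let traffic in; with the ACCEPT policy used above, the custom rules change nothing because unmatched packets are accepted anyway. It also orders the steps so a flush never locks you out. The interface name (eth0), the admin range (192.0.2.0/24, a documentation placeholder) and the wrapper function names are assumptions; the iptables options themselves are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post: the firewall script rebuilt
# with a DROP default policy on INPUT. IFACE and ADMIN_NET are assumptions;
# override them via the environment. Applying needs root; "show" only prints.

IFACE="${IFACE:-eth0}"                  # assumed external interface
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"  # placeholder range (TEST-NET-1); replace

# Wrapper around iptables: echo the command in dry-run mode, else run it.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_firewall() {
    # Open the default policies BEFORE flushing: with a DROP policy already in
    # place, a flush would cut every connection (your SSH session included)
    # until the accept rules below are re-added.
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -F            # flush rules in the filter table
    ipt -F -t nat     # flush rules in the nat table
    ipt -X            # delete user-defined chains (empty after the flush)

    # Custom chain doing the stateful screening; INPUT jumps here first.
    ipt -N FIREWALL
    ipt -A FIREWALL -i lo -j ACCEPT
    ipt -A FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FIREWALL -m state --state INVALID -j DROP
    # A packet matching nothing above falls off the end of FIREWALL and
    # returns to INPUT, where the rules below are tried in order.

    ipt -A INPUT -j FIREWALL
    ipt -A INPUT -i "$IFACE" -p tcp -m tcp --dport 80 -j ACCEPT
    ipt -A INPUT -i "$IFACE" -p tcp -m tcp --dport 22 --source "$ADMIN_NET" -j ACCEPT
    ipt -A INPUT -i "$IFACE" -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT

    # Policies last, once the accept rules exist: everything else is dropped.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
}

# Print the commands apply_firewall would run, without touching the kernel.
show_firewall() {
    ( DRY_RUN=1; apply_firewall )
}

# How many rules open the given TCP port (sanity check on the generated set).
count_rules_for_port() {
    show_firewall | grep -c -- "--dport $1 "
}

case "${1:-}" in
    apply) apply_firewall ;;     # sudo ./firewall.sh apply
    show)  show_firewall ;;      # ./firewall.sh show
esac
```

Run `./firewall.sh show` first and read the generated commands; only then `sudo ./firewall.sh apply`. Keep the second rule's admin range tight, since with the DROP policy it is the only thing that reaches sshd, and test from a second session before closing the one you are in.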

Finally, to see your iptable rules at work:

sudo iptables -L

There you have the very basics of iptables.
