IPtables basics

1. Overview:

Iptables firewall is used to manage packet filtering and NAT rules. Iptables comes with all Linux distributions.

On a high-level iptables might contain multiple tables. Tables might contain multiple chains. Chains can be built-in or user-defined. Chains might contain multiple rules. Rules are defined for the packets. So, the structure is: iptables -> Tables -> Chains -> Rules.

2. IPTABLES TABLES and CHAINS

IPtables has the following 4 built-in tables.

2.1. Filter Table:

Filter is default table for iptables. So, if you don’t define you own table, you’ll be using filter table. IPtables’s filter table has the following built-in chains:

• INPUT chain – Incoming to firewall. For packets coming to the local server.
• OUTPUT chain – Outgoing from firewall. For packets generated locally and going out of the local server.
• FORWARD chain – Packet for another NIC on the local server. For packets routed through the local server.

2.2. NAT table:

Iptable’s NAT table has the following built-in chains.

• PREROUTING chain – Alters packets before routing. i.e Packet translation happens immediately after the packet comes to the system (and before routing). This helps to translate the destination ip address of the packets to something that matches the routing on the local server. This is used for DNAT (destination NAT).
• POSTROUTING chain – Alters packets after routing. i.e Packet translation happens when the packets are leaving the system. This helps to translate the source ip address of the packets to something that might match the routing on the desintation server. This is used for SNAT (source NAT).
• OUTPUT chain – NAT for locally generated packets on the firewall.

2.3. Mangle table:

Iptables’s Mangle table is for specialized packet alteration. This alters QOS bits in the TCP header. Mangle table has the following built-in chains.

• PREROUTING chain
• OUTPUT chain
• FORWARD chain
• INPUT chain
• POSTROUTING chain

2.4. Raw table:

Iptable’s Raw table is for configuration excemptions. Raw table has the following built-in chains.

• PREROUTING chain
• OUTPUT chain

3. IPTABLES RULES:

Following are the key points to remember for the iptables rules:

• Rules contain a criteria and a target.
• If the criteria is matched, it goes to the rules specified in the target (or) executes the special values mentioned in the target.
• If the criteria is not matched, it moves on to the next rule.

3.1 Target Values

Following are the possible special values that you can specify in the target.

• ACCEPT – Firewall will accept the packet.
• DROP – Firewall will drop the packet.
• QUEUE – Firewall will pass the packet to the userspace.
• RETURN – Firewall will stop executing the next set of rules in the current chain for this packet. The control will be returned to the calling chain.
• REJECT – it will discard the package but will send a acknowledgement package back to sender.

3.2 Firewall Rule Parameters:

The following parameters are available for all kinds of firewall rules.

-p is for protocol:

• Indicates the protocol for the rule.
• Possible values are tcp, udp, icmp
• Use “all” to allow all protocols. When you don’t specify -p, by default “all” protocols will be used. It is not a good practice to use “all”, and always specify a protocol.
• Use either the name (for example: tcp), or the number (for example: 6 for tcp) for protocol.
• /etc/protocols file contains all allowed protocol name and number.
• You can also use –protocol

-s is for source:

• Indicates the source of the packet.
• This can be ip address, or network address, or hostname
• For example: -s 192.168.1.101 indicates a specific ip address
• For network mask use /mask. For example: “-s 192.168.1.0/24″ represents a network mask of 255.255.255.0 for that network. This matches 192.168.1.x network.
• When you don’t specify a source, it matches all source.
• You can also use –src or –source

-d is for destination:

• Indicates the destination of the packet.
• This is same as “-s” (except this represents destination host, or ip-address, or network)
• You can also use –dst or –destination

-j is target:

• j stands for “jump to target”
• This specifies what needs to happen to the packet that matches this firewall rule.
• Possible values are ACCEPT, DROP, QUEUE, RETURN
• You can also specify other user defined chain as target value.

-i is for in interface:

• i stands for “input interface”
• You might over look this and assume that “-i” is for interface. Please note that both -i and -o are for interfaces. However, -i for input interface and -o for output interface.
• Indicates the interface through which the incoming packets are coming through the INPUT, FORWARD, and PREROUTING chain.
• For example: -i eth0 indicates that this rule should consider the incoming packets coming through the interface eth0.
• If you don’t specify -i option, all available interfaces on the system will be considered for input packets.
• You can also use –in-interface

-o is for out interface:

• o stands for “output interface”
• Indicates the interface through which the outgoing packets are sent through the INPUT, FORWARD, and PREROUTING chain.
• If you don’t specify -o option, all available interfaces on the system will be considered for output packets.
• You can also use –out-interface

--sport is for source port (for -p tcp, or -p udp):

• By default all source ports are matched.
• You can specify either the port number or the name. For example, to use SSH port in your firewall rule, use either “–sport 22″ or “–sport ssh”.
• /etc/services file contains all allowed port name and number.
• Using port number in the rule is better (for performance) than using port name.
• To match range of ports, use colon. For example, 22:100 matches port number from 22 until 100.
• You can also use –source-port

--dport is for destination port (for -p tcp, or -p udp):

• Everything is same as –sport, except this is for destination ports.
• You can also use –destination-port

4. Network Address Translation:

Network Address Translation (NAT) is the ability to change a data packets destination or source IP address on-the-fly, so the packet looks like it came from (or is going to) a different address than the original (also works on port numbers).

The iptables package also provides support for NAT and has a built-in nat table just for that purpose. Below is a listing of the default chains that are found in the nat table and an explanation of how they are applied.

Table Name	Chain Name	Chain Details
Nat	PREROUTING	For altering packets as they are entering the system (before filter INPUT)
	POSTROUTING	For altering packets as they are exiting the system (after filter OUTPUT)
	OUTPUT	For altering  packets before leaving the local system (before the routing table)

As the naming suggests, the PREROUTING and POSTROUTING chains are applied before or after any kernel routing decisions are made, so the packets can then be routed to match any new changes which have been made to the destination or source addresses.

 

SNATs and DNATs

Network Address Translation (NAT) occurs when one of the IP addresses in an IP packet header is changed. In a SNAT, the destination IP address is maintained and the source IP address is changed.

A SNAT allows a host on the “inside” of the NAT, to initiate a connection to a host on the “outside” of the NAT.

A DNAT, by way of contrast, occurs when the destination address is changed and the source IP address is maintained. A DNAT allows a host on the “outside” to connect to a host on the “inside”.

In both cases, the NAT has to maintain a connection table which tells the NAT where to route returning packets. An important difference between a SNAT and a DNAT is that a SNAT allows multiple hosts on the “inside” to get to any host on the “outside”. By way of contrast, a DNAT allows any host on the “outside” to get to a single host on the “inside”.

Source NAT:

Source NAT deals with changing the source address of any packets that pass through the NAT device, assuming they meet the criteria of the specified policies and chains. This allows workstations on a private network to send data packets through the NAT device which changes the source address in the packet's header before sending the packet onto the Internet. When the packet reaches its destination and is processed, the distant host returns the packet using the adjusted address as the new destination address, and delivers it back to the NAT device. The NAT device stores a list in memory of all the packets it adjusts, so when they are returned, the packets can be redirected to the real originator of the packets on the internal private network.
Source NAT can be written for inbound and outbound packets, but are more commonly used for outbound.

For a packet to be subject to SNAT, lets consider the following details:

• The packet has meet at least one rule in all three filter chains (INPUT, FORWARD, OUTPUT),
• The packet has been checked against the kernel routing table, and a decision on where to route has been made,
• As the packet leaves the NAT device, the source address is changed to the NATs external IP address,
• The NAT device remembers the real owner of the packet.

It all sounds rather confusing, so lets go straight to an example. Type the following rules at the command prompt and then display the contents of the filter and nat tables with the last command (typed as one line).

Examples:

# iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/24 -j SNAT --to-source 123.123.123.2

 

Destination NAT:

Destination NAT deals with changing the destination address of any packets before they are subjected to any routing decisions. This allows specific traffic to be rewritten so it suits a particular rule and can then be redirected depending on the global policies and destinations required.

In its most typical application, DNAT is normally used to change incoming packets that are destined for a particular service or host, and it rewrites the destination addresses so the packets can pass to a different host located inside the private network, normally a DMZ.

When DNAT occurs, the original host (which is located external of the private network) is not aware the packets have been redirected and that the returning data is from a different server. It should be transparent to the originator.

The following commands can be typed at the command prompt, and the filter and nat tables displayed using the last command.

 

Example:

# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80

 

 

IP Masquerading

Put simply, masquerading is a form of SNAT which should be used for all dynamic interfaces where the IP address is likely to be different each time we connect. This is perfect for our dynamic IP broadband accounts, and saves having to rewrite large SNAT rules each time we connect to the Internet. SNAT remembers connection state information (to a degree) if a static connection was to drop, however using masquerading the connection state information is reset each time the interface is (de)activated. Masquerading automates SNAT for dynamic IP connections.

Because masquerading is so easy (true) we are going to use some state tracking attributes in our rules. Type the following rules at the command prompt and display a listing of the filter and nat

tables.

Example:

# iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/24 -j MASQUERADE

Connection tracking:

Connection tracking is an essential security feature of Iptables. But, what is connection tracking?

It is the ability to maintain connection information in memory. This is new feature added in 2.4.xx Linux kernel. Eariler only commercial firewall has this feature but now it is part of Linux. It can remember connection states such as established & new connections along with protocol types, source and destination ip address. You can allow or deny access based upon state. Following are the states:

·         NEW – A Client requesting new connection via firewall host

·         ESTABLISHED – A connection that is part of already established connection

·         RELATED - A connection that is requesting a new request but is part of an existing connection.

·         INVALID - If none of the above three states can be referred or used then it is an INVAID state.

Understanding the states:

Take FTP example:

A) Connet to ftp server:
You have to use ftp command as follows:
$ ftp ftp.me.com
It opens NEW (STATE) connection at ftp server.

B) Download files
> get bigfile.tar.gz
When client download files from ftp server we call it ESTABLISHED connection.

C) Passive ftp connections
In A passive ftp connection, client connection port is 20, but the trasfer port can be any unused port 1024 or higher. To enable passive mode ftp client can send pass command:
ftp> pass
Passive mode on.

Examples:

Here is an example of SSH server, allow only new and established connection for SSH server IP 64.67.33.76

# iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 64.67.33.76 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -p tcp -s 64.67.33.76 --sport 22 -d 0/0 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

Note:

It also works with stateless protocol such as UDP. The following example allows connection tracking to forward only the packets that are associated with an established connection:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ALLOW

Note: iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options.

There are some modules that can be useful:

 

State: This module, when combined with connection tracking, allows access to the connection tracking state for this packet. States are Invalid, Established, New, Related.

 

String: This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.

--algo {bm|kmp}

Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)

Example:

# iptables –A OUTPUT –p tcp –m string --string “facebook.com” –algo kmp –j DROP

Note: In the above example, -m string is going to match the string.

--string facebook.com is looking for facebook.com string.

To match the string it is using –algo kmp algo.

And finally –j DROP is dropping all the packets maching the criteria.

Time: This matches if the packet arrival time/date is within a given range. All options are optional, but are ANDed when specified.

Examples:

To match on weekends, use:

-m time --weekdays Sa,Su

Or, to match (once) on a national holiday block:

-m time --datestart 2007-12-24 --datestop 2007-12-27

Since the stop time is actually inclusive, you would need the following stop time to not match the first second of the new day:

-m time --datestart 2007-01-01T17:00 --datestop 2007-01-01T23:59:59

During lunch hour:

-m time --timestart 12:30 --timestop 13:30

The fourth Friday in the month:

-m time --weekdays Fr --monthdays 22,23,24,25,26,27,28

Note: You should create a file defining your all the required firewall rules in it. Later you can run this file and those rules will be applied after saving the firewall service.

Note: The reason you can't use iptables to block a URL is because iptables works at OSI Layer 3/4. It only deals with IP Addresses, Port Numbers, Protocol (TCP/UDP etc, not HTTP, FTP) etc

The URL is above that, so iptables never gets to 'see' the URL, only the IP Address that it resolves to. If you look at the rule you created in your test (iptables -nvL), you'll see only 1 IP Address was added as a rule.

Some scenario examples:

1. to block facebook:

# iptables –A OUTPUT –p tcp –m string --string “facebook.com” –algo kmp –j DROP

Note: iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options.

2. to block SSH service to the host:

# iptables –A  INPUT –p tcp –s 192.168.1.0/255.255.255.0 –d 192.168.1.40 –dport 22 –j REJECT

Note: Here, by applying this rule the source network 192.168.1.0/255.255.255.0 can’t do SSH to the destination system IP 192.168.1.40. We blocked SSH by defining source and destination address and the port address.

3. to block SSH service BY the host:

# iptables –A  OUTPUT –p tcp –s 192.168.1.40 –d 192.168.1.0/255.255.255.0  –dport 22 –j REJECT

Note: Now, the host (192.168.1.40) can’t SSH to any system in the network.

5. Content based filtering

url based filtering

6. any GUI tool

7. send mail service block

8. To stop self pinging:

#iptables –A INPUT –i lo –j REJECT

Note: Here self pinging is blocked because we are rejecting all the packets coming to “lo” interface. No rule has been applied regarding ICMP packets. Therefor System will still be able to ping other systems.

9. To stop ICMP all packets that uses ICMP:

#iptables –A INPUT –p ICMP –j REJECT

Note: Here all ICMP packets have been rejected so pinging to other network as well as self pinging is blocked.

10. Reject all established and rejected packets

# iptables –A INPUT –m state –state ESTABLISHED,RELATED –j REJECT