
Monday, March 6, 2017

A Clear Explanation of IPTables, Rules and Chains

Iptables is a Linux-based firewall. Initially it may look complex and even confusing, but once you understand the basics of iptables it becomes easy. I hope I will be able to make you understand the concepts of iptables.

List of Topics

1) What is Iptables
2) Structure of Iptables and types of Tables
3) List of Chains
4) What is default chain policy
5) How it Works
6) Flushing/Deleting Individual Rules
7) How to Backup and Restore
8) Moving Iptables Rules position
9) FAQs

1) What is IPTables

IPTables is a Linux-based firewall that manages port-number-based filtering and NAT according to rules. is a daemon which manages internet-based connectivity. It is more secure than inetd.

Chains - Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a 'target', which may be a jump to a user-defined chain in the same table.

2) Structure of Iptables and Types of Tables

Iptables -> Tables -> Chains -> Rules:

IPTABLES - TABLES 

IPTables has the following 4 built-in tables.

a) Filter Table
b) NAT table
c) Mangle table
d) Raw table

Filter Table 

Filter table is the default table for iptables. So, if you don’t define any table, you’ll be using filter table. Filter table has the following built-in chains.

(a) INPUT chain 
(b) OUTPUT chain
(c) FORWARD chain 

To list the rules in the filter table, execute the command below

# iptables -L

No need to mention the table name, as iptables refers to the filter table by default.

NAT table

Iptables NAT table has the following built-in chains.

(a) OUTPUT chain
(b) PREROUTING chain
(c) POSTROUTING chain

To list the rules in the NAT table, execute the following command: # iptables -L -t nat

Mangle table

Mangle table is for specialized packet alteration. This alters QOS bits in the TCP header. Mangle table has the following built-in chains.

(a) INPUT chain
(b) OUTPUT chain
(c) FORWARD chain
(d) PREROUTING  chain
(e) POSTROUTING chain

To list the rules in the mangle table, execute: # iptables -L -t mangle

Raw table

Iptables' raw table is for configuring exemptions from connection tracking. The raw table has the following built-in chains.

(a) PREROUTING chain
(b) OUTPUT  chain

3)  List of Chains

(a) INPUT chain – For packets coming to the local server (incoming to the firewall).
(b) OUTPUT chain – For packets generated locally and going out of the local server.
(c) FORWARD chain – Packets for another NIC on the local server, i.e. packets routed through the local server.
(d) PREROUTING chain – Alters packets before routing, i.e. packet translation happens immediately after the packet comes to the system (and before routing). This helps to translate the destination IP address of the packets to something that matches the routing on the local server. This is used for DNAT (destination NAT).
(e) POSTROUTING chain – Alters packets after routing, i.e. packet translation happens when the packets are leaving the system. This helps to translate the source IP address of the packets to something that might match the routing on the destination server. This is used for SNAT (source NAT).

4) Default Chain policy

The default Linux iptables chain policy is ACCEPT for the INPUT, FORWARD and OUTPUT chains. To check the default policy, just execute iptables -L.

[XXXX@server2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

After the chain name in the bracket you can see (policy ACCEPT) which means the default policy for the chain is ACCEPT. This can be changed by the below command.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

The above commands change the default policy only for the filter table. If you want to change it for other tables as well, you need to add "-t" and mention the table name.

eg: iptables -P OUTPUT DROP -t mangle

Note: Default policy of NAT table can't be set to DROP as NAT table is not for filtering.

5) How it Works

Iptables checks the rules one by one from the top of the chain; the rule with the lowest number takes precedence over the rules below it. So once you've specified your custom rules to accept packets, you should also have a default rule to drop any other packets. This should be the last rule in the INPUT chain.

To drop all incoming packets, do the following.

iptables -A INPUT -j DROP

For example, if we have two consecutive rules for the ssh port like the ones below, the DROP rule takes precedence and gets executed.

-A INPUT -p tcp -m tcp --dport 22 -j DROP

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Note: The big difference between REJECT and DROP is that 
REJECT - results in an ICMP error being returned. 
DROP - Prohibit a packet from passing. Send no response.
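To tie the default-policy point of section 4 and the rule-order point of section 5 together, here is an added example (my own script, not from the original post and not a tool shipped with iptables). It holds two constructed rulesets in iptables-restore format, the conflicting ssh pair from above and a corrected one with a DROP default policy, plus a small POSIX sh function, decide, that walks a chain top to bottom the way iptables does for a new TCP connection and reports which target wins. The walker is a simplified model: it only understands --dport, catch-all rules and the policy line, and it never calls the real iptables binary. The names GOOD_RULES, BAD_RULES and decide are mine.

```shell
#!/bin/sh
# Added example, not from the original post: constructed rulesets in
# iptables-restore format plus a simplified first-match walker.
# Nothing here calls the real iptables binary.

# Correct ordering: specific ACCEPTs first, DROP policy catches everything else.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# The ordering mistake from the post: the DROP for port 22 sits above the
# ACCEPT, so the ACCEPT line is never reached.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# decide RULESET CHAIN PORT
# Prints the target a new TCP connection to PORT hits in CHAIN: the first
# "-A CHAIN" rule whose --dport matches (or that has no --dport at all, like
# "-A INPUT -j DROP"), otherwise the chain's default policy taken from its
# ":CHAIN POLICY [..]" line. Rules limited to the loopback interface or to
# already-established connections are skipped, since the modelled packet is
# a fresh connection arriving from outside.
decide() {
    ruleset=$1 chain=$2 port=$3 policy=ACCEPT
    while IFS= read -r line; do
        case $line in
            ":$chain "*)                       # policy line, e.g. ":INPUT DROP [0:0]"
                rest=${line#* }
                policy=${rest%% *} ;;
            "-A $chain "*)                     # a rule in the chain we are walking
                case $line in
                    *'-i lo'*|*'--ctstate'*) continue ;;
                    *"--dport $port "*) ;;     # explicit match on our port
                    *'--dport '*) continue ;;  # some other port: skip
                esac
                printf '%s\n' "${line##*-j }"  # first applicable rule wins
                return 0 ;;
        esac
    done <<EOF
$ruleset
EOF
    printf '%s\n' "$policy"                    # no rule matched: policy decides
}

decide "$BAD_RULES"  INPUT 22   # DROP   (first rule wins, ACCEPT never reached)
decide "$GOOD_RULES" INPUT 22   # ACCEPT
decide "$GOOD_RULES" INPUT 80   # DROP   (no rule matched, policy applies)
```

The third call is the useful one: with a DROP policy there is no need for a trailing "-A INPUT -j DROP" rule at all, and the chain stays safe even if someone later appends an ACCEPT for a port nobody intended to open, because the policy only applies after every rule has been checked.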

6) Flushing/Deleting Individual Rules

a) Flushing Iptables

Flushing iptables means clearing all the rules of a table, which can be done by executing the command below

# iptables -F

b) Deleting the specific Iptables rules 

Deleting the specific Iptables rules can be done in two ways

Method 1: Before deleting a specific rule, look at the output of the -S option, which prints each rule in the same form as the command that added it. If no chain is selected, all chains are printed. Like every other iptables command, it applies to the specified table (filter is the default).

The output looks just like the commands used to create the rules, but without the preceding "iptables" word:

[XXXX@server2 ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP

Then to delete the rule instead of -A just use -D and execute the command

eg 1): iptables -D INPUT -p tcp -m tcp --dport 22 -j ACCEPT
eg 2):  iptables -D INPUT -j DROP

Method 2 : Delete the rules by using Line numbers

[XXXX@server2 ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0

Then to delete the 2nd Rule just execute below command

[XXXX@server2 ~]# iptables -D INPUT 2
[XXXX@server2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

7) Backup And Restore

Note: To perform the backup and restore operations you must log in as root


To take the backup of iptables,use the iptables-save command.
# iptables-save > /iptables.backup
(Destination File can be anything)

And to restore we need to use iptables-restore command.

# iptables-restore < /iptables.backup


8) Moving Iptables Rules position

As of now there is no direct method to move the position of a rule, but it can be done using the following procedure.

(i)  Write the output of iptables-save to a file: iptables-save > /tmp/iptables_rules.txt
(ii) Edit this file with a text editor and move the line wherever you want.
(iii) Reload the file: iptables-restore < /tmp/iptables_rules.txt
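Section 6 (method 1) and section 8 both come down to editing the rule list as text, so here is an added example that does those edits mechanically. It is my own helper script, not part of the post and not part of iptables, and it works on a constructed iptables-save dump that is embedded below; it never calls the iptables binary. numbered shows rule positions the way iptables --line-numbers counts them, delete_cmd turns an iptables -S line into the matching -D command from method 1, and move_rule moves one rule of a chain to a new position in the dump, which is the text-editor step of section 8. The function names and the dump content are mine.

```shell
#!/bin/sh
# Added example, not from the original post: helpers that edit an
# iptables-save dump as text, the edit the post does by hand in an editor.
# The dump is constructed; nothing here calls the real iptables binary.

# Constructed dump, deliberately with the DROP above the ssh ACCEPT.
SAVED='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# numbered CHAIN < dump
# Prints the rules of CHAIN with the positions iptables --line-numbers uses.
numbered() {
    awk -v chain="$1" '$1 == "-A" && $2 == chain { print ++n, $0 }'
}

# delete_cmd < one "-A ..." line as printed by iptables -S
# Rewrites the line into the matching "iptables -D" command (method 1).
delete_cmd() {
    sed -n 's/^-A /iptables -D /p'
}

# move_rule CHAIN FROM TO < dump > dump
# Moves the FROM-th rule of CHAIN to position TO (1-based). Policy lines,
# other chains, comments and COMMIT pass through unchanged, so the output
# is still valid input for iptables-restore.
move_rule() {
    awk -v chain="$1" -v from="$2" -v to="$3" '
        { lines[NR] = $0 }
        $1 == "-A" && $2 == chain { n++; idx[n] = NR; isrule[NR] = 1 }
        END {
            if (from < 1 || from > n || to < 1 || to > n) {
                print "move_rule: position out of range (chain has " n " rules)" > "/dev/stderr"
                exit 1
            }
            # order[] lists the old rule numbers in their new sequence
            k = 0
            for (i = 1; i <= n; i++) if (i != from) order[++k] = i
            for (i = n; i > to; i--) order[i] = order[i - 1]
            order[to] = from
            j = 0
            for (r = 1; r <= NR; r++) {
                if (r in isrule) print lines[idx[order[++j]]]
                else print lines[r]
            }
        }'
}

printf '%s\n' "$SAVED" | numbered INPUT
#   1 -A INPUT -j DROP
#   2 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
printf '%s\n' "$SAVED" | move_rule INPUT 1 2 | numbered INPUT
#   1 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#   2 -A INPUT -j DROP
printf '%s\n' '-A INPUT -j DROP' | delete_cmd
#   iptables -D INPUT -j DROP
```

Because move_rule passes every non-rule line through untouched, its output can go straight into iptables-restore; check it with numbered first, since a wrong FROM or TO on a remote host is exactly the kind of mistake that locks you out of ssh.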

9) FAQs

a) We have an Ubuntu 12.04 server with httpd on port 80 and we want to limit:
the maximum connections per IP address to httpd to 10
the maximum new connections per second to httpd to 150

How can we do this with iptables?
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 32 -j REJECT --reject-with tcp-reset 

This will reject connections above 15 from one source IP.

iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 150/second --limit-burst 160 -j ACCEPT
iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above <your limit number> --connlimit-mask 0 -j DROP

iptables -A OUTPUT -p tcp --syn -m connlimit --connlimit-above <your limit number> --connlimit-mask 0 -j DROP
