IPTables Network Filtering

CyberPunk System Administration

Introduction

Here we’re going to go through some short info on IPTables Network Filtering, Available Tables and Chains. Basic explanation how things work here.

When it comes to network security, iptables is a very usefull utility (provided by the Linux Kernel Firewall – kernel’s netfilter framework) that enables you to control what’s going on on the network. In order to work with iptables you’ll need elevated priviledges (root). Quick example before we continue :

# iptables [-t table] command [match pattern] [action] 
an example (drop packets with the specified source address): 
# iptables -t filter -I INPUT -s 192.168.1.66 -j DROP

Both IPv4 and IPv6 variants are available (iptables, ipv6tables).

IPTables Network Filtering (IPTables tables, chains & rules)

Tables we have consist of chains, basically a list of rules which are being followed in specified order. For instance, the default table (filter) has three built-in chains: INPUT, OUTPUT and FORWARD, activated at different points in IPTables network filtering. The default rule is to ACCEPT everything (no rules at all). Very insecure, so a better setup would be to DROP everything. Dropped package will not continue in any chain (no warning or errors are sent).

Filter table:

Default table, contains the built-in chains:

INPUT – Controls the behaviour for incoming connections/packets. IPTables will try to match connection IP & port with a rule in the input chain.
OUTPUT – Related to Outgoing connections/packets (generated locally, going out)
FORWARD – Controls the incoming connections/packets that are out to be routed through the local server. So, you’ll need these only in case of some type of routing (NAT).

# iptables -t filter --list
(or)
# iptables --list

NAT table:

Consulted when a packet that creates a new connection is encountered :

PREROUTING – Alters packets before routing (immediately on arrival)
POSTROUTING – Alter packets after routing (when they’re leaving the system)
OUTPUT – Altering locally-generated packets before routing

# iptables -t nat --list

Mangle table:

For specialized packet alteration, as special entries and alterations in packet header ( Type of Service, Time To Live,… ). Until kernel 2.4.17 it had two built-in chains: PREROUTING and OUTPUT. Since kernel 2.4.18, three other built-in chains are also supported (INPUT, FORWARD, POSTROUTING):

INPUT – packets coming into the box itself
OUTPUT – used for altering locally-generated packets before routing
FORWARD – altering packets being routed through the box
PREROUTING – changing incoming packets before routing
POSTROUTING – altering packets as they are about to go out

# iptables -t mangle --list

Raw Table:

Mainly used for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks(with higher priority), and is thus called before ip_conntrack, or any other IP tables:

PREROUTING – for packets arriving via any network interface
OUTPUT – for packets generated by local processes

# iptables -t raw --list

Security table:

Used for Mandatory Access Control netowrking rules (such as those enabled by the SECMARK and CONNSECMARK targets). Mandatory Access Control is implemented by Linux Security Modules such as SELinux. This table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules

INPUT – altering packets coming into the box itself
FORWARD – for altering packets being routed through the box
OUTPUT – changing locally-generated packets before routing

As packets go through our networking system (incoming/outgoing), they’ll trigger these chain rules. Each rule has a matching & action segments:

Matching – conditions the packet must satisfy in order for rule to apply (by protocol type, destination/source address, destination/source port, destination/source network, input/output interface, headers, connection state,…)
Action (or target) – action taken when packet matches all conditions. Two types:
- Terminating: Perform an action which terminates evaluation within the chain
  - RETURN – Stops executing the next set of rules in the current chain for this packet. The control returns to the calling chain
  - REJECT (target extensions) – This is sending back an error packet in response to the matched
    packet. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are only
    called from those chains
- Non-Terminating: Perform an action and continues evaluation within the chain.
  - ACCEPT – Accept the packet
  - DROP – Drop the packet
  - QUEUE – Pass the packet to the userspace
  - LOG (target extensions) – Turn on kernel logging of matching packets (dmesg or syslog).

For more details on actions/targets, check MAN pages for iptables and iptables-extensions.

IPTables List Info

# iptables --list

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 192.168.1.66 anywhere

Column details:

num – Rule number within the particular chain
target – Special target variable that we discussed above
prot – Protocols. tcp, udp, icmp, etc.,
opt – Special options for that specific rule.
source – Source ip-address of the packet
destination – Destination ip-address for the packet

IPTables Parameters

-p / --protocol
- The protocol (TCP, UDP, ..)
-s / --source
- Can be an address, network name, hostname, etc.
-d / --destination
- An address, hostname, network name, etc.
-j / --jump
- Specified the target of the rule (what to do if the packet matches)
-g / --goto chain
- Specified that the processing will continue in user-specified chain
-i / --in-interface
- Names the interface from where packets are received
-o / --out-interface
- Name of the interface by which a packet is being sent
-f / --fragment
- The rule will onlyu be applied to the second and subsequent fragments of fragmented packets
-c / --set-counters
- Enables the admin to initialize the packet and byte counters of a rule

IPTables Options

-A / --append
- Add one or more rules to the end of the chain
-C / --check
- Check for a rule matching the specs in the selected chain
-D / --delete
- Delete one or more rules from selected chain
-F / --flush
- Delete all rules
-I / --insert
- Insert one or more rules into selected chain as the given rule number
-L / --list
- Display the rules in selected chain
-n / --numberic
- Display IP address/hostname and post number in numeric format
-N / --new-chain <name>
- Create new user-defined chain
-v / --verbose
- Provide more information when used with the list option
-X / --delete-chain <name>
- Delete the user-defined chain

Saving IPtables Network Filtering rules

In order yo save the rules (to survive a reboot) we must take certain steps.

Ubuntu

Relatively straightforward, use iptables-persistent package:

# sudo apt-get install iptables-persistent

During installation, you’ll have an option to save current rules:

If you update your rules later on, save those changes with (after Ubuntu 16.04):

# sudo netfilter-persistent save

Prior to 16.04, use:

# sudo invoke-rc.d iptables-persistent save

Placed in /etc/iptables/rules.v4 (also mentioned: /etc/iptables.firewall.rules, I didn’t check in details)

For restoring, try:

# iptables-restore < /etc/iptables/rules.v4

<= CentOS 6

On CentOS 6 and older you can use:

# sudo service iptables save

Rule path: /etc/sysconfig/iptables

CentOS 7 >=

CentOS 7 is using FirwallD. We’ll cover this later on

# firewall-cmd --zone=public --add-port=3000/tcp --permanent

to reload rules:

# firewall-cmd --reload

You could disable firewalld (and install/enable iptables):

# systemctl disable firewalld
# yum install iptables-services
# systemctl enable iptables 
# service iptables save

Things to work on:

Check nfttables. Newcomer, out to replace iptables/ebtables/arptables. Much simplex syntax.

Enough about IPTables Network Filtering in general, you can continue with some IPTables Rules Management (examples and frequently used rules).

centos firewall iptables linux packet filtering ubuntu