
Overview

Technically speaking, iptables is not itself a firewall; the real firewall is netfilter, which runs in the system kernel. iptables is merely the user-space front end to netfilter: it takes the user's requests and converts them into rules that netfilter can accept. iptables mainly operates at the network layer.

The core processing mechanism of a firewall is filtering, and filtering has two key elements: "condition" and "action".

What the firewall processes is network traffic, and the most important information identifying a piece of traffic is the five-tuple: source IP address, destination IP address, source port, destination port, and upper-layer protocol.

1. Basic syntax format of iptables
iptables [-t table_name] command_options [chain_name] [condition_match] [-j target_action_or_jump]
Description:
table_name and chain_name are used to specify the table and chain that iptables will operate on;
command_options are used to specify how to manage iptables rules (e.g., insert, add, delete, view, etc.);
condition_match is used to specify the conditions under which packets will be processed;
target_action_or_jump is used to specify how packets will be handled, such as allowing, rejecting, dropping, or jumping to other chains for processing.
2. Four Tables and Five Chains

1. Chains
- INPUT: Processes incoming packets, matching packets with the destination IP as the local machine.
- OUTPUT: Processes outgoing packets, generally no configuration is done on this chain.
- FORWARD: Processes forwarded packets, matching packets that pass through the local machine.
- PREROUTING: Processes packets before the routing decision is made; used to modify destination addresses, i.e. DNAT. This is what maps, for example, port 80 of an internal host to a port on the router's external address.
- POSTROUTING: Processes packets after the routing decision is made; used to modify source addresses, i.e. SNAT. This is what lets internal hosts reach the internet through one public IP address via the router's NAT function.
2. Chain Matching Order

Host-based firewall:
- Incoming data (packets from outside whose destination address is the firewall host itself): PREROUTING -> INPUT -> local application;
- Outgoing data (packets sent from the firewall host to external addresses): local application -> OUTPUT -> POSTROUTING.
Network-based firewall:
- Forwarded data (packets that pass through the firewall on their way elsewhere): PREROUTING -> FORWARD -> POSTROUTING
Matching order within a rule chain:
- Rules are checked sequentially from top to bottom, and processing stops at the first rule that matches (except for a LOG rule, which only records the packet and lets matching continue)
- If no rule in the chain matches, the chain's default policy is applied (the default policy is to allow)
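The matching order just described can be made concrete with a small simulation. The following POSIX shell script is an added example and not code from the original article: it walks a constructed INPUT chain from top to bottom over a packet's five-tuple (reduced here to protocol, source address and destination port), stops at the first terminating match, lets a LOG rule record the packet and keep matching, and falls back to the chain's default policy when nothing matches. The rules, policy and packets are constructed for illustration and are not real configuration.

```shell
#!/bin/sh
# Added example: a toy first-match-wins evaluator modelled on the iptables INPUT chain.
# Not part of the original article; the rules, policy and packets below are constructed.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip> <cidr|ip|any>: succeed when <ip> falls inside the network.
in_cidr() {
  cidr=$2
  [ "$cidr" = any ] && return 0
  net=${cidr%/*}
  bits=${cidr#*/}
  [ "$net" = "$cidr" ] && bits=32                       # bare address: exact match
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))  # 0xFFFFFFFF shifted to /bits
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Constructed INPUT chain, one rule per line: <proto> <source> <dport> <target>.
# "all" and "any" are wildcards, like -p all or an omitted -s / --dport in iptables.
INPUT_POLICY=DROP
INPUT_CHAIN='all 192.168.1.0/24 any ACCEPT
tcp 192.168.2.0/24 80 ACCEPT
icmp any any DROP
tcp any 22 LOG
tcp any 22 ACCEPT'

# verdict <proto> <src-ip> <dport>: print the target that decides the packet's fate.
verdict() {
  pproto=$1; psrc=$2; pport=$3
  while read -r rproto rsrc rport target; do
    [ "$rproto" = all ] || [ "$rproto" = "$pproto" ] || continue
    in_cidr "$psrc" "$rsrc" || continue
    [ "$rport" = any ] || [ "$rport" = "$pport" ] || continue
    if [ "$target" = LOG ]; then
      # LOG is non-terminating: record the packet and keep walking the chain.
      echo "LOG $pproto $psrc dport=$pport" >&2
      continue
    fi
    echo "$target"                 # first terminating match wins
    return 0
  done <<EOF
$INPUT_CHAIN
EOF
  echo "$INPUT_POLICY"             # nothing matched: the chain's default policy applies
}

verdict tcp 192.168.1.7 22       # ACCEPT (rule 1)
verdict tcp 192.168.2.9 443      # DROP (no rule matches, default policy)
verdict tcp 10.0.0.5 22          # LOG line on stderr, then ACCEPT (rule 5)
```

Insert `all any any DROP` as the first line of `INPUT_CHAIN` and every packet is dropped no matter what the later ACCEPT rules say; that is exactly why `-I` (insert at the top) and `-A` (append at the bottom) give different results on a live host.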
3. Four Tables
- raw table: Determines whether to track the connection state of the packet. Contains two rule chains: OUTPUT and PREROUTING.
- mangle table: Modifies packet content; used for traffic shaping and setting packet marks. Contains five rule chains: INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING.
- nat table: Responsible for network address translation; used to modify the source or destination IP addresses or ports of packets. Contains three rule chains: OUTPUT, PREROUTING and POSTROUTING.
- filter table: Responsible for filtering packets, i.e. deciding whether a packet is allowed through. Contains three rule chains: INPUT, FORWARD and OUTPUT.
Of the four rule tables in iptables, the mangle table and the raw table are used relatively rarely.

Command Parameters

Select Table
- -t # Operate on the specified table (must be one of raw, nat, filter or mangle; if not specified, defaults to the filter table)
Rule Management
- -A # Add a new rule at the end of the specified rule chain
- -I # Insert a new rule into the specified rule chain (inserted as the first rule unless a rule number is given)
- -D # Delete a rule from the specified chain (can delete by rule number and content)
- -R # Modify or replace a specific rule in the specified chain (can replace by rule number and content)
Chain Management
- -P # Set the default policy for the specified chain
- -N # Create a user-defined rule chain
- -X # Delete a user-defined rule chain from the specified table
- -E # Rename a user-defined chain (only the name changes; the rules in the chain stay as they are)
- -Z # Zero out the byte and packet counters for all chains in all tables
Rule Chains
- INPUT # Processes incoming packets
- OUTPUT # Processes outgoing packets
- FORWARD # Processes forwarded packets
- PREROUTING # Processes packets before the routing decision
- POSTROUTING # Processes packets after the routing decision
Matching
- ! # Placing an exclamation mark before a match inverts it, so the rule matches everything except that value (a space is required between "!" and the match option)
- -s # Match source address IP/MASK
- -d # Match destination address
- -i # Network card name (matches data flowing in from this network card)
- -o # Network card name (matches data flowing out from this network card)
- -m # Use extended modules
- -p # Match protocol (e.g., tcp, udp, icmp)
- tcp # Extended options such as --source-port (list them with iptables -p tcp -h)
- udp # Extended options such as --source-port (list them with iptables -p udp -h)
- icmp # Available extension: --icmp-type (list the available types with iptables -p icmp -h)
- --dport 80 # Match destination port 80
- --sport 81 # Match source port 81
Specify Action Type

-j # Specify action type
- ACCEPT # Allow packets to pass
- REJECT # Reject packets (unlike DROP, a rejection response is sent back to the sender)
- DROP # Directly discard (no response given)
- QUEUE # Interrupt the filter program, placing the packet in a queue for other programs to process
- RETURN # Stop subsequent rules in the current chain and return to the calling chain
- REDIRECT # Perform port mapping on the local machine
- DNAT # Change the destination address of the packet
- SNAT # Change the source address of the packet
- MASQUERADE # A special form of SNAT, suitable for dynamic, temporary IPs (can only be used on the POSTROUTING chain of the nat table)
- LOG # Log information in the /var/log/messages file, then pass the packet to the next rule
View/Clear Rules
- -L # List all rules in the specified chain
- -n # IP addresses and ports will be printed in numeric form
- -v # Detailed output
- -F # Clear the rule chain
Examples

iptables -L # List all rules
iptables -L -nv # View detailed information (IP addresses and ports displayed in numeric form)
iptables -t nat -L # List all rules in the nat table
iptables -t nat -L -nv # View detailed information for the nat table (IP addresses and ports in numeric form)
iptables -F # Clear all rules (if no table is specified, the default table is filter)
iptables -t nat -D INPUT 1 # Delete the first rule in the INPUT chain of the nat table
iptables -A INPUT -p all -s 192.168.1.0/24 -j ACCEPT # Allow hosts in the 192.168.1.0/24 subnet to access the local machine
iptables -A INPUT -p tcp -s 192.168.2.0/24 --dport 80 -j ACCEPT # Allow hosts in the 192.168.2.0/24 subnet to access port 80 on the local machine (--dport is a tcp/udp extension, so -p tcp is required here; -p all would be rejected)
iptables -A INPUT -p icmp -j DROP # Disable ping
iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j DROP # Block access from the host with MAC address 00:11:22:33:44:55
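Putting the commands from these examples together in the order that first-match-wins requires, the following host firewall script is an added example and not code from the original article. It prints the iptables commands by default (a dry run for review) and only executes them when APPLY=1 is set, which needs root. The addresses are the page's own example values; the `-m conntrack --ctstate`, `-m limit --limit` and `--log-prefix` extensions are standard iptables options not covered on this page. The `run` wrapper also refuses any rule that uses --dport or --sport without -p tcp or -p udp, the mistake iptables itself rejects with "unknown option".

```shell
#!/bin/sh
# Added example: host firewall ruleset assembled from the article's example commands.
# Not part of the original article. Dry run by default; APPLY=1 executes (needs root).

# run <iptables args>: print or execute one iptables command after a sanity check.
run() {
  case " $* " in
    *" --dport "*|*" --sport "*)
      # Port matches belong to the tcp/udp extensions; "-p all --dport 80" is
      # rejected by iptables with "unknown option", so refuse it before it runs.
      case " $* " in
        *" -p tcp "*|*" -p udp "*) ;;
        *) echo "refusing port match without -p tcp/udp: $*" >&2; return 1 ;;
      esac ;;
  esac
  if [ "${APPLY:-0}" = 1 ]; then
    iptables "$@"
  else
    echo "iptables $*"
  fi
}

# apply_rules: rebuild the filter table's INPUT chain in a lock-out-safe order.
apply_rules() {
  run -P INPUT ACCEPT                       # open the default policy before flushing
  run -F INPUT                              # start from an empty chain
  run -A INPUT -i lo -j ACCEPT              # loopback traffic
  run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  # replies to our own connections
  # The specific DROP must precede the broader subnet ACCEPT: first match wins.
  run -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j DROP
  run -A INPUT -p all -s 192.168.1.0/24 -j ACCEPT
  run -A INPUT -p tcp -s 192.168.2.0/24 --dport 80 -j ACCEPT
  run -A INPUT -p icmp -j DROP              # disable ping
  # LOG does not terminate matching; rate-limit it so a scan cannot flood the log.
  run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP:"
  run -P INPUT DROP                         # only now switch the default to DROP
}

apply_rules
```

Review the printed commands first, then rerun with `APPLY=1 sh firewall.sh`. Setting the INPUT policy to ACCEPT before the flush and to DROP only after the allow rules exist means a remote session survives the rebuild even if the script is interrupted halfway.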
