
iptables

iptables is a userspace application that lets administrators configure rules enforced by the kernel's netfilter framework. It acts as a packet filter and firewall that examines and directs traffic based on port, protocol and other criteria. This guide (based on "Controlling Network Traffic with iptables - A Tutorial", see References) focuses on the configuration and application of iptables rulesets and gives examples of the ways they are commonly used.

Basic iptables Parameters and Syntax

iptables -I INPUT -s 198.51.100.0 -j DROP

  • The -j parameter stands for jump: it names the target applied to packets that match the rule (here DROP).

  • -p, --protocol // The protocol of the packet to match, e.g. tcp, udp, icmp or all.
  • -s, --source // Can be an address, network name, hostname, etc.
  • -d, --destination // An address, hostname, network name, etc.
  • -j, --jump // Specifies the target of the rule; i.e. what to do if the packet matches.
  • -g, --goto chain // Specifies that processing will continue in a user-specified chain.
  • -i, --in-interface // Names the interface from which packets are received.
  • -o, --out-interface // Name of the interface by which a packet is being sent.
  • -f, --fragment // The rule is applied only to the second and subsequent fragments of fragmented packets.
  • -c, --set-counters // Enables the admin to initialize the packet and byte counters of a rule.

Default tables

Tables are made up of built-in chains and may also contain user-defined chains. The built-in tables will depend on the kernel configuration and the installed modules.
The default tables are as follows:
Filter - This is the default table.
Its built-in chains are:

  • Input: packets going to local sockets
  • Forward: packets routed through the server
  • Output: locally generated packets

Nat - This table is consulted when a packet creates a new connection.
Its built-in chains are:

  • Prerouting: altering packets as soon as they come in
  • Output: locally generated packets before routing takes place
  • Postrouting: altering packets on the way out

Mangle - Used for special altering of packets.
Its chains are:

  • Prerouting: incoming packets
  • Postrouting: outgoing packets
  • Output: locally generated packets that are being altered
  • Input: packets coming directly into the server
  • Forward: packets being routed through the server

Raw - Primarily used for configuring exemptions from connection tracking.
The built-in chains are:

  • Prerouting: packets arriving via any network interface
  • Output: packets generated by local processes

Security - Used for Mandatory Access Control (MAC) rules. It is consulted after the filter table.
The built-in chains are:

  • Input: packets entering the server
  • Output: locally generated packets
  • Forward: packets passing through the server

Basic iptables Options

  • -A --append // Add one or more rules to the end of the selected chain.
  • -C --check // Check for a rule matching the specifications in the selected chain.
  • -D --delete // Delete one or more rules from the selected chain.
  • -F --flush // Delete all the rules in the selected chain (equivalent to deleting them one by one).
  • -I --insert // Insert one or more rules into the selected chain as the given rule number.
  • -L --list // Display the rules in the selected chain.
  • -n --numeric // Display IP addresses and port numbers in numeric format instead of resolving names.
  • -N --new-chain name // Create a new user-defined chain.
  • -v --verbose // Provide more information when used with the list option.
  • -X --delete-chain name // Delete the user-defined chain.
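As an added example (not code from the original post), the POSIX shell functions below combine the parameters and options above into idempotent helpers: -C probes for an existing rule before -A appends or -I inserts it, -N creates a user-defined chain, and -D, -F and -X tear it down again. The ipt wrapper, the IPTABLES_CMD override (so the script can be exercised against a stand-in command) and the MGMT chain name are this example's own assumptions; the 198.51.100.0/24 network extends the post's own -I example address.

```shell
#!/bin/sh
# Added example, not part of the original post: idempotent rule management
# built from -N, -C, -A, -I, -D, -F and -X. IPTABLES_CMD is an assumed
# override so the functions can be exercised against a stand-in command.
set -u
IPTABLES_CMD="${IPTABLES_CMD:-iptables}"

ipt() { "$IPTABLES_CMD" "$@"; }

# Create a user-defined chain unless it already exists (-N fails on a
# duplicate, so probe with a numeric listing first and discard the output).
ensure_chain() {
    ipt -n -L "$1" >/dev/null 2>&1 || ipt -N "$1"
}

# Append a rule only if no identical rule is present; -C exits non-zero when
# there is no match. Usage: ensure_rule CHAIN rule-specification...
ensure_rule() {
    chain=$1; shift
    ipt -C "$chain" "$@" 2>/dev/null || ipt -A "$chain" "$@"
}

# Same check, but insert at position 1 so the rule is evaluated first.
ensure_rule_first() {
    chain=$1; shift
    ipt -C "$chain" "$@" 2>/dev/null || ipt -I "$chain" 1 "$@"
}

# Delete every copy of a rule; -D removes one matching rule per call, so loop
# until -C no longer finds one (stop if a delete ever fails).
purge_rule() {
    chain=$1; shift
    while ipt -C "$chain" "$@" 2>/dev/null; do
        ipt -D "$chain" "$@" || break
    done
}

# Constructed sample: send new SSH connections through a MGMT chain that drops
# the network from the post's -I example (198.51.100.0/24, RFC 5737
# documentation space) and accepts everything else.
setup_mgmt_chain() {
    ensure_chain MGMT
    ensure_rule MGMT -s 198.51.100.0/24 -j DROP
    ensure_rule MGMT -m state --state NEW -j ACCEPT
    ensure_rule MGMT -j RETURN
    ensure_rule_first INPUT -p tcp --dport 22 -j MGMT
}

# Unhook the chain from INPUT before flushing and deleting it: -X refuses to
# remove a chain that is still referenced by another rule.
teardown_mgmt_chain() {
    purge_rule INPUT -p tcp --dport 22 -j MGMT
    ipt -F MGMT && ipt -X MGMT
}

case "${1:-}" in
    '')       ;;
    setup)    setup_mgmt_chain ;;
    teardown) teardown_mgmt_chain ;;
    *)        echo "usage: $0 setup|teardown" >&2 ;;
esac
```

Running the script twice with "setup" leaves exactly one copy of each rule, which is the property a boot-time or configuration-management script needs; plain -A would duplicate the rules on every run.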

iptables config

iptables for CentOS

# stop and disable firewalld
sudo systemctl stop firewalld.service && sudo systemctl disable firewalld.service

# install iptables
sudo yum install iptables-services
sudo systemctl enable iptables && sudo systemctl enable ip6tables
sudo systemctl start iptables && sudo systemctl start ip6tables

sudo iptables-restore < /tmp/v4
sudo ip6tables-restore < /tmp/v6

# The changes that you make to your iptables rules will be scrapped the next time that the iptables service gets restarted unless you execute a command to save the changes. 
# save changes
sudo service iptables save
sudo service ip6tables save

# remove temp files
sudo rm /tmp/{v4,v6}

# verify the loaded rules
sudo ip6tables -L
sudo iptables -L

File: /tmp/v4

*filter

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT

# Allow SSH connections.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

## rule related to FTP command (port 21)
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

## rule related to FTP data (port 20)
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7

# Reject all other inbound.
-A INPUT -j REJECT

# Log any traffic that was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7

# Reject all traffic forwarding.
-A FORWARD -j REJECT

COMMIT

File: /tmp/v6

*filter

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s ::1/128 -j REJECT

# Allow ICMP
-A INPUT -p icmpv6 -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Allow inbound traffic from established connections.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables_INPUT_denied: " --log-level 7

# Reject all other inbound.
-A INPUT -j REJECT

# Log any traffic that was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables_FORWARD_denied: " --log-level 7

# Reject all traffic forwarding.
-A FORWARD -j REJECT

COMMIT
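Both files above are in iptables-restore format, and the order of the rules inside them matters: the ESTABLISHED,RELATED accept has to come before the final REJECT, and nothing appended after that REJECT is ever reached. As an added example (not code from the original post), the POSIX shell linter below checks those invariants before a file is loaded, and goes slightly beyond the post's files by accepting several *table sections (filter, nat, raw, ...) and ":CHAIN POLICY" lines as written by iptables-save. apply_ruleset then runs iptables-restore --test, which parses the file without committing it, before loading it for real. The function names and the IPTABLES_RESTORE override are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: lint an iptables-restore file
# (the format of /tmp/v4 and /tmp/v6 above) before loading it. Function
# names and the IPTABLES_RESTORE override are this example's own.

# lint_ruleset FILE: exit 0 if FILE passes, 1 with diagnostics on stderr.
lint_ruleset() {
    awk '
    BEGIN { bad = 0 }
    function err(msg) { print "lint: " msg > "/dev/stderr"; bad = 1 }
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }          # tolerate stray whitespace
    /^(#|$)/ { next }                                    # comments and blank lines
    /^\*/ { table = substr($0, 2); committed[table] = 0; next }
    /^COMMIT$/ {
        if (table == "") err("COMMIT outside a table"); else committed[table] = 1
        next
    }
    /^:/ { next }                                        # ":CHAIN POLICY [pkts:bytes]" lines
    /^-A / {
        if (table == "") { err("rule before any *table line: " $0); next }
        chain = $2
        if (closed[table, chain]) err("unreachable, follows catch-all in " chain ": " $0)
        if ($0 ~ /ESTABLISHED/ && $0 ~ /-j ACCEPT( |$)/) seen_est[table, chain] = 1
        # a bare "-A CHAIN -j REJECT|DROP" ends the chain for every packet
        if ($0 ~ /^-A [A-Za-z0-9_]+ -j (REJECT|DROP)$/) {
            if ((chain == "INPUT" || chain == "OUTPUT") && !seen_est[table, chain])
                err("catch-all " $NF " in " chain " with no ESTABLISHED,RELATED accept before it")
            closed[table, chain] = 1
        }
        next
    }
    { err("unrecognised line: " $0) }
    END {
        if (table == "") err("no *table line found")
        for (t in committed) if (!committed[t]) err("table " t " has no COMMIT")
        exit bad
    }' "$1"
}

# apply_ruleset FILE: lint, parse with iptables-restore --test (no commit),
# then load for real. Returns non-zero at the first failing step.
apply_ruleset() {
    restore="${IPTABLES_RESTORE:-iptables-restore}"
    lint_ruleset "$1" || return 1
    "$restore" --test < "$1" || return 1
    "$restore" < "$1"
}

case "${1:-}" in
    '') ;;
    *)  apply_ruleset "$1" ;;
esac
```

A FORWARD chain that ends in a bare REJECT with no ESTABLISHED accept is deliberately allowed, because that is exactly what the post's non-routing host does; the ESTABLISHED check is only enforced for INPUT and OUTPUT, where a missing accept would cut off replies to the host's own connections.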

config

The saved rulesets live under /etc/sysconfig/ (as the files iptables and ip6tables); this is where service iptables save writes them.

ftp rules

# Allow control connections initiated by the client to port 21, as follows
iptables -A INPUT  -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
iptables -A OUTPUT -p tcp -m tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
# For active mode, allow data connections initiated by the server from port 20, as follows
iptables -A OUTPUT -p tcp -m tcp --sport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
iptables -A INPUT  -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
# For passive mode, allow data connections initiated by the client on unprivileged ports
iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
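The three rule groups above only behave as intended when connection tracking can actually mark the data connections RELATED. That requires the nf_conntrack_ftp helper to be loaded and, on kernels since 4.7, explicitly bound to the control port, because automatic helper assignment (nf_conntrack_helper) is disabled by default there. As an added example (not code from the original post or the referenced answer), the script below wires that in and narrows the passive-mode rule from every port above 1023 to the FTP daemon's configured passive range. The ipt wrapper, the IPTABLES_CMD and MODPROBE_CMD overrides and the 50000:50100 range are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: FTP rules that make the
# RELATED matches above actually work. IPTABLES_CMD and MODPROBE_CMD are
# assumed overrides so the script can be exercised against stand-in commands;
# PASV_RANGE is a constructed sample and must match the FTP daemon's
# configured passive port range.
IPTABLES_CMD="${IPTABLES_CMD:-iptables}"
MODPROBE_CMD="${MODPROBE_CMD:-modprobe}"
FTP_PORT="${FTP_PORT:-21}"
PASV_RANGE="${PASV_RANGE:-50000:50100}"

ipt() { "$IPTABLES_CMD" "$@"; }

# RELATED only exists for FTP data connections once the FTP conntrack helper
# has parsed the control channel. Since Linux 4.7 helpers are no longer
# assigned automatically (nf_conntrack_helper defaults to 0), so bind the
# helper to the control port with a CT rule in the raw table; -C keeps this
# idempotent.
enable_ftp_helper() {
    "$MODPROBE_CMD" nf_conntrack_ftp || return 1
    ipt -t raw -C PREROUTING -p tcp --dport "$FTP_PORT" -j CT --helper ftp 2>/dev/null ||
        ipt -t raw -A PREROUTING -p tcp --dport "$FTP_PORT" -j CT --helper ftp
}

ftp_rules() {
    # Control connection: client-initiated to port 21 (NEW), replies from 21.
    ipt -A INPUT  -p tcp --dport "$FTP_PORT" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "ftp control"
    ipt -A OUTPUT -p tcp --sport "$FTP_PORT" -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "ftp control"
    # Active mode: the server opens the data connection from port 20; the
    # helper marks it RELATED to the control connection.
    ipt -A OUTPUT -p tcp --sport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "ftp active data"
    ipt -A INPUT  -p tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "ftp active data"
    # Passive mode: the client connects to a server port announced on the
    # control channel. Limit the accept to the daemon's passive range rather
    # than every port above 1023.
    ipt -A INPUT  -p tcp --dport "$PASV_RANGE" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "ftp passive data"
    ipt -A OUTPUT -p tcp --sport "$PASV_RANGE" -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "ftp passive data"
}

setup_ftp() {
    enable_ftp_helper && ftp_rules
}

case "${1:-}" in
    '')    ;;
    apply) setup_ftp ;;
    *)     echo "usage: $0 apply" >&2 ;;
esac
```

Without the CT rule, a passive transfer on a recent kernel shows up in conntrack as a plain NEW connection to a high port and is rejected by the catch-all at the end of INPUT, which is the usual cause of "directory listing hangs" reports on otherwise correct rulesets.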

References

A Tutorial for Controlling Network Traffic with iptables

Appropriate iptables rules for an FTP server in active / passive mode

The Beginner’s Guide to iptables, the Linux Firewall

This post is licensed under CC BY 4.0 by the author.