fozu
on Sep 7, 2021
Updated Jan 30, 2023
7 min read
Controlling Network Traffic with iptables - A Tutorial
iptables is the user-space tool for writing the rules that the kernel's netfilter framework enforces. It acts as a packet filter and firewall: every packet is examined and accepted, dropped, rejected or altered based on its addresses, port, protocol, connection state and other criteria. This guide covers the structure and syntax of iptables rulesets and gives examples of the ways they are commonly used.
Basic iptables Parameters and Syntax
iptables -I INPUT -s 198.51.100.0 -j DROP
This inserts (-I) a rule at the top of the INPUT chain of the filter table (the table used when no -t is given) that drops (-j DROP) every packet whose source address (-s) is the single host 198.51.100.0. Rules in a chain are evaluated in order and the first matching terminal rule decides, so inserting at position 1 makes this rule take precedence over any ACCEPT that follows it.
Default tables
Tables are made up of built-in chains and may also contain user-defined chains. Which tables exist depends on the kernel configuration and the installed modules. At each hook point the tables are consulted in a fixed order: raw first, then (after connection tracking has classified the packet) mangle, nat, filter and finally security.
The default tables are as follows:
filter - This is the default table, used when no -t option is given.
Its built-in chains are:
INPUT: packets destined for local sockets
FORWARD: packets routed through the server
OUTPUT: locally generated packets
nat - Consulted only for the first packet of a new connection; the address translation decided there is then applied by connection tracking to every later packet of that connection.
Its built-in chains are:
PREROUTING: altering packets as soon as they come in, before routing (typically DNAT)
OUTPUT: altering locally generated packets before routing takes place
POSTROUTING: altering packets on the way out, after routing (typically SNAT or MASQUERADE)
mangle - Used for specialised packet alteration such as changing the TTL, TOS/DSCP field or packet mark.
Its chains are:
PREROUTING: incoming packets, before routing
POSTROUTING: outgoing packets, after routing
OUTPUT: locally generated packets that are being altered
INPUT: packets coming directly into the server
FORWARD: packets being routed through the server
raw - Primarily used for configuring exemptions from connection tracking (the NOTRACK/CT targets); it is consulted before conntrack sees the packet.
Its built-in chains are:
PREROUTING: packets that arrive on a network interface
OUTPUT: packets generated by local processes
security - Used for Mandatory Access Control (MAC) networking rules, such as those set by the SECMARK and CONNSECMARK targets for SELinux. It is consulted after the filter table, so ordinary filtering is applied first.
Its built-in chains are:
INPUT: packets entering the server
OUTPUT: locally generated packets
FORWARD: packets passing through the server
Basic iptables Options
-A, --append // Append one or more rules to the end of the selected chain.
-C, --check // Check whether a rule matching the given specification exists in the selected chain; exit status 0 if it does, 1 if not. This is what makes rule scripts idempotent (check before append).
-D, --delete // Delete one or more rules from the selected chain, given either the full rule specification or the rule's position number.
-F, --flush // Flush the selected chain (every chain in the table if none is given); equivalent to deleting all the rules one by one.
-I, --insert // Insert one or more rules into the selected chain at the given position (default 1, the top of the chain).
-L, --list // List the rules in the selected chain (all chains if none is given).
-n, --numeric // Print IP addresses and port numbers numerically instead of resolving hostnames and service names; much faster on hosts without working DNS.
-N, --new-chain name // Create a new user-defined chain.
-v, --verbose // With --list, also show interface names and per-rule packet and byte counters.
-X, --delete-chain name // Delete the user-defined chain, which must be empty and not referenced by any rule (all user-defined chains if no name is given).
The options used inside the rule specifications on this page are: -t table (default filter), -p protocol, -s source and -d destination address, -i/-o input/output interface, -m to load an extra match module such as state, conntrack, limit or comment, and -j to name the target (ACCEPT, DROP, REJECT, LOG, or a user-defined chain).
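The -C, -A and -D options above are what make rule scripts safe to re-run: -A appends unconditionally, so a script run twice leaves two copies of every rule. The following is an added example, not code from the original page, showing the check-before-append pattern and a loop that removes duplicated rules. The file-backed `iptables` stub, the function names ensure_rule/purge_rule/list_rules and the USE_REAL_IPTABLES switch are this example's own inventions; with USE_REAL_IPTABLES=1 and root privileges the same functions drive the real binary unchanged.

```shell
#!/bin/sh
# Added example, not from the original page: idempotent rule management with
# -C (check) before -A (append), and a delete loop for duplicated rules.
# By default a small file-backed stub named `iptables` stands in for the real binary
# so the logic can be exercised without root; set USE_REAL_IPTABLES=1 to use the real one.
set -u

if [ "${USE_REAL_IPTABLES:-0}" != 1 ]; then
  STUB_DIR=$(mktemp -d)
  trap 'rm -rf "$STUB_DIR"' EXIT
  # Stub: one file per chain, one rule spec per line. It mirrors the exit codes of the
  # real tool: -C and -D fail (status 1) when no matching rule exists.
  iptables() {
    local op=$1 chain=$2 spec f
    shift 2; spec=$*; f="$STUB_DIR/$chain"
    case "$op" in
      -C) grep -qxF -- "$spec" "$f" 2>/dev/null ;;
      -A) printf '%s\n' "$spec" >> "$f" ;;
      -D) grep -qxF -- "$spec" "$f" 2>/dev/null || return 1
          # remove only the first matching copy, as the real -D does
          awk -v s="$spec" '!d && $0 == s { d = 1; next } { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f" ;;
      -S) if [ -f "$f" ]; then sed "s/^/-A $chain /" "$f"; fi ;;
      *)  echo "stub: unsupported option $op" >&2; return 2 ;;
    esac
  }
fi

ensure_rule() {  # ensure_rule CHAIN RULE-SPEC...  append only if not already present
  local chain=$1; shift
  iptables -C "$chain" "$@" 2>/dev/null || iptables -A "$chain" "$@"
}
purge_rule() {   # purge_rule CHAIN RULE-SPEC...  delete every copy of the rule
  local chain=$1; shift
  while iptables -C "$chain" "$@" 2>/dev/null; do iptables -D "$chain" "$@"; done
}
list_rules() {   # list_rules CHAIN  print the chain in iptables-save syntax
  iptables -S "$1"
}

# Demo (stub mode): running the same step twice must not duplicate the rule.
ensure_rule INPUT -p tcp --dport 22 -j ACCEPT
ensure_rule INPUT -p tcp --dport 22 -j ACCEPT
list_rules INPUT
```

The real iptables compares rules after normalising them (it adds the implicit `-m tcp` for `--dport`, for example), so `-C` finds a rule even when the spec is spelled slightly differently from what `-S` prints; the stub compares the text literally, so spell the spec the same way each time when testing against it.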
iptables config
iptables for CentOS 7
Create the two rule files shown below first, then run the following. The IPv4 file allows SSH but the IPv6 file does not, so apply this from an IPv4 session (or add a port 22 rule to /tmp/v6 before loading it).
# stop and disable firewalld; it and the iptables service must not both manage the rules
sudo systemctl stop firewalld.service && sudo systemctl disable firewalld.service
# install the iptables service units
sudo yum install iptables-services
sudo systemctl enable iptables && sudo systemctl enable ip6tables
sudo systemctl start iptables && sudo systemctl start ip6tables
# load the rule files; iptables-restore flushes and replaces every table named in the file.
# `iptables-restore --test /tmp/v4` parses a file without committing it, for a syntax check.
sudo iptables-restore < /tmp/v4
sudo ip6tables-restore < /tmp/v6
# Rules loaded this way live only in the kernel and are discarded the next time the
# iptables service restarts (or the host reboots) unless they are saved. `service iptables save`
# writes the running ruleset to /etc/sysconfig/iptables (ip6tables to /etc/sysconfig/ip6tables).
sudo service iptables save
sudo service ip6tables save
# remove temp files
sudo rm /tmp/{v4,v6}
# verify: numeric output, with per-rule packet and byte counters
sudo ip6tables -L -n -v
sudo iptables -L -n -v
File: /tmp/v4
*filter
# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
# Allow ping (ICMP echo-request). -m state is the legacy spelling of
# -m conntrack --ctstate; both work.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
# Allow SSH connections.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
## FTP control connection (port 21). FTP is plaintext; prefer SFTP over SSH where possible.
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
## FTP active-mode data (port 20). The server opens active-mode data connections from
## its own port 20 and passive-mode ones arrive on a high port, so standard FTP never
## needs a new inbound connection to port 20; see the FTP section below for the stateful rules.
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Allow inbound traffic from established connections.
# This includes ICMP error returns. Most packets match here, so this rule
# is commonly placed right after the loopback rules instead of this far down.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what was incoming but denied (optional but useful).
# The limit match keeps a flood from filling the log.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
# Reject all other inbound.
-A INPUT -j REJECT
# Log any traffic that was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
# Reject all traffic forwarding.
-A FORWARD -j REJECT
COMMIT
File: /tmp/v6
*filter
# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s ::1/128 -j REJECT
# Allow ICMPv6. Unlike IPv4 ping, ICMPv6 carries Neighbor Discovery, router
# advertisements and Path MTU discovery; blocking it breaks IPv6 entirely.
-A INPUT -p icmpv6 -j ACCEPT
# Note: there is no SSH rule here, so SSH over IPv6 is rejected. Add a port 22
# rule like the one in the IPv4 file if you manage the host over IPv6.
# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Allow inbound traffic from established connections.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables_INPUT_denied: " --log-level 7
# Reject all other inbound.
-A INPUT -j REJECT
# Log any traffic that was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables_FORWARD_denied: " --log-level 7
# Reject all traffic forwarding.
-A FORWARD -j REJECT
COMMIT
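Before pointing iptables-restore at a file on a remote host it pays to check it for the mistakes that cause lockouts and silent holes. The script below is an added example, not part of the original page or of the CentOS tooling: lint_ruleset, apply_with_rollback and the three constructed sample files are this example's own, and the checks encode the points made about the files above (a loopback accept, a stateful accept and where it sits, a terminal REJECT/DROP, and an SSH rule). iptables-save and iptables-restore --test are the real tools' own options.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check an iptables-restore file before
# loading it, then (as root) apply it with an automatic revert so that a mistake made over
# a remote session cannot lock you out. The sample rulesets are constructed copies of the
# ones on this page, trimmed to the lines the checks look at.
set -u

warn() { printf 'WARN: %s\n' "$1"; }

# lint_ruleset FILE -> prints one WARN line per finding; exit status 1 if there were any.
lint_ruleset() {
  local f=$1 n=0 tables commits est svc last
  tables=$(grep -c '^\*' "$f" || true)
  commits=$(grep -c '^COMMIT' "$f" || true)
  if [ "$tables" -ne "$commits" ]; then
    warn "$tables table header(s) but $commits COMMIT line(s)"; n=$((n + 1))
  fi
  if ! grep -q -- '^-A INPUT -i lo -j ACCEPT' "$f"; then
    warn "INPUT does not accept loopback traffic"; n=$((n + 1))
  fi
  # Line of the stateful accept versus line of the first per-service accept.
  est=$(awk '/^-A INPUT/ && /ESTABLISHED/ { print NR; exit }' "$f")
  svc=$(awk '/^-A INPUT/ && /--dport/ && /-j ACCEPT/ { print NR; exit }' "$f")
  if [ -z "$est" ]; then
    warn "INPUT never accepts ESTABLISHED,RELATED; replies to outbound connections hit the terminal rule"; n=$((n + 1))
  elif [ -n "$svc" ] && [ "$est" -gt "$svc" ]; then
    warn "INPUT: ESTABLISHED,RELATED accept (line $est) sits after the first service rule (line $svc); move it up so most packets match early"; n=$((n + 1))
  fi
  # Default-deny: either a DROP policy or a terminal REJECT/DROP rule.
  last=$(awk '/^-A INPUT/ { l = $0 } END { print l }' "$f")
  case "$last" in
    *"-j REJECT"*|*"-j DROP"*) ;;
    *) grep -q '^:INPUT DROP' "$f" || { warn "INPUT is default-accept: no DROP policy and the last rule is not REJECT/DROP"; n=$((n + 1)); } ;;
  esac
  if ! grep -Eq -- '^-A INPUT .*--dport 22( |$).*-j ACCEPT' "$f"; then
    warn "nothing accepts TCP/22; loading this over SSH will cut the session"; n=$((n + 1))
  fi
  [ "$n" -eq 0 ]
}

# apply_with_rollback FILE [SECONDS]  (needs root and the real tools; not run by the demo)
# Snapshot the live ruleset, parse-check and load FILE, then schedule a revert. If the new
# rules still let you in, kill the revert job within SECONDS; if they locked you out, the
# host undoes the change by itself.
apply_with_rollback() {
  local file=$1 secs=${2:-60} backup
  lint_ruleset "$file" || echo "applying despite warnings" >&2
  backup=$(mktemp) && iptables-save > "$backup" || return 1
  iptables-restore --test "$file" || { echo "parse error, nothing applied" >&2; return 1; }
  iptables-restore < "$file" || return 1
  ( sleep "$secs" && iptables-restore < "$backup" ) &
  echo "applied; run 'kill $!' within ${secs}s to keep it, otherwise it reverts"
}

mk() { f=$(mktemp); cat > "$f"; echo "$f"; }
# Constructed sample 1: the page's IPv4 file, trimmed (stateful accept after the service rules).
PAGE_V4=$(mk <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
)
# Constructed sample 2: same intent with the stateful accept moved up.
FIXED_V4=$(mk <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT
COMMIT
EOF
)
# Constructed sample 3: the page's IPv6 file, trimmed (no SSH rule at all).
PAGE_V6=$(mk <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT
COMMIT
EOF
)
for f in "$PAGE_V4" "$FIXED_V4" "$PAGE_V6"; do
  echo "== $f"; lint_ruleset "$f" || :
done
```

The position check is about efficiency rather than a hole: with every earlier rule being an ACCEPT the verdict is the same either way, but the stateful rule matches the bulk of traffic and is cheap, so it belongs near the top. The SSH warning is deliberately blunt; for an IPv6 file on a host managed only over IPv4 it can be ignored, which is exactly the decision the warning is there to make explicit.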
FTP rules
On CentOS the saved ruleset lives under /etc/sysconfig/ (the iptables and ip6tables files written by `service iptables save`); rules added with the commands below are saved the same way. -m conntrack --ctstate is the current form of the -m state --state match used in the files above.
# Allow the control connection, initiated by the client to port 21
iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "Allow ftp connections on port 21" -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 21 -m conntrack --ctstate ESTABLISHED -m comment --comment "Allow ftp connections on port 21" -j ACCEPT
# Active mode: the server initiates the data connection from port 20 to the client
iptables -A OUTPUT -p tcp -m tcp --sport 20 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow ftp connections on port 20" -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -m comment --comment "Allow ftp connections on port 20" -j ACCEPT
# Passive mode: the client initiates the data connection to an unprivileged port chosen by the server
iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow passive inbound connections" -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -m comment --comment "Allow passive inbound connections" -j ACCEPT
Two things these rules depend on. First, a data connection is only ever classified RELATED if the FTP connection-tracking helper is active: load it with modprobe nf_conntrack_ftp and, on kernels from 4.7 onwards, attach it explicitly with `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`, because helpers are no longer assigned automatically. Without it, passive data connections arrive as NEW and are rejected by the terminal rule. Second, `--dport 1024:` opens every unprivileged port to RELATED traffic; pin the FTP daemon's passive range (vsftpd: pasv_min_port and pasv_max_port) and match only that range. If the OUTPUT chain policy is ACCEPT, as in the files above, the OUTPUT rules are redundant but harmless.
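As an added example that is not from the original page, the generator below prints the FTP rules in the form described above but with the passive range pinned and the conntrack helper attached explicitly. The function name ftp_rules and the 50000-50100 range are this example's own assumptions; the range must match the FTP daemon's configured passive ports.

```shell
#!/bin/sh
# Added example, not from the original page: print the iptables commands for an FTP
# server whose passive data ports are pinned to a known range, with the conntrack FTP
# helper attached explicitly. The range must match the daemon's own setting (vsftpd:
# pasv_min_port / pasv_max_port). Nothing is applied; pipe the output to sh as root.
set -u

# ftp_rules PASV_MIN PASV_MAX -> commands on stdout; exit status 1 on an invalid range
ftp_rules() {
  local lo=$1 hi=$2 p
  for p in "$lo" "$hi"; do
    case "$p" in ''|*[!0-9]*) echo "port '$p' is not a number" >&2; return 1 ;; esac
  done
  if [ "$lo" -lt 1024 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
    echo "passive range must satisfy 1024 <= min <= max <= 65535" >&2; return 1
  fi
  cat <<EOF
# Helper: since Linux 4.7 conntrack helpers are not auto-assigned, so without this
# CT rule passive data connections are never marked RELATED and the terminal
# REJECT discards them.
modprobe nf_conntrack_ftp
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
# Control connection (port 21).
iptables -A INPUT  -p tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Active mode: the server connects out from port 20; the helper marks it RELATED.
iptables -A OUTPUT -p tcp --sport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Passive mode: only the pinned range is opened, instead of every port above 1024.
iptables -A INPUT  -p tcp --dport $lo:$hi -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport $lo:$hi -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Demo with a constructed range.
ftp_rules 50000 50100
```

The INPUT rule for the pinned range still requires RELATED (or ESTABLISHED) state, so a connection to a port in the range that was not announced by the server over the control channel is not accepted; the range limits exposure if the helper is ever missing, it does not replace it.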