What is Iptables & How to Implement on Linux

How To Start iptables

You can start, stop, and restart iptables after booting by using the commands:

[root@bigboy tmp]# service iptables start

[root@bigboy tmp]# service iptables stop

[root@bigboy tmp]# service iptables restart

To get iptables configured to start at boot, use the chkconfig command:.

[root@bigboy tmp]# chkconfig iptables on

Determining The Status of iptables

You can determine whether iptables is running or not via the service iptables status command. Fedora Core will give a simple status message. For example

[root@bigboy tmp]# service iptables status

Firewall is stopped.

[root@bigboy tmp]#

Table 14-1 Processing For Packets Routed By The Firewall

Queue Type	Queue Function	Packet Transformation Chain in Queue	Chain Function
Filter	Packet filtering	FORWARD	Filters packets to servers accessible by another NIC on the firewall.
		INPUT	Filters packets destined to the firewall.
		OUTPUT	Filters packets originating from the firewall
Nat	Network Address Translation	PREROUTING	Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.
		POSTROUTING	Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.
		OUTPUT	Network address translation for packets generated by the firewall. (Rarely used in SOHO environments)
Mangle	TCP header modification	PREROUTING POSTROUTING OUTPUT INPUT FORWARD	Modification of the TCP packet quality of service bits before routing occurs. (Rarely used in SOHO environments)

Targets And Jumps

target	Desciption	Most Common Options
ACCEPT	iptables stops further processing. The packet is handed over to the end application or the operating system for processing	N/A
DROP	iptables stops further processing. The packet is blocked	N/A
LOG	The packet information is sent to the syslog daemon for logging iptables continues processing with the next rule in the table As you can't log and drop at the same time, it is common to have two similar rules in sequence. The first will log the packet, the second will drop it.	--log-prefix "string" Tells iptables to prefix all log messages with a user defined string. Frequently used to tell why the logged packet was dropped
REJECT	Works like the DROP target, but will also return an error message to the host sending the packet that the packet was blocked	--reject-with qualifier The qualifier tells what type of reject message is returned. Qualifiers include: icmp-port-unreachable (default) icmp-net-unreachable icmp-host-unreachable icmp-proto-unreachable icmp-net-prohibited icmp-host-prohibited tcp-reset echo-reply
DNAT	Used to do destination network address translation. ie. rewriting the destination IP address of the packet	--to-destination ipaddress Tells iptables what the destination IP address should be
SNAT	Used to do source network address translation rewriting the source IP address of the packet The source IP address is user defined	--to-source <address>[-<address>][:<port>-<port>] Specifies the source IP address and ports to be used by SNAT.
MASQUERADE	Used to do Source Network Address Translation. By default the source IP address is the same as that used by the firewall's interface	[--to-ports <port>[-<port>]] Specifies the range of source ports to which the original source port can be mapped.

Table 14-2 General Iptables Match Criteria

iptables command Switch	Desciption
-t <-table->	If you don't specify a table, then the filter table is assumed. As discussed before, the possible built-in tables include: filter, nat, mangle
-j <target>	Jump to the specified target chain when the packet matches the current rule.
-A	Append rule to end of a chain
-F	Flush. Deletes all the rules in the selected table
-p <protocol-type>	Match protocol. Types include, icmp, tcp, udp, and all
-s <ip-address>	Match source IP address
-d <ip-address>	Match destination IP address
-i <interface-name>	Match "input" interface on which the packet enters.
-o <interface-name>	Match "output" interface on which the packet exits

In this command switches example

iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT

iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's IP address of 192.168.1.1. The 0/0 representation of an IP address means any.

In this example:

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \

In this example:

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

This is an expansion on the previous example:

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \ --sport 1024:65535 -m multiport --dports 80,443 -j ACCEPT iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP \ -m state --state ESTABLISHED -j ACCEPT

Using User Defined Chains

iptables -A INPUT -i eth0 -d 206.229.110.2 -j fast-input-queue

iptables -A OUTPUT -o eth0 -s 206.229.110.2 -j fast-output-queue

iptables -A fast-input-queue -p icmp -j icmp-queue-in

iptables -A fast-output-queue -p icmp -j icmp-queue-out

iptables -A icmp-queue-out -p icmp --icmp-type echo-request \

-m state --state NEW -j ACCEPT

Custom Queues Example Listing

Chain	Desciption
INPUT	The regular built-in INPUT chain in iptables
OUTPUT	The regular built-in OUTPUT chain in iptables
fast-input-queue	Input chain dedicated to identifying specific protocols and shunting the packets to protocol specific chains.
fast-output-queue	Output chain dedicated to identifying specific protocols and shunting the packets to protocol specific chains.
icmp-queue-out	Output queue dedicated to ICMP
icmp-queue-in	Input queue dedicated to ICMP

Saving Your iptables Scripts

[root@bigboy tmp]# cat /etc/sysconfig/iptables

# Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [144:12748]

:RH-Firewall-1-INPUT - [0:0]

-A INPUT -j RH-Firewall-1-INPUT

-A FORWARD -j RH-Firewall-1-INPUT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT

-A RH-Firewall-1-INPUT -p esp -j ACCEPT

-A RH-Firewall-1-INPUT -p ah -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT

# Completed on Mon Nov 8 11:00:07 2004

This example exports the iptables-save output to a text file named firewall-config.

[root@bigboy tmp]# iptables-save > firewall-config 
[root@bigboy tmp]# cat firewall-config 
                              # Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [144:12748] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT -A RH-Firewall-1-INPUT -p esp -j ACCEPT -A RH-Firewall-1-INPUT -p ah -j ACCEPT -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT 

[root@bigboy tmp]# iptables-restore < firewall-config

Finally, you should permanently save the active configuration so that it will be loaded automatically when the system reboots:

[root@bigboy tmp]# service iptables save

Loading Kernel Modules Needed By iptables

# File: /etc/rc.local

# Module to track the state of connections

modprobe ip_conntrack

# Load the iptables active FTP module, requires ip_conntrack

modprobe ip_conntrack_ftp

# Load iptables NAT module when required

modprobe iptable_nat

# Module required for active an FTP server using NAT

Allowing DNS Access To Your Firewall

You'll almost certainly want your firewall to make DNS queries to the Internet. This is not because it is required for the basic functionality of the firewall, but because of Fedora Linux's yum RPM updater which will help to keep the server up to date with the latest security patches. The following statements will apply not only for firewalls acting as DNS clients but also for firewalls working in a caching or regular DNS server role.

#---------------------------------------------------------------

# Allow outbound DNS queries from the FW and the replies too

#

# - Interface eth0 is the internet interface

#

# Zone transfers use TCP and not UDP. Most home networks

# / websites using a single DNS server won't require TCP statements

#

#---------------------------------------------------------------

iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 \

-j ACCEPT

iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 \

Allowing WWW And SSH Access To Your Firewall

This sample snippet is for a firewall that doubles as a web server that is managed remotely by its system administrator via secure shell (SSH) sessions. Inbound packets destined for ports 80 and 22 are allowed thereby making the first steps in establishing a connection. It isn't necessary to specify these ports for the return leg as outbound packets for all established connections are allowed. Connections initiated by persons logged into the Web server will be denied as outbound NEW connection packets aren't allowed.

#--------------------------------------------------------------- # Allow previously established connections # - Interface eth0 is the internet interface #--------------------------------------------------------------- iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \ -j ACCEPT #--------------------------------------------------------------- # Allow port 80 (www) and 22 (SSH) connections to the firewall #--------------------------------------------------------------- iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 \ -m state --state NEW -j ACCEPT iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 \ -m state --state NEW -j ACCEPT

Allowing Your Firewall To Access The Internet

This iptables script enables a user on the firewall to use a Web browser to surf the Internet. HTTP traffic uses TCP port 80, and HTTPS uses port 443.

Note: HTTPS (secure HTTP) is used for credit card transactions frequently, as well as by RedHat Linux servers running up2date. FTP and HTTP are frequently used with yum.

#--------------------------------------------------------------- # Allow port 80 (www) and 443 (https) connections from the firewall #--------------------------------------------------------------- iptables -A OUTPUT -j ACCEPT -m state \ --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \ -m multiport --dports 80,443 --sport 1024:65535 #--------------------------------------------------------------- # Allow previously established connections # - Interface eth0 is the internet interface #--------------------------------------------------------------- iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED \ -i eth0 -p tcp

If you want all TCP traffic originating from the firewall to be accepted, then remove the line:

-m multiport --dports 80,443 --sport 1024:65535

Allow Your Home Network To Access The Firewall

In this example, eth1 is directly connected to a home network using IP addresses from the 192.168.1.0 network. All traffic between this network and the firewall is simplistically assumed to be trusted and allowed.

Further rules will be needed for the interface connected to the Internet to allow only specific ports, types of connections and possibly even remote servers to have access to your firewall and home network.

#--------------------------------------------------------------- # Allow all bidirectional traffic from your firewall to the # protected network # - Interface eth1 is the private network interface #--------------------------------------------------------------- iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth1 iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth1

Checking The Firewall Logs

#---------------------------------------------------------------

# Log and drop all other packets to file /var/log/messages

# Without this we could be crawling around in the dark

#---------------------------------------------------------------

iptables -A OUTPUT -j LOG

iptables -A INPUT -j LOG

iptables -A FORWARD -j LOG

iptables -A OUTPUT -j DROP

iptables -A INPUT -j DROP

iptables -A FORWARD -j DROP

iptables Won't Start

oot@bigboy tmp]# service iptables start

[root@bigboy tmp]#

[root@bigboy tmp]# touch /etc/sysconfig/iptables

[root@bigboy tmp]# chmod 600 /etc/sysconfig/iptables

[root@bigboy tmp]# service iptables start

Applying iptables firewall rules: [ OK ]

[root@bigboy tmp]#

Here are some examples of the output of this file:

• Firewall denies replies to DNS queries (UDP port 53) destined to server 192.168.1.102 on the home network.

Feb 23 20:33:50 bigboy kernel: IN=wlan0 OUT= MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC=192.42.93.30 DST=192.168.1.102 LEN=220 TOS=0x00 PREC=0x00 TTL=54 ID=30485 PROTO=UDP SPT=53 DPT=32820 LEN=200

• Firewall denies Windows NetBIOS traffic (UDP port 138)

Feb 23 20:43:08 bigboy kernel: IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:09:6a:b5:08:00 SRC=192.168.1.100 DST=192.168.1.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221

• Firewall denies Network Time Protocol (NTP UDP port 123)

Feb 23 20:58:48 bigboy kernel: IN= OUT=wlan0 SRC=192.168.1.102 DST=207.200.81.113 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56

-j ACCEPT

modprobe ip_nat_ftp

[root@bigboy tmp]#

iptables -A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables is being configured to allow the firewall to send ICMP echo-requests (pings) and in turn, accept the expected ICMP echo-replies.

Consider another example

iptables -A INPUT -p icmp --icmp-type echo-request \ -m limit --limit 1/s -i eth0 -j ACCEPT

--sport 1024:65535 --dport 80 -j ACCEPT

###IPTables###
Features:
 1. Firewall for Linux
 2. Interface to Netfilter, which is loaded by the kernel
 3. Operates primarily @ layers 3 & 4 of the OSI model
 4. Modular
 5. Provides Network Address Translation (NAT)
 6. IPTables can also access other layers (2, 5-7), with modules

1. grep -i config_netfilter /boot/config*

Note: Save rules in: /etc/sysconfig/iptables so that when IPTables is restarted, the rules will be applied OR, update /etc/sysconfig/iptables-config to save the rules automatically

/sbin/iptables - primary ACL modifier utility
/sbin/iptables-restore - restores rules to current IPTables instance
/sbin/iptables-save - saves rules to STDOUT, by default, or to a file


IPTables includes 3 default tables, which you cannot remove:
 1. NAT
 2. Mangle
 3. Filter (Default) - filters inbound/outbound traffic

Note: Each table, includes chains, which include Access Control Entries (ACEs)

Usage:
 1. iptables -L

Note: The Filter table includes 3 chains:
 1. INPUT - applies to traffic destined to a service that our system is bound to

 2. FORWARD - applies to traffic being routed through the system

 3. OUTPUT - applies to traffic sourced from our system, heading outbound


Tasks:
 1. Filter inbound traffic to remote RH5 system to SSH
  a. iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  b. iptables -A INPUT -j DROP

 2. Filter outbound traffic to ANY remote SSH port
  a. iptables -A OUTPUT -p tcp --dport 22 -j DROP

 3. Flush ALL rules from OUTPUT chain of the Filter table 
  a. iptables -F OUTPUT

 4. Save rules to file, then flush rules
  a. iptables-save > iptables.rules.1

 5. Reinstate flushed rules
  a. iptables-restore iptables.rules.1


###IPv6 IPTables###
Features:
 1. Firewall for IPv6

/etc/rc.d/init.d/ip6tables - run-script
/etc/sysconfig/ip6tables-config - system-wide config file

/sbin/ip6tables - primary tool for administering IP6Tables
/sbin/ip6tables-restore
/sbin/ip6tables-save

 2. Maintains 3 default tables:
  a. Filter - matches IPTables(IPv4)
  b. Mangle - matches IPTables(IPv4)
  c. Raw

 
Usage:
 1. ip6tables -L

Note: IPv6 firewall rules are administered independently of IPv4 rules

Tasks:
1. Filter inbound traffic to remote RH5 system to SSH
  a. ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
  b. ip6tables -A INPUT -j DROP

 2. Filter outbound traffic to ANY remote SSH port
  a. ip6tables -A OUTPUT -p tcp --dport 22 -j DROP

 3. Flush ALL rules from OUTPUT chain of the Filter table 
  a. ip6tables -F OUTPUT

 4. Save rules to file, then flush rules
  a. ip6tables-save > ip6tables.rules.1

 5. Reinstate flushed rules
  a. ip6tables-restore ip6tables.rules.1

Thanking you
Hope U Like it.......

Fedora 20 in Virtual box

Roboform in linux

Ubuntu server 12.04

Nagios 4.0.7

Oracle Linux 7

Free BSD 10