Wednesday, 7 March 2012

iptables/Netfilter - Command line overview

Most distributions of Linux have an inbuilt firewall, commonly referred to as iptables. More accurately, it is iptables/netfilter: iptables sits in user space, where the user can interact with and manage rulesets, while netfilter is a kernel module, built into the kernel, that actually does the filtering.

iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. IPv6 addresses can be managed with ip6tables.

A number of GUIs can be used to manage the process, but they often lack the flexibility of the command line. Let's take a look at the process in more detail...

With a new installation, three pre-defined chains exist (INPUT, OUTPUT and FORWARD). You can add new chains, remove them and rename them. They simply serve as containers for holding rules; you will refer to the name of your chain when making new rules and managing existing ones.

Let's assume we stuck with the pre-defined chains...

INPUT - All packets destined for the host computer (i.e. keeping people/processes out!)
OUTPUT - All packets originating from the host computer.
FORWARD - All packets neither destined for nor originating from the host computer, but passing through (routed by) the host computer. This chain is used if you are using your computer as a router.

The ordering of rules in a chain does matter. A packet is checked against each rule in turn, starting at rule 1. Once a packet matches a rule, the action for that rule (ACCEPT, DROP etc.) is taken on the packet and all rules below it are ignored. If a packet makes it all the way down the chain with no matches, the default action for that chain is taken. This is referred to as the default policy and may be set to either ACCEPT or DROP the packet.
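To make the first-match rule concrete, here is a small POSIX shell model of how a chain is walked. It is an added illustration, not code from the original post and not a call into iptables itself. The rule table, the constructed packets and the column format (proto, dport, state, target, with "any" as a wildcard) are assumptions made for the example. The second table has the catch-all REJECT moved to the top, which shows why ordering matters: every rule below it becomes unreachable.

```sh
#!/bin/sh
# Added illustration, not part of the original post: a tiny evaluator that
# walks a chain the way the text describes. Rules are tried top to bottom,
# the first match decides, and a packet that matches nothing gets the chain's
# default policy. This models the semantics; it does not call iptables.
# Rule format (constructed): "proto dport state target"; "any" matches all.

# Constructed INPUT chain in the same spirit as the listing later in the post.
INPUT_RULES='
any any RELATED,ESTABLISHED ACCEPT
tcp 22 NEW ACCEPT
any any any REJECT
'

# The same rules with the catch-all moved to the top: it now shadows the
# ssh rule, which can never be reached.
SHADOWED_RULES='
any any any REJECT
any any RELATED,ESTABLISHED ACCEPT
tcp 22 NEW ACCEPT
'

# field_matches RULE_FIELD PACKET_FIELD
# true when the rule field is "any" or its comma-separated list contains the
# packet's value (so RELATED,ESTABLISHED matches a packet in state ESTABLISHED)
field_matches() {
    case ",$1," in
        *,any,*)   return 0 ;;
        *",$2,"*)  return 0 ;;
    esac
    return 1
}

# verdict RULES POLICY PROTO DPORT STATE
# prints the target of the first matching rule, or POLICY if none matches
verdict() {
    rules=$1 policy=$2 proto=$3 dport=$4 state=$5
    hit=$(printf '%s\n' "$rules" | while read -r r_proto r_dport r_state r_target; do
        if [ -z "$r_target" ]; then
            continue                       # blank line in the table
        fi
        if field_matches "$r_proto" "$proto" \
           && field_matches "$r_dport" "$dport" \
           && field_matches "$r_state" "$state"; then
            printf '%s' "$r_target"
            break                          # first match wins; later rules are ignored
        fi
    done)
    printf '%s\n' "${hit:-$policy}"
}

# Walk a few constructed packets through both orderings.
for pkt in "tcp 22 NEW" "tcp 80 NEW" "tcp 443 ESTABLISHED"; do
    set -- $pkt
    printf '%-20s correct order: %-7s catch-all first: %s\n' "$pkt" \
        "$(verdict "$INPUT_RULES" ACCEPT "$1" "$2" "$3")" \
        "$(verdict "$SHADOWED_RULES" ACCEPT "$1" "$2" "$3")"
done
```

Run it with sh and you get one line per packet showing the verdict under each ordering. A packet that matches nothing falls back to the policy argument, which is what iptables does with the chain's default policy; with the catch-all first, even new ssh connections are rejected, exactly the mistake that appending a new rule below an existing catch-all produces.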

Let's see a live example...

To display a list of current rules, execute the following command:
Code Snippet
  iptables --list
End of Code Snippet

This will display the following...

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

You can see that the final rule in the INPUT chain REJECTs the packet on all protocols, from any source and to any destination, so it acts as the effective default for anything not matched by the rules above it.

You can view all of the commands for iptables by executing the following command:

Code Snippet
  iptables --help
End of Code Snippet

In the examples section below I have listed some common commands for managing firewall rules; below each one, the parameters used are discussed. I have used a range of commands which allow me to explain the majority of the accepted values in detail...


List all IP chains with line numbers

Code Snippet
  iptables --list --line-numbers
End of Code Snippet

- Lists all rules for all chains and also echoes line numbers to the left (this allows us to insert rules at certain positions).

Insert a rule at position 13 (Chain: INPUT, Protocol: TCP, Port 115)
Code Snippet
  iptables --insert INPUT 13 -m state --state NEW -p tcp --dport 115 -j ACCEPT
End of Code Snippet

- Here we're using the -m switch to load a module (state). The state module is able to examine the connection-tracking state of a packet and determine if it is NEW, ESTABLISHED or RELATED.
- NEW refers to incoming packets that start new connections which weren't initiated by the host system.
- ESTABLISHED and RELATED refer to incoming packets that are part of an already established connection, or related to an already established connection.

-j (jump) specifies the target action for packets matching the rule, in this case ACCEPT.

Append a rule to the bottom of a chosen chain (in this case the INPUT chain) for an interface (localhost)
Code Snippet
  iptables --append INPUT -i lo -j ACCEPT
End of Code Snippet

- 'lo' represents the localhost (loopback) interface. This rule is generally required, as many software applications expect to be able to communicate with the localhost adapter.

Remove all rules in all chains
Code Snippet
  iptables --flush
End of Code Snippet

Remove all rules in a chain
Code Snippet
  iptables --flush [Chain Name]
End of Code Snippet

Remove a rule (Remove a rule at position 13)
Code Snippet
  iptables --delete INPUT 13
End of Code Snippet

Saving Rules (persisting changes across a system reboot)

Firewall changes need to be saved in order to persist across a system reboot. We can achieve this by using the following command...

Code Snippet
  service iptables save
End of Code Snippet

Saving firewall rules to /etc/sysconfig/iptables: [ OK ]

This executes the iptables init script, which runs /sbin/iptables-save and writes the current iptables configuration to /etc/sysconfig/iptables. Upon reboot, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.
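Putting the commands above together, here is an added example script (not the post's own, and not part of the iptables package) that builds the INPUT chain in the order the first-match rule requires, prints the plan when run without root, and applies it and saves it with service iptables save when run with the apply argument. The port variables, the function names, the insert position and the dry-run switch IPT_DRY_RUN are assumptions introduced for the example.

```sh
#!/bin/sh
# Added example, not the post's own script: the commands discussed above
# assembled into one ordered INPUT ruleset. Run as "./input-chain.sh plan"
# (or with no argument) to print the iptables commands without executing
# them, or "./input-chain.sh apply" as root to execute them and then save
# them with "service iptables save" as described above.
set -eu

SSH_PORT=${SSH_PORT:-22}       # assumption: ssh listens on the standard port
EXTRA_PORT=${EXTRA_PORT:-115}  # the tcp/115 rule inserted in the post

# ipt: either execute iptables or, when IPT_DRY_RUN=1, print the command
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# build_input_chain: order matters because the first matching rule wins
build_input_chain() {
    ipt --flush INPUT
    # 1. loopback first: local services expect to reach 127.0.0.1
    ipt --append INPUT -i lo -j ACCEPT
    # 2. replies to connections this host opened (state module)
    ipt --append INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 3. new inbound ssh, so a remote admin is not cut off by the catch-all
    ipt --append INPUT -m state --state NEW -p tcp --dport "$SSH_PORT" -j ACCEPT
    # 4. anything not explicitly allowed is rejected (same final rule as the listing)
    ipt --append INPUT -j REJECT --reject-with icmp-host-prohibited
    # 5. later additions must go BEFORE the catch-all: insert at its position
    #    (rule 4 here, an assumption for this layout), never append, or the
    #    new rule is never reached
    ipt --insert INPUT 4 -m state --state NEW -p tcp --dport "$EXTRA_PORT" -j ACCEPT
}

# plan_input_chain: the same sequence printed instead of executed (no root needed)
plan_input_chain() {
    ( IPT_DRY_RUN=1; build_input_chain )
}

# rule_count: how many rules the plan adds to the chain
rule_count() {
    plan_input_chain | grep -c -E -- '--(append|insert) '
}

# position_of PATTERN: 1-based line of the first plan command matching PATTERN,
# handy for checking that the catch-all is issued before the insert
position_of() {
    plan_input_chain | grep -n -E -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-plan}" in
    apply) build_input_chain && service iptables save ;;   # needs root
    *)     plan_input_chain ;;
esac
```

Reviewing the printed plan before running apply is the point of the dry run: it lets you confirm that the loopback and RELATED,ESTABLISHED rules come first and that the extra port is inserted above the REJECT catch-all, which is the error most likely to lock an administrator out of a remote host.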
