IPTables is the utility that manages the firewall in Linux. It is a powerful and convenient tool for protecting your network from unwanted connections. Everything the firewall does is expressed as iptables rules that you can view and edit. This article explains how.
History of creation
Before iptables, Linux used ipfwadm, which was derived from the BSD ipfw firewall, and then ipchains in the 2.2 kernel. Linux kernel 2.4 shipped with the Netfilter framework and the iptables utility for managing it. The way it works preserved the earlier model and extended it somewhat.
How IPTables is structured
A packet entering the firewall first passes several kernel-level sanity checks, for example checksum verification. It then goes through the PREROUTING chain. Next, the routing decision is made, and it determines the next chain: if the destination address is not one of the local machine's addresses, the packet is sent to the FORWARD chain and on to POSTROUTING; if the destination is local, it goes through the INPUT chain and then to the daemon or service it is addressed to. A reply generated by that service passes through the OUTPUT chain, and the last link for any packet leaving the host is the POSTROUTING chain.
Now a little about tables and chains. Netfilter has several tables (filter, nat, mangle, raw and security), and each table contains chains. The same chain name, for example PREROUTING, appears in several tables, but these are separate chains that do not interact: each table's chains are traversed independently.
Chains, in turn, contain rules. A rule is a condition that a packet is checked against; if the packet matches, a target (an action) is applied to it.
Thus, on its way through the stack, the packet sequentially visits the relevant chains and in each one is checked against the rules in order. If no rule in a built-in chain matches, the chain's default policy is applied: usually ACCEPT, which lets the packet continue, or DROP, which silently discards it.
The predefined chains are:
- PREROUTING. Initial processing of all incoming packets, before the routing decision.
- INPUT. Packets addressed to the local machine.
- FORWARD. Transit packets that are routed through this host according to the routing table.
- OUTPUT. Packets generated locally.
- POSTROUTING. The last step for any packet leaving the host, after the routing decision.
In addition to the built-in chains, users can create and delete their own chains.
View and manage IPTables rules
As mentioned earlier, chains consist of rules that describe conditions on packets. To view and manage iptables rules, the iptables utility is used. Each rule is a single line holding a set of match criteria for packets and the action to take when they match.
The general form of the command is: iptables [-t table] command [criteria] [-j target].
Anything in square brackets may be omitted. If the table is not given, filter is used; to work on another table, add the -t switch with its name. The command selects what to do, for example add a rule or delete one. The criteria select which packets the rule applies to. The target, given with -j, names the action to perform when the criteria match.
Commands for Creating and Viewing IPTables Rules
The most commonly used commands are:
- Append (-A). Appends a rule to the end of the given chain (in the given table).
- Delete (-D). Removes a rule; it can be identified either by repeating its full specification or by its number in the chain.
- Rename-chain (-E). Renames a user-defined chain; the old name is given first, then the new one.
- Flush (-F). Deletes all rules in the specified chain, or in every chain of the table if no chain is named.
- Insert (-I). Inserts a rule at the position given by number (at the top of the chain if no number is given).
- List (-L). Lists the rules; if no table is specified, the filter table is shown.
- Policy (-P). Sets the default policy of a built-in chain, applied when no rule in it matches.
- Replace (-R). Replaces the rule with the given number.
- Delete-chain (-X). Deletes the named user-defined chain, or all user-defined chains if none is named; a chain must be empty and not referenced by any rule before it can be deleted. The predefined chains cannot be deleted.
- Zero (-Z). Resets the packet and byte counters of the specified chain (or of all chains in the table).
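Listing rules is only useful if you read them critically. The following script is an added example, not code from the article: it audits an iptables-save style listing for two common weaknesses, built-in chains whose default policy is ACCEPT and INPUT rules that accept a port from any source. SAMPLE_DUMP is a constructed listing standing in for real iptables-save output, and the addresses in it are documentation ranges; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: audit an iptables-save listing (not from the article).
# SAMPLE_DUMP is constructed; on a real host you would use $(iptables-save).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 203.0.113.0/24 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -s 198.51.100.7 -j DROP
COMMIT'

# Built-in chains whose default policy is ACCEPT: anything no rule matches
# is let through, the opposite of a default-deny design.
open_policies() {
    printf '%s\n' "$1" | awk '/^:(INPUT|FORWARD) ACCEPT/ { sub(/^:/, ""); print $1 }'
}

# INPUT rules that ACCEPT a destination port without any -s restriction,
# i.e. services exposed to every source address on every interface.
unrestricted_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-j ACCEPT$/ && /--dport/ && !/ -s / {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# Same checks against the live ruleset (run as root).
audit_live() {
    live="$(iptables-save)"
    open_policies "$live"
    unrestricted_ports "$live"
}

open_policies "$SAMPLE_DUMP"        # prints INPUT and FORWARD
unrestricted_ports "$SAMPLE_DUMP"   # prints 3306
```

On the constructed listing the script reports that INPUT and FORWARD default to ACCEPT and that port 3306 is reachable from anywhere; the SSH rule is not reported because it carries a -s restriction.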
A bit about packet selection options
They fall into three kinds:
- Generic criteria. They can be used in any rule, need no extension module, and do not depend on the protocol.
- Implicit criteria. They become available once a generic criterion selects a protocol: for example, -p tcp makes --sport and --dport usable.
- Explicit criteria. They require loading a netfilter match extension with the -m switch, for example -m conntrack or -m limit.
The parameters most often used to select packets are:
- Protocol (-p). Selects the protocol (tcp, udp, icmp, or all).
- Source (-s). The source address of the packet, given as a host name, a single IP address, or a network in CIDR notation.
- Destination (-d). The destination address of the packet, specified in the same ways.
- In-interface (-i). The interface the packet arrived on. It matters on hosts with several interfaces, such as routers and NAT gateways, and is valid only in the INPUT, FORWARD and PREROUTING chains.
- Out-interface (-o). The interface the packet will leave through; valid only in the FORWARD, OUTPUT and POSTROUTING chains.
A few examples
To view the nat table, run "iptables -t nat -L". To see the overall state of the filter table, with counters and numeric addresses, run "iptables -L -n -v". To insert a rule at a specific position, for example so that it becomes the second rule (between the current first and second), run "iptables -I INPUT 2 -s 202.54.1.2 -j DROP". Then check that it was added with "iptables -L INPUT -n --line-numbers".
To block a specific address, for example 12.12.12.12: "iptables -A INPUT -s 12.12.12.12 -j DROP". Note that an appended rule lands at the end of the chain, so an earlier ACCEPT rule matching the same packet takes precedence; use -I if the block must come first.
The iptables manual is "man iptables". Help for a specific extension is shown with -h after naming it, for example "iptables -j DROP -h" for a target or "iptables -m conntrack -h" for a match.
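The command form, the criteria and the one-line examples above all come together in a complete host firewall. The script below is an added example, not the article's own code: it builds a default-deny INPUT policy as an iptables-restore file rather than as a sequence of individual iptables calls, so the whole rule set is loaded atomically and can be syntax-checked first. The SSH port (22), the admin network 203.0.113.0/24 (a documentation range), the LOGDROP chain name and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example: a default-deny host firewall loaded atomically (not from the article).
# Assumptions: SSH on tcp/22, admins on 203.0.113.0/24 (constructed), conntrack,
# limit and LOG extensions available.
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

# Emit the ruleset in iptables-save format. Policies are DROP for INPUT and
# FORWARD, so only what is explicitly accepted gets through; OUTPUT stays open.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Loopback traffic is always allowed.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, and related traffic (e.g. ICMP errors).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot associate with any connection.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New SSH connections, but only from the admin network.
-A INPUT -p tcp -s ${ADMIN_NET} --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# Keep the host pingable.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Everything else goes to a user-defined chain that logs (rate limited) and drops.
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Number of rules that jump to a given target; a cheap sanity check on the output.
count_target() {
    build_ruleset | grep -c -- "-j $1\$"
}

# Parse first (--test loads nothing), then load the whole set in one transaction.
apply_ruleset() {
    build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
}

# Usage (as root): sh firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

The ESTABLISHED,RELATED rule sits near the top because most packets on a busy host belong to existing connections, and rule order is evaluation order. Before running this on a remote machine, confirm that ADMIN_NET covers the address you are connecting from: with the INPUT policy at DROP, a wrong subnet ends your own session.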
Finally
Use iptables commands with caution: a configuration mistake can degrade network access or cut it off entirely, and on a remote machine a DROP policy on INPUT set before the rule that allows your own SSH session locks you out. Study the manual before configuring, and keep a copy of a known-good rule set with iptables-save so it can be reloaded with iptables-restore. On current distributions the iptables command is often a compatibility front end to nftables (iptables-nft), but the syntax described here still applies. In the right hands, iptables is a reliable protector of network connections, and system administrators use it routinely to isolate services from unauthorized access.