Linux 101: A short overview of iptables
The iptables firewall has four functions or modes, represented by the four tables below: filter, nat, mangle and raw.
- filter function or table: as the name suggests, it is used for filtering the packets that pass through a Linux machine.
- nat function or table: this one is used for Network Address Translation.
- mangle function or table: used for modifying the data in IP packets according to the "mangle" rules in the mangle table.
- raw function or table: used to exempt packets from connection tracking.
The iptables firewall sorts packets according to their path through the machine. These packet types, each with its own ordered list of rules, are called chains.
Below are the types of packets, or chains:
- INPUT: incoming packets, addressed to the machine itself.
- FORWARD: packets that just "pass through" the machine, being intended for another machine.
- OUTPUT: outgoing packets generated by the machine.
- PREROUTING: intended for NAT, for modifying packets as soon as they arrive, before any routing decision.
- POSTROUTING: intended for NAT, for modifying packets just before they leave the machine.
Below is a short list of the tables (firewall functions/modes) and the packet types (chains) each of them handles:
- The filter table handles the INPUT, FORWARD and OUTPUT chains.
- The nat table handles the PREROUTING, OUTPUT and POSTROUTING chains.
- The mangle table handles the INPUT, FORWARD, PREROUTING, OUTPUT and POSTROUTING chains.
- The raw table handles the PREROUTING and OUTPUT chains.
For each packet type or chain, iptables holds a set of rules, each ending in an action called a target.
Packets can be matched on many parameters: their source IP address, their destination IP address, their protocol, their ports, and so on.
If no rule matches a packet, the chain's default policy is applied to it.
The action or target is what iptables does with a packet once it matches the rule's criteria (IP address, protocol, ports, ...).
Below is the list of the most common iptables targets:
- ACCEPT: the packet is accepted.
- REJECT: the packet is dropped and an error notification is sent to the sender.
- DROP: the packet is dropped silently; the sender is not notified.
To display the iptables rules currently loaded on a machine, we use the below command:
Below are some examples of iptables commands.
In the below command, the DROP target is applied to the INPUT chain of the filter table:
The below command sets the default policy for the INPUT chain. It is applied to any packet that matches no other rule.
The filter table is the default table when no other table is mentioned.
The below command appends a rule to the INPUT chain of the filter table: incoming packets with the destination IP 10.11.61.12 are rejected.
If an INPUT packet matches the rule (its source address is 10.11.61.12), iptables executes the target/action, ACCEPT.
If an INPUT packet matches the rule (its protocol is ICMP), iptables executes the target/action, DROP.
If an OUTPUT packet matches the rule (its protocol is UDP and its source port is 80), iptables executes the target/action, ACCEPT:
Before making any changes, we can save the current iptables settings to a file as below:
If we want to discard the new changes and go back to our earlier settings, we can flush the tables as below:
Then we restore the tables from our backup using the following command:
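The whole model described above (tables, chains, ordered rules, targets, and the default policy that applies when nothing matches) can be checked offline against a saved ruleset. The following Python script is an added example, not code from the original post: it parses a dump in the text format that iptables-save writes and iptables-restore reads, lists each chain's default policy, finds every rule that mentions a given host, and simulates the first-match evaluation iptables performs on a chain. The dump embedded in it is constructed for the example and mirrors the rules described in the text (default INPUT policy DROP, a REJECT for traffic to 10.11.61.12, an ACCEPT for traffic from 10.11.61.12, a DROP for ICMP, an ACCEPT for UDP with source port 80 on OUTPUT). Only the address, protocol and port matches used in the text are modelled; any other match option raises an error rather than being silently ignored.

```python
"""Audit an iptables ruleset saved in iptables-save format (added example)."""
import ipaddress
import shlex
from dataclasses import dataclass, field

# Constructed sample dump in iptables-save format, mirroring the rules
# described in the text. Not taken from a real machine.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 10.11.61.12/32 -j REJECT
-A INPUT -s 10.11.61.12/32 -j ACCEPT
-A INPUT -p icmp -j DROP
-A OUTPUT -p udp -m udp --sport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
"""


@dataclass
class Rule:
    table: str
    chain: str
    matches: dict    # option -> value, e.g. {"-s": "10.11.61.12/32"}
    target: str      # None for a rule that only counts packets (no -j)


@dataclass
class Ruleset:
    policies: dict = field(default_factory=dict)  # (table, chain) -> policy
    rules: list = field(default_factory=list)     # kept in traversal order


def parse_rule(table, line):
    """Turn one '-A CHAIN <matches> -j TARGET' line into a Rule."""
    tokens = shlex.split(line)
    chain, matches, target = tokens[1], {}, None
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-j":
            target = tokens[i + 1]
        elif tok == "!":
            raise ValueError(f"negated match not modelled: {line}")
        elif tok != "-m":                  # "-m udp" only names an extension;
            matches[tok] = tokens[i + 1]   # its options follow as normal tokens
        i += 2
    return Rule(table, chain, matches, target)


def parse_save(text):
    """Parse a dump: '*table', ':CHAIN POLICY [pkts:bytes]', '-A ...', COMMIT."""
    rs, table = Ruleset(), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy, _counters = line[1:].split()
            rs.policies[(table, chain)] = policy   # "-" for user-defined chains
        elif line.startswith("-A "):
            rs.rules.append(parse_rule(table, line))
    return rs


def _matches(rule, pkt):
    """True if every criterion of the rule holds for the packet dict."""
    for opt, value in rule.matches.items():
        if opt in ("-s", "-d"):
            addr = ipaddress.ip_address(pkt["src" if opt == "-s" else "dst"])
            if addr not in ipaddress.ip_network(value, strict=False):
                return False
        elif opt == "-p":
            if pkt.get("proto") != value:
                return False
        elif opt in ("--sport", "--dport"):
            if pkt.get(opt[2:]) != int(value):
                return False
        else:
            raise ValueError(f"match option not modelled: {opt}")
    return True


def verdict(rs, chain, pkt, table="filter"):
    """Walk the chain in order: the first matching rule with a target decides;
    if no rule matches, the chain's default policy is the verdict."""
    for rule in rs.rules:
        if rule.table == table and rule.chain == chain and _matches(rule, pkt):
            if rule.target is not None:
                return rule.target
    return rs.policies[(table, chain)]


def rules_for_host(rs, ip):
    """(chain, option, target) for every rule whose -s or -d covers ip."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for rule in rs.rules:
        for opt in ("-s", "-d"):
            net = rule.matches.get(opt)
            if net and addr in ipaddress.ip_network(net, strict=False):
                hits.append((rule.chain, opt, rule.target))
    return hits


if __name__ == "__main__":
    rs = parse_save(SAMPLE_DUMP)
    for (table, chain), policy in sorted(rs.policies.items()):
        print(f"{table}/{chain}: default policy {policy}")
    print("rules mentioning 10.11.61.12:", rules_for_host(rs, "10.11.61.12"))
    probe = {"src": "192.0.2.5", "dst": "192.0.2.1", "proto": "icmp"}
    print("ICMP from 192.0.2.5 on INPUT ->", verdict(rs, "INPUT", probe))
```

To run it against a real machine's rules, replace SAMPLE_DUMP with the contents of the file written by the save command above; the same first-match walk then shows which rule (or the default policy) decides the fate of a given packet before the ruleset is restored.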