What are Iptables in Linux?


In this article, you will learn what iptables is in Linux and the terminology that goes with it: tables (filter, nat, mangle and the rest), chains, and rules. We will look at how to list the current rules and at the different options the iptables command takes. At the end, you will see a set of firewall rules that you can adapt for your own systems.

What are iptables in Linux?

Iptables is the tool that configures the packet-filtering firewall built into the Linux kernel. A firewall is simply a way to filter traffic: you state what traffic you want to allow and what traffic you want to block. You can set this up for a single computer or, if the machine routes traffic, for an entire network behind it.

Iptables gives you fine-grained control over which traffic is blocked and which is allowed. It is a command-line interface used to set up and maintain the tables of the Netfilter framework inside the Linux kernel. iptables handles IPv4; its twin ip6tables handles IPv6 with the same syntax. On recent distributions the iptables command is often a compatibility front end over nftables, but the rule syntax described here is unchanged.

The name comes from the fact that the rules are organized into tables, each of which decides what happens to IP packets at a particular stage.

Need of iptables in Linux

Linux distributions ship with sensible defaults, and privilege separation (a password prompt before anything runs as root) limits what a malicious program can do once it is on the machine. That is not the same as controlling what reaches the machine over the network: any service that listens on a port is reachable by default, regardless of who started it.

In a world that revolves around the internet, with constant port scanning, brute-force login attempts, and phishing, you must also take precautions at the network boundary. That is exactly what iptables is for.

Using iptables, you can block traffic from a specific address or network, restrict a service so that only a particular host or subnet can reach it, limit how many connections a single source may open, and log what you drop. Keep in mind that iptables works on packets, that is, on addresses, protocols, ports and connection state, not on application content: it cannot read cookies or mail bodies, so "blocking a web site" or "stopping spam" with iptables means blocking the hosts or ports involved, not the content itself.

Understanding basic concepts of iptables

For the sake of simplicity and understandability, let us look into the basic concepts and terminologies that are related to iptables.

When talking about iptables, it is very important to understand the 3 terms:

1. Tables

2. Chains

3. Rules

Let us look at each of these terms one by one:

1. Tables in iptables

Iptables has 5 tables, of which 3 are used most of the time, and each table has a different role. Let us take a look at the 5 tables along with their roles:

a. Filter table:

The default and main table used in iptables is the filter table. Whenever you don't specify a table, the rule goes into the filter table. As the name suggests, the role of this table is filtering packets: deciding whether to let a packet continue to its intended destination or to drop or reject it.

The filter table provides the majority of functions of iptables, and for most occasions, this is the table that you would be dealing with.

b. NAT table

The second main table is the NAT table. As the name suggests, it holds the network address translation rules. A rule in this table decides whether, and how, to rewrite a packet's source or destination address so that the packet can be routed in a NAT setup, where direct access between the two sides is not possible.

c. Mangle table

The third main table is the mangle table. This table is used to alter the IP headers of a packet. For instance, you can adjust the time-to-live (TTL) value of a packet, lengthening or shortening the number of network hops the packet can traverse. Other IP header fields can be altered in similar ways.

These above-mentioned tables are the 3 main tables, now let us look at the other 2 tables:

d. RAW table

The raw table is evaluated before connection tracking. Its main use is to mark packets with the NOTRACK target so that conntrack does not create a connection entry for them, for example for high-volume flows where keeping state is not needed.

e. Security table

The security table is used to set internal SELinux security context marks on packets, which affect how SELinux, or other systems that can interpret SELinux security contexts, handle these packets.

2. Chains in iptables

Chains are points along the route of a packet where rules are applied. There are 5 built-in chains in iptables:

a. PREROUTING

b. INPUT

c. FORWARD

d. OUTPUT

e. POSTROUTING

Not all chains are available in all tables. Each chain gives you the option to act on packets at that particular point in their route.

Let’s get a more clear picture of each of the chains.

a. Pre routing chain

The PREROUTING chain is applied to any incoming packet very soon after it enters the network stack, before any routing decision has been made about where to send the packet.

b. Input chain

The INPUT chain is applied, after the routing decision, to packets whose destination is the local system itself.

c. Forward chain

The FORWARD chain is applied to packets that are routed through your system, that is, packets that neither originate from it nor are addressed to it.

d. Output chain

Output chain is applied to the packet originating from your system and going out.

e. Post routing chain

POSTROUTING is the counterpart of PREROUTING: it is applied to outgoing or forwarded traffic after the routing decision has been taken and just before the packet is put on the wire.

Note that not every table has every chain. Here is the list of chains each table can handle:

a. Filter table: INPUT, OUTPUT, and FORWARD.

b. NAT table: PREROUTING, OUTPUT, and POSTROUTING (newer kernels also provide an INPUT chain here).

c. Mangle table: on older kernels only PREROUTING and OUTPUT; since kernel 2.4 it supports all 5 chains: PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING.

d. Raw table: PREROUTING and OUTPUT.

e. Security table: INPUT, OUTPUT, and FORWARD.

3. Rules in iptables

Rules are the user-defined entries that decide what happens to traffic. When a chain is traversed, each rule in it is checked against the packet in order. If the packet does not match, the next rule in the chain is examined. If it does match, the rule's target decides what happens next: a terminating target ends the traversal of the chain, otherwise evaluation continues with the next rule. If no rule matches, the chain's default policy applies.

Each rule has 2 components:

a. Matching component

The matching component is the set of conditions a packet must satisfy for the rule to apply. You can match by protocol, source or destination IP address, source or destination port, input or output interface, header fields, connection state, and more.

b. Target component

The target component is the action that is triggered when a packet meets the matching criteria of a rule. There are 2 types of targets:

i. Terminating targets

Terminating targets are actions that end further traversal of that particular chain. Examples of terminating targets are ACCEPT, DROP, QUEUE, REJECT and RETURN.

ii. Non terminating targets

Non-terminating targets perform an action (LOG and MARK, for instance) and then let evaluation continue with the next rule in the chain.

How to open Iptables in linux?

Most Linux distributions ship iptables (on recent ones it is often the compatibility front end over nftables, with the same syntax). Listing or changing rules requires root privileges, so run the command as root or through sudo:

iptables -L

This command shows the default filter table. Add -n to print addresses and ports numerically instead of resolving names, which avoids slow DNS lookups, and -v to see packet and byte counters. If you have defined rules already they are listed under each chain; otherwise each chain is listed empty with its default policy.

Linux Iptables format

After opening iptables, it is important to understand the format of the listing and of the commands you type.

When you entered the command iptables -L it listed the filter table by default. The filter table, as discussed above, consists of 3 chains: INPUT, OUTPUT and FORWARD.

By default, the policy of every chain is to ACCEPT all traffic. With -v you also see the packet and byte counters, and the rows below each chain header are the rules in that chain.

An iptables command is built from the following parts:

1. Table name

The part "-t [table]" selects the table. You can give the name of any of the five available tables. The default is the filter table, so when you omit this part the rule applies to the filter table.

2. Command and chain

The part "-OPTION [CHAIN]" says what to do and to which chain. The chains available depend on the table selected in the previous part. Let us look at the command options before proceeding further:

-A

This option appends a rule to the end of the specified chain.

-C

This option checks whether a rule with exactly the given specification already exists in the chain (exit status 0 if it does). It is the safe way to avoid adding the same rule twice.

-D

This option deletes a rule from the specified chain, given either its specification or its position number.

-E

This option renames a user-defined chain.

-F

This option flushes (deletes all rules from) the selected chain. If no chain is given, every rule in the table is deleted.

-h

This option prints the help text: a summary of the command structure, parameters and options.

-I

This option inserts a rule into a chain at a position given by the user (position 1, the top of the chain, if none is given).

-L

This option lists the rules in the specified chain, or in all chains of the table if none is given. -S prints the same rules in the command syntax used to create them.

-N

This option creates a new user-defined chain with the name given by the user.

-P

This option sets the default policy for the specified built-in chain.

-R

This option replaces the rule at a given position in the specified chain.

-X

This option deletes a user-defined chain, which must be empty and not referenced by any rule.

-Z

This option zeroes the packet and byte counters in all chains of the table, or in the specified chain.
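The -C option is what makes rule management scripts safe to re-run: a plain -A on every run appends the same rule again and again, and -D removes only one copy per call. The following script, an added example that is not from the original article, wraps -C, -A and -D into idempotent helpers. By default it drives a small stand-in for the iptables binary (ipt_sim, kept in a temporary file) so the logic can be exercised without root; set IPT_SIM=0 to run the same helpers against the real iptables as root. The stand-in compares rules textually, whereas the real binary compares normalized rules (to it, "-s 10.0.0.1" and "-s 10.0.0.1/32" are the same rule); the address 203.0.113.7 is a documentation address chosen for the demonstration.

```shell
#!/usr/bin/env bash
# Idempotent rule management with -C (check) before -A (append) or -D (delete).
# Added example, not from the original article. Assumes an iptables binary in
# PATH when IPT_SIM=0; otherwise a stand-in keeps the rules in a temp file.
set -u

IPT_SIM="${IPT_SIM:-1}"                  # 1 = stand-in, 0 = real iptables (root)
RULES_FILE="${RULES_FILE:-$(mktemp)}"    # backing store for the stand-in

# Stand-in for iptables: understands -C, -A, -D and -S on one chain and compares
# rule text exactly (the real binary compares normalized rules).
ipt_sim() {
  local cmd="$1"; shift
  local chain="${1:-}"; shift $(( $# > 0 ))
  local spec="-A $chain $*"
  case "$cmd" in
    -C) grep -qxF -- "$spec" "$RULES_FILE" ;;
    -A) printf '%s\n' "$spec" >> "$RULES_FILE" ;;
    -D) grep -qxF -- "$spec" "$RULES_FILE" || return 1   # real -D fails if absent
        awk -v s="$spec" '!done && $0 == s { done = 1; next } { print }' \
            "$RULES_FILE" > "$RULES_FILE.new" && mv "$RULES_FILE.new" "$RULES_FILE" ;;
    -S) grep -F -- "-A $chain " "$RULES_FILE" || true ;;
    *)  echo "ipt_sim: unsupported option $cmd" >&2; return 2 ;;
  esac
}

ipt() { if [ "$IPT_SIM" = 1 ]; then ipt_sim "$@"; else iptables "$@"; fi; }

# Append only if an identical rule is not already present: safe to re-run.
ensure_rule() {   # ensure_rule CHAIN RULE-SPEC...
  local chain="$1"; shift
  ipt -C "$chain" "$@" 2>/dev/null || ipt -A "$chain" "$@"
}

# Remove every copy of a rule. Repeated -A calls leave duplicates behind and
# -D removes one copy per call, so loop until -C no longer matches.
purge_rule() {    # purge_rule CHAIN RULE-SPEC...
  local chain="$1"; shift
  while ipt -C "$chain" "$@" 2>/dev/null; do ipt -D "$chain" "$@"; done
}

# Number of rules in CHAIN whose text contains PATTERN, read from -S (the
# command-style listing), which is easier to grep than the -L table.
count_rules() {   # count_rules CHAIN PATTERN
  ipt -S "$1" | grep -cF -- "$2" || true
}

# Demonstration (against the stand-in unless IPT_SIM=0).
ensure_rule INPUT -s 203.0.113.7 -j DROP
ensure_rule INPUT -s 203.0.113.7 -j DROP     # no-op the second time
echo "after two ensure_rule calls: $(count_rules INPUT 203.0.113.7) rule(s)"
ipt -A INPUT -s 203.0.113.7 -j DROP          # a bare -A appends a duplicate
echo "after a bare -A:             $(count_rules INPUT 203.0.113.7) rule(s)"
purge_rule INPUT -s 203.0.113.7 -j DROP
echo "after purge_rule:            $(count_rules INPUT 203.0.113.7) rule(s)"
```

The counts printed are 1, 2 and 0. On a real host, run the helpers as root with IPT_SIM=0; because -C normalizes the specification, ensure_rule also recognises a rule that was added earlier by hand with an equivalent spelling.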

3. Matching component

The part "[matching options]" is where you state the condition. If the condition is true the action is taken, otherwise evaluation moves on to the next rule in the chain. This is the heart of the firewall's filtering. There is a long list of matching parameters, but broadly they fall into 3 types:

a. Generic parameters

Generic parameters are always available:

  • -p – protocol (tcp, udp, icmp, or all)
  • -s – source IP address or network
  • -d – destination IP address or network
  • -i – input interface
  • -o – output interface
b. Implicit parameters

Implicit parameters become available once a protocol is chosen with -p; for -p tcp they include:

  • --sport – source port
  • --dport – destination port
  • --tcp-flags – which TCP flags to examine and which of them must be set
  • --syn – shorthand for the first packet of a new TCP connection (SYN set, ACK, RST and FIN clear)
c. Explicit parameters

Explicit parameters are match extensions loaded with -m, for example:

  • -m conntrack – connection state (--ctstate NEW, ESTABLISHED, RELATED, INVALID)
  • -m dscp – the DSCP field of the IP header
  • -m ecn – the ECN bits
  • -m iprange – an arbitrary range of IP addresses

4. Actions

The part "[action]" specifies what to do when the matching condition is true. In iptables the action is expressed as a jump, with the -j option, to a target: either a built-in target or a user-defined chain in the same table. The 2 basic targets are ACCEPT and DROP; the most commonly used targets are:

a. ACCEPT – lets the packet through

b. DROP – silently discards the packet; the sender receives no answer and has to time out

c. REJECT – discards the packet but sends an error back (an ICMP port-unreachable by default, or a TCP reset with --reject-with tcp-reset), so the sender fails immediately

d. RETURN – stops traversing the current chain and resumes in the chain that called it; in a built-in chain, the chain's policy applies

By default, the policy of every chain is to ACCEPT all traffic. If you want to change the default of INPUT, OUTPUT, or FORWARD to DROP (block the traffic), use the commands:

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

Be careful with the order in which you do this. If you set INPUT (or OUTPUT) to DROP over an SSH session before adding rules that accept established connections and your own SSH traffic, the session is cut off and you are locked out. Add the allow rules first, then change the policy. The policy is what applies to a packet that matches no rule at all, so a DROP policy is what turns a chain into an allow-list.

Examples of iptable rules

Now that we have seen the different terminologies, options, chains, parameters, and a lot more, let us see a few examples in action for a better understanding of the topic.

1. Blocking a specific IP address

To block a specific IP address, use the command:

iptables -A INPUT -s 192.168.7.23 -j DROP

In the above command, the option -A appends the rule at the end of the INPUT chain. The match -s 192.168.7.23 selects packets whose source address is 192.168.7.23, and the target DROP discards them. An address without a mask means exactly that host (/32); give a CIDR mask such as 192.168.7.0/24 to block a whole network.

2. Unblocking a specific IP address

To lift the block again, delete the rule with the same specification:

iptables -D INPUT -s 192.168.7.23 -j DROP

In the above command, the option -D deletes the first rule in the INPUT chain whose specification matches the given one (the same specification as in example 1, with -A replaced by -D), so packets from 192.168.7.23 are no longer dropped. Traffic is accepted as soon as no rule drops it; only when the chain policy is DROP do you need an explicit rule with -j ACCEPT for the address.

3. Blocking traffic from a specific port

To block outgoing connections on a specific port, use the command:

iptables -A OUTPUT -p tcp --dport 22 -j DROP

In the above command, the option -A appends the rule at the end of the OUTPUT chain. The matching component -p tcp --dport 22 selects TCP packets whose destination port is 22, that is, SSH connections made from this host, and the DROP action blocks them.

4. Accepting traffic from a specific port

To allow outgoing connections on a specific port, use the command:

iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

In the above command, the option -A appends the rule at the end of the OUTPUT chain. The matching component -p tcp --dport 22 selects TCP packets with destination port 22 and the ACCEPT action lets them through. Because rules are evaluated in order, this rule only has an effect if it comes before any rule that would drop the same traffic: appended after the DROP rule of example 3 it is never reached. It is also only needed when the OUTPUT policy is DROP; with the default ACCEPT policy the traffic passes anyway.

5. Disabling outgoing mail

If you don't want your system to send any email, you can block the SMTP ports. Several ports in one rule require the multiport match:

iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT

With REJECT, a local mail client fails immediately with a connection error instead of hanging until it times out, as it would with DROP.

6. Limiting the number of concurrent connections

If a single IP address opens too many simultaneous connections to a given port, you can limit them with the command:

iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

Here --syn matches only the first packet of a new TCP connection, and the connlimit match counts the connections currently established from the same source address (by default per single address; --connlimit-mask changes the granularity). Once a client has 3 connections open to port 22, its further connection attempts are rejected. You can change the threshold with --connlimit-above.


8. Searching for an IP address

To find the rules that mention a particular IP address, pipe the listing through grep:

iptables -L <chain> -v -n | grep <IP address>

For example, the command:

iptables -L INPUT -v -n | grep -F 192.168.8.190

is a combination of 2 commands, "iptables -L INPUT -v -n" and "grep -F 192.168.8.190", joined by a pipe symbol (|). The first command lists the INPUT chain with numeric addresses (-n, no DNS lookups) and counters (-v) and feeds that listing to the second, which prints the lines containing 192.168.8.190. Note that iptables prints addresses in canonical form, without leading zeros in the octets and, in the output of iptables -S or iptables-save, with a /32 suffix for single hosts, so search for that form; -F makes grep treat the dots literally rather than as wildcards.
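Searching a saved ruleset is more reliable on the output of iptables-save or iptables -S than on the -L table, and the same parsing lets you audit the ruleset for the two things that matter most: chains whose policy is still ACCEPT, and ACCEPT rules with no source restriction. The script below is an added example, not code from the original article. It runs on a constructed sample in iptables-save format (not captured from a real host) so that it works offline; on a live system you would pipe the real output into the same functions, for example iptables-save | find_ip INPUT 192.168.8.190.

```shell
#!/usr/bin/env bash
# Search and audit a ruleset in iptables-save format. Added example, not from
# the original article; the sample below is constructed, not captured.
set -u

SAMPLE_RULES='*filter
:INPUT ACCEPT [1234:567890]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4321:98765]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.8.190/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Canonicalize a dotted quad the way iptables prints it: no leading zeros in
# any octet (192.168.08.190 -> 192.168.8.190).
canon_ip() {
  printf '%s\n' "$1" | awk -F. -v OFS=. '{ for (i = 1; i <= NF; i++) $i = $i + 0; print }'
}

# Rules in CHAIN whose source or destination is IP, whether the ruleset writes
# it bare or with a mask suffix. Reads the ruleset on stdin.
find_ip() {   # find_ip CHAIN IP  <ruleset
  local chain="$1" ip_re
  ip_re=$(canon_ip "$2" | sed 's/\./\\./g')        # escape dots for grep -E
  grep -E -- "^-A $chain .*(-s|-d) $ip_re(/[0-9]+)? " || true
}

# Filter-table chains whose policy is ACCEPT: anything not explicitly dropped
# by a rule gets through. Reads the ruleset on stdin, prints chain names.
accept_policies() {
  awk '/^\*/ { table = substr($0, 2) }
       table == "filter" && /^:/ && $2 == "ACCEPT" { print substr($1, 2) }'
}

# ACCEPT rules that name a destination port but carry no -s restriction:
# a port open to the whole world. Prints "CHAIN PORT" per rule.
open_to_world() {
  awk '$1 == "-A" && /-j ACCEPT/ && !/ -s / && /--dport/ {
         for (i = 1; i <= NF; i++) if ($i == "--dport") print $2, $(i + 1) }'
}

# Demonstration on the constructed sample.
echo "rules mentioning 192.168.08.190 (searched in canonical form):"
printf '%s\n' "$SAMPLE_RULES" | find_ip INPUT 192.168.08.190
echo "chains with ACCEPT policy:"
printf '%s\n' "$SAMPLE_RULES" | accept_policies
echo "ports accepted from any source:"
printf '%s\n' "$SAMPLE_RULES" | open_to_world
```

On the sample, the search finds the single port-22 rule even though it was asked for with a leading zero, the audit reports INPUT and OUTPUT as ACCEPT-policy chains, and ports 3306 and 80 are flagged as reachable from anywhere; a database port open to the world is the kind of finding this check exists for.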

9. Logging dropped packets

If you wish to keep a log of the packets you drop on a network interface, you can use the command:

iptables -A INPUT -i eth0 -j LOG --log-prefix "IPtables dropped packets: "

LOG is a non-terminating target: it writes a line to the kernel log and then passes the packet on to the next rule. On its own, the rule above therefore logs every packet arriving on eth0, dropped or not. To log only what you drop, place it immediately before the DROP rule, or make it the last rule of a chain whose policy is DROP, so that only packets no earlier rule accepted reach it. Consider adding -m limit to the rule so that a flood of packets cannot fill the disk with log lines.

The messages go to the kernel log: /var/log/messages on RHEL-style systems, /var/log/kern.log or /var/log/syslog on Debian-style ones, and journalctl -k wherever systemd-journald is used. You can search them with a command such as:

grep "IPtables dropped packets:" /var/log/messages

10. Setting up port redirection

If you want traffic arriving for one port to be delivered to a service listening on another port of the same host, use the command:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-ports 2525

REDIRECT is a destination NAT onto the local machine: TCP packets arriving on eth0 for port 25 have their destination port rewritten to 2525 before routing, so a service listening on 2525 receives them. Because the rewrite happens in PREROUTING, the filter table's INPUT chain sees these packets with destination port 2525, and that is the port your filter rules must allow. To send the traffic to a different host instead, use the DNAT target with --to-destination.

Connection states

Many protocols need traffic in both directions. Connection-state matching lets you allow the two-way conversation while permitting connections to be initiated in only one direction.

For example, with the INPUT and OUTPUT policies set to DROP, consider the following two commands:

iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport ssh -d 10.10.10.10 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The above commands permit SSH connections from 10.10.10.10 to this host, but not SSH connections from this host to 10.10.10.10. The first rule accepts the client's initial packet (NEW) and all its later packets (ESTABLISHED); the second accepts only the replies of our SSH server, with source port 22, for a session that already exists. A connection we opened towards 10.10.10.10 would carry destination port 22 and is matched by neither rule, so the DROP policy stops it. The older syntax -m state --state is kept as an alias for -m conntrack --ctstate.

Saving changes

You may think that the rules you add are stored somewhere permanently. They are not: they live only in the kernel's memory and are gone after a reboot unless you save them and restore them at boot. Hence you must also learn how to save.

On Debian-based distributions, iptables-save prints the current rules to standard output in a format that iptables-restore can load. With the iptables-persistent package installed, writing them to /etc/iptables/rules.v4 makes them reload at boot:

sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Use this command to save on RHEL-based distributions; it writes the rules to /etc/sysconfig/iptables, from where the iptables service restores them at boot (on RHEL 7 and later this needs the iptables-services package, and firewalld should be disabled if you manage rules by hand):

sudo /sbin/service iptables save
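Putting the pieces together, the default-DROP policy, the ESTABLISHED,RELATED rule that keeps you from locking yourself out, the connection limit on SSH, the LOG rule placed just before the implicit drop, and persistence, the following script renders a complete host firewall as an iptables-restore file. It is an added example, not code from the original article or from any distribution; the management network 10.10.10.0/24 and the save path /etc/iptables/rules.v4 are assumptions for illustration. Loading the whole file with iptables-restore applies all rules atomically, so the chain policy never flips to DROP before the allow rules are in place, which is the lockout the policy section warns about. The check_order function makes that ordering guarantee explicit: it refuses a ruleset whose first drop, reject or log rule comes before the ESTABLISHED accept.

```shell
#!/usr/bin/env bash
# A complete host firewall as an iptables-restore file, with a guard against the
# classic lockout and a save step. Added example, not from the original article.
# MGMT_CIDR and the save path are assumptions; adjust them for your network.
set -u

render_ruleset() {   # render_ruleset MGMT_CIDR  -> ruleset on stdout
  local mgmt="$1"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Loopback first: local services talk to 127.0.0.1 and must never be blocked.
-A INPUT -i lo -j ACCEPT
# 2. Replies to connections this host opened, plus related traffic such as ICMP
#    errors. This line is what keeps an existing SSH session alive under a DROP policy.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. Packets conntrack cannot classify (bogus flags, out-of-window) are dropped unlogged.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 4. New SSH sessions only from the management network, at most 3 open per source address.
-A INPUT -p tcp --dport 22 -s $mgmt -m conntrack --ctstate NEW -m connlimit --connlimit-above 3 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 22 -s $mgmt -m conntrack --ctstate NEW -j ACCEPT
# 5. LOG is non-terminating and sits last, so it records exactly what falls through
#    to the DROP policy; the limit match keeps a flood from filling the disk.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables dropped: " --log-level 4
COMMIT
EOF
}

# Lockout guard: the ESTABLISHED,RELATED accept must precede any INPUT rule that
# drops, rejects or logs. Reads a ruleset on stdin; exit 0 when the order is safe.
check_order() {
  awk '/^-A INPUT/ && /--ctstate ESTABLISHED,RELATED -j ACCEPT/ { est = NR }
       /^-A INPUT/ && /-j (DROP|REJECT|LOG)/ && !first { first = NR }
       END { exit !(est && (!first || est < first)) }'
}

# Render, verify, load atomically, and save. Run as root. SAVE_PATH defaults to
# the file iptables-persistent reads on Debian; use /etc/sysconfig/iptables on RHEL.
apply_ruleset() {    # apply_ruleset MGMT_CIDR [SAVE_PATH]
  local mgmt="$1" save="${2:-/etc/iptables/rules.v4}" tmp rc
  tmp=$(mktemp)
  render_ruleset "$mgmt" > "$tmp"
  if ! check_order < "$tmp"; then
    echo "refusing to apply: ESTABLISHED accept is not ahead of drop/log rules" >&2
    rm -f "$tmp"; return 1
  fi
  # --test parses and builds the ruleset without committing it; only then load
  # it for real (all rules at once) and keep a root-only copy for the next boot.
  iptables-restore --test "$tmp" && iptables-restore "$tmp" && install -m 0600 "$tmp" "$save"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Stand-alone: print the ruleset for review. To install it:
#   sudo bash -c '. ./host-fw.sh; apply_ruleset 10.10.10.0/24'
render_ruleset "${MGMT_CIDR:-10.10.10.0/24}"
```

Review the printed file before applying it on a remote machine, and apply it from the console or with a scheduled rollback (for example, a delayed iptables-restore of the previous rules via at or a shell timer) the first time, so that a mistake in the management network does not cost you access.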

Summary

As you have seen, iptables is an extremely powerful firewall that you and your system can benefit from. You have learned the terminology, how to read the iptables listing, the command options, and the matching parameters that go into rules which filter traffic from different networks.
