Not until recently, I was compelled to learn iptables when I was working with Firecracker VM. iptables is a tool to manipulate network packets.
Iptables is a powerful and versatile firewall tool that is used to protect and secure networks. It is an open-source program that is installed on Linux-based operating systems. Iptables works by inspecting and filtering network traffic based on a set of rules. These rules define what traffic is allowed and what is blocked, based on criteria such as the source and destination IP address, port number, and protocol.
Today I’ll show you how and what I have learned iptables to manipulate those packets.
Understanding the Jargon
There are 3 constructs which we should keep in mind while working with iptables. This will help later on when we are actually writing commands on the terminal. These constructs are:
Tables themselves are of 5 types. 3 of which are mostly used.
- Filter Table
This is the default tables. Meaning that if on command line if you don’t specify any table, program will assume filter table.
Role of this table is to filter packets based on criteria such as the source and destination IP addresses, port numbers, and protocols.
This table contains three built-in chains - Input, Forward, and Output - that are used to process incoming, forwarded, and outgoing packets, respectively.
- NAT Table
Role of this table is to modify destination or source headers in order to route packet in NAT setup where direct access is not possible. NAT Table is used to translate IP addresses and/or port numbers in packets as they pass through the firewall.
This table contains three built-in chains - PREROUTING, POSTROUTING, and OUTPUT - that are used to modify packets before and after routing.
- Mangle Table
The Mangle Table is used to modify packets in ways that are more complex than those allowed by the Filter and NAT Tables. This table can be used to alter packet header information, mark packets for special handling, and perform other advanced packet processing tasks.
The Mangle Table contains five built-in chains - PREROUTING, OUTPUT, INPUT, FORWARD, and POSTROUTING - that allow packets to be processed at various stages of their journey through the firewall.
- Raw Table
Used for connection tracking.
- Security Table
SELinux policy is applied on the packets.
The last two tables I have not studied deeply so I haven’t much to talk about it. You may explore more about it on your own.
Chains are like points in route of a packet where you can apply rules. There are 5 chains in iptables.
List of chains are as follows:
- Pre-routing Chain
Pre-routing chain is applied to any incoming packet very soon after entring the network. This chain is processed before any routing descision have been made regarding where to send the packet. It is typically used to modify the destination IP address of incoming packets, such as when implementing port forwarding.
- Input Chain
This chain comes after the pre-routing chain. The Input Chain is responsible for processing incoming packets that are destined for the local machine. This chain is typically used to enforce firewall rules that dictate which incoming packets should be accepted or rejected.
- Forward Chain
The Forward Chain is responsible for processing packets that are being forwarded from one network interface to another. This chain is typically used to enforce firewall rules that dictate which packets should be allowed to pass through the machine.
- Output Chain
Output chain is applied to packet originating or going out from the system. This chain is typically used to enforce firewall rules that dictate which packets should be allowed to leave the machine.
- Post-routing Chain
Opposite of pre-routing. The Post-routing Chain is responsible for performing any necessary modifications to outgoing packets after they have been routed. This chain is typically used to modify the source IP address of outgoing packets, such as when implementing network address translation (NAT).
Understanding the purpose of each chain is important for effectively configuring iptables to enforce the desired network security policies. By creating and configuring rules within each chain, network administrators can control how traffic flows through their networks and help to prevent security threats.
All chains are not available for all tables.
Rules is basically an entry of condition, when matches, a certain action is done. Suppose you can to DROP all the packets originating from say 184.108.40.206. You can have a rule in the filter table. Iptables rules define what traffic is allowed or blocked based on the source and destination IP address, port number, and protocol.
Each packet is checked against each rule.
Rules are basically row inside the tables we described above.
Basic iptables Command
The basic syntax for iptables commands is as follows:
iptables [options] <chain> <rule>
The “chain” argument specifies which chain the rule should be added to, and the “rule” argument specifies the rule to be added. Options can be used to modify the behavior of the command.
Examples of Basic iptables Commands
Here are some examples of basic iptables commands that you can use to manage your firewall rules:
- Add a Rule
To add a rule to a chain, use the “-A” option followed by the chain name and the rule. For example, to allow incoming traffic on port 80 (HTTP), you can use the following command:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
This adds a rule to the “INPUT” chain that allows incoming traffic on port 80.
- Delete a Rule
To delete a rule from a chain, use the “-D” option followed by the chain name and the rule. For example, to delete the rule that we added in the previous example, you can use the following command:
iptables -D INPUT -p tcp --dport 80 -j ACCEPT
This removes the rule from the “INPUT” chain that allowed incoming traffic on port 80.
- List Rules
To list the rules in a chain, use the “-L” option followed by the chain name. For example, to list the rules in the “INPUT” chain, you can use the following command:
iptables -L INPUT
This lists the rules in the “INPUT” chain, including the rule we added in the previous example (if it is still present).
- Clear Rules
To clear all the rules from a chain, use the “-F” option followed by the chain name. For example, to clear all the rules from the “INPUT” chain, you can use the following command:
iptables -F INPUT
This removes all the rules from the “INPUT” chain, effectively disabling the firewall for incoming traffic.
- Save Rules
To save your iptables rules so that they persist across reboots, use the “iptables-save” command. For example, to save the current iptables rules to a file called “iptables-rules”, you can use the following command:
iptables-save > iptables-rules
This saves the current iptables rules to a file called “iptables-rules” in the current directory.
- Restore Rules
To restore your saved iptables rules, use the “iptables-restore” command. For example, to restore the iptables rules from the “iptables-rules” file that we created in the previous example, you can use the following command:
iptables-restore < iptables-rules
This restores the iptables rules from the “iptables-rules” file, effectively restoring your firewall configuration.
In today’s post we learned about what iptables is and why is it important.
We learned about basic jargons which will get us started with more advanced workflow with the tool.
At last, we did some hands-on with the iptables command.
In next post, we’ll talk about more advanced usecase of iptables along with some common pitfalls.