Iptables
iptables operates in an ordered fashion, evaluating rules and matches top to bottom until a target is reached that causes the packet to be dropped, rejected, accepted, or queued to a userspace application.
iptables has three main tables: filter, nat, mangle (there is a raw table, but it’s not going to be covered here). The filter table is the default table, so if no table is specified, it is assumed that commands are operating on the filter table.
Each table is made up of chains that operate on traffic. These chains contain rules that identify matching traffic based on data such as source and/or destination IP, source and/or destination port, protocol, packet size, and inbound or outbound interface.
### filter table
This table is where the rules that affect whether traffic is allowed are configured. There are three default chains in this table: INPUT, FORWARD, OUTPUT.
INPUT: Traffic that is destined for this host.
FORWARD: Traffic that is passing through this host on its way to another host.
OUTPUT: Traffic that originates from this host.
### nat table
This table contains rules that determine whether packets have their source or destination IP altered. The default chains are: PREROUTING, POSTROUTING, OUTPUT.
PREROUTING: As the name implies, this chain operates on traffic before a routing decision is made. Rules in this chain often determine whether traffic should have its destination IP translated to a different IP.
POSTROUTING: As the name implies, this chain operates on traffic after a routing decision is made. Rules in this chain often determine whether traffic should have its source IP translated to a different IP.
OUTPUT: Traffic that originates from this host.
### mangle table
This table contains rules that modify packets (such as MSS/MTU). The default chains are PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.
### iptables on the command line
==VIEWING RULES==
OPTIONS
-n – Numeric output. Print IP addresses and port numbers as numbers instead of resolving them to hostnames (via reverse DNS) and service names. This option takes no argument, so it can be stacked with other options. It is recommended in most cases, especially to avoid the DNS lookup overhead of listing a long rule set.
-v – Verbose output, including packet and byte counts for each rule that has matched traffic. These counts accumulate from the last time the rules were loaded (usually a reboot or a restart of the iptables service) or zeroed with -Z. This option takes no argument, so it can be stacked with other options.
-t – This option indicates which table (filter, nat, mangle, raw) to operate in. If not included, the default is the filter table. When used, this option must be followed by the table name.
-L – List all rules in a chain. This option may be followed by the name of a chain (e.g., INPUT). If no name is specified, the default behavior is to list all rules in all chains of the indicated table.
--line-numbers – Prepends a line (rule) number to each rule of a chain when -L is also used. Useful for determining where a rule should go within a chain when order matters, and for referring to a rule by number with -I, -D, or -R.
-S – List rules in the form in which they are saved, i.e., as the iptables commands that would re-create them when the service starts. This format is useful as a template for new rules that need to be applied.
EXAMPLES
List all chains’ rules in the filter table. The ‘-t filter’ option is not necessary, since filter is the default table. The additional options are used to avoid resolution of the IP and ports to hostnames and port names and to include packet and byte counts.
iptables -t filter -nvL
iptables -n -v -L # without the default filter table explicitly specified.
List all rules in the nat table. Here, ‘-t nat’ is required to access the nat table. As above, the additional options are used to avoid resolution of the IP and ports to hostnames and port names and to include packet and byte counts.
iptables -t nat -nvL
Show all rules in the filter table as they would be added when the iptables service is started. These rules are presented in large part as they might be added individually via iptables commands (see below for examples of adding iptables rules on the command line).
iptables -S # Filter table
iptables -t nat -S # NAT table
List all rules in the indicated chain only. As above, the additional options are used to avoid resolution of the IP and ports to hostnames and port names and to include packet and byte counts.
iptables -nvL INPUT # List the rules in the filter table's INPUT chain
iptables -t nat -nvL web-nat # List the rules in the nat table's web-nat chain (a user-defined chain)
List all rules in the indicated chain only. As above, the additional options are used to avoid resolution of the IP and ports to hostnames and port names and to include packet and byte counts. In addition, this command also includes line numbers for the rule set.
iptables -nvL INPUT --line-numbers # Enumerate rules in the INPUT chain of the filter table
iptables -t nat -nvL web-nat --line-numbers # Enumerate rules in the web-nat chain of the nat table
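As an added example (not part of the original page), the helpers below read `iptables -S` output from stdin and answer the two questions the listing options above are used for: what a chain's default policy is, and at which rule number a given rule sits so that the number can be passed to -I, -D or -R. They rely on the fact that in `-S` output the n-th `-A CHAIN` line for a chain is rule n of that chain, the same number that `-L --line-numbers` prints. The `SAMPLE_RULES` listing is constructed sample output, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original page): helpers over `iptables -S` output.
# SAMPLE_RULES is CONSTRUCTED sample output in -S format, not from a real host.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N web-allow
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -d 10.10.10.15/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 10.0.1.10/32 -j ACCEPT
-A FORWARD -s 10.0.1.20/32 -d 10.100.0.0/24 -j DROP'

# chain_policy CHAIN: print the default policy of CHAIN (its -P line).
chain_policy() {
  awk -v chain="$1" '$1 == "-P" && $2 == chain { print $3; exit }'
}

# rule_count CHAIN: print how many rules (-A lines) CHAIN holds; 0 if none.
rule_count() {
  awk -v chain="$1" '$1 == "-A" && $2 == chain { n++ } END { print n + 0 }'
}

# rule_number CHAIN PATTERN: print the 1-based rule number of the first rule in
# CHAIN whose text contains PATTERN (a plain substring, not a regex). Prints
# nothing and returns 1 when no rule matches, so it is safe to use in `if`.
rule_number() {
  awk -v chain="$1" -v pat="$2" '
    $1 == "-A" && $2 == chain {
      n++
      if (index($0, pat) > 0) { print n; found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}
```

On a live host, pipe the real listing in instead of the sample, e.g. `n=$(iptables -S INPUT | rule_number INPUT '--dport 22')` and then `iptables -D INPUT "$n"`; use `iptables -t nat -S` for chains in the nat table. Because the number is computed from the same ordering that -D and -R use, it stays correct as long as no other rule is inserted between the listing and the change.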
==MODIFYING RULES==
OPTIONS
-A – Append. Place this rule at the end of the chain name that follows this option as an argument.
-I – Insert. Place this rule at the indicated line number of the chain name that follows this option as an argument. If no line number is specified, the rule is placed at the beginning of the chain.
-D – Delete. Remove the rule at the given line number (or the rule matching the given specification) from the chain name that follows this option as an argument.
-R – Replace. Remove the rule at the given line number and insert this rule in its place in the chain name that follows this option as an argument.
-F – Flush. Remove all rules from the chain name that follows this option as an argument. If no chain name argument is provided, every chain in the table is flushed (the chains themselves remain; only their rules are removed).
-Z – Zero. Reset all counters for this chain to zero. If no chain name argument is provided, all counters in the table are set to zero. This only affects the counters visible when -v is used when listing rules. The rules themselves remain in place.
PARAMETERS
-s – Source IP address or subnet. Single host IP or CIDR notation.
-d – Destination IP address or subnet. Single host IP or CIDR notation.
-m – Match extension. Loads a match module (e.g., tcp, udp, icmp, conntrack) that provides additional matching options such as --dport. Commonly paired with ‘-p’ below.
-p – Protocol. Commonly used to match to TCP, UDP, or ICMP.
-i – Inbound interface. This parameter indicates the interface that traffic arrives via (ingress).
-o – Outbound interface. This parameter indicates the interface that traffic will take on its way out (egress).
-j – Jump to target. This parameter indicates how iptables should handle a packet that matches the criteria of the preceding rule parameters. Common jump targets:
ACCEPT - allow this packet and process no further chain rules.
DROP - drop this packet (quietly) and process no further rules
REJECT - drop this packet and send an ICMP message back to the sender indicating that this packet was not accepted
NFQUEUE (QUEUE) - direct the packet to userspace for further evaluation. QUEUE is the CentOS 6 version of NFQUEUE (CentOS 7 and later).
DNAT - Translate the destination IP address as indicated by the “--to-destination” argument
SNAT - Translate the source IP address as indicated by the “--to-source” argument
EXAMPLES
Append (-A) to the end of the FORWARD chain a rule that selects traffic with a source address (-s) of 10.0.1.10 and allows it to pass.
iptables -A FORWARD -s 10.0.1.10/32 -j ACCEPT
Append to the end of the FORWARD chain a rule that selects traffic with a source address (-s) of 10.0.1.20 and a destination address (-d) in the 10.100.0.0/24 range and drops it.
iptables -A FORWARD -s 10.0.1.20/32 -d 10.100.0.0/24 -j DROP
Append (-A) to the end of the INPUT chain a rule that matches traffic with a source IP in the 10.0.0.0/24 range, a destination of 10.10.10.15, and that is TCP traffic with a destination port of 22. This traffic would be accepted/allowed.
iptables -A INPUT -s 10.0.0.0/24 -d 10.10.10.15/32 -p tcp -m tcp --dport 22 -j ACCEPT
Insert at the beginning of the FORWARD chain a rule that matches traffic with a source IP in the 10.0.0.0/24 range and that is TCP traffic with a destination port of 80. This traffic would be allowed.
iptables -I FORWARD -s 10.0.0.0/24 -m tcp -p tcp --dport 80 -j ACCEPT
Insert this rule into the FORWARD chain at line number 10 (pushing the rule currently at line 10 to line 11). This rule matches traffic with a source IP of 10.0.0.201 and a destination in the 192.168.0.0/24 range, dropping it and sending an ICMP message back to the originating host.
iptables -I FORWARD 10 -s 10.0.0.201/32 -d 192.168.0.0/24 -j REJECT # by default REJECT sends an ICMP port-unreachable message; other types can be selected with --reject-with
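The following script is an added example, not code from the original page. It ties the rule-modification options above to the table and chain roles described earlier: one function builds a host's filter-table INPUT chain in evaluation order, and another builds the nat-table PREROUTING (DNAT) and POSTROUTING (SNAT) rules of a small gateway together with the FORWARD rules that the translated flow needs. By default it runs in dry-run mode and only prints the iptables commands it would execute, so the resulting order can be reviewed with the listing options before anything is applied. The management subnet, host address, interface names, public address (from the TEST-NET-3 documentation range) and internal web server are all assumed placeholders, and the conntrack match used for established traffic is not covered on the page.

```shell
#!/bin/sh
# Added example (not from the original page). Builds filter and nat rules in
# the order the text describes. With DRY_RUN=1 (the default) the iptables
# commands are printed instead of executed; run as root with DRY_RUN=0 to apply.
# All addresses and interface names below are constructed placeholders.
DRY_RUN=${DRY_RUN:-1}
MGMT_NET=${MGMT_NET:-10.0.0.0/24}        # assumed management subnet
HOST_IP=${HOST_IP:-10.10.10.15}          # assumed address of this host
WAN_IF=${WAN_IF:-eth0}                   # assumed external interface
LAN_IF=${LAN_IF:-eth1}                   # assumed internal interface
PUBLIC_IP=${PUBLIC_IP:-203.0.113.5}      # assumed public address (TEST-NET-3)
WEB_SERVER=${WEB_SERVER:-10.100.0.10}    # assumed internal web server

# ipt: run iptables, or print the command instead when DRY_RUN=1.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# Host firewall for the filter table's INPUT chain. Rules are appended (-A)
# top to bottom, so the order here is the evaluation order: loopback and
# established traffic are accepted first, specific allows follow, and the
# catch-all REJECT is last. The DROP policy is set only after the chain is
# complete, so a remote session running this script is not cut off while the
# chain is half-built.
apply_filter_rules() {
  ipt -P INPUT ACCEPT                      # stay permissive while rebuilding
  ipt -F INPUT                             # start from an empty chain
  ipt -Z INPUT                             # and from zeroed counters
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -s "$MGMT_NET" -d "$HOST_IP/32" -p tcp -m tcp --dport 22 -j ACCEPT
  ipt -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
  ipt -A INPUT -j REJECT --reject-with icmp-port-unreachable
  ipt -P INPUT DROP                        # now safe to close the default
  ipt -P FORWARD DROP                      # a plain host does not forward
  ipt -P OUTPUT ACCEPT
}

# Gateway NAT. Destination NAT lives in PREROUTING (before routing, so the
# FORWARD chain already sees the translated destination); source NAT lives in
# POSTROUTING (after routing, once the egress interface is known). The filter
# table's FORWARD chain must still permit the translated flow in both directions.
apply_nat_rules() {
  ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP/32" -p tcp -m tcp --dport 80 \
      -j DNAT --to-destination "$WEB_SERVER:80"
  ipt -t nat -A POSTROUTING -o "$WAN_IF" -s 10.100.0.0/24 -j SNAT --to-source "$PUBLIC_IP"
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SERVER/32" -p tcp -m tcp --dport 80 -j ACCEPT
  ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s 10.100.0.0/24 -j ACCEPT
}

# Entry point: `sh firewall.sh host` or `sh firewall.sh gateway`. With no
# argument nothing is applied, so the file can also be sourced for its functions.
case "${1:-}" in
  host)    apply_filter_rules ;;
  gateway) apply_nat_rules ;;
esac
```

After applying the host rules for real, `iptables -nvL INPUT --line-numbers` should show the loopback and conntrack accepts at rules 1 and 2 and the REJECT as the last rule, with the chain policy reported as DROP; `iptables -t nat -S` shows the two translation rules in the form the script printed them.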