In this article, we will look at the basics of iptables, how to write simple packet filtering rules, and how iptables uses netfilter hooks to do its work.
Iptables is a Linux firewall administration utility used for packet filtering and NAT (Network Address Translation).
Iptables is the interface through which a user configures packet filtering, packet mangling and NAT; the actual work relies on netfilter hooks. 'netfilter' is essentially a series of hooks placed at various points in the kernel's network protocol stack. Whenever a packet arrives at (or leaves through) an interface, the loaded kernel modules that have registered at these hooks are called, in the order of the priority they registered with.
There are five hooks in total that a program can register with in order to inspect or modify a packet.
- NF_IP_PRE_ROUTING : triggered first, as soon as a packet has entered the network stack and before the routing decision about its destination is made.
- NF_IP_FORWARD : triggered only when the routing decision says the packet is not for the local system but is to be forwarded to another host.
- NF_IP_LOCAL_IN : triggered when the routing decision says the local system is the destination.
- NF_IP_LOCAL_OUT : triggered when the packet originates from the local system and is about to leave through a network interface.
- NF_IP_POST_ROUTING : triggered after NF_IP_FORWARD (or NF_IP_LOCAL_OUT), just before the packet leaves the network interface.
Note : each packet entering or leaving a network interface is held in an instance of the sk_buff structure, and the hooks operate on that sk_buff when filtering.
iptables is organised into tables, each defined by its function. Each table consists of a series of chains, and each chain consists of the rules to be matched.
- Filter (default)
The chains are :
INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING.
As said earlier, the chains of the various tables are triggered at the five hooks, in the defined priority order, and their rules are evaluated one after another.
Now let's focus on defining rules for the filter table. This table has three chains, namely INPUT, OUTPUT and FORWARD.
Each of these chains can hold different rules, which are applied to the packet in question; if none of the rules matches the packet, the chain's default policy decides. You can set the default policy of each chain as follows:
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
> The first command sets the default policy (-P) of the INPUT chain to DROP: a packet that matches no rule in the chain is silently discarded.
> The second command sets the default policy of the OUTPUT chain to ACCEPT: a packet that matches no rule in the chain is let through.
> The third command sets the default policy of the FORWARD chain to DROP. Note that a built-in chain's policy can only be ACCEPT or DROP; REJECT (discard the packet and send an error response to the sender) is a rule target, not a policy, so "iptables -P FORWARD REJECT" fails with "Bad policy name". To reject rather than silently drop unmatched forwarded packets, keep the policy at DROP and append a rule with -j REJECT as the last rule of the chain.
Now we can append custom rules to each of the chains.
ex 1 : iptables -t filter -A INPUT -p tcp -s barriersec.com --dport 80 -j ACCEPT
Here the rule says: in the filter table (-t), append (-A) a rule to the INPUT chain that matches protocol (-p) tcp, source address (-s) barriersec.com and destination port (--dport) 80, and jump (-j) to the ACCEPT target, i.e. accept the packet. A hostname given to -s or -d is resolved when the rule is added; the rule then matches the resulting IP addresses, not the name.
ex 2 : iptables -t filter -A OUTPUT -p tcp -d barriersec.com --sport 80 -j DROP
Here the rule says: in the filter table (-t), append (-A) a rule to the OUTPUT chain that matches protocol (-p) tcp, destination address (-d) barriersec.com and source port (--sport) 80, and jump (-j) to the DROP target, i.e. discard the packet.
We can view the list of rules in each table with:
iptables -t [table name] -L
We can use conntrack to track the state of each TCP/UDP connection.
ex : iptables -A INPUT -p tcp --dport 80 -s barriersec.com -m conntrack --ctstate NEW -j ACCEPT
Here we load the conntrack match module (-m conntrack) and accept the packet only if the connection state is NEW, i.e. it is the first packet of a new connection.
This feature is also what lets the firewall decide which packet belongs to which session/connection.
The only drawback is that as the volume of traffic grows, the cost of maintaining the connection state table grows with it.
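Putting the default policies, the appended rules and the conntrack match together, here is an added example (not from the original article) of a complete default-deny filter-table script. It sets the policies, lets conntrack admit return traffic before anything else, accepts new HTTP connections from one trusted address, and ends each chain with LOG and REJECT rules instead of the invalid REJECT policy. The IPT variable, the trusted address 203.0.113.10, the function names and the "apply" argument are all assumptions of this example; run it with IPT=echo to preview the commands without touching the live ruleset.

```shell
#!/bin/sh
# Added example, not from the original article: a default-deny ruleset for
# the filter table. IPT defaults to the real iptables binary; set IPT=echo
# to print the commands instead of applying them (dry run).
IPT="${IPT:-iptables}"

# Constructed example address (TEST-NET-3); replace with your own trusted host.
TRUSTED_HOST="203.0.113.10"

flush_filter_table() {
    "$IPT" -t filter -F      # delete every rule in every chain of the table
    "$IPT" -t filter -X      # delete user-defined chains
}

set_default_policies() {
    # Built-in chain policies accept only ACCEPT or DROP. REJECT is a rule
    # target, so "reject everything else" is added as the last rule below.
    "$IPT" -t filter -P INPUT DROP
    "$IPT" -t filter -P FORWARD DROP
    "$IPT" -t filter -P OUTPUT ACCEPT
}

append_input_rules() {
    # Rules are evaluated top to bottom; the first terminating match decides.
    # 1. Loopback traffic is always allowed.
    "$IPT" -t filter -A INPUT -i lo -j ACCEPT
    # 2. Return traffic for connections conntrack already knows. Without this
    #    the OUTPUT ACCEPT policy is useless, because replies arrive on INPUT.
    "$IPT" -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. Packets conntrack cannot classify (stray ACKs, bad TCP state).
    "$IPT" -t filter -A INPUT -m conntrack --ctstate INVALID -j DROP
    # 4. New HTTP connections, but only from the trusted host.
    "$IPT" -t filter -A INPUT -p tcp -s "$TRUSTED_HOST" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    # 5. Log (rate-limited) and then reject everything else. LOG is
    #    non-terminating, so the packet continues on to the REJECT rule.
    "$IPT" -t filter -A INPUT -m limit --limit 5/min -j LOG \
        --log-level 4 --log-prefix "fw-input-drop: "
    "$IPT" -t filter -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

append_forward_rules() {
    # This host is not a router: only already-tracked flows may pass.
    "$IPT" -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -t filter -A FORWARD -j REJECT --reject-with icmp-admin-prohibited
}

apply_filter_rules() {
    flush_filter_table
    set_default_policies
    append_input_rules
    append_forward_rules
}

# Apply only when explicitly asked (needs root); otherwise just define functions.
if [ "${1:-}" = "apply" ]; then
    apply_filter_rules
fi
```

After applying, check the result with "iptables -t filter -L -n -v --line-numbers"; -n avoids reverse DNS lookups and the counters show which rule each packet is hitting. The ordering is the point: if the ESTABLISHED,RELATED rule came after the REJECT rule, every reply to an outbound connection would be rejected.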
We can also enable logging and attach it to a specific rule, as shown below:
iptables -A INPUT -s barriersec.com -j LOG --log-level 4 --log-prefix "/Admin"
This logs, through the kernel log at syslog level 4 (warning) and with the given prefix, every INPUT packet that matches the rule. LOG is a non-terminating target: after the packet is logged it continues to the next rule in the chain, so the rule on its own neither accepts nor drops anything.
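The lines produced by that LOG rule end up in the kernel log in a fixed key=value format, which makes them easy to summarise. The following is an added example (not from the original article) that counts matching lines per source address and destination port; the log lines are constructed samples in the LOG-target format, not captured from a real system, and the function names and the prefix handling are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: summarise iptables LOG output
# by (source address, destination port). LOG_PREFIX must match --log-prefix.
LOG_PREFIX="${LOG_PREFIX:-/Admin}"

# Five constructed sample lines (not real traffic). Note that with a prefix
# of "/Admin" and no trailing space, the kernel prints "/AdminIN=eth0".
# The fourth line comes from a different rule and must be ignored.
sample_fw_log() {
    cat <<'EOF'
Jan 10 12:00:01 gw kernel: [ 812.331122] /AdminIN=eth0 OUT= MAC=08:00:27:3c:9d:5e:52:54:00:12:35:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:02 gw kernel: [ 813.102233] /AdminIN=eth0 OUT= MAC=08:00:27:3c:9d:5e:52:54:00:12:35:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=4322 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:03 gw kernel: [ 814.557788] /AdminIN=eth0 OUT= MAC=08:00:27:3c:9d:5e:52:54:00:12:35:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=TCP SPT=40022 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:04 gw kernel: [ 815.000001] other-rule: IN=eth0 OUT= MAC=08:00:27:3c:9d:5e:52:54:00:12:35:02:08:00 SRC=192.0.2.99 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=9002 DF PROTO=TCP SPT=40023 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:05 gw kernel: [ 816.240099] /AdminIN=eth0 OUT= MAC=08:00:27:3c:9d:5e:52:54:00:12:35:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=4323 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}

# Read log lines on stdin; print "SRC DPT count" for each pair seen in lines
# carrying LOG_PREFIX, most frequent first. Fields are located by their
# "KEY=" tag rather than by position, so extra tokens (timestamps, MAC=,
# flags such as DF or SYN) do not break the parse.
summarize_fw_log() {
    grep -F -- "$LOG_PREFIX" |
    awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "") count[src " " dpt]++
    }
    END { for (k in count) print k, count[k] }' |
    sort -k3,3nr -k1,1
}

# Usage: feed the samples (or "journalctl -k" / /var/log/kern.log) to the parser.
sample_fw_log | summarize_fw_log
```

The glued "/AdminIN=eth0" in the samples is worth noticing: the kernel prints the prefix immediately before "IN=", so a prefix should end with a space or ": " to keep the log readable for both people and parsers. Rate-limit LOG rules with -m limit as well, otherwise a flood of matching packets becomes a flood of kernel messages.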
For detailed information on the netfilter architecture, visit https://www.netfilter.org/