How does IPtables work

H

There are two types of firewalls:

1. Filtering firewalls – which blocks specific packages.
2. Proxy Servers – Establishing network connections to the Internet from computers inside the LAN.

Linux kernels have had packet filters since the 1.1 series. The first generation of packet filters, based on ipfw, was ported by Alan Cox in 1994. Jos Vos and others upgraded it for the 2.0 kernels; a utility, ipfwadm, was also introduced to control kernel filtering rules. In 1998, Rusty Russell with Michael Neuling entered the ipchains service to control filtering rules in kernels 2.2. Finally, in 1999, Rusty Russell introduced the fourth generation of packet filtering utilities, namely iptables, for the 2.4 kernel.

Rusty Russell created it and kept almost entirely the ipchains philosophy, but it also offers many features (extensions) especially for modifying the fields of packages that go in or out through a Linux machine. Before installing the new features of iptables, I will list the small syntax differences of some features that have been passed from ipchains to iptables:

1. The built-in chain names are now written in capital letters in comparison to small letters in ipchains.
2. “-i” option now means incoming interface, the interface on which packages come, and only works for the INPUT and FORWARD chains. The FORWARD and OUTPUT rules using the -i option must now use the “-o”, outgoing interface.
3. TCP and UDP ports must now be specified with “-source-port / destination-port” or “-sport / dport” and must be placed after “-p tcp” or “-p udp” because they load TCP extensions, respectively UDP.
4. The “-y” flag is now “syn” and should appear only after “-p TCP”.
5. DENY is now replaced by DROP.
6. Chain deletion during listing works with iptables but not with ipchains.
7. Zeroing built-in chains also employ hollow counters.
8.REJECT and LOG are now expanded targets into separate modules.
9. The chain name can now have a maximum of 31 characters.
10. MASQ is now MASQUERADE and uses a different syntax.
11. The REDIRECT theme also underwent a syntax change.
12. Packages are sent to userspace (to be processed by the user) using the QUEUE target.

There has also been a change of structure in the transition from ipchains to iptables. Several firewall rule tables can be defined in iptables. Each table contains a number of built-in chains and can also contain user-defined chains. As with ipchains, each chain may contain more filtering rules. The target of an iptables rule can be either a user-defined chain or one of the special targets: ACCEPT, DROP, QUEUE, RETURN. ACCEPT lets the package go through. DROP ‘let the package fall’ (refuse the package). The QUEUE target transmits the package to the userspace if the kernel supports it to be processed by the user programs. RETURN makes the packet no longer cross the rules in the current chain but returns to the rules of the previous chain. If the end of a built-in chain or a RETURN target from a built-in chain is checked, the fate of the packet will be determined by the chain’s policy.
There are three independent firewall tables; which tables are in the kernel at a given time depends on the kernel configuration options and the modules that are loaded. The “-t, –table” option says the table on which the iptables command will work.

The three tables are:

FILTER, default table – is responsible for packet filtering.

It has 3 built-in chains in which you can declare firewall policy rules

Forward: Filter packages to firewall-protected servers.
Input: Filter the firewall packages.
Output: Filter the packages sent by the firewall.

NAT – is responsible for network address translation, translation of the network address.

MANGLE – is responsible for modifying the QoS bits in the TCP header.

Has 2 built-in chains:

Pre-routing makes NAT when the destination address of the package needs to be changed.
Post-routing does NAT when the source address of the package needs to be changed.

How does IPTABLES work?

For each firewall rule you create, you must specify the table and the chain to which it belongs.
There is one exception to this rule: Most rules are related to filtering, so iptables assumes that any defined chain without an associated table will be part of the filter table. The filter table is, therefore, the default.
Each firewall rule inspects IP packets and then tries to identify them as targets for a particular operation.

The most commonly used targets are:
1. ACCEPT – Iptables stops further processing; The package is sent to the application or operating system for processing.
2. DROP – Iptables stops further processing; The package is blocked.
3. LOG – Information is sent to the logon syslog daemon; Iptables continues processing the package.
4. REJECT – Works DROP, but will send an error message to the host who sent the packet as the package was blocked.
5. DNAT – Rewriting the destination IP address of the package.
6. SNAT – Rewriting the source IP address of the packet.
7. MASQUERADE – Used for SNAT; By default, the IP address is the same as the one used by the firewall interface.

Parameters for IPTABLES:

-t <-table->: If you do not specify a table, the filter table is assumed. As discussed before, the possible tables can be filter, NAT, Mangle.

-j <target>: Go to the target chain specified at the time of the packet matches the current rule.

-A or -append: Add a rule at the end of the chain

-F: Flush. Removes all rules in the selected table.

-p <protocol-type>: Matching with the ICMP, TCP, UDP or other protocols

-s <ip-address>: Match the source IP address

-d <ip-address>: Match the destination IP address

-i <interface-name>: Matching with the network interface through which the package enters

-o <interface-name>: Match with the network interface through which the package comes out

-m state <state>: ESTABLISHED, NEW, RELATED, INVALID

About the author

Ilias spiros
By Ilias spiros

Recent Posts

Archives

Categories