iptables

Concept of iptables

It is essentially a table of rules that govern IP communication. These rules are grouped, and each group is called a "chain".

iptables configuration

Configuration file

You can see the configuration in the file /etc/iptables/rules.v4. Here is a sample line from the file.

-A chain-outgoing-services -s 192.168.100.50/32 -d 1.2.3.4/32 -p tcp -m tcp --dport 22 -m comment --comment "This is a comment." -j ACCEPT

http://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-rg-en-4/s1-iptables-options.html

  • -A chain-outgoing-services: Append the rule to the chain chain-outgoing-services.
  • -s 192.168.100.50/32: The source IP is 192.168.100.50/32.
  • -d 1.2.3.4/32: The destination is 1.2.3.4/32.
  • -p tcp: The protocol is TCP (tcp/udp).
  • -m tcp: Use the extended packet matching module named tcp.
  • --dport 22: Match destination port 22 (only valid when -p tcp is set).
  • -m comment: Use the extended match module named comment.
  • --comment "This is a comment.": Attach a comment to the rule.
  • -j ACCEPT: If a packet matches the conditions, jump to the target, in this case ACCEPT (let the packet through). ACCEPT and DROP are the targets used most frequently.
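As an added example (not part of the original page), here is a small Python parser for the rules.v4 line format explained above. SAMPLE_DUMP is a constructed dump whose chain names and addresses are made up; the parser walks each -A line the way the options are listed above, and permissive_accepts flags ACCEPT rules with no -s restriction, a useful first check when auditing a backup taken with iptables-save.

```python
import shlex
# Constructed sample in iptables-save / rules.v4 format (not a real dump).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:chain-outgoing-services - [0:0]
-A chain-outgoing-services -s 192.168.100.50/32 -d 1.2.3.4/32 -p tcp -m tcp --dport 22 -m comment --comment "This is a comment." -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT ! -s 10.0.0.0/8 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 443 -m comment --comment "https from lan" -j ACCEPT
COMMIT
"""

# Options that take a value; anything else on a rule line is a bare flag.
VALUE_OPTS = {"-A", "-s", "-d", "-p", "-m", "-i", "-o", "-j", "--dport", "--sport", "--comment"}

def parse_rule(line):
    """One '-A ...' line -> dict keyed by option name without dashes.
    shlex.split honours the quoted --comment; -m may repeat, so modules is a
    list; a '!' before an option records that option's key in 'negated'."""
    rule = {"modules": [], "negated": []}
    negate = False
    it = iter(shlex.split(line))
    for tok in it:
        if tok == "!":
            negate = True
            continue
        if tok in VALUE_OPTS:
            key, val = tok.lstrip("-"), next(it)
            if tok == "-m":
                rule["modules"].append(val)
            elif tok == "-A":
                rule["chain"] = val
            else:
                rule[key] = val
            if negate:
                rule["negated"].append(key)
        else:  # bare flags such as --syn
            rule.setdefault("flags", []).append(tok)
        negate = False
    return rule

def parse_dump(text):
    """Parse every -A line of a dump; table and chain headers are skipped."""
    return [parse_rule(l) for l in text.splitlines() if l.startswith("-A ")]

def permissive_accepts(rules):
    """ACCEPT rules reachable from any source: no -s, or a negated -s."""
    return [r for r in rules if r.get("j") == "ACCEPT" and ("s" not in r or "s" in r["negated"])]
```

Run it against a real backup with parse_dump(open("iptables.dump").read()) to list the rules that accept traffic from anywhere.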

Show the current iptables rules

iptables -L

Edit iptables rule

We don't need to edit the rules.v4 file manually. Instead, we use the iptables command. The options are the same as in rules.v4.

Add a new rule (sample snippet)

iptables -A in02-accept -s 1.2.3.4/32 -p tcp -m tcp --dport 80 -m comment --comment "http from 1.2.3.4" -j ACCEPT

Practice

https://fedoraproject.org/wiki/How_to_edit_iptables_rules

Backup current policy

Before editing iptables, it is recommended to back up the current configuration. The backup is a plain text file; the following command saves the configuration to the file iptables.dump.

iptables-save > iptables.dump 

Enabling the change

Rules added with the iptables command take effect immediately; there is no separate enable step. Be careful with -F: it flushes a chain, that is, it deletes every rule in it (or in the whole table if no chain is given).

iptables -F in02-accept

This removes all rules from the chain in02-accept, so use it to start a chain from scratch, not to activate new rules. Rebuilding a large rule set afterwards can take a long time.

Revert

iptables-restore < iptables.dump

Other operations

Alternatively, edit /etc/iptables/rules.v4 and reload it:

service iptables-persistent reload   # Ubuntu 14
# or
service netfilter-persistent reload  # Ubuntu 16

Advanced: Type of tables

iptables consists of three main tables.

  • filter: Packet filtering; think of a filtering firewall (the default table).
  • nat: Network address translation.
  • mangle: Lets us modify IP packet headers.

https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture