Module 0208: IPTABLES, the basics

Tak Auyeung, Ph.D.

1 About this module

Prerequisites:
Objectives: This module introduces the reader to the basics of IPTABLS, a versatile mechanism to control network filtering.

2 What is iptables

Iptables is a component of the Linux kernel (when it is compiled in, as in most distributions) that controls the flow of network packets.

3 What do you do with iptables?

``iptables'' is a versatile mechanism that is suitable for many purposes. For example, it can be used as a software ``firewall'' to stop unwanted traffic from reaching applications. However, it can also be used to implement network address transition (NAT) and other useful networking mechanism.

4 Iptable rules

We'll start with a construct that is neither at the top level nor the bottom level. A ``rule'' is essentially a conditional action. This means that a rule specifies a condition. If the condition is met, then the action takes place.

In the context of ``iptables'', a rule may specify something like ``if a connection is attempted from 10.0.2.200 to port 80 of 192.168.3.13, drop it''.

5 Iptable matches

A ``match'' is essentiall the condition of a rule. Iptables supports a variety of matches. Here is an example:

-p: this matches a particular protocol. Note that iptables does not only apply to TCP. Iptables also supports the filtering of IP and ICMP.
-s: this matches a source IP address (such as 10.0.2.105), or use the netmask notation to specify a range of IP addresses (such as 10.0.2.0/24).
-d: this matches a destination IP address. Same notation as -s.
-i: input interface, this specifies the symbolic name of the interface (such as eth0) that receives a packet.
-o: output interface, this specifies the symbolic name of the interface that sends a packet.
-sport: the source port of a TCP or UDP packet.
-dport: the destination port of a TCP of UDP packet.
--tcp-flags: this is a bit more advanced, it matches one of three flags of a TCP packet: SYN, FIN, ACK SYN.
--tcp-option: this is used to specify the TCP option of a TCP packet.
--icmp-type: this is used to specify the type of an ICMP packet.
--chunk-types: this is used to specify the chunk type of a SCTP packet.
--length: this matches the length of a packet. You can specify a range, such as 1000:2000 means from 1000 to 2000 bytes.
-limit: this is a rather interesting one. It can be used to specify a match rate. It is useful to specify rules that depend on the rate. For example, ``drop SMTP connections from a host if it occurs more frequently than 60 per hour''.
--limit-burst: this is even more interesting. It specifies a count-down value that is refilled every second. The value is decremented every time the associated condition matches. However, the ``target'' of the rule does not fire until the counter reaches zero.
--mac-source: this matches the MAC ID of the source of a packet.
--cmd-owner: this matches the name of the process sending a packet.
--uid-owner: this matches the user ID of the owner who runs the process that creates a packet.
--gid-owner: this matches the group ID of the owner who runs the process that creates a packet.
--pid-owner: this matches the process ID of the process that create a packet.

This is merely a small sample of all the possible matches of iptables.

6 Iptables targets

A target of a rule is the ``action'' of the rule, it specifies what to do when the condition (match) of a rule is met.

The following is a list of common targets:

ACCEPT: this means look no further, the firing of a rule with this target lets the packet through.
LOG: this means create a log entry, and continue to evaluate rules that follow.
REDIRECT: this means look no further, change the destination to the machine running iptables.
REJECT: this means look no further, the packet is not allowed to go through, but send a message back to the origin indicating so.
DROP: this means look no further, the packet is not allowed to go through, but do not send a message back to the origin (silent).
RETURN: this means look no further, but do not make any conclusion, defer the decision to ``something else''. We'll explain this one when we discuss chains.

7 Iptable chains

A chain consists one or more rules. Rules of chain are evaluated sequentially until one matches (the condition is met), then the associated target executes.

An exception is when a rule specifies no target, but rather a --jump action. This causes the the rule to jump to another chain (usually user defined) and start evaluating rules in that chain. Rules in the chain that is --jumped into can specify a RETURN target to continue evaluation in the original chain.

8 Iptables table

Each table is a container of chains. There are four tables: filter, nat, raw and mangle. Of these, the filter table is the easiest to understand. The filter table chains chains of rules that specifies what goes through and what gets blocked, mostly using ACCEPT and REJECT targets.

The filter table has two important chains. The INPUT chain is responsible to control the filtering of incoming packets, whereas the OUTPUT chain is responsible to control the filtering of outgoing packets.

The other three tables are a little more complicated, and they are out of the scope of this module.

9 More advanced iptables

As mentioned earlier, iptables is capable of specifying complex network ``tricks''. For instance, iptables can be used to implement network address translation. However, it can also be used to perform surgical operations, like altering the TTL (time-to-live) field of packets. It can also set the TOS (type-of-service) field of an IP packet header.

About this document ...

Module 0208: IPTABLES, the basics

This document was generated using the LaTeX2HTML translator Version 2008 (1.71)

The command line arguments were:
latex2html -split 0 -no_navigation module.latex

The translation was initiated by Tak Auyeung on 2010-01-07