Hello readers, this blog will teach you about iptables and its use with some basic use cases.
What is iptables?
iptables is the built-in Linux firewall (the user-space tool for the kernel's netfilter framework). It holds conditions, known as rules, that decide which traffic is allowed on the machine: it monitors incoming and outgoing traffic and filters it according to the specified rules.
Incoming and outgoing data is transferred in the form of packets, and Linux provides an interface to filter those packets. This is where iptables comes into the picture: it is a command-line tool to set up and configure the firewall. iptables organises filtering into tables, each table contains several chains, and a chain is nothing but an ordered list of rules.
Rules and targets in iptables
A rule defines what to do with a packet that matches it. When a rule matches, its target is applied; the target can be another chain or one of the special values below:
- ACCEPT: It means that the packet is allowed to pass through the firewall.
- DROP: It means that the packet is not allowed to pass through the firewall.
- RETURN: It means to stop traversing the current chain and resume at the next rule in the chain from which it was called (in a built-in chain, the chain's default policy applies instead).
There are five built-in tables in iptables: filter, nat, mangle, raw and security. This tutorial works only with the default table of iptables, which is filter.
The filter table
The filter table is used for ordinary filtering of traffic based on the rules defined by the user, which covers the normal day-to-day blocking and filtering of packets. The filter table has three chains:
- INPUT: This chain is used to control the incoming traffic/packets destined for the server itself.
- FORWARD: This chain is used to filter packets that arrive at the server but are to be routed on to somewhere else.
- OUTPUT: This chain is used to filter packets that are going out from the server.
The following diagram shows the chains of the filter table.
Going through the iptables commands
Starting from scratch, I'll be covering almost every command you need, each with a basic use case.
First check whether iptables is installed by asking for its version:
iptables --version
If iptables is not installed, follow these steps:
sudo apt-get update
sudo apt-get install iptables
To view the filter table, which is the default table of iptables:
sudo iptables -L
This prints the following output, which is an empty filter table:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Here INPUT, OUTPUT and FORWARD are the chains that hold the rules configuring the firewall. Every chain has a default policy, shown as (policy ACCEPT). The default policy of a chain is the target applied to packets that match none of that chain's rules. For example, the default policy of the INPUT chain is ACCEPT, which means every incoming packet that matches no rule is accepted by the firewall.
If you want the policies and rules in command form (the same format iptables-save uses), use the following command; its output starts with one -P line per chain giving that chain's default policy, followed by the rules:
sudo iptables -S
To change the default policy of a chain, the command is as follows:
sudo iptables -P <chain> <target>
For example, if we change the default policy of the INPUT chain to DROP using the command
sudo iptables -P INPUT DROP
then no one will be able to communicate with us, because every incoming packet that matches no ACCEPT rule is dropped by the firewall. In practice, add the ACCEPT rules you need (at least for your own ssh session) before switching the policy, or you will lock yourself out.
Modifying rules in iptables
To add a rule to a chain, we'll cover the command first and then some use cases for it.
sudo iptables [ -A | -I ] <chain> -t <table> -p <protocol> -s <source-ip> -d <destination-ip> --sport <source-port> --dport <destination-port> -j <target> -i <input-interface> -o <output-interface>
In the above command I've used multiple flags. I'll explain each of them and when they are required.
-A: This flag appends a rule at the end of the chain.
-I: This flag inserts a rule at the specified position in the chain. If no position is specified, the rule is inserted at the top (position 1), so it is evaluated before the existing rules.
-t: This flag gives the table name. By default it is the filter table.
-p: This flag specifies the protocol. It can be tcp, udp, icmp or all.
-s: This flag specifies the source address the packets are coming from. Mainly used to apply a rule in the INPUT chain to a specific source IP address.
-d: This flag specifies the destination address the packets are to be delivered to. Mainly used to apply a rule in the OUTPUT chain to a specific destination IP address.
--sport and --dport: These flags specify the source and destination port respectively; they apply only to protocols that have ports (tcp or udp).
-j: This flag specifies the target to be applied when the rule matches. It can be ACCEPT, REJECT, DROP etc.
-i: Input interface. This flag specifies the name of the interface on which a packet is received.
-o: Output interface. This flag specifies the name of the interface through which a packet will be sent.
Adding rules to iptables
1. To block a particular website, let's say facebook, so that it can't be accessed from your server. iptables resolves the hostname when the rule is added and creates one rule per address it resolves to at that moment, so the rule covers only those addresses:
sudo iptables -I INPUT -t filter -s www.facebook.com -j DROP
2. To block all packets from a particular IP address, suppose 192.168.0.107:
sudo iptables -I INPUT -t filter -s 192.168.0.107 -j DROP
3. To block the loopback interface (lo), i.e. traffic to your localhost:
sudo iptables -A INPUT -i lo -j DROP
4. To block a port on your system. Let's suppose you don't want to allow anyone to ssh to your system; then you need to block port 22, which can be done as follows:
sudo iptables -A INPUT -t filter -p tcp --dport 22 -j DROP
5. We can also set the target to ACCEPT or DROP packets from other ports. For example, for blocking http and https we block source ports 80 and 443:
sudo iptables -A INPUT -t filter -p tcp --sport 80 -j DROP
sudo iptables -A INPUT -t filter -p tcp --sport 443 -j DROP
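The default-policy section above warns that switching INPUT to DROP on its own cuts off all traffic, and the rules above are each added one at a time. The script below is an added example, not code from the original post: it builds the whole filter table as one iptables-restore file (so the allows and the DROP policy are applied together, atomically) and checks the rule order before the file is loaded. The ssh port and the admin address 192.168.0.10 are constructed placeholder values.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a filter-table
# ruleset in iptables-restore format so the whole set is applied in one
# step instead of rule by rule. Assumed (constructed) values: ssh on
# tcp/22 and an admin host at 192.168.0.10.

ADMIN_HOST="${ADMIN_HOST:-192.168.0.10}"   # constructed example address
SSH_PORT="${SSH_PORT:-22}"

# Print the ruleset. Order matters: iptables evaluates a chain top to
# bottom and the first matching rule decides, so the allows must come
# before the DROP policy catches everything else.
build_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -s ${ADMIN_HOST} -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Sanity check on the text before it goes anywhere near the kernel:
# the INPUT policy must be DROP, and the loopback and ESTABLISHED allows
# must be the first two INPUT rules; otherwise replies to the admin's
# own ssh session could be dropped. Returns 0 when the set looks safe.
check_filter_rules() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    first=$(printf '%s\n' "$rules" | grep '^-A INPUT' | head -n 1)
    second=$(printf '%s\n' "$rules" | grep '^-A INPUT' | sed -n '2p')
    [ "$first" = "-A INPUT -i lo -j ACCEPT" ] || return 1
    case "$second" in
        *ESTABLISHED*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Write the ruleset to a file that can be handed to iptables-restore.
write_filter_rules() {
    build_filter_rules > "$1"
}

# Usage (needs root). iptables-restore --test parses the file and exits
# non-zero on a syntax error without touching the live tables:
#   write_filter_rules /tmp/filter.rules
#   sudo iptables-restore --test /tmp/filter.rules && sudo iptables-restore /tmp/filter.rules
```

Loading the file replaces the filter table in one step, so there is never a moment where the policy is DROP but the ACCEPT rules are not yet in place. Keep the check function in front of any deployment script: it catches the most common lock-out mistake (an allow inserted below the established-connection rule) before the rules are applied.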
Removing rules from iptables
1. To remove a particular rule by its line number (the numbers are shown by sudo iptables -L --line-numbers):
sudo iptables -D <chain> <line-number>
2. To remove all the rules of a particular chain:
sudo iptables -F <chain>
3. To remove all the rules from all chains of the table:
sudo iptables -F (the long form is --flush)
Now, to get more information from any listing command, you can run it in verbose mode:
sudo iptables -L -v
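Deleting by line number has a catch: the remaining rules are renumbered after every deletion, so running "-D INPUT 2" three times removes three different rules. The script below is an added example, not code from the original post: it turns the rule listing printed by iptables -S into the matching iptables -D commands, so a rule is removed by its exact specification instead. The listing it works on is a constructed sample of what a host with this post's rules would print.

```shell
#!/bin/sh
# Added example (not part of the original post). Converts the output of
# "iptables -S <chain>" into "iptables -D" commands so rules are removed
# by specification rather than by a line number that shifts after each
# deletion.

# Constructed sample of what "sudo iptables -S INPUT" prints on a host
# that has the post's rules loaded (iptables normalises the rules, e.g.
# it adds /32 and "-m tcp" itself).
SAMPLE_INPUT_RULES='-P INPUT ACCEPT
-A INPUT -s 192.168.0.107/32 -j DROP
-A INPUT -i lo -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --sport 80 -j DROP'

# Print one "iptables -D ..." command per rule. The -P (policy) line is
# skipped: a policy is not a rule and cannot be deleted, only changed.
delete_commands() {
    printf '%s\n' "$1" | sed -n 's/^-A /iptables -D /p'
}

# Print only the delete commands whose rule text contains the given
# fixed string, e.g. "--dport 22" to find the rule that blocks ssh.
delete_commands_matching() {
    delete_commands "$1" | grep -F -- "$2"
}

# Count the rules (not policies) in a chain listing.
rule_count() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# Usage on a live system (needs root): feed the real listing in and run
# the selected delete commands. "iptables -C <chain> <spec>" returns 0
# when such a rule exists, which is a cheap check before deleting.
#   delete_commands_matching "$(sudo iptables -S INPUT)" "--dport 22" | sed 's/^/sudo /' | sh
```

Because the generated command repeats the rule exactly as the kernel holds it, -D removes that rule and nothing else, however many rules were added or removed in the meantime.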
After going through this, you'll be familiar with iptables and how to add rules to the filter table. Still, if you have any queries, feel free to contact me at firstname.lastname@example.org.
Thank you for sticking to the end. If you like this blog, please show your appreciation by giving it a thumbs up, share it, and give me suggestions on how I can improve my future posts to suit your needs. Follow me to get updates on different technologies.