Basics of IPTables - PowerPoint PPT Presentation

Slides: 16
Provided by: sriramsr

1
Basics of IPTables
  • Sriram Srinivasan

2
What is IPTables?
  • IPTables are building blocks of a framework
    within the Linux 2.4.x and 2.6.x kernels.
  • It is the successor of IPChains (2.2.x) and
    ipfwadm (2.0.x)
  • This framework enables packet filtering, network
    address and port translation (NAPT).
  • Also allows packet mangling.

3
Contd.
  • It works by creating a generic table structure of
    rulesets.
  • As in IPChains, each rule in an IPTable consists
    of a set of classifiers (IPTable matches) and a
    corresponding action (IPTable target).
  • IPTables, along with NetFilter, Connection
    Tracking, and the NAT Subsystem make up the
    entire framework.

4
Salient Features
  • Stateless Packet Filtering (IPv4 and IPv6)
  • Stateful Packet Filtering (IPv4)
  • All types of network address and port translation
    (NAT/NAPT)
  • Multiple layers of APIs for 3rd-party extensions
  • Large number of plugins and modules kept in a
    repository.

5
What can be done with IPTables?
  • Build internet firewalls based on packet
    filtering, with or without specifying states.
  • Use NAT and masquerading for sharing internet
    access if you don't have enough public IP
    addresses.
  • Do further packet manipulation (mangling), such
    as altering the TOS (Type of Service) bits of the
    IP header

6
Kernel Setup
  • Kernel configuration options required to begin use
  • CONFIG_PACKET - This option allows applications
    and utilities to access network devices directly.
    Examples of such utilities are tcpdump and snort.
  • CONFIG_NETFILTER - This option is required if
    you're going to use your computer as a firewall
    or gateway to the Internet. In our case, this is
    a necessity.
  • Note: To use this functionality, the proper
    interface drivers must also be added. Simply
    adding the framework is of no use.
  • CONFIG_IP_NF_IPTABLES - This option is required
    to do any kind of filtering, masquerading or NAT.
    It adds the whole IPTables identification
    framework to the kernel. Without this you won't
    be able to do anything at all with iptables.

7
Contd.
  • Other options include:
  • CONFIG_IP_NF_FTP - In conjunction with connection
    tracking, this allows tracking of FTP
    connections.
  • CONFIG_IP_NF_MATCH_MARK - This match is used with
    the MARK target. Depending on whether or not a
    packet carries a mark set in a previous table, we
    may determine if it matches a specified rule.
  • CONFIG_IP_NF_MATCH_TOS - With this match we can
    match packets based on their TOS field.
  • CONFIG_IP_NF_MATCH_STATE - Using this, packets
    may be matched based on a state assigned to them.
    For example, if traffic has been seen in both
    directions of a TCP connection, the packet
    will be assigned the state ESTABLISHED.

8
Installation
  • The first step is to disable IPChains.
  • chkconfig --level 0123456 ipchains off
  • service ipchains stop
  • The first command removes the run-level links to
    the IPChains init script. The second actually
    stops the running service.
  • Once IPChains has been stopped, we may begin
    initializing IPTables.
  • chkconfig --level 235 iptables on
  • service iptables start
  • The first command enables IPTables in the
    run-levels the user wants (in this case 2, 3 and
    5). The second actually starts the service.

9
Table Chain Relationships
  • When a packet enters the firewall, it goes
    through a series of steps before being routed to
    the appropriate application (locally), or being
    forwarded to another host.
  • Assuming the local host is the intended target:
  • Both the MANGLE and NAT tables link to the
    PREROUTING chain before the packet is delivered
    to its destination application on the local host.
  • Once the destination application is determined,
    the MANGLE and NAT tables both link to the INPUT
    chain before the packet is relayed there.

10
Contd.
  • If the source is the local host, then the
    MANGLE and NAT tables both link to the
    OUTPUT and POSTROUTING chains before the
    packet is sent out. There is also the additional
    step of using the FILTER table, which filters
    packets leaving the local host.
  • If a packet is intended to be forwarded to
    another host, a similar process is followed in
    which the tables access the FORWARD chain
    before the POSTROUTING step.

11
Traversal through IPTables

12
The Mangle Table
  • This is used to Edit/Manipulate (mangle)
    packets that pass through it.
  • Targets for this table are limited to TOS (Type
    of Service), TTL (Time To Live), and MARK (set a
    mark on a packet which passes through it).
  • No type of NAT or Masquerading will work on this
    table.

13
The NAT Table
  • This table can only be used to translate a
    packet's source or destination fields.
  • Valid targets include:
  • DNAT - mainly used in cases where you have a
    public IP and want to redirect accesses to the
    firewall to some other host (on a DMZ, for
    example). In other words, we change the
    destination address of the packet and reroute it
    to that host.

14
Contd.
  • SNAT - mainly used for changing the source address
    of packets. A very good example is a firewall
    whose outside IP address we know, where we need
    to substitute our local network's IP numbers with
    that of the firewall. With this target the
    firewall will automatically SNAT and De-SNAT the
    packets, hence making it possible to make
    connections from the LAN to the Internet.

15
The Filter Table
  • We can match packets and filter them in whatever
    way we want. This is the place where we actually
    take action against packets: we look at what they
    contain and DROP or ACCEPT them, depending on
    their content. Of course we may also filter
    earlier in the traversal; however, this particular
    table is the place for which filtering was
    designed. Almost all targets are usable in this
    table.
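As an added example (not part of the slides), the following POSIX shell script builds a rule set for the scenario the NAT slides describe: a firewall with one known outside address, a DMZ web host reached through DNAT in nat/PREROUTING, a LAN reaching the Internet through SNAT in nat/POSTROUTING, a TOS rewrite in the mangle table, and stateful DROP/ACCEPT decisions in the filter table. Interface names and addresses are constructed; with IPT left at its default the script only prints the iptables commands instead of applying them.

```sh
#!/bin/sh
# Constructed example ruleset for the scenario on the slides: a firewall
# with one public address, a DMZ web host reached via DNAT, and a LAN that
# reaches the Internet via SNAT. Interface names and addresses are made up.
# IPT defaults to "echo iptables" so the script only prints the rules;
# run as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
WAN_IF=eth0                 # interface holding the public address
LAN_IF=eth1                 # interface facing the internal network
WAN_IP=203.0.113.10         # the firewall's known outside address
LAN_NET=192.168.1.0/24      # internal network to be hidden behind WAN_IP
DMZ_WEB=10.0.0.5            # DMZ host that should receive web traffic

gen_rules() {
    # filter table: deny by default, then open only what is listed below.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # nat/PREROUTING runs before the routing decision, so rewriting the
    # destination here is what steers the packet to the DMZ host (DNAT slide).
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$DMZ_WEB"

    # nat/POSTROUTING runs after routing: replace LAN sources with the
    # firewall's outside address; replies are de-SNATed automatically (SNAT slide).
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"

    # mangle table: the TOS target from the mangle slide, here for interactive SSH.
    $IPT -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay

    # filter/INPUT and filter/FORWARD: the state match from the kernel-setup
    # slide lets replies through while only the listed NEW connections are accepted.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The forwarded web request is matched by its post-DNAT destination.
    $IPT -A FORWARD -i "$WAN_IF" -d "$DMZ_WEB" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -m state --state NEW -j ACCEPT
}

# Number of commands emitted, for checking the generated set.
rule_count() { gen_rules | wc -l | tr -d ' '; }

gen_rules
```

Note that the FORWARD rule admits the web traffic by its rewritten destination 10.0.0.5: because nat/PREROUTING runs before routing, the filter table sees the post-DNAT address, not the firewall's public one.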