network iptables - ghdrako/doc_snipets GitHub Wiki

iptables is a powerful firewall utility in Linux that allows administrators to define rules for incoming and outgoing network packets, granting or denying access based on specified criteria.

The -j ACCEPT part of a rule (-j, jump) specifies the target of the rule, which in this case is to accept the packet. Do not confuse it with -t, which selects the table the rule belongs to (filter when omitted), not the target.

Check the current iptables rules to understand the existing configuration

sudo iptables -L

To list all IPv4/IPv6 rules:

sudo iptables -S
sudo ip6tables -S

To list the rules of the filter table (the default) with packet/byte counters (-v) and numeric addresses and ports (-n, no reverse DNS lookups, which can make the listing hang):

sudo iptables -L -v -n | more

Other tables are not shown unless selected with -t (for example -t nat).

List all rules of the INPUT chain (INPUT is a chain of the filter table, not a table):

sudo iptables -L INPUT -v -n
sudo iptables -S INPUT

Viewing all iptables rules in Linux

iptables -S
iptables --list
iptables -L
iptables -S CHAIN_NAME
iptables --table NameHere --list
iptables -t NameHere -L -n -v --line-numbers

-S prints the rules in the same syntax used to add them (handy for copying into scripts), -L prints them as a table; both take an optional chain name, not a table name. The positions printed by --line-numbers are the ones -I and -D accept.

Print all rules in the selected chain

sudo iptables -S
sudo iptables -S INPUT
iptables -S OUTPUT

sudo ip6tables -S
sudo ip6tables -S INPUT
ip6tables -S OUTPUT

List rules for the given chains

iptables -L INPUT
iptables -L FORWARD
iptables -L OUTPUT
iptables -L
# Listing IPv6 rules #
ip6tables -L INPUT
ip6tables -L FORWARD
ip6tables -L OUTPUT
ip6tables -L

Add rule

iptables -A INPUT -s 192 -p tcp --dport 22 -j ACCEPT

This appends a rule to the INPUT chain that accepts incoming TCP traffic from the source address 192.168.x.xxx to destination port 22 (the default SSH port). Because -A appends at the end of the chain, the rule only matters for packets that no earlier rule has already accepted, dropped or rejected; to place it ahead of the existing rules use -I instead.

iptables is a user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall, implemented as different Netfilter modules. The filters are organized in different tables, which contain chains of rules for how to treat network traffic packets.

Each table processes packets of a different kind and contains several chains (https://pl.wikipedia.org/wiki/Iptables#cite_note-1):

filter – the default table
    INPUT – packets destined for the local host
    FORWARD – packets routed through the local host
    OUTPUT – packets generated by the local host
nat – consulted only for the first packet of a new connection; the decision is then applied to the rest of the connection (since kernel 2.6.36 this table also has an INPUT chain)
    PREROUTING – for altering packets before they are routed (DNAT)
    OUTPUT – for altering locally generated packets before they are routed
    POSTROUTING – for altering packets just before they are sent out (SNAT, MASQUERADE)
mangle – for specialised packet alteration (marks, TTL, TOS)
    PREROUTING – for altering incoming packets before they are routed
    OUTPUT – for altering locally generated packets before they are routed
    INPUT – for altering packets destined for the local host
    FORWARD – for altering packets routed through the local host
    POSTROUTING – for altering packets after routing, just before they are sent out
raw – packets reach this table first, it has the highest priority; it is mostly used to exempt traffic from connection tracking
    PREROUTING – packets arriving on any network interface
    OUTPUT – packets generated by local processes

Each of these built-in chains has a default policy that is applied to packets that reach the end of the chain without matching any rule, e.g. DROP (discard the packet). The administrator can create additional chains as needed. Rules allow specific actions to be taken based on the kind and purpose of the packet, e.g. port, host, protocol used, time to live (TTL) and so on.

When a packet enters a chain, it traverses the rules in order until it hits one that sends it to a terminating target. Some of these targets are ACCEPT (accept the packet), DROP (discard it silently) and REJECT (discard it and notify the sender). Non-terminating targets such as LOG record the packet and let traversal continue with the next rule, and a jump to a user-defined chain returns to the calling chain when nothing in it matched.

A minimal default-deny setup: drop by policy, then allow only SSH and HTTP:

 # iptables -P FORWARD DROP
 # iptables -P INPUT DROP
 # iptables -A INPUT --protocol tcp --destination-port 22 -j ACCEPT
 # iptables -A INPUT --protocol tcp --destination-port 80 -j ACCEPT

Fragment, in iptables-save syntax, of a user-defined chain FILTERS: packets in the INVALID connection-tracking state are logged (rate limited to one line per second so an attacker cannot flood the log) and dropped before any host-based allow, and whatever is still unmatched at the end of the chain is rejected:

-A FILTERS -i eth0 -m state --state INVALID -m limit --limit 1/sec       -j LOG --log-prefix "invalid: " --log-level 7
-A FILTERS -i eth0 -m state --state INVALID -j DROP
...
...
# Allow artifactory
-A FILTERS -s 192.168.artifactory/32 -j ACCEPT
...
-A FILTERS -j REJECT

It is important to keep -A FILTERS -i eth0 -m state --state INVALID -j DROP before -A FILTERS -s 192.168.artifactory/32 -j ACCEPT: the -s rule matches on the source address only and does not check connection state, so if it came first, INVALID packets carrying that source address (spoofed or out-of-window segments) would be accepted and never reach the DROP. -m state is the older spelling of -m conntrack --ctstate; both behave the same way.

There are three tables used most of the time: filter, nat, and mangle (raw, listed above, and security also exist).

The filter table is used to filter incoming and outgoing packets, the nat table is used for Network Address Translation (NAT), and the mangle table is used for advanced packet alteration. Each table contains a set of chains, which are used to organize the rules. The filter table, for example, contains three predefined chains: INPUT, OUTPUT, and FORWARD. The INPUT chain is used for packets addressed to this host, the OUTPUT chain for packets this host sends, and the FORWARD chain for packets routed through this host that neither originate from nor are destined to it. Each chain contains a set of rules, which are used to match packets and decide what to do with them. Each rule has a match condition and an action. For example, a rule might match packets coming from a specific IP address and drop them, or it might match packets going to a specific port and accept them.

Each rule has a target, which is the action that should be taken when the rule's match condition is met. The most common targets are ACCEPT, DROP, and REJECT. ACCEPT means to allow the packet through the firewall, DROP means to discard the packet without any feedback to the other end, and REJECT means to refuse the packet actively so that the remote end knows that access to the port was rejected. When no table is given with -t, iptables operates on the filter table, and by default each of its chains (INPUT, OUTPUT, and FORWARD) has a policy of ACCEPT. You can also create additional chains (-N) and jump to them from the built-in ones, as the FILTERS chain above does. It's good practice to set at least the FORWARD and INPUT policies to DROP. If you are working over SSH, set the policies only after the accept rules that follow (loopback, ESTABLISHED,RELATED and SSH) are in place, or do it from a console: with an otherwise empty INPUT chain, -P INPUT DROP immediately drops the packets of the SSH session you are typing in.

admin@myhome:~$ sudo iptables -P INPUT DROP
admin@myhome:~$ sudo iptables -P FORWARD DROP

At the same time, accept all traffic on the loopback interface, which local services depend on:

admin@myhome:~$ sudo iptables -A INPUT -i lo -j ACCEPT

Additionally, all packets whose connection is in the ESTABLISHED or RELATED connection-tracking state should be accepted; otherwise every established connection, and the replies to connections this host opens itself, would be dropped by the INPUT policy:

admin@myhome:~$ sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

To allow HTTP and HTTPS traffic, we can do the following:

admin@myhome:~$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
admin@myhome:~$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

It's a good idea to allow SSH traffic so that we can log into this machine remotely; where possible, restrict it with -s to a management network rather than opening port 22 to the whole Internet:

admin@myhome:~$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
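The steps above, together with the FILTERS chain ordering discussed earlier, assembled as one ruleset. This is an added example, not code from this wiki or from the book the steps are taken from: instead of issuing the rules one by one, it emits the whole filter table in iptables-restore syntax, so the kernel switches to the new policy atomically and the lockout window between -P INPUT DROP and the ESTABLISHED rule does not exist. MGMT_NET (the network allowed to open SSH), WAN_IF (the external interface), the file name /tmp/rules.v4 and the chain name FILTERS are assumptions; the conntrack and limit match modules are assumed to be available, and the apply step needs root.

```shell
#!/bin/sh
# Added example (not from the ghdrako/doc_snipets wiki): the policy built step by
# step above, emitted as ONE iptables-restore file so the kernel switches to it
# atomically. Applied rule by rule over SSH, `-P INPUT DROP` before the
# ESTABLISHED,RELATED rule drops the packets of the session you are typing in.
# MGMT_NET and WAN_IF are assumptions; adjust them to your network.
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"   # assumed network allowed to open SSH
WAN_IF="${WAN_IF:-eth0}"              # assumed external interface

# Print the complete filter table in iptables-restore syntax.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
# loopback and reply traffic first, so nothing below can interfere with them
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# state sanity before any host/port allow: an -s match alone does not check state
-A INPUT -i $WAN_IF -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "invalid: " --log-level 7
-A INPUT -i $WAN_IF -m conntrack --ctstate INVALID -j DROP
-A INPUT -j FILTERS
# services: SSH only from the management network, web from anywhere
-A FILTERS -s $MGMT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FILTERS -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FILTERS -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# explicit tail instead of falling through to the policy: tell the sender
-A FILTERS -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Checks on the generated text, run before anything touches the kernel.
policy_of() {           # policy_of CHAIN -> DROP / ACCEPT, or "-" for user chains
    build_ruleset | awk -v c=":$1" '$1 == c { print $2 }'
}
rule_count() {          # number of -A lines in the generated table
    build_ruleset | grep -c '^-A'
}
ssh_is_restricted() {   # the port-22 accept carries the -s MGMT_NET match
    build_ruleset | grep -- '--dport 22 ' | grep -q -- "-s $MGMT_NET"
}

# Apply atomically (needs root). --test parses the file without committing it,
# so a syntax error is caught before the running ruleset is replaced.
apply_ruleset() {
    build_ruleset > /tmp/rules.v4 &&
        iptables-restore --test /tmp/rules.v4 &&
        iptables-restore /tmp/rules.v4
}

build_ruleset
```

Run as-is the script only prints the ruleset; call apply_ruleset as root to load it. iptables-restore replaces the whole table it is given, so the file is the single source of truth and can be kept in version control; IPv6 needs its own file loaded with ip6tables-restore. The LOG rule keeps the rate limit from the FILTERS fragment above so that a flood of invalid packets cannot fill the log.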

Here are some other commonly used iptables options:

  • -A or --append: Appends a rule to the end of a chain
  • -I or --insert: Inserts a rule at a given position in a chain (at the top when no position is given)
  • -D or --delete: Deletes a rule from a chain, either by repeating its specification or by the line number shown by --line-numbers
  • -P or --policy: Sets the default policy for a built-in chain
  • -N or --new-chain: Creates a user-defined chain, which rules then reach with -j CHAIN
  • -t or --table: Selects the table to operate on (filter when omitted)
  • -j or --jump: Specifies the target for a rule
  • -s or --source: Matches packets based on the source IP address or network
  • -d or --destination: Matches packets based on the destination IP address or network
  • -p or --protocol: Matches packets based on the protocol (for example, TCP, UDP, or ICMP)
  • -i or --in-interface: Matches packets based on the incoming interface
  • -o or --out-interface: Matches packets based on the outgoing interface
  • --sport or --source-port: Matches packets based on the source port (requires -p tcp or -p udp)
  • --dport or --destination-port: Matches packets based on the destination port (requires -p tcp or -p udp)
  • -m or --match: Adds a match extension, which allows you to match packets based on additional criteria such as connection state (-m conntrack --ctstate), packet length, rate limits (-m limit), and more