Playing with iptables in Ubuntu Terminal
I have been trying to work out how to explain iptables in a simple way. I have read many articles about iptables, but none of them walk through entering iptables chain rules directly at the Ubuntu terminal.
I know the reason: rules entered this way are temporary. But that is not helpful for a beginner.
So I will describe it another way.
Hopefully this will make the iptables chain rules easier to understand.
Before iptables, the most popular firewall and NAT (Network Address Translation) tool on Linux was ipchains.
The Netfilter project then created iptables and gave it more features.
Compared to ipchains, iptables offers tighter integration with the Linux kernel, stateful packet inspection, filtering on MAC addresses and on the values of the TCP flags in packets, better network address translation, integration with Squid (transparent proxying), and rate limiting that helps mitigate DoS (Denial of Service) attacks.
I will divide my explanation into 4 parts:
- practice with the command line in the Ubuntu terminal
- sample rules you can use for a router, a web server, a mail server, etc.
- masquerading (many-to-one NAT)
- running iptables automatically (creating a script and putting it in a runlevel)
I have just finished the first part (this post). Hopefully it will make iptables easier to understand.
Determining the status of iptables
You can check your current iptables rules with:
taufanlubis@zyrex:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
taufanlubis@zyrex:~$
option -L:
List all rules in the selected chain. If no chain is selected, all chains are listed. Like every other iptables command, it applies to the specified table (filter is the default), so NAT rules are listed with iptables -t nat -n -L. Two companions are worth remembering: -n skips DNS and service-name lookups (so you see 80 rather than www, and listing does not hang on a host without DNS), and -v shows the interface each rule matches and its packet counters, which -L alone hides.
Packet Processing in iptables
All packets inspected by iptables pass through a set of built-in tables for processing. Each table is dedicated to one kind of packet handling and is made up of chains; a chain is an ordered list of rules checked at one point on the packet's path (arriving, being routed through, or leaving), and the first rule that matches decides what happens to the packet.
The three tables this series uses are:
- filter: responsible for packet filtering.
  - FORWARD chain (filters packets routed through the firewall to other hosts)
  - INPUT chain (filters packets destined for the firewall itself)
  - OUTPUT chain (filters packets originating from the firewall)
- mangle: responsible for altering packet headers, such as the type-of-service (TOS/DSCP) bits in the IP header.
- nat: responsible for NAT (network address translation).
  - PREROUTING chain (rewrites the destination before the routing decision)
  - POSTROUTING chain (rewrites the source after the routing decision; this is where masquerading goes)
The nat table also has an OUTPUT chain for locally generated packets, the mangle table has all five chains, and newer kernels add the raw and security tables, but the filter and nat tables and the chains above are all you need here.
I like iptables because I can make the firewall do exactly what I want: which packets may enter my machine, be forwarded through it, or leave it, and which ports are open or closed. But it took me days to understand how it works.
In this practice we will do the whole setup from the Linux console.
First, open a terminal:
Applications > Accessories > Terminal, or press Alt-F2 and type 'xterm'.
Now let's practise. Check your iptables rules.
taufanlubis@zyrex:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
taufanlubis@zyrex:~$
If you see the output above, there are no rules in your iptables firewall, and since every chain's policy is ACCEPT, all traffic is currently allowed.
Task 1: Accept TCP packets arriving on the first Ethernet interface (eth0) for port 80 (http)
taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 --dport http -j ACCEPT
taufanlubis@zyrex:~$
Check again, our setting.
taufanlubis@zyrex:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:www
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
taufanlubis@zyrex:~$
Well, you have your first rule. It accepts TCP packets arriving on eth0 whose destination port is 80 (shown as www), from any source address to any destination address. Two things to check: -L does not show the interface, so use sudo iptables -L -v -n to confirm the -i eth0 part; and because the INPUT policy is still ACCEPT, all other traffic is still accepted as well, so this rule only has an effect once a DROP rule or a DROP policy follows it.
Task 2: Add the same rule as Task 1 for 'https' (port 443), 'pop3' (port 110) and 'smtp' (port 25)
Type again in your console:
taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 --dport https -j ACCEPT
taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 --dport pop3 -j ACCEPT
taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 --dport smtp -j ACCEPT
Check again the rules.
taufanlubis@zyrex:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
taufanlubis@zyrex:~$
Now you have set up the ACCEPT rules.
Let us continue with Task 3.
Task 3: Drop everything forwarded through or sent out of your machine on eth0, and drop all TCP arriving on eth0 other than the ports we allowed above.
taufanlubis@zyrex:~$ sudo iptables -A FORWARD -o eth0 -j DROP
taufanlubis@zyrex:~$ sudo iptables -A OUTPUT -o eth0 -j DROP
taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 -j DROP
Check again, your iptables rules.
taufanlubis@zyrex:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
DROP tcp -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP 0 -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP 0 -- anywhere anywhere
taufanlubis@zyrex:~$
If you see the same output, you have just created your iptables chain rules. Rules are checked top to bottom and the first match wins, so the INPUT DROP rule must come after the ACCEPT rules, as it does here (-A appends to the end of the chain). Notice also that these rules are stricter than the task describes: the OUTPUT chain has no ACCEPT rule, so the replies your server sends on the accepted HTTP, HTTPS, POP3 and SMTP connections are dropped along with everything else leaving eth0, and the INPUT DROP rule matches only TCP, so UDP and ICMP are still accepted by the chain's policy. The usual fix is a rule ahead of each DROP that accepts packets belonging to already established connections (the state or conntrack match), and a DROP rule without -p tcp. Do not try this over SSH, or you will lock yourself out.
This setup is temporary: the rules live only in the running kernel and are lost when you shut down or reboot, and you can clear them immediately with sudo iptables -F.
That is fine. This is only practice; I just want to show how iptables works.
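As an added example (this is not code from the original post), here are the rules of Tasks 1 to 3 collected into one script in iptables-save format, the form iptables-restore reads, corrected so that replies to the accepted connections are not dropped, with a check for exactly that mistake. The interface eth0 and the port list are assumptions taken from the tasks above and can be overridden in the environment; the conntrack match is used in place of the older state match, and loopback is accepted so local services keep working.

```shell
#!/bin/sh
# Added example, not part of the original post: Tasks 1-3 as one
# iptables-restore ruleset with stateful ACCEPTs ahead of the DROPs.
# IFACE and ALLOWED_TCP_PORTS are assumptions; override them in the
# environment, e.g.  IFACE=eth1 ALLOWED_TCP_PORTS="22 80" sh firewall.sh
IFACE="${IFACE:-eth0}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-80 443 110 25}"

# Print the filter table in iptables-save format. Rules are matched top to
# bottom and the first match wins, so every ACCEPT precedes the chain's DROP.
build_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        "-A INPUT -i $IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -i $IFACE -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' \
        "-A INPUT -i $IFACE -j DROP" \
        "-A FORWARD -o $IFACE -j DROP" \
        "-A OUTPUT -o $IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "-A OUTPUT -o $IFACE -j DROP" \
        'COMMIT'
}

# Number of -A rules in the generated ruleset (10 with the default port list).
rule_count() {
    build_ruleset | grep -c '^-A '
}

# Exit 0 when CHAIN accepts ESTABLISHED traffic *before* its catch-all DROP.
# The original Task 3 rules fail this for OUTPUT: every reply would be dropped.
chain_is_stateful() {
    build_ruleset | awk -v chain="$1" '
        $1 == "-A" && $2 == chain && /ESTABLISHED/ && /-j ACCEPT/ { acc = NR }
        $1 == "-A" && $2 == chain && /-j DROP/ && !/--dport/     { drop = NR }
        END { exit !(acc && drop && acc < drop) }'
}

# Load the ruleset atomically. "iptables-restore --test" parses without
# committing, so a typo cannot leave the firewall half applied. Run this
# from a console, not over SSH, unless 22 is in ALLOWED_TCP_PORTS.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: run as root (sudo)" >&2
        return 1
    fi
    build_ruleset | iptables-restore --test || return 1
    build_ruleset | iptables-restore
}

# "sh firewall.sh" prints the ruleset for review; "sudo sh firewall.sh apply" loads it.
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    build_ruleset
fi
```

Review the printed ruleset first, then apply it; afterwards sudo iptables -L -v -n shows the interface column and the counters, so you can watch the ESTABLISHED rule absorb the reply traffic that the bare DROP would otherwise have eaten. Because the chains' policies stay ACCEPT, sudo iptables -F still returns you to an open firewall if something goes wrong.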

Seems your tutorial is written for people who know a bit about Linux.
Very good post. Hope to read even more great posts in the future.