iptables
Firewalling and Packet-Filtering Quick Start Guide
Iptables is a powerful packet-filtering tool available on ImageStream
routers with Enterprise Linux version 4.0 or later. This document provides
examples of how to use Iptables to add basic firewalling, port forwarding and
network address translation (NAT) capabilities to your ImageStream router. More
in-depth information is available in the iptables HOWTO linked from the Other On-line Resources
page on this site.

Iptables Basics

Iptables is a utility used to set up, maintain, and inspect the packet filtering rules
in Enterprise Linux. Iptables organizes its packet-handling rules into two structures: chains and tables.
A chain is an ordered list of rules, each of which tells iptables how to handle a packet that
matches it. Even with no user-defined iptables statements on your router,
each packet passing through the router will flow through at least one of the three
predefined chains in the operating system:
                          _____
                         /     \
   IN -->[Routing ]--->|FORWARD|-------> OUT
         [Decision]     \_____/        ^
              |                        |
              v                       ____
             ___                     /    \
            /   \                   |OUTPUT|
           |INPUT|                   \____/
            \___/                      ^
              |                        |
               ----> Local Process ----
When packets enter the router, iptables makes a "Routing Decision." The router
decides whether the packet needs to be forwarded, or whether it is destined for a local
interface on the router. If the router needs to forward the packet, iptables
passes it through the FORWARD chain. If the packet is destined for a local interface on
the router, iptables passes it through the INPUT chain. If a local process on the
router generates a packet, it passes through the OUTPUT chain. By default,
each of the chains accepts any packet.

Iptables Firewall Setup

This section provides an example of a basic firewall
setup using Iptables. We will start by defining a new "firewall" chain.
iptables -N FIREWALL
This creates a new chain named FIREWALL. Next, we will add some
rules to this firewall chain.
iptables -A FIREWALL -i eth1 -s 192.168.0.0/16 -j DROP
This adds a new rule to the firewall chain. The "-A" (append) option
tells Iptables to add this rule to the end of the FIREWALL chain. The "-i" (interface) option
tells Iptables to apply this rule only to incoming packets on the eth1 interface.
The "-s" option ensures that only packets with a source address in 192.168.0.0/16
(Class B) will match this rule. The "-j" option instructs iptables what to do
if the packet matches the rule. In this example, iptables will drop the packet.
Taken as a whole, this command drops all incoming packets on eth1 with
a source IP address in 192.168.0.0/16. Other valid commands and options
are listed in the iptables HOWTO linked from the Other On-line Resources
page on this site. Here are several common example chain commands:
iptables -A FIREWALL -s 128.211.243.16 -d 128.211.245.156 -j ACCEPT
This command will accept all traffic from 128.211.243.16 to 128.211.245.156.
iptables -A FIREWALL -i eth1 -d 128.211.245.156 -p tcp --dport 21 \
-j DROP
This command will drop all incoming traffic on eth1 for the ftp port (port 21) where
the destination is 128.211.245.156. You can add any number of rules
to a chain. After all of the processing rules have been added to the FIREWALL
chain, we need to send incoming packets (packets passing through the INPUT or
FORWARD chains, as described above) to our user-defined FIREWALL chain.
iptables -A INPUT -j FIREWALL
iptables -A FORWARD -j FIREWALL
These two commands tell iptables that all packets in the INPUT and FORWARD chains should also
pass through the FIREWALL chain. Below is a complete example of a simple firewall.
In this example, the incoming interface is eth1 and eth0 is being firewalled.
# begin example
# setup the firewall chain
iptables -N FIREWALL
# add rules to the chain
iptables -A FIREWALL -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A FIREWALL -i eth1 -s 205.159.243.0/24 -d 128.211.245.156 \
-j ACCEPT
iptables -A FIREWALL -i eth1 -s 216.117.0.0/16 -p tcp --dport 21 \
-j ACCEPT
iptables -A FIREWALL -i eth1 -d 128.211.245.156 -p tcp --dport 21 \
-j DROP
# insert the FIREWALL chain into the INPUT and FORWARD chains
iptables -A INPUT -j FIREWALL
iptables -A FORWARD -j FIREWALL
# end example
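The same firewall expressed as a single iptables-restore file, with a small ordering check a reviewer can run before loading it. This is an added example and not part of the ImageStream guide; the addresses and interface names are the ones the guide uses above. iptables-restore replaces the whole table in one step, so a typo halfway through a list of separate iptables commands cannot leave the router with a half-built chain, and because iptables evaluates a chain top to bottom and stops at the first match, the broad DROP for 192.168.0.0/16 must stay above the narrower ACCEPT rules.

```shell
#!/bin/sh
# Added example, not part of the ImageStream guide: the guide's FIREWALL chain
# rendered as an iptables-restore file, plus checks on rule ordering.
# Addresses and interface names are the ones used in the guide.

# Emit the filter table in evaluation order. iptables tests rules top to
# bottom and stops at the first match, so the broad DROP for 192.168.0.0/16
# has to sit above the narrower ACCEPT rules. Chain policies stay ACCEPT,
# matching the guide's default behaviour.
render_firewall_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FIREWALL - [0:0]
-A FIREWALL -i eth1 -s 192.168.0.0/16 -j DROP
-A FIREWALL -i eth1 -s 205.159.243.0/24 -d 128.211.245.156 -j ACCEPT
-A FIREWALL -i eth1 -s 216.117.0.0/16 -p tcp --dport 21 -j ACCEPT
-A FIREWALL -i eth1 -d 128.211.245.156 -p tcp --dport 21 -j DROP
-A INPUT -j FIREWALL
-A FORWARD -j FIREWALL
COMMIT
EOF
}

# rule_line FRAGMENT: 1-based line number of the first rendered line
# containing FRAGMENT (empty if absent). Used to reason about ordering.
rule_line() {
    render_firewall_rules | grep -n -F -e "$1" | head -n 1 | cut -d: -f1
}

# check_rule_order FIRST SECOND: succeed only if the rule containing FIRST
# is evaluated before the rule containing SECOND.
check_rule_order() {
    a=$(rule_line "$1")
    b=$(rule_line "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# Load the rendered table. Run as root on the router; the ordering check
# runs first so a misordered edit is refused instead of loaded.
apply_firewall_rules() {
    check_rule_order "-s 192.168.0.0/16 -j DROP" "--dport 21 -j ACCEPT" || {
        echo "refusing to load: private-range DROP no longer precedes ftp ACCEPT" >&2
        return 1
    }
    render_firewall_rules | iptables-restore
}

# With no argument the script only prints the table for review;
# "apply" loads it.
if [ "${1:-}" = "apply" ]; then
    apply_firewall_rules
else
    render_firewall_rules
fi
```

Run the script without arguments to review the table it would load, then `sh firewall.sh apply` as root on the router. The rendered text can also be checked with `iptables-restore --test` on versions that support it, which parses the file without committing it.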
Iptables - Tables

There are three available tables within iptables: filter, nat and
mangle. You can add chains to each table by invoking the "-t" (table) option in
iptables. This option specifies the packet-matching table on which the command
should operate. The "filter" table is the default table. It contains
the built-in chains discussed above: INPUT (for packets coming into the box itself),
FORWARD (for packets being routed through the box), and OUTPUT (for locally generated
packets). The second, and frequently used, table is the "nat" (network
address translation) table. This table is consulted when the router encounters
a packet creating a new connection. The nat table contains three built-in
chains: PREROUTING (Destination NAT, for altering packets as soon as they come
in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING
(Source NAT, for altering packets as they are about to go out). The
third table, "mangle," is used for specialized packet alteration. It has two built-in
chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for
altering locally-generated packets before routing).

Iptables NAT and Port forwarding

The Network Address Translation table is most frequently
used for firewalls. You create NAT rules that tell the kernel what connections
to change, and how to change them. To do this, we tell iptables to alter the NAT
table by specifying the "-t nat" option. There are two types of Network
Address Translation that Iptables supports: source NAT and destination NAT. Source
NAT is used to change the apparent source of a packet. Source NAT is
done in the POSTROUTING chain, just before a packet is finally sent out. This
is an important detail, since it means that anything else on the router itself
(routing, packet filtering) will see the packet unchanged. It also means that
the "-o" (outgoing interface) option can be used. This can be used to put an entire
network behind a single outbound machine. Destination NAT is done in
the PREROUTING chain, just as the packet comes in; this means that anything else
on the Linux box itself (routing, packet filtering) will see the packet going
to its "real" destination. It also means that the "-i" (incoming interface) option
can be used. Destination NAT is sometimes called port forwarding, and can also
be used to redirect packets.

Iptables NAT examples

Below is a source NAT example where all traffic from 192.168.0.0/24 that is outgoing
on eth1 will get its source changed to 1.2.3.4. This example would allow
all of the machines in the 192.168.0.0 network to talk to the 1.2.3.0 network.
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 \
-j SNAT --to 1.2.3.4
Source NAT is specified using `-j SNAT', and the `--to-source' option specifies an IP
address, a range of IP addresses, and an optional port or range of ports (for
UDP and TCP protocols only).
## Change source addresses to 1.2.3.4.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
## Change source addresses to 1.2.3.4, ports 1-1023
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT \
--to 1.2.3.4:1-1023
Destination NAT is specified using `-j DNAT', and the `--to-destination' option specifies
an IP address, a range of IP addresses, and an optional port or range of ports
(for UDP and TCP protocols only).
## Change destination addresses to 5.6.7.8
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8
## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
## Change destination addresses of web traffic to 5.6.7.8, port 8080.
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 \
-j DNAT --to 5.6.7.8:8080
Redirection

There is a specialized case of Destination NAT called redirection: it is a simple convenience
which is exactly equivalent to doing DNAT to the address of the incoming interface.
## Send incoming port-80 web traffic to our squid (transparent) proxy
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
-j REDIRECT --to-port 3128
(Note that squid needs to be configured to know that it is a transparent
proxy!) Below is a destination NAT example that will send all incoming
ftp connections (port 21) to a machine at 1.2.3.4:
iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth1 -j DNAT \
--to 1.2.3.4
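Because destination NAT happens in PREROUTING, the FORWARD chain (and any FIREWALL chain hung off it) sees the packet with its translated destination, so a filter rule for a forwarded port has to match the internal host's address rather than the router's public one. The script below, an added example that is not part of the ImageStream guide, generates the DNAT rule for one port forward together with the matching FORWARD rule; eth1 as the outside interface and 1.2.3.4 as the ftp server come from the guide's example, while the helper names and the second sample forward are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ImageStream guide: generate the rules for one
# inbound port forward together with the filter rule that has to go with it.
# DNAT runs in PREROUTING, so by the time the packet reaches the FORWARD chain
# its destination is already the internal host; the FORWARD rule therefore
# matches the translated address and port. Return traffic is reverse-translated
# by connection tracking, so no extra rule is needed for it.
# eth1 (outside interface) and 1.2.3.4 (ftp server) come from the guide;
# the function names are our own.

# render_port_forward IFACE PROTO PUBLIC_PORT INSIDE_IP [INSIDE_PORT]
# Prints two rule lines: the nat-table DNAT and the filter-table ACCEPT.
# INSIDE_PORT defaults to PUBLIC_PORT when the port is not changed.
render_port_forward() {
    iface=$1; proto=$2; pport=$3; inside=$4; iport=${5:-$3}
    printf '%s\n' "-t nat -A PREROUTING -i $iface -p $proto --dport $pport -j DNAT --to-destination $inside:$iport"
    # Matches the packet as FORWARD sees it: post-DNAT destination and port.
    printf '%s\n' "-A FORWARD -i $iface -p $proto -d $inside --dport $iport -j ACCEPT"
}

# Number of rule lines a forward produces (always 2); handy in scripted checks.
render_port_forward_count() {
    render_port_forward "$@" | grep -c ''
}

# Apply on the router as root. IP forwarding must be enabled in the kernel or
# the DNATed packet is discarded before the FORWARD chain ever sees it.
apply_port_forward() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    render_port_forward "$@" | while IFS= read -r rule; do
        # Word-splitting the rendered rule into iptables arguments is intended.
        iptables $rule
    done
}

# With no arguments, print the rules for the guide's ftp example;
# "apply IFACE PROTO PUBLIC_PORT INSIDE_IP [INSIDE_PORT]" loads a forward.
if [ "${1:-}" = "apply" ]; then
    shift
    apply_port_forward "$@"
else
    render_port_forward eth1 tcp 21 1.2.3.4
fi
```

Running the script with no arguments prints the two rules for the guide's ftp forward; `sh portfwd.sh apply eth1 tcp 21 1.2.3.4` applies them as root. The FORWARD rule only matters once the FORWARD chain (or a FIREWALL chain attached to it) stops accepting everything by default, but writing it against the translated address from the start avoids the common mistake of filtering on the public address.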