Tue Dec 06

Understanding IPTables Concept

A firewall is one of the most vital features of any networked host. It doesn’t matter whether you run macOS, Windows or Linux: they all have one, although the name differs from one system to another.

A firewall is a security device that monitors incoming and outgoing traffic and decides whether to allow or block specific packets based on a pre-defined set of rules.

Because of this function, it becomes an essential barrier between an untrusted network, like the internet, and a trusted network, like your local network. With a firewall in place, unwanted and malicious traffic can be blocked before it reaches the trusted network.

What is IPTables?

As mentioned before, different operating systems may have different firewall names. Even within Linux, the firewall may differ from one distribution to another. For example, Debian-based distributions ship ufw (Uncomplicated Firewall), while RHEL-based distributions have firewalld by default. Both also come with IPTables built in.

So what is it? IPTables is the interface that lets the user configure IP packet filtering through a set of rules. Unlike ufw, which is simpler, IPTables requires a better understanding of networking to set up and configure properly. To put it in perspective: IPTables is the backend that ufw drives.

IPTables configuration won’t affect IPv6 traffic, as it only works on the IPv4 protocol. To set rules for IPv6 you need a separate tool called ip6tables, which has a similar syntax. ufw, on the other hand, can manage both.

There is another common confusion between IPTables and NFTables. NFTables (to be covered in the next article) is the successor of IPTables; it is essentially a framework for filtering packets. NFTables also offers greater versatility, as it works across multiple network layers and protocols, such as Layer 3 (IPv4, IPv6) and Layer 2 (ARP). See more details about the network layers [here](https://www.binaryte.com/blog/the-osi-model-layers-explained).

The Concept

Before going deeper, it is important to understand three terms: tables, chains, and rules. Let’s look at each one.

Table

There are five tables in total.

  • Filter

The filter table is the default, used whenever you don’t specify a table. It contains three chains: INPUT, FORWARD and OUTPUT. In most cases, this is the table you will be dealing with.

  • NAT

This table is consulted when a packet creates a new connection, and it is where network address translation is configured, which is what lets various devices share and reach one another through translated addresses. It contains three chains: PREROUTING, OUTPUT and POSTROUTING.

  • Mangle

This table specializes in altering packets. It gives the user the ability to modify the IP header. Originally, the mangle table only had two built-in chains: PREROUTING and OUTPUT. On recent kernels, three more chains have been added: INPUT, FORWARD and POSTROUTING.

  • Raw

This table is used to configure connection tracking (for example, exempting packets from it). It contains two chains: PREROUTING and OUTPUT.

  • Security

This table is used for Mandatory Access Control (MAC) rules, as implemented by Linux Security Modules such as SELinux. It contains three built-in chains: INPUT, OUTPUT and FORWARD.

Chains

Chains are like checkpoints that a packet passes through along its route. Just by looking at the explanations above, you can see there are five chains in total.

  • PREROUTING

Handles a packet as soon as it is received, before the routing decision is made.

  • INPUT

This chain handles packets that, after the routing decision, are destined for the local host itself.

  • FORWARD

This chain handles packets that are not intended for the current host but for another host that it routes traffic to, such as one on the same network.

  • OUTPUT

This chain handles packets generated by the local host itself, before they go out.

  • POSTROUTING

You can still apply rules here, after the routing decision has been made but before the packet leaves the network interface.

Rules

At each checkpoint (chain), users can set rules to manipulate network traffic. A rule can match on the source and destination address, the source and destination port, and so on, and specifies the action to apply to matching packets.

The Syntax

List table

To list the rules, use the -L or --list flag. It requires root access, so you need sudo. For more comprehensive output you can add -v or --verbose for verbose mode and -n or --numeric to show addresses and ports in numeric form instead of resolving names. For explanation purposes, I will only use -L.

sudo iptables -L

You may get something like this.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Let’s go through it.
Here we get the filter table, since we didn’t specify one. On most distributions it has no rules pre-defined, except on RHEL. As you can see, the policy of every chain is ACCEPT by default, meaning any packet is allowed through if no rule matches it. Below each chain header are the columns that a rule fills in: target, prot, opt, source and destination.

Adding rules

Say that we want to block ping to our Linux box.
First, we need to know our local IP address. You can check it with the ifconfig command. My PC uses 192.168.1.12, so we can do this with the command below.

sudo iptables -A INPUT -j DROP -p icmp -d 192.168.1.12

Looking back at the table listing, we can see which arguments we need. The command above uses -A or --append to append a rule to a chain; since we want the INPUT chain, we type INPUT right after it.

The next flag, -j or --jump, specifies the target, which is what happens when a packet matches our rule. We want to block access to our Linux system, so we use DROP instead of ACCEPT.

Next, -p or --protocol specifies the protocol to match. Since the ping command is based on the ICMP protocol, we set it to icmp. Other available protocols include tcp, udp, udplite, icmpv6, esp, ah, sctp and mh.

The -d or --destination flag is the destination IP address. We want to block ping to our Linux box at the local IP address 192.168.1.12, so we set it to that. Matching doesn’t have to be on an IP address alone. For example, if you want to block a particular port such as 22 (SSH), you can set the protocol to tcp and add --dport 22.

In some cases, you may also want to block incoming packets from a particular IP. To do this, simply use -s or --source.

Removing rules

To delete a rule from a chain, you have to know its line number. You can see the numbers by adding --line-numbers when listing the table. For example, if you have just added the rule above and no others, you can delete it with the command below.

sudo iptables -D INPUT 1
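As an added example (not from the original article), the script below parses the output of `sudo iptables -L -n --line-numbers` into a structure you can query, finds the line number of the ICMP rule added above, and emits the matching `iptables -D` commands in the safe order. The listing it parses is a constructed sample, not captured from a real host.

```python
import re
from dataclasses import dataclass

# Constructed sample of `sudo iptables -L -n --line-numbers` output (not a real capture):
# the article's ICMP rule plus two extra rules for illustration.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    DROP       icmp --  0.0.0.0/0            192.168.1.12
3    DROP       tcp  --  10.0.0.5             0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
"""

@dataclass
class Rule:
    num: int            # line number shown by --line-numbers; this is what -D takes
    target: str         # ACCEPT, DROP, ...
    prot: str           # icmp, tcp, udp, all
    source: str
    destination: str
    extra: str = ""     # trailing match text such as "tcp dpt:22", kept verbatim

def parse_listing(text):
    """Return {chain: {"policy": str, "rules": [Rule, ...]}} from -L -n --line-numbers output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:                                   # start of a new chain block
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        cols = line.split(None, 6)              # num target prot opt source destination [extra]
        if current is None or len(cols) < 6 or not cols[0].isdigit():
            continue                            # blank line or the "num target ..." header
        chains[current]["rules"].append(
            Rule(int(cols[0]), cols[1], cols[2], cols[4], cols[5], cols[6] if len(cols) > 6 else ""))
    return chains

def find_rule_numbers(chains, chain, **criteria):
    """Line numbers of rules in `chain` whose columns equal every given criterion."""
    return [r.num for r in chains.get(chain, {"rules": []})["rules"]
            if all(getattr(r, k) == v for k, v in criteria.items())]

def delete_commands(chains, chain, **criteria):
    """`iptables -D` commands, highest number first: deleting a rule renumbers every rule
    below it, so deleting in ascending order would remove the wrong rules."""
    nums = sorted(find_rule_numbers(chains, chain, **criteria), reverse=True)
    return [f"sudo iptables -D {chain} {n}" for n in nums]
```

Deleting by number is only safe against a listing taken immediately beforehand; if the ruleset may have changed, delete by specification instead (`iptables -D INPUT -p icmp -d 192.168.1.12 -j DROP`).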

Conclusion

More experienced system administrators use it to harden server security by setting up strict rules. It can even help mitigate DDoS attacks by rate-limiting connections to the server. In the end, IPTables is certainly more complicated to deal with, yet it offers far greater versatility than Uncomplicated Firewall (ufw).