Iptables

From vpsget wiki

Iptables is the user-space tool for configuring the packet filter built into the Linux kernel (netfilter). It is not a daemon: on RHEL/CentOS the init script /etc/init.d/iptables loads the rules stored in /etc/sysconfig/iptables into the kernel at boot, and from then on the kernel enforces them without any process running. Rules are grouped into chains and chains are grouped into tables. The tables you will use most are filter, nat and mangle; the kernel also has raw and security tables (the raw table shows up in the saved ruleset at the end of this page).


filter

The filter table contains three built-in chains, INPUT, OUTPUT and FORWARD, and is used to allow and block traffic.
INPUT chain filters traffic destined for the local host itself (any local address, not just 127.0.0.1).
OUTPUT chain filters packets generated by the local host.
FORWARD chain filters packets that the host routes from one interface to another. It is only consulted when forwarding is enabled (net.ipv4.ip_forward=1).

NAT

The nat table is used to rewrite addresses and ports (SNAT, DNAT, MASQUERADE) and also contains three chains: PREROUTING, POSTROUTING and OUTPUT. PREROUTING sees packets as they arrive, before the local routing decision, which is where destination NAT belongs. POSTROUTING sees packets after the routing decision, just before they leave the host, which is where source NAT and MASQUERADE belong. OUTPUT handles packets generated locally. Only the first packet of a connection passes through the nat table; the chosen translation is then applied to the rest of the connection by connection tracking.

Rules can be added with iptables commands, or by editing /etc/sysconfig/iptables by hand (not recommended: a single syntax error makes iptables-restore reject the file when it is loaded).

iptables [-t TABLE] -A CHAIN -p PROTOCOL [options] -j ACTION

"-t TABLE" selects the table; when omitted the filter table is used.
CHAIN is described above. "-A INPUT" means append the rule to the INPUT chain.
"-p tcp" means apply the rule to TCP packets only. For UDP use "-p udp" instead. Port matches such as "--dport" only work together with "-p tcp" or "-p udp".
"[options]" is where you specify which packets the rule applies to: source and destination address (-s, -d), port (--sport, --dport), interface (-i, -o), connection state (-m state --state ...).
"-j ACTION" tells what to do with packets that match the [options]. Action can be "-j DROP" to silently discard the packet, "-j REJECT" to discard it and send an error back to the sender, "-j ACCEPT" to accept it, and "-j LOG" to log it. LOG does not terminate processing: the packet continues to the next rule, so a LOG rule is normally followed by a DROP rule with the same match.
Rules in a chain are evaluated from top to bottom and the first terminating match wins; if no rule matches, the chain's policy (see -P below) decides.

Main commands:
View firewall status (filter table; add -t nat or -t mangle for the other tables, and --line-numbers to see the rule positions used by -D, -R and -I):

iptables -L -n -v

-A: Append the rule at the end of the specified chain.

iptables -A INPUT ...

-D: Delete a rule, either by its position in the chain or by repeating its exact specification.

iptables -D INPUT 1
iptables -D INPUT -p tcp --dport 21 -j DROP

-R: Replace the rule at the given position in the chain.

iptables -R INPUT 1 -s 192.168.0.1 -j DROP

-I: Insert the rule at a given position in the chain (1 is the top; with no number the rule goes to the top). Since the first matching rule wins, this is how you put an ACCEPT in front of an existing DROP.

iptables -I INPUT 1 -p tcp --dport 21 -j ACCEPT

-L: list. Display the rules.

iptables -L # Display all the rules of the filter table chains
iptables -L INPUT # Display the rules of the INPUT chain (filter table)

-F: flush. Delete all the rules of a chain. The chain policy is not changed, so flushing while the policy is DROP leaves you with a chain that drops everything.

iptables -F # Delete all the rules in every chain of the filter table

iptables -F INPUT # Delete all the rules of the INPUT chain
iptables -F OUTPUT  # Delete all the rules of the OUTPUT chain
iptables -F FORWARD  # Delete all the rules of the FORWARD chain

Example to delete all rules, including the nat and mangle tables:

iptables -F
iptables -t nat -F
iptables -t mangle -F

-N: Create a new user-defined chain, used as a jump target (-j LOG_DROP) to share a group of rules, e.g. a log-then-drop pair.

iptables -N LOG_DROP

-X: Delete a user-defined chain. The chain must be empty (flush it first) and no rule may still jump to it.

iptables -X LOG_DROP # Delete the LOG_DROP chain
iptables -X # Delete every user-defined chain in the table

-P: policy. Set the default policy of a built-in chain, i.e. what happens to packets that match no rule. Only ACCEPT and DROP are valid policies (REJECT is a target, not a policy). Before setting INPUT to DROP on a remote machine, make sure rules accepting ESTABLISHED,RELATED traffic and your SSH port are already in the chain, otherwise your session is cut off.

iptables -P INPUT DROP

On RHEL/CentOS the rules are stored in /etc/sysconfig/iptables and loaded from there at boot. Rules added with iptables commands live only in the kernel and are lost at reboot until they are saved to that file:

iptables-save > /etc/sysconfig/iptables

"service iptables save" writes the same file.
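As an added example (not code from the wiki), here is a shell script that generates a default-deny filter ruleset in the iptables-save format shown at the bottom of this page, ordered so that the rules keeping a remote SSH session alive (loopback, ESTABLISHED/RELATED, the SSH port) come before anything else, with a rate-limited LOG rule followed by an explicit DROP. The function names gen_ruleset, has_rule and rule_position and the port numbers are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the wiki: build a default-deny filter ruleset in
# iptables-save format. Function names and ports are this example's own.

# gen_ruleset SSH_PORT [TCP_PORT...]
# Prints a complete *filter table in iptables-restore syntax. The chain policy
# is declared in the header, so it only takes effect when the whole table is
# committed, and the rules that keep a remote session alive (loopback,
# ESTABLISHED/RELATED, the SSH port) come before every other rule.
gen_ruleset() {
    ssh_port=$1
    shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # loopback first: local daemons talk to 127.0.0.1 constantly
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # replies to connections this host opened, plus related ICMP errors
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # packets that belong to no known connection (stray ACKs, some scans)
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # management access before any application port
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT"
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # answer ping so monitoring does not see a black hole
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # LOG is non-terminating; rate-limit it so a flood cannot fill the log,
    # then DROP explicitly so the packet never reaches the policy
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    printf '%s\n' '-A INPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# has_rule FILE PATTERN: succeed if some line of FILE matches PATTERN (grep BRE)
has_rule() {
    grep -q -- "$2" "$1"
}

# rule_position FILE PATTERN: 1-based position of the first INPUT rule that
# matches PATTERN, the same number that "iptables -L INPUT --line-numbers"
# shows and that iptables -D/-R/-I take.
rule_position() {
    grep -- '^-A INPUT ' "$1" | grep -n -- "$2" | head -n 1 | cut -d : -f 1
}

# Print a ruleset that allows SSH, HTTP and HTTPS; redirect it to a file and
# load it (as root) with: iptables-restore < rules.v4
gen_ruleset 22 80 443
```

Load the generated file atomically with iptables-restore rather than issuing one iptables -A at a time: that way there is no moment at which the policy is already DROP but the SSH rule is not yet in place, and a syntax error makes iptables-restore refuse the table instead of half-applying it. rule_position returns the same index that iptables -L INPUT --line-numbers shows, so it can be used to build the -D or -R command for a rule found in the saved file.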


IPTABLES EXAMPLES: http://wiki.vpsget.com/index.php/Iptables_example_block_all_except_specified

Ubuntu differs a little bit

You need to install the iptables-persistent package on Ubuntu:

apt-get install iptables-persistent

After that you are able to save/load the rules from the following files:

 /etc/iptables/rules.v4 
 /etc/iptables/rules.v6 

Restart iptables (reload the rules from the files):

service iptables-persistent restart

Flush the rules (stop filtering):

service iptables-persistent flush

Start iptables:

service iptables-persistent start

On Ubuntu 16.04 and later iptables-persistent is a plugin of netfilter-persistent, and the service is called netfilter-persistent (netfilter-persistent save / netfilter-persistent reload).

For example, to save the current iptables rules under Ubuntu you need to run:

iptables-save > /etc/iptables/rules.v4 

IPv6 has its own ruleset: save it with ip6tables-save > /etc/iptables/rules.v6. A host with IPv6 connectivity is unfiltered on IPv6 until rules.v6 is populated.

Currently we have noticed a strange bug that appears only on a few Ubuntu versions (12.04 LTS) with MASQUERADE: you are simply unable to add the rule. So here is an example iptables config for OpenVPN (with client IP change/masquerading):

# cat /etc/iptables/rules.v4 
# Generated by iptables-save v1.4.12 on Wed Mar  4 20:13:19 2015
*raw
:PREROUTING ACCEPT [1041:98190]
:OUTPUT ACCEPT [629:50218]
COMMIT
# Completed on Wed Mar  4 20:13:19 2015
# Generated by iptables-save v1.4.12 on Wed Mar  4 20:13:19 2015
*nat
:PREROUTING ACCEPT [3:144]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
# Completed on Wed Mar  4 20:13:19 2015
# Generated by iptables-save v1.4.12 on Wed Mar  4 20:13:19 2015
*mangle
:PREROUTING ACCEPT [1041:98190]
:INPUT ACCEPT [1041:98190]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [629:50218]
:POSTROUTING ACCEPT [629:50218]
COMMIT
# Completed on Wed Mar  4 20:13:19 2015
# Generated by iptables-save v1.4.12 on Wed Mar  4 20:13:19 2015
*filter
:INPUT ACCEPT [3:144]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:120] 
-A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i venet0 -p gre -j ACCEPT
-A FORWARD -i tun+ -o venet0 -j ACCEPT
-A FORWARD -i venet0 -o tun+ -j ACCEPT
COMMIT
# Completed on Wed Mar  4 20:13:19 2015 
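Two things to check before loading a ruleset like the one above: the FORWARD rules only do anything once net.ipv4.ip_forward=1 is set in sysctl, and the venet0 to tun+ rule accepts every packet from the public interface towards the VPN clients, where only ESTABLISHED,RELATED replies are normally needed. Note also that OpenVPN clients reach port 1194 on the public interface (venet0), not on tun0, so the two INPUT rules with -i tun0 never see the handshake; they are harmless only because the INPUT policy is ACCEPT. As an added example (not code from the wiki), the script below lints an iptables-save dump for these points: it reports ACCEPT policies on INPUT/FORWARD, checks that the VPN subnet is masqueraded in nat POSTROUTING, lists stateless FORWARD rules from the public interface into the tunnel, and shows the hardened version of that rule. The sample dump is constructed, modelled on the ruleset above with the 1194 rule moved to venet0; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the wiki: sanity-check a saved ruleset such as
# /etc/iptables/rules.v4 before loading it. Function names are this example's
# own; the sample ruleset is constructed, modelled on the OpenVPN one above.

SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i venet0 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -i tun+ -o venet0 -j ACCEPT
-A FORWARD -i venet0 -o tun+ -j ACCEPT
COMMIT'

# lint_policies: read a dump on stdin, print "table chain policy" for every
# built-in chain, so an ACCEPT policy on filter INPUT/FORWARD stands out.
lint_policies() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        /^:/  { sub(/^:/, "", $1); print table, $1, $2 }
    '
}

# has_masquerade SUBNET: succeed if the nat table masquerades SUBNET in
# POSTROUTING; without that rule VPN clients get no return traffic.
has_masquerade() {
    awk -v net="$1" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING / && index($0, "-s " net " ") &&
            / -j MASQUERADE/ { found = 1 }
        END { exit !found }
    '
}

# stateless_forward IN OUT: print FORWARD rules from interface IN to OUT that
# accept everything, i.e. carry no state/conntrack match. The public->tunnel
# direction normally needs only ESTABLISHED,RELATED.
stateless_forward() {
    awk -v in_if="$1" -v out_if="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A FORWARD / && index($0, "-i " in_if " ") &&
            index($0, "-o " out_if " ") && / -j ACCEPT/ &&
            !/--state/ && !/--ctstate/ { print }
    '
}

# harden_forward IN OUT: rewrite the stateless IN->OUT ACCEPT into a stateful
# one; everything else in the dump passes through unchanged.
harden_forward() {
    sed "s/^-A FORWARD -i $1 -o $2 -j ACCEPT\$/-A FORWARD -i $1 -o $2 -m state --state ESTABLISHED,RELATED -j ACCEPT/"
}

# lint SUBNET PUBLIC_IF TUN_IF: run the checks on a dump read from stdin and
# print one line per finding (nothing printed means nothing found).
lint() {
    rules=$(cat)
    printf '%s\n' "$rules" | lint_policies |
        awk '$1 == "filter" && ($2 == "INPUT" || $2 == "FORWARD") && $3 == "ACCEPT" {
                 print "policy: " $2 " is ACCEPT" }'
    printf '%s\n' "$rules" | has_masquerade "$1" ||
        printf 'nat: no MASQUERADE rule for %s\n' "$1"
    printf '%s\n' "$rules" | stateless_forward "$2" "$3" |
        sed 's/^/stateless forward: /'
}

# The ruleset as saved, then the same ruleset with the public->tunnel
# direction made stateful (one finding fewer).
printf '%s\n' "$SAMPLE" | lint 10.8.0.0/24 venet0 'tun+'
echo '---'
printf '%s\n' "$SAMPLE" | harden_forward venet0 'tun+' | lint 10.8.0.0/24 venet0 'tun+'
```

Run it against a real file with lint 10.8.0.0/24 venet0 'tun+' < /etc/iptables/rules.v4, adjusting the subnet and interface names to your server. The checks work on the saved text only, so they can run on any machine and do not need root; they do not replace testing the loaded ruleset from a second host.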

