IPTABLES

What's iptables? It's a command-line firewall utility that Linux systems use to decide which traffic is allowed to the firewall host, out of it, and through it. It's open source and widely known. I'm just going to give you a brief explanation of how to use it.

Basic Syntax
You already know how to create firewall rules, but there are some slight differences in the command when doing so through iptables on the command line. I'll show you the basic syntax and you should be able to catch on from there.

Start with

iptables

Syntax

-A is for append. With this you choose the chain for the rule. The chain describes the direction the traffic is going. You already know this, but the filter table has 3 built-in chains: INPUT, OUTPUT, and FORWARD.
-j is for jump. It dictates the action to be taken, whether that is to accept or deny the traffic (ACCEPT, DROP or REJECT).

iptables -A <chain> -s <source ip> -p <protocol> --dport <port> -j <action>
  -A       append to the chain: INPUT, OUTPUT or FORWARD
  -s       source IP address (or subnet)
  -p       protocol, e.g. tcp or udp
  --dport  destination port
  -j       action: ACCEPT or DROP

iptables -A FORWARD -s 151.186.136.126 -d 192.168.1.110 -p tcp --dport 80 -j ACCEPT
Once the rule looks something like the above you can enter it on the CLI of the device you are working on. It should be noted that these rules are not persistent: they are lost when the box reboots unless you save them (e.g. with iptables-save).

Listing and Deleting

Commonly used:

iptables -nvL FORWARD

Sample output (pipe it through grep to pick out a rule of interest):

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       60.55.47.184         0.0.0.0/0
    0     0 DROP       all  --  *      *       60.55.47.184         0.0.0.0/0

Let's go over what each header indicates:
  • target: If a packet matches the rule, the target specifies what should be done with it. For example, a packet can be accepted, dropped, logged, or sent to another chain to be compared against more rules
  • prot: The protocol, such as tcp, udp, icmp, or all
  • opt: Rarely used, this column indicates IP options
  • source: The source IP address or subnet of the traffic, or anywhere
  • destination: The destination IP address or subnet of the traffic, or anywhere

Zero the packet and byte counters (here for rule 1 of the INPUT chain; give only the chain name to zero the whole chain):

    iptables -Z INPUT 1


List rules with their position in the chain (the num column):

    iptables -L --line-numbers

Delete a rule by its position in the chain:

    iptables -D INPUT 5


Flush (remove all rules from) a single chain:

    iptables -F INPUT


Insert a rule (here at the top, position 1, of the rule set):

    iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT



Replace a rule (the rule at the given position in the chain is replaced by the new one):

    iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT

NAT
View the nat table:

iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 13M packets, 580M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            173.199.234.229     tcp dpt:80 to:173.199.234.229

The nat table contains the rules for Source and Destination Address and Port Translation. These rules are functionally distinct from the firewall filter rules. The built-in chains include these:
  • PREROUTING (DNAT/REDIRECT)
  • OUTPUT (DNAT/REDIRECT)
  • POSTROUTING (SNAT/MASQUERADE)
Example:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Explanation:

-t nat          Select the "nat" table for configuration of NAT rules.
-A POSTROUTING  Append a rule to the POSTROUTING chain (-A stands for "append").
-o eth1         This rule applies to packets that leave on the second network interface (-o stands for "output interface").
-j MASQUERADE   The action to take is to 'masquerade' the packets, i.e. replace the sender's address with the firewall's address.
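Reading a -nvL listing by eye gets tedious on a box with many rules. The following Python script is an added example, not code from the original post: it parses the `iptables -nvL` output format shown above (the FORWARD listing and the nat PREROUTING listing, embedded here as a constructed sample with two extra ACCEPT rules added for illustration) into dictionaries and flags any ACCEPT rule that matches everything. It assumes the verbose, numeric (-nv) listing format, with or without --line-numbers; a plain -L listing lacks the pkts/bytes/in/out columns.

```python
import re

# Constructed sample: the FORWARD and nat PREROUTING listings quoted in the text,
# plus two ACCEPT rules added here so the audit has something to flag.
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       60.55.47.184         0.0.0.0/0
   12  3456 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            192.168.1.110        tcp dpt:80
    3   180 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PREROUTING (policy ACCEPT 13M packets, 580M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            173.199.234.229      tcp dpt:80 to:173.199.234.229
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
# Fixed columns of a -nvL listing; anything after them is the match text (e.g. "tcp dpt:80")
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")

def parse_listing(text):
    """Parse `iptables -nvL` output (with or without --line-numbers) into rule dicts."""
    rules, chain, has_num = [], None, False
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        cols = line.split()
        if not cols or chain is None:
            continue
        if cols[0] in ("num", "pkts"):          # header row; remember if a num column is present
            has_num = cols[0] == "num"
            continue
        if has_num:
            cols = cols[1:]                      # drop the rule number, keep the rest aligned
        if len(cols) < len(FIELDS):
            continue                             # not a rule row
        rules.append(dict(zip(FIELDS, cols), chain=chain, extra=" ".join(cols[len(FIELDS):])))
    return rules

def wide_open_accepts(rules):
    """ACCEPT rules that match any source, destination, protocol and interface."""
    return [r for r in rules if r["target"] == "ACCEPT" and r["prot"] == "all"
            and r["source"] == "0.0.0.0/0" and r["destination"] == "0.0.0.0/0"
            and r["in"] == "*" and r["out"] == "*" and not r["extra"]]

if __name__ == "__main__":
    for r in wide_open_accepts(parse_listing(SAMPLE)):
        print(f"{r['chain']}: ACCEPT everything ({r['pkts']} packets matched so far)")
```

On a real host, feed it `iptables -nvL` (or `iptables -nvL -t nat`) output captured to a file instead of SAMPLE.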
