Day 38: Basic understanding iptables firewall

iptables

iptables no logo

This is a guide on the terms used in iptables.

I believe the major obstacle to using iptables is the lack of understanding of the terms.

Listing rules

[email protected]:~$ sudo iptables -L
[sudo] password for codax: 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Listing rules is the most basic command to seeing the rules that are actually defined on iptables.

This is the first argument that you will be using most of the time.

Chain

As we see above, when we list rules, there are 3 chains that can be seen.

The INPUT, FORWARD and OUTPUT chains.

First of all, we’ll refer to the machine running iptables as the HOST.

Chains - INPUT

The INPUT chain, relates to all packets that are received by the HOST.

Let’s say we do not wish to allow other hosts to send a ping request to my HOST

#e.g.
#For simplicity, we want to block IP 192.168.1.188 from sending requests to my HOST
iptables -I INPUT -s 192.168.1.188 -p icmp -j DROP

Why do we make use of the INPUT chain ?

Because it refers to all packets that are send to my HOST OR all packets that are received by my HOST. (basically the same thing)

Let’s translate the command above in English.

iptables Insert a new rule to the INPUT chain; taking as source the IP 192.168.1.188; having protocol icmp; jump to the DROP target

More of the available target options here

Chains - OUTPUT

The OUTPUT chain, relates to all packets that are emitted/sent by my HOST.

This allows me to do stuff from my HOST to other servers.

#Say, I wish to be able to connect remotely to other servers using SSH from my HOST
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Translating the above command in English:

iptables Append a new rule to the OUTPUT chain; for out-interface eth0;having protocol tcp; destinationport 22; matching connection tracking state for NEW and ESTABLISHED connections; jump to the ACCEPT target.

Chains - FORWARD

The FORWARD chain is for packets that are neither emitted by the host nor directed to the host. They are the packets that the host is merely routing.

This is when the HOST is used as an actual firewall for filtering packets to a NETWORK to and from a network. 
[device on network] -->packets--> [HOST] -->packets--> [Destination]

e.g. We want to forward requests to our teamspeak server (running on port 8080) 
iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 8080 -j ACCEPT

Translating to English:

iptables Append a new rule to the FORWARD chain; for packets having protocol tcp; to destination 192.168.1.2 (our TEAMSPEAK server); running on destinationport 8080, jump to the ACCEPT target.

-A v/s -I

Append adds the rules at the end of the ruleset, whereas Insert add the rules at the TOP of the ruleset or at a specific position in the ruleset.

When the position of the rule is not important, you will use -A but , when position/priority is important, you will use -I.

\ Codarren /

Credits

iptables questions

iptables jumps

iptable append and insert diff

iptables match

Written on February 7, 2021