Explanation of iptables in Red Hat Linux or CentOS

iptables is a user-space utility (an executable binary) used to manage the firewall tables provided by the Linux kernel firewall module, netfilter.
The iptables command applies to IPv4; the ip6tables command is available to manage IPv6 packets.

iptables performs the same function as a firewall: it filters packets based on a variety of criteria such as source IP address, destination IP address, MAC address, header information, etc. We will look at all the tables to understand these options.

a. Netfilter: the iptables kernel module
The first thing to check for an iptables firewall is whether the netfilter module is loaded on the system or not.

### If the module name shows up in the lsmod output, the module is loaded;
### otherwise we need to load it with the modprobe command.
[root@nglinux ~]# lsmod | grep -i ip_tables
ip_tables               9599  1 iptable_filter
[root@nglinux ~]# 

[root@nglinux ~]# modinfo ip_tables
filename:       /lib/modules/2.6.32-754.el6.i686/kernel/net/ipv4/netfilter/ip_tables.ko
description:    IPv4 packet filter
author:         Netfilter Core Team <coreteam@netfilter.org>
license:        GPL
retpoline:      Y
srcversion:     D97231A516F24FDE3206537
depends:        
vermagic:       2.6.32-754.el6.i686 SMP mod_unload modversions 686 


b. Iptables user space utility

### Verify that the iptables utility exists on the system.
### On this host the iptables command resides in /sbin.
[root@nglinux ~]# which iptables
/sbin/iptables

### Verify package status of both iptables and iptables v6
[root@nglinux ~]# rpm -qa | grep -i iptables
iptables-ipv6-1.4.7-16.el6.i686
iptables-1.4.7-16.el6.i686
[root@nglinux ~]# 

The successor of iptables is “nftables” utility, which is merged into the Linux 3.13 kernel mainline.


c. Working with IPTABLES.

1. See all iptables rules

[root@nglinux ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 43104 packets, 3348K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  *      *       192.168.0.5          0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 20598 packets, 2886K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
[root@nglinux ~]# 

OR,

[root@nglinux ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       all  --  192.168.0.5          0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

[root@nglinux ~]# 

2. Flush all rules

# iptables -F

3. Saving iptables rules.

[root@nglinux ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

4. Save rules to a file.

[root@nglinux ~]# iptables-save > ./rules

[root@nglinux ~]# cat rules 
# Generated by iptables-save v1.4.7 on Thu Dec 20 20:34:26 2018
*filter
:INPUT ACCEPT [43299:3363044]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20696:2896148]
-A INPUT -s 192.168.0.5/32 -j DROP 
COMMIT
# Completed on Thu Dec 20 20:34:26 2018
[root@nglinux ~]# 

5. Restore rules back to system.

[root@nglinux ~]# iptables -F

[root@nglinux ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination       
  
[root@nglinux ~]# iptables-restore < rules 

[root@nglinux ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  192.168.0.5          anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@nglinux ~]# 

6. Block a specific network or IP address.

### Blocking a single IP address
# iptables -A INPUT -s 192.168.5.110 -j DROP

Or,

### Block a complete network.
# iptables -A INPUT -s 192.168.5.0/24 -j DROP

7. Block a particular site.

### Note: iptables resolves a hostname only once, when the rule is added,
### and inserts one rule per address returned. A site served from many
### or changing addresses will not be reliably blocked this way.
# iptables -A OUTPUT -p tcp -d www.gmail.com -j DROP
# iptables -A OUTPUT -p tcp -d gmail.com -j DROP

8. Port Forwarding

### To forward packets from 192.168.5.110:410 to 192.168.0.110:22.
### DNAT alone is not enough on a router: IP forwarding (net.ipv4.ip_forward)
### must be enabled and the FORWARD chain must accept the translated traffic.
# iptables -t nat -A PREROUTING -p tcp -d 192.168.5.110 --dport 410 -j DNAT --to 192.168.0.110:22

9. Allow/Block ping requests.

### From outside to localhost
# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

### To externel sites
# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

### To block the requests, do the reverse, i.e.
### in place of ACCEPT, write "DROP" (or "REJECT").

10. Allow/Block HTTP traffic

To allow HTTP traffic, we can add the rules below.
# iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

### To block the requests, do the reverse, i.e.
### in place of ACCEPT, write "DROP" (or "REJECT").

### We can change the port from 80 to any other 
### to block/allow any other service.


d. Understanding iptables: how do they work?

1. Netfilter hooks
Whenever a packet enters or leaves the system, it passes through hooks in the kernel.
The callbacks registered at each hook carry out the actions defined in the corresponding iptables chains.

There are five hooks in the netfilter kernel module, and hence five built-in chains.
a. NF_IP_PRE_ROUTING: triggered by incoming traffic as soon as it enters the network stack, before any routing decision has been made.

b. NF_IP_LOCAL_IN: triggered after an incoming packet has been routed, if the packet is destined for the local system.

c. NF_IP_FORWARD: triggered after an incoming packet has been routed, if the packet is to be forwarded to another host.

d. NF_IP_LOCAL_OUT: called for locally generated outbound traffic as soon as it hits the network stack.

e. NF_IP_POST_ROUTING: triggered after routing has taken place and just before the traffic is put on the wire; it applies to both outgoing and forwarded traffic.

Each table (or other kernel component) that registers with a hook does so with a priority number, which decides the order in which the registered callbacks, and therefore the rules of each table, see a packet at that hook.

Now we know how the hooks in the netfilter kernel module are reached; the next thing to understand is how the iptables user-space utility drives them.

2. iptables and chains
The iptables user-space side consists of several rule tables, and each table has one or more chains (some tables have all five) that attach to the respective hooks discussed above.

Let us discuss the five built-in chains and the netfilter hooks they are associated with:

Chains
a. PREROUTING: Triggers NF_IP_PRE_ROUTING hook.
b. INPUT: Triggers NF_IP_LOCAL_IN hook.
c. FORWARD: Triggers NF_IP_FORWARD hook.
d. OUTPUT: Triggers NF_IP_LOCAL_OUT hook.
e. POSTROUTING: Triggers NF_IP_POST_ROUTING hook.

Tables
Each table has one or more chains. The tables are divided by function: whether the packet needs network address translation, needs to be filtered, needs its IP header changed, and so on, with each separate function carried out by its own table.

Every table attaches to one or more chains depending on the task it performs.

Let's discuss the default tables available with iptables.
a. NAT Table
Used for network address translation, i.e. to change the source or destination address.
b. Filter Table
Used to filter out packets based on some criteria. It is the most widely used table and decides whether to accept, reject or drop a packet.
c. Mangle Table
Used to alter the IP header(s) of a packet in various ways, for example to adjust the TTL (Time To Live) value, i.e. to increase or decrease the number of hops a packet may still travel.
d. Raw Table
Used only to provide a mechanism for marking packets so that they opt out of connection tracking.
e. Security Table
Sets or changes the internal SELinux security context on packets, which affects how SELinux interprets them further on.

3. Which chains are used in the different iptables tables?

Tables↓/Chains→   PREROUTING   INPUT   FORWARD   OUTPUT   POSTROUTING
raw               *                              *
mangle            *            *       *         *        *
filter                         *       *         *
security                       *       *         *

NAT Table

Tables↓/Chains→   PREROUTING   INPUT   FORWARD   OUTPUT   POSTROUTING
nat (DNAT)        *                              *
nat (SNAT)                     *                          *

(The nat INPUT chain exists only on newer kernels; the 2.6.32 host used on this page lists just PREROUTING, POSTROUTING and OUTPUT for the nat table, as the "iptables -nvL -t nat" output below shows.)

4. How are packets evaluated by chains?

Incoming packets with destination of local system: PREROUTING -> INPUT
Incoming packets destined to other network host: PREROUTING -> FORWARD -> POSTROUTING
Packets generated by Local System: OUTPUT -> POSTROUTING

[root@nglinux ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 9 packets, 950 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1 packets, 556 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1 packets, 556 bytes)
 pkts bytes target     prot opt in     out     source               destination         



[root@nglinux ~]# iptables -nvL -t filter
Chain INPUT (policy ACCEPT 18019 packets, 1694K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       192.168.0.5          0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 7053 packets, 873K bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@nglinux ~]# 




[root@nglinux ~]# iptables -nvL -t security
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         



[root@nglinux ~]# iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         




[root@nglinux ~]# iptables -nvL -t raw
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@nglinux ~]# 

When we simply do “iptables -nvL”, we see “filter” table by default. To see other tables, we need to mention the table name using “-t” option.
