Explanation of IPTables in Red Hat Linux or CentOS
IPTables is a user-space utility (an executable binary) used to manage the firewall tables provided by the Linux kernel firewall module.
The iptables command applies to IPv4; the ip6tables command is available to manage IPv6 packets.
Iptables performs the same function a firewall does, i.e. it filters packets based on a variety of criteria such as source IP address, destination IP address, MAC address, header information, etc. We will look at all the tables to understand these options.
a. Netfilter: Iptables Kernel Module
The first thing to check for an iptables firewall is whether the netfilter module is loaded on the system or not.
### If the module name appears in the lsmod output, the module is loaded;
### otherwise load it with the modprobe command.
[root@nglinux ~]# lsmod | grep -i ip_tables
ip_tables               9599  1 iptable_filter
[root@nglinux ~]#
[root@nglinux ~]# modinfo ip_tables
filename:       /lib/modules/2.6.32-754.el6.i686/kernel/net/ipv4/netfilter/ip_tables.ko
description:    IPv4 packet filter
author:         Netfilter Core Team <coreteam@netfilter.org>
license:        GPL
retpoline:      Y
srcversion:     D97231A516F24FDE3206537
depends:
vermagic:       2.6.32-754.el6.i686 SMP mod_unload modversions 686
b. Iptables user space utility
### Verify that the iptables utility exists on the system and where it resides.
[root@nglinux ~]# which iptables
/sbin/iptables
### Verify the package status of both iptables and iptables for IPv6
[root@nglinux ~]# rpm -qa | grep -i iptables
iptables-ipv6-1.4.7-16.el6.i686
iptables-1.4.7-16.el6.i686
[root@nglinux ~]#
The successor of iptables is the “nftables” utility, which was merged into the mainline Linux kernel in version 3.13.
c. Working with IPTABLES.
1. See all iptables rules
[root@nglinux ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 43104 packets, 3348K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       192.168.0.5          0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 20598 packets, 2886K bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@nglinux ~]#

OR,

[root@nglinux ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.0.5          0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@nglinux ~]#
2. Flush all rules
# iptables -F
3. Saving iptables rules.
[root@nglinux ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
4. Save rules to a file.
[root@nglinux ~]# iptables-save > ./rules
[root@nglinux ~]# cat rules
# Generated by iptables-save v1.4.7 on Thu Dec 20 20:34:26 2018
*filter
:INPUT ACCEPT [43299:3363044]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20696:2896148]
-A INPUT -s 192.168.0.5/32 -j DROP
COMMIT
# Completed on Thu Dec 20 20:34:26 2018
[root@nglinux ~]#
5. Restore rules back to system.
[root@nglinux ~]# iptables -F
[root@nglinux ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@nglinux ~]# iptables-restore < rules
[root@nglinux ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.0.5          anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@nglinux ~]#
6. Block a specific network or IP address.
### Blocking a single IP address
# iptables -A INPUT -s 192.168.5.110 -j DROP

Or,

### Block a complete network.
# iptables -A INPUT -s 192.168.5.0/24 -j DROP
7. Block a particular site.
# iptables -A OUTPUT -p tcp -d www.gmail.com -j DROP
# iptables -A OUTPUT -p tcp -d gmail.com -j DROP
Note that iptables resolves the hostname only once, when the rule is added, and installs one rule per address returned; the rule does not follow later DNS changes.
8. Port Forwarding
### To forward packets from 192.168.5.110:410 to 192.168.0.110:22.
# iptables -t nat -A PREROUTING -p tcp -d 192.168.5.110 --dport 410 -j DNAT --to 192.168.0.110:22
### DNAT only rewrites the destination: the packet must still be accepted by the
### FORWARD chain, and net.ipv4.ip_forward must be enabled for it to be forwarded.
9. Allow/Block ping requests.
### From outside to localhost
# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

### To external sites
# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

### To block the requests, do the reverse, i.e.
### in place of ACCEPT write REJECT or DROP.
10. Allow/Block HTTP traffic
To allow HTTP traffic, we can add the rules below.
# iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
### To block the requests, do the reverse, i.e.
### in place of ACCEPT write REJECT or DROP.
### The port can be changed from 80 to any other
### to block/allow any other service.
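The steps above add rules one at a time with an ACCEPT default policy, so anything not explicitly blocked still gets in. The script below is an added example, not code from the original post: it generates a default-deny, stateful INPUT ruleset in the same iptables-save format that steps 4 and 5 show, so the whole policy can be reviewed as text and then loaded atomically with iptables-restore. The management network 192.168.0.0/24 and the public ports 80 and 443 are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: generate a stateful, default-deny
# INPUT ruleset in the iptables-save format shown in steps 4 and 5, so it can
# be reviewed as text and then loaded atomically with iptables-restore.
# Assumed (hypothetical) policy: SSH is reachable only from a management
# network, HTTP/HTTPS from anywhere, pings are answered but rate-limited.

SSH_ALLOWED_FROM="192.168.0.0/24"   # constructed sample value
SERVICE_PORTS="80 443"              # constructed sample: public TCP services

# Print the filter table in iptables-save syntax. Lines starting with '#' are
# ignored by iptables-restore, so the ruleset can carry its own comments.
build_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
# replies to flows this host opened or accepted, plus related ICMP errors
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot attribute to any flow
-A INPUT -m state --state INVALID -j DROP
# answer echo-request (step 9), rate-limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# SSH only from the management network
-A INPUT -p tcp -s ${SSH_ALLOWED_FROM} --dport 22 -m state --state NEW -j ACCEPT
EOF
    for port in $SERVICE_PORTS; do
        echo "# public service on TCP/${port} (step 10)"
        echo "-A INPUT -p tcp --dport ${port} -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# log (rate-limited) what is about to hit the DROP policy
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Policy of a chain in the generated ruleset, e.g. chain_policy INPUT -> DROP
chain_policy() {
    build_filter_rules | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}

# Number of -A rules in the generated ruleset
rule_count() {
    build_filter_rules | grep -c '^-A '
}

case "${1:-print}" in
    print) build_filter_rules ;;
    # root only: iptables-restore replaces the whole filter table in one step;
    # follow with 'service iptables save' (step 3) to persist across reboots
    apply) build_filter_rules | iptables-restore ;;
    *)     echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Running the script without arguments prints the ruleset for review; `apply` pipes it into iptables-restore, which swaps the filter table in one operation rather than leaving a half-applied set of rules between individual iptables calls. The ESTABLISHED,RELATED rule at the top is what lets replies to the host's own connections in without opening any port, which is why the per-service rules only need to match NEW.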
d. Understanding IPTables: how they work
1. NetFilter Hooks
Whenever a packet enters or leaves the system, it triggers a hook in the kernel.
The respective hook performs the actions defined in the iptables chains attached to it.
There are five hooks in the Netfilter kernel module, and hence five built-in chains.
a. NF_IP_PRE_ROUTING: This hook is triggered by incoming traffic as soon as it enters the network stack, before any routing decision has been made.
b. NF_IP_LOCAL_IN: Triggered after an incoming packet has been routed, if the packet is destined for the local system.
c. NF_IP_FORWARD: Triggered after an incoming packet has been routed, if the packet is to be forwarded to a remote host.
d. NF_IP_LOCAL_OUT: Called for locally generated outbound traffic as soon as it hits the network stack.
e. NF_IP_POST_ROUTING: Triggered after routing has taken place and just before the traffic is put on the wire; it applies to both outgoing and forwarded traffic.
A priority number is associated with each table's registration on a hook; it determines the order in which the hook calls the rules of the different tables when a packet arrives.
Now we know how hooks in the netfilter kernel module are driven from the IPTables user-space utility.
2. IPtables and chains
The second thing is to understand how the iptables user-space utility works.
The iptables user-space binary consists of several rule tables, and each table has one or more chains (some tables have all five) that in turn call the respective hooks discussed above.
Let us discuss the five built-in chains and the netfilter hooks they are associated with:
Chains
a. PREROUTING: Triggers NF_IP_PRE_ROUTING hook.
b. INPUT: Triggers NF_IP_LOCAL_IN hook.
c. FORWARD: Triggers NF_IP_FORWARD hook.
d. OUTPUT: Triggers NF_IP_LOCAL_OUT hook.
e. POSTROUTING: Triggers NF_IP_POST_ROUTING hook.
Tables
Each table has one or more chains, and the tables are divided by function: whether the packet needs network address translation, needs to be filtered out, needs its IP header changed, and so on; each such function is carried out by a separate table.
Every table calls one or more chains depending on the task it performs.
Let us discuss the default tables available with iptables.
a. NAT Table
Useful for Network address translation i.e. to change source/destination address.
b. Filter Table
Used to filter out packets based on some criteria. It is the most widely used table and decides whether to accept, reject or drop a packet.
c. Mangle Table
Used to alter the IP header(s) of a packet in various ways, for example to adjust the TTL (Time To Live) value of a packet, i.e. increase or decrease the number of valid hops it can travel.
d. Raw Table
Used only to provide a mechanism for marking packets so that they opt out of connection tracking.
e. Security Table
Sets or changes the internal SELinux security context on packets, which affects how SELinux interprets the packets further on.
3. Which chains are used in the different iptables tables?
Tables↓/Chains→ | PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING |
raw             | *          |       |         | *      |             |
mangle          | *          | *     | *       | *      | *           |
filter          |            | *     | *       | *      |             |
security        |            | *     | *       | *      |             |
NAT Table
Tables↓/Chains→ | PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING |
nat (DNAT)      | *          |       |         | *      |             |
nat (SNAT)      |            | *     |         |        | *           |
(The INPUT chain of the nat table exists only on newer kernels; it does not appear in the 2.6.32 output in section 4.)
4. How are packets evaluated by chains?
Incoming packets with destination of local system: PREROUTING -> INPUT
Incoming packets destined to other network host: PREROUTING -> FORWARD -> POSTROUTING
Packets generated by Local System: OUTPUT -> POSTROUTING
[root@nglinux ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 9 packets, 950 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 556 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 556 bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@nglinux ~]# iptables -nvL -t filter
Chain INPUT (policy ACCEPT 18019 packets, 1694K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.168.0.5          0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7053 packets, 873K bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@nglinux ~]#

[root@nglinux ~]# iptables -nvL -t security
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@nglinux ~]# iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@nglinux ~]# iptables -nvL -t raw
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@nglinux ~]#
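The three packet paths above say which chains a packet crosses, and the per-table hook priority says in which order the tables are consulted at each chain. The script below is an added example, not from the original post: it is a small reference model that combines the two, so you can print the exact table:chain sequence a packet sees on each path and check whether a rule placed in a given table and chain can ever match it (a filter rule in INPUT, for instance, never sees forwarded traffic). It assumes the standard netfilter priorities (raw -300, mangle -150, nat/DNAT -100, filter 0, security 50, nat/SNAT 100) and the chain layout of the 2.6.32 output above, where the nat table has no INPUT chain.

```shell
#!/bin/sh
# Added example, not from the original post: a reference model of the order
# in which netfilter consults the iptables tables at each hook, using the
# standard netfilter priorities (raw -300, mangle -150, nat/DNAT -100,
# filter 0, security 50, nat/SNAT 100). Chain layout follows the 2.6.32
# output above (no INPUT chain in the nat table); newer kernels add
# nat:INPUT after security:INPUT.

# Tables registered on a hook, lowest priority value first.
tables_at_hook() {
    case "$1" in
        PREROUTING)  echo "raw mangle nat" ;;
        INPUT)       echo "mangle filter security" ;;
        FORWARD)     echo "mangle filter security" ;;
        OUTPUT)      echo "raw mangle nat filter security" ;;
        POSTROUTING) echo "mangle nat" ;;
        *) echo "unknown hook: $1" >&2; return 1 ;;
    esac
}

# Built-in chains a packet crosses on each of the three paths of section d.4.
chains_for_path() {
    case "$1" in
        local-in)  echo "PREROUTING INPUT" ;;
        forward)   echo "PREROUTING FORWARD POSTROUTING" ;;
        local-out) echo "OUTPUT POSTROUTING" ;;
        *) echo "unknown path: $1 (use local-in, forward or local-out)" >&2; return 1 ;;
    esac
}

# One "table:CHAIN" per line, in the order the packet is evaluated.
traversal() {
    for chain in $(chains_for_path "$1"); do
        for table in $(tables_at_hook "$chain"); do
            echo "${table}:${chain}"
        done
    done
}

# Does table $1 have built-in chain $2?  (e.g. 'iptables -t raw -A INPUT ...'
# fails with "No chain/target/match by that name" because raw:INPUT is absent.)
table_has_chain() {
    for table in $(tables_at_hook "$2"); do
        [ "$table" = "$1" ] && return 0
    done
    return 1
}

# Can a rule in table $1, chain $2 ever match a packet on path $3?
# e.g. filter:INPUT never sees forwarded packets; they must be handled in FORWARD.
rule_sees_path() {
    traversal "$3" | grep -qx "$1:$2"
}

for path in local-in forward local-out; do
    echo "== $path =="
    traversal "$path"
done
```

A practical use of `rule_sees_path` is sanity-checking where a block rule belongs before adding it: a DROP for forwarded traffic has to live in filter:FORWARD, a destination rewrite in nat:PREROUTING (or nat:OUTPUT for locally generated packets), and anything in the raw table runs before connection tracking has even seen the packet.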