iptables

iptables is a rule-based packet processing system that lets us control how network traffic is handled. It is built on top of the Linux Netfilter framework and is commonly used for firewalling, NAT (Network Address Translation) and packet filtering.

When packets enter or leave the Linux machine, they flow through a series of checkpoints inside the kernel. Each checkpoint evaluates the packets against a list of predefined rules to decide what action should be taken. Those actions include allowing packets to pass, dropping packets, and modifying packets, for example with DNAT (Destination Network Address Translation) or SNAT (Source Network Address Translation).

iptables organizes packet processing into stages called chains, each of which belongs to a specific table. For incoming traffic, the packet flow looks like this: the packets first reach the PREROUTING chain, where they can be modified before the routing decision is made. Then the system decides whether the packets are meant for the local machine or should be forwarded to another machine. If the destination is the local machine, the packets flow through the INPUT chain. If the destination is another machine, the packets flow through the FORWARD chain and then reach the POSTROUTING chain before they leave. Locally generated traffic flows through the OUTPUT chain and then on to POSTROUTING if the destination is another machine, or to the INPUT chain if the destination is the local machine.

iptables uses different tables to organise rules by purpose. The nat table is used to modify packets, for example with DNAT and SNAT. The filter table is used to decide which packets are allowed or dropped. The mangle table is used for advanced packet modifications. The raw table is used to control connection tracking behaviour.

One important characteristic of iptables is that rules are processed sequentially: each packet is checked against the rules one by one until a matching rule is found. Because of this, the ordering of rules is very important, and performance can degrade as the number of rules becomes large.
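To make the first-match behaviour concrete, here is a small model of a filter chain, added as an example and not part of the original article or of iptables itself. It assumes simplified rules that match on protocol, destination port and an exact source address, and it also flags rules that an earlier, more general rule shadows so they can never match.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str   # e.g. "tcp", "udp"
    dport: int   # destination port
    src: str     # source address (plain string; no CIDR logic in this model)

@dataclass(frozen=True)
class Rule:
    """A filter-table rule: unset fields (None) match anything, like omitting -p/--dport/-s."""
    target: str                 # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    dport: Optional[int] = None
    src: Optional[str] = None

    def _fields(self):
        return (self.proto, self.dport, self.src)

    def matches(self, pkt: Packet) -> bool:
        pkt_fields = (pkt.proto, pkt.dport, pkt.src)
        return all(c is None or c == v for c, v in zip(self._fields(), pkt_fields))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` would also match self (self is at least as general)."""
        return all(a is None or a == b for a, b in zip(self._fields(), other._fields()))

def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, Optional[int]]:
    """Walk the chain in -A order; the first matching rule decides. Returns (verdict, rule index)."""
    for idx, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.target, idx
    return policy, None           # no rule matched: the chain's default policy applies

def shadowed(chain: List[Rule]) -> List[Tuple[int, int]]:
    """Return (later, earlier) index pairs where the later rule can never be reached."""
    found = []
    for j, later in enumerate(chain):
        for i in range(j):
            if chain[i].covers(later):
                found.append((j, i))
                break
    return found

if __name__ == "__main__":
    # Constructed sample: allow SSH then drop everything else, versus the reversed order
    ssh = Packet("tcp", 22, "198.51.100.7")
    good = [Rule("ACCEPT", proto="tcp", dport=22), Rule("DROP")]
    bad = [Rule("DROP"), Rule("ACCEPT", proto="tcp", dport=22)]
    print(evaluate(good, ssh), evaluate(bad, ssh), shadowed(bad))
```

With the reversed ordering the ACCEPT rule is never reached, which is exactly the mistake the paragraph above warns about.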

Command Options

-t = Table (optional; default is the firewall (filter) table)
-A = Append a rule to a chain
-o = Output network interface
-p = Protocol
--dport = Destination port
-j = Jump to a target (the action to take)

INPUT = INPUT chain
ACCEPT, DROP = action applied to the matching packets
PREROUTING = append rules to the PREROUTING chain
POSTROUTING = append rules to the POSTROUTING chain
eth0 = network interface
MASQUERADE = rewrite the source address to the machine's own IP

Allow Incoming Packets (Using Firewall Table)

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

This rule allows incoming SSH traffic to port 22.

Block Incoming Packets

iptables -A INPUT -p tcp --dport 80 -j DROP

This rule blocks incoming traffic to port 80.

DNAT/SNAT (Using NAT Table)

iptables -t nat -A PREROUTING \
-p tcp --dport 80 \
-j DNAT --to-destination <<target_destination>>

This rule rewrites the destination of incoming packets addressed to port 80 and redirects them to the destination given in the rule.

iptables -t nat -A POSTROUTING \
-o eth0 \
-j MASQUERADE

This rule rewrites the source address of packets before they leave the machine through eth0. It is used together with DNAT so that replies from the redirected destination come back through the machine that redirected the packets.