What is IPTables? By definition it is a packet selection system that has been built on top of the Netfilter framework, so essentially IPTables is just a front end to the very powerful Netfilter. All IPTables does is allow you to make use of the Netfilter framework without having to do your own kernel hacking: it lets you insert, update and list rules, create chains, etc. Essentially it's a user-friendly way of creating firewall rulesets by inserting kernel modules that perform certain actions on packets based on whether the packets meet certain criteria.
Netfilter, on the other hand, is the power behind IPTables. The Netfilter framework is compiled into the kernel, and essentially it inserts a set of hooks into the kernel protocol stacks for IPv4, IPv6 and DECnet. That way, when a packet passes through the kernel, the Netfilter hook always gets called, and then actions can be taken if need be.
A table is an IPTables construct that delineates broad categories of functionality, such as packet filtering or Network Address Translation. There are four tables: filter, nat, mangle and raw.
Filtering rules are applied to the filter table, NAT rules are applied to the nat table, specialized rules that alter packet data are applied to the mangle table, and rules that should function independently of the Netfilter connection-tracking subsystem are applied to the raw table.
Each table has its own set of built-in chains, but user-defined chains can also be created so that the user can build a set of rules that is related by a common tag. The most important built-in chains, as far as I'm concerned, are the INPUT, OUTPUT and FORWARD chains in the filter table.
- The INPUT chain is traversed by packets that are destined for the local Linux system, after a routing calculation has been made within the kernel (i.e. a packet destined for a local socket).
- The OUTPUT chain is reserved for packets that are generated by the Linux system itself.
- The FORWARD chain governs packets that are routed through the Linux system.
Two additional chains that are important for any serious iptables deployment are the PREROUTING and POSTROUTING chains in the nat table, which are used to modify packet headers before and after an IP routing calculation is made within the kernel.
An iptables match is a condition that must be met by a packet in order for iptables to process the packet according to the action specified by the rule target. For example, to apply a rule only to TCP packets, you can use the --protocol match (or its short form, -p tcp).
iptables supports a set of targets that trigger an action when a packet matches a rule. The most important targets I use are:
- ACCEPT – Allows the packet through the firewall.
- DROP – Discards the packet silently, as though it was never received.
- LOG – Logs the packet to syslog (via the kernel log) and then continues with the next rule in the chain.
- REJECT – Drops the packet but sends a response back to the source (e.g. a TCP RST).
- RETURN – Stops evaluating the current chain and hands the packet back to the calling chain, where processing continues with the next rule (in a built-in chain, the chain policy applies instead).
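The following is an added example, not part of the original post, that ties the tables, the built-in and user-defined chains, the --protocol and conntrack matches, and every target listed above into one ruleset in iptables-restore format. The interface names (eth0/eth1), the 192.0.2.0/24 addresses and the port numbers are assumptions chosen for illustration; the SSH_GUARD chain shows RETURN handing a packet back to INPUT, and the nat, mangle and raw tables each carry one rule of the kind the text assigns to them.

```shell
#!/bin/sh
# Added example (not the original post's code): generate a complete
# iptables-restore ruleset that exercises each table, chain and target
# described in the post. All interface names, addresses and ports below
# are assumptions for illustration (192.0.2.0/24 is a documentation range).

WAN_IF="${WAN_IF:-eth0}"               # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"               # assumed internal interface
WEB_SERVER="${WEB_SERVER:-192.0.2.10}" # assumed internal host reached via DNAT
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}" # assumed network allowed to open SSH

# Emit the ruleset on stdout. Generating it as text first lets it be
# reviewed and checked before anything is loaded into the kernel.
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_GUARD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_GUARD
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j DROP
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${WAN_IF} -p tcp -d ${WEB_SERVER} --dport 80 -j ACCEPT
-A SSH_GUARD -s ${ADMIN_NET} -j RETURN
-A SSH_GUARD -m limit --limit 3/min -j LOG --log-prefix "ssh-new-blocked: "
-A SSH_GUARD -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ${WAN_IF} -p tcp --dport 8080 -j DNAT --to-destination ${WEB_SERVER}:80
-A POSTROUTING -o ${WAN_IF} -j MASQUERADE
COMMIT
*mangle
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp --dport 22 -j DSCP --set-dscp-class EF
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport 53 -j CT --notrack
COMMIT
EOF
}

# Names of the tables the ruleset touches, one per line, in order.
table_names() {
    gen_ruleset | sed -n 's/^\*//p'
}

# Number of rules (-A lines) across all tables.
rule_count() {
    gen_ruleset | grep -c -e '^-A '
}

# Rules appended to one chain, e.g. "rules_in SSH_GUARD".
rules_in() {
    gen_ruleset | grep -e "^-A $1 "
}

# Print the ruleset by default; load it atomically only when asked.
# iptables-restore replaces each listed table in one transaction, so a
# partially-applied ruleset never ends up in the kernel.
if [ "${1:-}" = "--apply" ]; then
    gen_ruleset | iptables-restore
else
    gen_ruleset
fi
```

Run the script with no arguments to review the generated ruleset, then `sh script.sh --apply` as root to load it; `iptables -L -v -n` and `iptables -t nat -L -v -n` show the per-rule packet counters afterwards. A new SSH connection from ADMIN_NET hits RETURN in SSH_GUARD and falls back to the next INPUT rule, which accepts it; from anywhere else it is logged (rate-limited so the log cannot be flooded) and dropped. Remaining TCP gets a RST via REJECT, everything else is logged and dropped by the explicit DROP and the INPUT policy. DNAT sits in nat PREROUTING because it must rewrite the destination before the routing decision, while MASQUERADE sits in POSTROUTING because the source is rewritten after it.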
More IPTables coming soon!