LFCS - iptables

Jarret B

We have covered using the Firewall Service, and now we will cover iptables. ‘iptables’ is part of the Linux kernel and therefore is not a service.

When using ‘iptables’, the administrator can allow or deny packets based on filter rules.

Three Routing Table Chains

The Routing Tables are made up of three chains. The chains are:

  1. Input
  2. Output
  3. Forward
The Input Chain controls packets coming into the Server, while the Output Chain manages the packets leaving the Server. The Forward Chain determines what happens to packets that are passing through the Server from one network to another, when you configure the server as a router.

Keep these three chains in mind when you are creating rules for each chain.

All Linux systems should have ‘iptables’ since it is part of the kernel. You do not need to install ‘iptables’, but you need to disable and stop the firewall with:

sudo systemctl disable firewalld.service
sudo systemctl stop firewalld.service


If you do not disable and stop the service, then some commands we cover will not appear the same.

Viewing iptables

Your iptables should be empty and appear as:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


The command to list the iptables is ‘sudo iptables -L’. You can see that the policy of every chain is set to ‘ACCEPT’ everything. Since we specified no rules, the default is that it allows everything.

NOTE: I am using two VirtualBox machines, both Ubuntu, to test iptables. My Server1 has one network interface on the NAT Network (IP is 10.0.2.41). Server2 has two network interfaces, one on the NAT Network (IP is 10.0.2.42) and one Host Only (IP is 192.168.1.156). Server2 is on my local network and can access the Internet. There is no port forwarding, so Server1 cannot access the Internet.

If listing the current iptables shows entries, stop and disable the firewalld service. If that doesn’t fix the problem, then you can flush the rules from the iptables with the command ‘sudo iptables -F’.

Append a Rule to iptables

You need to keep in mind that the list of rules in a chain is processed from first to last. If two rules act on the same packets, the first of the two is used and the second is skipped. Once a rule that matches the packet is found, the remaining rules in the chain are ignored.

Let’s try a little something as a test. Let’s tell Server2 to DROP all ICMP packets. This means that a system that pings Server2 will not get a response, because Server2 will DROP every ICMP packet it receives. So, let’s run the following command on Server2:

sudo iptables -A INPUT -p ICMP -j DROP

The statement basically says: append a rule to the INPUT chain. The rule is for the ICMP protocol. Once an ICMP packet is received, the server jumps to the DROP target and discards the packet. Basically, if you issue a PING command on Server1, there will be no response, and Server1 will not even report that packets were lost.

NOTE: Issuing an iptables command requires elevated privileges. Either use ‘sudo’ before each command or ‘sudo -i’ to switch to the root user.

You can use the ‘-p’ parameter to specify the protocol, such as TCP, UDP or ICMP. If you need to specify a port number, then you can use the parameter ‘--dport #’ and specify the port number. You can then set the server to ‘DROP’ or ‘ACCEPT’ the specified packets.

Once you have set a list of rules, you can either let the remaining packets that match no rule be allowed by default, or you can drop them explicitly. As a last rule, you could use:

iptables -A INPUT -j DROP

The command will cause any packet that is not handled by an earlier rule to be dropped and ignored. It is a catch-all rule for everything not covered. Because it matches every remaining packet, no rule placed after this DROP rule will ever be reached.

Insert a Rule to iptables

If you have a list of multiple rules and you want to place a new rule in a certain spot on the list, then you can do:

iptables -I INPUT 2 -p TCP --dport 22 -j ACCEPT

In the example command, we will insert (-I) a rule in position 2 that is for TCP Port 22 (SSH) and the packets will be accepted.

What happens if you want to remove a rule, either it doesn’t apply anymore or it was typed incorrectly?

Deleting a Rule from iptables

There are two ways that you can delete rules from a chain.

The first way is to retype the command as an append (-A), but replace the append parameter with a delete parameter (-D). So, if I wanted to remove the ICMP rule, I would enter the command:

sudo iptables -D INPUT -p ICMP -j DROP

The second way to remove a rule is to specify the number of the rule in a specified chain. If the second rule in the OUTPUT chain needed to be deleted, we can use:

iptables -D OUTPUT 2

Backup/Restore Rules

Sometimes you need to keep a copy of the rules and be able to restore them, such as after a reboot. Rebooting the system loses the rules, since iptables in its current state is not persistent, but we’ll fix that soon.

If we add a few entries in iptables, we can create a backup to a file.

After you add some entries, you can back up the contents to a file named ‘iptablesbackup’. The filename can be any valid filename you want to use. The command is:

iptables-save > iptablesbackup

A new file should now be present. For an example, my file contains:

# Generated by iptables-save v1.6.1 on Sat Sep 3 02:23:39 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [51:4544]
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Sat Sep 3 02:23:39 2022


You can edit the file and save multiple files as you need for different rule settings.
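Since rules are matched first to last and a catch-all drop ends evaluation, an edited rules file can easily contain rules that never fire. The following script (an added example, not code from the original article) scans an iptables-save file for rules that sit behind a catch-all rule in the same chain; the sample file is constructed from the article’s three rules plus one deliberately unreachable rule.

```shell
#!/bin/sh
# Added example: find rules in an iptables-save file that can never match
# because an earlier rule in the same chain matches every packet and uses
# a terminating target (DROP, ACCEPT or REJECT), e.g. "-A INPUT -j DROP".

# unreachable_rules FILE -> prints "CHAIN: rule" for each dead rule.
# Exit status is 0 when no dead rules were found, 1 otherwise.
unreachable_rules() {
    awk '
        # Every appended rule starts with "-A CHAIN ...".
        $1 == "-A" {
            chain = $2
            if (chain in dead) {
                print chain ": " $0
                found = 1
                next
            }
            # A catch-all rule has no match criteria: just "-A CHAIN -j TARGET".
            if (NF == 4 && $3 == "-j" &&
                ($4 == "DROP" || $4 == "ACCEPT" || $4 == "REJECT")) {
                dead[chain] = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample in iptables-save format (not a real saved rule set).
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF

if unreachable_rules "$SAMPLE_RULES"; then
    echo "no unreachable rules"
else
    echo "the rules listed above will never be reached"
fi
```

Run it against a copy of your own ‘iptablesbackup’ before restoring it; the web rule on port 80 above is reported because the catch-all DROP precedes it.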

To reload the rules in the file back into iptables, use the command:

iptables-restore < iptablesbackup

The file name can be changed as you need. To make sure the proper rules are loaded, use the command ‘iptables -L’.

Make iptables Persistent

For Debian-based systems and Red Hat-based systems, this is the one area that differs when using iptables.

The next step adds an iptables service that will automatically save the rules.

For Debian, perform the command:

sudo apt install iptables-persistent -y

NOTE: During the installation, you’ll be asked if you want to save the current rules to be persistent. Select ‘Yes’ or ‘No’ as you prefer.

For Red Hat (RPM) systems, execute:

sudo yum install iptables-services -y

Once the installation is completed, you can save the rules to a specific file that is loaded automatically.

For a Debian system, the files are:

/etc/iptables/rules.v4
/etc/iptables/rules.v6


For the RPM system, the file is located:

/etc/sysconfig/iptables

In CentOS, there is a configuration file ‘/etc/sysconfig/iptables-config’ that can be edited for auto-saving the rules. In the file, look for:

IPTABLES_SAVE_ON_RESTART
IPTABLES_SAVE_ON_STOP


Set them both to ‘yes’ at the end of the line instead of ‘no’. This will cause the iptables to be saved automatically when the service is stopped or restarted. When the service starts, it will load the rules from the file mentioned before.
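The two auto-save switches can be flipped from a script rather than by hand. The functions below are an added example, not part of the original article; they edit a constructed excerpt of ‘/etc/sysconfig/iptables-config’ and then verify that both settings read ‘yes’.

```shell
#!/bin/sh
# Added example: turn on IPTABLES_SAVE_ON_STOP and IPTABLES_SAVE_ON_RESTART
# in an iptables-config style file (KEY="value" lines) and verify the result.

# enable_autosave FILE -> rewrites both switches to "yes", whatever they were.
enable_autosave() {
    sed -i \
        -e 's/^IPTABLES_SAVE_ON_STOP=.*/IPTABLES_SAVE_ON_STOP="yes"/' \
        -e 's/^IPTABLES_SAVE_ON_RESTART=.*/IPTABLES_SAVE_ON_RESTART="yes"/' \
        "$1"
}

# autosave_enabled FILE -> exit 0 only if both switches are set to "yes".
autosave_enabled() {
    [ "$(grep -E -c '^IPTABLES_SAVE_ON_(STOP|RESTART)="yes"' "$1")" -eq 2 ]
}

# Constructed excerpt of the config file, with the weak "no" defaults.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
# constructed excerpt of /etc/sysconfig/iptables-config
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
EOF

if autosave_enabled "$CONF"; then
    echo "auto-save already enabled"
else
    enable_autosave "$CONF"
    autosave_enabled "$CONF" && echo "auto-save enabled in $CONF"
fi
rm -f "$CONF"
```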

For either Ubuntu or CentOS, you can save the rules yourself by the command:

iptables-save > <persistent file>

The persistent file locations are:

Ubuntu: /etc/iptables/rules.v4 and /etc/iptables/rules.v6
CentOS: /etc/sysconfig/iptables


Once the service is started and enabled to start when the system starts, the files are read by the service and the saved rules loaded.

Conclusion

The article should give you an understanding of iptables. If you plan on taking the certification exam, be sure to understand the concepts and be able to perform setting up rules.

Of course, understanding and performing the commands for each LFCS article is important for the certification exam.