A Brief History
Iptables, built on the netfilter framework, has been the default firewall software in Linux for nearly two decades. The netfilter/iptables framework is a kernel module that has been supported since kernel version 2.3; it was developed by Rusty Russell back in 1999. You can check his personal blog here: https://rusty.ozlabs.org
A Strong Security Solution
Iptables is very reliable and secure software, and notably it is not used only as a local machine firewall. A Linux OS with iptables installed on a machine can also serve as a hardware router/firewall solution. In addition, there are even some open source software appliances that act as a router/firewall based on Linux and iptables.
Netfilter Architecture
The Netfilter architecture is divided into the following three layers: tables, chains and rules (see the picture below).
At the lowest level are the tables, which represent the type of packet processing applied to traffic passing through the firewall. The basic tables in frequent use are the following:
- Filter: Table for packet filtering.
- NAT: Table for NAT rules.
- Mangle: Table for mangling packets.
At the next layer are the chains, which are simply lists of rules associated with each particular table. Finally, at the top are the actual firewall rules controlling access to the system.
Iptables in use
So let's check whether there are any iptables rules loaded on our system. Run:
#iptables -L
and you'll get something like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
KUBE-FIREWALL all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
KUBE-FIREWALL all -- anywhere anywhere
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain KUBE-FIREWALL (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
On this particular host there are some rules generated by the Docker and Kubernetes deployment.
The first column (target) is the chain or verdict a matching packet is handed to. The second column (prot) is the protocol the rule applies to, and the third column (opt) holds the IP options. Finally, source and destination are the source/destination IP address or subnet the rule matches.
Now let's say we need to blacklist an IP address so that our host blocks every packet coming from or going to this particular IP:
#iptables -A INPUT -s <ipaddress to block> -j DROP
With that rule the firewall simply drops every incoming packet from the blacklisted IP address. The rule belongs to the filter table (the default when no -t option is given) and to the INPUT chain. The -s switch matches the source IP address.
#iptables -A OUTPUT -d <ipaddress to block> -j DROP
With that rule the firewall drops every outgoing packet whose destination IP is the blacklisted address. This rule also belongs to the filter table, but this time it is in the OUTPUT chain. Instead of the source we now match the destination IP address, hence the -d switch.
On another occasion we may need to allow SSH connections to our host:
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
or block ping requests:
#iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
So you get the idea of how this works.
Iptables as a router
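As an added example (not from the original article), the INPUT/OUTPUT rules above assembled into one small script, in an order that does not lock out a remote administrator, and with the default-DROP policy that actually gives the SSH ACCEPT rule a purpose (on a chain whose policy is already ACCEPT, that rule changes nothing). The blocked address and SSH port are constructed placeholders; setting IPTABLES=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Host firewall built from the rules on the page, applied in a safe order.
# Set IPTABLES=echo to print the commands instead of running them (dry run).
IPTABLES="${IPTABLES:-iptables}"

# Accept only a dotted-quad IPv4 address with each octet 0-255; returns 1 otherwise,
# so a malformed or shell-hostile string never reaches the iptables command line.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# build_ruleset <blocked-ip> [ssh-port]
build_ruleset() {
    blocked="$1"
    ssh_port="${2:-22}"
    valid_ipv4 "$blocked" || { echo "invalid IPv4 address: $blocked" >&2; return 1; }

    # 1. Start from clean INPUT/OUTPUT chains, keeping the policies ACCEPT until
    #    the allow rules exist. Note: on a host like the one listed above this
    #    also removes the Docker/Kubernetes jumps, so iptables-save first.
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT

    # 2. Blacklist first: rules are evaluated top to bottom and the first match wins.
    $IPTABLES -A INPUT -s "$blocked" -j DROP
    $IPTABLES -A OUTPUT -d "$blocked" -j DROP

    # 3. Loopback and replies to connections the host already opened.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # 4. New SSH connections, and the ping block from the page.
    $IPTABLES -A INPUT -p tcp --dport "$ssh_port" -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP

    # 5. Only now deny everything else by default; this is what makes the
    #    SSH ACCEPT rule meaningful.
    $IPTABLES -P INPUT DROP
}

# Stand-alone use: ./firewall.sh 203.0.113.5 [22]   (constructed example address)
if [ "$#" -gt 0 ]; then build_ruleset "$@"; fi
```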
In this case it is possible to use a Linux box as a gateway that routes LAN traffic to the internet. For this operation you use the PREROUTING and POSTROUTING chains of the nat table.
The PREROUTING chain processes incoming network packets as they arrive at the Linux box, before the routing decision is made. So in practice you use PREROUTING for port forwarding in most cases, for example:
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.10:80
This rule lets a web server inside the LAN be reached from outside, by redirecting HTTP traffic arriving on eth0 from outside the LAN (the internet) to port 80 of the web server's IP (192.168.1.10).
The POSTROUTING chain processes outgoing network packets from the Linux box to the internet, and it is the chain that sends all the LAN traffic outside; this is where the NAT process happens, so the rule is:
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Based on that you can build your own firewall appliance just by using a single PC with a couple of network interfaces.
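As an added example (not the article's own script), the PREROUTING and POSTROUTING rules above combined with the two things the article leaves implicit: the kernel's IP forwarding switch, and FORWARD-chain rules, since the FORWARD policy DROP shown in the listing earlier means MASQUERADE and DNAT alone forward nothing. Assumed names: eth0 faces the internet, eth1 faces a LAN of 192.168.1.0/24, the web server is 192.168.1.10; IPTABLES=echo and SYSCTL=echo give a dry run.

```shell
#!/bin/sh
# Two-NIC Linux box as a LAN gateway. Assumptions (not from the article):
# WAN on eth0, LAN 192.168.1.0/24 on eth1. Override via environment variables.
IPTABLES="${IPTABLES:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

setup_gateway() {
    # Routing between interfaces is off by default; without it the FORWARD
    # chain never sees a packet, whatever the nat table says.
    $SYSCTL -w net.ipv4.ip_forward=1

    # The page's POSTROUTING rule, limited to the LAN prefix so the box does
    # not masquerade for sources it is not responsible for.
    $IPTABLES -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # Deny forwarding by default, then allow LAN -> WAN and the replies back.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPTABLES -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# forward_port <tcp-port> <lan-host>: the page's PREROUTING/DNAT rule plus the
# FORWARD rule a DNAT'd packet still needs under a DROP policy.
forward_port() {
    port="$1"; target="$2"
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$target:$port"
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$target" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Stand-alone use: ./gateway.sh apply
if [ "${1:-}" = apply ]; then setup_gateway && forward_port 80 192.168.1.10; fi
```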