iptables is the userspace command line program used to configure the Linux 2.4.x and later IPv4 packet filtering ruleset. It is targeted towards system administrators. Since Network Address Translation is also configured from the packet filter ruleset, iptables is used for this, too.
iptables is the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores. Different kernel modules and programs are currently used for different protocols
- iptables applies to IPv4
- ip6tables to IPv6
- arptables to ARP
- ebtables to Ethernet frames.
- List the rules in the chain(s)
- Accept inbound traffic
- Add rules
- Deleting Rules
- Inserting rules
- Relaying HTTP Port 80 Connections to 8080
- Blocking Incoming Traffic Based on Networks
- IP Range Match
- Whitelisting Incoming Traffic From specific IP addresses / Netetworks
- State Match
- conntrack match
- Filtering DNS
- Example iptables rules
List the rules in the chain(s)
Accept inbound traffic
Set default policy for INPUT (inbound traffic) to DROP (deny by default)
Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
NOTE: ALL -m tcp is OPTIONAL.
OR do the above at once (plus specify the interface => eth0)
Allow PPTP VPN on port 1723
Allow ping (ICMP)
Allow outbound traffic
The example allows all outbound traffic, change it if needed
Accepts all established inbound and outbound connections
IMPORTANT: add rules to the INPUT / OUTPUT chain which allows ESTABLISHED and RELATED packets
Reject all other inbound - default deny unless explicitly allowed policy
The loopback port is blocked. We could have written the drop rule for just eth0 by specifying -i eth0, but we could also add a rule for the loopback. If we append this rule, it will come too late - after all the traffic has been dropped. We need to insert this rule before that. Since this is a lot of traffic, we'll insert it as the first rule so it's processed first.
Flush the selected chain.
Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
IMPORTANT: remember to change INPUT chain policy to ACCEPT before flushing if you are doing it via SSH!!!
List rules in a specified chain
Relaying HTTP Port 80 Connections to 8080
Check if both ports - 8080 and 80 are open in your iptables script.
Add a NAT rule on your iptables to redirect the default port 8080 to the destination port 80.
Relay port 80 TCP connections to Tomcat port 8080
NOTE: By default Tomcat listens on port 8080. To have the Tomcat server itself listen on HTTP port 80, Tomcat would have to run as root since only root can listen on ports below 1024 on *NIX. However, for security reasons this is NOT recommended.
- Relay port 80 TCP connections to port 8080 using Netfilter / iptables
- Use Apache or Nginx as reverse proxy in front of Tomcat
Blocking Incoming Traffic Based on Networks
Used to match package coming from specific IP or network
NOTE: This is the source match, which is used to match packets, based on their source IP address. The main form can be used to match single IP addresses, such as 192.168.1.1. It could also be used with a netmask in a CIDR "bit" form, by specifying the number of ones (1's) on the left side of the network mask. This means that we could for example add /24 to use a 255.255.255.0 netmask. We could then match whole IP ranges, such as our local networks or network segments behind the firewall. The line would then look something like 192.168.0.0/24. This would match all packets in the 192.168.0.x range. Another way is to do it with a regular netmask in the 255.255.255.255 form (i.e., 192.168.0.0/255.255.255.0). We could also invert the match with an ! just as before. If we were, in other words, to use a match in the form of --source ! 192.168.0.0/24, we would match all packets with a source address not coming from within the 192.168.0.x range. The default is to match all IP addresses.
- 255.255.255.0 => 11111111.11111111.11111111.00000000 => /24
- 255.255.255.255 => 11111111.11111111.11111111.11111111 => /32
- 255.255.0.0 => 11111111.11111111.00000000.00000000 => /16
- 255.0.0.0 => 11111111.00000000.00000000.00000000 => /8
- 255.255.252.0 => 11111111.11111111.11111100.00000000 /22
- 255.255.255.128 => 11111111.11111111.11111111.10000000 => /25
Use to match package going to specific IP or network
NOTE: The --destination match is used for packets based on their destination address or addresses. It works pretty much the same as the --source match and has the same syntax, except that the match is based on where the packets are going to. To match an IP range, we can add a netmask either in the exact netmask form, or in the number of ones (1's) counted from the left side of the netmask bits. Examples are: 192.168.0.0/255.255.255.0 and 192.168.0.0/24. Both of these are equivalent. We could also invert the whole match with an ! sign, just as before. --destination ! 192.168.0.1 would in other words match all packets except those destined to the 192.168.0.1 IP address.
IP Range Match
The IP range match is used to match IP ranges, just as the --source and --destination matches are able to do as well. However, this match adds a different kind of matching in the sense that it is able to match in the manner of from IP - to IP, which the --source and --destination matches are unable to. This may be needed in some specific network setups, and it is rather a bit more flexible. The IP range match is loaded by using the -m iprange keyword.
Block IP range 192.168.1.13-192.168.2.19
NOTE: This matches a range of source IP addresses. The range includes every single IP address from the first to the last, so the example above includes everything from 192.168.1.13 to 192.168.2.19. The match may also be inverted by adding an !.
Invert by using !
The above example would then look like -m iprange ! --src-range 192.168.1.13-192.168.2.19, which would match every single IP address, except the ones specified.
Matches packets destined to IP range.
NOTE: The --dst-range works exactly the same as the --src-range match, except that it matches destination IP's instead of source IP's.
Whitelisting Incoming Traffic From specific IP addresses / Netetworks
Add rules to INPUT chain and then change the default policy to DROP
NOTE: State match rule is very IMPORTANT!!! See below.
The state match extension is used in conjunction with the connection tracking code in the kernel. The state match accesses the connection tracking state of the packets from the conntracking machine. This allows us to know in what state the connection is, and works for pretty much all protocols, including stateless protocols such as ICMP and UDP. In all cases, there will be a default timeout for the connection and it will then be dropped from the connection tracking database. This match needs to be loaded explicitly by adding a -m state statement to the rule. You will then have access to one new match called state. The concept of state matching is covered more fully in the The state machine chapter, since it is such a large topic.
What does it mean!?
NOTE: This match option tells the state match what states the packets must be in to be matched.
There are currently 4 states that can be used
- INVALID - means that the packet is associated with no known stream or connection and that it may contain faulty data or headers.
- ESTABLISHED - means that the packet is part of an already established connection that has seen packets in both directions and is fully valid.
- NEW - means that the packet has or will start a new connection, or that it is associated with a connection that has not seen packets in both directions.
- RELATED - means that the packet is starting a new connection and is associated with an already established connection.
This could for example mean an FTP data transfer, or an ICMP error associated with a TCP or UDP connection. Note that the NEW state does not look for SYN bits in TCP packets trying to start a new connection and should, hence, not be used unmodified in cases where we have only one firewall and no load balancing between different firewalls. However, there may be times where this could be useful. For more information on how this could be used, read the The state machine chapter.
The conntrack match is an extended version of the state match, which makes it possible to match packets in a much more granular way. It let's you look at information directly available in the connection tracking system, without any "frontend" systems, such as in the state match. For more information about the connection tracking system, take a look at the The state machine chapter.
This match is used to match the state of a packet, according to the conntrack state. It is used to match pretty much the same states as in the original state match.
The valid entries for this match are
NOTE: The entries can be used together with each other separated by a comma. For example, -m conntrack --ctstate ESTABLISHED,RELATED. It can also be inverted by putting a ! in front of --ctstate. For example: -m conntrack ! --ctstate ESTABLISHED,RELATED, which matches all but the ESTABLISHED and RELATED states.
Filtering GFW DNS pollution
Example iptables rules
Example iptables rules on a Ubuntu Server
Example 2 (with comments)
Example 3 - clearing - iptables rules
Example 4 - script to start/reload/stop iptables rules
Load iptables rules on boot
Dump iptables rules - backup
Restore iptables rules from file
Write a script named iptables in /etc/network/if-pre-up.d instead of /etc/network/if-up.d
IMPORTANT: The pre-up configuration activates the iptables rules before the public interface (e.g. eth0) comes up. For security reasons (best practice) it's important that firewall rules are established before the network interfaces come up.
Make it executable
OR it can be done directly in /etc/network/interfaces - the network interface configuration for ifup and ifdown
NOTE: There exists for each of the above mentioned options a directory /etc/network/if-<option>.d/ the scripts in which are run (with no arguments) using run-parts after the option itself has been processed. Please note that as post-up and pre-down are aliases, NO files in the corresponding directories are processed. Use if-up.d and if-down.d directories instead.