IPTables

System And Network Security


Introduction
• “iptables” is the default firewall that comes with most modern
GNU/Linux distributions
• It also has the capability to block some types of Denial of
Service attack.
• It can also filter based on MAC address.
• IPTables performs Network Address Translation
Tables And Chains
Tables
• iptables has 4 built-in tables
• Filter Table
• NAT Table
• Mangle Table
• Raw table
Filter Table
• Filter is the default table for iptables
• The iptables filter table has the following built-in chains.
• INPUT chain
• Incoming to the firewall. For packets destined to the local server.
• OUTPUT chain
• Outgoing from the firewall. For packets generated locally and going out
of the local server.
• FORWARD chain
• Packets for another NIC on the local server. For packets routed
through the local server.
NAT Table
• The iptables NAT table has the following built-in chains.
• PREROUTING chain
• Packet translation happens immediately after the packet comes to
the system (before routing).
• Translates the destination IP address: DNAT (destination NAT).
• POSTROUTING chain
• Packet translation happens when the packets are leaving the system.
• Translates the source IP address: SNAT (source NAT).
• OUTPUT chain
• NAT for locally generated packets on the firewall.
Mangle Table And Raw Table
• The iptables Mangle table is for specialized packet alteration.
• This alters QoS bits in the TCP header.
• Mangle table has the following built-in chains.
• PREROUTING chain
• OUTPUT chain
• FORWARD chain
• INPUT chain
• POSTROUTING chain
• The iptables Raw table is for configuration exceptions (for example,
exempting packets from connection tracking).
• The Raw table has the following built-in chains.
• PREROUTING chain
• OUTPUT chain
IPTables Rules
• A rule contains match criteria and a target.
• If the criteria are matched, processing jumps to the rules in the
target chain, or the special target value named in the rule is
executed.
• If the criteria are not matched, processing moves on to the next rule.
• Some target values are:
• ACCEPT
• DROP
• LOG
• REJECT
• MASQUERADE
Examples
• Syntax:
iptables -t <tablename> -A <chain> <match criteria> -j <target>
Example:
>>>iptables -F
>>>iptables -L
>>>iptables -A INPUT -p tcp -s 10.10.10.10 --dport 3306 -j ACCEPT
>>>iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 195.55.55.78 --dport 22 -m state --state NEW,ESTABLISHED -j DROP
>>>iptables -A TCP_FLAGS -p tcp --tcp-flags ACK,FIN FIN -j REJECT
NAT
• DNAT
• Destination NAT is always done before routing.
• Done when the packet first comes off the wire.
• Port forwarding, load sharing, and transparent proxy are all forms
of DNAT.
• SNAT
• Source NAT is always done post-routing.
• Done just before the packet goes out onto the wire.
• Masquerading is a specialized form of SNAT.
Example SNAT
• iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
• MASQUERADE automatically chooses the source address from the outgoing interface
• MASQUERADE forgets old connections when the interface goes down
• iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
Example DNAT
• iptables -t nat -A PREROUTING -d 10.10.20.99 -j DNAT --to-destination 10.10.14.2
• iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
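The pieces above (filter chains with a default-deny policy, a user-defined TCP_FLAGS chain, the LOG/DROP/REJECT/ACCEPT targets, DNAT in PREROUTING and MASQUERADE in POSTROUTING) combined into one ruleset in iptables-restore format, as an added example that is not part of the original slides. The interface names (eth0/eth1), the LAN network 192.168.1.0/24 and the internal web host 192.168.1.20 are assumed placeholders; the script only prints the ruleset, it never applies it.

```shell
#!/bin/sh
# Added example: generate a complete iptables-restore ruleset covering the
# filter and nat tables described in the slides. Interface names and
# addresses below are assumed placeholders, override them via environment.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB_HOST=${WEB_HOST:-192.168.1.20}

# Print the ruleset on stdout, one *table ... COMMIT block per table.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP_FLAGS - [0:0]
# user chain: reject/drop illegal TCP flag combinations (as on the slide)
-A TCP_FLAGS -p tcp --tcp-flags ACK,FIN FIN -j REJECT
-A TCP_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -j TCP_FLAGS
-A INPUT -i $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# rate-limited LOG of everything the INPUT policy is about to DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN -o $LAN -p tcp -d $WEB_HOST --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT before routing: public port 80 is forwarded to the internal web host
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST
# SNAT after routing: LAN clients are masqueraded behind the WAN address
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Count rules jumping to a target inside one table, e.g. rule_count nat MASQUERADE
rule_count() {
    build_ruleset | sed -n "/^\*$1/,/^COMMIT/p" | grep -c -- "-j $2"
}

# Usage: sh firewall.sh --print > rules.v4 && iptables-restore --test < rules.v4
case "${1:-}" in --print) build_ruleset ;; esac
```

`iptables-restore --test` parses the file without loading it, so the ruleset can be checked before it replaces the live one.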