Main iptables Settings

By | June 6, 2009

Iptables is the firewall and packet-filtering replacement for Ipchains, which had a number of shortcomings. Iptables not only offers far more features than Ipchains, its structure is also more sensible and easier to understand. Because it is regarded as a faster and more secure alternative to Ipchains, Iptables has become the default firewall package for a number of Linux distributions.

Before we move on let me mention some distinct features of Iptables:

  • Better integration with the Linux kernel with the capability of loading iptables-specific kernel modules designed for improved speed and reliability.
  • A clean separation of packet filtering and network address translation (NAT).
  • Stateful packet inspection, i.e. the firewall keeps track of each connection passing through it and in certain cases will view the contents of data flows in an attempt to anticipate the next action of certain protocols. This is an important feature in the support of active FTP and DNS, as well as many other network services.
  • Better network address translation (NAT).
  • Rate-limited connection and logging capability.
  • The ability to conduct packet filtering by TCP flags and TCP options, MAC addresses, and even by time of day.

How to determine the status of iptables?

To determine if iptables is running, use the service iptables status command.

# service iptables status
#Firewall is stopped.

How to start iptables?

To start, stop or restart iptables after booting use the following commands:

# service iptables start

# service iptables stop

# service iptables restart

Use the chkconfig command, if you want iptables to start at boot:

# chkconfig iptables on

Packet Processing In iptables

A packet represents a singular unit sent over a network, containing a header and a data portion. Packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain.

Altogether there are three tables…

The first one is the mangle table, which is responsible for altering the quality of service bits in the TCP header. It is rarely used in a SOHO environment.

The second table is the filter queue which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules:

  • FORWARD – Filters packets to servers protected by the firewall.
  • INPUT – Filters packets destined for the firewall.
  • OUTPUT – Filters packets originating from the firewall.

The third table is the NAT queue which is responsible for network address translation. It has three built-in chains:

  • PREROUTING – NATs packets when the destination address of the packet needs to be changed.
  • POSTROUTING – NATs packets when the source address of the packet needs to be changed.
  • OUTPUT – Network address translation for packets generated by the firewall. (Rarely used in SOHO environments).

You need to specify the table and the chain for each firewall rule you create. There is one exception: most rules are related to filtering, so iptables assumes that any chain specified without an associated table belongs to the filter table. The filter table is therefore the default.

Now let’s take a closer look at some common scripts you can use to get iptables working.

Basic Operating System Defense

Linux operating system has a number of built-in protection mechanisms that you should activate by modifying the system kernel parameters in the /proc filesystem via the /etc/sysctl.conf file.

Here is a sample configuration:

# File: /etc/sysctl.conf

#---------------------------------------------------------------
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state
# Also protects against IP spoofing
#---------------------------------------------------------------

net/ipv4/conf/all/rp_filter = 1

#---------------------------------------------------------------
# Enable logging of packets with malformed IP addresses
#---------------------------------------------------------------

net/ipv4/conf/all/log_martians = 1

#---------------------------------------------------------------
# Disable redirects
#---------------------------------------------------------------

net/ipv4/conf/all/send_redirects = 0

#---------------------------------------------------------------
# Disable source routed packets
#---------------------------------------------------------------

net/ipv4/conf/all/accept_source_route = 0

#---------------------------------------------------------------
# Disable acceptance of ICMP redirects
#---------------------------------------------------------------

net/ipv4/conf/all/accept_redirects = 0

#---------------------------------------------------------------
# Turn on protection from Denial of Service (DOS) attacks
#---------------------------------------------------------------

net/ipv4/tcp_syncookies = 1

#---------------------------------------------------------------
# Disable responding to ping broadcasts
#---------------------------------------------------------------

net/ipv4/icmp_echo_ignore_broadcasts = 1

#---------------------------------------------------------------
# Enable IP routing. Required if your firewall is protecting a
# network, NAT included
#---------------------------------------------------------------

net/ipv4/ip_forward = 1
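Writing the values into /etc/sysctl.conf does not by itself prove they are active: the file is only read at boot or when sysctl -p is run, and another script or package may have changed a value since. The following audit script is an added example, not part of the original article; it reads the same eight keys back from the /proc filesystem and reports any that differ from the sample configuration. The optional root-directory argument and the make_fake_proc helper are assumptions of this example, added so the check can be exercised against a constructed copy of /proc/sys without root privileges.

```shell
#!/bin/sh
# Added example (not from the original article): check that the
# sysctl.conf hardening values are actually active in the running
# kernel by reading them back from /proc/sys.

# Expected key=value pairs, identical to the sysctl.conf sample.
EXPECTED="
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/all/log_martians=1
net/ipv4/conf/all/send_redirects=0
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/accept_redirects=0
net/ipv4/tcp_syncookies=1
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/ip_forward=1
"

# audit_sysctl [root]: prints one line per mismatch
# ("key expected=X actual=Y") and returns the number of mismatches
# as its exit status, so 0 means every value is active.
# root defaults to the real /proc/sys; passing another directory is an
# assumption of this example used for offline testing.
audit_sysctl() {
    root="${1:-/proc/sys}"
    bad=0
    for pair in $EXPECTED; do
        key="${pair%%=*}"
        want="${pair#*=}"
        file="$root/$key"
        if [ -r "$file" ]; then
            got="$(cat "$file")"
        else
            got="missing"
        fi
        if [ "$got" != "$want" ]; then
            echo "$key expected=$want actual=$got"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# make_fake_proc root "key=val ...": builds a constructed /proc/sys
# tree under root with every value set correctly, then applies the
# space-separated overrides, so the audit can be tested without root.
make_fake_proc() {
    root="$1"
    overrides="$2"
    for pair in $EXPECTED $overrides; do
        key="${pair%%=*}"
        val="${pair#*=}"
        mkdir -p "$root/$(dirname "$key")"
        printf '%s\n' "$val" > "$root/$key"
    done
}

# Run as "sh audit.sh run" on a live system to audit the real kernel.
if [ "${1:-}" = "run" ]; then
    if audit_sysctl; then
        echo "all hardening values active"
    fi
fi
```

On a live system a non-zero exit status from audit_sysctl is the signal to re-run sysctl -p and find out what reset the value; the mismatch lines name the key so the fix is unambiguous.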

Allowing DNS Access To Your Firewall

You’ll almost certainly want your firewall to make DNS queries to the Internet. This is not because it is required for the basic functionality of the firewall, but because of Fedora Linux’s yum RPM updater which will help to keep the server up to date with the latest security patches. The following statements will apply not only for firewalls acting as DNS clients but also for firewalls working in a caching or regular DNS server role.

#---------------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface eth0 is the internet interface
#
# Zone transfers use TCP and not UDP. Most home networks
# / websites using a single DNS server won't require TCP statements
#
#---------------------------------------------------------------

iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 \
         -j ACCEPT

iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 \
         -j ACCEPT

Allowing WWW And SSH Access To Your Firewall

This sample snippet is for a firewall that doubles as a web server that is managed remotely by its system administrator via secure shell (SSH) sessions. Inbound packets destined for ports 80 and 22 are allowed thereby making the first steps in establishing a connection. It isn’t necessary to specify these ports for the return leg as outbound packets for all established connections are allowed. Connections initiated by persons logged into the Web server will be denied as outbound NEW connection packets aren’t allowed.

#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
 
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
 
#---------------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------------
 
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 \
  -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 \
  -m state --state NEW -j ACCEPT

Allowing Your Firewall To Access The Internet

This iptables script enables a user on the firewall to use a Web browser to surf the Internet. HTTP traffic uses TCP port 80, and HTTPS uses port 443.

Note: HTTPS (secure HTTP) is used for credit card transactions frequently, as well as by RedHat Linux servers running up2date. FTP and HTTP are frequently used with yum.

#---------------------------------------------------------------
# Allow port 80 (www) and 443 (https) connections from the firewall
#---------------------------------------------------------------
 
iptables -A OUTPUT -j ACCEPT -m state \
  --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \
  -m multiport --dports 80,443 --sport 1024:65535

#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
 
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED \
  -i eth0 -p tcp

If you want all TCP traffic originating from the firewall to be accepted, then remove the line:

-m multiport --dports 80,443 --sport 1024:65535

Allow Your Home Network To Access The Firewall

In this example, eth1 is directly connected to a home network using IP addresses from the 192.168.1.0 network. All traffic between this network and the firewall is simplistically assumed to be trusted and allowed.

Further rules will be needed for the interface connected to the Internet to allow only specific ports, types of connections and possibly even remote servers to have access to your firewall and home network.

#---------------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the
# protected network
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
 
iptables -A INPUT   -j ACCEPT -p all -s 192.168.1.0/24 -i eth1
iptables -A OUTPUT  -j ACCEPT -p all -d 192.168.1.0/24 -o eth1
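The fragments above (DNS, SSH and WWW access to the firewall, web access from the firewall, and the trusted home network) only behave as described when the chains' default policies are DROP; appended to chains whose policy is still ACCEPT they allow nothing new and block nothing. The script below is an added example, not code from the original article: it assembles those fragments into one script with default-DROP policies, a loopback rule, an early drop of packets the connection tracker classifies as INVALID, and a rate-limited LOG rule before the final drop so that blocked traffic is visible in the kernel log. The interface names and the 192.168.1.0/24 subnet are the article's; the IPT variable (set IPT=echo to print the rules instead of applying them), the log prefixes and the 5/min rate limit are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): the article's host
# firewall fragments combined with default-DROP policies and logging.
# IPT is an added knob: leave it unset to apply the rules as root, or
# set IPT=echo to see the rules that would be applied.

IPT="${IPT:-iptables}"
WAN=eth0            # Internet interface, as in the article
LAN=eth1            # private network interface, as in the article
LAN_NET=192.168.1.0/24

apply_rules() {
    # Start from a clean filter table.
    $IPT -F
    $IPT -X

    # Default deny: anything not explicitly accepted below is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback traffic is needed by local services and resolvers.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Drop packets conntrack cannot classify before any ACCEPT rule.
    $IPT -A INPUT  -m state --state INVALID -j DROP
    $IPT -A OUTPUT -m state --state INVALID -j DROP

    # Return traffic for connections already accepted, both directions.
    $IPT -A INPUT  -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound DNS queries from the firewall (UDP only, as in the article).
    $IPT -A OUTPUT -o $WAN -p udp --dport 53 --sport 1024:65535 -j ACCEPT

    # Inbound SSH and HTTP to the firewall, new connections only.
    $IPT -A INPUT -i $WAN -p tcp --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i $WAN -p tcp --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT

    # Outbound HTTP/HTTPS from the firewall (yum, up2date).
    $IPT -A OUTPUT -o $WAN -p tcp -m multiport --dports 80,443 --sport 1024:65535 -m state --state NEW -j ACCEPT

    # The home network on the LAN side is trusted, as in the article.
    $IPT -A INPUT  -i $LAN -s $LAN_NET -j ACCEPT
    $IPT -A OUTPUT -o $LAN -d $LAN_NET -j ACCEPT

    # Log whatever falls through (rate limited so a scan cannot flood
    # syslog), then drop it explicitly.
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUTPUT-DROP: "
    $IPT -A INPUT  -j DROP
    $IPT -A OUTPUT -j DROP
}

# dry_run prints the rules instead of applying them (subshell so the
# IPT override does not leak into the caller).
dry_run() { (IPT=echo; apply_rules); }

# rule_count CHAIN: number of -A rules the script emits for CHAIN.
rule_count() {
    dry_run | grep -c "^-A $1 "
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) dry_run ;;
esac
```

Run it as sh firewall.sh dry-run first and review the output; sh firewall.sh apply (as root) installs the rules. The ordering matters: the INVALID drop and the ESTABLISHED,RELATED accepts sit above the per-service rules so the NEW-only rules are evaluated only for genuinely new connections.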

Masquerading (Many to One NAT)

Masquerading (“many to one NAT”) means that traffic from all devices on one or more protected networks appears to originate from a single IP address on the Internet side of the firewall.

Note: The masquerade IP address always defaults to the IP address of the firewall’s main interface. The advantage of this is that you never have to specify the NAT IP address. This makes it much easier to configure iptables NAT with DHCP.

You can configure “many to one NAT” to an IP alias by using an SNAT rule in the POSTROUTING chain rather than the MASQUERADE target. An example of this can be seen in the static NAT section that follows.

Note: If you configure your firewall to do masquerading, then it should be used as the default gateway for all the servers on your network.

Keep in mind that iptables requires the iptable_nat module to be loaded with the modprobe command for the masquerade feature to work. Masquerading also depends on the Linux operating system being configured to route between the Internet and private network interfaces of the firewall. This is done by enabling IP forwarding, i.e. giving the file /proc/sys/net/ipv4/ip_forward the value 1 instead of the default disabled value of 0.

Once masquerading has been achieved using the POSTROUTING chain of the nat table, you will have to configure iptables to allow packets to flow between the two interfaces. To do this, use the FORWARD chain of the filter table. More specifically, packets related to NEW and ESTABLISHED connections will be allowed outbound to the Internet, but only packets related to ESTABLISHED connections will be allowed inbound. This helps to protect the home network from anyone trying to initiate connections from the Internet:

#---------------------------------------------------------------
# Load the NAT module
#
# Note: It is best to use the /etc/rc.local example in this
#       chapter. This value will not be retained in the
#       /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------

modprobe iptable_nat
 
#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#
# Note: It is best to use the /etc/sysctl.conf example in this
#       chapter. This value will not be retained in the
#       /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------

echo 1 > /proc/sys/net/ipv4/ip_forward

#---------------------------------------------------------------
# Allow masquerading
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------------

iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 \
         -j MASQUERADE

#---------------------------------------------------------------
# Prior to masquerading, the packets are routed via the filter
# table's FORWARD chain.
# Allowed outbound: New, established and related connections
# Allowed inbound : Established and related connections
#---------------------------------------------------------------

iptables -A FORWARD -t filter -o eth0 -m state \
         --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -t filter -i eth0 -m state \
         --state ESTABLISHED,RELATED -j ACCEPT
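The two FORWARD rules above protect the home network only if the FORWARD chain's default policy is DROP; otherwise inbound NEW connections that match neither rule fall through to the ACCEPT policy. The script below is an added example, not code from the original article: it installs the masquerading rule together with a default-DROP FORWARD policy, an INVALID drop, a source check so that only 192.168.1.0/24 addresses can be masqueraded out (anything else arriving on eth1 with a spoofed source is dropped), and a rate-limited LOG rule so that connection attempts from the Internet into the home network are recorded in the kernel log. Interface names and the subnet are the article's; the IPT dry-run knob, the log prefix and the rate limit are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): masquerading gateway
# with a default-DROP FORWARD chain and logging of rejected forwards.
# IPT is an added knob: unset applies the rules as root, IPT=echo prints them.

IPT="${IPT:-iptables}"
WAN=eth0            # Internet interface, as in the article
LAN=eth1            # private network interface, as in the article
LAN_NET=192.168.1.0/24

# Same two prerequisites the article lists; persist them via
# /etc/sysctl.conf and /etc/rc.local as the article recommends.
enable_forwarding() {
    modprobe iptable_nat
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

apply_nat_rules() {
    # Clean slate for the chains this script owns.
    $IPT -t filter -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -P FORWARD DROP

    # Many-to-one NAT: LAN sources leaving via eth0 take eth0's address.
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE

    # Drop packets conntrack cannot classify before any ACCEPT.
    $IPT -A FORWARD -m state --state INVALID -j DROP

    # LAN -> Internet: new and existing connections, but only from
    # addresses that belong to the home network (anti-spoofing).
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Internet -> LAN: replies to connections the LAN opened, nothing new.
    $IPT -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anything else (e.g. inbound connection attempts) is logged, then
    # hits the DROP policy. Check with dmesg or /var/log/messages.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "IPT-FWD-DROP: "
}

# dry_run prints the rules instead of applying them.
dry_run() { (IPT=echo; apply_nat_rules); }

# forward_accepts_new_from_wan: succeeds (exit 0) only if some FORWARD
# rule would ACCEPT NEW connections arriving on the Internet interface.
# A correct ruleset makes this fail, which is what the test checks.
forward_accepts_new_from_wan() {
    dry_run | grep "^-A FORWARD" | grep -- "-i $WAN" | grep -- "NEW" | grep -q ACCEPT
}

case "${1:-}" in
    apply)   enable_forwarding; apply_nat_rules ;;
    dry-run) dry_run ;;
esac
```

The self-check function is the kind of assertion worth keeping next to a gateway ruleset: it reads the rules the script would emit and fails if a later edit ever lets NEW connections from eth0 be forwarded into the home network.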

Static NAT

In this example, all traffic to a particular public IP address, not just to a particular port, is translated to a single server on the protected subnet. Because the firewall has more than one IP address, it’s not recommended to MASQUERADE; it will force masquerading as the IP address of the primary interface and not as any of the alias IP addresses the firewall may have. Instead, use SNAT to specify the alias IP address to be used for connections initiated by all other servers in the protected network.

Note: Although the nat table NATs all traffic to the target servers (192.168.1.100 to 102), only connections on ports 80,443 and 22 are allowed through by the FORWARD chain. Also notice how you have to specify a separate -m multiport option whenever you need to match multiple non-sequential ports for both source and destination.

In this example the firewall:

  • Uses one to one NAT to make the server 192.168.1.100 on your home network appear on the Internet as IP address 97.158.253.26.
  • Creates a many to one NAT for the 192.168.1.0 home network in which all the servers appear on the Internet as IP address 97.158.253.29. This is different from masquerading.

You will have to create alias IP addresses for each of these Internet IPs for one to one NAT to work.

#---------------------------------------------------------------
# Load the NAT module
#
# Note: It is best to use the /etc/rc.local example in this
#       chapter. This value will not be retained in the
#       /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------

modprobe iptable_nat

#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#
# Note: It is best to use the /etc/sysctl.conf example in this
#       chapter. This value will not be retained in the
#       /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------

echo 1 > /proc/sys/net/ipv4/ip_forward

#---------------------------------------------------------------
# NAT ALL traffic:
###########
# REMEMBER to create aliases for all the internet IP addresses below
###########
#
# TO:             FROM:           MAP TO SERVER:
# 97.158.253.26    Anywhere        192.168.1.100 (1:1 NAT - Inbound)
# Anywhere        192.168.1.100   97.158.253.26 (1:1 NAT - Outbound)
# Anywhere        192.168.1.0/24  97.158.253.29 (FW IP)
#
# SNAT is used to NAT all other outbound connections initiated
# from the protected network to appear to come from
# IP address 97.158.253.29
#
# POSTROUTING:
#   NATs source IP addresses. Frequently used to NAT connections from
#   your home network to the Internet
#
# PREROUTING:
#   NATs destination IP addresses. Frequently used to NAT
#   connections from the Internet to your home network
#
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------------

# PREROUTING statements for 1:1 NAT
# (Connections originating from the Internet)
 
iptables -t nat -A PREROUTING -d 97.158.253.26 -i eth0 \
        -j DNAT --to-destination 192.168.1.100
 
# POSTROUTING statements for 1:1 NAT
# (Connections originating from the home network servers)
 
iptables -t nat -A POSTROUTING -s 192.168.1.100 -o eth0 \
         -j SNAT --to-source 97.158.253.26

# POSTROUTING statements for Many:1 NAT
# (Connections originating from the entire home network)
 
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 \
         -j SNAT -o eth0 --to-source 97.158.253.29
 
# Allow forwarding to each of the servers configured for 1:1 NAT
# (For connections originating from the Internet. Notice how you
# use the real IP addresses here)

iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.100 \
    -m multiport --dports 80,443,22 \
    -m state --state NEW -j ACCEPT

# Allow forwarding for all New and Established SNAT connections
# originating on the home network AND already established
# DNAT connections

iptables -A FORWARD -t filter -o eth0 -m state \
         --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding for all 1:1 NAT connections originating on
# the Internet that have already passed through the NEW forwarding
# statements above

iptables -A FORWARD -t filter -i eth0 -m state \
         --state ESTABLISHED,RELATED -j ACCEPT

If you feel the necessity to get even more detailed info about this topic, please visit this page and read this tutorial.

4 thoughts on “Main iptables Settings”

  1. james@router

    Does my MAC address change if I upgrade my computer with some other hardware? For example change the graphic card?

    1. Vladimir Usenco

      No, your MAC address depends on your Ethernet or any other kind of network card, not on CPU, graphic card, etc

  2. Sam

    I need to block certain IP addresses on my network to access internet but allow them to update windows updates and antivirus updates only.

    Best regards

    Sam

    1. Vladimir Usenco

      Are you sure this task is related to iptables? :)
