my contribution to iptables docs (for what it's worth)

my contribution to iptables docs (for what it's worth)

[Robert P. J. Day]

   (the following is the first part of a writeup i'm working
on to document iptables for a larger courseware manual i'm writing
on linux networking and security.  it's deliberately terse, and
it's not finished yet -- nothing yet on mangle or nat stuff.
the funny "****" format means it was written in emacs outline mode
if you want to look at it that way.  i'm always interested in 
feedback.  the whole point of this writeup was to present a logical
flow of iptables concepts, starting simple and getting progressively
more complex.)


*** iptables
**** Overview
The basic features of iptables:

- filtering of packets based on things like source and destination
  addresses, protocols, port numbers and so on
- stateful firewalling and connection tracking
- SNAT and DNAT (source NAT and destination NAT, for address
  translation into and out of your LAN)
- packet mangling, a more advanced feature for mangling certain
  fields in packets as you see them
- limit matching, to put a limit on packets with certain
  properties
- cumulative statistics with packet and byte counts
 
Netfilter home page: www.netfilter.org
**** Software install and kernel config
I'm going to assume you have the software already installed,
ideally via RPM.  See Appendix A for kernel config instructions 
to build iptables support into your kernel.
**** The tables and chains
Rules are defined against a combination of tables and chains

The tables: filter (the default), nat, mangle
The chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING

The actual combinations:

filter:
	INPUT
	OUTPUT
	FORWARD
nat:
	PREROUTING
	POSTROUTING
	OUTPUT
mangle:
	INPUT
	OUTPUT
	FORWARD
	PREROUTING
	POSTROUTING

(Incorporate very handy diagram from Oskar's tutorial here, which
shows flow of packets.)

  With almost all iptables commands, if you don't specify a table,
the filter table is assumed by default.

  You can also create your own "user-defined" chains in any one
of the three tables, but we'll leave that until later.
**** Basic iptables admin
  (A *very* brief, and non-detailed overview, of what is covered in
much more detail later.)

The files:
    
    /etc/init.d/iptables:	the admin start/stop script
    /etc/sysconfig/iptables:	where rules are stored when you save
				your current setup
    /proc/net/ip_tables_names:	the currently-loaded tables
    
How to add rules to your current config (more on this later):

  # iptables [-t <table>] command [match] [target\jump]

Controlling the iptables service:

  # service iptables 
	        start: start filtering based on your saved rules
		stop:  turn off all filtering
		status: list the current chain rules
		save: save the current config in /etc/sysconfig/iptables
		panic: drop all packets

Saving and restoring your rule sets:

  Once you establish a set of filtering rules, you can save them and
restore them with:

  # /sbin/iptables-save > /etc/sysconcfig/iptables
  # /sbin/iptables-restore < /etc/sysconfig/iptables

Listing the currently-loaded tables:

  # cat /proc/net/ip_tables_names
  TABLES=$(cat /proc/net/ip_tables_names)	# for ruleset scripts
**** Out with ipchains, in with iptables
  If you first have to move ipchains out of the way and bring
in iptables:

# chkconfig --level 0123456 ipchains off
# service ipchains stop
# modprobe -r ipchains	# if necessary

# chkconfig iptables on
# modprobe ip_tables
# service iptables start
# iptables -L		# just to confirm that it seems to work
**** Listing and additional options
  How to list the current rules that are in operation (again,
if you don't specify a table, the filter table is assumed by
default):

  # iptables {-L|--list} [-t <table>] [chain]

  Options that are available, not just for listing, but for some
of the other functions as well:

	-t, --table        specify table (filter table by default)
	-v, --verbose	   verbose (show byte and packet counters)
	-n, --numeric	   numeric output
	-x, --exact	   expand numbers
	--line[-numbers]   display line numbers of rule set
**** Establishing simple filtering
***** Overview
  For now, restrict ourselves to setting up simple rule sets for
filtering input/output to a single host.  Issues regarding nat,
mangle, forwarding and so on will be covered later.
***** Setting the policy
  First, set the default policy for all three chains in the filter
table (the default table, remember?)

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT (ok, ok, i'm being lazy, you could say DROP)
iptables -P FORWARD DROP
***** Basic rule format
  The basic format of a rule

  # iptables [-t <table>] command [match] [target\jump]

  As a reasonably self-explanatory example (which drops packets coming in
from anyone on the 192.168.0.0/24 network using TCP going to port 80):

  # iptables -A INPUT --source 192.168.0.0/24 -p tcp --dport 80 --jump DROP

  The basics for modifying rulesets (all of which use the "filter"
table as a default if you don't specify otherwise):

-A, --append <chain> <rule>
-D, --delete <chain> <rule>|<rulenum>
-I, --insert <chain> [<rulenum>] <rule>
-R, --replace <chain> <rulenum> <rule>

-Z, --zero [chain]    # zero counters in chain or all chains in table
-F, --flush [chain]   # flush the chain or all chains in the table

  For now, stick with the two targets DROP and ACCEPT.

(sample script here, with comments)
***** Simple filtering criteria
****** Types of matches
generic: available any time
implicit: once you've selected a protocol?
explicit: a bit later (using -m)

  In most of the matches, the use of a "!" means to negate
the meaning of the match, as you'll see shortly.
****** IP addresses
General form (stick with numbers, don't count on DNS)
	{-s,--src,--source} [!] address[/mask]
	{-d,--dst,--destination} [!] address[/mask]

Examples:
	-s 192.168.1.1
	-s 192.168.0.0/255.255.255.0
	-s ! 192.168.0.0/24

Legal, but thoroughly redundant:
	-s 0/0
	-d 0/0
****** Interfaces
Only for INPUT, OUTPUT and PREROUTING chains:

  {-i,--in-interface} [!] eth0
  {-o,--out-interface} [!] eth0

  Also, putting a "+" at the end allows any matching, 
as in "eth+".
****** Protocols
Filter on any combination of protocols from /etc/protocols, 
  either by name or number:

-p, --protocol [!]
    udp
    tcp
    icmp
    udp,tcp		# specify a combination of protocols
    6,17		# same here
    255 (RAW IP)
    ALL (or 0)		# the default
****** Ports (TCP and UDP)
  Only *after* you've selected a TCP or UDP protocol can you select
a port or port range to filter on (an implicit match)

  {--sport,--source-port} [!]
  {--dport,--destination-port} [!]

	 23
	 23:80
	 :1023		# starts at zero
	 1024:		# goes to 65535

  You can also use service names, like ftp, telnet and so on, from 
/etc/services.
****** ICMP matches
  After specifying "-p icmp" you can filter ICMP types, most
frequently type 8 (echo request or ping) and type 0 (echo reply
or pong):

  --icmp-type [!] {0|8}
***** The most common targets
  Once you selected all your filtering criteria for a rule, you can
finally jump to one of the most common targets:

  ACCEPT
  DROP
  REJECT (more on this later)
***** Saving and restoring your chains
  Once you manually establish your filtering rule set, you can
save it, and restore it later with one of:

  # iptables-save
	[{-t|--table} <tablename>]	# save only this table
	[{-c|--counters}]		# save byte/packet counters, too
	> /etc/sysconfig/iptables

  # iptables-restore
	[{-c|--counters}]		# restore byte/packet counters
	< /etc/sysconfig/iptables

  If you look at the admin script /etc/init.d/iptables, the above
are equivalent to:

  # service iptables save
  # service iptables restore 
**** Flushing/clearing/resetting your tables or chains
  Occasionally, you might want to completely clear/reset/dump
your rule set.  (Keep in mind that you will still have default
policies of DROP or ACCEPT on your chains.)

  First, you can flush all of the rules from one chain of a
selected table (default filter) or all chains of that table:

  # iptables -t filter -F INPUT	       # flush INPUT chain of filter table
  # iptables -F INPUT		       # same as above
  # iptables -F			       # flush all chains in filter table

  To flush all rules from all built-in chains from all tables:

  # iptables -F
  # iptables -F nat
  # iptables -F mangle

  For efficiency, you can flush just the tables you know are currently
being used or are loaded:

  for table in $(cat /proc/net/ip_tables_names) ; do
    iptables -t $table -F
  done

  Note that, once you do this, you're back to the default chain 
policies, so you can, if you want, turn off filtering altogether
by following all of this up with:

  # iptables -P INPUT ACCEPT
  # iptables -P OUTPUT ACCEPT
  # iptables -P FORWARD ACCEPT

or you can shut down all traffic by doing the opposite with:

  # iptables -P INPUT DROP
  # iptables -P OUTPUT DROP
  # iptables -P FORWARD DROP

The first option is equivalent to running:

  # service iptables stop	  # don't do *any* filtering

while the second is equivalent to:

  # service iptables panic	  # we've been hacked!  shut down!
**** Explicit matches
***** How explicit matches work
  Explicit matches are added to a rule with the syntax:

  {-m|--match} <module name>  ... more specific stuff here

We'll cover only some of the explicit matches, and even these
might be more specific than you need.
***** Multiport matching

  As an example, 

  -m multiport  {--sport|--dport} 21,23,80

Sadly, you can't use both standard and multiport matching at the 
same time in the same rule.
***** MAC address matching
  Match a specific MAC source address (or its negation):

  -m mac --mac-source [!] <MAC address>
***** TTL match
  -m ttl --ttl 60
***** TOS match
  Type of service matching, fairly advanced:

  -m tos --tos 0x16
***** Limit match
  (I definitely have to expand on this.)

-m [!] limit ##/{second|minute|hour|day}
-m limit --limit-burst 5
***** Owner match
-m owner
	--uid-owner <uid>
	--gid-owner <gid>
	--pid-owner <pid>
	--sid-owner <sid>
**** More fancy filtering and connection tracking
***** Filtering on TCP flags
  An implicit match, based on that you've already selected TCP protocol

flags:

SYN ACK FIN RST URG PSH ALL NONE

--tcp-flags [!] SYN,ACK,RST ACK
--syn == SYN, but not ACK or RST
***** Connection tracking and the state machine
stateful firewall
states: NEW, ESTABLISHED, RELATED, INVALID

  iptables -A INPUT -m state --state RELATED,ESTABLISHED
**** Working with packet and byte counters
  All rules count the number of matching bytes and packets,
which you can examine and manipulate.
 
# iptables
	{-L|--list}		# just list the rules
	{-v|--verbose}		# list the counters as well
	{-x|--exact}		# list exact counts, not K or M
	{-Z|--zero}		# list, then zero the counters
	[chain]			# by default, all chains in table

You can also just zero any of the chains (or all chains in a table):

# iptables -Z [chain]

  When inserting, appending or replacing a rule in a chain, you
can initialize its counters to particular values:
	
# iptables ...  {-c|--set-counters} <pkts> <bytes> 

  Finally, when saving and restoring rules, you can choose to
save and restore the byte and packet counters to the file
/etc/sysconfig/iptables:

  # iptables-save {-c|--counters} [-t <table>} > /etc/sysconfig/iptables
  # iptables-restore {-c|--counters} < /etc/sysconfig/iptables
**** More on targets
***** Types of targets
  So far, all targets have just had the final targets ACCEPT and
DROP.  But there are other choices, and targets fall into one of
two categories: terminating (end of processing) and non-terminating
(where processing continues so the same rule can have more targets).

  Different targets will also be discussed when we cover 
user-defined chains shortly.
***** ACCEPT and DROP targets
Been there, done that.
***** REJECT
  Equivalent to DROP, but you can also send an error message back to
the sending host:

-j REJECT --reject-with
	icmp-net-unreachable
	icmp-host-unreachable
	icmp-port-unreachable (the default)
	icmp-proto-unreachable
	icmp-net-prohibited
	icmp-host-prohibited

	tcp-reset (sends TCP RST packet)
***** LOG
  LOG is a non-terminating target, so you can use a LOG target
and continue processing similar packets (for instance, you might
have a LOG rule, immediately followed by an identical DROP rule).  
LOG is based on the syslog facility, and automatically logs through 
the "kern" facility.  (If you have no idea what this means, you
should read up on the syslog utility.)

  -j LOG

     --log-level {debug|info|...}
     --log-prefix "Up to 29 characters of prefix: "
     
     --log-tcp-sequence
     --log-tcp-options
     --log-ip-options
***** MIRROR
  An experimental and demonstration target, which inverts the source
and destination fields, effectively returning the packet to the sender.
***** Omitted targets
  If you omit the target from a rule, all this means is that no 
filtering will be done, but you will still be keeping track of
packet and byte counters for that rule.
**** User-defined chains
  Define new chains within the same table (again, "filter" being 
the default table) -- you can jump to user-defined chains only
within the same table.  User-defined chains are useful for
breaking a large, sequential rule set into a hierarchical rule
set for processing, among other things.

  In addition to the regular chain operations such as adding,
inserting, replacing and flushing rules from a chain, you have
the following operations for user-defined chains:

  # iptables

    {-N|--new-chain} <chain>		# define a new chain in this table
    {-E|--rename-chain} <oldname> <newname>
    {-X|--delete-chain} [chain]		# delete a user-defined chain or all
					  user-defined chains in table

  Appropriate targets for rules in a user-defined chain include:

    DROP,ACCEPT		  # self-explanatory terminating targets
    LOG			 
    RETURN		  # stop processing, return to calling chain
    another user-defined chain

  You can't delete a user-defined chain until you flush it, which 
explains why you see code like the following to completely flush
your entire rule set:

    iptables -F
    iptables -t nat -F
    iptables -t mangle -F

    iptables -X
    iptables -t nat -X
    iptables -t mangle -X







rday

Re: my contribution to iptables docs (for what it's worth)

[Simon Kowallik]

Hello,
perhaps this is usefull too: 
http://offlineprovider.de/site/netfilter/netfilter.php

Regards,
Simon

Re: my contribution to iptables docs (for what it's worth)

[Rodrigo Senra]

 On Thu, 31 Oct 2002 21:23:33 +0100
 Simon Kowallik <sub@offlineprovider.de> wrote
 about Re: my contribution to iptables docs (for what it's worth):
 --------------------------------------------
 | Hello,
 | perhaps this is usefull too: 
 | http://offlineprovider.de/site/netfilter/netfilter.php
 | 
 | Regards,
 | Simon
 |

 Thank you Simom. This is an excellent diagram!
 regards
 Senra
-- 
Rodrigo Senra
MSc Computer Engineer   rodsenra@gpr.com.br  
GPr Sistemas Ltda       http://www.gpr.com.br