Using and Configuring Linux Packet Filtering
An Internet.com Networking eBook. Copyright 2006, Jupitermedia Corp.
# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
In both of these examples, you'll notice that each rule chain has a default policy. The policy defines what the
system does with packets that are not matched by any rule in the chain. The default policy, ACCEPT, means that
the system simply accepts any packet that no rule addresses; a chain whose policy is DROP silently discards such
packets instead.
The rules within any iptables chain are evaluated in the order in which the iptables -L command lists them.
Evaluation of a chain stops as soon as a rule matches and has a terminating target (ACCEPT, DROP or REJECT),
which decides the packet's fate; when a matching rule's target is RETURN, which hands control back to the chain
that called this one; or when the end of the chain is reached, in which case the chain's default policy is applied.
A rule whose target is the name of another (user-defined) chain jumps to that chain; if that chain does not decide
the packet, evaluation resumes with the rule that follows the jump.
After executing the command that adds the ICMP DROP rule, the iptables -L INPUT command shows the new rule in
the INPUT chain:
# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere
DROP is a target that is built into iptables. The other built-in targets are ACCEPT (let the packet through), QUEUE
(hand the packet to a user-space program through the kernel's packet queue, which then decides its fate), and
RETURN (stop processing the packet in the current chain and resume with the next rule in the chain that jumped
here; in a built-in chain, RETURN applies the chain's policy). REJECT, used below, is an extension target: like
DROP it discards the packet, but it also sends an error back to the sender. A rule's target may also be the name of
a user-defined chain, which causes a jump to that chain.
You can use the iptables command's -D option to delete a single rule from an existing chain, identifying the rule
that you want to delete either by its number or by repeating its contents (the same match and target options that
created it). Identifying a rule by number is much simpler. Rule numbering within a chain begins with 1; plain
iptables -L output does not show the numbers, but iptables -L --line-numbers does. For example, the ICMP filtering
rule that was created in the previous section can be deleted either by number (it is rule 1 in the INPUT chain) or by
repeating its match and target options; the two commands are equivalent.
If you wanted to prevent your users from using the telnet command to connect to remote systems, you could write
an equivalent rule for the OUTPUT chain that matches TCP packets whose destination port is telnet (port 23) and
drops them; the listing below shows that rule in place.
Using the DROP target causes the packets to be discarded silently, so the user-space telnet command that the
user executed hears nothing and hangs until its own connection timeout expires. When preventing connections to
specific ports, a more user-friendly approach is to use the REJECT target, which causes the netfilter framework to
discard the packet and send an ICMP error back to the sender (icmp-port-unreachable by default; for TCP,
--reject-with tcp-reset sends a TCP RST instead), which the user-space telnet application notices immediately. The
REJECT rule is identical to the DROP rule except for the target, as in the following example. Note that you must first
delete the existing DROP rule: -A appends, so the new rule would land after the existing one and, because DROP is
a terminating target, would never be reached. (Alternatively, iptables -I OUTPUT inserts a rule at the top of the
chain.)
# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:telnet
# iptables -D OUTPUT 1
# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -A OUTPUT -p TCP --destination-port telnet -j REJECT
# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:telnet reject-with icmp-port-unreachable
After adding these rules, users attempting to use the telnet command from your system to connect to a remote sys-
tem would get a more familiar rejection message:
# telnet testhost
Trying 192.168.6.64...
telnet: connect to address 192.168.6.64: Connection refused
You can specify more than one destination port in a single rule by using the multiport match extension
(-m multiport --dports port1,port2,...). For example, to extend the previous rule so that it also blocks FTP, a similarly
insecure protocol for file transfer (control connection on port 21), replace the single --destination-port telnet with
a multiport list of telnet and ftp.
Continuing with this example, suppose that you were willing to allow incoming telnet connections from hosts on
your internal network. To do this, you would first delete the general rule that was defined in the previous section
and then add a new rule that explicitly allows connections from certain addresses. Assuming that the hosts on your
internal network all have addresses in the private (RFC 1918) 192.168.0.0/16 range, you could do this with an
ACCEPT rule in the INPUT chain that matches TCP packets to the telnet port and carries -s 192.168.0.0/16. Note
that the network mask is required: -s 192.168.0.0 without a /16 (or /255.255.0.0) mask matches only the single
address 192.168.0.0, not the whole range.
This rule allows incoming telnet connections from any host with an IP address in the 192.168.0.0/16 range.
Unfortunately, it does not by itself reject telnet connections from other IP addresses; with the chain's policy still
ACCEPT, those are accepted too. To reject incoming telnet connections from other networks, you would need to
add a REJECT rule with the same protocol and port match but a negated source address.
The exclamation mark (!) written before the -s option (older iptables versions accept it as the first character of the
address argument instead) is iptables' own negation operator, not regular-expression syntax: the rule matches
hosts whose addresses are not in 192.168.0.0/16. Because the INPUT policy here is ACCEPT, the REJECT rule alone
would have the same effect; the explicit ACCEPT rule is what keeps internal telnet working if you later change the
policy to DROP. After executing these commands, your rules for the INPUT chain would look like the following:
# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:telnet
REJECT tcp -- !192.168.0.0/16 anywhere tcp dpt:telnet reject-with icmp-port-unreachable
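To make the chain semantics described so far concrete (the in-order walk that stops at the first terminating target, RETURN handing control back to the calling chain, the reason an appended REJECT rule behind a DROP rule is never reached, and the negated -s match), here is a small Python model of a filter chain. It is an added example, not code from this eBook: Packet, Rule and Firewall are hypothetical names, every packet fed to them is constructed, and a leading "!" on an address stands in for iptables' ! -s / ! -d negation.

```python
"""Model of how an iptables filter chain (INPUT, OUTPUT or a user chain) decides
a packet: rules are tried in order, the first matching rule with a terminating
target (ACCEPT, DROP, REJECT) decides, RETURN leaves a user chain, and a chain
that falls through to its end applies its policy.
Added example, not code from the eBook: Packet, Rule and Firewall are
hypothetical names, and every packet fed to them below is constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    dport: Optional[int] = None  # destination port (tcp/udp only)


@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, REJECT, RETURN or a user chain name
    proto: Optional[str] = None  # -p
    src: Optional[str] = None    # -s CIDR; a leading "!" mirrors "! -s"
    dst: Optional[str] = None    # -d CIDR, same negation
    dport: Optional[int] = None  # --dport

    @staticmethod
    def _net_match(spec, addr):
        if spec is None:
            return True
        negate = spec.startswith("!")
        # a bare address is a /32, exactly as iptables treats -s 192.168.0.0
        inside = ip_address(addr) in ip_network(spec.lstrip("! "), strict=False)
        return not inside if negate else inside

    def matches(self, pkt):
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return self._net_match(self.src, pkt.src) and self._net_match(self.dst, pkt.dst)


@dataclass
class Firewall:
    policy: dict = field(default_factory=dict)  # built-in chain -> ACCEPT or DROP
    chains: dict = field(default_factory=dict)  # chain name -> [Rule, ...]

    def append(self, chain, rule):         # iptables -A CHAIN ...
        self.chains.setdefault(chain, []).append(rule)

    def insert(self, chain, rule, num=1):  # iptables -I CHAIN [num] ..., 1-based
        self.chains.setdefault(chain, []).insert(num - 1, rule)

    def delete(self, chain, num):          # iptables -D CHAIN num
        del self.chains[chain][num - 1]

    def _walk(self, chain, pkt):
        """Terminating verdict, or None when the chain falls through its end."""
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINATING:
                return rule.target
            if rule.target == "RETURN":
                return None
            decided = self._walk(rule.target, pkt)  # jump into a user chain
            if decided is not None:
                return decided
            # the user chain returned undecided: carry on with the next rule here
        return None

    def verdict(self, chain, pkt):
        """Fate of pkt entering a built-in chain: its rules, then its policy."""
        decided = self._walk(chain, pkt)
        return decided if decided is not None else self.policy[chain]


def build_example():
    """The eBook's INPUT and OUTPUT rules, plus a user chain to exercise RETURN."""
    fw = Firewall(policy={"INPUT": "ACCEPT", "OUTPUT": "ACCEPT"})
    fw.append("INPUT", Rule("DROP", proto="icmp"))
    fw.append("INPUT", Rule("ACCEPT", proto="tcp", src="192.168.0.0/16", dport=23))
    fw.append("INPUT", Rule("REJECT", proto="tcp", src="! 192.168.0.0/16", dport=23))
    # user chain for ssh: LAN hosts RETURN to INPUT (and get its policy), others DROP
    fw.append("TRUSTED", Rule("RETURN", src="192.168.0.0/16"))
    fw.append("TRUSTED", Rule("DROP"))
    fw.append("INPUT", Rule("TRUSTED", proto="tcp", dport=22))
    # OUTPUT: the ordering mistake the text warns about; rule 2 is never reached
    fw.append("OUTPUT", Rule("DROP", proto="tcp", dport=23))
    fw.append("OUTPUT", Rule("REJECT", proto="tcp", dport=23))
    return fw
```

build_example() loads the INPUT and OUTPUT rules from the listings above plus a TRUSTED user chain, and fw.verdict("OUTPUT", pkt) returns the verdict for a constructed packet. Deleting rule 1 of OUTPUT, or inserting a new rule with insert(), changes the outcome exactly as -D and -I do on a real system, and a Rule whose src is a bare 192.168.0.0 matches no LAN host, which is the missing-mask mistake noted above.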
Similarly, you can block connections that are sent to specific destination addresses by using the iptables com-
mand's -d option and specifying a particular IP address or address range (in CIDR form) as its argument; it accepts
the same ! negation as -s.
Continuing with the previous example, you might want to add a rule to the OUTPUT chain that rejects outgoing tel-
net packets that are not addressed to hosts in the 192.168.0.0/16 range, that is, a REJECT rule for TCP destination
port telnet with a negated -d 192.168.0.0/16 match.
The netfilter framework's support for NAT is provided by a nat module, which uses its own table (the nat table,
selected with -t nat) for recording and looking up address translations.
In order to use NAT or any other IP forwarding technique, the system that you are configuring must have two
network interfaces: two Ethernet adapters, or an Ethernet adapter plus a point-to-point link such as a PPP (or
PPPoE) connection. You must also configure this system, known as a gateway, to perform IP forwarding. The kernel
forwards packets between interfaces only when /proc/sys/net/ipv4/ip_forward contains 1 (it is 0 by default), so
you enable forwarding by writing 1 to that file.
The /proc filesystem is a virtual, in-memory filesystem that is recreated each time you boot the gateway, so a value
written there does not survive a reboot. For this reason, this command must be placed in one of your gateway
system's start-up files so that it runs each time that you restart the system; on distributions that use sysctl, the
equivalent persistent setting is net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
After executing this command, the iptables commands to do NAT are quite simple. On a system where the Ethernet
interface connected to the Internet is eth0 and the internal LAN is connected to the Ethernet interface eth1, three
commands are needed.
The first of these commands flushes any existing rules in the nat table (-t nat -F). The second appends a rule to the
nat table's POSTROUTING chain for packets leaving through the outbound (-o) interface eth0; its target (MASQUERADE,
or SNAT when the external address is fixed) rewrites the source address of each such packet to the interface's own
address, so that many internal IP addresses share the single public address, and netfilter's connection tracking
records each translation so that replies can be rewritten back to the internal host. The third iptables command
appends a rule to the FORWARD chain of the standard packet filtering table that accepts traffic arriving on eth1
(-i eth1) for forwarding; the nat table is consulted separately, after routing, for the address rewrite. Two caveats:
when the FORWARD chain's policy is ACCEPT this third rule changes nothing, but if you set the policy to DROP (the
safer choice) you also need a rule that accepts the return traffic, for example one matching the ESTABLISHED,RELATED
connection states, or replies from the Internet never reach the LAN; and restricting the rule to -i eth1 -o eth0 keeps
the gateway from forwarding traffic in directions you did not intend.
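What the POSTROUTING rule actually does to each forwarded packet, and why replies find their way back to the right LAN host, is easier to see in a model than in the single command. The following Python is an added example, not the eBook's code or netfilter's: Masquerader, outbound() and inbound() are hypothetical names, the port-allocation rule (keep the LAN host's source port when no other tracked connection uses it, otherwise take a fresh one) mirrors netfilter's behaviour only in outline, and the addresses are constructed.

```python
"""Model of what the MASQUERADE rule in the nat table's POSTROUTING chain does
to traffic the gateway forwards from the LAN (eth1) out through eth0.
Added example, not the eBook's code: Masquerader, outbound() and inbound()
are hypothetical names and all addresses used with them are constructed."""
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Pkt:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Source NAT plus the connection-tracking table that makes it reversible."""

    def __init__(self, external_ip, first_alt_port=32768):
        self.external_ip = external_ip
        self._alt_ports = count(first_alt_port)  # fallback ports for clashes
        self.forward = {}   # (proto, lan_src, sport) -> public source port
        self.reverse = {}   # (proto, public port) -> (lan_src, sport)

    def outbound(self, pkt):
        """POSTROUTING on eth0: rewrite the LAN source to the gateway's address.
        The original source port is kept when free; a clash gets a fresh one."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.forward:
            port = pkt.sport
            if (pkt.proto, port) in self.reverse:   # another LAN host holds it
                port = next(self._alt_ports)
            self.forward[key] = port
            self.reverse[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.external_ip, sport=self.forward[key])

    def inbound(self, pkt):
        """Reply arriving on eth0: map the public port back to the LAN host.
        Returns None for a packet no tracked connection claims, which is why a
        masquerading gateway does not pass unsolicited traffic on to the LAN."""
        if pkt.dst != self.external_ip:
            return None
        orig = self.reverse.get((pkt.proto, pkt.dport))
        if orig is None:
            return None
        lan_src, sport = orig
        return replace(pkt, dst=lan_src, dport=sport)
```

Feed outbound() a packet from a LAN host and it comes back with the gateway's public address as its source; feed inbound() the reply and the destination is restored. The model keys translations on (protocol, LAN address, port) only, whereas real connection tracking uses the full address and port tuple of both ends, so treat it as a picture of the mechanism rather than of its exact bookkeeping.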
Summary
This eBook provides a firm foundation for understanding the Linux network stack and how packet filtering and
related packet processing tasks are supported by the Linux kernel's netfilter framework and the iptables command.
It will help you understand any existing packet filtering and processing commands that are part of your system's
start-up mechanism. A short eBook such as this can only scratch the surface of the power of the netfilter framework
and the iptables command on Linux systems, but it should help you add other commands or fine-tune existing ones
to reflect your system's network environment.
This guide was written by Bill von Hagen. Copyright 2006, Jupitermedia Corp.
JupiterWeb eBooks bring together the best in technical information, ideas and coverage of important IT trends
that help technology professionals build their knowledge and shape the future of their IT organizations. For more
information and resources on networking, visit any of our category-leading sites:
www.enterprisenetworkingplanet.com
www.instantmessagingplanet.com
www.opticallynetworked.com
www.practicallynetworked.com
www.voipplanet.com
www.wi-fiplanet.com
www.opennetworkstoday.com
For the latest live and on-demand Webcasts on networking, visit: www.jupiterwebcasts.com/networking/