You are on page 1of 18

Chapter – 18

Firewalling with iptables


At the end of this module, you would have

gained fair knowledge on:
•What is a Firewall
•Difference between IPCHAINS & IPTABLES
•Implementing a Firewall using IPTABLES
The Linux kernel contains advanced
tools for packet filtering, the process of controlling
network packets as they attempt to enter, move
through, and exit your system. Pre-2.4 kernels
contained the ability to manipulate packets using
ipchains, which used lists of rules that apply to
packets at each step of the filtering process.
The introduction of the 2.4 kernel
brought with it iptables, which is similar to
ipchains but greatly expands on the scope and
control available when filtering packets.
Packet Filtering
Traffic moves through a network in
packets, which are collections of data in
particular sizes. A file sent over a network
between two computers may be comprised of
many packets, each of which holds a small part
of the file data.
The sending computer takes the file
and breaks it into packets to be sent over the
network, using the rules of the particular network
protocol being utilized.
The other computer receives the
packets and, using the method specified by the
Every packet contains information, which helps it
navigate the network and move to its destination. The
packet can tell computers along the way, as well as the
destination machine, where it came from, where it is
going, and what type of packet it is, among other things
Most packets are designed to carry data, although
some protocols use packets in special ways.
Each packet may need be checked against many,
many rules before emerging at the end of the chain. The
structure and purpose of these rules may vary, but they
usually seek to identify a packet coming from or going to
a particular IP address or set of addresses when using a
particular protocol and network service .
If the rule specifies an ACCEPT
target for a matching packet, the packet
skips the rest of the rule checks and is
allowed to continue to its destination.
If a rule specifies a DROP target,
the packet is "dropped," meaning that the
packet is refused access to the system and
nothing is sent back to the host that sent the
If a rule specifies a REJECT
target, the packet is dropped, but an error
packet is sent to the packet's originator.
Every chain has a default policy to
ACCEPT, DROP, or REJECT the packet,
or possibly, QUEUE the packet to be
passed to userspace. If none of the rules in
the chain apply to the packet, then the
packet is dealt with in accordance with the
chain's default policy.

The iptables command allows you

to configure these rule lists, as well as set
up new chains and tables to be used for
your particular situation.
Differences between iptables and
Ipchains and iptables appear to be
quite similar. After all, both methods of packet
filtering use chains of rules operating within the
Linux kernel to decide not only which packets to
let in or out, but also what to do with packets that
match certain rules, however, iptables offer a
much more extensible way of filtering packets,
giving an administrator a finer grained level of
control without building too much complexity into
the entire system.
Differences between iptables and
• Under iptables, each filtered packet is only
processed using rules from one chain rather than
multiple chains.
• In other words, a FORWARD packet coming into
a system using ipchains would have to go through the
INPUT, FORWARD, and OUTPUT chains in order to
move along to its destination.
• However, iptables only sends packets to the INPUT
chain if they are destined for the local system and only
sends them to the OUTPUT chain if the local system
generated the packets
Differences between iptables and
The DENY target has been changed to
DROP. In ipchains, packets that matched a rule
in a chain could be directed to the DENY target,
which silently dropped the packet.
This target must be changed to DROP in
iptables to have the same effect.
Order matters when placing options in a
chain rule. Previously, with ipchains, it did not
matter very much, how you ordered the rule
options when typing the rule. The iptables
command is a bit fussier about where some
options may go.
Options Used in iptables
Rules that allow packets to be
filtered by the kernel are put into place by
running the iptables command with a number
of options after it that identify the types of
packets being filtered, the source or
destination of those packets, and what to do
with the packet if it matches the rule.
The options used with a particular
iptables rule must be grouped logically, based
on the purpose and conditions of the overall
rule, in order for the rule to be valid.
A powerful aspect of iptables is that multiple tables
can be used to decide the fate of a particular packet,
depending upon the type of packet being monitored and
what is to be done with the packet.
The default table, named filter, contains the
standard built-in INPUT, OUTPUT, and FORWARD
chains. This is somewhat similar to the standard chains
in use with ipchains
Each table contains default chains that perform
necessary tasks based on the purpose of the table, but
you can easily set up new chains in each of the tables
Many iptables commands take the following
iptables [-t <table-name>] <command> <chain-
name> <parameter-1> <option-1> <parameter-n>
When looking at the structure of an iptables
command, it is important to remember that, unlike
most other commands, the length and complexity of
an iptables command can change based on its
One way to think about iptables commands is to
recognize that some parameters and options used may
create the need to use other parameters and options to
further specify the previous option's request
• Type iptables -h to see a comprehensive list of
iptables command structures.
Commands tell iptables to perform a specific action, and
only one command is allowed per iptables command
string. Except for the help command, all commands
are written in upper-case characters.

-A — Appends the iptables rule to the end of the

specified chain. This is the command used to simply
add a rule when rule order in the chain does not
-C — Checks a particular rule before adding it to the
user-specified chain. This command can help you
construct complicated iptables rules by prompting you
D — Deletes a rule in a particular chain by number
-E — Renames a user-defined chain. This does not
affect the structure of the table at all.
-F — Flushes the selected chain, which effectively
deletes every rule in the the chain. If no chain is
specified, this command flushes every rule from every
-h — Provides a list of helpful command structures, as
well as a quick summary of command parameters and
-I — Inserts a rule in a chain at a particular point.
-L — Lists all of the rules in the chain specified after the
command. To list all rules in all chains in the default filter
table, do not specify a chain or table.
iptables -L <chain-name> -t <table-name>
-N — Creates a new chain with a user-specified
-P — Sets the default policy for a particular chain, so
that when packets traverse an entire chain
without matching a rule, they will be sent on to a
particular target, such as ACCEPT or DROP.
-R — Replaces a rule in a particular chain. You must
use a rule's number after the chain's name to
replace that rule.
-X — Deletes a user-specified chain. Deleting a built-
in chain for any table is not allowed.
-Z — Zeros the byte and packet counters in all
chains for a particular table.
Storing iptables Information

Rules created with the iptables command are only

stored in RAM. If you were to restart your system after
setting up various iptables rules, they would be lost and
you would need to retype them.
If you want particular rules to take effect whenever
your system boots, you need to save them to the
To do this, arrange your tables, chains, and
rules the way they should be the next time the system
boots or iptables is restarted, and type the /sbin/service
iptables save command as the root user.
This causes the iptables init script to run the /sbin/iptables-
save program and write the current iptables configuration to the
/etc/sysconfig/iptables file. This file should only be readable by
root, so your precise packet filtering rules are not viewable by
average users.
The next time the system boots, the iptables init script will
reapply the rules saved in /etc/sysconfig/iptables by using the
/sbin/iptables-restore command.

While it is always a good idea to test a new iptables rule

before committing it to the /etc/sysconfig/iptables file, it is possible
to copy iptables rules into this file from another system's version of
this file.

This allows you to quickly distribute sets of iptables rules to

many different machines at once.