What is iptables
- iptables is a command-line firewall utility that uses policy chains to allow or block traffic.
- When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it doesn’t find one, it resorts to the default action.
- Different kernel modules and programs are used for different protocols:
- iptables applies to IPv4, ip6tables to IPv6,
- arptables to ARP, and ebtables to Ethernet frames.
Default tables are:
- Raw
- Mangle
- NAT
- Filter
Chains available in each table:
- PREROUTING:
- used by raw, mangle and nat tables
- INPUT:
- used by mangle and filter tables
- FORWARD:
- used by mangle and filter tables
- OUTPUT:
- used by raw, mangle, nat and filter tables
- POSTROUTING:
- used by mangle and nat tables
Types of chains:
- INPUT:
- This chain controls the behaviour of incoming connections.
- For example, if a user attempts to SSH into your PC/server, iptables will try to match the IP address and port to a rule in the INPUT chain.
- Put another way: it handles packets meant for your own local machine. The reply to an HTTP request made by your browser goes through the INPUT chain.
- FORWARD:
- This chain is used for incoming connections that are not actually being delivered locally.
- Think of a router: data is always being sent to it but is rarely destined for the router itself; the data is just forwarded to its target.
- OUTPUT:
- This chain is for packets going out of your machine. The HTTP request made by your browser goes through the OUTPUT chain.
A "target" is the action executed when a packet matches a rule's "criteria".
The most common targets are:
- ACCEPT:
- Packet is accepted and goes to the application for processing.
- DROP:
- Packet is dropped. No information regarding the drop is sent to the sender.
- REJECT:
- Packet is dropped and information (error) message is sent to the sender.
- LOG:
- Packet details are sent to syslogd for logging.
- DNAT:
- Rewrites the destination IP of the packet
- SNAT:
- Rewrites the source IP of the packet
The first four are the ones used most in the filter table. Now let us look at some of the common match criteria:
- -p <protocol>:
- It matches the protocol, e.g. tcp, udp, icmp, or all
- -s <ip_addr>:
- It matches source IP address
- -d <ip_addr>:
- It matches destination IP address
- --sport <port>:
- It matches the source port
- --dport <port>:
- It matches the destination port
- -i <interface>:
- It matches the interface from which the packet entered
- -o <interface>:
- It matches the interface from which the packet exits
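The following script is an added example and is not part of the original post: it combines the targets (ACCEPT, DROP as default policy, REJECT, LOG, DNAT, SNAT) and the match criteria (-p, -s, -i, -o, --dport) listed above into a small host firewall plus a pair of nat-table rules. The admin subnet 10.0.0.0/24, the interface name eth0, the internal web server 192.0.2.10 and the public address 203.0.113.1 are assumed placeholder values. By default the script only prints the iptables commands it would run; setting APPLY=1 executes them, which needs root and the iptables binary. Note that --sport and --dport only work together with -p tcp or -p udp, as the rules below show.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal host firewall
# built from the targets and match criteria described above.
# Dry run by default: commands are echoed. APPLY=1 runs them for real
# (requires root and the iptables binary).

ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"   # assumed management subnet
WAN_IF="${WAN_IF:-eth0}"                # assumed external interface

# ipt: run or echo an iptables command depending on APPLY
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# host_firewall: rules for the filter table's INPUT chain
host_firewall() {
    # Flush the chain first so re-running the script is idempotent
    ipt -F INPUT
    # Default policy: DROP anything no rule accepts (the "default action")
    ipt -P INPUT DROP
    # Loopback traffic is always local; -i matches the incoming interface
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened (the browser example above)
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SSH (tcp, destination port 22) only from the admin subnet on the WAN side
    ipt -A INPUT -i "$WAN_IF" -p tcp -s "$ADMIN_NET" --dport 22 -j ACCEPT
    # Answer pings so monitoring keeps working
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # REJECT other SSH attempts with a TCP reset so the sender gets an error
    ipt -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
    # LOG what is left (rate limited) before the DROP policy discards it
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

# nat_rules: DNAT in PREROUTING and SNAT in POSTROUTING (nat table)
nat_rules() {
    # DNAT: rewrite the destination so port 8080 on the WAN side
    # reaches the assumed internal web server on port 80
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 8080 \
        -j DNAT --to-destination 192.0.2.10:80
    # SNAT: rewrite the source of outbound LAN traffic (-o = exit interface)
    # to the assumed public address
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s 192.0.2.0/24 \
        -j SNAT --to-source 203.0.113.1
}

# count_input_rules: number of rules appended to INPUT (used for checks)
count_input_rules() {
    host_firewall | grep -c -- '-A INPUT'
}

host_firewall
nat_rules
```

Run it once without APPLY to review the generated commands, then with APPLY=1 to load them. Because the rules are evaluated in order, the ACCEPT for the admin subnet must precede the REJECT for port 22, and the LOG rule sits last so only packets no earlier rule matched are recorded before the policy drops them.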