Iptables

iptables
Author: Rusty Russell
Developer: Netfilter Core Team
Released: 1998
Latest release version: 1.4.1.1
Latest release date: June 17, 2008
Programming language: C
Operating system: Linux
Genre: Packet filtering
License: GNU General Public License
Website: [http://www.netfilter.org/ www.netfilter.org]

iptables is a user space application program that allows a system administrator to configure the tables provided by Xtables (which in turn uses Netfilter) and the chains and rules it stores. Because iptables requires elevated privileges to operate, it must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man page [http://dev.medozas.de/files/xtables/iptables.html], which can be opened using "man iptables" when installed. "iptables" is also commonly used to inclusively refer to the kernel-level component Xtables that does the actual table traversal and provides an API for kernel-level extensions.

iptables works with Linux kernels 2.4 and 2.6. Older Linux kernels use ipchains (Linux 2.2) and ipfwadm (Linux 2.0).

Operational summary

The Xtables framework, used by ip_tables, ip6_tables and arp_tables, allows the system administrator to define "tables" containing "chains" of "rules" for the treatment of packets. Each table is associated with a different kind of packet processing. Packets are processed by traversing the chains. A rule in a chain can send a packet to another chain, and this can be repeated to whatever level of nesting is desired. Every network packet arriving at or leaving from the computer traverses at least one chain.

The source of the packet determines which chain it traverses initially. There are three "predefined chains" (INPUT, OUTPUT, and FORWARD) in the "filter" table. Predefined chains have a "policy", for example DROP, which is applied to the packet if it reaches the end of the chain. The system administrator can create as many other chains as desired. These chains have no policy; if a packet reaches the end of the chain it is returned to the chain which called it. A chain may be empty.

Each rule in a chain contains the specification of which packets it matches. It may also contain a "target". As a packet traverses a chain, each rule in turn examines it. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target, which may result in the packet being allowed to continue along the chain or it may not.

The packet continues to traverse the chain until either (1) a rule matches the packet and decides the ultimate fate of the packet (for example by calling one of the ACCEPT or DROP targets); or (2) a rule calls the RETURN target, in which case processing returns to the calling chain; or (3) the end of the chain is reached.
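The traversal rules above (match, terminal target, RETURN, jump into a user chain, fall-through to the caller, policy at the end of a predefined chain) can be modelled in a few dozen lines. The following is an added example and not code from the original article or from the netfilter project: packets are plain dicts, matches are Python predicates, the user chain tcp_services and the 10.0.0.0/24 address range are constructed for illustration, and the INPUT/FORWARD chains mirror the workstation firewall in the next section.

```python
# Added example, not code from the original article: a small model of the
# chain traversal described above. Packets are plain dicts and matches are
# Python predicates; the real kernel evaluates match extensions (conntrack
# state, ports, interfaces, ...) but the control flow is the same.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]

@dataclass
class Rule:
    match: Callable[[Packet], bool]  # predicate deciding whether the rule applies
    target: str                      # ACCEPT, DROP, REJECT, RETURN or a user chain name

@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None     # only predefined chains carry a policy

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def traverse(chains: Dict[str, Chain], name: str, pkt: Packet) -> Optional[str]:
    """Walk chain `name`. Returns a terminal verdict, or None if the chain
    ended (or hit RETURN) without deciding the packet's fate."""
    for rule in chains[name].rules:
        if not rule.match(pkt):
            continue                     # no match: examine the next rule
        if rule.target in TERMINAL:
            return rule.target           # fate decided, stop here
        if rule.target == "RETURN":
            return None                  # hand control back to the caller
        # Any other target is a jump into a user-defined chain.
        result = traverse(chains, rule.target, pkt)
        if result is not None:
            return result                # the called chain decided
        # Called chain ran off its end or RETURNed: carry on with the next rule.
    return None

def verdict(chains: Dict[str, Chain], name: str, pkt: Packet) -> str:
    """Final fate of a packet entering predefined chain `name`: a rule's
    verdict, or the chain policy if the end of the chain is reached."""
    result = traverse(chains, name, pkt)
    if result is not None:
        return result
    policy = chains[name].policy
    if policy is None:
        raise ValueError(f"{name} is not a predefined chain and has no policy")
    return policy

def workstation_ruleset() -> Dict[str, Chain]:
    """Constructed ruleset: the workstation firewall from the article's example,
    plus a hypothetical user chain 'tcp_services' to show jumps and RETURN."""
    return {
        "INPUT": Chain(policy="DROP", rules=[
            Rule(lambda p: p.get("in") == "lo", "ACCEPT"),
            Rule(lambda p: p.get("state") in ("RELATED", "ESTABLISHED"), "ACCEPT"),
            Rule(lambda p: p.get("proto") == "tcp", "tcp_services"),   # jump
            Rule(lambda p: True, "REJECT"),
        ]),
        "FORWARD": Chain(policy="DROP"),   # empty chain: the policy decides everything
        "tcp_services": Chain(rules=[
            # ssh only from the (constructed) local 10.0.0.0/24 network
            Rule(lambda p: p.get("dport") == 22
                 and str(p.get("src", "")).startswith("10.0.0."), "ACCEPT"),
            Rule(lambda p: p.get("dport") == 22, "DROP"),       # ssh from elsewhere: silent drop
            Rule(lambda p: p.get("dport") == 443, "RETURN"),    # explicitly let INPUT decide
            Rule(lambda p: p.get("dport", 0) < 1024, "DROP"),   # other privileged ports: drop
            # anything else falls off the end and returns to INPUT implicitly
        ]),
    }

if __name__ == "__main__":
    chains = workstation_ruleset()
    for pkt in (
        {"in": "eth0", "proto": "tcp", "state": "NEW", "dport": 22, "src": "10.0.0.5"},
        {"in": "eth0", "proto": "tcp", "state": "NEW", "dport": 443, "src": "192.0.2.9"},
        {"in": "eth0", "proto": "tcp", "state": "NEW", "dport": 8080, "src": "192.0.2.9"},
        {"in": "eth0", "proto": "icmp", "state": "NEW", "src": "192.0.2.9"},
    ):
        print(pkt, "->", verdict(chains, "INPUT", pkt))
```

A new connection to port 443 is REJECTed by INPUT because tcp_services RETURNs, a connection to port 8080 is REJECTed because tcp_services runs off its end and control returns to INPUT, and a connection to port 80 is silently DROPped inside the user chain; the three outcomes differ only in which of the traversal rules ended the walk.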

Example

This example shows an already-configured workstation firewall. The command "iptables -L" is executed by user root to display the firewall configuration.

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  localhost.localdomain  localhost.localdomain
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The RELATED,ESTABLISHED rule uses connection tracking (stateful filtering) so that most client programs (web browser, ssh, ...) work: replies to connections the workstation itself initiated are accepted even though new inbound connections are not.

$ w3m http://en.wikipedia.org/wiki/Main_Page

(The main Wikipedia web page opens)

The computer does not respond to ping and offers no services. When its ports are scanned, connections are rejected (REJECT) or time out (with DROP).

$ ping -c 1 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.

--- 62.78.243.6 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Trying to connect to the HTTP port (TCP 80):

$ telnet 10.0.0.1 80
Trying 10.0.0.1...
telnet: connect to address 10.0.0.1: Connection refused
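Reviewing a listing like the one above by eye works for three rules but not for a long ruleset. The following is an added example, not code from the original article or from the netfilter project: it parses the plain-text output of "iptables -L" (without -n or -v, the format shown above) into chains and rules and runs two simple review checks over it. The embedded listing is constructed from the article's example; the parser assumes every rule line carries a target.

```python
# Added example, not from the original article: parse the plain-text output of
# "iptables -L" (without -n or -v) into chains and rules and run a couple of
# sanity checks over it. SAMPLE_LISTING is constructed from the article's example.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  localhost.localdomain  localhost.localdomain
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# "Chain NAME (policy X)" for predefined chains, "Chain NAME (N references)" for user chains
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)$")

@dataclass
class Rule:
    target: str
    prot: str
    source: str
    destination: str
    extra: str = ""          # match options printed after the fixed columns

@dataclass
class Chain:
    name: str
    policy: Optional[str]    # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)

def parse_listing(text: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if line.startswith("target "):
            continue                        # column header printed after each chain line
        if current is None:
            raise ValueError(f"rule before any chain header: {line!r}")
        # Fixed columns: target prot opt source destination, then free-form match text.
        # Assumption: every rule has a target; a rule without -j prints a blank target
        # column, which this whitespace split would not handle.
        parts = line.split(None, 5)
        if len(parts) < 5:
            raise ValueError(f"unparseable rule line: {line!r}")
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) == 6 else ""
        current.rules.append(Rule(target, prot, src, dst, extra))
    return chains

def audit(chains: Dict[str, Chain]) -> List[str]:
    """Review checks over a parsed listing: chains that pass everything, and
    catch-all ACCEPT rules that make any later rule in the chain unreachable."""
    findings = []
    for chain in chains.values():
        if chain.policy == "ACCEPT" and not chain.rules:
            findings.append(f"{chain.name}: policy ACCEPT with no rules, traffic is unfiltered")
        for i, rule in enumerate(chain.rules, 1):
            if (rule.target == "ACCEPT" and rule.prot == "all"
                    and rule.source == "anywhere" and rule.destination == "anywhere"
                    and not rule.extra):
                findings.append(f"{chain.name} rule {i}: unconditional ACCEPT, later rules never apply")
    return findings

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for chain in parsed.values():
        print(chain.name, "policy", chain.policy, "rules", len(chain.rules))
    for finding in audit(parsed):
        print("finding:", finding)
```

On the article's listing the only finding is that OUTPUT has policy ACCEPT and no rules, which is the usual workstation choice but worth stating explicitly in a review. In practice "iptables -L -n" (no name resolution) or "iptables-save" gives output that is easier to parse reliably; the plain "-L" format is used here because it is what the article shows.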

Redirection example

This simple example illustrates how to redirect all traffic on the default HTTP port, port 80, to port 8080, allowing the HTTP daemon to run as a non-privileged user, which cannot listen on port numbers below 1024.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

Note: if you launch this command on your computer it will only work for external IP addresses connecting to your machine. Connections from localhost do not traverse the PREROUTING chain in the "nat" table. If you also want this feature to work for local connections, use the following rule:

iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080

which reroutes packets on the loopback (lo) interface from port 80 to port 8080.

Front-ends

* GUI for ufw, a GUI utility for Ubuntu
* [http://www.nufw.org/ NuFW] an authenticating firewall using Netfilter
* [http://www.fwbuilder.org/ Firewall Builder]
* [http://dag.wieers.com/home-made/dwall/ dwall] All-purpose firewall generator
* Firestarter, a graphical firewall frontend which uses the Netfilter framework
* [http://www.softpedia.com/get/Security/Firewall/Solsoft-NetfilterOne.shtml NetfilterOne] A free graphical tool for managing Netfilter's security policy (This software is no longer available directly from Solsoft)
* [http://kmyfirewall.sourceforge.net/ KMyFirewall] KDE/QT based configuration tool
* [http://developer.berlios.de/projects/abyle/ Abyle] a simple iptables script in Python
* [http://rocky.eld.leidenuniv.nl/ arno-iptables-firewall] Easy to set up and configure firewall script for iptables

See also

* Netfilter, the underlying framework for iptables and Xtables
* FireHOL, a GUI-less bash script based firewall which uses a plain text configuration file
* NuFW, a userspace extension to Netfilter
* Shorewall, software to more easily manage iptables
* Untangle, open source software to more easily manage iptables plus many other open source apps like spam blocker, virus blocker, webfilter, and others

External links

* [http://www.netfilter.org/ The netfilter/iptables project Web page]
* [http://www.netfilter.org/documentation/index.html The netfilter/iptables documentation page]
* [http://myy.helia.fi/~karte/iptables_firewall.html A simple iptables firewall script]
* [http://blog.2blocksaway.com/2007/01/03/iptables-explained-get-started-with-iptables-and-tame-the-monster-of-all-firewalls/ Iptables explained in simple terms (Multipart and very extensive)]
* [http://easyfwgen.morizot.net/gen/iptables-info.html Iptables in the Linux 2.4 kernel]
* [http://freshmeat.net/projects/iptables/ Freshmeat project page]
* [http://www.cipherdyne.org/fwsnort/ Translate Snort rules into iptables rules with fwsnort]
* [http://www.cipherdyne.org/psad/ Detect port scans via iptables log messages]

Diagrams

To better understand how a packet traverses the kernel Xtables tables/chains you may find the following diagrams useful:
* http://jengelh.medozas.de/images/nf-packet-flow.png
* http://ornellas.apanela.com/dokuwiki/pub:firewall_and_adv_routing#data_flow_diagram
* http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow9.png
* http://www.shorewall.net/images/Netfilter.png
* http://dmiessler.com/images/DM_NF.png


Wikimedia Foundation. 2010.
