iptables

Used to configure the IP packet filter rules of the Linux kernel firewall.

iptables  -> IPv4
ip6tables -> IPv6
arptables -> ARP
ebtables  -> Ethernet frames

iptables allows the system administrator to define tables containing chains of rules for the treatment of packets. A chain does not exist by itself; it belongs to a table. There are three tables: nat, filter, and mangle.

Commands to check the iptables rules :

iptables -L -v -n
// -L lists the rules, -v adds packet & byte counters, -n shows addresses and ports numerically
iptables -t filter -L -v -n
iptables -t nat -L -v -n

Commands to accept/block certain types of connections :

// Block all connections from the IP address 10.10.10.10
iptables -A INPUT -s 10.10.10.10 -j DROP

// Block all connections from IP addresses in the 10.10.10.0/24 network range
iptables -A INPUT -s 10.10.10.0/24 -j DROP
OR
iptables -A INPUT -s 10.10.10.0/255.255.255.0 -j DROP

// Block SSH connections from 10.10.10.10
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP

// To block a connection that uses UDP instead, give -p udp in place of -p tcp

// Block SSH connections from any IP address
iptables -A INPUT -p tcp --dport ssh -j DROP

// Allowing the internal (eth1) network to access the external network (eth0)
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

// dropping invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

// Allow incoming rsync connections from a specific IP address or subnet,
// e.g. to let the entire 203.0.113.0/24 subnet rsync to your server
// rsync listens on port 873
iptables -A INPUT -p tcp -s 203.0.113.0/24 --dport 873 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 873 -m conntrack --ctstate ESTABLISHED -j ACCEPT
// the second rule allows the outgoing (reply) traffic of those rsync connections


// Allowing all incoming HTTP & HTTPS
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
// the replies leave with source port 80/443, so the OUTPUT rule matches on --sports (not --dports)
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Three different types of chains :

-> Input : used to control the behavior of incoming connections.
-> Forward : used for incoming connections that aren't actually being delivered locally. Think of a router - data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target.
-> Output : used for outgoing connections.

Caveat :

Even though pinging an external host seems like something that would only need to traverse the output chain, keep in mind that to return the data, the input chain will be used as well. When using iptables to lock down your system, remember that a lot of protocols require two-way communication, so both the input and output chains need to be configured properly. SSH (port 22) is a common protocol that people forget to allow on both chains.

Connection-specific responses :

-> Accept : allow the connection.
-> Drop : drop the connection, act like it never happened. Best if we don't want the source to realize that our system exists.
-> Reject : don't allow the connection, send back an error. This is best if you don't want a particular source to connect to your system, but you want them to know that your firewall blocked them.

Connection States :

As we mentioned earlier, a lot of protocols require two-way communication. For example, if you want to allow SSH connections to your system, the input and output chains both need a rule added to them. But what if you only want SSH coming into your system to be allowed? Won't adding a rule to the output chain also allow outgoing SSH attempts?

That's where connection states come in: they give you the capability to allow two-way communication while only allowing connections to be established in one direction. Take a look at this example, where SSH connections FROM 10.10.10.10 are permitted, but SSH connections TO 10.10.10.10 are not. However, the system is permitted to send back information over SSH as long as the session has already been established, which makes SSH communication possible between these two hosts.

iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT
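The following script puts the points above together (default-deny policies, INVALID packets dropped, replies admitted by connection state, SSH only from one host, HTTP/HTTPS open to all) as one ruleset in iptables-restore format. It is an added example, not part of the original notes; the admin host 10.10.10.10 and the service ports come from the notes, while the outbound DNS rule and the output file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): build a complete, stateful
# filter-table ruleset in iptables-restore(8) format. Nothing is applied here,
# so it runs without root; apply it separately once reviewed.
# Assumption (hypothetical): 10.10.10.10 is the only host that may open SSH.
ADMIN_HOST="${ADMIN_HOST:-10.10.10.10}"

# Print the ruleset to stdout.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is used by many local services; always allow it.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Packets that belong to no known connection are dropped first.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to connections already accepted, in both directions.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH: only NEW connections from the admin host. Replies are covered by the
# ESTABLISHED rule above, so no outgoing SSH can be opened from this box.
-A INPUT -p tcp --dport 22 -s $ADMIN_HOST -m conntrack --ctstate NEW -j ACCEPT
# Web service open to everyone; replies again leave via the ESTABLISHED rule.
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Assumed: the host itself may start DNS lookups (NEW outbound UDP/53 only).
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Count the rules that ACCEPT a NEW connection: a quick measure of exposure.
count_new_accepts() {
    build_ruleset | grep -c -- '--ctstate NEW .*-j ACCEPT'
}

# Stand-alone use: write the ruleset to a file (assumed path) for review.
build_ruleset > /tmp/filter.rules
echo "wrote /tmp/filter.rules ($(count_new_accepts) rules admit NEW connections)"
```

Check the file with `iptables-restore --test < /tmp/filter.rules` before loading it with `iptables-restore`, since the default-DROP policies cut off every connection not explicitly allowed.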
