iptables

This is just my quick-reference for the kernel 2.4 "iptables" tool from
the netfilter framework.

Current set of default tables:

filter (default table; where packets are accepted or dropped): Starts with built-in chains:
INPUT: Arriving, destined for this host.
FORWARD: Being routed through this host.
OUTPUT: Locally generated.

nat (consulted only for the first packet of each new connection; the NAT
decision taken there is then applied to every later packet of that
connection): Starts with built-in chains:
PREROUTING: Arriving, before routing (destination NAT).
OUTPUT: Locally generated (destination NAT).
POSTROUTING: Exiting, after routing (source NAT, masquerading).

mangle (specialised packet alteration, e.g. TOS, TTL, marks): Starts with built-in chains:
PREROUTING: Incoming, before routing.
INPUT: Arriving, destined for this host.
FORWARD: Being routed.
OUTPUT: Locally generated.
POSTROUTING: Exiting, after routing.
(mangle only had PREROUTING and OUTPUT before kernel 2.4.18; the other
three chains were added then.)

The admin can create, delete and rename additional user-defined chains
in any table ("-N", "-X", "-E").

Each chain is a list of rules consulted in order (hence "chain") until
one's criteria match. If no rule matches, the chain's default policy
applies, set with the "-P" option. Policies exist only for built-in
chains, and a policy may only be ACCEPT or DROP. Each rule has:
criterion: Which packets it matches.
target: What happens to a matching packet ("-j"): jump into a
user-defined chain, or one of the special targets ACCEPT (let it
through, stop traversing), DROP (discard it silently, stop traversing),
QUEUE (hand it to a userspace program), or RETURN (stop traversing
this chain; in a user-defined chain, continue at the rule after the one
that jumped here; in a built-in chain, apply the policy). A rule with
no target only updates its packet/byte counters and traversal continues
with the next rule. Reaching the end of a user-defined chain without a
verdict behaves like RETURN.
Within a chain rules are numbered from 1, and the number can be used to
insert before ("-I chain n"), replace ("-R chain n") or delete
("-D chain n") a rule. Numbers shift whenever a rule above them is
inserted or deleted, so re-list ("-L --line-numbers") before using one.

Rulesets live in kernel memory and are lost at reboot. iptables-save
writes the current rules of all tables to stdout in a text format, and
iptables-restore reloads that text from stdin, replacing each table in a
single step rather than rule by rule, so there is no window in which a
half-loaded ruleset is active.

Many of the more interesting features, such as stateful inspection via
connection tracking, are provided by match extensions loaded on demand
with "-m" (and target extensions with "-j"). The first rule below lets
packets belonging to an already-tracked connection through; the second
logs whatever reaches it, with the limit match capping the log rate so a
flood cannot fill the disk. A LOG rule never terminates traversal, so
put it last, just before the chain's policy or a final DROP takes over.

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
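To see what that LOG rule actually produces and turn it into something a person can act on, here is an added example that is not from the page: a small shell/awk summariser run over constructed kernel-log lines. The lines follow the format the LOG target writes (the prefix, then IN= OUT= SRC= DST= ... PROTO= SPT= DPT= fields); the hostname, timestamps and addresses are made up for the example, and the sshd line is there only to show that unrelated log lines are skipped.

```shell
#!/bin/sh
# Added example (not from the page): summarise LOG-target output.

# Constructed sample of /var/log/messages lines. Three TCP SYNs from one
# source to three internal hosts, one UDP packet, one ICMP echo request
# (no DPT field), and one unrelated sshd line.
sample_log() {
    cat <<'EOF'
Mar  3 10:01:12 fw kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40322 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:13 fw kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40323 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:40 fw kernel: IPT FORWARD packet died: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.9 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4121 PROTO=UDP SPT=1025 DPT=53 LEN=56
Mar  3 10:01:55 fw kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=17 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Mar  3 10:02:02 fw kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.12 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40324 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:02:30 fw sshd[1201]: Accepted publickey for admin from 192.168.1.50 port 51022 ssh2
EOF
}

# Read log lines on stdin; keep only those carrying our --log-prefix.
# Group by source address, protocol and destination port, count packets
# and distinct destination hosts, and print the busiest group first:
#   "<packets> <src> <proto> <dport> targets=<distinct DST count>"
# A source hitting the same port on many hosts (targets > 1) is the
# classic sweep signature.
summarise_drops() {
    prefix="${1:-IPT FORWARD packet died: }"
    awk -v pfx="$prefix" '
        index($0, pfx) == 0 { next }          # not one of our LOG lines
        {
            src = proto = dpt = "-"            # ICMP has no DPT field
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")        src   = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT")   dpt   = kv[2]
                else if (kv[1] == "DST")   dst   = kv[2]
            }
            key = src " " proto " " dpt
            n[key]++
            if (!seen[key, dst]++) t[key]++   # first time this DST for key
        }
        END { for (k in n) printf "%d %s targets=%d\n", n[k], k, t[k] }
    ' | sort -rn
}

# Usage: sample_log | summarise_drops
# or, on a real box: grep "IPT FORWARD" /var/log/messages | summarise_drops
```

The awk program depends only on the KEY=VALUE layout, so the same function works on lines from INPUT or OUTPUT LOG rules with a different prefix passed as its first argument.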

Anti-spoofing: drop packets that arrive on the Internet interface yet
claim a private (RFC 1918) source address, which can never be
legitimate there. (These lines come from a script that sets $IPTABLES
and $INET_IFACE.)
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
Note that the nat table is consulted only for the first packet of a
connection, so it is an unusual place to filter; the same three rules in
the filter table's INPUT and FORWARD chains (or a user chain both jump
to) are the conventional placement.

## Create a chain that drops new connections unless they come from inside
## (eth0 being the Internet-facing interface; the original kernel-2.4-era
## spelling of the negation was "-i ! eth0", which later iptables
## versions reject in favour of "! -i eth0").
# iptables -N block
# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A block -m state --state NEW ! -i eth0 -j ACCEPT
# iptables -A block -j DROP
## Jump to that chain from the INPUT and FORWARD chains.
# iptables -A INPUT -j block
# iptables -A FORWARD -j block

Type of Service (TOS) prioritisation: to keep interactive ssh responsive
while HTTP bulk transfers use the remaining bandwidth, mark packets
coming back from ssh servers (source port 22) Minimize-Delay and those
from web servers (source port 80) Maximize-Throughput, in the mangle
table before routing:

# /sbin/iptables -A PREROUTING -t mangle -p tcp --sport ssh \
    -j TOS --set-tos Minimize-Delay

# /sbin/iptables -A PREROUTING -t mangle -p tcp --sport http \
    -j TOS --set-tos Maximize-Throughput

The names ssh and http are resolved through /etc/services. Setting TOS
only helps if something downstream honours it: the default pfifo_fast
qdisc on the outgoing interface maps TOS to its three bands, but it is a
hint, and routers beyond this box may ignore or rewrite the field.
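Putting the pieces above together (tables and chains, policies, the user-defined "block" chain, the anti-spoofing drops, the rate-limited LOG, the TOS rules, and iptables-save/iptables-restore), here is an added example script that is not from the page: it emits the whole ruleset in the text format iptables-restore reads and loads it with a rollback timer, so a rule that locks you out of a remote box undoes itself. Assumptions not stated on the page: the Internet interface is eth0 unless $INET_IFACE or the first argument says otherwise, the rules file path is /etc/iptables.rules, the anti-spoofing drops live in the filter table rather than nat, and the LOG rule sits inside the block chain just before its DROP so that it actually sees the packets being dropped.

```shell
#!/bin/bash
# Added example (not from the page): generate and atomically load a ruleset.
INET_IFACE="${INET_IFACE:-eth0}"                 # assumed Internet-facing interface
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"  # assumed save location

# Emit the complete ruleset in iptables-save format on stdout.
# Each table is a "*name" block ending in COMMIT; ":CHAIN POLICY [pkts:bytes]"
# declares a chain before any rule may reference it, and "-" as the policy
# marks a user-defined chain. Lines starting with "#" are ignored on restore.
gen_ruleset() {
    iface="${1:-$INET_IFACE}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:antispoof - [0:0]
:block - [0:0]
# Anti-spoofing in the filter table (nat sees only a connection's first
# packet): RFC 1918 sources never legitimately arrive on the Internet side.
-A antispoof -i ${iface} -s 192.168.0.0/16 -j DROP
-A antispoof -i ${iface} -s 10.0.0.0/8 -j DROP
-A antispoof -i ${iface} -s 172.16.0.0/12 -j DROP
# The "block" chain from the page: keep established traffic and new
# connections that do not arrive from the Internet, log and drop the rest.
-A block -m state --state ESTABLISHED,RELATED -j ACCEPT
-A block -m state --state NEW ! -i ${iface} -j ACCEPT
-A block -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level debug --log-prefix "IPT FORWARD packet died: "
-A block -j DROP
# Built-in chains only jump; their DROP policy is the safety net.
-A INPUT -j antispoof
-A INPUT -j block
-A FORWARD -j antispoof
-A FORWARD -j block
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# TOS marking from the page, with numeric ports so no /etc/services lookup.
-A PREROUTING -p tcp --sport 22 -j TOS --set-tos Minimize-Delay
-A PREROUTING -p tcp --sport 80 -j TOS --set-tos Maximize-Throughput
COMMIT
EOF
}

# Save the running rules, load the new ones (iptables-restore swaps each
# table in one kernel call, so no half-applied state is ever active), then
# wait up to $1 seconds for an operator to confirm. No confirmation, e.g.
# because the new rules cut the ssh session, means the old rules go back.
apply_ruleset() {
    timeout="${1:-30}"
    backup="$(mktemp)" || return 1
    iptables-save > "$backup" || { rm -f "$backup"; return 1; }
    gen_ruleset > "$RULES_FILE" || { rm -f "$backup"; return 1; }
    if ! iptables-restore < "$RULES_FILE"; then
        echo "restore failed; previous rules still active" >&2
        rm -f "$backup"
        return 1
    fi
    echo "New rules loaded. Press Enter within ${timeout}s to keep them." >&2
    if read -r -t "$timeout" _; then
        rm -f "$backup"
        return 0
    fi
    iptables-restore < "$backup"
    rm -f "$backup"
    echo "No confirmation; previous rules restored." >&2
    return 1
}

# Usage:  ./fw.sh print [iface]   -> show the ruleset that would be loaded
#         ./fw.sh apply [seconds] -> load it with a rollback timer (as root)
case "${1:-}" in
    print) gen_ruleset "${2:-}" ;;
    apply) apply_ruleset "${2:-30}" ;;
esac
```

Running "print" first and diffing against "iptables-save" output is a cheap review step before "apply"; the rollback timer is the same idea the iptables-apply helper shipped with later iptables releases implements.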

Netfilter architecture
Block diagram (which tables hook into each chain, in traversal order):

   --->PREROUTING-->[ROUTE]--->FORWARD---------->POSTROUTING------>
       Conntrack    |          Mangle     ^      Mangle
       Mangle       |          Filter     |      NAT (Src)
       NAT (Dst)    |                     |      Conntrack
       (QDisc)      |                  [ROUTE]
                    v                     |
                  INPUT Filter          OUTPUT Conntrack
                    | Conntrack           ^  Mangle
                    | Mangle              |  NAT (Dst)
                    v                     |  Filter
                    >- local processes ->-

Reading it left to right: a packet from the network passes PREROUTING
(conntrack, mangle, destination NAT), then the routing decision sends it
either through FORWARD (mangle, filter) and POSTROUTING (mangle, source
NAT) back out, or through INPUT (filter, conntrack, mangle) to a local
process. Locally generated packets pass OUTPUT (conntrack, mangle,
destination NAT, filter), their own routing decision, and POSTROUTING.