Friday, August 2, 2013

Linux Firewall Tutorial: IPTables Tables, Chains, Rules Fundamentals


The iptables firewall is used to manage packet filtering and NAT rules. iptables comes with all Linux distributions. Understanding how to set up and configure iptables will help you manage your Linux firewall effectively.
The iptables tool is used to manage the Linux firewall rules. At first look, iptables might look complex (or even confusing). But once you understand the basics of how iptables works and how it is structured, reading and writing iptables firewall rules will be easy.
This article is part of an ongoing iptables tutorial series. This is the 1st article in that series.
This article explains how iptables is structured, and covers the fundamentals of iptables tables, chains and rules.
At a high level, iptables can contain multiple tables. Tables can contain multiple chains. Chains can be built-in or user-defined. Chains can contain multiple rules. Rules are defined for the packets.
So the structure is: iptables -> Tables -> Chains -> Rules. This is shown in the following diagram.


Fig: IPTables Table, Chain, and Rule Structure

Just to reiterate: tables are a bunch of chains, and chains are a bunch of firewall rules.

I. IPTABLES TABLES and CHAINS

IPTables has the following 4 built-in tables.

1. Filter Table

Filter is the default table for iptables. So, if you don't specify a table, you'll be using the filter table. The filter table has the following built-in chains.
This is the core table of the firewall: it filters or allows packets according to the given rules.

  • INPUT chain – Incoming to firewall. For packets coming to the local server. Responsible for filtering packets coming from outside to the firewall host itself.
  • OUTPUT chain – Outgoing from firewall. For packets generated locally and going out of the local server. Filtering of packets leaving the firewall host itself for the outside.
  • FORWARD chain – Packet for another NIC on the local server. For packets routed through the local server. Filtering of packets that pass through the firewall toward other servers it protects, and of packets from internal servers going out through the firewall.

2. NAT table


The iptables NAT table has the following built-in chains.
It does not filter packets. Its job is to forward packets addressed to the firewall on to other addresses in the internal network the firewall protects, and to rewrite the IP address when traffic from the internal network leaves through the firewall for the external network.

  • PREROUTING chain – Alters packets before routing. Mainly used to forward packets arriving from outside to an internal server protected by the firewall, for example when a server runs on a private IP but must be reachable from outside. This is used for DNAT (destination NAT).
  • POSTROUTING chain – Alters packets after routing. Used when traffic from the internal network goes out through the firewall, for example an office using private IPs that shares a single public IP for Internet access; in other words, the firewall acts as a home router. This is used for SNAT (source NAT).
  • OUTPUT chain – NAT for locally generated packets on the firewall.

3. Mangle table

The iptables Mangle table is for specialized packet alteration. This alters the QoS bits in the TCP header. The Mangle table has the following built-in chains.
  • PREROUTING chain
  • OUTPUT chain
  • FORWARD chain
  • INPUT chain
  • POSTROUTING chain

4. Raw table

The iptables Raw table is for configuration exemptions. The Raw table has the following built-in chains.
  • PREROUTING chain
  • OUTPUT chain
The following diagram shows the three important tables in iptables.

Fig: IPTables built-in tables

II. IPTABLES RULES

Following are the key points to remember for iptables rules.
  • Rules contain criteria and a target.
  • If the criteria are matched, the packet goes to the chain named in the target, or the special target value is executed.
  • If the criteria are not matched, evaluation moves on to the next rule.

Target Values

Following are the possible special values that you can specify in the target.
  • ACCEPT – Firewall will accept the packet.
  • DROP – Firewall will drop the packet.
  • QUEUE – Firewall will pass the packet to the userspace.
  • RETURN – Firewall will stop executing the next set of rules in the current chain for this packet. The control will be returned to the calling chain.
If you run iptables --list (or) service iptables status, you'll see all the available firewall rules on your system. The following iptables example shows that there are no firewall rules defined on this system. As you see, it displays the default filter table, with the default INPUT chain, FORWARD chain, and OUTPUT chain.

# iptables -t filter --list
Chain INPUT (policy ACCEPT)  
target     prot opt source               destination       

Chain FORWARD (policy ACCEPT)  
target     prot opt source               destination       

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  


Do the following to view the mangle table.
# iptables -t mangle --list  


Do the following to view the nat table.
# iptables -t nat --list  


Do the following to view the raw table.
# iptables -t raw --list  

Note: If you don't specify the -t option, it will display the default filter table. So, both of the following commands are the same.

# iptables -t filter --list
(or)
# iptables --list  

The following iptables example shows that there are some rules defined in the INPUT, FORWARD, and OUTPUT chains of the filter table.

# iptables --list  
Chain INPUT (policy ACCEPT)  
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0   0.0.0.0/0    


Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination 
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0   0.0.0.0/0    


Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination  



Chain RH-Firewall-1-INPUT (2 references)  
num  target     prot opt source               destination  
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0  
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0 icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0  
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0  
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251 udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0 udp dpt:631  
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0 tcp dpt:631  
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0 state RELATED,ESTABLISHED  
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0 state NEW tcp dpt:22  
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0 reject-with icmp-host-prohibited  


The rules in the iptables --list command output contain the following fields:
  • num – Rule number within the particular chain
  • target – Special target value that we discussed above, or the name of a user-defined chain to jump to
  • prot – Protocol: tcp, udp, icmp, etc.
  • opt – Special options for that specific rule
  • source – Source IP address of the packet
  • destination – Destination IP address of the packet
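As an added example (not code from the original article), the following Python parses the iptables --list output above into the fields just listed and then walks a packet through the chains the way the rule points in section II describe: the first matching rule decides, a user-defined chain as target is a jump, RETURN or running off the end of a user chain hands control back to the calling chain, and running off the end of a built-in chain applies its policy. The sample listing, the packet fields and the function names are constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the page's "iptables --list" output, abridged. RH-Firewall-1-INPUT
# rule 1 is omitted because --list without -v hides its interface match (it would
# otherwise read here as "accept everything").
LISTING = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0   0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0 state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0 state NEW tcp dpt:22
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0 reject-with icmp-host-prohibited
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)$")
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
FIELDS = ("num", "target", "prot", "opt", "source", "destination", "extra")
TERMINAL = {"ACCEPT", "DROP", "REJECT", "QUEUE"}   # verdicts that end evaluation

def parse_listing(text):
    # {chain: {"policy": ..., "rules": [...]}}; user-defined chains get policy None
    chains, current = {}, None
    for line in text.splitlines():
        if m := CHAIN_RE.match(line):
            current = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
        elif current and (m := RULE_RE.match(line)):     # skips the column-header line
            current["rules"].append(dict(zip(FIELDS, m.groups())))
    return chains

def matches(rule, pkt):
    # Criteria: protocol, src/dst network, and "state A,B" / "dpt:N" in the last column
    extra = rule["extra"].split()
    state_ok = "state" not in extra or pkt["state"] in extra[extra.index("state") + 1].split(",")
    dpt = next((int(e[4:]) for e in extra if e.startswith("dpt:")), pkt["dport"])
    return (rule["prot"] in ("all", pkt["proto"]) and state_ok and dpt == pkt["dport"]
            and all(ip_address(pkt[k]) in ip_network(rule[k]) for k in ("source", "destination")))

def verdict(chains, name, pkt):
    # First match decides; a user-chain target jumps; RETURN or the end of a user chain
    # resumes the caller at its next rule; the end of a built-in chain gives its policy.
    chain = chains[name]
    for rule in (r for r in chain["rules"] if matches(r, pkt)):
        if rule["target"] in TERMINAL:
            return rule["target"]
        if rule["target"] == "RETURN":
            return chain["policy"]
        if rule["target"] in chains and (v := verdict(chains, rule["target"], pkt)):
            return v
    return chain["policy"]
```

A packet is a dict with proto, dport, state, source and destination keys; verdict(parse_listing(LISTING), "INPUT", pkt) returns the final target for it.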

# Addition - iptables rules are reset when the system reboots, so each time you set a rule you need to keep a record of it.

Resolution

In order to avoid losing rules during an iptables restart, you need to save them before the restart.

Save them to a text file:
# iptables-save > iptables_save.txt

If using this method, you will need to restore the rules after the restart (load them back after rebooting):
# iptables-restore < iptables_save.txt
