Introduction to the Iptables Firewall Program for Linux

This page gives a quick introduction to the Iptables firewall software for Linux. More details will follow later...

How Iptables Works

The term “iptables” is often used to refer to either the software firewall which is integrated with the Linux OS kernel (and is actually called “netfilter”) — or (more correctly) “iptables” refers to the command-line interface through which the kernel firewall can be configured.

The firewall is built into the Linux kernel in recent versions of Linux, and does not need to run as a separate daemon. It does not appear in the list shown by

sudo service --status-all

Iptables (like any firewall) will block or allow certain types of network traffic, based on sets of pre-configured rules.

The main essential concepts in Iptables are tables, chains, and rules.

Tables

There are 5 main tables in iptables. These are: filter, nat, mangle, raw, and security. The first three are used more often than the other two, and the first table (“filter”) is the most elementary one of them all.

filter is the usual (and default) table which is used for ordinary firewall tasks with no other specialised features that may require one of the other tables. The filter table provides most of the functionality that people think of when considering firewalls.

nat is used for Network Address Translation (NAT) rules, which is where the IP addresses are changed for a NAT system (i.e. where a local network has it’s own set of IP addresses hidden from the main internet, which usually only sees the entire network as one visible IP address).

mangle is used to make changes to packets, when this is required.

raw is used to mark packets for connection tracking.

security is used for SELinux to tag packets, for its functionality.

Chains

Chains are basically points in the route of a packet (through the system) where rules can be applied. There are 5 chains in iptables: PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING. All chains are not applicable to all tables.

PREROUTING is the first one in the order of the packet arrival, etc. The list above is in order from arrival to leaving the machine. All five chains do not apply to all packets, e.g. incoming packets from the outside to the machine itself go through PREROUTING and INPUT (in that order) only. Incoming packets from the outside to another host on the local network go through PREROUTING → FORWARD → POSTROUTING. And locally generated packets leaving the machine go through OUTPUT and then POSTROUTING.

The default table “filter” has three chains available: INPUT, FORWARD, and OUTPUT.

So, the standard order of Iptables chains is INPUT → FORWARD → OUTPUT.

And the full set of all five chains, in order, is PREROUTING → INPUT → FORWARD → OUTPUT → POSTROUTING. Only the mangle table has all five of these chains present.

Basic Essentials

Ipchains can seem quite complex and confusing if you haven't seen or used it before. For basic firewall tasks, start with learning just the filter table and the three chains that it has.

The chains used will also depend on whether the packets are being sent, recieved, or forwarded by the system that Ipchains is running on. This is shown below:

• Incoming packets destined for the local system go through PREROUTING → INPUT.
• Incoming packets destined to go to another host go through PREROUTING → FORWARD → POSTROUTING.
• Locally generated outgoing packets go through OUTPUT → POSTROUTING.

Rules

These are just user-defined commands (literally, they are “rules”) for what the firewall should do with certain classes of packets (as defined in the rule).

Each rule has 2 basic components: (a) the matching component, i.e. what packets will this rule apply to; and (b) the target component, i.e. what will happen to the packet (e.g. to be dropped/blocked or allowed through the firewall).

How a Computer System Could be Secured Using the Iptables Firewall

At the most basic/summary level, a firewall helps to secure a computer system by placing limits on what traffic can enter and exit. This can be utilised in very many ways to improve security.

For example, an incoming firewall can block all requests from a blacklist of IP addresses which have malicious activity. Or from ranges. Or from various protocols which are regarded as dangerous. An outgoing firewall can be set up to only allow traffic from whitelisted sources, such as allowed executables. This means that if a malicious program is installed on a machine, it won’t be able to connect to the internet (unless it happens somehow to be on the whitelist, e.g. by over-writing (replacing) an allowed program.

Firewalls can also be set to log various types of activity (or even all activity, though this is generally excessive, and would generate an unwieldly log size). The logs can then be used for determining if there are threats which may not be otherwise detected, and also for analysing any attacks which have been found by other means (either successful or unsuccessful attacks).

Firewalls which can inspect packets are more “intelligent” than older, simpler firewall technology which would blindly accept or reject packets based on very simple rules. Packet inspecting is often called “SPI” for Stateful Packet Inspection – though this is a broad term and can mean a wide range of different abilities to fine tune what gets accepted or rejected based on the “inspection” that the firewall does of the data packets as the pass through it. Iptables is an example of an SPI type of firewall.

The “stateful” in SPI is the other possibility to “stateless”. A stateless firewall only considers each packet on its own, independently of the other packets in the data stream. A stateful firewall (such as iptables) can take into consideration the packet within its broader context of the other packets in the stream, which gives additional information that can be used to determine how the firewall should act on those packets. This means that it’s more useful for security, as a broader and more complex set of threats can be blocked, and also detected and reported to the system administrator(s).

Another feature which some firewalls can do is “sandboxing”, where certain types of network traffic are sent to a “sandbox” which is a separated-off environment which is kept from access to the rest of the system, and therefore any malicious code or activity can only get as far as the sandbox, without affecting the rest of the system.

Examples of Using the Iptables Firewall

Here are some examples of using Iptables in Kali Linux:

To check the existing rules, the command is

sudo iptables –L –n –v

The first part of this screenshot shows the output of this command on a freshly installed system with nothing extra set up in Iptables:

Examples of using Iptables in Kali Linux.

Using the IPtables Firewall to Block a Specific IP Address

The command below can be used to block a specific IP address. You can see it being used in the middle of the screenshot above (note that the first attempt to add a rule to Iptables in the screenshot fails because I forgot to type sudo first — you need root permissions to do this):

(The -A option will append the new rule to whatever is already there in the selected chain.)

sudo iptables -A INPUT -s 100.100.100.100 -j DROP

where 100.100.100.100 is the IP address you want to drop all packets from.

The lower part of the above screenshot shows the Iptables rules after adding a rule to block everything from 100.100.100.100.

Using the IPtables Firewall to Block a Specific IP Address and Protocol

To block a specfic protocol only, the -p option can be used, like this:

sudo iptables -A INPUT -p tcp -s 100.100.100.100 -j DROP

This can be seen at the top of the screenshot below, along with the new list of rules. Note that the rule we added just before (to block everything from 100.100.100.100 is still there).

Example 2 of using Iptables in Kali Linux.

The -D option can be used to delete a rule which is no longer wanted (e.g. the first rule above to block everything from 100.100.100.100, which would not be wanted if we only want to block TCP traffic from 100.100.100.100 and not everything). This can be seen in the middle of the screenshot above. The bottom of the screenshot above shows the new confuguration of the Iptables rules after deleting the first rule.

Using the IPtables Firewall to Block Outgoing Connections On a Specific Port

To block outgoing (rather than incoming) connections, the OUTPUT chain is used. This command will block outgoing TCP connections on port 22:

sudo iptables -A OUTPUT -p tcp --dport 22 -j DROP

The new Iptables rules after this command are shown at the top of the screenshot below:

Example 3 of using Iptables in Kali Linux.

Using the IPtables Firewall to Block Outgoing Connections On a Specific Port

To explicitly allow a certain type of connection, make a new rule for it. For example, this rule will allow incoming TCP connections on port 22:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

This command and the new set of Iptables firewall rules can be seen in the lower part of the screenshot above.

Cover image by Shutterstock

Share This Page

If you liked this page, please share it with others! You can use the links to share on Facebook, Twitter, LinkedIn, Pinterest, and Email. Ther is also an RSS feed to get updates for the website.