Linux Box Admin
Trusted Remote Administration
Iptables
Wednesday, 07 March 2007

Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.

If the box is to route or forward packets at all (NAT, port forwarding), enable IP forwarding in the kernel (the value resets to 0 at reboot unless it is also set in /etc/sysctl.conf):
echo "1" > /proc/sys/net/ipv4/ip_forward

Here is the general syntax for iptables commands:
iptables -t table -[ADC] chain rule-specification [options]

-A, -D and -C append, delete, or change a rule respectively. The -t table is one of filter (the default), nat, or mangle.

Packets traverse a chain's rules in order; the first matching rule decides, through its jump (-j) option, whether the packet is sent to another (user-defined) chain or handled immediately by one of four built-in targets (ACCEPT, DROP, QUEUE, or RETURN). If no rule in a built-in chain matches, the chain's default policy decides.

Meaning of targets:

  • ACCEPT means to let the packet through.
  • DROP means to silently discard the packet; the sender gets no response.
  • QUEUE means to pass the packet to userspace (if supported by the kernel).
  • RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain.

Each of the main kernel tables has a fixed number of chains where rules can be applied:

  1. filter (default)
    1. INPUT (for packets destined for the box itself)
    2. FORWARD (for packets being routed through the box)
    3. OUTPUT (for locally-generated packets)
  2. nat (masquerading)
    1. PREROUTING (for altering packets as soon as they come in)
    2. OUTPUT (for altering locally-generated packets before routing)
    3. POSTROUTING (for altering packets as they are about to go out)
  3. mangle (special processing)
    1. PREROUTING (for altering incoming packets before routing)
    2. OUTPUT (for altering locally-generated packets before routing)
    3. INPUT (kernel >= 2.4.18)
    4. FORWARD (kernel >= 2.4.18)
    5. POSTROUTING (kernel >= 2.4.18)

To save the current iptables rules to a file:

iptables-save > firewall-rules.txt

To restore saved iptables rules from a file (the saved ruleset replaces the current one in a single atomic step):

iptables-restore < firewall-rules.txt

To clear (flush) all rules for the filter table:

iptables -F -t filter

To list all rules currently in effect for the filter table:

iptables -L

To list all rules currently in effect for the nat table:

iptables -t nat -L

To blacklist an IP (drop all incoming packets from that IP):

iptables -t filter -A INPUT -i eth0 --source 1.2.3.4 -j DROP

To port forward SMTP (TCP port 25) arriving for the public address to an internal mail server (if the FORWARD chain does not accept by default, a FORWARD rule must also allow the translated traffic):

iptables -t nat -A PREROUTING --destination 64.14.241.55 -p tcp --dport 25 -j DNAT --to-destination 10.0.1.9

To masquerade outbound traffic from the internal network (traditional NAT):

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To delete rule 4 from the PREROUTING chain of the nat table:

iptables -t nat -D PREROUTING 4
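A worked example added here, not part of the original how-to: the commands above combined into one ruleset file in the format iptables-save writes and iptables-restore reads, with a default-deny filter policy and stateful matching so that only the DNAT'd SMTP connections and the LAN's masqueraded traffic are forwarded. The interface, the addresses (taken from the page's placeholders), the LAN network and the remote-admin port are assumptions.

```shell
#!/bin/sh
# Added example, not from the original how-to: builds one ruleset file in the
# format iptables-save writes and iptables-restore reads, combining the page's
# commands (ip_forward, blacklist, SMTP DNAT, MASQUERADE) with a default-deny
# filter policy and stateful matching. Assumed (placeholder) values below.
WAN_IF=${WAN_IF:-eth0}                    # external interface
PUBLIC_IP=${PUBLIC_IP:-64.14.241.55}      # public address SMTP arrives on
MAIL_HOST=${MAIL_HOST:-10.0.1.9}          # internal mail server
LAN_NET=${LAN_NET:-10.0.1.0/24}           # internal network to masquerade
BLACKLIST=${BLACKLIST:-1.2.3.4}           # space-separated source IPs to drop
ADMIN_PORT=${ADMIN_PORT:-22}              # keep remote admin reachable

r() { printf '%s\n' "$*"; }   # emit one line of the ruleset

# Write the complete ruleset to the file named in $1.
build_ruleset() {
    {
        r '*filter'
        r ':INPUT DROP [0:0]'      # default deny: unmatched packets are dropped
        r ':FORWARD DROP [0:0]'
        r ':OUTPUT ACCEPT [0:0]'
        r '-A INPUT -i lo -j ACCEPT'
        for ip in $BLACKLIST; do   # blacklisted sources dropped before anything else
            r "-A INPUT -i $WAN_IF -s $ip -j DROP"
            r "-A FORWARD -i $WAN_IF -s $ip -j DROP"
        done
        r '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        r "-A INPUT -i $WAN_IF -p tcp --dport $ADMIN_PORT -m state --state NEW -j ACCEPT"
        r '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
        # Only the DNAT'd SMTP connections may be forwarded in from the WAN...
        r "-A FORWARD -i $WAN_IF -d $MAIL_HOST -p tcp --dport 25 -m state --state NEW -j ACCEPT"
        # ...and only the LAN may be forwarded out.
        r "-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT"
        r 'COMMIT'
        r '*nat'
        r ':PREROUTING ACCEPT [0:0]'
        r ':POSTROUTING ACCEPT [0:0]'
        r ':OUTPUT ACCEPT [0:0]'
        r "-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport 25 -j DNAT --to-destination $MAIL_HOST"
        r "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
        r 'COMMIT'
    } > "$1"
}

# Enable forwarding and load the file atomically (run as root; replaces the live rules).
apply_ruleset() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables-restore < "$1"
}
```

Run build_ruleset first and review the file with iptables-restore -t (parse only, do not commit) before calling apply_ruleset, so a typo cannot leave the box without rules.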

Copyright © 2006,2007 Linux Box Admin.