Concept and usage of iptables in the Linux firewall

Source: Internet
Author: User

A typical firewall host has two NICs, one facing the inside and one facing the outside. iptables reads the headers of inbound and outbound packets, compares them with the configured rule set, and forwards accepted packets from one network adapter to the other. Rejected packets can be discarded or handled as the rules define.
You control packet filtering by giving the firewall rules that say what to do with packets from a given source, to a given destination, or of a given protocol. The iptables command creates these rules and adds them to a chain in one of the packet-filtering tables in kernel space. The general syntax for adding, removing and editing rules is:
iptables [-t table] command [match] [target]
In practice this is the order most rules are written in, because it is the easiest to read, so rules written by others will usually follow it too.
If you do not want the default table, you must name the table with [-t table]. Usually you do not need to specify one, because iptables uses the filter table by default. The table name can in fact appear almost anywhere in the rule, but putting it first is the accepted convention. The command is always placed first or directly after the table name; beyond that, readability should decide the order.
The command tells iptables what to do: insert a rule, append a rule to the end of a chain, delete a rule, and so on. The commands are described in detail below.
The match describes a specific property of a packet that distinguishes it from all other packets: its source IP address, network interface, port, protocol type, or something else. Many different matches are shown below.
Finally, the target is what happens to a packet that satisfies every match in the rule: the kernel either handles the packet as the target says or hands it to the target. For example, the kernel can send the packet to another chain in the same table (possibly one we created ourselves), drop it without further processing, or return a specific response to the sender. The following sections discuss these options one by one:
Table
The [-t table] option selects a table other than the default. A table is a packet-filtering table containing rules and chains that process only certain kinds of packets. Three tables are available: filter, nat and mangle. The option is not required; if it is omitted, filter is used. The function of each table is described below.
Filter
The filter table is where packets are filtered. We can match packets here at any point and DROP or ACCEPT them based on their contents. Some filtering can also be done elsewhere, but this table is designed for it, and almost all targets can be used here.
Nat
The nat table is used for Network Address Translation (NAT). The addresses of packets that undergo NAT are rewritten, according to our rules. Only the first packet of a stream passes through this table.
If that first packet is accepted for NAT or masquerading, the remaining packets of the stream are handled the same way automatically; they do not pass through this table again. This is the main reason not to do any filtering in this table. The PREROUTING chain changes a packet's destination address, if required, as soon as it reaches the firewall; the OUTPUT chain changes the destination address of locally generated packets.
The POSTROUTING chain changes the source address just before a packet leaves the firewall. This table is used only for NAT, that is, for translating the source or destination address of packets. Note again that only the first packet of a stream is matched by these chains; subsequent packets are processed automatically in the same way. The actual operations are:
◆ DNAT
◆ SNAT
◆ MASQUERADE
DNAT is used when you have a single valid IP address and need to redirect access to the firewall to another machine (in a DMZ, for example). In other words, we change the destination address so that the packet can be rerouted to that host.
SNAT changes the source address of the packet, which hides your local network or DMZ very effectively. A typical example: the Internet knows only the external address of the firewall, so local network addresses must be replaced with it. With this operation the firewall automatically performs SNAT and De-SNAT (reverse SNAT) on packets so that the LAN can reach the Internet.
If you used an address like 192.168.0.0/24 unchanged, you would receive no response from the Internet, because IANA defines that network (and others) as private and usable only within a LAN.
MASQUERADE does exactly the same thing as SNAT, but with somewhat more load on the machine: for every matching packet MASQUERADE must look up the IP address currently assigned to the outgoing interface, whereas SNAT uses a fixed address. The advantage is that it works with addresses obtained through dial-up links such as PPP, PPPoE and SLIP, which are assigned dynamically by the ISP's DHCP.
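The three NAT operations above, as an added example script that is not part of the original article. The topology is assumed for illustration: eth0 faces the Internet with the static public address 198.51.100.1, eth1 is the LAN 192.168.0.0/24, eth2 is the DMZ holding the web server 10.0.1.10, and ppp0 is a dial-up link with a dynamic address. With DRY_RUN=1 the script prints each rule instead of applying it, so it can be read without root.

```shell
#!/bin/sh
# Added example, not from the original article. All addresses and interface
# names are illustrative assumptions.
# run: with DRY_RUN=1 the command is printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

nat_rules() {
    run iptables -t nat -F
    # DNAT in PREROUTING: this runs before the routing decision, so rewriting
    # the destination makes the kernel forward the packet to the DMZ host
    # instead of delivering it to the firewall itself.
    run iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.10:80
    # SNAT in POSTROUTING: this runs after routing, just before the packet
    # leaves, and replaces private LAN source addresses with the public one.
    # Replies are de-SNATed automatically by connection tracking.
    run iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 198.51.100.1
    # Filtering belongs in the filter table, not in nat: only the first packet
    # of a stream traverses nat, so a nat rule would never see the rest.
    run iptables -A FORWARD -i eth0 -o eth2 -p tcp -d 10.0.1.10 --dport 80 -j ACCEPT
}

masquerade_rules() {
    # MASQUERADE instead of SNAT when the outgoing address is dynamic: the
    # address is looked up on the interface for each matching packet.
    run iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
}

# The kernel forwards nothing between interfaces unless forwarding is enabled:
#   sysctl -w net.ipv4.ip_forward=1
case "${1:-}" in
    show)  DRY_RUN=1; nat_rules; masquerade_rules ;;
    apply) nat_rules ;;
esac
```

`sh nat-example.sh show` prints the rules; `sudo sh nat-example.sh apply` installs the static-address variant. Note where each rule sits: destination rewriting happens in PREROUTING so that the routing decision sees the new address, source rewriting in POSTROUTING so that routing sees the original one, and the ACCEPT for the forwarded flow is in the filter table's FORWARD chain.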
Mangle
This table is mainly used for mangling packets, that is, changing the contents of packets and their headers, such as the TTL, TOS or MARK. Note that MARK does not actually change the packet: it only sets a flag on the packet in kernel space, which other rules or programs on the firewall (such as tc) can use to filter packets or perform advanced routing. The table has five built-in chains: PREROUTING, POSTROUTING, OUTPUT, INPUT and FORWARD.
PREROUTING changes packets after they enter the firewall and before the routing decision. POSTROUTING acts after all routing decisions have been made. OUTPUT changes locally generated packets before their route is determined. INPUT changes packets routed to the local machine before user-space programs see them. Note: the mangle table cannot be used for any NAT; it only changes the TTL, TOS or MARK of a packet, not its source or destination address. NAT is done in the nat table. The operations specific to the mangle table are:
◆ TOS
◆ TTL
◆ MARK
The TOS operation sets or changes the Type of Service field of a packet. This is often used to set policies such as how packets are routed on the network. Note that this is not fully supported and is sometimes undesirable: it is not honoured across the Internet, and many routers ignore the field. In other words, do not set it on packets sent to the Internet unless you plan to rely on TOS for your own routing, for example with iproute2.
The TTL operation changes the TTL of a packet, so that all packets carry one particular TTL value. The reason it exists is that some ISPs do not want their customers to share a connection: they look for differing TTL values coming from a single customer and use them to decide whether the connection is being shared.
MARK sets a special mark on a packet. iproute2 recognises these marks and can choose different routes depending on which mark (or none) a packet carries. We can also use marks for bandwidth limiting and traffic classification.
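The three mangle operations, including the iproute2 side of MARK that the text refers to, as an added example script that is not part of the original article. Addresses and interfaces are assumptions: 192.168.0.50 is a LAN host whose traffic should leave over the second uplink ppp0 instead of the default route, and eth0 is the primary uplink. With DRY_RUN=1 the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not from the original article. Addresses, interfaces, the
# mark value 1 and routing table 100 are illustrative assumptions.
# run: with DRY_RUN=1 the command is printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

mangle_rules() {
    run iptables -t mangle -F
    # MARK in PREROUTING: the mark is set before the routing decision, so the
    # policy-routing rule below can act on it. Nothing in the packet changes;
    # the mark lives only in the kernel's view of the packet.
    run iptables -t mangle -A PREROUTING -s 192.168.0.50 -j MARK --set-mark 1
    # TOS: set the Type of Service field on outgoing SSH. The TOS target
    # accepts symbolic names as well as numeric values. Only routers we
    # control can be expected to honour it.
    run iptables -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
    # TTL: give every packet leaving eth0 the same TTL value.
    run iptables -t mangle -A POSTROUTING -o eth0 -j TTL --ttl-set 64
}

# iproute2 side of the MARK: packets carrying fwmark 1 consult routing table
# 100, whose only route sends them out ppp0.
policy_routing() {
    run ip rule add fwmark 1 table 100
    run ip route add default dev ppp0 table 100
}

case "${1:-}" in
    show)  DRY_RUN=1; mangle_rules; policy_routing ;;
    apply) mangle_rules; policy_routing ;;
esac
```

`sh mangle-example.sh show` prints the rule set. The MARK rule is deliberately placed in PREROUTING: a mark set in POSTROUTING would be too late for `ip rule` to influence the route.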
Command
The command is the most important part of an iptables invocation: it tells iptables what to do, such as inserting a rule, appending a rule to the end of a chain, or deleting a rule.
If you run iptables without the parameters a command needs, it prints a hint telling you which parameters are required. The -V option prints the iptables version and -h prints a brief description of the syntax.
Match
The optional match part of an iptables rule specifies the characteristics a packet must have to match the rule, such as source and destination addresses and protocol. Matches fall into five categories: generic matches, which apply to all rules; TCP matches, which as the name suggests apply only to TCP packets; UDP matches, only for UDP packets; ICMP matches, for ICMP packets; and special matches, for connection state, rate limiting, packet owner and the like. Here we introduce only the generic matches; once you are familiar with them, the other kinds are easy to understand.
Target
The target is the operation a rule specifies; packets that match the rule are subjected to it. Besides user-defined chains, which can also serve as targets, many built-in targets are available for building advanced rules, such as LOG, REDIRECT, MARK, MIRROR and MASQUERADE.
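The general syntax from the start of the article and the Command, Match and Target parts just described, as an added example script that is not part of the original article. The network 192.0.2.0/24 and the chain name SSH_CHECK are assumptions chosen for illustration; with DRY_RUN=1 each invocation is printed instead of executed.

```shell
#!/bin/sh
# Added example, not from the original article. The source network and the
# user-defined chain name are illustrative assumptions.
# run: with DRY_RUN=1 the command is printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# One rule with its four parts in the conventional order:
#   table:   -t filter (the default; written out only to show where it goes)
#   command: -A INPUT  (append to the INPUT chain)
#   matches: -p tcp --dport 22 -s 192.0.2.0/24 (a generic and a TCP match)
#   target:  -j ACCEPT
rule_anatomy() {
    run iptables -t filter -A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
}

# The command verbs: -N creates a user-defined chain, -A appends, -I inserts
# at a position, -L lists. The user-defined chain is itself a target.
ssh_chain_setup() {
    run iptables -N SSH_CHECK
    run iptables -A INPUT -p tcp --dport 22 -j SSH_CHECK
    run iptables -A SSH_CHECK -s 192.0.2.0/24 -j ACCEPT
    # LOG is non-terminating: the packet continues to the next rule (DROP).
    run iptables -A SSH_CHECK -m limit --limit 3/min -j LOG --log-prefix "ssh-denied: "
    run iptables -A SSH_CHECK -j DROP
    # -I with a position puts the rule in front of everything else in the chain.
    run iptables -I INPUT 1 -i lo -j ACCEPT
    # -n avoids DNS lookups, -v shows counters and interfaces, --line-numbers
    # gives the positions usable with -I, -D and -R.
    run iptables -L INPUT -n -v --line-numbers
}

# A user-defined chain is removed in this order: delete the rule that jumps to
# it (-D takes the same specification as -A), flush it (-F), delete it (-X).
# -X fails while any rule still references the chain.
ssh_chain_teardown() {
    run iptables -D INPUT -p tcp --dport 22 -j SSH_CHECK
    run iptables -F SSH_CHECK
    run iptables -X SSH_CHECK
}

case "${1:-}" in
    show)  DRY_RUN=1; rule_anatomy; ssh_chain_setup; ssh_chain_teardown ;;
    apply) ssh_chain_setup ;;
    clean) ssh_chain_teardown ;;
esac
```

`sh rules.sh show` prints every command; `sudo sh rules.sh apply` and `sudo sh rules.sh clean` install and remove the chain. Putting the SSH decision in its own chain keeps the INPUT chain short and lets the whole policy be replaced with one -F SSH_CHECK.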
State Mechanism
The state mechanism is a special part of iptables. Strictly speaking it should not be called a state mechanism, because it is only a connection tracking mechanism, but the name has stuck. Connection tracking lets netfilter know the state of a specific connection, and a firewall that runs connection tracking is called a stateful firewall. A stateful firewall is safer than a stateless one because it lets us write much stricter rules.
In iptables a packet is in one of four states relative to the tracked connection: NEW, ESTABLISHED, RELATED and INVALID. With the --state match we can easily control who or what may initiate a new session.
All connection tracking is done by a framework in the kernel, provided by netfilter, called conntrack (short for connection tracking). conntrack can be built as a module or into the kernel. In most cases more detailed tracking is needed, so conntrack has components for handling TCP, UDP and ICMP. These modules extract detailed, unique information from packets so that each stream can be followed; that information also determines the current state of the tracked stream. A UDP stream, for example, is identified by its destination address, source address, destination port and source port.
In earlier kernels, IP defragmentation could be turned on or off. This option was removed when iptables and netfilter, and connection tracking in particular, were introduced into the kernel, because connection tracking cannot work properly without reassembled packets. Defragmentation is now integrated into conntrack and starts automatically with it; it cannot be disabled without disabling connection tracking.
All connection tracking is done in the PREROUTING chain, except for locally generated packets, which are handled in the OUTPUT chain; that is, iptables computes all states in the PREROUTING chain. If we send the first packet of a stream, its state is set to NEW in the OUTPUT chain, and when we receive the reply the state becomes ESTABLISHED in the PREROUTING chain. If the first packet is not generated locally, it is set to NEW in the PREROUTING chain. In short, all state changes and calculations are done in the PREROUTING and OUTPUT chains of the nat table.
As mentioned above, a packet's state depends on the protocol carried inside the IP packet, but outside the kernel, in user space, there are only four states: NEW, ESTABLISHED, RELATED and INVALID. They are used mainly with the state match.
NEW
NEW means this is the first packet of a connection that the conntrack module has seen, and it is matched as NEW. For example, a SYN packet is the first packet of a connection we care about, and it matches NEW. The first packet need not be a SYN, however; it is still considered NEW.
ESTABLISHED
An ESTABLISHED connection has seen traffic in both directions, and its packets continue to match. It is easy to understand: as soon as a request has been sent and a reply received, the connection is ESTABLISHED. A connection changes from NEW to ESTABLISHED as soon as a reply packet is received, whether it is addressed to the firewall or forwarded through it. ICMP errors, redirects and similar packets are also considered ESTABLISHED as long as they are replies to something we sent.
RELATED
RELATED is the trickier state. A connection is considered RELATED when it is related to a connection that is already ESTABLISHED. In other words, a RELATED connection requires an ESTABLISHED connection first, which then spawns a connection outside the main one; this new connection is RELATED, provided the conntrack module understands the protocol. FTP is a good example: the FTP-data connection is RELATED to the FTP-control connection.
INVALID
INVALID means the packet cannot be identified as belonging to a connection or has no state. This can happen for several reasons, such as running out of memory or an ICMP error that refers to an unknown connection. Generally, we DROP anything in this state.
These states can be combined to match packets, which makes a firewall very strong and effective. In the past, we often had to open all ports above 1024 to let reply traffic in. With the state mechanism this is no longer necessary: only ports that carry reply traffic are effectively open and all others can be closed, which is much safer.
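A default-deny INPUT policy built on the four states, as an added example script that is not part of the original article. It assumes the host runs services on TCP ports 22, 80 and 443; with DRY_RUN=1 each rule is printed instead of applied.

```shell
#!/bin/sh
# Added example, not from the original article. The service ports are
# illustrative assumptions.
# run: with DRY_RUN=1 the command is printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

stateful_input_rules() {
    run iptables -F INPUT
    run iptables -A INPUT -i lo -j ACCEPT
    # INVALID first: packets conntrack cannot associate with any connection
    # are dropped before any ACCEPT rule below can see them.
    run iptables -A INPUT -m state --state INVALID -j DROP
    # One rule covers every reply and every related connection (ICMP errors,
    # FTP-data once the nf_conntrack_ftp module is loaded), so no range of
    # high ports has to be opened for return traffic.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only NEW connections to the services we run may come in; this is what
    # "who may initiate a new session" comes down to.
    for port in 22 80 443; do
        run iptables -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    run iptables -A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    # Rate-limited LOG of whatever is about to hit the policy, then the policy
    # itself. Setting the policy after the ACCEPT rules avoids a window in
    # which everything, including the administrator's own session, is dropped.
    run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-drop: "
    run iptables -P INPUT DROP
}

case "${1:-}" in
    show)  DRY_RUN=1; stateful_input_rules ;;
    apply) stateful_input_rules ;;
esac
```

`sh stateful.sh show` prints the rule set. The order matters: INVALID is dropped before ESTABLISHED,RELATED is accepted, and the per-service rules admit only NEW, so a packet that is neither the start of an allowed connection nor part of a known one falls through to the DROP policy. On current kernels `-m conntrack --ctstate` is the preferred spelling of the same match.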
