Rules control packet filtering by providing the firewall with instructions on what to do with packets from a source, to a destination, or to a specific protocol type. By using the special commands provided by the Netfilter/iptables system iptables, these rules are established and added to the chain within the specific packet filtering table of the kernel space. The general syntax for the command to add/remove/edit rules is as follows:
The code is as follows:
$ iptables [t table] command [match] [target]
Tables (table)
The [-t table] option allows you to use any table other than the standard table. A table is a packet filter table that contains rules and chains that handle only specific types of packets. There are three of available table options: Filter, Nat, and mangle. This option is not required, and if not specified, filter is used as the default table.
The filter table is used for general packet filtering, which contains INPUT, OUTPUT, and FORWARD chains. The NAT table is used for packets to be forwarded, which contains prerouting, OUTPUT, and postrouting chains. If any changes are made within the packet and its headers, the mangle table is used. The table contains rules to mark packets for advanced routing, which contains prerouting and OUTPUT chains.
Note: The prerouting chain consists of rules that change them as soon as the specified packet arrives at the firewall, and the postrouting chain consists of rules that specify the proper packets to change as they leave the firewall.
Commands (command)
The mandatory command section of the above commands is the most important part of the iptables command. It tells Iptables what to do, such as inserting a rule, adding a rule to the end of a chain, or deleting a rule. Here are some of the most commonly used commands:
-A or –append: This command attaches a rule to the end of the chain.
Example:
The code is as follows:
$ iptables-a input-s 205.168.0.1-j ACCEPT
The example command attaches a rule to the end of the INPUT chain and determines that the packet from the source address 205.168.0.1 can be ACCEPT.
-D or –delete: This command deletes the rule from the chain by specifying the rule to match by using-D or by specifying the position number of the rule in the chain. The following example shows both of these methods.
Example:
The code is as follows:
$ iptables-d input–dport 80-j DROP
$ iptables-d OUTPUT 3
The first command deletes the rule from the INPUT chain, which specifies the packet to which the DROP is going to port 80. The second command simply deletes the rule number 3 from the OUTPUT chain.
-P or –policy: This command sets the default target for the chain, which is the policy. All packets that do not match any of the rules in the chain will be forced to use the policy of this chain.
Example:
The code is as follows:
$ iptables-p INPUT DROP
This command specifies the default target for the INPUT chain as DROP. This means that all packets that do not match any of the rules in the INPUT chain will be discarded.
-N or –new-chain: Creates a new chain with the name specified in the command.
Example:
The code is as follows:
$ iptables-n Allowed-chain
-F or –flush: If you specify a chain name, the command deletes all the rules in the chain, and if you do not specify a chain name, the command deletes all the rules in all chains. This parameter is used for quick cleanup.
Example:
The code is as follows:
$ iptables-f FORWARD
$ iptables-f
-L or –list: Lists all the rules in the specified chain.
Example:
The code is as follows:
$ iptables-l Allowed-chain
Matching (match)
The optional Match section of the iptables command specifies the characteristics (such as source and destination address, protocol, and so on) that the information packet should have to match the rule. The matching is divided into two main categories: a universal match and a protocol-specific match. Here, I'll look at generic matches for packets that can be used with any protocol. Here are some important and commonly used generic matches and their examples and descriptions:
-P or –protocol: This generic protocol match is used to check for certain protocols. Examples of protocols are TCP, UDP, ICMP, a comma-delimited list of all three Protocols, and all (for all protocols). All is the default match. can use! Symbol that indicates that the item is not matched.
Example:
The code is as follows:
$ iptables-a input-p TCP, UDP
$ iptables-a input-p! Icmp
In the example above, all two commands perform the same task-they specify that all TCP and UDP packets will match the rule. By specifying! ICMP, we intend to allow all other protocols (in this case TCP and UDP) to exclude ICMP.
-S or –source: This source match is used to match the source IP address of the packet. This match also allows for a range of IP addresses to match, you can use! Symbol that does not match the item. The default source match matches all IP addresses.
Example:
The code is as follows:
$ iptables-a output-s 192.168.1.1
$ iptables-a output-s 192.168.0.0/24
$ iptables-a output-s! 203.16.1.89
The second command specifies that the rule matches all packets from the IP address range from 192.168.0.0 to 192.168.0.24. The third command specifies that the rule will match any packets except 203.16.1.89 from the source address.
-D or –destination: The destination match is used to match the destination IP address of the packet. This match also allows for a range of IP addresses to match, you can use! Symbol that does not match the item.
Example:
The code is as follows:
$ iptables-a input-d 192.168.1.1
$ iptables-a input-d 192.168.0.0/24
$ iptables-a output-d! 203.16.1.89
Goal (target)
As we already know, the target is the action specified by the rule, which performs these actions on packets that match those rules. In addition to allowing user-defined targets, there are a number of target options available. Here are some common goals and their examples and descriptions:
ACCEPT: When an information packet exactly matches a rule that has a ACCEPT target, it is accepted (allowing it to go to the destination), and it stops traversing the chain (although the packet may traverse other chains in another table and may be discarded there). The target is specified as-j ACCEPT.
DROP: When an information packet exactly matches a rule that has a DROP target, the packet is blocked and is not processed further. The target is specified as-j DROP.
REJECT: The target works the same way as the drop target, but it is better than drop. Unlike DROP, REJECT does not leave dead sockets on both the server and the client. In addition, REJECT sends the error message back to the sender of the packet. The target is specified as-j REJECT.
Example:
The code is as follows:
$ iptables-a forward-p tcp–dport 22-j REJECT
Return: The return target set in the rule lets the packet that matches the rule stop traversing the chain that contains the rule. If the chain is a master chain such as INPUT, the packet is processed using the default policy for that chain. It is specified as-jump return. Example:
The code is as follows:
$ iptables-a forward-d 203.16.1.89-jump return
There are also many other goals for building advanced rules, such as LOG, REDIRECT, MARK, MIRROR, and Masquerade.
Save Rule
Now you've learned how to build basic rules and chains and how to add or remove them from the packet filtering table. However, you should keep in mind that the rules established with the above methods are saved to the kernel and will be lost when you reboot the system. So, if you add a valid rule set without errors to the packet filtering table and you want to use the rules again after rebooting, you must save the rule set in the file. You can do this by using the Iptables-save command:
The code is as follows:
$ iptables-save > Iptables-script
All the rules in the Packet filtering table are now saved in the file Iptables-script. Whenever you boot the system again, you can use the Iptables-restore command to restore the rule set from the script file to the Packet filtering table, as follows:
The code is as follows:
$ iptables-rest