Netfilter/iptables is the IP packet filtering system integrated into the Linux 2.4.x kernel. If a Linux system is connected to the Internet or a LAN, or acts as a server or proxy server between a LAN and the Internet, this system gives you fine-grained control over IP packet filtering and firewall configuration. Mugdha Vairagade introduces the netfilter/iptables system: how it works, its advantages, how to install and configure it, and how to use it to configure a firewall that filters IP packets on a Linux system.
Note: at least intermediate knowledge of the Linux OS and experience with Linux kernel configuration will help you understand this article.
This article uses version 1.2.6a of the iptables user space tool and kernel version 2.4.9.
Linux security and Netfilter/iptables
Linux has become very popular in the IT industry because of its robustness, reliability, flexibility, and seemingly unlimited scope for customization. Linux has many built-in capabilities that let developers customize its tools, behaviour and appearance to their own needs without expensive third-party tools. One such built-in capability is configuring a firewall for a Linux system that is connected to the Internet or a LAN, or that acts as a server or proxy server between a LAN and the Internet. This capability is provided by the netfilter/iptables IP packet filtering system, which is integrated into the 2.4.x Linux kernel.
Among the Linux packet filtering solutions, which also include ipfwadm and ipchains, netfilter/iptables is the most recent, and it is the first to be integrated into the Linux kernel itself. For Linux system administrators, network administrators and home users who want to configure a firewall to their specific needs, save the cost of a commercial firewall solution, and keep full control over IP packet filtering, netfilter/iptables is ideal.
Understanding firewall configuration and packet filtering
For a Linux system connected to a network, a firewall is an essential defence mechanism: it allows only valid network traffic into the system and refuses everything else. To decide whether traffic is valid, the firewall relies on a set of rules predefined by the network or system administrator. These rules tell the firewall whether a given piece of traffic is valid and what to do with traffic from a particular source, to a particular destination, or of a particular protocol type. The term "configuring the firewall" refers to adding, modifying and removing these rules. I will discuss the rules in detail later.
Network traffic consists of IP packets, small pieces of data transmitted as a stream from a source system to a destination system. Each packet has a header, a few bytes of data attached to the packet that describe its source, destination and protocol type. The firewall checks these headers against its rules to decide which packets to accept and which to reject. This process is called packet filtering.
Why do I need to configure my own firewall?
There are various reasons to configure a firewall to your own requirements. The most important is probably security.
An administrator may want the firewall to stop unauthorized sources from accessing the Linux system through services such as Telnet. They may also want to restrict the traffic entering and leaving the system, so that only traffic from approved sources reaches it and only authorized traffic leaves. A home user may configure the firewall to a lower security level, for example by allowing all outbound packets to pass.
Another reason is bandwidth: blocking unwanted traffic from sources such as advertising sites saves it.
Firewall configurations can therefore be customized to any specific need and any required security level. That is what the netfilter/iptables system is for.
How does the Netfilter/iptables system work?
The netfilter/iptables IP packet filtering system is a powerful tool for adding, editing and removing the rules a firewall uses to filter packets and decide what to do with them. These rules are stored in dedicated packet filtering tables integrated into the Linux kernel, where they are grouped into chains. I will discuss the rules, how to create them and how to group them into chains in detail below.
Although netfilter/iptables is referred to as a single entity, it actually consists of two components: netfilter and iptables.
The netfilter component, also called kernel space, is the part inside the kernel. It consists of the packet filtering tables holding the rule sets the kernel uses to control packet filtering.
The iptables component is a tool, also called user space, which makes it easy to insert, modify and remove rules in the packet filtering tables. Unless you are using Red Hat Linux 7.1 or later, you need to download the tool from netfilter.org and install it before you can use it.
Using the user space tool, you build custom rules that are stored in the packet filtering tables of the kernel space. Each rule has a target that tells the kernel what to do with packets from a certain source, to a certain destination, or of a certain protocol type. If a packet matches a rule with the target ACCEPT, it is allowed through; the targets DROP and REJECT block the packet and discard it. Many other targets exist for other operations that can be performed on a packet.
Rules are grouped into chains according to the type of packet they handle. Rules for inbound packets are added to the INPUT chain, rules for outbound packets to the OUTPUT chain, and rules for packets being forwarded to the FORWARD chain. These three are the built-in main chains of the basic packet filtering table. In addition there are other chains (such as PREROUTING and POSTROUTING) and user-defined chains. Each chain can have a policy that defines its "default target", the action taken when a packet matches no rule in the chain.
Once the rules are created and placed in the appropriate chains, real packet filtering can begin, and the kernel space takes over from the user space. When a packet arrives at the firewall, the kernel first inspects the packet's header, in particular its destination. This step is called routing.
If the packet comes from outside and is destined for this system, and the firewall is enabled, the kernel passes it to the INPUT chain of the kernel space packet filtering table. If the packet originates from this system or from another source on the connected intranet and is destined for an external system, it is passed to the OUTPUT chain. Likewise, a packet that originates from an external system and is destined for another external system is passed to the FORWARD chain.
Next, the packet's header is compared with each rule in the chain in turn to see whether it matches exactly. If the packet matches a rule, the kernel performs the action specified by that rule's target on the packet. If it does not match, the packet is compared with the next rule in the chain. Finally, if the packet matches no rule in the chain, the kernel consults the chain's policy to decide what to do with it. The ideal policy tells the kernel to DROP the packet. Figure 1 shows the packet filtering process graphically.
Figure 1. Packet filtering process
Because the netfilter component is integrated into the 2.4.x kernel, you only need to download and install the iptables user space tool.
The following are the requirements for installing the netfilter/iptables system:
Hardware: a system that runs the Linux OS and is connected to the Internet, a LAN or a WAN.
Software: any Linux distribution with kernel 2.4 or later. You can download the latest kernel from http://www.kernel.org. You also need the iptables user space tool from http://www.netfilter.org, because it is not part of the kernel. On Red Hat Linux 7.1 or later you do not need to download it, because it is part of the standard installation.
User: at least a moderate understanding of the Linux OS and experience with Linux kernel configuration.
Preparation before installation
Before installing the iptables user space tool you must make some changes to the system. First, configure the kernel options with the make config command. During configuration you must enable CONFIG_NETFILTER and CONFIG_IP_NF_IPTABLES by setting them to Y, because netfilter/iptables cannot work without them. Other options you may want to enable:
CONFIG_PACKET: useful if you want applications and programs to work directly with certain network devices.
CONFIG_IP_NF_MATCH_STATE: very important and useful if you want to configure a stateful firewall. Such a firewall remembers its previous packet filtering decisions and bases new decisions on them. I discuss this further in the section on the advantages of netfilter/iptables.
CONFIG_IP_NF_FILTER: provides the basic packet filtering framework. If this option is enabled, a basic filter table (with the built-in INPUT, FORWARD and OUTPUT chains) is added to the kernel space.
CONFIG_IP_NF_TARGET_REJECT: lets you specify that an ICMP error message is sent in response to a refused inbound packet, instead of the packet simply being discarded.
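A check worth running before building iptables against a kernel tree: the script below reads a kernel .config and reports whether the options above are set. It is an added example, not part of the original article; the option names come from the list above, and the .config fragment it tests itself against is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: checks a kernel .config for
# the netfilter options listed above before you build iptables against it.
# Usage: sh check_nf_config.sh /usr/src/linux/.config
# With no argument it runs against the constructed sample config below.

# Options netfilter/iptables cannot work without, and the optional ones
# discussed above. "y" builds them in; "m" builds a loadable module.
REQUIRED="CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES"
OPTIONAL="CONFIG_PACKET CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_FILTER CONFIG_IP_NF_TARGET_REJECT"

# Constructed sample .config fragment in the format make config writes; the
# state match is deliberately left unset so the report shows both outcomes.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_PACKET=y
# CONFIG_IP_NF_MATCH_STATE is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=m'

# Prints y, m or n for option $2 in the .config file $1. Unset options are
# written by make config as "# CONFIG_X is not set", which yields n.
config_state() {
    state=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1")
    echo "${state:-n}"
}

# Prints one line per option and returns 0 only if every REQUIRED option
# is y or m; optional ones are reported but do not affect the result.
check_nf_config() {
    missing=0
    for opt in $REQUIRED; do
        if [ "$(config_state "$1" "$opt")" = n ]; then
            echo "MISSING  $opt (required: set it to Y in make config)"
            missing=1
        else
            echo "ok       $opt=$(config_state "$1" "$opt")"
        fi
    done
    for opt in $OPTIONAL; do
        if [ "$(config_state "$1" "$opt")" = n ]; then
            echo "unset    $opt (optional)"
        else
            echo "ok       $opt=$(config_state "$1" "$opt")"
        fi
    done
    return $missing
}

# Writes the constructed sample config to a temporary file and checks it.
check_sample_config() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    check_nf_config "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

if [ -n "${1:-}" ]; then
    check_nf_config "$1"
else
    check_sample_config
fi
```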
Now, you can prepare to install this user space tool.
Installing the user space tool
You can start the installation after downloading the source of the iptables user space tool, a file named like iptables-1.2.6a.tar.bz2. You must be logged in as root to install it. Listing 1 shows the commands required to install the tool, in the order needed, with descriptions.
Listing 1. Example of installing the user space tool
First, unpack the tool package into a directory:
# bzip2 -d iptables-1.2.6a.tar.bz2
# tar -xvf iptables-1.2.6a.tar
This unpacks the tool source into a directory named iptables-1.2.6a.
Now change to the iptables-1.2.6a directory:
# cd iptables-1.2.6a
The INSTALL file in this directory contains a lot of useful information on compiling and installing the tool.
Now compile the user space tool with the following command:
# make KERNEL_DIR=/usr/src/linux/
Here KERNEL_DIR=/usr/src/linux/ specifies the path to the kernel source directory. If the kernel directory is different on your system, substitute the appropriate path.
Now install the binaries with the following command:
# make install KERNEL_DIR=/usr/src/linux/
The installation is now complete.
Note: if you have Red Hat Linux 7.1 or later, you do not need to perform the first two steps described here, because the standard installation of this distribution already includes the iptables user space tool. By default, however, the tool is disabled. To enable it, perform the steps in Listing 2:
Listing 2. Example of enabling the user space tool on a Red Hat 7.1 system
First, turn off the old ipchains module (the predecessor of iptables) that comes with this OS package:
# chkconfig --level 0123456 ipchains off
Next, to stop the ipchains module completely so that it does not conflict with the iptables tool, stop the ipchains service:
# service ipchains stop
If you do not want to keep the old ipchains module on your system, uninstall it:
# rpm -e ipchains
Now turn on the iptables user space tool:
# chkconfig --level 235 iptables on
Finally, start the iptables service so that the user space tool can work:
# service iptables start
The user space tool is now ready to work on a Red Hat 7.1 or later system.
Everything is now ready and the netfilter/iptables system should be running. Next, you need to create rules and chains to filter packets.
Creating rules and chains
Rules control packet filtering by telling the firewall what to do with packets from a source, to a destination, or of a specific protocol type. You create these rules and add them to the chains of a particular packet filtering table in the kernel space with the iptables command provided by the netfilter/iptables system. The general syntax of the command for adding, removing and editing rules is:
$ iptables [-t table] command [match] [target]
The [-t table] option selects a table other than the standard one. A table is a packet filtering table containing rules and chains that handle only particular kinds of packets. Three tables are available: filter, nat and mangle. The option is not required; if it is omitted, filter is the default table.
The filter table is used for packet filtering and contains the INPUT, OUTPUT and FORWARD chains. The nat table is used for network address translation of forwarded packets and contains the PREROUTING, OUTPUT and POSTROUTING chains. The mangle table is used when a packet or its header is to be altered; it contains rules that mark packets for advanced routing, and it has the PREROUTING and OUTPUT chains.
Note: the PREROUTING chain holds rules that alter a packet as soon as it reaches the firewall, and the POSTROUTING chain holds rules that alter an accepted packet just before it leaves the firewall.
The mandatory command part is the most important part of the iptables command. It tells iptables what to do, such as inserting a rule, appending a rule to the end of a chain, or deleting a rule. The most common commands are:
-A or --append: appends a rule to the end of a chain.
$ iptables -A INPUT -s 220.127.116.11 -j ACCEPT
This example appends a rule to the end of the INPUT chain specifying that packets from the source address 18.104.22.168 are to be accepted (ACCEPT).
-D or --delete: deletes a rule from a chain. The rule is identified either by specifying a rule that matches it or by giving its position number in the chain. The following example shows both methods.
$ iptables -D INPUT -p tcp --dport 80 -j DROP
$ iptables -D OUTPUT 3
The first command deletes the rule in the INPUT chain that DROPs packets destined for port 80. The second command deletes rule number 3 from the OUTPUT chain.
-P or --policy: sets the default target, or policy, of a chain. All packets that match no rule in the chain are handled according to the chain policy.
$ iptables -P INPUT DROP
This command sets the default target of the INPUT chain to DROP, which means that every packet that matches no rule in the INPUT chain is discarded.
-N or --new-chain: creates a new chain with the name given in the command.
$ iptables -N allowed-chain
-F or --flush: if a chain name is given, deletes all rules in that chain; if no chain name is given, deletes all rules in all chains. This is useful for clearing the table quickly.
$ iptables -F FORWARD
-L or --list: lists all rules in the given chain.
$ iptables -L allowed-chain
The optional match part of the iptables command specifies the characteristics (such as source and destination address, protocol, and so on) that a packet must have to match the rule. There are two kinds of match: generic matches and protocol-specific matches. Here I cover the generic matches, which apply to packets of any protocol. Some important and commonly used generic matches, with examples and descriptions:
-p or --protocol: this generic match checks for particular protocols. Valid values are TCP, UDP, ICMP, a comma-separated list of any of the three, and ALL (for all protocols). ALL is the default match. The ! symbol is available to negate the match.
$ iptables -A INPUT -p tcp,udp
$ iptables -A INPUT -p ! icmp
In this example both commands do the same thing: they specify that all TCP and UDP packets match the rule. By specifying ! icmp we allow every other protocol (in this case TCP and UDP) and exclude ICMP.
-s or --source: matches the source IP address of the packet. It can also match a range of IP addresses, and the ! symbol negates the match. By default the source match matches all IP addresses.
$ iptables -A OUTPUT -s 192.168.1.1
$ iptables -A OUTPUT -s 192.168.0.0/24
$ iptables -A OUTPUT -s ! 22.214.171.124
The second command specifies that the rule matches all packets from the IP address range 192.168.0.0 to 192.168.0.24. The third command specifies that the rule matches any packet except those with the source address 126.96.36.199.
-d or --destination: matches the destination IP address of the packet. It can also match a range of IP addresses, and the ! symbol negates the match.
$ iptables -A INPUT -d 192.168.1.1
$ iptables -A INPUT -d 192.168.0.0/24
$ iptables -A OUTPUT -d ! 188.8.131.52
We have seen that the target is the action a rule specifies, performed on the packets that match the rule. Besides user-defined targets, many built-in targets are available. The most common, with examples and descriptions:
ACCEPT: when a packet exactly matches a rule with the ACCEPT target, it is accepted (allowed to travel on to its destination) and stops traversing the chain (although it may still traverse other chains in another table and may be discarded there). The target is specified as -j ACCEPT.
DROP: when a packet exactly matches a rule with the DROP target, it is blocked and not processed any further. The target is specified as -j DROP.
REJECT: works like DROP, but is preferable to it. Unlike DROP, REJECT does not leave dead sockets on the server and client; it also sends an error message back to the sender of the packet. The target is specified as -j REJECT.
$ iptables -A FORWARD -p tcp --dport 22 -j REJECT
RETURN: a rule with the RETURN target makes a matching packet stop traversing the chain containing the rule. If that chain is a main chain such as INPUT, the packet is handled by the chain's default policy. It is specified as --jump RETURN. Example:
$ iptables -A FORWARD -d 184.108.40.206 --jump RETURN
There are many other targets for building advanced rules, such as LOG, REDIRECT, MARK, MIRROR and MASQUERADE.
You now know how to create basic rules and chains and how to add them to or delete them from the packet filtering table. Remember, however, that rules created this way live only in the kernel and are lost when the system is rebooted. So if you have added a correct and working rule set to the packet filtering table and want to use it again after a reboot, you must save it to a file. Use the iptables-save command for this:
$ iptables-save > iptables-script
All the rules in the packet filtering table are now saved in the file iptables-script. You can restore the rule set from this script file into the packet filtering table at any time with the iptables-restore command:
$ iptables-restore iptables-script
If you want the rule set restored automatically every time the system boots, put the above command in any initialization shell script.
Advantages of Netfilter/iptables
The biggest advantage of netfilter/iptables is that it can be configured as a stateful firewall, an important feature that earlier tools such as ipfwadm and ipchains could not offer. A stateful firewall can determine and remember the state of the connection over which packets are sent or received; it obtains this information from the connection tracking state of the packet. Using this state information when deciding how to filter a new packet improves efficiency and speed. There are four valid states: ESTABLISHED, INVALID, NEW and RELATED.
ESTABLISHED means the packet belongs to an established connection, one that has already been used to send and receive packets and is fully valid. INVALID means the packet is not associated with any known stream or connection; it may contain bad data or a bad header. NEW means the packet has started or will start a new connection, or is associated with a connection that has not yet been used to send or receive packets. Finally, RELATED means the packet is starting a new connection and is associated with an already established connection.
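The following script ties together the commands, matches and targets from the rules section with the connection states just described: it builds a small stateful host firewall and saves it for iptables-restore. It is an added example, not code from the original article; the LAN range, the saved-rules path, the ssh and http services and the use of the -i and -X options are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: builds a small stateful host
# firewall with the iptables commands, matches and targets described above,
# then saves it so it can be restored at boot with iptables-restore.
# Assumes the iptables user space tool is installed and the kernel has
# CONFIG_IP_NF_FILTER, CONFIG_IP_NF_MATCH_STATE and CONFIG_IP_NF_TARGET_REJECT.
# Run as root:  sh firewall.sh apply
# Dry run (print the commands instead of running them):  IPT=echo sh firewall.sh apply

IPT=${IPT:-iptables}
LAN=${LAN:-192.168.0.0/24}                      # constructed sample LAN; set your own
SAVE_FILE=${SAVE_FILE:-/etc/iptables-script}    # hypothetical path for the saved rules

build_firewall() {
    # Start from a clean filter table: flush every chain and remove the
    # user-defined chain left by a previous run (ignore the error if absent).
    $IPT -F
    $IPT -X allowed-chain 2>/dev/null

    # Chain policies: drop anything no rule matches on INPUT and FORWARD
    # (the "ideal policy" from the text); let the host's own traffic out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback traffic never leaves the host and is always allowed.
    $IPT -A INPUT -i lo -j ACCEPT

    # Stateful part: accept packets of connections this host already has
    # (replies to its own requests), and drop packets in the INVALID state.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # User-defined chain listing the services the LAN may open connections to.
    # RETURN at the end sends unmatched packets back to INPUT, where they
    # continue with the next rule and finally fall through to the DROP policy.
    $IPT -N allowed-chain
    $IPT -A allowed-chain -p tcp --dport 22 -j ACCEPT   # ssh
    $IPT -A allowed-chain -p tcp --dport 80 -j ACCEPT   # http
    $IPT -A allowed-chain -j RETURN

    # Only NEW connections from the LAN are checked against allowed-chain.
    $IPT -A INPUT -s "$LAN" -m state --state NEW -j allowed-chain

    # Refuse telnet from anywhere with an ICMP error rather than a silent
    # drop, so the client is not left waiting on a dead socket.
    $IPT -A INPUT -p tcp --dport 23 -j REJECT
}

# Save the live rule set; restore it at boot with: iptables-restore "$SAVE_FILE"
save_firewall() {
    iptables-save > "$SAVE_FILE"
}

if [ "${1:-}" = apply ]; then
    build_firewall
    [ "$IPT" = iptables ] && save_firewall
fi
```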
Another important advantage of netfilter/iptables is that it gives users full control over firewall configuration and packet filtering. You can write your own rules to meet your specific needs, so that only the network traffic you want enters the system.
In addition, netfilter/iptables is free, which makes it ideal for those who want to save money; it can replace expensive firewall solutions.
The built-in IP packet filtering tool of the 2.4.x Linux kernel, netfilter/iptables, makes firewall configuration and packet filtering cheaper and more convenient. The netfilter/iptables system gives users full control over firewall configuration and packet filtering: you can create custom rules that control how the firewall filters packets, and you can configure a stateful firewall.
Get the latest information on the netfilter/iptables system from the netfilter website, where you can also download the iptables user space tool.
Visit the Linux 2.4 Packet Filtering HOWTO web page for a quick reference on netfilter/iptables.
See this detailed tutorial on netfilter/iptables (Iptables Tutorial 1.1.9).
Get answers to any questions about netfilter/iptables from the netfilter/iptables FAQ.
About the author
Mugdha Vairagade is a developer who has worked in several organizations. She has extensive experience in wireless application development and specializes in component architecture. She is particularly interested in open source projects and has contributed to the Linux Documentation Project, Forum Nokia (the WAP developer forum) and W3C work. She also writes technical articles on Linux and XML technologies. You can contact Mugdha at email@example.com.
Source: IBM developerWorks (Chinese site)