Control Network Traffic with iptables
Packet filtering, including network address translation (NAT), can be accomplished with iptables. iptables matches traffic on addresses, ports and protocols, and is commonly used as a host firewall.
Using iptables for IPv4
By default, the iptables tool is included with your Linode-supplied distribution. You need root privileges to make changes with iptables. The iptables binaries live in the /sbin directory; however, you make changes by invoking commands, not by editing files with a text editor.
The iptables Command
There are a number of options that can be used with iptables. Before you begin, you need to understand how iptables works. As stated above, iptables is used to set the rules governing network traffic. Rules are organized into tables. Each table contains built-in chains, and you can add your own. A chain is an ordered list of rules, each of which matches a set of packets.
Basic iptables Parameters
In order to start using iptables, you will need to understand some basics about the command syntax. For example:

```sh
iptables -I INPUT -s 12.34.56.78 -j DROP
```
In the sample above, you are invoking iptables by its name. The -I option is for insertion: a rule added with this option goes at the beginning of the chain, so it is the first rule applied. You may also follow -I with a number to indicate the rule's position in the chain. The -s parameter, along with the IP address (12.34.56.78), indicates the source. Finally, the -j parameter is for jump; it specifies the target of the rule, i.e. what action to perform if the packet matches.

For example, the rule above is added to the beginning of the INPUT chain, and it drops all packets received from the address 12.34.56.78, on any interface or port.
Parameter | Description
---|---
-p, --protocol | The protocol to match, such as TCP, UDP, etc.
-s, --source | Can be an address, network name, hostname, etc.
-d, --destination | An address, hostname, network name, etc.
-j, --jump | Specifies the target of the rule; i.e. what to do if the packet matches.
-g, --goto | Specifies that processing will continue in a user-specified chain.
-i, --in-interface | Names the interface on which packets are received.
-o, --out-interface | Names the interface by which a packet is being sent.
-f, --fragment | The rule will only be applied to the second and further fragments of fragmented packets.
-c, --set-counters | Enables the admin to initialize the packet and byte counters of a rule.
Default Tables
Only root (or a sudo user) can modify tables. Tables are comprised of built-in chains and may also contain user-defined chains. The built-in tables present will depend on the kernel configuration and the installed modules. The default tables are as follows:
Filter – this is the default table. Its built-in chains are:
- Input – for packets destined to local sockets
- Forward – for packets routed through the server
- Output – for locally-generated packets

Nat – used when a packet creates a new connection. Its built-in chains are Prerouting, Output, and Postrouting:
- Prerouting – for altering packets as soon as they come in
- Output – for locally-generated packets before routing takes place
- Postrouting – for altering packets on the way out

Mangle – used for special altering of packets. Its chains are Prerouting, Postrouting, Forward, Input, and Output:
- Prerouting – for incoming packets
- Postrouting – for packets going out
- Output – for locally-generated packets that are being altered
- Input – for packets coming directly into the server
- Forward – for packets being routed through the server

Raw – used primarily for configuring exemptions from connection tracking. The built-in chains are Prerouting and Output:
- Prerouting – for packets that arrive on a network interface
- Output – for packets generated by local processes

Security – used for Mandatory Access Control (MAC) rules. The security table is consulted after the filter table. The built-in chains are Input, Output, and Forward:
- Input – for packets entering the server
- Output – for locally-generated packets
- Forward – for packets passing through the server
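As an added example (not from the original article), the command parameters and the filter table's three built-in chains described above, expressed as an iptables-restore ruleset so the whole table is loaded atomically and can be syntax-checked first. The interface name eth0, the SSH port 22 and the ESTABLISHED,RELATED rule are assumptions constructed for this example; 12.34.56.78 is the blocked source from the article.

```shell
#!/usr/bin/env bash
# Added example: build the filter table as an iptables-restore ruleset.
# Assumptions (constructed): eth0 is the public interface, SSH listens on 22,
# and 12.34.56.78 is the source to block, as in the article's sample rule.
set -eu

BLOCKED_SRC="12.34.56.78"
PUB_IF="eth0"

# Emit the ruleset. INPUT, FORWARD and OUTPUT are the filter table's built-in
# chains; the policy after each chain name is the verdict for packets that match
# no rule. Rules are evaluated top to bottom and the first match wins, so the
# DROP for the blocked source comes first (what "iptables -I" achieves on a
# live chain), ahead of any ACCEPT that could otherwise let its packets through.
build_filter_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s ${BLOCKED_SRC} -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${PUB_IF} -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Return 0 if the first rule in INPUT is the DROP for the blocked source,
# i.e. no earlier rule in the chain can ACCEPT a packet from it.
blocked_source_is_first() {
  build_filter_rules | grep '^-A INPUT' | head -n1 | grep -q -- "-s ${BLOCKED_SRC} -j DROP"
}

# Parse the ruleset without committing it (requires root and iptables-restore);
# otherwise just print it for review.
check_rules() {
  if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    build_filter_rules | iptables-restore --test
  else
    echo "not root or iptables-restore missing; printing ruleset only" >&2
    build_filter_rules
  fi
}

check_rules
```

Once the dry run passes, the same output can be piped to iptables-restore without --test to apply it.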