
Linux Firewall Tutorial: Iptables Table, Chain, and Rule Basics

Author: JIYIK   Last Updated: 2025/04/07

The iptables firewall is used to manage packet filtering and NAT rules. iptables comes with all Linux distributions. Knowing how to set up and configure iptables will help us manage the Linux firewall effectively.

The iptables tool is used to manage Linux firewall rules. At first glance, iptables may seem complex (even confusing). However, once you understand the basics of how iptables works and its structure, reading and writing iptables firewall rules becomes easy.

This article is part of an ongoing iptables tutorial series. This is the first article in the series.

This article explains the structure of iptables and explains the basics about iptables tables, chains, and rules.

At a high level, iptables may contain multiple tables. Tables may contain multiple chains. Chains may be built-in or user defined. Chains may contain multiple rules. Rules are defined for packets.

So, the structure is: iptables -> Tables -> Chains -> Rules. This is shown in the following diagram.

Figure: iptables table, chain and rule structure

To reiterate, a table is a bunch of chains, and a chain is a bunch of firewall rules.

IPTABLES Tables and Chains

IPTables has the following 4 built-in tables.

1. Filter table

Filter is the default table of iptables. So if we don't specify a table, the Filter table is used. The Filter table of iptables has the following built-in chains.

  • INPUT chain – Entering the firewall. For packets arriving at the local server.
  • OUTPUT chain – Outgoing from the firewall. For packets generated locally and outgoing from the local server.
  • FORWARD chain - packets from another NIC on the local server. For packets routed through the local server.

2. NAT Table

The iptables NAT table has the following built-in chains.

  • PREROUTING chain - alters packets before they are routed. That is, packet translation occurs immediately after the packet reaches the system (and before it is routed). This helps translate the destination IP address of the packet to something that matches a route on the local server. This is used for DNAT (Destination NAT).
  • POSTROUTING chain - alters packets after routing. That is, packet translation occurs when the packet leaves the system. This helps translate the source IP address of the packet to something that may match a route on the destination server. This is used for SNAT (Source NAT).
  • OUTPUT chain - NAT of locally generated packets on the firewall.

3. Mangle table

The Mangle table of iptables is used for specialized packet modification, for example changing the QoS bits in the TCP header. The Mangle table has the following built-in chains.

  • PREROUTING chain
  • OUTPUT chain
  • FORWARD chain
  • INPUT chain
  • POSTROUTING chain

4. Raw Table

The raw table of iptables is used to configure exceptions. The raw table has the following built-in chains.

  • PREROUTING chain
  • OUTPUT chain

The following figure shows the three important tables in iptables.

Figure: IPTables built-in tables


IPTABLES Rules

The following are the key points to remember about iptables rules.

  • A rule consists of a match criteria and a target.
  • If the criteria match, the packet is handed to the rules of the chain named in the target, or the special target value is applied.
  • If the criteria do not match, execution continues with the next rule.

Target value

The following are the special values that we can specify as a target.

  • ACCEPT – The firewall will accept the packet.
  • DROP – The firewall will drop the packet.
  • QUEUE – The firewall passes the packet to user space.
  • RETURN – The firewall will stop executing the next set of rules in the current chain for this packet. Control will return to the calling chain.

If we execute iptables --list (or) service iptables status, we will see all the firewall rules available on the system. The following iptables example shows that there are no firewall rules defined on this system. As you can see, it shows the default filter table with its default INPUT, FORWARD, and OUTPUT chains.

$ iptables -t filter --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Execute the following to view the mangle table.

$ iptables -t mangle --list

Execute the following to view the NAT table.

$ iptables -t nat --list

Execute the following to view the raw table.

$ iptables -t raw --list

Note: If you do not specify the -t option, iptables displays the default filter table. Therefore, the following two commands are identical.

$ iptables -t filter --list
(or)
$ iptables --list

The following iptables example shows a system where some rules are defined in the Filter table (here in the INPUT chain, while FORWARD and OUTPUT are still empty).

$ iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
DROP       tcp  --  anywhere             anywhere             tcp dpt:mysql
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


The rules in the iptables --list command output contain the following fields:

  • num – the rule number within a particular chain
  • target – the special target value we discussed above
  • prot – protocol: TCP, UDP, ICMP, etc.
  • opt – special options for this particular rule
  • source – the source IP address of the packet
  • destination – the destination IP address of the packet
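As an added example (not code from the article), here is a small Python parser for the iptables --list output format shown above, built around the columns just described, together with a check a defender would want: it flags chains whose default policy is ACCEPT and that have no catch-all DROP/REJECT rule, meaning any packet the listed rules do not match is let through. The sample input is constructed from the INPUT and FORWARD chains of the listing in this article; the num column is not present in that listing, so the parser expects the five columns that are.

```python
"""Parse the `iptables --list` listing format shown above and audit chain policies."""
import re
from collections import namedtuple

# Built-in chains print "Chain INPUT (policy ACCEPT)"; user-defined ones print "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)$")

Rule = namedtuple("Rule", "target prot opt source destination extra")  # extra = trailing match text
Chain = namedtuple("Chain", "policy rules")  # policy is None for user-defined chains

def parse_iptables_list(text):
    """Return {chain name: Chain} in listing order."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line.rstrip())
        if m:
            current = chains[m.group(1)] = Chain(m.group(2), [])
        elif line.strip() and not line.startswith("target") and current is not None:
            parts = line.split(None, 5)  # anything after the fifth column is match text
            current.rules.append(Rule(*parts[:5], parts[5].rstrip() if len(parts) > 5 else ""))
    return chains

def audit_policies(chains):
    """Flag chains that default to ACCEPT and have no catch-all DROP/REJECT rule."""
    findings = []
    for name, ch in chains.items():
        catch_all = any(r.target in ("DROP", "REJECT") and r.prot == "all" and not r.extra
                        for r in ch.rules)
        if ch.policy == "ACCEPT" and not catch_all:
            findings.append(f"{name}: policy ACCEPT with no catch-all DROP; unmatched packets pass")
    return findings

def accepted_ports(chain):
    """Destination ports (service names or numbers) explicitly ACCEPTed in a chain."""
    return [r.extra.split("dpt:", 1)[1].split()[0]
            for r in chain.rules if r.target == "ACCEPT" and "dpt:" in r.extra]

# Constructed sample: the INPUT and FORWARD chains from the listing in the article above.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere             tcp dpt:mysql
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
"""
```

Running audit_policies(parse_iptables_list(SAMPLE)) reports both INPUT and FORWARD, because an explicit DROP for mysql does nothing for ports the rules never mention while the chain policy stays ACCEPT.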
