iptables is the user-space counterpart of Netfilter; it can filter and mangle the packets it receives. NAT gateways, stateless/stateful firewalls and transparent proxies on Linux are implemented with iptables. Here are some items and properties of iptables.
1、Tables: for -t table. nat (SNAT, DNAT, MASQUERADE etc.), filter (the default table), mangle.
SNAT: iptables rewrites the source IP of outgoing packets to a designated IP. From the receiver's point of view, the packets come from the designated IP.
MASQUERADE: for dial-up or DHCP networks (PPP or SLIP access to the Internet, where the Internet IP is dynamic or unknown in advance, this is the best choice), the gateway rewrites the source IP of outgoing packets with the address of the interface they leave through, on behalf of the computer that sent them. (This is how a router gives a LAN access to the Internet.)
DNAT: iptables rewrites the destination IP of packets. For example, you want to reach A, but the gateway rewrites the destination IP to B: you think you are accessing A, but in fact you are accessing B. (Used to map a service port on the internal network to the external network so that external hosts can reach it.)
Since the route is chosen by destination, DNAT => PREROUTING (BEFORE the diamond in the figure), while SNAT => POSTROUTING.
SNAT example: iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 58.20.51.66
DNAT example: iptables -t nat -A PREROUTING -d 202.103.96.112 -j DNAT --to-destination 192.168.0.112
MASQUERADE example: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
2、Hook points (chains): for -A/-I/-R/-Z chain. PREROUTING, FORWARD, INPUT, OUTPUT, POSTROUTING.
Routing Decision: whether the destination IP is local to this host; if so, the packet is delivered to INPUT, otherwise it is FORWARDed.
3、Target: for -j target (ACCEPT, DROP, RETURN etc.).
4、Match: for -m match_option. There are too many to list; each has its own sub-options (ip, tcp, icmp etc.).
Command examples:
1、List some table:
iptables -t nat -L -n -v
2、Stop it: /etc/init.d/iptables stop or service iptables stop.
Disable it at boot: chkconfig iptables off
3、Config data is located in /etc/sysconfig/iptables.
If you want to save the current iptables rules, run service iptables save (it calls iptables-save > /etc/sysconfig/iptables).
If you want to load external modules, set them in /etc/sysconfig/iptables-config.
4、You should set all chain policies to ACCEPT first if you want to customize your firewall.
For example:
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
5、"First-match" rule:
iptables -P INPUT ACCEPT
iptables -A INPUT -s 192.168.1.1 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j DROP <=== allows only 192.168.1.1 out of 192.168.1.0/24; the rest of the subnet is dropped.
is not the same as:
iptables -P INPUT ACCEPT
iptables -A INPUT -j ACCEPT <=== every packet matches this rule, so nothing is passed on to the next rule and the DROP below is never reached.
iptables -A INPUT -s 192.168.1.0/24 -j DROP
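To see the first-match rule in action without touching a live firewall, here is a small added example (not part of the original post) that simulates how a chain evaluates -s/-j rules in order and falls back to the policy when nothing matches; the function names are my own and only the -s and -j options are modelled.

```bash
#!/usr/bin/env bash
# Added example: a tiny simulator of iptables "first-match" chain semantics.
# Only "-s <ip|cidr>" and "-j <target>" are understood; everything else is ignored.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_net <ip> <net[/bits]>  -> exit 0 if <ip> lies inside the prefix.
ip_in_net() {
  local ip=$1 net=${2%/*} bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32            # a bare address means /32
  local mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# verdict <policy> <src-ip> <rule>...
# Rules are checked in order; the FIRST one whose match succeeds decides,
# exactly like a real chain. If no rule matches, the chain policy (-P) applies.
verdict() {
  local policy=$1 src=$2; shift 2
  local rule net target
  for rule in "$@"; do
    net=""; target=""
    set -- $rule                             # split the rule into its options
    while [ $# -gt 0 ]; do
      case $1 in
        -s) net=$2; shift 2 ;;
        -j) target=$2; shift 2 ;;
        *)  shift ;;
      esac
    done
    if [ -z "$net" ] || ip_in_net "$src" "$net"; then
      echo "$target"; return
    fi
  done
  echo "$policy"
}

# The two INPUT chains from item 5, with policy ACCEPT.
chain_a() { verdict ACCEPT "$1" "-s 192.168.1.1 -j ACCEPT" "-s 192.168.1.0/24 -j DROP"; }
chain_b() { verdict ACCEPT "$1" "-j ACCEPT" "-s 192.168.1.0/24 -j DROP"; }

echo "chain A, 192.168.1.5: $(chain_a 192.168.1.5)"   # DROP
echo "chain B, 192.168.1.5: $(chain_b 192.168.1.5)"   # ACCEPT
```

Chain B never reaches its DROP rule because the unconditional ACCEPT consumes every packet first, which is the ordering mistake item 5 warns about.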
6、Rules for passive FTP (the ip_conntrack_ftp helper tracks the data connection so that it matches RELATED):
modprobe ip_conntrack_ftp
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
7、iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -j MASQUERADE
is, to some extent, equivalent to
iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -j SNAT --to 210.1.1.1
(when you know the Internet IP).
This is an URL about iptables:
http://linux.chinaunix.net/bbs/viewthread.php?tid=812400
iptables tutorial by Oskar Andreasson:
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
and Chinese version:
http://www.frozentux.net/iptables-tutorial/cn/iptables-tutorial-cn-1.1.19.html
This article describes common usage for a static firewall:
http://linux.ccidnet.com/art/737/20060705/596613_1.html
This article introduced the basic concepts of iptables and their use on Linux systems, including how iptables works, common commands and rule configuration, with examples explaining SNAT, DNAT and MASQUERADE.