Revisiting firewalls – iptables

“iptables” is the default firewall that ships with all Linux operating systems. The original version was called ipchains, a name that refers to the structure of the software, which resembles a chain. The most secure firewall is one that lets nothing in. For iptables that would look like the following:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Packets that come from the network arrive first at the PREROUTING table, which can contain a series of rules. The order of the rules in the table is important because the first rule that matches will be used. The PREROUTING table rules can NAT or mangle packets before forwarding them on to your program or back out to the network. Each table has the ability to NAT or mangle packets. The following diagram shows the default tables that come with all iptables implementations. Additional tables can be defined and inserted anywhere in the diagram.

Network Address Translation (NAT) is the process of changing IP addresses in a packet. This is most commonly used to convert non-routable private network addresses to routable public addresses. To MANGLE a packet you change packet header information such as the QoS bits.

iptables -I INPUT -p tcp --dport 8080 -j ACCEPT

This command manually opens port 8080 in the firewall for inbound TCP traffic. Note that manually opening a port will mean that the next time the system is rebooted the port will no longer be open. This is actually ideal for testing. In the sections that follow I am going to explain some of the more useful commands.

iptables -L            # List the iptables rules
iptables -F            # Flush all rules; with ACCEPT policies this disables the firewall (the -P policies themselves stay)

The following example redirects all traffic that arrives on port 422 to port 22. This means that an incoming SSH connection can come in on either port 22 or port 422. (`<server-ip>` is a placeholder for the address of the machine; the original post's values were lost in extraction.)

iptables -t nat -A PREROUTING -p tcp -d <server-ip> \
         --dport 422 -j DNAT --to-destination <server-ip>:22

The following iptables rule helps you mitigate a Denial of Service (DoS) attack on your web server by rate-limiting the traffic accepted on port 80.

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute \
         --limit-burst 100 -j ACCEPT

In the above example:

  • -m limit: uses the limit iptables extension
  • --limit 25/minute: allows a maximum of 25 connections per minute; change this value to suit your own requirements
  • --limit-burst 100: the per-minute limit is enforced only after the total number of connections has reached the limit-burst level

You will be surprised how far just a couple of commands will get you with iptables. Start from the most secure firewall example and then add only the ports you need to run your site. Remember that local traffic will have no problems outbound and that a lot of services use symmetrical ports. Once a port is open for outbound traffic, inbound traffic can be received on the same port. This does not have to be the case, but it is generally true.
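A scripted version of the approach this post describes (default-DROP policies, then only the ports you need, with the port 80 rate limit and the 422 to 22 redirect from above), added here as an example that is not part of the original post. It writes an iptables-restore file instead of running iptables directly; the PORT:RATE:BURST spec syntax and the function names are this example's own convention, not an iptables one.

```shell
# Build an iptables-restore ruleset the way the post recommends: start from
# default-DROP policies and open only the TCP ports you need.  Port specs are
# PORT or PORT:RATE[:BURST] (e.g. "22", "80:25/minute:100"); that spec syntax
# is this script's own convention, not an iptables one.
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'
    # Loopback and reply packets must be allowed explicitly, otherwise local
    # services and the answers to your own outbound connections are dropped.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for spec in "$@"; do
        port=${spec%%:*}
        case $port in
            ''|*[!0-9]*) echo "bad port spec: $spec" >&2; return 1 ;;
        esac
        rest=${spec#"$port"}; rest=${rest#:}
        if [ -n "$rest" ]; then
            rate=${rest%%:*}; burst=${rest#*:}
            if [ "$burst" = "$rate" ]; then burst=100; fi   # no burst given: post's value
            # --syn limits new connections only; packets of accepted connections
            # already matched the ESTABLISHED rule above.  Anything over the
            # limit falls through to the INPUT DROP policy and is dropped.
            printf '%s\n' "-A INPUT -p tcp --dport $port --syn -m limit --limit $rate --limit-burst $burst -j ACCEPT"
        else
            printf '%s\n' "-A INPUT -p tcp --dport $port --syn -j ACCEPT"
        fi
    done
    printf '%s\n' 'COMMIT'
}

# nat table entry for the post's alternate SSH port: DNAT happens in PREROUTING,
# so the filter INPUT chain then sees --dport $2, which gen_rules must open.
gen_nat_redirect() {   # $1 = alternate port, $2 = real port, e.g. 422 22
    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' "-A PREROUTING -p tcp --dport $1 -j DNAT --to-destination :$2"
    printf '%s\n' 'COMMIT'
}
```

Write both tables to one file, e.g. `{ gen_nat_redirect 422 22; gen_rules 22 80:25/minute:100; } > /etc/iptables.rules`, and load it with `iptables-restore < /etc/iptables.rules`; running that at boot is what makes the opened ports survive the reboot mentioned earlier.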



One Response to Revisiting firewalls – iptables

  1. PatBeirne says:

    That’s a great illustration. Much easier to understand than others that I’ve found in my surfing. Thanks.

    Ideas for future postings:
    SSD write endurance
    liveCD’s for system repair
    lua interpreter embedded in your project
    bringing up IPv6
