
[Repost] iptables

Posted by luyued on 2011-01-28 21:57

Download And Install The Iptables Package

Before you begin, you need to make sure that the iptables software RPM is installed. (See Chapter 6, "Installing Linux Software", if you need a refresher.) When searching for the RPMs, remember that the filename usually starts with the software package name followed by a version number, as in iptables-1.2.9-1.0.i386.rpm.

How To Start iptables

You can start, stop, and restart iptables after booting by using the commands:

[root@bigboy tmp]# service iptables start
[root@bigboy tmp]# service iptables stop
[root@bigboy tmp]# service iptables restart

To get iptables configured to start at boot, use the chkconfig command:

[root@bigboy tmp]# chkconfig iptables on


Determining The Status of iptables

You can determine whether iptables is running or not via the service iptables status command. Fedora Core will give a simple status message. For example:

[root@bigboy tmp]# service iptables status
Firewall is stopped.
[root@bigboy tmp]#

Packet Processing In iptables

All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain.

Three tables matter here (newer iptables releases also have raw and security tables, which this chapter does not use). The first is the mangle table, which is responsible for altering packet headers, most often the quality of service (TOS/DSCP) bits, which live in the IP header rather than the TCP header, and for setting packet marks. This is hardly used in a home or SOHO environment.

The second table is the filter queue, which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. These are the:

  • Forward chain: Filters packets passing through the firewall to servers protected by it.
  • Input chain: Filters packets destined for the firewall itself.
  • Output chain: Filters packets originating from the firewall.

The third table is the nat queue, which is responsible for network address translation. It has two built-in chains that apply to routed traffic (plus an OUTPUT chain for packets the firewall itself generates); these are:

  • Pre-routing chain: NATs packets when the destination address of the packet needs to be changed (DNAT).
  • Post-routing chain: NATs packets when the source address of the packet needs to be changed (SNAT).

Table 14-1 Processing For Packets Routed By The Firewall
(columns of the original: Queue Type, Queue Function, Packet transformation chain in Queue, Chain Function)

Filter queue (packet filtering)
  FORWARD      Filters packets to servers accessible by another NIC on the firewall.
  INPUT        Filters packets destined to the firewall.
  OUTPUT       Filters packets originating from the firewall.

Nat queue (network address translation)
  PREROUTING   Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.
  POSTROUTING  Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.
  OUTPUT       Network address translation for packets generated by the firewall. (Rarely used in SOHO environments)

Mangle queue (IP header modification and packet marking)
  PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD
               Modification of the packet's quality of service bits (in the IP header) before routing occurs. (Rarely used in SOHO environments)

You need to specify the table and the chain for each firewall rule you create. There is an exception: most rules are related to filtering, so iptables assumes that any chain that's defined without an associated table is part of the filter table. The filter table is therefore the default.

To help make this clearer, take a look at the way packets are handled by iptables. In Figure 14.1 a TCP packet from the Internet arrives at the firewall's interface on Network A to create a data connection.

The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. It is then routed.

If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT in the POSTROUTING chain before arriving at Network B. When the destination server decides to reply, the packet undergoes the same sequence of steps; the reverse translation of a NATed connection's replies is done automatically by connection tracking, so you do not write a second NAT rule for the return direction. Both the FORWARD and POSTROUTING chains may be configured to implement quality of service (QoS) features in the mangle table, but this is not usually done in SOHO environments.

If the packet is destined for the firewall itself, then it passes through the INPUT chain of the mangle table, if configured, before being filtered by the rules in the INPUT chain of the filter table. If it successfully passes these tests then it is processed by the intended application on the firewall.

At some point, the firewall needs to reply. This reply is routed and inspected by the rules in the OUTPUT chain of the mangle table, if any. Next, the rules in the OUTPUT chain of the nat table determine whether DNAT is required, and the rules in the OUTPUT chain of the filter table are then inspected to help restrict unauthorized packets. Finally, before the packet is sent back to the Internet, SNAT and QoS mangling are done by the POSTROUTING chain.

Figure 14-1 Iptables Packet Flow Diagram
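The chain traversal described above, written out as one complete ruleset in iptables-restore format. This is an added example, not code from the original chapter: the interface names (eth0 facing Network A, the Internet; eth1 facing Network B, the protected LAN), the addresses 203.0.113.10 and 192.168.1.0/24, and the web server at 192.168.1.20 are assumptions chosen for illustration. Each rule sits in the table and chain the packet reaches at that step: nat PREROUTING for DNAT before routing, filter FORWARD after routing, nat POSTROUTING for SNAT on the way out.

```sh
#!/bin/sh
# Added example (not from the original chapter). Emits a full ruleset for the
# two-network firewall of Figure 14-1 in iptables-restore format.
# Assumed topology:
#   Network A (Internet side): eth0, public address 203.0.113.10
#   Network B (protected LAN): eth1, 192.168.1.0/24, web server 192.168.1.20

build_ruleset() {
    ext_if=$1; ext_ip=$2; int_if=$3; lan=$4; web=$5
    cat <<EOF
# nat table: PREROUTING runs before the routing decision, POSTROUTING after it
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT: port 80 arriving on the public address is rewritten to the LAN web server
# before routing, so the routing table sees the internal destination
-A PREROUTING -i $ext_if -d $ext_ip -p tcp --dport 80 -j DNAT --to-destination $web:80
# SNAT (many-to-one): LAN hosts leaving via $ext_if appear as $ext_ip
-A POSTROUTING -o $ext_if -s $lan -j SNAT --to-source $ext_ip
COMMIT
# filter table: INPUT (to the firewall), FORWARD (through it), OUTPUT (from it)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# -m state is accepted by both the 2004-era iptables of this chapter and
# current releases (where it is an alias for -m conntrack --ctstate)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# administer the firewall only from the LAN side
-A INPUT -i $int_if -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# FORWARD sees the packet after DNAT, so it must match the web server's real address
-A FORWARD -i $ext_if -o $int_if -d $web -p tcp --dport 80 -j ACCEPT
# LAN hosts may initiate anything outbound
-A FORWARD -i $int_if -o $ext_if -s $lan -j ACCEPT
COMMIT
EOF
}

# With "apply" as root the whole set is loaded atomically by iptables-restore;
# otherwise the ruleset is only printed for review.
if [ "$(id -u)" = 0 ] && [ "${1:-}" = apply ]; then
    build_ruleset eth0 203.0.113.10 eth1 192.168.1.0/24 192.168.1.20 | iptables-restore
else
    build_ruleset eth0 203.0.113.10 eth1 192.168.1.0/24 192.168.1.20
fi
```

Loading the ruleset with iptables-restore rather than a sequence of individual iptables commands avoids the window in which a half-built policy is live (for instance, a DROP default policy set before the ESTABLISHED rule is in place cuts off the SSH session doing the configuring). On Fedora the same text, saved as /etc/sysconfig/iptables, is what `service iptables start` loads at boot.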

It is now time to discuss the ways in which you add rules to these chains.

Targets And Jumps

Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet needs to jump over to it for further processing. Table 14.2 lists the built-in targets that iptables uses.


Table 14-2 Descriptions Of The Most Commonly Used Targets
(columns of the original: Target, Description, Most common options)

ACCEPT
  • iptables stops further processing in the current chain. The packet still traverses the chains of later tables (a packet accepted in nat PREROUTING, for example, is still filtered by the filter table's FORWARD or INPUT chain).
  • The packet is handed over to the end application or the operating system for processing.
  Most common options: N/A

DROP
  • iptables stops further processing.
  • The packet is blocked silently; no reply is sent to the source.
  Most common options: N/A

LOG
  • The packet information is sent to the syslog daemon for logging.
  • iptables continues processing with the next rule in the chain; LOG is a non-terminating target.
  • As you can't log and drop with a single rule, it is common to have two similar rules in sequence. The first will log the packet, the second will drop it.
  Most common options: --log-prefix "string"
    Tells iptables to prefix all log messages with a user-defined string. Frequently used to tell why the logged packet was dropped.
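The log-then-drop pair from the LOG row, together with what to do with the log lines it produces. This is an added example and not part of the original chapter: the chain, the prefix string "INPUT-DROP:", the interface and all addresses are assumptions, and the syslog lines are constructed to look like what the kernel writes for a LOG rule, not captured from a real system. The first function emits the two rules with the same match expression so they cannot drift apart, and rate-limits the LOG rule, because an unlimited LOG rule lets anyone who can send packets fill the firewall's disk; the second tallies drops by source address and destination port from a syslog stream.

```sh
#!/bin/sh
# Added example (not from the original chapter).
#   log_and_drop CHAIN PREFIX MATCH...   prints the LOG rule and the DROP rule
#   summarise_drops PREFIX               reads syslog on stdin, prints "count SRC DPT"
# Prefix, chain, interface and addresses below are assumptions for illustration.

log_and_drop() {
    chain=$1; prefix=$2; shift 2
    # Rule 1: LOG is non-terminating, so the packet continues to the next rule.
    # -m limit keeps a flood from producing more than 5 log lines a minute.
    printf 'iptables -A %s %s -m limit --limit 5/min -j LOG --log-prefix "%s " --log-level 4\n' "$chain" "$*" "$prefix"
    # Rule 2: DROP is terminating. Same match expression as rule 1.
    printf 'iptables -A %s %s -j DROP\n' "$chain" "$*"
}

# Constructed sample of kernel log lines such as a LOG rule with
# --log-prefix "INPUT-DROP: " would produce, plus one unrelated sshd line.
SAMPLE_LOG='Jan 28 21:57:01 bigboy kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40112 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 28 21:57:02 bigboy kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40113 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 28 21:57:05 bigboy kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=0 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 28 21:57:09 bigboy sshd[2201]: Accepted publickey for root from 192.168.1.5 port 51234 ssh2'

# Keep only kernel lines carrying the prefix, pull out SRC= and DPT=,
# and print one line per (source, port) pair, most frequent first.
summarise_drops() {
    prefix=$1
    grep -F "kernel: $prefix" | awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "") n[src " " dpt]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# Usage: rules for telnet probes on the outside interface, then a summary
# of the constructed log sample.
log_and_drop INPUT "INPUT-DROP:" -i eth0 -p tcp --dport 23
printf '%s\n' "$SAMPLE_LOG" | summarise_drops "INPUT-DROP:"
```

The prefix is the only thing that ties a log line back to the rule that produced it, so give each LOG rule a distinct one (iptables caps it at 29 characters) and include the trailing space in the rule, as above, so the prefix does not run into the IN= field. On a real host the same summary is obtained with `grep 'INPUT-DROP:' /var/log/messages | summarise_drops "INPUT-DROP:"`.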
