https://www.suse.com/communities/blog/basic-iptables-tutorial/
Environment:
This article was tested on SUSE Linux Enterprise Server and SUSE Linux Enterprise Desktop.
Introduction to iptables
iptables provides a packet-filtering framework for Linux that lets administrators and users filter the network traffic flowing into and out of a server or workstation. It offers a rich set of features: stateless and stateful packet filtering, NAT (Network Address Translation) and PAT (Port Address Translation), packet manipulation, and more. iptables also ships with an extensive selection of match modules; some of them are listed in Table 1.

Table 1: A selection of iptables match modules

Module   Description
Nth      Matches every Nth packet received, which lets you turn the machine into a simple load balancer.
Time     Matches a packet based on its arrival or departure timestamp.
String   Matches packets whose payload contains a given string.
Quota    Matches packets until a configured byte quota has been used up; after that the match no longer succeeds.
Figure 1: Stopping SUSE's firewall.
When you stop the SuSEfirewall2_setup firewall, the policies that remain are ACCEPT on every chain, so all inbound and outbound traffic is allowed and the machine is unprotected until you add rules of your own. In this article we work with the SuSEfirewall2_setup firewall turned off, so every rule shown is added to an otherwise empty ruleset.
IPTable tables
iptables has four tables: filter, mangle, nat and raw. Table 2 explains what each one does. In this article we concentrate on the filter table, using it for MAC filtering and for restricting users' network activity.

Table 2: The iptables tables

Table   Description
filter  The default table (used when no -t option is given). It contains the built-in chains INPUT (packets destined for local sockets), FORWARD (packets being routed through the box) and OUTPUT (locally generated packets).
mangle  Used for specialised packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (altering incoming packets before routing) and OUTPUT (altering locally generated packets before routing). Since kernel 2.4.18 three more built-in chains are supported: INPUT (packets coming into the box itself), FORWARD (altering packets being routed through the box) and POSTROUTING (altering packets as they are about to go out).
nat     Consulted when a packet that creates a new connection is seen. It has three built-in chains: PREROUTING (altering packets as soon as they come in), OUTPUT (altering locally generated packets before routing) and POSTROUTING (altering packets as they are about to go out).
raw     Used mainly to configure exemptions from connection tracking, in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is therefore consulted before ip_conntrack and before the other tables. It provides two built-in chains: PREROUTING (packets arriving on any network interface) and OUTPUT (packets generated by local processes).
IPTable Targets
Most rules end with a jump target (-j) that tells iptables what to do with a packet the rule matches; a rule without a target only counts the packets it matches. Table 2.1 explains the targets used in this article.

Table 2.1: Common iptables targets

Target   Description
ACCEPT   Lets the packet through: on to the local socket, or on through the machine if it is being forwarded.
REJECT   Denies the packet and sends an error back to the sender (by default an ICMP port-unreachable message), so the sender learns at once that it was refused.
DROP     Denies the packet silently; nothing is sent back, so the sender sees only a timeout.
LOG      Records the packet headers through the kernel log and then continues with the next rule (LOG does not terminate rule processing). On SUSE, syslog writes these entries to /var/log/firewall.
iptables interface
iptables on SUSE can be configured in two ways. The first is the YaST utility, either through its GUI (Graphical User Interface) or through its curses-based interface, as shown in Figure 1.1. The second is the iptables command itself, which lets you write far more complex rules and fine-tune the firewall. Its only real disadvantage is that you must write out every rule by hand and make sure the ordering is correct, because iptables applies the first rule that matches a packet.

The GUI and curses interfaces let administrators manage the firewall without knowing any iptables commands; however, YaST does not expose all of the features that iptables offers.
Default policy
The default policy of each chain can be viewed with the iptables -L command, as shown in Figure 3. Adding -n prints addresses and ports numerically instead of resolving them, which avoids slow DNS lookups, and -v adds packet and byte counters for each rule.

linux-w2mu:~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
...

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
...

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
...
Figure 3: Viewing the default policy.
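The listing in Figure 3 is the wide-open state: every chain has policy ACCEPT and no rules. The script below is an added example, not code from the original article, that parses iptables -L output and reports chains in exactly that state. SAMPLE_OPEN and SAMPLE_WITH_RULE are constructed listings embedded so the script runs offline (the first mirrors Figure 3); audit_live runs the same check against the kernel's real tables and needs root.

```shell
#!/bin/sh
# Added example, not from the original SUSE article: find chains that let
# everything through. SAMPLE_OPEN and SAMPLE_WITH_RULE are constructed
# `iptables -L` listings used as offline test input.

SAMPLE_OPEN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

SAMPLE_WITH_RULE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# chain_policy CHAIN: read an `iptables -L` listing on stdin and print the
# policy of the named built-in chain (user-defined chains have no policy).
chain_policy() {
  awk -v chain="$1" '
    $1 == "Chain" && $2 == chain && $3 == "(policy" { p = $4; sub(/\)/, "", p); print p }
  '
}

# open_chains: read an `iptables -L` listing on stdin and print, sorted and one
# per line, every chain whose policy is ACCEPT and which holds no rules at all.
open_chains() {
  awk '
    /^Chain / {
      chain = $2; rules[chain] = 0
      if ($3 == "(policy") { p = $4; sub(/\)/, "", p); policy[chain] = p }
      next
    }
    /^target / { next }   # column header printed under every chain
    NF == 0    { next }   # blank separator line between chains
    { rules[chain]++ }    # anything else is a rule
    END {
      for (c in policy)
        if (policy[c] == "ACCEPT" && rules[c] == 0) print c
    }
  ' | sort
}

# audit_live: the same check against the running kernel (needs root).
# -n avoids the reverse DNS lookups that make `iptables -L` slow.
audit_live() {
  iptables -L -n | open_chains
}

# Demonstration on the constructed listings.
printf 'Open chains in SAMPLE_OPEN:      %s\n' \
  "$(printf '%s' "$SAMPLE_OPEN" | open_chains | tr '\n' ' ')"
printf 'Open chains in SAMPLE_WITH_RULE: %s\n' \
  "$(printf '%s' "$SAMPLE_WITH_RULE" | open_chains | tr '\n' ' ')"
```

On SAMPLE_OPEN all three chains are reported; on SAMPLE_WITH_RULE only OUTPUT is, because INPUT now holds a rule and FORWARD's policy is DROP. The parser keys on the "Chain NAME (policy X" header that iptables -L prints for built-in chains, so it also works on -v output, where the header carries counters after the policy.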
The rule iptables -A INPUT -p tcp --dport 22 -j DROP drops every inbound TCP packet addressed to port 22 (SSH), whatever its source. Table 3 explains each qualifier.

Table 3: Qualifiers used in the first rule

Qualifier    Description
-A INPUT     Append a new rule to the INPUT chain.
-p tcp       Filter on the TCP protocol. This also loads the tcp match, which is what makes --dport available.
--dport 22   Match packets whose destination port is 22.
-j DROP      Drop the packet if the rule matches.

Adding a source address narrows the rule to one host: iptables -A INPUT -s 192.168.0.1 -p tcp --dport 22 -j DROP drops SSH connection attempts from 192.168.0.1 only. Its qualifiers are explained below.

Qualifier        Description
-A INPUT         Append a new rule to the INPUT chain.
-s 192.168.0.1   Match packets whose source IP address is 192.168.0.1.
-p tcp           Filter on the TCP protocol.
--dport 22       Match packets whose destination port is 22.
-j DROP          Drop the packet if the rule matches.
MAC filtering
Now that you have written some simple rules, we can move on to a more complex example: filtering on a MAC (Media Access Control) address. The intent is to allow one MAC address to reach the SSH daemon and deny all others.
linux-w2mu:~ # iptables -A INPUT -m mac ! --mac-source 00:00:5A:9C:D1:73 -j DROP
Figure 5: Allow access to a specific MAC address.
The rule in Figure 5 introduces two new qualifiers: -m, which loads a match module, and the exclamation point (!), which inverts the match that follows it. Table 4 explains the rule.

Two caveats apply. First, as written the rule carries no -p tcp --dport 22, so it drops every inbound packet whose source MAC is not 00:00:5A:9C:D1:73, not just SSH; add those qualifiers to limit it to the SSH daemon. Second, a source MAC is only visible from hosts on the same Layer 2 segment (traffic that arrives through a router carries the router's MAC), and the sender can change its MAC at will, so MAC filtering is a convenience control, not an authentication mechanism.
Table 4: Qualifiers used in Figure 5

Qualifier                          Description
-A INPUT                           Append a rule to the INPUT chain.
-m mac                             Load the mac match module, which provides the --mac-source option.
! --mac-source 00:00:5A:9C:D1:73   Match packets whose source MAC address is NOT 00:00:5A:9C:D1:73; the exclamation point inverts the match.
-j DROP                            Drop the packet if the rule matches.
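A complete ruleset that does what Figure 5 intends, assembled from the qualifiers in Tables 3 and 4, as an added example that is not code from the original article. build_ruleset writes an iptables-restore file that sets DROP policies on INPUT and FORWARD, keeps loopback and already-established connections working, refuses SSH from one host outright, allows new SSH connections only from the admin's MAC, and logs (rate-limited) whatever is about to be dropped. ADMIN_MAC reuses the address from Figure 5 and BLOCKED_HOST the address from Table 3; both are illustrative values, as is the "iptables-drop: " log prefix. rule_index is a small helper for checking rule order.

```shell
#!/bin/sh
# Added example, not from the original SUSE article.
# ADMIN_MAC is the address from Figure 5 and BLOCKED_HOST the one from Table 3;
# both are illustrative values, replace them with your own.
ADMIN_MAC="00:00:5A:9C:D1:73"
BLOCKED_HOST="192.168.0.1"

# build_ruleset MAC BLOCKED_IP: print an iptables-restore ruleset on stdout.
# Order matters: iptables applies the first matching rule, so the per-host DROP
# sits before the MAC-based ACCEPT and the LOG rule comes last.
build_ruleset() {
  mac="$1"
  blocked="$2"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# one host is refused SSH outright, whatever MAC it presents
-A INPUT -s $blocked -p tcp --dport 22 -j DROP
# new SSH connections only from the admin's MAC; the mac match only sees
# frames from the same Layer 2 segment and the address can be spoofed
-A INPUT -p tcp --dport 22 -m state --state NEW -m mac --mac-source $mac -j ACCEPT
# log what is about to be dropped, at most 5 lines a minute, then fall
# through to the INPUT policy (LOG does not terminate rule processing)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# rule_index PATTERN: read a ruleset on stdin and print the position (1-based,
# counting only -A lines) of the first rule containing PATTERN, or 0 if none.
rule_index() {
  awk -v pat="$1" '
    /^-A/ { n++; if (!found && index($0, pat)) { print n; found = 1 } }
    END   { if (!found) print 0 }
  '
}

# apply_ruleset MAC BLOCKED_IP: load the ruleset atomically. iptables-restore
# replaces the whole filter table in one step, so there is no window with a
# half-applied policy. Run it from the console, or from an SSH session that
# the ESTABLISHED rule keeps alive, so a mistake cannot lock you out.
apply_ruleset() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: must run as root" >&2; return 1; }
  build_ruleset "$1" "$2" | iptables-restore
}

# Print the ruleset so it can be reviewed before it is applied.
build_ruleset "$ADMIN_MAC" "$BLOCKED_HOST"
```

Review the printed ruleset first, then apply it with apply_ruleset "$ADMIN_MAC" "$BLOCKED_HOST" and confirm the result with iptables -L -n -v --line-numbers. The -m state match is what this article's iptables release provides; on current systems -m conntrack --ctstate does the same job.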
Modules
When you use a match module and forget, or do not know, which qualifiers it takes, add --help after the module: iptables prints the module's options along with its general usage, as shown in Figure 7.
linux-w2mu:~ # iptables -A INPUT -m mac --help
iptables v1.3.8
...
MAC v1.3.8 options:
 --mac-source [!] XX:XX:XX:XX:XX:XX
                                Match source MAC address
Figure 7: Retrieving the list of possible qualifiers for a module.
As Figure 7 shows, the only option the mac module provides is --mac-source. The [!] marks where this iptables release accepts the negation after the option (--mac-source ! address); the form used in Figure 5, with ! before the option, is also accepted and is the form later releases standardised on.
Conclusion
This article has touched only the very basics of iptables. There is a lot more that has not been covered here, and it can be found in the man pages [1]. I would also recommend visiting the netfilter website [2], where you can learn a lot more about iptables and find a list of the latest modules.
References
1. iptables(8) man page: /usr/share/man/man8/iptables.8.gz
2. The netfilter project: http://www.netfilter.org/