suse.com
https://www.suse.com/communities/blog/basic-iptables-tutorial/

Basic iptables Tutorial


Damian Myerscough

Environment:
This article was tested on SUSE Linux Enterprise Server and SUSE Linux Enterprise Desktop.

Introduction to iptables
iptables provides a packet-filtering framework for Linux that lets administrators and users filter the network traffic
flowing in and out of their server or workstation. It offers a rich feature set: stateless and stateful packet filtering,
NAT (Network Address Translation) and PAT (Port Address Translation), packet manipulation and much more. iptables also
comes with an extensive selection of extension modules; some of them are listed in Table 1.
Nth
    Matches every Nth packet received, which lets you turn your machine into a simple load balancer. (Nth came from
    the patch-o-matic add-ons; on current kernels the same thing is done with the statistic match,
    -m statistic --mode nth.)

Time
    Matches a packet based on its arrival or departure time.

String
    Matches a string anywhere in the packet payload.

Quota
    Matches until a byte quota has been used up, which lets you cap how much traffic a rule lets through.

Table 1: iptables extension modules.


In SUSE Linux Enterprise there is a service called SuSEfirewall2_setup that applies the firewall settings configured
with the YaST firewall module. This service can be started, stopped and restarted with the service command, as shown
in Figure 1.
linux-w2mu:~ # service SuSEfirewall2_setup stop
Shutting down the Firewall SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
                                                                                                                        done
linux-w2mu:~ #
Figure 1: Stopping SUSE's firewall.
When you stop SuSEfirewall2_setup its rules are removed and every chain is left with a default policy of ACCEPT, so
all inbound and outbound traffic is allowed. In this article we work with SuSEfirewall2_setup turned off; the host is
unprotected while it is stopped, so turn it back on (or install your own rules) when you are done experimenting.

IPTable tables
iptables has four tables: filter, mangle, nat and raw. Table 2 explains what each table does. In this article we
concentrate on the filter table, using it for MAC filtering and for restricting users' network activity.
Filter
    This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets
    destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for
    locally-generated packets).

Mangle
    This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains:
    PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets
    before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming
    into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering
    packets as they are about to go out).

NAT
    This table is consulted when a packet that creates a new connection is encountered. It consists of three
    built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated
    packets before routing), and POSTROUTING (for altering packets as they are about to go out).

RAW
    This table is used mainly for configuring exemptions from connection tracking in combination with the
    NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before
    ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets
    arriving via any network interface) and OUTPUT (for packets generated by local processes).

Table 2: iptables man page (iptables, 2007).

IPTable Targets
A rule normally carries a jump target, given with -j, which tells iptables what to do with a packet that matches the
rule. (A rule without a target is legal: it matches and counts packets but takes no action, which is occasionally
useful for accounting.) Table 2.1 explains the targets used in this article and what they do.

ACCEPT
    Lets the packet through: the chain is left and the packet continues on its way.

REJECT
    Discards the packet and sends an error back to the sender, by default an ICMP port-unreachable message
    (--reject-with tcp-reset sends a TCP RST instead), so the sender learns at once that the connection was refused.

DROP
    Discards the packet silently, without any reply; the sender only ever sees a timeout.

LOG
    Writes information about the packet to the kernel log through syslog; on SUSE these messages end up in
    /var/log/firewall. Unlike the three targets above, LOG is non-terminating: after the packet has been logged it
    continues to the next rule in the chain.

Table 2.1: Jump targets.

iptables interface
iptables in SUSE can be configured in two ways. The first is the YaST firewall module, either through its GUI
(Graphical User Interface) or through its curses-based interface, as shown in Figure 1.1. The second is the iptables
command itself, which lets you write much more complex rules and fine-tune your firewall. The only drawback is that
you have to write out each rule by hand and make sure the rules are correctly ordered.

Figure 1.1: The YaST firewall module (screenshot not reproduced here).
The GUI and curses-based interfaces let administrators manage their firewall without knowing any iptables
commands; however, YaST does not expose all of the features that iptables offers.

Rule status and ordering

The ordering of iptables rules is very important. A chain is evaluated from top to bottom, and a terminating target
such as ACCEPT, DROP or REJECT ends the traversal: once such a rule matches, no later rule in that chain is consulted.
For example, if you want to deny a user access to the SSH daemon and also log their attempts, the LOG rule must come
before the DROP rule. LOG is non-terminating, so after the packet has been logged it continues down the chain and is
then dropped; placed after the DROP rule it would never see the packet. Figure 2 shows the incorrect ordering and
Figure 2.1 the correct ordering.
linux-w2mu # iptables -A INPUT -s 192.168.2.1 -p tcp --dport 22 -j DROP
linux-w2mu # iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "Someone knocked on port 22"
Figure 2: Incorrect order.
linux-w2mu # iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "Someone knocked on port 22"
linux-w2mu # iptables -A INPUT -s 192.168.2.1 -p tcp --dport 22 -j DROP
Figure 2.1: Correct order.
If you apply the rules shown in Figure 2 and list the chain with the verbose qualifier -v turned on, you should see
something similar to Figure 2.2.
linux-w2mu:/home/damian # iptables -L INPUT -v
Chain INPUT (policy ACCEPT 2665 packets, 1254K bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  1808 DROP       tcp  --  any    any     192.168.2.1          anywhere             tcp dpt:ssh
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh LOG level warning prefix `Someone knocked on port 22'
Figure 2.2: iptables status.
As you can see from Figure 2.2, the packet and byte counters of the LOG rule are zero, whereas the DROP rule has
counted 23 packets and 1808 bytes: every SSH packet from 192.168.2.1 was consumed by the terminating DROP rule and
never reached the LOG rule below it. (The LOG rule in Figure 2 is not restricted to one source address, so attempts
from other hosts would still be logged.)
When writing iptables rules, the best way to debug them is to list the chain with the verbose qualifier -v, as in
Figure 2.2: it shows how many packets and bytes each rule has matched, so an unexpected zero tells you a rule is
never reached. Adding -n avoids slow reverse DNS lookups in the listing, and --line-numbers shows each rule's
position in the chain, which is what you need when inserting a rule at a specific place with -I.
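The counter check described above can be automated. The following shell function is an added example and is not part of the original article: it reads a listing produced by iptables -L CHAIN -v -n --line-numbers and reports every rule whose packet counter is still zero, and, when a terminating rule (ACCEPT, DROP or REJECT) precedes it, names that rule as a shadowing candidate, which is exactly the situation of Figure 2.2. The sample listing embedded in the script is constructed for an offline run; the rule contents mirror Figure 2 but the numeric output format is assumed from the -n option.

```shell
#!/bin/sh
# Added example, not from the article: find rules in a chain that have never
# matched a packet, using the counters that "iptables -L -v" shows. A rule
# with zero counters placed after a terminating rule (ACCEPT, DROP, REJECT)
# is a candidate for being shadowed by it. Use it on a live host as:
#   iptables -L INPUT -v -n --line-numbers | unhit_rules
unhit_rules() {
    awk '
        # Data rows: rule number, pkts, bytes, target, prot, opt, in, out,
        # source, destination, extra matches. Counters may carry a K/M/G
        # suffix; only an exact 0 means "never matched".
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+[KMG]?$/ {
            if ($2 == 0) {
                msg = "rule " $1 " (" $4 " " $9 " -> " $10 ") never matched"
                if (last_term != "")
                    msg = msg "; check whether rule " last_term " (" last_term_tgt ") shadows it"
                print msg
            }
            # Remember the most recent terminating rule seen above this point.
            if ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT") {
                last_term = $1; last_term_tgt = $4
            }
        }'
}

# Constructed sample listing (assumed "-n --line-numbers" format) showing the
# rules of Figure 2: the DROP rule sits above the LOG rule and starves it.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 2665 packets, 1254K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       23  1808 DROP       tcp  --  *      *       192.168.2.1          0.0.0.0/0            tcp dpt:22
2        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 0 level 4 prefix "Someone knocked on port 22"
EOF
}

# Stand-alone run: reports rule 2 as never matched and rule 1 as the suspect.
sample_listing | unhit_rules
```

A zero counter is not proof of shadowing (the rule may simply not have been exercised yet), which is why the report says "check whether" rather than asserting it; reset the counters with iptables -Z, generate the traffic you expect the rule to see, and list again before rearranging rules.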

Default policy
The default policy can be viewed by issuing the iptables -L command as shown in Figure 3.
linux-w2mu:~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
...
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
...
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
...
Figure 3: Default IPTable rules.


As you can see from Figure 3, the INPUT, FORWARD and OUTPUT chains all have a default policy of ACCEPT. A default
policy of ACCEPT is considered insecure because any traffic you have not explicitly blocked flows in and out of your
machine. The recommended default policy for the INPUT chain is DROP: with deny-by-default you only have to list the
services you want reachable, and a service you forgot to close or to firewall is simply unreachable instead of exposed.
The default policy can be altered by using the iptables command with the -P qualifier followed by the chain you
would like to change and then the action you would like to perform, as shown in Figure 3.1.
linux-w2mu:~ # iptables -P INPUT DROP
Figure 3.1: Setting the default policy of the INPUT chain to drop.
The command shown in Figure 3.1 will change the default policy for the INPUT chain to DROP, so what this
means is if no rule has been matched the packet will be dropped. Once you have changed the default policy you can
issue the iptables -L INPUT command to check the new policy has been set as shown in Figure 3.2.
linux-w2mu:~ # iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
...
Figure 3.2: Checking the default policy has successfully changed.


Once you have changed the INPUT policy to DROP you will notice that every packet addressed to your machine that no
rule accepts is dropped, including traffic on the loopback interface, so programs that talk to local sockets break as
well. (Packets routed through the machine are governed by the FORWARD chain, not INPUT.) If you are administering the
box over SSH you can also lock yourself out, because the packets of your own session arrive through the INPUT chain.
I would recommend changing the policy back to ACCEPT until you are used to iptables: a usable DROP policy needs at
least an ACCEPT rule for the lo interface and stateful rules (the state match with ESTABLISHED,RELATED) that let the
replies to connections you started back in.
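As an added example that is not part of the original article, the script below puts the preceding advice into one function: it accepts loopback traffic and established connections first, permits new SSH connections from a management subnet, logs the rest at a limited rate, and flips the INPUT policy to DROP only as the last step, so it can be run over the very SSH session it protects. The management subnet (192.168.2.0/24) and the IPTABLES variable are assumptions of this example; setting IPTABLES to a command that just prints its arguments gives a dry run without touching the kernel. The state match is used because that is what the article's era of iptables spoke; on current versions -m conntrack --ctstate is the equivalent spelling.

```shell
#!/bin/sh
# Added example, not from the article: a minimal stateful INPUT policy that
# can be applied over an SSH session without locking yourself out. The
# accept rules go in first and the default policy is flipped to DROP last.
# IPTABLES and MGMT_NET are assumptions; override them from the environment.
IPTABLES="${IPTABLES:-iptables}"
MGMT_NET="${MGMT_NET:-192.168.2.0/24}"   # assumed management subnet

ipt() { "$IPTABLES" "$@"; }

harden_input() {
    # 1. Start from a clean, permissive INPUT chain so the rules below are
    #    the only ones present and their order is known.
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    # 2. Loopback: local sockets (X, resolvers, databases) talk over lo;
    #    without this rule a DROP policy breaks them.
    ipt -A INPUT -i lo -j ACCEPT
    # 3. Stateful part: packets belonging to connections conntrack already
    #    knows, including the SSH session you are typing in, are accepted.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. Packets conntrack cannot classify are dropped before any service sees them.
    ipt -A INPUT -m state --state INVALID -j DROP
    # 5. New SSH connections are accepted only from the management subnet.
    ipt -A INPUT -p tcp --dport 22 -s "$MGMT_NET" -m state --state NEW -j ACCEPT
    # 6. Log what is about to be dropped, rate-limited so a flood cannot fill
    #    the log; LOG is non-terminating, so the policy below still drops it.
    ipt -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "INPUT DROP: " --log-level 4
    # 7. Only now flip the default policy to DROP.
    ipt -P INPUT DROP
}

# "sh harden.sh apply" (as root) installs the rules; without the argument the
# script only defines the function, so it can be sourced or dry-run.
if [ "${1:-}" = "apply" ]; then
    harden_input
fi
```

The order inside harden_input is the whole point: if the policy were set to DROP before the ESTABLISHED,RELATED rule existed, the next packet of your SSH session would be dropped and the session would hang. Rules added this way live only until reboot; on SUSE either move them into the SuSEfirewall2 configuration or save them with iptables-save once you are happy with them.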

Your first rule


The first rule we are going to write simply blocks access to the SSH daemon. First we block it for every host, then
for a single IP address. Figure 4 shows the command used to block all SSH access.
linux-w2mu:~ # iptables -A INPUT -p tcp --dport 22 -j DROP
Figure 4: Block all access to the SSH daemon.
The rule shown in Figure 4 is very simple to understand; Table 3 explains what each qualifier does.

-A INPUT
    Tells iptables that we are appending a new rule to the INPUT chain.

-p tcp
    Tells iptables which protocol we are filtering for, which is TCP.

--dport 22
    Tells iptables that we are looking for a destination port of 22.

-j DROP
    Tells iptables what to do if a packet matches this rule.

Table 3: Figure 4 command explained.


The next rule we will write blocks a specific IP address. The address we will block is 192.168.0.1; all other
addresses remain allowed, as shown in Figure 4.1.
linux-w2mu:~ # iptables -A INPUT -s 192.168.0.1 -p tcp --dport 22 -j DROP
Figure 4.1: Block 192.168.0.1 access to the SSH daemon.
The rule shown in Figure 4.1 looks very similar to Figure 4, with one extra qualifier, -s. Table 3.1 explains
what each qualifier does.
-A INPUT
    Tells iptables that we are appending a new rule to the INPUT chain.

-s 192.168.0.1
    Tells iptables to match against the source IP address 192.168.0.1.

-p tcp
    Tells iptables which protocol we are filtering for, which is TCP.

--dport 22
    Tells iptables that we are looking for a destination port of 22.

-j DROP
    Tells iptables what to do if a packet matches this rule.

Table 3.1: Figure 4.1 command explained.

MAC filtering
Now that you have written some simple rules we can move on to a more complex example: filtering on a MAC (Media
Access Control) address. The aim is to allow one specific MAC address to reach the SSH daemon and deny all others.
linux-w2mu:~ # iptables -A INPUT -m mac ! --mac-source 00:00:5A:9C:D1:73 -j DROP
Figure 5: Allow access to a specific MAC address.
The rule shown in Figure 5 introduces two new qualifiers, -m and the logical negation (!). Note that the rule matches
on the source MAC only: as written it drops every inbound packet from any other MAC address, not just SSH traffic, so
add -p tcp --dport 22 to it if you only want to protect the SSH daemon. Two caveats before relying on MAC filtering:
the mac match only makes sense for packets that arrive from an Ethernet device and enter the PREROUTING, FORWARD or
INPUT chains (a router rewrites the source MAC, so only hosts on the local segment can be told apart), and a MAC
address is trivially spoofed, so treat this as a convenience rather than as authentication. The rule shown in
Figure 5 is explained in Table 4.
-A INPUT
    Tells iptables that we are appending a rule to the INPUT chain.

-m mac
    Tells iptables to load the mac match module.

! --mac-source 00:00:5A:9C:D1:73
    The ! inverts the match: the rule applies when the source MAC address is NOT 00:00:5A:9C:D1:73.

-j DROP
    Tells iptables what to do if a packet matches this rule.

Table 4: Figure 5 command explained.

UID and GID filtering


The next type of filtering we are going to perform is based on user IDs and group IDs, using the owner match. This
match inspects the process that created the packet, so it is only valid for locally generated packets, that is, in
the OUTPUT chain (and POSTROUTING on newer kernels); it cannot be used in INPUT. The goal is to deny a user access to
port 80 (HTTP) and 443 (HTTPS). Figure 6 shows the rule for port 80; a second rule with --dport 443, or a single rule
using -m multiport --dports 80,443, covers HTTPS as well.
linux-w2mu:~ # iptables -A OUTPUT -m owner --uid-owner 1000 -p tcp --dport 80 -j DROP
Figure 6: Block the user ID of 1000 from accessing port 80.
The rule shown in Figure 6 blocks the user with ID 1000 from reaching port 80, the HTTP port. Once you have applied
it, issue iptables -L OUTPUT -v and watch the packet and byte counters increase when that user tries to reach a
website, as shown in Figure 6.1.
linux-w2mu:~ # iptables -L OUTPUT -v
Chain OUTPUT (policy ACCEPT 592 packets, 54866 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DROP       tcp  --  any    any     anywhere             anywhere             OWNER UID match damian tcp dpt:http
Figure 6.1: Checking the packet and byte count.


This shows that the user tried to connect to a website but could not establish a connection: all 12 packets (the
retransmitted SYNs of the attempt) were dropped. Because DROP sends nothing back, the user's browser only sees the
connection time out; if you prefer an immediate failure, use -j REJECT --reject-with tcp-reset instead.
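The following script is an added example, not code from the article: it generalises Figure 6 into a function that restricts one user's outbound web access on both HTTP and HTTPS, logs new connection attempts at a limited rate before rejecting them (LOG is non-terminating, so the REJECT rule still fires), and accepts either a user name or a numeric UID. The IPTABLES variable is an assumption that lets the rules be printed instead of installed.

```shell
#!/bin/sh
# Added example, not from the article: restrict one local user's outbound
# web access with the owner match. The match only knows the owning process
# for locally generated packets, so it is valid only in the OUTPUT chain
# (and POSTROUTING on current kernels), never in INPUT. IPTABLES is an
# assumption so the rules can be printed instead of installed.
IPTABLES="${IPTABLES:-iptables}"
ipt() { "$IPTABLES" "$@"; }

# restrict_user_web USER_OR_UID [PORTS]
# Logs and rejects the user's outbound TCP connections to PORTS
# (default 80,443). REJECT with a TCP reset makes the browser fail at once
# instead of waiting for the timeout that DROP would cause.
restrict_user_web() {
    [ -n "$1" ] || return 1
    ports="${2:-80,443}"
    case "$1" in
        *[!0-9]*) uid=$(id -u "$1") || return 1 ;;   # user name: resolve it
        *)        uid="$1" ;;                         # already numeric
    esac
    # LOG first: it is non-terminating, so the REJECT rule below still fires.
    # Only new connections (SYN) are logged, and only 3 per minute.
    ipt -A OUTPUT -m owner --uid-owner "$uid" -p tcp -m multiport --dports "$ports" \
        -m state --state NEW -m limit --limit 3/min \
        -j LOG --log-prefix "uid $uid web egress: "
    ipt -A OUTPUT -m owner --uid-owner "$uid" -p tcp -m multiport --dports "$ports" \
        -j REJECT --reject-with tcp-reset
}

# Example invocation (assumed user id 1000, as in Figure 6):
#   restrict_user_web 1000
```

Keep in mind what this does and does not control: the owner match sees the UID of the socket owner, so a setuid helper or a proxy running as another user lets the restricted user out, and a user who can reach a web proxy on a different port is not covered unless that port is in the list too.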

Modules
When you are using a module and forget, or don't know, which qualifiers it takes, you can append the --help qualifier
to a rule that loads the module. iptables then prints the module's options, as shown in Figure 7.
linux-w2mu:~ # iptables -A INPUT -m mac --help
iptables v1.3.8
...
...
MAC v1.3.8 options:
--mac-source [!] XX:XX:XX:XX:XX:XX
Match source MAC address
Figure 7: Retrieving a list of possible qualifiers for modules.
As Figure 7 shows, the only option the mac module takes is --mac-source, which can be negated with !. The same
trick works for targets: iptables -j LOG --help lists the options of the LOG target.

Conclusion

This article has only touched the very basics of iptables; there is a lot more that I have not mentioned, and it can be
found in the man pages [1]. I would also recommend visiting the netfilter website [2], where you can learn a lot more
about iptables and find a list of the latest modules.

References
1. /usr/share/man/man8/iptables.8.gz
2. http://www.netfilter.org/

