IPTables Explained : Part 1 (a tutorial to UNDERSTANDING and CREATING your own rules)
Ok, so you have Linux installed and maybe a few services running like FTP, WWW etc. Now you want to share your Internet connection. Not the easiest, but the most efficient, way to do so is to use the Linux machine as a firewall/server. Linux comes with a very powerful firewall built in. It is totally scriptable, but it's not the easiest to understand. What follows is (hopefully) a good yet simple guide to WHAT iptables does and HOW it works.
What we need to understand is how iptables works before we can start scripting. Once we get it down, scripting is easy: it's a simple shell script that can be written by anyone. IPTables and Netfilter are effectively the same thing; iptables is the program you use to administer the actual firewall. For simplicity we will call it iptables, but keep in mind the actual name of the software is netfilter.
UNDERSTANDING:
iptables is an IP filtering firewall that matches IP traffic against rules that you specify. The objective is to match traffic with specific groups of rules, called chains. You can have as many chains as you want, but notice that performance may take a hit on slow machines if you have a lot of complex filters.
We always want to start with defining the policies in IPTables. The policies are the default rules that are applied in case your traffic does NOT match any filters you have set. So if you want to allow only certain things in or out of your network and the default policies are set to DENY (DROP, in iptables terms), any traffic that is not allowed by any of your filters will be denied. This is called rule matching. The 3 policies that need to be set are: INPUT, FORWARD and OUTPUT.
The policies define the default action for the DEFAULT CHAINS, INPUT (traffic COMING TO the machine directly), OUTPUT (traffic GOING FROM the machine directly) and FORWARD (traffic COMING FROM or GOING TO a networked machine on the other side of the firewall). The 2 actions you can set in these policies are ACCEPT and DROP.
You can also define variables, which in this case means just a collection of ports or protocols, so that you don't have to write a new rule for each port you want to allow. In the case of a web/ftp-server you could make a variable which contains the ports 21, 22, 80 and 443 and refer to that variable instead of writing a separate line for each port. These variables can then be used later in a single line.
In order for you to direct traffic to pass through a certain filter/set you have to create the filter-set first, THEN direct the traffic. This makes sense, as you cannot direct something to some place that does not exist. So basically the main part of your script is detailing the filters and creating new chains (since the packets go through the rules as if they were following a chain), and at the end you direct the traffic from the default chains to your filter-set. You can be VERY granular as to what traffic you want to direct where, but be careful with complex scripts: it can get confusing. A good way is to first visualize what you are trying to do. As you can see in the picture, it's a simple diagram of a normal IPTables flow.
So, to summarize, to set up an IPTables script we must follow this structure:
- create the variables first
- set the default policies second
- write your filter chains third
- point your traffic to the chains
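As an added example (not part of the original post), here is a small script that follows the four steps above: variables, default policies, a user-defined filter chain, and finally the jump from INPUT to that chain. The interface name, LAN range and port list are assumptions chosen for illustration; the script prints the iptables commands it would run so you can review them before applying.

```shell
#!/bin/sh
# Added example following the tutorial's four-step structure (not the author's script).
# By default it only PRINTS the commands (dry run). To apply them for real, run as root:
#   IPT=iptables sh firewall.sh
IPT="${IPT:-echo iptables}"

# 1. Variables: one collection of ports so a single rule line serves all of them.
SERVER_TCP_PORTS="21 22 80 443"   # ftp, ssh, http, https
LAN_IF="eth1"                     # assumed LAN-side interface
LAN_NET="192.168.1.0/24"          # assumed LAN range (constructed example value)

generate_rules() {
    # Start from a clean slate so the script can be re-run safely.
    $IPT -F
    $IPT -X

    # 2. Default policies: anything that matches no rule below is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # 3. Filter chain: a user-defined chain SERVICES that accepts new connections
    #    to the listed ports. Everything else RETURNs to INPUT and hits the DROP policy.
    $IPT -N SERVICES
    for port in $SERVER_TCP_PORTS; do
        $IPT -A SERVICES -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A SERVICES -j RETURN

    # Housekeeping on INPUT: loopback and replies to connections we already allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 4. Point traffic at the chain: INPUT hands the remaining packets to SERVICES.
    $IPT -A INPUT -j SERVICES

    # FORWARD: let the LAN side out and let replies come back (NAT is not shown here).
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

generate_rules
```

Check the printed rules with `iptables -L -n -v` after applying them; the packet counters on the SERVICES chain show whether traffic is actually reaching it.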
This was definitely very helpful in explaining iptables. Per your script, though, how does iptables know what ports you're wanting to mess with?