Netfilter : The actual filtering in a Linux box is done using Netfilter.
Iptables : is the tool used to create this filters.
Iptables maintain state-full firewall.
Ipchains does not maintain state-full firewall
The module ip_contract is needed to make iptables state-full. This modules get loaded automatically when certain arguments susch as -t nat, etc are used.
# modprobe ip_conntrack
This command manually add the module.
The file that maintains the session related date is /proc/net/ip_conntrack
The package to be installed to run iptables is iptables-xxxx.rpm
Linux host as a router
A linux host with two or more NICs, with iptables running on it can be used as a router. Refer figure on right.
If your host have two nic cards data will not be forwarded from one to another if the following is not done:
Enable IP forwarding permanently by editing the following in /etc/sysctl.conf
net.ipv4.ip_forward = 1
The command sysctl -p will reload sysctl.conf without rebooting the system.
Based on the above diagram, before ip_forward is enabled, the 192..168.0.x network will be able to ping only till 220.127.116.11. But later they will be able to ping the entire range of 80.0.x.x network
FORWARD chain: This is a filter that is used in a router that connects two networks so that packets could be filtered
INPUT chain: This filter will affect packets destined to itself.
OUTPUT chain: This filter will affect packets going out of itself.
# iptables -t filter -A FORWARD -s 192.168.0.0./24 -j DROP
By running this command the linux router will drop any packets that is coming from 192.168.0.x network
# iptables -t filter -L -n
This command lists the rules in iptables
# iptables -t filter -D FORWARD -s 192.168.0.0./24 -j DROP
The linux router will delete the previous entry.
# Iptables -t filter -F
Delete all entries in the tables table
# service iptables save
Save the iptables created
# iptables -t filter -A FORWARD -s 192.168.0.0/24 -d 18.104.22.168 -j DROP
Drop all the packets traveling from 192.168.0.x network to 22.214.171.124
# iptables -t filter -A FORWARD -s 192.168.0.0/24 -p tcp -j DROP
Drop all tcp packets from 192.168.0.x network
# iptables -t filter -A FORWARD -s 126.96.36.199/24 -p tcp -dport 23 -j REJECT
Reject all telnet packets from 192.168.0.0.24. Since the argument is REJECT, a message will be send to the source.
Order of entries in iptable
The order of entries in iptable matters a lot. When a packets passes through the firewall, it will be checked against the entries in firewall from top to bottom.
# iptables -t filter -I FORWARD 2 -s 192.168.0.10 -j DROP
Insert the rule as the second one in the list.
# iptables -t filter -L -n -line-numbers
To views the filters and their line number.
Click here to view notes on creatinging just the required IPTABLES rules from scratch
Network Adress Transulation (NAT)
There are two types of natting:
(a) SNAT : Source Network Address translation.
(b) DNAT : Destination Network Address translation.
SNAT is typically used in a proxy environment.
If the client 192.168.0.4 want to ping 188.8.131.52, its IP address should be nat�d to a public IP. Else 184.108.40.206 will not be able to send the acknowledgement back to 192.168.0.4
Once 192.168.0.4 tries to ping 220.127.116.11, the linux box will store few information in a separate table including the source port number (eg333) from 192.168.0.4 and its IP address.
Lets say 192.168.0.3 is also tries to ping 18.104.22.168 the same time. Here the source port used is 555.
The table stored in the linux box will look like
When the requests leaves the linux box the source IPs will be changed from their private to 22.214.171.124. Once the replies are on the way back, the linux box it will check the destination port number and from the above table it will find the correct destination.
In SNAT the address translation happens after the packets leave the linux box.
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT -to-source 126.96.36.199
All the IPs in the 192.168.0.x network will get translated to 188.8.131.52 once the packets leave the linux box
# iptables -t nat -A PREROUTING -- tcp -dport 80 -j DNAT -to-destination 192.168.0.2 Here if 184.108.40.206 tries http://220.127.116.11, the signal will reach 18.104.22.168