Friday, July 10, 2015

Intro to Packet Filtering and Iptables


iptables is an interface to Netfilter, which is kernel-level Linux firewall, allowing the administrator to add, remove, or modify packet filtering and NAT rules. These rules govern how different types of data are treated by the server, whether to accept, drop, and so on. Understanding how to setup and configure iptables is the first step to managing your Linux firewall.

The basic flow of a data packet hitting a Linux firewall is as follows:

Prerequisites: It helps to know a little bit about TCP/IP and Subnets and to ready my introductory guide to iptables. Also, since we're going to be setting up a local virtual machine, you should be familiar with Virtualbox and Vagrant. This guide was written for Mac OS X and Linux users.


  • Deny-everything-by-default-policy
  • Accept-everything-by-default-policy

As a safe practice, you should implement a "deny-everything-by-default" policy[1], meaning all incoming packets should ultimately be denied, unless they meet a condition set by one of your Rules. The caveat is that each service and related protocol transaction will need to be enabled explicitly. You also make it easier to fall victim to a denial of service attack, unless you set limits on the number of connections you allow over a certain interval.Accept-everything-by-default policies, on the other hand, open you up to malicious packets coming through so the punishment for not writing thorough rules is more severe.

With the right rules in place, we can circumvent certain attacks (Denial of Service, ping floods), source address spoofing, malformed broadcast packets used to identify UNIX systems, access to private LAN services, and accommodate for human error that could impact remote sites.

Basic Iptables Syntax

# flush all the firewall rules in the kernal
iptables --flush

# append to the input chain that is monitoring...
# ...all packets entering the network
iptables -A INPUT -i lo -j ACCEPT

# append to the input chain that is monitoring...
# ...all packets entering the network
iptables -A OUTPUT -o lo -j ACCEPT

# default-deny-everything
iptables --policy INPUT DROP

# deny everything going out
iptables --policy OUTPUT DROP

# drop packets being forwarded from one network interface card to another
iptables --policy FORWARD DROP

Let's break down one of these commands in order to gain a better understanding.

iptables    # tell iptables
-A INPUT    # to append to the input chain
-i lo       # all incoming packets on loopback
-j ACCEPT   # and accept by setting the target to ACCEPT

Take a look at the man page for iptables if you'd like to get a better understanding of all of these flags.


A Chain is zero or more rules that that a packet is sequentially checked against. Iptable's default Filter table comes with the following built-in chains:

  • INPUT - Packets coming into the server
  • OUTPUT - Packets generated locally, going out of the server
  • FORWARD - Packets routed through the local server for another NIC

You should also read into the NAT, Mangle, and Raw tables, and their built-in chains.


A target is simply a final policy decision for a packet. Let's recap on some of the targets we've just learned about, in addition to learning about some new ones.

  • ACCEPT - Allow the packet to go through
  • DROP - Drop the packet, silently
  • QUEUE - Pass the packet to the userspace
  • RETURN - Stop executing the next set of rules in the current chain for the packet and return control to the calline chain
  • REJECT - Drop the packet and return an icmp-port-unreachable error


No comments:

Post a Comment