iptables

iptables is the command-line utility for configuring the Linux kernel's packet filter. Rules are organized into chains, each built-in chain has a default policy, and together they decide which traffic is accepted, dropped or handed elsewhere.

iptables is installed by default on most Linux distributions, although many current ones (Debian 10 and later, RHEL 8 and later, and their derivatives) ship it as a compatibility front end over nftables; iptables -V reports which back end (legacy or nf_tables) is in use. On Debian-based systems, install or update it with:

sudo apt-get install iptables

How iptables Works

The iptables firewall operates by comparing network traffic against a set of rules. The rules define the characteristics that a packet must have to match the rule, and the action that should be taken for matching packets.

There are many options to establish which packets match a specific rule. You can match the packet protocol type, the source or destination address or port, the interface that is being used, its relation to previous packets, etc.

When a packet matches a rule, the rule's target is applied. Some targets are terminating: ACCEPT, DROP and QUEUE end the packet's walk through the chain and, in a built-in chain, decide its fate, while RETURN ends the walk and hands the packet back to the chain that jumped here. A target can also be the name of a user-defined chain, in which case processing continues there, or a non-terminating action such as LOG, after which the packet goes on to the next rule.

  • ACCEPT lets the packet through.
  • DROP silently discards the packet; the sender gets no reply (REJECT, by contrast, discards it and sends back an ICMP error or TCP reset).
  • QUEUE hands the packet to a userspace program over the nfnetlink_queue interface (NFQUEUE is the newer form that lets you choose a queue number).
  • RETURN stops traversing this chain and resumes at the rule after the jump in the calling chain; in a built-in chain, where there is no caller, the chain's default policy applies.

These rules are organized into groups called chains. A chain is an ordered list of rules that a packet is checked against sequentially. When the packet matches a rule with a terminating target, that action is taken and the remaining rules in the chain are skipped; when it matches a rule with a non-terminating target such as LOG, the action is taken and the walk continues with the next rule.

A user can create chains as needed. The filter table, which iptables uses when no -t option is given, has three built-in chains:

  • INPUT: packets addressed to this host itself.
  • OUTPUT: packets generated by processes on this host.
  • FORWARD: packets that arrive on one interface and are routed on to another host. It is only traversed when the kernel is forwarding (net.ipv4.ip_forward=1), and it is where a host acting as a router or gateway filters the traffic it relays.

Other tables have their own built-in chains (for example PREROUTING and POSTROUTING in the nat and mangle tables), but the three above are where host filtering happens. Each chain can contain zero or more rules, and each built-in chain has a default policy, either ACCEPT or DROP. The policy decides what happens to a packet that falls through all of the rules in the chain without matching a terminating one. User-defined chains have no policy; a packet that reaches the end of one returns to the calling chain. The usual hardening pattern is a policy of DROP on INPUT with explicit ACCEPT rules for the services you expose; put the rule that accepts established connections in place before switching the policy, or you will cut off the SSH session you are working from.
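The chains, policies and targets described above, put together as one complete ruleset. This is an added example, not code from the original page: a POSIX shell script that emits a minimal stateful host firewall in iptables-restore format (the same format iptables-save writes) and loads it atomically, so the kernel never sees a half-applied ruleset. The interface name eth0, the SSH port 22, the chain name LOGDROP and the rate limits are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): a minimal stateful host firewall
# for the filter table, written in iptables-save/iptables-restore format so the
# whole ruleset is loaded atomically instead of rule by rule.
# Assumptions: the public interface is eth0 and SSH listens on 22/tcp; both
# can be overridden through the environment.
set -eu

WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"

# Print the ruleset. Built-in chains get a default policy; the user-defined
# chain LOGDROP has none ("-"), so a packet reaching its end would RETURN.
build_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Loopback traffic is always trusted.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, plus related traffic such as ICMP errors.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that conntrack cannot classify (malformed, out of window) are dropped early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New SSH connections on the public interface. The limit is global, not per
# source; it caps brute-force attempts at 6 new connections per minute.
-A INPUT -i ${WAN_IF} -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
# Anything else is handed to a user-defined chain.
-A INPUT -j LOGDROP
# LOG is non-terminating: after logging (rate-limited so an attacker cannot fill
# the log), the packet continues to the next rule, which drops it.
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Validate the ruleset (--test parses it without touching the kernel), then
# load it atomically. Needs root; run it from a console, or make sure the
# ESTABLISHED rule above covers your session, because the INPUT policy is DROP.
apply_rules() {
  build_rules | iptables-restore --test
  build_rules | iptables-restore
}

case "${1:-print}" in
  apply) apply_rules ;;
  *)     build_rules ;;
esac
```

Run it without arguments to review the generated ruleset, and with apply (as root) to load it. Because LOG is non-terminating, the order of the two LOGDROP rules matters: swap them and nothing is ever logged.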

iptables CLI

List the rules of the filter table with per-rule packet and byte counters (-v). Adding -n skips the reverse DNS lookups on addresses, which can make the listing hang, and --line-numbers shows each rule's position, which -D and -I take as an argument:

sudo iptables -L -v

Let's go over what each column means. With -v the listing starts with two extra columns, pkts and bytes, the counters of how much traffic each rule has matched, followed by:

  1. TARGET: What to do with matching traffic: a terminating action (ACCEPT, DROP), LOG, or the name of another chain to jump to
  2. PROT: Protocol, usually “tcp”, “udp”, “icmp” or “all”
  3. OPT: Option flags such as -f, which matches only the second and further fragments of a fragmented packet; “--” means none
  4. IN: Network interface the traffic arrived on, such as lo, eth0, eth1; “*” means any
  5. OUT: Network interface the traffic leaves on
  6. SOURCE: The source of the traffic: a hostname (or, with -n, the plain IP address), an address or a range of addresses; “anywhere” (0.0.0.0/0 with -n) matches everything
  7. DESTINATION: The destination address of the traffic, in the same form

Any extra match conditions (ports, connection state, rate limits) are printed after these columns. Rules are evaluated in order: the first rule with a terminating target that matches the packet decides what happens to it.

sudo iptables -S prints the current rules in the form of the iptables commands that would recreate them (the same format iptables-save uses), which is easier to read, grep and diff than the -L table. Without -t it shows the filter table only; add -t nat (or mangle, raw) to see the others.

sudo iptables -S
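The -S format is line-oriented and stable, which makes it the natural input for a quick audit. The following is an added example, not code from the original page: a POSIX shell script that reads an iptables -S listing and flags an INPUT chain that does not fail closed, plus every INPUT rule that ACCEPTs new traffic from any source. The sample listing is constructed rather than captured from a real host, and the function names and the definition of "open" are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): audit an `iptables -S` listing.
# Assumptions: the listing is the filter table (-S without -t), the sample
# below is constructed rather than captured, and "open" means an INPUT rule
# that ACCEPTs without a source restriction or a conntrack state match.
set -eu

# Constructed sample of `iptables -S` output for a host that was never locked down.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N LOGDROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6379 -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -j LOG --log-prefix "iptables-drop: "
-A LOGDROP -j DROP'

# chain_policy RULESET CHAIN: print the default policy of a built-in chain
# (the "-P CHAIN POLICY" line of -S output); empty for user-defined chains.
chain_policy() {
  printf '%s\n' "$1" | awk -v chain="$2" '$1 == "-P" && $2 == chain { print $3 }'
}

# open_accepts RULESET: print INPUT rules that ACCEPT from anywhere. Rules
# scoped to loopback, to a source (-s) or to existing connections (--ctstate)
# are skipped; what remains is the set of ports exposed to every peer.
open_accepts() {
  printf '%s\n' "$1" | awk '
    $1 == "-A" && $2 == "INPUT" && / -j ACCEPT$/ &&
    !/ -i lo / && !/ -s / && !/--ctstate/ { print }'
}

# audit RULESET: print findings; return 0 if clean, 1 if anything was flagged.
audit() {
  rc=0
  policy="$(chain_policy "$1" INPUT)"
  if [ "$policy" != "DROP" ]; then
    echo "FINDING: INPUT default policy is ${policy:-unset}, not DROP"
    rc=1
  fi
  exposed="$(open_accepts "$1")"
  if [ -n "$exposed" ]; then
    printf '%s\n' "$exposed" | sed 's/^/FINDING: reachable from any source: /'
    rc=1
  fi
  return "$rc"
}

# Audit the sample by default; with "-" as the argument, read a live listing
# from stdin:   sudo iptables -S | sh audit.sh -
if [ "${1:-}" = "-" ]; then
  audit "$(cat)" || echo "audit: issues found"
else
  audit "$SAMPLE_RULES" || echo "audit: issues found"
fi
```

On the sample the script reports the ACCEPT policy and the two world-reachable ports (22 and 6379); the MySQL rule passes because it is limited to 10.0.0.0/8. The checks are deliberately conservative: a rule that ACCEPTs from 0.0.0.0/0 explicitly with -s would slip past the -s filter, so treat the output as a starting point for review, not a verdict.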

Resources and further reading: