Packet filtering is defined as the process of controlling network packets as they enter, move through & exit the network stack within the kernel.
In pre-2.4 Linux kernels ipchains was used; in 2.4 & later, iptables is used, which improved the scope & control of network packet filtering. With iptables we can implement a kernel-level Internet firewall using stateless & stateful packet filtering. It can be used for both IPv4 & IPv6. It is also used for NAT & masquerading for subnetting purposes.
Iptables comes with all Ubuntu-based distros & RedHat by default. Ubuntu 8.04 comes with ufw, a program for managing the iptables firewall easily.
So, how do we implement it?
The commands associated with iptables have a basic structure.
Code:
#iptables -t table [action] [direction] [packet pattern] -j [fate]
Table: filter (default)/nat/mangle
Actions (actions taken on the iptables rules)
-A for appending new rules
-D for deleting rules
-L for listing all the rules
-F for flushing (deleting) all the rules.
Packet Pattern: (indicates the origin or destination of the packet in the rules)
-s for Source IP address
-d for Destination IP address
Fate: (indicates the fate of packet after it matches with one of the rules)
DROP - the packet is refused access to the system and nothing is sent back to the host that sent the packet
ACCEPT - the packet skips the rest of the rule checks and is allowed to continue to its destination
REJECT - the packet is dropped, but an error packet is sent to the packet's originator.
QUEUE - the packet is queued to be passed to user-space
Explanation of tables:
netfilter (iptables) has three built-in tables or rule lists.
filter — default table for filtering network packets.
nat — table used to alter packets that create a new connection.
mangle — table used for specific types of packet alteration.
Each table has a group of built-in chains (direction) which correspond to the actions performed on a packet.
The built-in chains for the filter table are as follows:
INPUT — applies to packets received via a network interface
OUTPUT — applies to packets sent out via the same network interface which received the packets.
FORWARD — applies to packets received on one network interface and sent out on another.
The built-in chains for the nat table are as follows:
PREROUTING — alters packets received via a network interface when they arrive.
OUTPUT — alters locally-generated packets before they are routed via a network interface.
POSTROUTING — alters packets before they are sent out via a network interface.
The built-in chains for the mangle table are as follows:
PREROUTING — alters packets received via a network interface before they are routed.
OUTPUT — alters locally-generated packets before they are routed via a network interface.
Some basic iptables commands.
Displaying rules:- #iptables -L
Saving iptables:- #service iptables save
(the file is created at /etc/sysconfig/iptables on RedHat)
Backup & restore iptables
#iptables-save > filename
#iptables-restore < filename
Flush iptables (remove all rules):- #iptables -F
Listing iptables:- #iptables -L
#iptables -L -v
the latter gives greater detail.
(for further details on these commands, see the man page for iptables or run #man iptables)
The tutorial is continued in the next post.
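Putting the table, chain, pattern & fate pieces together, here is an added example (not from the original post) that generates a small stateful filter-table ruleset in the same format that iptables-save writes and iptables-restore reads, so every part of the structure above can be seen in one file. The SSH port and the output file name are assumptions you choose; loading the file needs root.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Build a minimal stateful firewall for the filter table:
#   - INPUT and FORWARD default to DROP, OUTPUT to ACCEPT (chain policies)
#   - allow loopback, allow replies to connections this host started
#   - allow new SSH connections on SSH_PORT (assumed placeholder, default 22)
#   - REJECT everything else so the sender gets an error instead of silence

SSH_PORT="${SSH_PORT:-22}"

# Print the ruleset in iptables-restore format. Each "-A" line is exactly the
# "[action] [direction] [packet pattern] -j [fate]" part of an iptables command.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Count the rules appended to a given chain (e.g. INPUT) in the generated set.
# "|| true" keeps the function's exit status 0 when the count is zero.
count_rules() {
    gen_rules | grep -c "^-A $1 " || true
}

# Write the ruleset to a file (assumed name, e.g. /tmp/rules.v4) and load it.
# Requires root; the same file can later be reloaded with iptables-restore.
load_rules() {
    gen_rules > "$1" && iptables-restore < "$1"
}
```

Run `gen_rules` alone to inspect the file before loading it; `iptables -L -v` afterwards shows the counters the [0:0] fields start at.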
Nice iptables basics video from Youtube