IPTables & Mitigation

iptables tables, chains, rules and fundamentals

~~~~~~~~~~~~~~~~~

This article is part of an ongoing series of iptables tutorials.

References:

http://en.wikipedia.org/wiki/Iptables

http://en.wikipedia.org/wiki/Netfilter

http://linux.die.net/man/8/iptables

~~~~~~~~~~~~~~~~~

iptables is the user-space program used to configure the packet-filtering tables provided by the Linux kernel firewall (Netfilter), together with the chains and rules those tables hold.

iptables needs elevated privileges: it is normally run as root, since the CAP_NET_ADMIN capability is required to change the ruleset. iptables is modular (matches and targets are kernel modules loaded on demand), and it is used to manage packet filtering and Network Address Translation (NAT).

Netfilter is compiled into practically every distribution kernel. One way to check that it is present, and which iptables version is installed, is with the commands below (the rpm query is specific to RPM-based distributions such as RHEL/CentOS; on Debian/Ubuntu use `dpkg -l iptables` instead).

# grep CONFIG_NETFILTER= /boot/config-`uname -r`

CONFIG_NETFILTER=y

# rpm -qa | grep iptables
iptables-1.4.7-5.1.el6_2.x86_64
iptables-ipv6-1.4.7-5.1.el6_2.x86_64

# iptables -V
iptables v1.4.7


iptables is organised as tables; each table contains chains, and each chain contains an ordered list of rules. A rule is a set of match criteria applied to a packet, plus a target that says what to do with the packet when the criteria match.

So, the structure is: Iptables -> Tables -> Chains -> Rules

iptables itself is not a daemon: the rules live in the kernel and the iptables binary only changes them. On RHEL/CentOS 6 the init script loads and saves the ruleset, so it is controlled like a service:

# /etc/init.d/iptables --help
Usage: iptables {start|stop|restart|condrestart|status|panic|save}

Two of these deserve care. `stop` flushes every rule and resets the built-in chains to ACCEPT, so the host is unprotected until the rules are loaded again; `panic` does the opposite and sets every policy to DROP, which also cuts off the SSH session you issued it from.

Below are the options from the init script's configuration file, /etc/sysconfig/iptables-config. Rules added with the iptables command exist only in the kernel; they are written to /etc/sysconfig/iptables (the file the init script loads on start) when you run `service iptables save`, or automatically on stop/restart if IPTABLES_SAVE_ON_STOP or IPTABLES_SAVE_ON_RESTART is set to "yes". With the defaults shown, anything you add at run time is lost on the next restart unless you save it explicitly.

# grep IPTABLES /etc/sysconfig/iptables-config
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"

iptables 1.4.7 has the following four built-in tables (kernels from 2.6.34 add a fifth, security, used for SELinux mandatory-access-control marks):

filter: This is the default table (used when no -t option is given). It contains the built-in chains INPUT (for packets destined for local sockets), FORWARD (for packets being routed through the box) and OUTPUT (for locally generated packets).

nat: This table is consulted only for the first packet of a new connection; the translation it decides is then applied to the rest of that connection by connection tracking. It has three built-in chains: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally generated packets before routing) and POSTROUTING (for altering packets as they are about to go out). Kernels from 3.7 add an INPUT chain to this table as well.

mangle: This table is used for specialized packet alteration, such as setting marks or changing TTL and TOS fields. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally generated packets before routing). Since kernel 2.4.18 three more built-in chains are supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box) and POSTROUTING (for altering packets as they are about to go out).

raw: This table is used mainly to configure exemptions from connection tracking, in combination with the NOTRACK target. It registers at the netfilter hooks with a higher priority and is therefore consulted before connection tracking and before any other table. It provides two built-in chains: PREROUTING (for packets arriving via any network interface) and OUTPUT (for packets generated by local processes).

How iptables works:

Chains are processed from top to bottom. Each rule is checked against the packet in turn; if the packet does not match, the next rule is tried. If it matches, the rule's target (-j) decides what happens next: a terminating target such as ACCEPT, DROP or REJECT ends processing for that packet; a non-terminating target such as LOG acts on the packet and lets traversal continue with the next rule; a jump to a user-defined chain continues in that chain. A matching rule with no -j only updates the rule's packet and byte counters. If the packet reaches the bottom of a built-in chain (or hits a RETURN there), the chain's policy decides its fate. Built-in chains start with a policy of ACCEPT, which can be changed with `iptables -P`; user-defined chains have an implicit RETURN at the end, which cannot be changed, so traversal resumes in the calling chain at the rule after the jump.

General Tip:

Adding many rules increases CPU usage, most visibly on the INPUT chain: every rule a packet has to be tested against is extra overhead. Be as specific as possible when writing rules and write as few as possible. There is no fixed limit on the number of rules a chain can hold, and how many are acceptable varies with the server and its traffic, but the general rule is that more rules mean more overhead. Rule order matters for the same reason: a common pattern is to accept ESTABLISHED,RELATED traffic in the first rule of INPUT, so that packets of existing connections never walk the rest of the chain.

To view the filter table:

# iptables -t filter --list
(or)
# iptables --list

If you don't specify -t, the default filter table is shown, so the two commands are equivalent. Add -n to skip the reverse-DNS lookups that --list does for every address (they make the listing slow and send queries to the resolver), and -v --line-numbers to see packet/byte counters and rule numbers.

To view the mangle table:

# iptables -t mangle --list

To view the nat table:

# iptables -t nat --list

To view the raw table:

# iptables -t raw --list
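The --list output is meant for humans. For anything you want to process, `iptables-save` prints every table in a line-oriented format (`*table`, `:chain policy [counters]`, `-A chain ...`, `COMMIT`) that is easy to parse. The following checker is an added example, not code from the article or from the netfilter project: it reads that format, counts the rules in each chain, and flags the things a reviewer looks for first, such as built-in filter chains still at the ACCEPT policy described above. The dump it runs on is constructed for the example, not captured from a real host, and the KNOWN_TARGETS set is the checker's own assumption (real iptables accepts any loaded target extension).

```python
# Added example (not from the article): parse `iptables-save` output and audit
# it. SAMPLE_DUMP is constructed for the example, not a dump from a real host.
import re
from typing import Dict, List

# Targets that are not user-defined chains. Any other -j target is assumed
# (by this checker) to be a chain declared in the same table.
KNOWN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MASQUERADE",
                 "SNAT", "DNAT", "REDIRECT", "MARK", "NOTRACK", "QUEUE"}

SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.7 (constructed sample, not a real host)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:Sin-Check - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j Sin-Check
-A INPUT -p tcp -m tcp --dport 23
-A Sin-Check -s 10.0.0.0/24 -j ACCEPT
-A Sin-Check -j Geo-Check
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed
"""

Tables = Dict[str, Dict[str, dict]]   # table -> chain -> {"policy", "rules"}


def parse_save(text: str) -> Tables:
    """Build {table: {chain: {"policy": str, "rules": [rule text, ...]}}}.

    '*name' opens a table, ':chain policy [pkts:bytes]' declares a chain
    (policy '-' marks a user-defined chain), '-A chain ...' appends a rule
    and COMMIT closes the table.
    """
    tables: Tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):
            name, policy, _counters = line[1:].split(None, 2)
            tables[table][name] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):
            parts = line.split(None, 2)
            chain, rule = parts[1], parts[2] if len(parts) > 2 else ""
            if chain not in tables[table]:
                raise ValueError(f"{table}: rule for undeclared chain {chain}")
            tables[table][chain]["rules"].append(rule)
        elif line == "COMMIT":
            table = None
    return tables


def rule_counts(tables: Tables) -> Dict[str, int]:
    """Rules per chain, keyed 'table/chain' (long chains cost CPU per packet)."""
    return {f"{t}/{c}": len(ch["rules"])
            for t, chains in tables.items() for c, ch in chains.items()}


def audit(tables: Tables) -> List[str]:
    """Flag the things a reviewer checks first in a ruleset."""
    findings = []
    for tname, chains in tables.items():
        for cname, chain in chains.items():
            # The shipped default policy is ACCEPT; on INPUT and FORWARD in
            # the filter table that lets through anything not explicitly dropped.
            if (tname == "filter" and cname in ("INPUT", "FORWARD")
                    and chain["policy"] == "ACCEPT"):
                findings.append(f"{tname}/{cname}: policy ACCEPT")
            for num, rule in enumerate(chain["rules"], start=1):
                m = re.search(r"(?:^|\s)(?:-j|--jump)\s+(\S+)", rule)
                if m is None:
                    findings.append(f"{tname}/{cname}:{num}: no -j target, "
                                    "rule only counts packets")
                elif m.group(1) not in KNOWN_TARGETS and m.group(1) not in chains:
                    findings.append(f"{tname}/{cname}:{num}: jumps to "
                                    f"undeclared chain {m.group(1)}")
    return findings


if __name__ == "__main__":
    parsed = parse_save(SAMPLE_DUMP)
    for key, n in rule_counts(parsed).items():
        print(f"{key}: {n} rules")
    for finding in audit(parsed):
        print("FINDING:", finding)
```

Feed it a real dump with `iptables-save | python3 checker.py`-style plumbing by replacing SAMPLE_DUMP with `sys.stdin.read()`. A live `iptables-save` never emits a jump to an undeclared chain (the kernel rejects such rules), so that check only matters for hand-edited restore files; the ACCEPT-policy and missing-target checks apply to live rulesets as well.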

General Tip:
If for some reason you need many rules, create a new chain for them and send only the relevant traffic to it, so that unrelated packets skip those rules entirely.

Do the following to create a custom chain:

# iptables -N Sin-Check

Create rules in the Sin-Check chain:

#
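To make the traversal rules described under "How iptables works" concrete, and to show what sending only selected traffic into a user chain such as Sin-Check buys you, here is an added Python model of the filter table. It is not code from the article or from the netfilter project, and the ruleset it builds (a DROP policy on INPUT, SYN packets diverted into Sin-Check, a RETURN for 10.0.0.0/24, LOG then DROP for telnet) is hypothetical. The match lambdas stand in for iptables match extensions; the model keeps only the semantics the text describes: first match wins, ACCEPT/DROP/REJECT terminate, LOG does not, RETURN or running off the end of a user chain resumes in the caller, and the policy applies only at the bottom of a built-in chain.

```python
# Added example (not from the article): a small Python model of how the kernel
# walks the filter table's chains, to make rule order, jumps into a user chain
# and the chain policy easy to reason about. It is a model, not iptables.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # end processing for the packet

@dataclass
class Packet:                     # the header fields the rules below look at
    proto: str                    # "tcp", "udp", ...
    src: str                      # source IPv4 address
    dport: Optional[int] = None
    syn: bool = False             # SYN-only flag, what `--syn` matches
    in_iface: str = "eth0"        # what `-i` matches

@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: Optional[str]         # None models a rule written without -j
    text: str = ""                # iptables spelling of the rule, for the trace

@dataclass
class Chain:
    name: str
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None  # built-in chains only; None = user chain

class FilterTable:
    def __init__(self) -> None:
        self.chains: Dict[str, Chain] = {}

    def set_policy(self, chain: str, policy: str) -> None:         # iptables -P
        self.chains.setdefault(chain, Chain(chain)).policy = policy

    def new_chain(self, name: str) -> None:                         # iptables -N
        self.chains[name] = Chain(name)

    def append(self, chain, match, target, text="") -> None:        # iptables -A
        self.chains[chain].rules.append(Rule(match, target, text))

    def insert(self, chain, pos, match, target, text="") -> None:   # iptables -I
        self.chains[chain].rules.insert(pos - 1, Rule(match, target, text))

    def _walk(self, name: str, pkt: Packet, trace: List[str]) -> Optional[str]:
        chain = self.chains[name]
        for num, rule in enumerate(chain.rules, start=1):
            if not rule.match(pkt):
                continue                           # no match: try the next rule
            trace.append(f"{name}:{num} {rule.text}")
            target = rule.target
            if target is None:                     # no -j: only the counters change
                continue
            if target in TERMINATING:
                return target
            if target == "RETURN":                 # built-in chain: its policy;
                return chain.policy                # user chain: None = back to caller
            if target == "LOG":                    # non-terminating: keep walking
                trace.append(f"  LOG {pkt}")
                continue
            verdict = self._walk(target, pkt, trace)   # -j <user chain>
            if verdict is not None:
                return verdict
            # the user chain ran off its end (implicit RETURN): carry on here
        return chain.policy                        # bottom of the chain

    def verdict(self, chain: str, pkt: Packet) -> Tuple[Optional[str], List[str]]:
        """Fate of pkt entering a built-in chain, plus the rules it touched."""
        trace: List[str] = []
        return self._walk(chain, pkt, trace), trace

def build_example() -> FilterTable:
    """Hypothetical ruleset (not the article's); rule text is the iptables form."""
    t = FilterTable()
    t.set_policy("INPUT", "DROP")                                   # -P INPUT DROP
    t.new_chain("Sin-Check")                                        # -N Sin-Check
    t.append("INPUT", lambda p: p.in_iface == "lo", "ACCEPT", "-i lo -j ACCEPT")
    t.append("INPUT", lambda p: p.proto == "tcp" and p.syn, "Sin-Check",
             "-p tcp --syn -j Sin-Check")
    t.append("INPUT", lambda p: p.proto == "tcp" and p.dport == 22, "ACCEPT",
             "-p tcp --dport 22 -j ACCEPT")
    # startswith() stands in for a /24 prefix match; good enough for the model
    t.append("Sin-Check", lambda p: p.src.startswith("10.0.0."), "RETURN",
             "-s 10.0.0.0/24 -j RETURN")
    t.append("Sin-Check", lambda p: p.proto == "tcp" and p.dport == 23, "LOG",
             "-p tcp --dport 23 -j LOG")
    t.append("Sin-Check", lambda p: p.proto == "tcp" and p.dport == 23, "DROP",
             "-p tcp --dport 23 -j DROP")
    return t

if __name__ == "__main__":
    table = build_example()
    for pkt in (Packet("tcp", "10.0.0.5", 22, syn=True),      # RETURN, then ACCEPT
                Packet("tcp", "203.0.113.7", 23, syn=True),   # LOG, then DROP
                Packet("udp", "203.0.113.7", 53)):            # nothing matches: policy
        result, trace = table.verdict("INPUT", pkt)
        print(result, pkt, *trace, sep="\n  ")
```

Run it and compare the traces: the SYN from 10.0.0.5 hits RETURN in Sin-Check and is then accepted by INPUT rule 3; the telnet SYN is logged and then dropped inside Sin-Check; the UDP packet matches nothing and gets the INPUT policy. Non-SYN TCP packets never enter Sin-Check at all, which is the point of the tip above about sending only relevant traffic into a custom chain. insert() is there so you can add a rule at position 1 and watch the verdict of the port-22 packet change, which is the rule-order point made under the performance tip.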
