Firewalling with netfilter/iptables
By Barry O'Donovan
iptables is Linux's firewall which has been a part of the kernel since version 2.4. It is often referred to as a packet filter as it examines each packet transferred in every network connection to, from and within your computer. iptables replaced ipchains in the 2.4 kernel and added many new features including connection tracking (also known as stateful packet filtering). In this article we will use iptables to build simple but effective firewalls for the following scenarios using allow/disallow rules based on IP addresses, ports and states:
Rules, Targets, Chains, Tables, States and all that jazz
iptables makes decisions on what to do with a packet based on rules that the system administrator creates. Data is passed through the internet in the form of packets of information;
connecting from your computer to a website will cause many packets to
be exchanged in both directions. A rule specifies the criteria
necessary for a packet to match it. A decision is known as a
Rules are grouped into chains which in turn are contained in tables. There are three default tables which the packets may traverse; we are only concerned with one of these right now: the
The two other tables available by default are the
As I mentioned in the introduction, iptables is capable of stateful packet filtering. This means that we can create rules not only based on IPs and ports but also on whether a packet exists in any of the following states:
Creating and Storing Rules
Rules can be appended to the chains directly by using the
$ iptables -A INPUT -s 0/0 -d 22.214.171.124 -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPTwhere:
Note that in all of the following examples I am assuming that your
computer is connected to the internet through an ethernet card. Change
Obviously we do not want to set up the firewall manually everytime we
boot the computer. Most Linux distributions will give you the option of
having these rules loaded automatically at boot from a file; in fact
most distributions will come with a preconfigured firewall as standard.
The location of this file will vary from distribution to distribution
but it should be easily found by executing '
The essential elements of this file are:
1 # Firewall configuration 2 *filter 3 :INPUT <target> [0:0] 4 :FORWARD <target> [0:0] 5 :OUTPUT <target> [0:0] 6 7 # your rules here 8 9 COMMITListing 1 - The essential elements of an iptables file
Line 2 of this file tells iptables that the following rules apply to the
Each packet traverses the rules of the appropriate chain from the first to the last. If a packet matches a rule then it stops traversing the chain at that rule and its fate is decided by that rule's target. If the packet does not match any rule then its fate is the default target of its chain.
I would recommend using the following skeleton configuration for all your firewalls:
1 *filter 2 :INPUT DROP [0:0] 3 :FORWARD DROP [0:0] 4 :OUTPUT ACCEPT [0:0] 5 6 # allow local loopback connections 7 -A INPUT -i lo -j ACCEPT 8 9 # drop INVALID connections 10 -A INPUT -m state --state INVALID -j DROP 11 -A OUTPUT -m state --state INVALID -j DROP 12 -A FORWARD -m state --state INVALID -j DROP 13 14 # allow all established and related 15 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 16 17 # add anymore rules here 18 19 COMMITListing 2 - Reccommended skeleton configuration
I've set the default target for the
Line 7 tells iptables to allow all connections originating from
the local loopback network interface. This is used by many applications
to connect to local services and you must permit these connections.
Lines 10-12 drop all connections with a state of
Line 15 should be self explanatory - it allows all incoming established
or related connections through the firewall. For a connection to become
established or related it must first have had a state of
Scenario 1: Standard Home Computer
For the standard user using his/her home computer for internet browsing, e-mail, etc then the above firewall is all that is needed as it allows all connections out while preventing any connections that are not related.
For a more paranoid user that wants to control and log all outgoing connections we might use a firewall configuration such as the following:
1 *filter 2 :INPUT DROP [0:0] 3 :FORWARD DROP [0:0] 4 :OUTPUT DROP [0:0] 5 6 # allow local loopback connections 7 -A INPUT -i lo -j ACCEPT 8 9 # drop INVALID connections 10 -A INPUT -m state --state INVALID -j DROP 11 -A OUTPUT -m state --state INVALID -j DROP 12 -A FORWARD -m state --state INVALID -j DROP 13 14 # allow all established and related 15 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 16 -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 17 18 # allow connections to my ISP's DNS servers 19 -A OUTPUT -d 126.96.36.199 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT 20 -A OUTPUT -d 188.8.131.52 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT 21 22 # allow outgoing connections to web servers 23 -A OUTPUT -d 0/0 -m state --state NEW -p tcp --dport http -o eth0 -j ACCEPT 24 -A OUTPUT -m state --state NEW -p tcp --dport https -o eth0 -j ACCEPT 25 26 # allow outgoing mail connections to my ISP's SMTP and POP3 server only 27 -A OUTPUT -d 184.108.40.206 -m state --state NEW -p tcp --dport smtp -o eth0 -j ACCEPT 28 -A OUTPUT -d 220.127.116.11 -m state --state NEW -p tcp --dport pop3 -o eth0 -j ACCEPT 29 30 # log all other attempted out going connections 31 -A OUTPUT -o eth0 -j LOG 32 # default is to DROP out-going connections 33 34 COMMITListing 3 - Paranoid home user
This configuration denies all connections by
default and only allows those we explicitly define rules for. Line 16
adds a second rule based on the established or related rules for
outgoing connections. Just as with line 15, this is necessary as the
default rule of the
The first rules we have added (lines 19 and 20) are to allow outgoing
connections to your ISP's DNS server; I am assuming your ISP has a
primary and a secondary DNS server with IPs
The next two rules (lines 23 and 24) allow your internet
browser to connect to any website using both the normal and the
encrypted protocols. You'll notice that I have used http and https to
specify the ports here instead of 80 and 443. This makes the rules more
readable and you can substitute the service name for any port so long
as it appears in the file
Another standard operation that a home computer would be used for is
e-mailing. E-mailing requires two services: SMTP to send mail and POP3
(or IMAP in some cases) to receive mail. I have added a rule for each
of these (lines 27 and 28) where I am assuming that your ISP uses the
same server for both (
The final rule has a target we have not come across yet: the
If you use any other services, such as Jabber, IRC, file sharing
clients, etc, you will have to add rules for these also. Just follow
the above example. If you don't know what ports to open and you can't
find it in
Scenario 2: Home Network with a Single Connection
Most home users and small offices connect to the internet via a single dial-up, ISDN or broadband (DSL) connection. This scenario covers the problem: "I only have a single network connection, but I would like all my computers to have internet access. How is this possible?" The examples in this scenario will enable you to set up a home or office network using your networked computer as a gateway for your other computers.
My own situation is depicted in Figure 1; I have a single broadband connection with a static IP address (
The first issue is that every computer on the internet needs to be uniquely identifiable by an IP address. Irrespective of whether you have a dial-up or a broadband connection, you will only have been assigned one IP address. This can either be static (some broadband ISPs will allocate you a single IP that will not change) or dynamic (you will be assigned different IPs every time you reconnect to the network). When you send out a packet it includes the destination address and the source address. Although we can send a packet with any source address, only replies to ones with your source address will return to you.
Now we must assign an IP to every network interface on the network. In the case of
Let's begin with the firewall configuration:
1 *filter 2 :INPUT DROP [0:0] 3 :FORWARD DROP [0:0] 4 :OUTPUT DROP [0:0] 5 6 # allow local loopback connections 7 -A INPUT -i lo -j ACCEPT 8 9 # drop INVALID connections 10 -A INPUT -m state --state INVALID -j DROP 11 -A OUTPUT -m state --state INVALID -j DROP 12 -A FORWARD -m state --state INVALID -j DROP 13 14 # allow all established and related 15 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 16 -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 17 -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 18 19 # allow connections to my ISP's DNS servers 20 -A OUTPUT -d 18.104.22.168 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT 21 -A OUTPUT -d 22.214.171.124 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT 22 -A FORWARD -d 126.96.36.199 -m state --state NEW -p udp --dport 53 -i eth1 -o eth0 -j ACCEPT 23 -A FORWARD -d 188.8.131.52 -m state --state NEW -p udp --dport 53 -i eth1 -o eth0 -j ACCEPT 24 25 # allow outgoing connections to web servers 26 -A OUTPUT -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -j ACCEPT 27 -A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -i eth1 -j ACCEPT 28 29 # allow outgoing mail connections to my ISP's SMTP and POP3 server only 30 -A OUTPUT -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 -o eth0 -j ACCEPT 31 -A FORWARD -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 -o eth0 -j ACCEPT 32 33 # log all other attempted out going connections 34 -A OUTPUT -o eth0 -j LOG 35 -A FORWARD -j LOG 36 # default is to DROP out-going connections 37 38 COMMIT 39 40 *nat 41 42 # set up IP forwarding and nat 43 -A POSTROUTING -o eth0 -j SNAT --to 184.108.40.206 44 45 COMMITListing 4 - Home/office network with NAT
As well as demonstrating NAT, this example also introduces the use of the
Similarly, on lines 22,23,27,31 and 35, I have added in lines to allow
the same connections we were allowing previously to come from the
The iptables NAT-ing magic happens in the
What if you are using a dynamic IP? Simply change line 43 to:
Using the wireless network as depicted will also require setting the
This scenario will work just as well if your set-up is a more typical small office set-up as depicted in Figure 2.
In this case the networked computer is connected to a port on the switch or hub through
Required network settings for this configuration
To be able to access the internet using NAT a number of network
configuration settings are required by each computer; the DNS server(s)
IP address(es), the gateway IP, subnet mask and an IP address. For the
networked computer these will all be supplied by the ISP; let's assume
that the ISP provided the following:
The settings for each of the computers using NAT will then be:
Note that the gateway for the NAT-ed computers is the second network interface of the networked computer.
Scenario 3: Port forwarding
For the last scenario, let us imagine that instead of hosting your
web server on the firewall machine you want to host it on one of the
There are two types of NAT; source NAT (SNAT) and destination NAT (DNAT). Scenario 2 used SNAT where we altered the source address of the packets coming from our internal network. This scenario will use DNAT to change the destination address of packets coming into our networked machine from the internet.
This can be accomplished by adding one simple line (44) to our firewall:
40 *nat 41 42 # set up IP forwarding and nat 43 -A POSTROUTING -o eth0 -j SNAT --to 220.127.116.11 44 -A PREROUTING -i eth0 -p tcp -d 18.104.22.168 --dport 80 -j DNAT --to 192.168.0.3:8080 45 46 COMMITListing 5 - Port forwarding
Ensure you have enabled the kernel's IP forwarding when using the
One type of connection we did not cover was 'pings'. If you are running
a server it is generally a good idea to allow echo-requests pings
through the firewall using the following rule:
Lastly, a common misconception among many people is that a firewall is "the last line of defence". It is not. It is only the first line of defense in what should be a properly secured, configured and up-to-date machine.
This article is intended as introduction to iptables with practical and useful examples. It is nothing more and nothing less.
The best place for reading more on iptables and firewalling is the
iptables homepage. It contains many how-to documents and tutorials:
If you found this article interesting then you might be interested in looking up some of the other features of iptables:
Barry O'Donovan graduated from the National University of Ireland, Galway with a B.Sc. (Hons) in computer science and mathematics. He is currently completing a Ph.D. in computer science with the Information Hiding Laboratory, University College Dublin, Ireland in the area of audio watermarking.
Barry has been using Linux since 1997 and his current flavor of choice is Fedora Core. He is a member of the Irish Linux Users Group. Whenever he's not doing his Ph.D. he can usually be found in the local pub with friends or running in his local park.
Copyright © 2004, Barry
O'Donovan. Copying license http://www.opencontent.org/openpub/