🌐 🇵🇱 Polski · 🇬🇧 EN
Iptables is a packet filtering control program used primarily as a firewall or for NAT. The project homepage is www.netfilter.org. Linux traditionally includes only a limited form of Network Address Translation (NAT), which is more accurately described as Port Address Translation (PAT). Instead of using ranges of IP addresses, as in a true NAT implementation, PAT forwards all connections to a single address. However, the details and differences are not of major importance here. The iptables program implements not only NAT, but also enables packet filtering. Earlier versions of Linux had this somewhat disorganized, but since the introduction of iptables, clearer distinctions have emerged between NAT and the packet filtering function.
Traditionally, a firewall is configured between a LAN and an external network such as the internet. However, security policies may require every system to have a firewall running. RHEL6 includes a firewall in every default configuration. The best firewall is at the layer where packets can be filtered, e.g., using the iptables tool. Packet traffic control covers their path from source to destination in a TCP network.
Linux uses the TCP/IP protocol for network communication. Different protocols use specific ports, and there are default protocols defined in the /etc/services file. To properly use the iptables tool, we must know which service listens on which port. Below is a list of commonly used services along with their listening ports. Remember that some of these ports may use one or more communication protocols such as TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and ICMP (Internet Control Message Protocol). Information about which service is associated with which port can be found in the /etc/services file. For example, an FTP server can communicate in two ways, using both TCP and UDP.
ftp 21/tcp
ftp 21/udp
Basic services and their communication ports
- 21 - FTP
- 22 - Secure SHell (SSH)
- 23 - Telnet
- 25 - Simple Mail Transfer Protocol (SMTP) Postfix, Sendmail
- 53 - Domain Name Service servers
- 80 - Hypertext Transfer Protocol (HTTP)
- 88 - Kerberos
- 110 - Post Office Protocol, version 3 (POP3)
- 139 - NetBios
- 143 - Internet Mail Access Protocol (IMAP)
- 443 - HTTP, secure (HTTPS)
IPTABLES
The philosophy behind iptables is "chains," which contain sets of rules for every network packet to which they are assigned. Each rule does two things: it defines the conditions a packet must meet and the actions to be taken if the packet matches those conditions.
Iptables uses a simple command format:
iptables -t tabletype <action_direction> <packet_pattern> -j <what_to_do>
Let's analyze this command step by step. The first switch is -t tabletype. We have two basic tabletype options in iptables:
- filter Sets the rule for packet filtering
- nat Configures Network Address Translation
By default, filtering does not need to be specified in -t tabletype because iptables assumes the command contains a rule for a packet. Next, we have the <action_direction> where the four basic actions included in the iptables tool are found:
- -A (--append) Appends a rule to the end of the chain
- -D (--delete) Deletes a rule from the chain
- -L (--list) Lists currently configured rules in the chain
- -F (--flush) Flushes all rules in the current iptables chain
If we are adding or removing something from a chain, we should confirm the direction for data moving through the network using one of three guidelines:
- INPUT All incoming packets will be checked against the chain's rules
- OUTPUT All outgoing packets will be checked against the chain's rules
- FORWARD All packets to be forwarded to another host will be checked against the rules contained in iptables.
Usually, all these directives are the names of the given chains.
Next, we must configure the <packet_pattern>. All iptables firewalls check every packet against a pattern. A simple pattern can be an IP address:
- -s IP_address All packets will be checked for the address they were sent from
- -d IP_address All packets will be checked for the IP address they are heading to
The packet pattern can be more complex. In TCP/IP, packets are transmitted using TCP, UDP, or ICMP protocols. We can set the protocol with the -p switch for the destination port. For example: -p tcp --dport 80 is an extension affecting external network users trying to use the HTTP protocol.
If the iptables command matches a packet against a pattern and it is correct, we need to know what to do with such a packet. This constitutes the final option of the command -j <what_to_do>. The basic options are as follows:
- DROP The packet is dropped. No message is sent in response
- REJECT The packet is dropped. An error message is sent back.
- ACCEPT The packet is allowed to pass, performing the action -A: INPUT, OUTPUT, or FORWARD
Let's look at a few examples of how to configure a firewall using iptables commands. The first step is always to check the current configuration using the command:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
If iptables has been correctly configured, we should see chains in three different categories: INPUT, FORWARD, and OUTPUT.
![]() |
| Iptables operation diagram - source Redhat.com |
Keeping the firewall running.
The Linux firewall is based on the iptables tool and a service of the same name. By reviewing the current rules we displayed with the # iptables -L command, we can infer that a clean, empty list of rules looks like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
If the iptables service is not running, you should ensure it can be started and that it will start after a system reboot. The following commands will be useful:
# /etc/init.d/iptables start
# chkconfig iptables on
The rules the firewall in RedHat is based on are located in the /etc/sysconfig/iptables file.
# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
Default firewall settings in RHEL 6
We previously displayed the default settings using the # iptables -L command, and we know that firewall rules are divided into three categories (INPUT, FORWARD, OUTPUT). The information is in six columns containing iptables tool options. What we displayed is based on the rule chains saved in the /etc/sysconfig/iptables file. The first line indicates that these are filtering rules. Alternatively, they could be rules defining NAT.
*filter
Next, network traffic to the local system intended to be forwarded is normally accepted, which is set by the ACCEPT option.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
Some professional security guidelines from the U.S. National Security Agency suggest changing the ACCEPT option to DROP for the INPUT and FORWARD lines. This configuration method applies to the RedHat Enterprise Security Network level in the RH333 course; here we are dealing with RHCE.
[0:0] is a byte and packet counter, and the starting position in this case is 0. These lines allow for the entry of iptables commands. Each option and switch is also described on the system's man pages.
The following lines keep current network communication running. The ESTABLISHED option continues to accept packets for an existing connection. The RELATED option accepts packets for transmission through a network such as FTP.
-A INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT
Next, we accept packets traveling via the ICMP protocol.
-A INPUT -p icmp -j ACCEPT
Then we configure acceptance for connections via the loopback interface and eth interfaces
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
The following lines define matching for packets sent via a new connection using the TCP protocol to the destination port number 22. Packets meeting all criteria will be accepted.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
The last two rules for all other packets send the information contained in icmp-host-prohibited:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
The end of the rule chain entries closes with the COMMIT tag
Popular services and their ports requiring iptables firewall configuration
Amanda Backup Client
The client included in the Advanced Maryland Automatic Network Disc Archiver (AMANDA) requires UDP protocol configuration on port 10080
Bacula
The Open Source backup server requires TCP configuration on ports 9101, 9102, and 9103
Bacula Client
The Bacula backup server client requires TCP port 9102 configuration
DNS
The Domain Name Service requires UDP and TCP protocol configuration on port 53
FTP
The File Transfer Protocol server uses TCP port 21 for operation
IMAP
IMAP without SSL usually uses TCP port 993
IPsec
UDP port 500
Mail (SMTP)
Simple Mail Transport Protocol - sendmail, postfix requires TCP 25
Multicast DNS (mDNS)
UDP port 5353
NFS4
TCP port 2049
Network Printing Client
By default, the print client requires UDP port 631
Network Printing Server
The print server is usually configured on TCP and UDP 631
Open VPN
Virtual Private Network (Open source) UDP port 1194
POP3 without SSL
Usually, TCP port 995 is used here
RADIUS
UDP port 1812 and 1813
RedHat Cluster Suite
TCP port 11111 and 21064, UDP 5404 and 5405
Samba
Communication protocol used for communicating with Microsoft networks configured on TCP port 139 and 445, and UDP 137 and 138
Samba Client
Client for communicating with Microsoft networks, UDP protocol ports 137 and 138
Secure WWW (HTTPS)
Communication with a secure web server, TCP port 443
SSH
The SSH server uses TCP port 22
TFTP server and client
Communication with the Trivial File Transfer Protocol takes place via TCP port 69
Virtual Machine Management (KVM)
Remote access takes place using TCP port 16509
WWW (HTTP)
Standard web server port, TCP port 80
Graphical configuration tools for the network firewall
In RedHat, we also have tools with a graphical interface available for configuring the iptables network firewall. To launch them from the console, we issue the command:
system-config-firewall-tui
The tool allows for easily enabling or disabling the firewall for a given service or setting up Forward.
LINKS
- http://www.sebool.net/index.php/firewall-iptables.html
- http://wiki.centos.org/HowTos/Network/IPTables
- http://www.linuxhomenetworking.com/ - using iptables
- Linux - RHCE - SSH - Access control




Comments