User Tools

Site Tools



IPTables what is it ?

In linux, the filtrate of packages is controlled at level of kernel. Exist modules for the kernel that allow to define a system of rules to accept or to reject the packages or the communications that transfer through the system. These systems of rules conform what it is known like firewall or fire-resistant;

In other systems the firewall can be implemented in software and to be broken ties with the operating system, but in the case of linux, firewall can be mounted at level of kernel and it is not necessary to install an additional software that to be more exact software comes with reprogramacidores that create to holes.

In the previous versions of kernel 2.4.x, 2.2.x have existed another one module of security called IPCHAINS to be able to load firewalls counted on the same functions that now count the module IPTABLES. The difference of IPTABLES it has been reinforced with a different declaration when denying accesses to the server.

But IPChains do not exist anymore in the news versions of the Kernel.


Declares the rules to be able that firewalll has a greater exactitude in his ports of services that it wants to offer or to deny.

In order to begin we will clarify, definitions of commands, and definitions of interface.

INPUT   \_________   Inputs from 
OUTPUT  /            the rules.

Aplication in command:

 | DROP   | ACCEPT     | <Declaration of the rules. OBSERVATION: In some old versions the Kernel 2.4 have used IPCHAINS
 | REJECT | MASQUERADE | for Denying, was declared as: [ DENY ]  
 | LOG    |            | Today that does not exist, now will define in IPTABLES as DROP.


 eth0 \___ Interface of Net Board "etho" The Main, "eth1" Secondary.               \
 eth1 /                                                                             \_____ Interfazes de Internet.
 ppp0 \___ Interface of Modem dialup(Telephone) "ppp0" Principal "ppp1" Secondary.  /
 ppp1 /                                                                            /


 :: -A  ->> Add a Rule          ::  
 :: -L  ->> List of the Rules   ::  
 :: -F  ->> Flush of the Rules  ::  
 :: -D  ->> Delete the Rules    ::  

Rule Input's:

.: -i (A)   ->> Interface of connections to Internet. like (eth0,ppp0,etc.)                                              :.
.: -s       ->> Access to Address of IP. ( <- These IP define the access to whatever remote IP to your server. :.
.: -p       ->> Type of port (TCP ó UDP) Preference (TCP) <- The port of access to your protocol to Internet.            :.
.: -j       ->> Declaration of Rules ex. (-j ACCEPT) <- Accept the rule that you are declaring.                          :.
.: --dport  ->> Number or Name of port from destiny. <- These define because port you could filtrate to the Server.      :.      
.: --sport  ->> Number or Name of port from origin. <- These define because port your offer your remote service.         :.

 : -i ->> In-Interface. example. " -i eth0 "                   :
 : -o ->> Out-Interface. example. " -o eth0 "                  :
 : Note:                                                       :
 : -i ->> It is used with the rules Input and FORWARD.         :
 : -o ->> It is used with the rules Output and FORWARD.        :

These are the Declarations of IPTABLES, Interface of Internet.

I believe that if some doubt has left here we will remove them remarkably, With the following examples where we will apply, the Declarations of the Rules of IPTABLES and the Interfaces of Internet.

Analyzing the syntax

//Offering 80, Apache Server (http):
 /sbin/iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
      |             |        |       |        |         |
 /sbin/iptables -A OUTPUT -i eth0 -p tcp --dport 80 -j ACCEPT
      |             |        |       |        |         |------------ Declaration of the rule. (In this case "Accept").
      |             |        |       |        |---------------------- Numer of port. --sport(de Origin), 
      |             |        |       |        |                       --dport(Destiny), 80 (Apache Server)
      |             |        |       |------------------------------- Type of port. (TCP <- Potocol of Internet)
      |             |        |--------------------------------------- Type of interface. (Net Board) ( -i <- Input )
      |             |------------------------------------------------ Added rule of input. (INPUT),(OUTPUT)
      |-------------------------------------------------------------- Iptable command.
      |             |        |       
      |             |        |       
      |             |        |       
 /sbin/iptables -A INPUT -i eth0 -s -p TCP --dport 25 -j ACCEPT
      |             |                      |            |      |         |
 /sbin/iptables -A INPUT -i eth0 -s       -p TCP --dport 25 -j DROP
 ^                                         |            |      |         |---------- Declaration of the rule. (In this case DROP.
 |                                         |            |      |                     whatever IP.)
 |                                         |            |      |-------------------- Destiny of port, 25 (Sendmail)
 |                                         |            |--------------------------- Type of protocol.
 |                                         |---------------------------------------- IP Numeric of the server from destiny.
 |                                         |-Restricts. whaever any user. ( -s ) Specific Ip.
 |//Access port to 25, Send mail (smtp)           

Will deny port 80 and save the log:

/sbin/iptables -A INPUT -i eth0 -s -p TCP --dport www -j LOG --log-prefix "IPTablesFW>" 
                                                                     |    |- Save the log.
                                                                     |------ Declaration of the Log.

/sbin/iptables -A INPUT -i eth0 -s -p TCP --dport www -j DROP
                                                                     |------ Declaration denying.

Acces to port 22, Secure Shell (ssh):

/sbin/iptables -A INPUT -i eth0 -s -p tcp --dport 22 -j ACCEPT

/sbin/iptables -A INPUT -i eth0 -s -p tcp --sport 22 -j ACCEPT

Offering FTP - To be able acces to users.

/sbin/iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

Ftp active.

/sbin/iptables -A INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

Ftp pasive

/sbin/iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
                                                 |               |                  |        |                   
/sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
                                                 |               |                 |         |                          |--- Accept
                                                 |               |                 |         |----- Etablished and uptade
                                                 |               |                 |----- Declare stable
                                                 |               |- Defined ports, of Origin and Destiny.
                                                 |-- Port defined of Input and Output.


Will to save log of all the forward

/sbin/iptables -A FORWARD -j LOG

We should load a module to the Forward

 modprobe ip_nat_ftp

General norm of FORWARDS

/sbin/ptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

/sbin/iptables -t nat -A POSTROUTING -o eth1 -s -j MASQUERADE

IPTables is an application very used by the users of GNU/Linux, with own knowledge since this application this constituted with the intention of which the operator of the system, assures his servant with his trustworthiness and ample knowledge on ports, protocols and devices of network.

After the operator has these applied conociemientos affluent, he will be able to leak, to deny, to offer, to close, to redirect, to record all its ports of entered and exit of the servant. in absence of these knowledge the operator will have to resort to the famous calls firewalls and netfilters, to be able to control to if his servant on a basica barrier of security in the system.


Port 8080 –> 80 –>

iptables -t nat -A OUTPUT -d -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -d -p tcp --dport 80 -j REDIRECT --to-ports 8080


These handbook it is made with examples verified in Debian GNU/Linux.

Jesus Lugo 2005/11/17 10:09

handbook/handbook/iptables.txt · Last modified: 2010/04/15 21:18 (external edit)