IPtables in action!

Lee Wei
2 min read · May 26, 2021


$ man iptables
iptables - administration tool for IPv4/IPv6 packet filtering and NAT

Yep! This post is a learning note covering some basic usage of iptables. In short, iptables looks at every network packet that reaches the machine and decides what to do with it, based on the rules we set.

TL;DR

I found this awesome iptables cheat sheet. 😂

Incoming packets destined for the local system: PREROUTING -> INPUT
Incoming packets destined to another host: PREROUTING -> FORWARD -> POSTROUTING
Locally generated packets: OUTPUT -> POSTROUTING

Tables

Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules which can match a set of packets.

Filter (default table)

The filter table is the default table for iptables and is responsible for packet filtering. Its built-in chains can be seen in the following listing:

$ sudo iptables -L        (the table option -t filter is the default)
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
  • INPUT: the rules in this chain will control the received packet.
// Allow incoming SSH connection request
-i: interface that receives the packet
-p: protocol
--dport: destination port
-m: we use the 'state' module in this example
--state: specifying state
-j: target for rule
$ iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  • OUTPUT: controls the packet for outbound traffic.
// Allow established SSH connection response
--sport: source port
$ iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
  • FORWARD: controls the packet that is routed through this server.

NAT

NAT table is responsible for Network Address Translation. The following is the built-in chain:

  • PREROUTING: the first place where packets can be altered, before the routing decision is made.
// All packets arriving for 10.10.20.123 on TCP port 80 have their destination rewritten, so they leave the router with the destination 10.10.14.2
$ iptables -t nat -A PREROUTING -p tcp -d 10.10.20.123 --dport 80 -j DNAT --to-destination 10.10.14.2
  • POSTROUTING: altering packets just before they are sent out.
// MASQUERADE is a target that is only valid in POSTROUTING. If the current machine has a static external IP, use SNAT instead and specify the source IP address for the packet explicitly.
$ iptables -t nat -A POSTROUTING -s 192.168.1.5 -o eth0 -j MASQUERADE
  • OUTPUT: altering locally-generated packets before routing
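The filter and NAT rules above, combined into one small default-deny baseline as an added example (this is not code from the original post). It assumes eth0 is the external interface and reuses the post's 10.10.20.123 / 10.10.14.2 addresses; the point it adds is that once FORWARD defaults to DROP, the DNAT port forward only works together with a matching FORWARD rule. Set IPT=echo to preview the rules without touching the kernel.

```shell
#!/bin/sh
# Added example, not from the original post. Interface and addresses are assumptions.
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
PUBLIC_IP="${PUBLIC_IP:-10.10.20.123}"   # address from the post's DNAT example
WEB_HOST="${WEB_HOST:-10.10.14.2}"       # internal web server from the post's DNAT example

# filter table: drop inbound and forwarded traffic by default, let conntrack admit
# replies, then open only SSH for NEW connections. One ESTABLISHED,RELATED rule on
# INPUT replaces the per-port ESTABLISHED rules in both directions shown in the post.
apply_baseline() {
  "$IPT" -P INPUT DROP
  "$IPT" -P FORWARD DROP
  "$IPT" -P OUTPUT ACCEPT
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# nat table: PREROUTING rewrites the destination before the routing decision, so the
# packet then traverses FORWARD already carrying WEB_HOST as its destination. With the
# FORWARD policy set to DROP, the FORWARD rule below is mandatory; without it the DNAT
# silently blackholes the connection.
apply_port_forward() {
  "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUBLIC_IP" --dport 80 \
    -j DNAT --to-destination "$WEB_HOST"
  "$IPT" -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_HOST" --dport 80 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Replies from WEB_HOST are un-NATed by conntrack automatically; MASQUERADE is for
  # the internal hosts' own outbound traffic leaving via WAN_IF.
  "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Only apply when explicitly asked (needs root); sourcing the file changes nothing.
if [ "${1:-}" = "apply" ]; then
  apply_baseline && apply_port_forward
fi
```

Forwarding between interfaces additionally requires net.ipv4.ip_forward=1, which this script does not set.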

Mangle

Mangle is used to modify or mark packets. The mark is stored on the sk_buff (the socket buffer, the kernel structure that holds the packet data) and not in the packet itself, so it only has meaning within the same Linux machine.

There are also the raw and security tables, but I don’t think I will be using these two in the short term, so I’ll just leave them for now. 🤟

