A Deep Dive into Iptables: From Zero to Hero in One Blog Series

What is iptables?

Iptables is a command-line utility for configuring the firewall rules of the kernel’s netfilter framework. It allows system administrators to filter and manipulate incoming, outgoing, and forwarded network packets based on various criteria such as IP addresses, ports, protocols, and packet states.

Iptables explained to a 5-year-old

Imagine that you have a toy box with different sections for different types of toys, like dolls in one section, cars in another, and blocks in a third.

Iptable chains are kind of like these different sections. When a new toy comes into your toy box, you look at it and decide which section it belongs in. Each section has its own set of rules for what toys are allowed in that section.

Iptables does the same thing for network traffic that comes into or leaves your computer. When a network packet comes in, iptables looks at it and decides which chain it belongs in. There are three default chains: INPUT (for incoming traffic), OUTPUT (for outgoing traffic), and FORWARD (for traffic that is just passing through).

Each chain has its own set of rules for which packets are allowed and which ones are blocked. If a packet meets the rules for a chain, it’s allowed to go through, but if it doesn’t meet the rules, iptables won’t let it pass.

So, iptables chains are like different sections in your toy box, each with its own set of rules for what toys are allowed. With iptables, you can set up rules to control which types of network traffic are allowed in or out of your computer, helping to keep it safe and secure.

Iptables Chains

Chains are ordered lists of rules that are applied to network packets as they flow through the Linux kernel’s netfilter framework.

The built-in chains in iptables are:

  • PREROUTING: This chain is applied to incoming packets before they are routed to the destination, and is often used to modify the packets’ destination IP addresses or ports.
  • INPUT: This chain applies to incoming packets that are destined for the Linux system itself.
  • OUTPUT: This chain applies to outgoing packets that originate from the Linux system.
  • POSTROUTING: This chain is applied to outgoing packets after they are routed, and is often used to modify the packets’ source IP addresses or ports.
  • FORWARD: This chain applies to packets that are being forwarded by the Linux system to another device on the network — basically this is for packets that reach your system somehow but were not sent to you directly.

Each chain contains a series of rules that determine what should be done with the packet. For example, a rule might specify that a packet with a certain source IP address should be dropped, or that a packet with a certain destination port should be allowed to pass through. The rules are evaluated in order, and the first rule that matches the packet determines what action should be taken.

Here’s a diagram that covers incoming and outgoing packet flow through various chains.

PREROUTING and POSTROUTING chains are not included in this diagram, but:

  • PREROUTING chain comes before the INPUT chain
  • POSTROUTING chain comes after the OUTPUT chain

Let's Dive right in

Now that we are clear on the theory part — let’s work through some examples.

Example: Block incoming traffic from a specific IP address

sudo iptables -A INPUT -s 15.15.15.51 -j DROP

This appends (-A) a new rule to the end of the INPUT chain, which is used for incoming traffic to the local system. Because the rule is appended, it only takes effect for packets that no earlier rule in the chain has already accepted.

This rule will block all incoming traffic coming from 15.15.15.51.

Example: Forward incoming traffic to another IP address

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80

This command adds a rule to the PREROUTING chain of the nat table that forwards incoming traffic on TCP port 80 to the private IP address 192.168.1.10, which is hosting a web server. This is useful for making a web server accessible from the public internet. Note that the rewritten packets are then forwarded rather than delivered locally, so the FORWARD chain must allow them and IP forwarding must be enabled on the system for this to work.

Example: Block outgoing traffic to a specific port

sudo iptables -A OUTPUT -p tcp --dport 25 -j DROP

This command adds a rule to the OUTPUT chain that blocks outgoing traffic on TCP port 25 (SMTP), which is commonly used for email traffic. This is useful for preventing malware or spam bots from sending email from the Linux system.

Example: Block all incoming traffic except Web and SSH

# Allow traffic on ports 22, 80 and 443
sudo iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT

# Drop all incoming traffic
sudo iptables -A INPUT -j DROP

# Sequence matters. If you swap the rules, the catch-all DROP matches every
# packet first and you won't receive any traffic at all.
# Note that this ruleset also drops replies to connections the host itself
# opens (their destination port is an ephemeral port, not 22, 80 or 443);
# a rule accepting the ESTABLISHED,RELATED connection-tracking states,
# placed before the DROP, is the usual remedy.
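To make the first-match rule concrete, here is a small Python model, added for this post and not part of iptables or the original text, that parses the INPUT-chain commands above and evaluates constructed sample packets against them in order; it shows why the catch-all DROP must come last. It understands only -s, -p, --dport/--dports and -j, which is all these examples use.

```python
"""Minimal first-match-wins evaluator for the INPUT-chain rules shown above.
Constructed model for illustration, not iptables itself."""
import shlex


def parse_rule(spec):
    """Turn an 'iptables -A INPUT ...' line into a dict of match criteria."""
    args = shlex.split(spec)
    rule = {"chain": None, "src": None, "proto": None, "dports": None, "target": None}
    i = 0
    while i < len(args):
        a = args[i]
        if a == "-A":
            rule["chain"] = args[i + 1]; i += 2
        elif a == "-s":
            rule["src"] = args[i + 1]; i += 2
        elif a == "-p":
            rule["proto"] = args[i + 1]; i += 2
        elif a in ("--dport", "--dports"):
            rule["dports"] = {int(p) for p in args[i + 1].split(",")}; i += 2
        elif a == "-j":
            rule["target"] = args[i + 1]; i += 2
        else:
            i += 1  # sudo, iptables, -m multiport: no effect on matching here
    return rule


def matches(rule, pkt):
    """A criterion that is unset (None) matches anything, like an omitted option."""
    return ((rule["src"] is None or rule["src"] == pkt["src"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dports"] is None or pkt["dport"] in rule["dports"]))


def evaluate(rules, pkt, chain="INPUT", policy="ACCEPT"):
    """Walk the chain in order; the first matching rule decides. No match -> chain policy."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["target"]
    return policy


# Constructed sample packets: an SSH connection and a request to port 8080.
SSH = {"src": "203.0.113.7", "proto": "tcp", "dport": 22}
OTHER = {"src": "203.0.113.7", "proto": "tcp", "dport": 8080}
GOOD = [parse_rule("sudo iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT"),
        parse_rule("sudo iptables -A INPUT -j DROP")]
SWAPPED = GOOD[::-1]  # DROP first: nothing ever reaches the ACCEPT rule


def demo():
    return {"good_ssh": evaluate(GOOD, SSH), "good_other": evaluate(GOOD, OTHER),
            "swapped_ssh": evaluate(SWAPPED, SSH)}
```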

Iptables and NAT

Network Address Translation (NAT) is a technique used to allow multiple devices on a private network to share a single public IP address. NAT works by changing the source IP address of outgoing traffic to the public IP address of the router, and keeping track of the source IP address and port number of each incoming connection so that it can route the traffic back to the correct device on the private network.

By using iptables to implement NAT, you can configure your network to allow multiple devices on a private network to share a single public IP address, while also controlling incoming and outgoing traffic.
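As an added illustration, not netfilter's own code, the following Python model mimics the bookkeeping just described: it rewrites outgoing private sources to one constructed public address, remembers each flow, maps replies back to the right private host, and returns None (drop) for inbound packets that no outgoing flow opened. All addresses and ports are constructed sample values.

```python
"""Toy model of source NAT with connection tracking. Constructed example,
not netfilter code; the port-selection rule is a simplification."""

PUBLIC_IP = "198.51.100.1"  # constructed public address of the router


class Nat:
    def __init__(self, public_ip=PUBLIC_IP):
        self.public_ip = public_ip
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.flows = {}

    def _free_port(self, wanted, remote):
        # Keep the original source port unless another flow to the same remote
        # already uses it, then take the next free one.
        port = wanted
        while (port, *remote) in self.flows:
            port += 1
        return port

    def outbound(self, pkt):
        """Rewrite a private packet's source to the public address (SNAT)."""
        remote = (pkt["dst"], pkt["dport"])
        for key, owner in self.flows.items():  # reuse an existing mapping
            if key[1:] == remote and owner == (pkt["src"], pkt["sport"]):
                port = key[0]
                break
        else:
            port = self._free_port(pkt["sport"], remote)
            self.flows[(port, *remote)] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt):
        """Map a reply to the public IP back to its private host; None if no flow."""
        if pkt["dst"] != self.public_ip:
            return None
        owner = self.flows.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if owner is None:
            return None  # no outgoing flow opened this: unsolicited, dropped
        return dict(pkt, dst=owner[0], dport=owner[1])


def demo():
    nat = Nat()
    a = nat.outbound({"src": "10.0.0.5", "sport": 40000, "dst": "93.184.216.34", "dport": 443})
    b = nat.outbound({"src": "10.0.0.6", "sport": 40000, "dst": "93.184.216.34", "dport": 443})
    reply_a = nat.inbound({"src": "93.184.216.34", "sport": 443, "dst": PUBLIC_IP, "dport": a["sport"]})
    reply_b = nat.inbound({"src": "93.184.216.34", "sport": 443, "dst": PUBLIC_IP, "dport": b["sport"]})
    unsolicited = nat.inbound({"src": "203.0.113.9", "sport": 1234, "dst": PUBLIC_IP, "dport": 22})
    return a["sport"], b["sport"], reply_a["dst"], reply_b["dst"], unsolicited
```

Two private hosts using the same source port get distinct public ports, so their replies are demultiplexed correctly, while an inbound packet with no matching flow is dropped.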