Linux Firewalls - Michael Rash [10]
An iptables policy is built from an ordered set of rules, which describe to the kernel the actions that should be taken against certain classes of packets. Each iptables rule is applied to a chain within a table. An iptables chain is a collection of rules that are compared, in order, against packets that share a common characteristic (such as being routed to the Linux system, as opposed to away from it).
Tables
A table is an iptables construct that delineates broad categories of functionality, such as packet filtering or Network Address Translation (NAT). There are four tables: filter, nat, mangle, and raw. Filtering rules are applied to the filter table, NAT rules are applied to the nat table, specialized rules that alter packet data are applied to the mangle table, and rules that should function independently of the Netfilter connection-tracking subsystem are applied to the raw table.
Chains
Each table has its own set of built-in chains, but user-defined chains can also be created so that the user can build a set of rules that is related by a common tag such as INPUT_ESTABLISHED or DMZ_NETWORK. The most important built-in chains for our purposes are the INPUT, OUTPUT, and FORWARD chains in the filter table:
The INPUT chain is traversed by packets that are destined for the local Linux system after a routing calculation is made within the kernel (i.e., packets destined for a local socket).
The OUTPUT chain is reserved for packets that are generated by the Linux system itself.
The FORWARD chain governs packets that are routed through the Linux system (i.e., when the iptables firewall is used to connect one network to another and packets between the two networks must flow through the firewall).
Two additional chains that are important for any serious iptables deployment are the PREROUTING and POSTROUTING chains in the nat table, which are used to modify packet headers before and after an IP routing calculation is made within the kernel. Sample iptables commands illustrate the usage of the PREROUTING and POSTROUTING chains later in this chapter, but in the meantime, Figure 1-1 shows how packets flow through the nat and filter tables within the kernel.
Figure 1-1. iptables packet flow
Matches
Every iptables rule has a set of matches along with a target that tells iptables what to do with a packet that conforms to the rule. An iptables match is a condition that must be met by a packet in order for iptables to process the packet according to the action specified by the rule target. For example, to apply a rule only to TCP packets, you can use the --protocol match.
Each match is specified on the iptables command line. The most important iptables matches for this book are listed below. (You'll see more about matches in "Default iptables Policy" on page 20 when we discuss the default iptables policy used throughout this book.)
--source (-s)
Match on a source IP address or network
--destination (-d)
Match on a destination IP address or network
--protocol (-p)
Match on an IP protocol value (e.g., tcp, udp, icmp)
--in-interface (-i)
Match on the input interface (e.g., eth0)
--out-interface (-o)
Match on the output interface
--state
Match on a set of connection-tracking states
--string
Match on a sequence of application-layer data bytes
--comment
Associate up to 256 bytes of comment data with a rule within kernel memory
Targets
Finally, iptables supports a set of targets that trigger an action when a packet matches a rule.[3] The most important targets used in this book are as follows:
ACCEPT
Allows a packet to continue on its way.
DROP
Drops a packet. No further processing is performed, and as far as the receiving stack is concerned, it is as though the packet was never sent.
LOG
Logs a packet to syslog.
REJECT
Drops a packet
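To make the ordering semantics above concrete, here is a small model, added as an example (not code from the book or from iptables itself), of how a chain in the filter table evaluates its rules: rules are compared in order, the first ACCEPT/DROP/REJECT ends traversal, LOG records the packet and lets matching continue, a user-defined chain is entered by naming it as a target and left again with RETURN, and a packet that matches nothing in the built-in INPUT chain receives the chain's default policy. The chain contents and addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp" (what --protocol matches on)
    src: str                   # source address (what --source matches on)
    dport: int = 0             # destination port
    state: str = "NEW"         # conntrack state seen by --state: NEW, ESTABLISHED, INVALID

# A rule pairs an ordered set of match predicates with one target, as on the iptables command line.
@dataclass
class Rule:
    target: str                # ACCEPT, DROP, REJECT, LOG, RETURN, or a user-defined chain name
    matches: list = None
    def hits(self, pkt: Packet) -> bool:
        return all(m(pkt) for m in (self.matches or []))

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # verdicts that end traversal of every chain

def traverse(chains, name, pkt, log):
    """Compare pkt against chain `name` in order; return a terminal verdict or None."""
    for rule in chains[name]:
        if not rule.hits(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "LOG":           # non-terminating: record, then keep matching
            log.append(f"{name} {pkt.proto} src={pkt.src} dport={pkt.dport} state={pkt.state}")
            continue
        if rule.target == "RETURN":        # back to the calling chain (or to the policy)
            return None
        verdict = traverse(chains, rule.target, pkt, log)   # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None                            # fell off the end of the chain

def filter_input(chains, policy, pkt, log):
    """Built-in INPUT chain: a packet no rule decides on gets the chain's default policy."""
    return traverse(chains, "INPUT", pkt, log) or policy

# Constructed policy (hypothetical addresses): default DROP, allow established flows, hand SSH
# to a user-defined chain, log every remaining new connection, then REJECT leftover TCP.
CHAINS = {
    "INPUT": [
        Rule("ACCEPT", [lambda p: p.state == "ESTABLISHED"]),
        Rule("SSH_IN", [lambda p: p.proto == "tcp" and p.dport == 22]),
        Rule("LOG", [lambda p: p.state == "NEW"]),
        Rule("REJECT", [lambda p: p.proto == "tcp"]),
    ],
    "SSH_IN": [Rule("ACCEPT", [lambda p: p.src.startswith("192.168.10.")]), Rule("RETURN")],
}
```

Note that a new UDP packet is logged but ends with the DROP policy rather than REJECT, because the REJECT rule matches only TCP; in a real policy the LOG rule's position relative to the terminal rules decides what ever reaches syslog.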