Basics of IPTables - PowerPoint PPT Presentation


PPT – Basics of IPTables PowerPoint presentation | free to view - id: 25c418-ZDc1Z


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Basics of IPTables


Do further packet manipulation (mangling), such as altering the TOS (Type of ... Both the MANGLE' and NAT' tables will link to the PREROUTING' chain before the ... – PowerPoint PPT presentation

Number of Views:213
Avg rating:3.0/5.0
Slides: 16
Provided by: sriramsr


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Basics of IPTables

Basics of IPTables
  • Sriram Srinivasan

What is IPTables?
  • IPTables are building blocks of a framework
    within the Linux 2.4.x and 2.6.x kernels.
  • It is the successor of IPChains (2.2.x) and
    ipfwadm (2.0.x)
  • This framework enables packet filtering, network
    addresss and port translation (NAPT).
  • Also allows packet mangling.

  • It works by creating a generic table structure of
  • As in IPChains, each rule in an IPTable consists
    of a set of classifiers (IPTable matches) and a
    corresponding action (IPTable target).
  • IPTables, along with NetFilter, Connection
    Tracking, and the NAT Subsystem make up the
    entire framework.

Salient Features
  • Stateless Packet Filtering (IPv4 and IPv6)
  • Packet Filtering with states (as in IPv4)
  • All types of network address and port translation
  • Multiple layers of API's for 3rd party extensions
  • Large number of plugins and modules kept in a

What can be done with IPTables?
  • Build internet firewalls based on packet
    filtering, with or without specifying states.
  • Use NAT and masquerading for sharing internet
    access if you don't have enough public IP
  • Do further packet manipulation (mangling), such
    as altering the TOS (Type of Service) bits of the
    IP header

Kernel Setup
  • Commands required to begin use
  • CONFIG_PACKET - This option allows applications
    and utilities that to directly access network
    devices. Examples of such utilities are tcpdump
    or snort.
  • CONFIG_NETFILTER - This option is required if
    you're going to use your computer as a firewall
    or gateway to the Internet. In our case, this is
    a necessity.
  • Note To use this functionality, the proper
    interface drivers must be added. Simply adding
    the framework is of no use.
  • CONFIG_IP_NF_IPTABLES - This option is required
    to do any kind of filtering, masquerading or NAT.
    It adds the whole IPTables identification
    framework to the kernel. Without this you won't
    be able to do anything at all with iptables.

  • Other options include
  • CONFIG_IP_NF_FTP In conjunction with Connection
    tracking, this allows tracking on FTP
    target. Thus, depending on whether or not a
    packet carries a mark from a previous table, we
    may determine if it matches a specified rule.
  • CONFIG_IP_NF_MATCH_TOS - With this match we can
    match packets based on their TOS field.
  • CONFIG_IP_NF_MATCH_STATE Using this, packets
    may be matched based on a state assigned to them.
    For example, if traffic has been seen in both
    directions in a TCP connection, then this packet
    will be assigned the state of Established.

  • The first step is to disable IPChains.
  • chkconfig --level 0123456 ipchains off
  • service ipchains stop
  • The first command kills all soft links to the
    IPChains scripts. The second actually stops the
    entire package from running.
  • Once IPChains has been stopped, we may begin
    initializing IPTables.
  • chkconfig --level 235 iptables on
  • service iptables start
  • The first command specifies the run-levels the
    user wants (in this case 2,3,5). The second
    actually starts the package running.

Table Chain Relationships
  • When a packet enters the firewall, it goes
    through a series of steps before being routed to
    the appropriate application (locally), or being
    forwarded to another host.
  • Assuming the local host is the intended target
  • Both the MANGLE and NAT tables will link to
    the PREROUTING chain before the packet is
    delivered to its destination application on the
    local host.
  • Once the destination application is determined,
    then the MANGLE and NAT tables both link to
    the INPUT chain, before the packet gets relayed

  • If the source is the local host, then the
    MANGLE and NAT tables both link to the
    OUTPUT and POSTROUTING chains before the
    packet is sent out. There is also the additional
    step of using the FILTER table, which filters
    packets leaving the local host.
  • If a packet is intended to be forwarded to
    another host, then a similar process is followed
    where the tables access the FORWARD chain
    before the Postrouting step.

Traversal through IPTables
The Mangle Table
  • This is used to Edit/Manipulate (mangle)
    packets that pass through it.
  • Targets for this table are limited to TOS (Type
    of Service), TTL (Time To Live), and MARK (set a
    mark on a packet which passes through it).
  • No type of NAT or Masquerading will work on this

The NAT Table
  • This packet can only be used to translate a
    packets source or destination fields.
  • Valid targets include
  • DNAT (mainly used in cases where you have a
    public IP and want to redirect accesses to the
    firewall to some other host (on a DMZ for
    example). In other words, we change the
    destination address of the packet and reroute it
    to the host.

  • SNAT (mainly used for changing the source address
    of packets ). A very good example would be that
    of a firewall of which we know outside IP
    address, but need to substitute our local
    network's IP numbers with that of our firewall.
    With this target the firewall will automatically
    SNAT and De-SNAT the packets, hence making it
    possible to make connections from the LAN to the

The Filter Table
  • We can match packets and filter them in whatever
    way we want. This is the place that we actually
    take action against packets and look at what they
    contain and DROP or /ACCEPT them, depending on
    their content. Of course we may also do prior
    filtering however, this particular table, is the
    place for which filtering was designed. Almost
    all targets are usable in this chain.