BCE-C712 Linux System Administration


TCP/IP Firewall and IP Masquerade

iptables Chains and Rules


iptables Chains and Rules:

In iptables, a "chain" is an ordered list of rules, and which chain a packet traverses depends on where the packet is headed. Rules in a chain are evaluated top to bottom and the first matching rule decides the packet's fate (-A appends a rule at the end of a chain, -I inserts it at the top), so the order in which you add rules matters. The three built-in chains of the default filter table are:

  1. INPUT Chain:
    • This chain handles incoming packets whose destination is your computer itself (a local process).
    • Example: Imagine you’re receiving packages at your doorstep. You decide which ones to accept and which to reject.
    • Rule Example:
      • iptables -A INPUT -p tcp --dport 80 -j ACCEPT
      • This rule allows incoming TCP traffic to destination port 80 (commonly used for web browsing).
  2. OUTPUT Chain:
    • This chain deals with outgoing packets generated by your computer.
    • Example: You’re sending out packages. You decide which ones to send and which to keep.
    • Rule Example:
      • iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
      • This rule allows outgoing UDP traffic to destination port 53 (commonly used for DNS queries).
  3. FORWARD Chain:
    • This chain handles packets that are routed through your computer to another host (when it acts as a router). Packets are only forwarded at all when IP forwarding is enabled in the kernel (net.ipv4.ip_forward=1); the FORWARD chain then decides which routed packets pass.
    • Example: If you’re passing packages from one room to another, you decide which ones to forward and which to hold.
    • Rule Example:
      • iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -p tcp --dport 22 -j ACCEPT
      • This rule allows forwarding of TCP traffic from devices in the 192.168.1.0/24 network to devices in the 192.168.2.0/24 network on port 22 (commonly used for SSH). Note that it matches only the client-to-server direction; the replies from 192.168.2.0/24 back to 192.168.1.0/24 also traverse FORWARD and need their own rule, typically a conntrack rule that accepts ESTABLISHED,RELATED traffic.

Default Policies:

Each built-in chain (INPUT, OUTPUT, FORWARD) has a default policy, either ACCEPT or DROP, which dictates what happens to a packet that reaches the end of the chain without matching any rule. REJECT is a rule target, not a valid policy, and custom chains have no policy at all.

  • Example:
    • iptables -P INPUT DROP
    • This sets the default policy for incoming packets to DROP, meaning any packet not explicitly allowed by an earlier rule will be silently discarded.
    • Caveat: a DROP policy also discards loopback traffic and the reply packets of connections the host itself opened, so add rules accepting the lo interface and ESTABLISHED,RELATED traffic (and, on a remote machine, your own SSH session) before switching the policy, or you will lock yourself out.

Additional Chains (Optional):

  • In addition to the built-in chains, you can create custom (user-defined) chains to group the rules for a specific task, such as handling all traffic for one service.
  • Example:
    • iptables -N MY_CUSTOM_CHAIN
    • This creates an empty custom chain named MY_CUSTOM_CHAIN.
  • You then add rules to the custom chain with -A MY_CUSTOM_CHAIN and send packets into it from a built-in chain with a jump rule (target -j MY_CUSTOM_CHAIN). A packet that reaches the end of the custom chain without matching, or that hits a RETURN target, continues with the next rule in the chain that jumped to it; a custom chain that should deny everything it does not explicitly allow therefore needs its own final DROP rule.

Combining Chains and Rules:

  • You can mix and match rules in different chains to finely control the flow of traffic in and out of your system, but each chain only ever sees its own direction of traffic: a restriction on incoming connections belongs in INPUT, a restriction on what the host itself initiates belongs in OUTPUT, and a restriction on routed traffic belongs in FORWARD.
  • For example, you might allow incoming web traffic on port 80 (INPUT chain) only when it is addressed to one specific local IP address (an additional -d match on that same INPUT rule, not an OUTPUT rule), while separately using the OUTPUT chain to limit which destinations the host itself may open connections to.

Remember, each rule is like an instruction to your firewall. It tells it what to do with each packet that passes through. Understanding chains and rules helps you build a customized firewall configuration that suits your specific needs and enhances your system’s security.
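The chains, the DROP default policy and the custom chain from the sections above, combined into one host-and-router ruleset, as an added example that is not part of the course material. It writes the rules in the text format that iptables-restore(8) loads atomically, which avoids the window between setting a DROP policy and adding the ACCEPT rules, and it includes a small check that the ESTABLISHED,RELATED rule precedes any INPUT drop. The interface name eth1, the admin/LAN network 192.168.1.0/24, the DMZ network 192.168.2.0/24 and the chain name SSH_GUARD are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the course's own code): build a filter-table ruleset in
# iptables-restore format. Interface and networks are assumed values.
LAN_IF="${LAN_IF:-eth1}"                  # assumed inside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumed LAN, matches the lesson
DMZ_NET="${DMZ_NET:-192.168.2.0/24}"      # assumed DMZ, matches the lesson
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"  # assumed network allowed to SSH in

# Print the ruleset to stdout. Rules are evaluated top to bottom and the
# first match wins, so the "keep me alive" rules must come before any drop.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_GUARD - [0:0]
# Loopback and already-established flows first; without these a DROP policy
# breaks local services and silently discards every reply packet.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New SSH connections are handed to a custom chain; new HTTP is accepted.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_GUARD
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Custom chain: only the admin network may open SSH; everything else is
# logged (rate-limited) and dropped. The final DROP is needed because a
# packet falling off the end of SSH_GUARD would otherwise return to INPUT.
-A SSH_GUARD -s $ADMIN_NET -j ACCEPT
-A SSH_GUARD -m limit --limit 3/min -j LOG --log-prefix "ssh-denied: "
-A SSH_GUARD -j DROP
# Routed traffic (needs net.ipv4.ip_forward=1): LAN may open SSH to the DMZ,
# and the replies come back through FORWARD as ESTABLISHED.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -d $DMZ_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Lock-out check before loading: in INPUT, the ESTABLISHED,RELATED accept
# must appear before any rule with a DROP target. Returns 0 when the order
# is safe, 1 otherwise.
check_ordering() {
    build_ruleset | awk '
        /^-A INPUT/ { n++ }
        /^-A INPUT/ && /ESTABLISHED,RELATED/ { est = n }
        /^-A INPUT/ && /-j DROP/ && !est { bad = 1 }
        END { status = (est && !bad) ? 0 : 1; exit status }'
}

# Usage (as root):
#   build_ruleset > /etc/iptables/rules.v4
#   check_ordering && iptables-restore --test /etc/iptables/rules.v4 \
#       && iptables-restore /etc/iptables/rules.v4
```

iptables-restore --test parses the whole file without committing it, so a typo is caught before the kernel's ruleset changes; the subsequent iptables-restore replaces the entire filter table in one step rather than one rule at a time.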
