Iptables
Encyclopedia
iptables is a user space
application program that allows a system administrator
to configure the tables provided by the Linux kernel
firewall
(implemented as different Netfilter modules) and the chains and rules it stores. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.
iptables requires elevated privileges to operate and must be executed by user root
, otherwise it fails to function. On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man page, which can be opened using
iptables is also commonly used to inclusively refer to the kernel-level components. x_tables is the name of the kernel module carrying the shared code portion used by all four modules that also provides the API used for extensions; subsequently, Xtables is more or less used to refer to the entire firewall (v4,v6,arp,eb) architecture.
Prior to iptables, the predominant software packages for creating Linux firewalls were ipchains
in Linux 2.2; and ipfwadm in Linux 2.0 which was based on BSD
ipfw
.
iptables preserves the basic ideas introduced with ipfwadm: lists of rules each of which specified what to match within a packet, and what to do with such a packet. ipchains added the concept of chains of rules, and iptables extended this further into tables: one table was consulted when deciding whether to NAT
a packet, and another consulted when deciding how to filter a packet. In addition, the three filtering points in a packet's journey were altered such that any packet only passes through one filtering point.
This split allowed iptables, in turn, to use the information the connection tracking layer had determined about a packet. The information was previously tied to NAT. This makes iptables superior to ipchains because it has the ability to monitor the state of a connection and redirect, modify or stop data packets based on the state of the connection, not just on the source, destination or packet data content. (This is done with the
versus ipchains, which can only create a stateless firewall (except in very limited cases). It can be said that ipchains is not fully aware of the context from which a data packet arises, whereas iptables is. Therefore, iptables can make better decisions on the fate of packets and connections.
The Netfilter maintainer Patrick McHardy proposed to replace iptables with nftables
in the future. The project is currently in the alpha stage of development. Alternate developments include Xtables2 that seek to gradually improve the code that is already in the Linux kernel.
to define tables containing chains of rules for the treatment of packets. Each table is associated with a different kind of packet processing. Packets are processed by sequentially traversing the rules in chains. A rule in a chain can cause a goto or jump to another chain, and this can be repeated to whatever level of nesting is desired. (A jump is like a “call”, i.e. the point that was jumped from is remembered.) Every network packet arriving at or leaving from the computer traverses at least one chain.
The origin of the packet determines which chain it traverses initially. There are five predefined chains (mapping to the five available Netfilter hooks), though a table may not have all chains. Predefined chains have a policy, for example DROP, which is applied to the packet if it reaches the end of the chain. The system administrator can create as many other chains as desired. These chains have no policy; if a packet reaches the end of the chain it is returned to the chain which called it. A chain may be empty.
Each rule in a chain contains the specification of which packets it matches. It may also contain a target (used for extensions) or verdict (one of the built-in decisions). As a packet traverses a chain, each rule in turn is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target/verdict, which may result in the packet being allowed to continue along the chain or it may not. Matches make up the large part of rulesets, as they contain the conditions packets are tested for. These can happen for about any layer in the OSI model, as with e.g. the --mac-source and -p tcp --dport parameters, and there are also protocol-independent matches, such as -m time.
The packet continues to traverse the chain until either
Targets also return a verdict like ACCEPT (NAT modules will do this) or DROP (e.g. the “REJECT” module), but may also imply CONTINUE (e.g. the "LOG" module; CONTINUE is an internal name) to continue with the next rule as if no target/verdict was specified at all.
or graphical fashion allow users to click-generate simple rulesets; scripts usually refer to shell scripts
(but other scripting languages are possible too) that call iptables or (the faster)
Such front-ends, generators and scripts are often limited by their built-in template systems and where the templates offer substitution spots for user-defined rules. Also, the generated rules are generally not optimized for the particular firewalling effect the user wishes, as doing so will likely increase the maintenance cost for the developer. Users who reasonably understand iptables and want their ruleset optimized are advised to construct their own ruleset.
User space
A conventional computer operating system usually segregates virtual memory into kernel space and user space. Kernel space is strictly reserved for running the kernel, kernel extensions, and most device drivers...
application program that allows a system administrator
System administrator
A system administrator, IT systems administrator, systems administrator, or sysadmin is a person employed to maintain and operate a computer system and/or network...
to configure the tables provided by the Linux kernel
Linux kernel
The Linux kernel is an operating system kernel used by the Linux family of Unix-like operating systems. It is one of the most prominent examples of free and open source software....
firewall
Firewall (computing)
A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass....
(implemented as different Netfilter modules) and the chains and rules it stores. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.
iptables requires elevated privileges to operate and must be executed by user root
Superuser
On many computer operating systems, the superuser is a special user account used for system administration. Depending on the operating system, the actual name of this account might be: root, administrator or supervisor....
, otherwise it fails to function. On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man page, which can be opened using
man iptables
when installed. It may also be found in /sbin/iptables, but since iptables is more like a service rather than an "essential binary", the preferred location remains /usr/sbin.iptables is also commonly used to inclusively refer to the kernel-level components. x_tables is the name of the kernel module carrying the shared code portion used by all four modules that also provides the API used for extensions; subsequently, Xtables is more or less used to refer to the entire firewall (v4,v6,arp,eb) architecture.
History
Netfilter and iptables were initially designed together, so there is some overlap in early history. See Netfilter's article.Prior to iptables, the predominant software packages for creating Linux firewalls were ipchains
Ipchains
Linux IP Firewalling Chains, normally called ipchains, is free software to control the packet filter/firewall capabilities in the 2.2 series of Linux kernels. It superseded ipfwadm, but was replaced by iptables in the 2.4 series. Unlike iptables, ipchains is stateless.It is a rewrite of Linux's...
in Linux 2.2; and ipfwadm in Linux 2.0 which was based on BSD
Berkeley Software Distribution
Berkeley Software Distribution is a Unix operating system derivative developed and distributed by the Computer Systems Research Group of the University of California, Berkeley, from 1977 to 1995...
ipfw
Ipfirewall
ipfirewall or ipfw is a FreeBSD IP packet filter and traffic accounting facility. Its ruleset logic is similar to many other packet filters except IPFilter. ipfw is authored and maintained by FreeBSD volunteer staff members. Its syntax enables use of sophisticated filtering capabilities and thus...
.
iptables preserves the basic ideas introduced with ipfwadm: lists of rules each of which specified what to match within a packet, and what to do with such a packet. ipchains added the concept of chains of rules, and iptables extended this further into tables: one table was consulted when deciding whether to NAT
Network address translation
In computer networking, network address translation is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device....
a packet, and another consulted when deciding how to filter a packet. In addition, the three filtering points in a packet's journey were altered such that any packet only passes through one filtering point.
This split allowed iptables, in turn, to use the information the connection tracking layer had determined about a packet. The information was previously tied to NAT. This makes iptables superior to ipchains because it has the ability to monitor the state of a connection and redirect, modify or stop data packets based on the state of the connection, not just on the source, destination or packet data content. (This is done with the
-m conntrack
match, explained in the manpages.) A firewall using iptables this way is said to be a stateful firewallStateful firewall
In computing, a stateful firewall is a firewall that keeps track of the state of network connections traveling across it. The firewall is programmed to distinguish legitimate packets for different types of connections...
versus ipchains, which can only create a stateless firewall (except in very limited cases). It can be said that ipchains is not fully aware of the context from which a data packet arises, whereas iptables is. Therefore, iptables can make better decisions on the fate of packets and connections.
The Netfilter maintainer Patrick McHardy proposed to replace iptables with nftables
Nftables
nftables was an engine and administration tool for packet filtering and classification for Linux, intended to replace iptables. The project stayed in alpha stage and seemed to be abandoned and the official website was removed in 2009...
in the future. The project is currently in the alpha stage of development. Alternate developments include Xtables2 that seek to gradually improve the code that is already in the Linux kernel.
Operational summary
Xtables allows the system administratorSystem administrator
A system administrator, IT systems administrator, systems administrator, or sysadmin is a person employed to maintain and operate a computer system and/or network...
to define tables containing chains of rules for the treatment of packets. Each table is associated with a different kind of packet processing. Packets are processed by sequentially traversing the rules in chains. A rule in a chain can cause a goto or jump to another chain, and this can be repeated to whatever level of nesting is desired. (A jump is like a “call”, i.e. the point that was jumped from is remembered.) Every network packet arriving at or leaving from the computer traverses at least one chain.
The origin of the packet determines which chain it traverses initially. There are five predefined chains (mapping to the five available Netfilter hooks), though a table may not have all chains. Predefined chains have a policy, for example DROP, which is applied to the packet if it reaches the end of the chain. The system administrator can create as many other chains as desired. These chains have no policy; if a packet reaches the end of the chain it is returned to the chain which called it. A chain may be empty.
- “PREROUTING”: Packets will enter this chain before a routing decision is made.
- “INPUT”: Packet is going to be locally delivered. (N.B.: It does not have anything to do with processes having a socket open. Local delivery is controlled by the “local-delivery” routing table: `
ip route show table local
`.) - “FORWARD”: All packets that have been routed and were not for local delivery will traverse this chain.
- “OUTPUT”: Packets sent from the machine itself will be visiting this chain.
- “POSTROUTING”: Routing decision has been made. Packets enter this chain just before handing them off to the hardware.
Each rule in a chain contains the specification of which packets it matches. It may also contain a target (used for extensions) or verdict (one of the built-in decisions). As a packet traverses a chain, each rule in turn is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target/verdict, which may result in the packet being allowed to continue along the chain or it may not. Matches make up the large part of rulesets, as they contain the conditions packets are tested for. These can happen for about any layer in the OSI model, as with e.g. the --mac-source and -p tcp --dport parameters, and there are also protocol-independent matches, such as -m time.
The packet continues to traverse the chain until either
- a rule matches the packet and decides the ultimate fate of the packet, for example by calling one of the ACCEPT or DROP, or a module returning such an ultimate fate; or
- a rule calls the RETURN verdict, in which case processing returns to the calling chain; or
- the end of the chain is reached; traversal either continues in the parent chain (as if RETURN was used), or the base chain policy, which is an ultimate fate, is used.
Targets also return a verdict like ACCEPT (NAT modules will do this) or DROP (e.g. the “REJECT” module), but may also imply CONTINUE (e.g. the "LOG" module; CONTINUE is an internal name) to continue with the next rule as if no target/verdict was specified at all.
Front-ends and scripts
There are numerous third-party software for iptables that try to facilitate setting up rules. Front-ends in textualNcurses
ncurses is a programming library that provides an API which allows the programmer to write text user interfaces in a terminal-independent manner. It is a toolkit for developing "GUI-like" application software that runs under a terminal emulator...
or graphical fashion allow users to click-generate simple rulesets; scripts usually refer to shell scripts
Unix shell
A Unix shell is a command-line interpreter or shell that provides a traditional user interface for the Unix operating system and for Unix-like systems...
(but other scripting languages are possible too) that call iptables or (the faster)
iptables-restore
with a set of predefined rules, or rules expanded from a template with the help of a simple configuration file. Linux distributions commonly employ the latter scheme of using templates. Such a template-based approach is practically a limited form of a rule generator, and such generators also exist in standalone fashion, for example, as PHP web pages.Such front-ends, generators and scripts are often limited by their built-in template systems and where the templates offer substitution spots for user-defined rules. Also, the generated rules are generally not optimized for the particular firewalling effect the user wishes, as doing so will likely increase the maintenance cost for the developer. Users who reasonably understand iptables and want their ruleset optimized are advised to construct their own ruleset.
Other tools
- NuFWNuFWNuFW is a GPL extension to Netfilter . It adds authentication to filtering rules. NuFW is also provided as a hardware firewall, in the EdenWall firewalling appliance.- Introduction :...
, an authenticating firewall extension to Netfilter - GUFW, simple configuration utility for UbuntuUbuntu (operating system)Ubuntu is a computer operating system based on the Debian Linux distribution and distributed as free and open source software. It is named after the Southern African philosophy of Ubuntu...
- FWSnort, Translates a SnortSnort (software)Snort is a free and open source network intrusion prevention system and network intrusion detection system , created by Martin Roesch in 1998...
IDS ruleset into an IPTables ruleset. - psad, Automated iptables log analysis to detect suspicious activity (port scans and probes for backdoors), and passively fingerprint remote TCP stacks.
- Programming Netfilter/iptables modules in "Rope"
- LibIPTables C API for iptables (iptables has its own API - libiptc - although this shouldn't be used as a public API, and is known to change, which breaks programs that use it)
Tutorials
- Netfilter HOWTOs
- How to use iptables on Ubuntu
- Documentation on how to integrate both firewall (IP Tables) and Linux advanced routing
- “Detecting and deceiving network scans” — countermeasures against nmap