Linux Firewalling
iptables is Linux's modern firewall, implemented within the kernel. It can monitor different types of packets, on different paths, and process them in various ways.
Chains are the first concept to learn in iptables. A chain is a list of rules; each rule has a match that is tested against the packet and a target that says what to do with a packet that matches. A target can be a user-defined chain, ACCEPT, DROP, QUEUE, or RETURN (which sends the packet back to the chain that called this one). If the packet matches no rule in the chain, the chain's policy decides the ultimate target.
A set of chains makes up a table. Depending on one's kernel configuration and loaded modules, different chains may exist. Without anything special, one can expect the following tables to be present:
- filter, the default table, has the built-in chains: INPUT, FORWARD (for packets routed through the computer), and OUTPUT.
- nat, for packets that create new connections.
- mangle, for specialized packet alteration.
- raw, mainly for allowing certain packets to bypass connection tracking.
Argument Summary
Really, this entire article is a summary of man iptables, but this is especially true for the following options, which represent only a portion of the vast array available in iptables:
- -A, --append chain rule-specification
- -D, --delete chain rulenum
- -I, --insert chain [rulenum] rule-specification
- -L, --list [chain]: Displays basic information about the chains in a given table.
- -F, --flush [chain]: Deletes all the rules from a given chain.
- -Z, --zero: Zeroes out the various counters.
- -N, --new-chain chain
- -X, --delete-chain [chain]: Without a given chain, all custom chains in the table are deleted.
- -P, --policy chain target
- -s, --source [!] address: A name or IP address is acceptable.
- -d, --destination [!] address: A name or IP address is acceptable.
- -j, --jump target: A jump isn't required if counting packets is the only desired effect.
- -v, --verbose: Shows the packet and byte counters for each rule, among other things.
- --line-numbers: Shows the rule number of each rule in the chain that's displayed.
So how does one go about blocking a website, for example, using iptables? Like this:
iptables --table filter --append OUTPUT --destination www.digg.com --match owner --uid-owner samuel --jump REJECT --reject-with icmp-host-unreachable
Here we are working on the filter table's OUTPUT chain. Every outbound packet originating on this computer must travel through this chain of rules. The destination we are trying to match in this rule is www.digg.com. The owner match is optional; here it restricts the rule to connections that my own user account (samuel) initiates. Instead of silently dropping the packet, which would leave the browser hanging until it times out, the packet is rejected with an ICMP host-unreachable error, so the browser fails immediately.
Persistence
Ah, now I can finally get some work done :) But wait, when you reboot your computer the firewall rule will be gone. What we need to do is save the firewall rule so that we can restore it upon system startup:
iptables-save > /root/firewall_rules # Initially save the firewall rules.
By the way, you may wish to run iptables-save on its own first, just to make sure that no other program has already set up firewall rules that would otherwise mingle with your own. Now fire up your favorite text editor to create a startup and shutdown script. I'll use GEdit:
gedit /etc/init.d/firewall
Paste the following into the new file and save it:
#!/bin/sh
# /etc/init.d/firewall: restore the saved rules at boot, save them at shutdown.
case "$1" in
start|"")
    echo Loading firewall rules...
    iptables-restore < /root/firewall_rules
    ;;
stop)
    echo Saving firewall rules...
    iptables-save > /root/firewall_rules
    ;;
esac
And that's it! Now your custom firewall rules will persist between sessions. Happy Hacking!
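The chain, policy and target concepts from the top of the post and the file format that iptables-save writes and the startup script hands to iptables-restore can be seen together in one file. The script below is an added example written for this page, not code from the original post or from the iptables project. It writes a small filter-table ruleset in that format (a default-deny INPUT policy, a user-defined chain that RETURNs to its caller, and the outbound REJECT from the post) and then checks, with nothing more than awk, that every -j target names a built-in target or a chain declared in the same table, since a jump to an undeclared chain makes iptables-restore refuse the whole file. The address 203.0.113.10, the network 192.168.1.0/24 and the user name samuel are constructed placeholders. The site is blocked by address rather than by name because iptables resolves a host name once, when the rule is loaded, and the rule then matches only the addresses returned at that moment.

```sh
#!/bin/sh
# Added example for this page (not the post's own code): emit a ruleset in the
# iptables-save / iptables-restore text format and sanity-check its jump targets.
# Nothing here talks to the kernel, so it runs without root.
# Constructed placeholders: 203.0.113.10, 192.168.1.0/24 and the user "samuel".

# Write a filter-table ruleset to the file named in $1.
# Built-in chains carry a policy (DROP/ACCEPT); user chains carry "-".
write_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TRUSTED - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j TRUSTED
-A TRUSTED -p tcp --dport 22 -j ACCEPT
-A TRUSTED -j RETURN
-A OUTPUT -d 203.0.113.10 -m owner --uid-owner samuel -j REJECT --reject-with icmp-host-unreachable
COMMIT
EOF
}

# Print "ok" when every -j/--jump target in the file is a built-in target or a
# chain declared with a ":NAME" line in the same table; otherwise print each
# unknown target on its own line. The list of extension targets (REJECT, LOG)
# is deliberately short; extend it if your rules use others.
check_targets() {
    awk '
        # A new table: forget earlier chains and start from the targets the
        # kernel always knows, plus the two extension targets used in filter.
        /^\*/ {
            for (k in chain) delete chain[k]
            chain["ACCEPT"] = 1; chain["DROP"] = 1; chain["QUEUE"] = 1
            chain["RETURN"] = 1; chain["REJECT"] = 1; chain["LOG"] = 1
            next
        }
        # ":NAME policy [pkts:bytes]" declares a chain in this table.
        /^:/ { name = substr($1, 2); chain[name] = 1; next }
        # "-A CHAIN ... -j TARGET": every jump must land on a known target.
        /^-[AI] / {
            for (i = 1; i < NF; i++)
                if ($i == "-j" || $i == "--jump") {
                    t = $(i + 1)
                    if (!(t in chain)) bad[t] = 1
                }
        }
        END {
            n = 0
            for (t in bad) { print t; n++ }
            if (n == 0) print "ok"
        }
    ' "$1"
}

# Usage: sh ruleset-check.sh /root/firewall_rules
# With a file argument that file is checked; with no argument the constructed
# ruleset above is written to a temporary file and checked instead.
file=${1:-${TMPDIR:-/tmp}/firewall_rules.example}
[ $# -gt 0 ] || write_ruleset "$file"
check_targets "$file"
```

Run it against a saved file such as /root/firewall_rules before rebooting to catch a dangling jump early. For a fuller check that also parses match and target options, iptables-restore --test parses and builds the ruleset without committing it, but that needs root and the relevant kernel modules loaded.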