What is iptables?

iptables is a software package used to create, modify, and enforce firewall rules on a Linux system; ultimately, it controls network access to and from the computer. iptables is built on the kernel's netfilter framework, which provides "hooks" into the Linux network (TCP/IP) stack at which packets can be inspected and acted on. The iptables service is therefore the firewall running under Linux that decides what may reach, and leave, the system.

Technically, iptables is a framework that enables packet filtering, network and port address translation (often known as NAT and PAT) and other packet mangling (e.g., packet fragmentation and reassembly, type-of-service processing, and other header modification).

iptables replaces the now defunct ipchains (Linux 2.2.x) and ipfwadm (Linux 2.0.x) tools.

How does it work?

iptables provides a generic table structure for defining rules, which are grouped into ordered lists called chains. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target). By default, a firewall has one Policy rule set, one NAT rule set, and one routing rule set. Within these rulesets are the chains that define each allowed or blocked network communication.

Generally, outgoing sessions established by applications such as Firefox, Lotus Notes, and Sametime Connect are granted access through the firewall automatically, and any unsolicited inbound access is only allowed if the port is open. For example, if the SSH service is running on the local system, the only way traffic would be allowed in is for the firewall to allow access to the port used for SSH (tcp port 22).

Conversely, users from the local system would be allowed to SSH into other machines, regardless of whether the port was opened or not, since it originated from inside the firewall. This process is similar to a home router that denies access to outsiders, but the computers inside the local network are allowed to function as if the router was not there.

Understanding how the firewall rules work in Linux

When Linux boots, it loads the iptables firewall program as a kernel module, making it ultra-fast and built-in.

The iptables tool is a stateful inspection firewall, meaning that it considers the state of a communication (an established flow, a new communication, etc.) in addition to its direction (e.g., leaving the workstation, or coming into the workstation). When packets are initiated remotely (i.e., they come into the workstation, or are inbound), they are reviewed by the INPUT chain (rules). They must make it through all the "-A INPUT" rules sequentially, with the first matching rule deciding their fate, before being allowed to move on to the local services listening or waiting for packets. If the incoming communication traverses all of these rules and doesn't meet any matches, there is an "INPUT -j DROP" rule to ensure that nothing continues by mistake. The Open Client is preconfigured to ensure that incoming communications that are responses to a user-initiated program are accepted by default. This is the consideration given to the state of a communication.

Outgoing packets also are assigned a state, and must pass through the OUTPUT chains (rules) before being allowed to leave the workstation destined for a remote network system. By default, the Open Client does not limit these outgoing flows.

Basic Initialization

Firstly, the chains need to be defined and initialized. IBM chiefly employs the default built-in chains and initializes as such:

  • Flush the INPUT and FORWARD chains and set their default policy to DROP
  • Set the default policy of the PREROUTING, POSTROUTING, and OUTPUT chains to ACCEPT
  • Question(s): Technically, should they all be flushed first?
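The following POSIX shell script is an added example, not code from the original page or from IBM's ibm-firewall package. It emits a workstation ruleset in iptables-restore(8) format that follows the initialization above (DROP policy on INPUT and FORWARD, ACCEPT on the nat chains and OUTPUT) and the INPUT-chain order described under "Understanding how the firewall rules work": loopback first, then the stateful ESTABLISHED,RELATED accept, then explicitly opened ports (tcp/22, as in the SSH example), then an explicit DROP. Loading a file with iptables-restore replaces each listed table atomically, which covers the "flush" step. The names ALLOWED_PORTS, build_nat_table, build_filter_table and check_input_chain are chosen here; the check function audits a ruleset's text for the properties the page describes so a misordered or incomplete ruleset is caught before it is loaded.

```shell
#!/bin/sh
# Added example: generate and sanity-check a stateful workstation ruleset.
# Not part of the original page or the ibm-firewall package.

# Ports that may receive unsolicited (NEW) connections, as "proto/port" entries.
# Constructed sample default: SSH only, matching the page's example.
ALLOWED_PORTS="${ALLOWED_PORTS:-tcp/22}"

# nat table: every chain ACCEPTs, as in the initialization list above.
build_nat_table() {
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' 'COMMIT'
}

# filter table: INPUT and FORWARD default to DROP, OUTPUT to ACCEPT, and the
# INPUT rules are printed in the order packets will traverse them.
build_filter_table() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic never leaves the host; accept it first.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Stateful rule: replies to flows the workstation itself started.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Explicitly opened ports: only NEW connections to these are let in.
    for entry in $ALLOWED_PORTS; do
        proto=${entry%/*}
        port=${entry#*/}
        printf '%s\n' "-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Explicit final DROP so nothing continues by mistake, policy aside.
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# Audit a ruleset read from stdin. Prints "ok" and returns 0 when the INPUT
# chain has a DROP policy, a stateful accept that precedes the first port
# rule, and an explicit trailing DROP; otherwise prints the failing check.
check_input_chain() {
    awk '
        /^:INPUT DROP/ { policy = 1 }
        /^-A INPUT / {
            n++
            if ($0 ~ /ESTABLISHED,RELATED/ && $0 ~ /-j ACCEPT/) est = n
            if ($0 ~ /--dport/ && !firstport) firstport = n
            if ($0 ~ /-j DROP$/) lastdrop = n
        }
        END {
            if (!policy) { print "INPUT policy is not DROP"; exit 1 }
            if (!est) { print "no ESTABLISHED,RELATED accept"; exit 1 }
            if (firstport && est > firstport) { print "stateful rule after port rules"; exit 1 }
            if (lastdrop != n) { print "INPUT does not end with -j DROP"; exit 1 }
            print "ok"
        }'
}

# Stand-alone use: print the full ruleset once it passes the audit. Apply it
# on a real host (as root) with:  sh thisscript.sh | iptables-restore
if build_filter_table | check_input_chain >/dev/null; then
    build_nat_table
    build_filter_table
fi
```

Ports beyond SSH are added by setting ALLOWED_PORTS (for example `ALLOWED_PORTS="tcp/22 tcp/443"`); because the port rules carry `--ctstate NEW`, they admit only the opening packet of a connection, and everything else still has to pass the stateful rule that precedes them.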

Basic "Chain" of Command

This illustration of packet flow shows the essential progression of communications using the default chains. All incoming traffic must be a pre-established or related communication (e.g., predefined state) or must match an explicitly allowed port/data type.

In the Open Client, no flows are placed on the FORWARD chain. This policy is used when the Linux system is protecting a system (e.g., think of a traditional firewall server between a Web server and a Database server). IBM's use of iptables is designed for workstation users, and so the FORWARD and OUTPUT chains are the pertinent ones.

Default IBM firewall rulebase

The default rules configured by the application of the ibm-firewall package are located in /etc/iptables.d/filter/INPUT.
