Iptables
Advice: read the manual page of iptables at least once, it is very clarifying. iptables is the successor of ipchains (and before that ipfwadm) in the series of Linux firewalls. It does NAT as well as packet filtering.
list verbose
Note the -v (verbose) option of iptables -L: it not only shows more detail, such as the interfaces a rule applies to, it also prints a match counter for every rule, in packets and in bytes. So you can see how many packets/bytes the rule in question has matched. Very handy for debugging! Also note that -L with a chain name lists the rules of that chain only, without a chain name it lists all chains. You read the listing like this :
- Within each "Chain" a packet is compared against the first "Rule".
- If it does not match, go on to the next rule.
- If it does match, the rule's target is applied: a built-in action (DROP, ACCEPT, QUEUE or RETURN) or a jump into a user-defined chain. A rule without a target only updates its counters and the packet goes on to the next rule.
- DROP means discard the packet, ACCEPT means what it says.
- QUEUE means pass the packet to a user space program (I'll elaborate when I understand it ;)
- RETURN means return to the rule after the last jump, which makes a user-defined chain behave like a sort of function call. Reaching the end of a user-defined chain does the same. If you reach the end of a built-in chain (or hit RETURN there), the chain's default policy is executed.
It is just that simple !!
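To make the traversal rules above concrete, here is a small model of how iptables walks its chains. This is an added illustration, not code from the original page or from iptables itself: matches are plain Python predicates, and the sample ruleset (a FORWARD chain with policy DROP, a user-defined chain "sip", and an interface called "dmz") is constructed for the example.

```python
"""Model of how iptables walks its chains: rules in order, built-in
targets, jumps into user-defined chains, RETURN, counters and the
default policy. Added as an illustration; the ruleset is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

BUILTIN_TARGETS = {"ACCEPT", "DROP", "QUEUE", "RETURN"}


@dataclass
class Packet:
    proto: str
    dport: int
    in_iface: str
    out_iface: str


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: Optional[str]   # built-in target, user-defined chain name, or None
    packets: int = 0        # the counters that "iptables -L -v" prints
    bytes: int = 0


@dataclass
class Chain:
    rules: List[Rule]
    policy: Optional[str] = None   # only built-in chains have a policy


def walk(chains: Dict[str, Chain], name: str, pkt: Packet, size: int) -> Optional[str]:
    """Run pkt through chain `name` and return the verdict.

    Returns None when a user-defined chain ends or hits RETURN, so the
    caller continues with the rule after the jump; a built-in chain
    returns its policy in the same situation."""
    chain = chains[name]
    for rule in chain.rules:
        if not rule.match(pkt):
            continue                      # no match: next rule
        rule.packets += 1                 # counters update on every match
        rule.bytes += size
        if rule.target is None:
            continue                      # no target: count only, keep going
        if rule.target == "RETURN":
            break                         # back to the caller (or the policy)
        if rule.target in BUILTIN_TARGETS:
            return rule.target            # final verdict
        verdict = walk(chains, rule.target, pkt, size)   # jump to user chain
        if verdict is not None:
            return verdict                # the sub-chain decided
        # sub-chain returned without a verdict: continue with the next rule
    return chain.policy


def build_ruleset() -> Dict[str, Chain]:
    """FORWARD chain (policy DROP) that sends UDP into a user chain "sip",
    which accepts SIP (port 5060) going out on the DMZ interface. The
    interface name "dmz" is an assumption for this example."""
    return {
        "FORWARD": Chain(policy="DROP", rules=[
            Rule(lambda p: p.proto == "udp", "sip"),
            Rule(lambda p: True, None),        # counts everything that gets here
        ]),
        "sip": Chain(rules=[
            Rule(lambda p: p.out_iface == "dmz" and p.dport == 5060, "ACCEPT"),
            Rule(lambda p: True, "RETURN"),
        ]),
    }


def list_verbose(chains: Dict[str, Chain]) -> List[str]:
    """Text roughly in the shape of "iptables -L -v": pkts, bytes, target."""
    lines = []
    for name, chain in chains.items():
        policy = f" (policy {chain.policy})" if chain.policy else ""
        lines.append(f"Chain {name}{policy}")
        for rule in chain.rules:
            lines.append(f"{rule.packets:6d} {rule.bytes:8d} {rule.target or '-'}")
    return lines


if __name__ == "__main__":
    chains = build_ruleset()
    for pkt, size in [(Packet("udp", 5060, "eth0", "dmz"), 300),
                      (Packet("udp", 5061, "eth0", "dmz"), 300),
                      (Packet("tcp", 5060, "eth0", "dmz"), 60)]:
        print(pkt, "->", walk(chains, "FORWARD", pkt, size))
    print("\n".join(list_verbose(chains)))
```

Run it and compare the counters with the verdicts: the SIP packet is accepted inside "sip" and never reaches the counting rule, the UDP packet to another port hits RETURN, falls back into FORWARD, is counted there and ends in the policy DROP, and the TCP packet never enters "sip" at all.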
connection tracking
Connection tracking is the means by which the firewall keeps state per 'connection', also for a stateless protocol like UDP, where it gives you a 'sort-of' connection (for TCP it follows the real connection state). The firewall sees all packets crossing it, so it can remember what went out and let the corresponding replies come back in. Most unsolicited inbound UDP packets are discarded by such a firewall, but you cannot do that with replies to packets you sent out yourself, because that would break almost any internet service. So once a packet went from the inside to some address on the outside, packets from that address back to the same inside host are treated differently. In the rules this shows up as the state match (-m state --state ESTABLISHED,RELATED). For debugging connection tracking you can do : watch cat /proc/net/ip_conntrack (on newer kernels the file is /proc/net/nf_conntrack, and the conntrack tool from conntrack-tools shows the same table). It might yield lines like this one :
cat /proc/net/ip_conntrack
- The entry is for udp (protocol number 17).
- It expires in 176 seconds, unless another packet of the same flow refreshes the timer.
- The first set of addresses/ports is the original request, so 10.174.10.25 wants to contact 217.77.152.25:5060.
- The second set is the reply that is expected, written the way the reply packet will look: source 217.77.152.25:5060, destination 217.77.154.101:1024. That the destination is not 10.174.10.25:5060 tells you the internal address was NAT'd to 217.77.154.101:1024.
- ASSURED means the entry is not thrown out early (before its timer runs out) when the conntrack table is full; an [UNREPLIED] entry, one for which no reply packet has been seen yet, can be evicted early.
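Reading these lines by eye gets tedious on a busy firewall, so here is a parser that does the interpretation above mechanically: it splits an entry into protocol, timer, original tuple, reply tuple and flags, and derives the NAT mapping by comparing the reply tuple with the mirror image of the original one. This is an added example, not code from the original page; the sample lines are constructed (the first uses the addresses from the interpretation above, the other two are made up, including one in the newer /proc/net/nf_conntrack layout that prefixes "ipv4 2").

```python
"""Parser for the text format of /proc/net/ip_conntrack (and the newer
/proc/net/nf_conntrack). Added as an illustration; the sample lines are
constructed for this example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample entries: the SIP entry discussed above, a DNS query
# without a reply yet, and a TCP entry in the nf_conntrack layout.
SAMPLE_LINES = [
    "udp      17 176 src=10.174.10.25 dst=217.77.152.25 sport=5060 dport=5060 "
    "src=217.77.152.25 dst=217.77.154.101 sport=5060 dport=1024 [ASSURED] use=1",
    "udp      17 23 src=192.168.1.10 dst=192.168.1.1 sport=41234 dport=53 "
    "[UNREPLIED] src=192.168.1.1 dst=192.168.1.10 sport=53 dport=41234 use=1",
    "ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=93.184.216.34 "
    "sport=52000 dport=443 src=93.184.216.34 dst=203.0.113.7 sport=443 "
    "dport=52000 [ASSURED] mark=0 use=1",
]

KEYVAL = re.compile(r"^(\w+)=(\S+)$")
TUPLE_KEYS = ("src", "dst", "sport", "dport")


@dataclass
class Entry:
    proto: str
    proto_num: int
    timeout: int              # seconds until the entry expires
    state: Optional[str]      # TCP state such as ESTABLISHED, None otherwise
    original: Dict[str, str]  # src/dst/sport/dport of the first packet
    reply: Dict[str, str]     # src/dst/sport/dport the reply is expected to have
    flags: List[str]          # ASSURED, UNREPLIED, ...


def parse_entry(line: str) -> Entry:
    tokens = line.split()
    if tokens[0] in ("ipv4", "ipv6"):        # nf_conntrack layout: "ipv4 2 ..."
        tokens = tokens[2:]
    proto, proto_num, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    rest = tokens[3:]
    state = None
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)                   # only TCP entries carry a state
    tuples: List[Dict[str, str]] = []
    flags: List[str] = []
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok[1:-1])
            continue
        m = KEYVAL.match(tok)
        if not m:
            continue
        key, val = m.groups()
        if key == "src":                      # "src=" opens a new 4-tuple
            tuples.append({})
        if tuples and key in TUPLE_KEYS:
            tuples[-1][key] = val
    if len(tuples) != 2:
        raise ValueError(f"expected original and reply tuples in: {line!r}")
    return Entry(proto, proto_num, timeout, state, tuples[0], tuples[1], flags)


def endpoint(t: Dict[str, str], addr: str, port: str) -> str:
    return f"{t[addr]}:{t.get(port, '-')}"


def nat_summary(e: Entry) -> List[str]:
    """Compare the reply tuple with the mirror of the original tuple: any
    difference means NAT was applied to that side of the connection."""
    o, r = e.original, e.reply
    out = []
    if (r["dst"], r.get("dport")) != (o["src"], o.get("sport")):
        out.append(f"SNAT {endpoint(o, 'src', 'sport')} -> {endpoint(r, 'dst', 'dport')}")
    if (r["src"], r.get("sport")) != (o["dst"], o.get("dport")):
        out.append(f"DNAT {endpoint(o, 'dst', 'dport')} -> {endpoint(r, 'src', 'sport')}")
    return out


def evictable_early(e: Entry) -> bool:
    """Entries without ASSURED may be thrown out before their timer runs
    out when the conntrack table is full; ASSURED ones only expire."""
    return "ASSURED" not in e.flags


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_entry(line)
        print(f"{e.proto}/{e.proto_num} expires in {e.timeout}s "
              f"state={e.state} flags={e.flags}")
        print("  original:", endpoint(e.original, "src", "sport"), "->",
              endpoint(e.original, "dst", "dport"))
        print("  reply   :", endpoint(e.reply, "src", "sport"), "->",
              endpoint(e.reply, "dst", "dport"))
        for n in nat_summary(e):
            print("  ", n)
        print("  evictable early:", evictable_early(e))
```

On a real box you would feed it the lines of /proc/net/ip_conntrack (or nf_conntrack) instead of SAMPLE_LINES; ICMP entries carry type/code/id instead of ports, which the parser tolerates by leaving the port fields empty.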
examples
These are actual rules in our firewall and the reason they were put there.
give SIP access to an asterisk server in our DMZ
sip example
Clearly this goes in the FORWARD chain, because the packets are relayed from another interface to the DMZ; they are not addressed to the firewall itself (that would be the INPUT chain). So this rule says : "allow packets to port 5060 that go out on the DMZ interface card". Whether it actually matches is easy to check: the packet and byte counters of iptables -L FORWARD -v should go up while a SIP phone registers.