Difference between revisions of "Iptables"
(→chains: fix wrong info, requested in talk page; expansion is requested too)
m (→From the command line: typo)
Line 55:
 pkts bytes target prot opt in out source destination
-Chain OUTPUT (policy ACCEPT
+Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination|prompt=#}}
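Review bot: the `+` line now carries the complete `(policy ACCEPT 0 packets, 0 bytes)` header, which is the policy-plus-counter form iptables prints for a built-in chain, so the sample listing is no longer cut off mid-line; the `|prompt=#}}` tail on the last context line is the closing of the wiki template that wraps the sample output, not part of the command output, and should stay out of any rules file a reader copies from it.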
Revision as of 19:24, 1 November 2011
iptables is a powerful firewall built into the Linux kernel and is part of the netfilter project. It can be configured directly, or through one of the many frontends and GUIs. iptables handles IPv4; ip6tables is the equivalent tool for IPv6.
Installation
First, install the userland utilities:
# pacman -S iptables
Next, add iptables to the DAEMONS array in Template:Filename so that your saved ruleset is loaded at boot.
Basic concepts
tables
iptables contains four tables: raw, filter, nat and mangle.
chains
Chains are ordered lists of rules. A packet starts at the top of a chain and is checked against each rule in turn until it matches one. There are three built-in chains: INPUT, OUTPUT and FORWARD. All outbound, locally-generated traffic passes through the OUTPUT chain, all inbound traffic addressed to the machine itself passes through the INPUT chain, and all routed traffic which is not delivered locally passes through the FORWARD chain. Each built-in chain has a default policy that is applied if no rule matches. User-defined chains can be added to make rulesets more efficient and easier to maintain.
targets
A "target" is the action taken when a packet matches a rule. Targets are specified with the "jump" option (-j). The most common targets are ACCEPT, DROP, REJECT and LOG.
modules
There are many modules which can be used to extend iptables such as connlimit, conntrack, limit and recent. These modules add extra functionality to allow complex filtering rules.
Configuration
From the command line
You can check the current ruleset and the number of hits per rule by using the command:
If the output looks like the above, then there are no rules.
You can flush and reset iptables to default using these commands:
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -F
# iptables -X
Configuration file
The file Template:Filename points to the location of the rules file. The ruleset it names is loaded when the daemon is started.
To save the current ruleset, use this command:
# rc.d save iptables
To load the ruleset, use this command:
# rc.d restart iptables
Saving counters
You can also, optionally, save byte and packet counters along with the rules. To accomplish this, edit Template:Filename as follows.
In the save) section, change the line:
/usr/sbin/iptables-save > $IPTABLES_CONF
to
/usr/sbin/iptables-save -c > $IPTABLES_CONF
In the stop) section, add the following to save before stopping:
stop)
  $0 save
  sleep 2
In the start) section, change the line:
/usr/sbin/iptables-restore < $IPTABLES_CONF
to
/usr/sbin/iptables-restore -c < $IPTABLES_CONF
and save the file.
Guides
Logging
The LOG target can be used to log packets that match a rule. Unlike terminating targets such as ACCEPT or DROP, a packet continues through the chain after matching a LOG rule. This means that in order to log every dropped packet, you would have to add a duplicate LOG rule before each DROP rule. Since this is inefficient and makes the ruleset harder to maintain, a LOGDROP chain can be created instead: it logs the packet and then drops it, so a single jump to LOGDROP replaces each LOG/DROP pair.
## /etc/iptables/iptables.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
... other user defined chains ..
## LOGDROP chain
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG
-A LOGDROP -j DROP
... rules ...
## log AND drop packets that hit this rule:
-A INPUT -m state --state INVALID -j LOGDROP
... more rules ...
Limiting log rate
The limit module should be used to prevent your iptables log from growing too large or causing needless hard drive writes. Without limiting, an attacker could fill your drive (or at least your Template:Filename partition) simply by sending traffic that triggers log entries.
-m limit loads the limit module. You can then use --limit to set an average rate and --limit-burst to set the initial burst allowance. Example:
-A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG
This appends a rule to the LOGDROP chain which logs packets that pass through it. The first 10 packets are logged immediately, and from then on only 5 packets per minute are logged. The burst allowance is restored by one each time the limit rate is not exceeded, so a quiet interval lets the chain log a short burst again.
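The LOGDROP chain above and the limit/burst behaviour just described, as an added illustration that is not part of the original page: a constructed toy model of chain traversal in which LOG is non-terminating, a user-defined chain returns to its caller when it runs out of rules, and -m limit is a token bucket. The Limit, Rule and Firewall classes are assumptions made for the model and do not talk to the kernel; it shows that 20 INVALID packets arriving at once are all dropped but only 10 are logged, and that a minute later 5 more log entries are allowed.

```python
# Constructed toy model of chain traversal, not iptables code: LOG is
# non-terminating, a user chain returns to its caller when its rules run out,
# and "-m limit" is a token bucket (--limit refills it, --limit-burst caps it).
class Limit:                  # models -m limit --limit <rate>/m --limit-burst <burst>
    def __init__(self, rate_per_min, burst):
        self.rate, self.burst = rate_per_min, burst
        self.tokens, self.last = float(burst), 0.0
    def allow(self, now):
        # one token is restored per 60/rate seconds, never above the burst
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate / 60)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

class Rule:
    def __init__(self, target, match=lambda pkt: True, limit=None):
        self.target, self.match, self.limit = target, match, limit

class Firewall:
    def __init__(self, chains, policy):
        self.chains, self.policy, self.logged = chains, policy, []
    def walk(self, chain, pkt, now):
        for r in self.chains.get(chain, []):
            if not r.match(pkt) or (r.limit and not r.limit.allow(now)):
                continue                          # no match: try the next rule
            if r.target == "LOG":
                self.logged.append(pkt)           # LOG does not stop traversal
                continue
            if r.target in ("ACCEPT", "DROP"):
                return r.target                   # terminating target
            verdict = self.walk(r.target, pkt, now)   # jump into a user chain
            if verdict:
                return verdict
        return None                               # fell off the end (RETURN)
    def filter(self, chain, pkt, now=0.0):
        return self.walk(chain, pkt, now) or self.policy[chain]

def demo():
    fw = Firewall(policy={"INPUT": "DROP"}, chains={
        "LOGDROP": [Rule("LOG", limit=Limit(rate_per_min=5, burst=10)), Rule("DROP")],
        "INPUT": [Rule("LOGDROP", match=lambda p: p["state"] == "INVALID"), Rule("ACCEPT")],
    })
    bad = {"state": "INVALID"}
    verdicts = [fw.filter("INPUT", bad, now=0.0) for _ in range(20)]  # burst of 20
    logged_at_once = len(fw.logged)               # only the first 10 are logged
    for _ in range(20):                           # a minute later, 5 tokens are back
        fw.filter("INPUT", bad, now=60.0)
    return verdicts, logged_at_once, len(fw.logged), fw.filter("INPUT", {"state": "NEW"})
```

Packets that the limit rejects skip only the LOG rule and still reach the DROP rule below it, which is the property that makes LOGDROP safe to rate-limit.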
syslog-ng
Assuming you are using syslog-ng, which is the default in Arch Linux, you can control where iptables' log output goes. Change the line:
filter f_everything { level(debug..emerg) and not facility(auth, authpriv); };
to
filter f_everything { level(debug..emerg) and not facility(auth, authpriv) and not filter(f_iptables); };
This will stop logging iptables output to Template:Filename.
If you also want iptables to log to a different file than Template:Filename, you can simply change the file value of destination d_iptables (still in Template:Filename):
destination d_iptables { file("/var/log/iptables.log"); };
ulogd
ulogd is a specialized userspace packet logging daemon for netfilter that can replace the default LOG target. The package Template:Package Official is available in the Template:Codeline repository.