Difference between revisions of "Iptables"

From ArchWiki
Revision as of 02:39, 11 November 2012


Iptables is a powerful firewall built into the Linux kernel and is part of the netfilter project. It can be configured directly, or by using one of the many frontends and GUIs. iptables is used for IPv4 and ip6tables is used for IPv6.

Installation

Note: Your kernel needs to be compiled with iptables support. All stock Arch Linux kernels have iptables support.

First, install the userland utilities, which are provided by the package iptables in the official repositories.

Next, enable, and then start, the iptables systemd service:

# systemctl enable iptables
# systemctl start iptables

If you want IPv6 support, enable, and then start, the ip6tables systemd service:

# systemctl enable ip6tables
# systemctl start ip6tables

Basic concepts

tables

iptables contains four tables: raw, filter, nat and mangle.

chains


Chains are used to specify rulesets. A packet begins at the top of a chain and progresses downwards until it hits a rule. There are three built-in chains: INPUT, OUTPUT and FORWARD. All outbound, locally-generated traffic passes through the OUTPUT chain, all inbound traffic addressed to the machine itself passes through the INPUT chain, and all routed traffic which should not be delivered locally passes through the FORWARD chain. The three built-in chains have default targets which are used if no rules are hit. User-defined chains can be added to make rulesets more efficient.

targets

A "target" is the result that occurs when a packet hits a rule. Targets are specified using "jump" (-j). The most common targets are ACCEPT, DROP, REJECT and LOG.

modules

There are many modules which can be used to extend iptables such as connlimit, conntrack, limit and recent. These modules add extra functionality to allow complex filtering rules.

Configuration

From the command line

You can check the current ruleset and the number of hits per rule by using the command:

# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

If the output looks like the above, then there are no rules.
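To make that check scriptable, here is an added Python example (not from the ArchWiki page) that parses iptables -nvL output into chains and rules, recognizes the empty-ruleset case described above, and sums hit counters per target, for instance to watch how often the LOGDROP chain from the Logging section fires. The sample output it parses is constructed.

```python
import re
# Constructed `iptables -nvL` output (not from the page) for a host with the LOGDROP chain
# from the Logging section; note the K suffix iptables -v uses for large counters.
SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
  340  28K  ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   27  1620 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain LOGDROP (1 references)
 pkts bytes target     prot opt in     out     source               destination
   10   600 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 10 LOG flags 0 level 4
   27  1620 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\S+) packets, (\S+) bytes|\d+ references)\)")
SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def parse_count(tok):
    """Counters are abbreviated by -v once they grow large, e.g. 28K or 3M."""
    return int(tok[:-1]) * SUFFIX[tok[-1]] if tok[-1] in SUFFIX else int(tok)

def parse_nvl(text):
    """Return {chain: {"policy": ..., "policy_pkts": ..., "rules": [...]}}.
    Assumes every rule has a target column (rules without -j print it blank)."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:  # built-in chains carry a policy and its counters, user chains a reference count
            name, policy, ppkts, _pbytes = m.groups()
            current = {"policy": policy, "policy_pkts": parse_count(ppkts) if ppkts else None, "rules": []}
            chains[name] = current
        elif current is not None and line.strip() and not line.lstrip().startswith("pkts"):
            f = line.split()  # column 4 (opt) is skipped; anything after dst is match text
            current["rules"].append({"pkts": parse_count(f[0]), "bytes": parse_count(f[1]),
                                     "target": f[2], "prot": f[3], "in": f[5], "out": f[6],
                                     "src": f[7], "dst": f[8], "match": " ".join(f[9:])})
    return chains

def is_empty_ruleset(chains):
    """The page's 'no rules' case: no chain carries any rule."""
    return all(not c["rules"] for c in chains.values())

def packets_to_target(chains, target):
    """Sum the hit counters of every rule jumping to `target`, e.g. to watch LOGDROP hits."""
    return sum(r["pkts"] for c in chains.values() for r in c["rules"] if r["target"] == target)
```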

You can flush and reset iptables to default using these commands:

# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -F
# iptables -X

Configuration file

The file /etc/conf.d/iptables points to the location of the rules file. The ruleset is loaded when the daemon is started.

/etc/conf.d/iptables
# Configuration for iptables rules
IPTABLES_CONF=/etc/iptables/iptables.rules
IP6TABLES_CONF=/etc/iptables/ip6tables.rules

# Enable IP forwarding (both IPv4 and IPv6)
# NOTE: this is not the recommended way to do this, and is supported only for
# backward compatibility. Instead, use /etc/sysctl.conf and set the following
# options:
# * net.ipv4.ip_forward=1
# * net.ipv6.conf.default.forwarding=1
# * net.ipv6.conf.all.forwarding=1
#IPTABLES_FORWARD=0

To save the current ruleset, use this command:

# rc.d save iptables

To load the ruleset, use this command:

# systemctl restart iptables

For systemd users, after editing the rules, run:

# iptables-save > /etc/iptables/iptables.rules
# systemctl enable iptables
# systemctl start iptables

Saving counters

Note: This will not work if you are using systemd. You will have to edit the systemd service files.

You can also, optionally, save byte and packet counters. To accomplish this, edit /etc/rc.d/iptables.

In the save) section, change the line:

/usr/sbin/iptables-save > $IPTABLES_CONF

to

/usr/sbin/iptables-save -c > $IPTABLES_CONF

In the stop) section, add the following to save before stopping:

stop)
     $0 save
     sleep 2

In the start) section, change the line:

/usr/sbin/iptables-restore < $IPTABLES_CONF

to

/usr/sbin/iptables-restore -c < $IPTABLES_CONF

and save the file.

Guides

Logging

The LOG target can be used to log packets that hit a rule. Unlike other targets like ACCEPT or DROP, the packet will continue moving through the chain after hitting a LOG target. This means that in order to enable logging for all dropped packets, you would have to add a duplicate LOG rule before each DROP rule. Since this reduces efficiency and adds complexity, a LOGDROP chain can be created instead.

## /etc/iptables/iptables.rules

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

... other user defined chains ..

## LOGDROP chain
:LOGDROP - [0:0]

-A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG
-A LOGDROP -j DROP

... rules ...

## log AND drop packets that hit this rule:
-A INPUT -m state --state INVALID -j LOGDROP

... more rules ...

Limiting log rate

The limit module should be used to prevent your iptables log from growing too large or causing needless hard drive writes. Without limiting, an attacker could fill your drive (or at least your /var partition) by causing writes to the iptables log.

-m limit is used to call on the limit module. You can then use --limit to set an average rate and --limit-burst to set an initial burst rate. Example:

-A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG

This appends a rule to the LOGDROP chain which will log all packets that pass through it. The first 10 packets will be logged, and from then on only 5 packets per minute will be logged. The "limit burst" is restored by one every time the "limit rate" is not broken.
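The token-bucket behaviour described above, as an added Python model (not netfilter's own implementation, which uses integer credits): it parses the --limit value the way iptables does (any prefix of second, minute, hour or day, and per second when no unit is given) and counts how many packets hitting the LOGDROP rule would be logged for a given list of arrival times.

```python
from fractions import Fraction

# Added illustration of `-m limit --limit <rate> --limit-burst <burst>` as a token bucket.
# Exact Fraction arithmetic keeps the "1 token every 12 s" refill free of rounding error.
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_limit(spec):
    """'5/m' -> 5/60 tokens per second. iptables accepts any prefix of the unit name."""
    num, _, unit = spec.partition("/")
    unit = unit or "second"                      # a bare `--limit 5` means 5/second
    full = [u for u in UNITS if u.startswith(unit.lower())]
    if len(full) != 1:
        raise ValueError("unknown limit unit: " + spec)
    return Fraction(int(num), UNITS[full[0]])

class LimitMatch:
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = Fraction(burst)            # bucket starts full: the first `burst` packets match
        self.last = Fraction(0)

    def matches(self, t):
        """Return True if a packet arriving at time t (seconds) passes the match."""
        t = Fraction(t)
        # Refill one token per 1/rate seconds since the last packet, never above burst
        self.tokens = min(Fraction(self.burst), self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1                     # a matched packet spends one token
            return True
        return False

def logged_packets(arrivals, limit="5/m", burst=10):
    """Count packets hitting `-A LOGDROP -m limit --limit <limit> --limit-burst <burst> -j LOG`
    that would be logged. Every packet is still dropped by the following `-j DROP` rule."""
    lm = LimitMatch(parse_limit(limit), burst)
    return sum(1 for t in sorted(arrivals) if lm.matches(t))
```

With the page's 5/m and burst 10, a flood of 25 packets at once logs exactly 10, and a steady one-packet-per-second flood for two minutes logs 19 (10 from the burst, then one every 12 seconds).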

syslog-ng

Assuming you are using syslog-ng, which is the default in Arch Linux, you can control where the iptables log output goes by changing the following line in syslog-ng.conf:

filter f_everything { level(debug..emerg) and not facility(auth, authpriv); };

to

filter f_everything { level(debug..emerg) and not facility(auth, authpriv) and not filter(f_iptables); };

This will stop logging iptables output to /var/log/everything.log.

If you also want iptables to log to a different file than /var/log/iptables.log, you can simply change the file value of destination d_iptables here (still in syslog-ng.conf)

destination d_iptables { file("/var/log/iptables.log"); };

ulogd

ulogd is a specialized userspace packet logging daemon for netfilter that can replace the default LOG target. The package ulogd is available in the [community] repository.

See also

* Wikipedia: iptables
* Official iptables web site: http://www.netfilter.org/projects/iptables/index.html
* iptables Tutorial 1.2.2 by Oskar Andreasson: http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
* iptables on the Debian wiki: http://wiki.debian.org/iptables