Tag Archives: chains in iptables

Basics of iptables – Linux firewall

Beginner’s tutorial to understand iptables – Linux firewall. This article explains about iptable basics, different types of chains, and chain policy defining strategy.

iptables – Linux firewall

Linux firewall: iptables! plays a very important role in securing your Linux system. System hardening or locking down cannot be completed without configuring iptables. Here we are discussing the basics of iptables. This article can be referred to by beginners as an iptables guide. In this article we will walkthrough :

  • What is iptables
  • iptables chains
  • Chain policy defining strategy

We discussed how to set iptables rules, how to save iptables settings in this article. Let’s start with iptables basics.

What is iptables

iptables is a Linux native firewall and almost comes pre-installed with all distributions. If by any chance its not on your system you can install an iptables package to get it. As its a firewall, it has got policies termed as ‘chain policies’ which are used to determine whether to allow or block incoming or outgoing connection to or from Linux machine. Different chains used to control the different types of connections defined by its travel direction and policies are defined on each chain type.

In newer versions like RHEL7, the firewall is still powered by iptables only the management part is being handled by a new daemon called firewalld.

As there are policies you can define, one default policy also exists for all chains. If the connection in question does not match with any of the defined policy chains then iptable applies default policy action to that connection. By default (generally) ALLOW rule is configured in defaults under iptables.

iptable chains

As we saw earlier iptables rely on chains to determine the action to be taken in connection, let’s understand what are chains. Chains are connection types defined by their travel direction/behavior. There are three types of chains: Input, Output, Forward.

Input chain :

This chain is used to control incoming connections to the Linux machine. For example, if the user tries to connect the server via ssh (port 22) then the input chain will be checked for IP or user and port if those are allowed. If yes then only the user will be connected to the server otherwise not.

Output chain :

Yes, this chain controls outgoing connections from the Linux machine. If any application or user tries to connect to outside server/IP then the output chain decides if the app/user can connect to destination IP/port or not.

Both chains are stateful. Meaning only said the connection is allowed and a response is not. Means you have to exclusively define input and output chain if your connection needs both way communication (from source to destination and back)

Forward chain :

In most of the systems, it’s not used. If your system is being used as a pass-through or for natting or for forwarding traffic then only this chain is used. When connections/packets are to be forwarded to next hop then this chain is used.

You can view the status of all these chains using the command :

# iptables -L -v
Chain INPUT (policy ACCEPT 8928 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2201 packets, 677K bytes)
 pkts bytes target     prot opt in     out     source               destination

In above output, you can see all three chains details, how many packets were transferred, how much data transferred and default action policy.

Chain policy defining strategy

There are three policies can be defined for chains.

  1. ACCEPT: Allow connection
  2. REJECT: Block connection and send back error message informing source that destination blocked it
  3. DROP: Block connection only (behave like connection never questioned). The source is unaware of being blocked at the destination.

By default, all chains configured with ACCEPT policy for all connections. When configuring policies manually you have to pick either way from below two :

  1. Configure default as REJECT/DROP and exclusively configure each chain and its policy of ALLOW for required IP/subnet/ports.
  2. Configure default as ACCEPT and exclusively configure each chain and its policy of REJECT for required IP/subnet/ports.

You will go with number two unless your system has highly sensitive, important data and should be locked out of the outer world. Obviously, its environment criticality and number of IP/subnet/ports to be allowed/denied makes it easier to select a strategy.

In next article we discussed how to define these chain policies in detail.