
iptables

LAB 4 - ex1

We want to regulate which traffic we accept. To block ICMP echo requests:

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

The host receives the packets but does not process them, and the sender gets no reply.

iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

The client receives an ICMP error packet notifying it that the connection cannot be made.

iptables is the implementation of a packet filtering firewall for Linux that runs in kernel space; with it we can manipulate the rules of the packet filtering table. It operates at the network and transport layers.

Fundamentals

We need a set of rules to be applied to incoming and outgoing packets. Rules are grouped in TABLES; each table has its own chains of rules, and each packet is subject to each rule of a table. Some tables filter packets and others manipulate them. Tables can have different chains, and we use chains to group rules with different meanings: when routing, sending, or receiving.

Filter Table

The Filter table contains three chains: INPUT, OUTPUT, FORWARD.

Usually a script that inserts and saves all the rules is used, but another option is to use the commands iptables-save and iptables-restore.

The LOG target is the exception to the principle "a packet matches only one rule": a LOG rule does not terminate the traversal, so the packet goes on to the following rules. The state module permits specifying rules regarding the state of a connection.

Packets are processed by the INPUT chain if they are destined to the host; if they are not destined to the host they are processed by the FORWARD chain. If the packets are generated by the host, the OUTPUT chain processes them.

ICMP packets have the notion of RELATED; this state is used when an ICMP packet is generated by the host in response to a request.

Other built-in tables

Other tables are the MANGLE table, used to manipulate bits in the TCP and IP headers, for example to edit the TTL and TOS fields. The MANGLE table should not be used for filtering or NAT. It has five chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING. The PREROUTING chain is used to modify the packet before the routing decision is applied (POSTROUTING is the analogue after it).

The FILTER table is used for filtering packets; it has three chains, INPUT, FORWARD and OUTPUT, and is only used when the machine is configured as a router (net.ipv4.ip_forward=1 in sysctl).

The NAT table is used for network address translation, so it is not supposed to be used for filtering. We can use the NAT table to rewrite the source and destination IP addresses and also the source and destination ports. Special targets are DNAT, SNAT, MASQUERADE (dynamic NAT) and REDIRECT.

Chain and table priorities

It is possible to specify a jump rule to a different chain within the same table, thereby extending the functionality of a chain in the same way.
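As an added illustration (not part of the lab notes), the following Python simulator walks a constructed filter ruleset the way the INPUT chain does: the first terminating match wins, a LOG rule records and lets the packet continue, a jump enters a user-defined chain and falls back to the calling chain when nothing there matches, and the chain policy decides at the end. The rule parser, the decide helper and the packet dictionaries are assumptions of this example, not iptables APIs.

```python
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
OPTS = {"-p": "proto", "--icmp-type": "icmp_type"}

def load(script):
    """Constructed ruleset -> (rules per chain, policies); a rule is (match, target)."""
    rules, policies = {}, {}
    for line in script.strip().splitlines():
        argv = line.split()
        if argv[1] == "-P":                               # chain policy
            policies[argv[2]] = argv[3]
        elif argv[1] == "-A":                             # append a rule to a chain
            chain, match, target = argv[2], {}, None
            for opt, val in zip(argv[3::2], argv[4::2]):  # every option here takes one value
                if opt == "-j":
                    target = val
                elif opt == "--state":                    # -m state --state A,B
                    match["state"] = set(val.split(","))
                elif opt in OPTS:
                    match[OPTS[opt]] = {val}
            rules.setdefault(chain, []).append((match, target))
    return rules, policies

def matches(match, pkt):                                  # every match field must hold
    return all(pkt.get(key) in allowed for key, allowed in match.items())

def traverse(rs, chain, pkt, log):
    """Walk CHAIN in order: the first terminating match wins, LOG only records."""
    rules, policies = rs
    hits = (target for match, target in rules.get(chain, []) if matches(match, pkt))
    for target in hits:
        if target == "LOG":
            log.append(f"{chain}: {pkt}")                 # non-terminating: keep walking
        elif target in TERMINAL:
            return target
        elif (v := traverse(rs, target, pkt, log)) is not None:
            return v                                      # jump into a user-defined chain
    return policies.get(chain)                            # built-in: policy; user chain: None

SAMPLE = """
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ICMP-IN
iptables -A ICMP-IN -p icmp --icmp-type echo-request -j LOG --log-prefix ping:
iptables -A ICMP-IN -p icmp --icmp-type echo-request -j REJECT
"""

def decide(pkt, script=SAMPLE):
    log = []                                              # returns (verdict, LOG lines)
    return traverse(load(script), "INPUT", pkt, log), log
```

An echo request in state NEW is logged in ICMP-IN and then rejected, while an unsolicited ICMP error that matches nothing in ICMP-IN falls back to INPUT and is dropped by the policy.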