SlideShare a Scribd company logo

Understanding iptables

Download as PPTX, PDF
Denys Haryachyy, profile picture
Denys Haryachyy

This document provides an overview of iptables and Linux firewall configuration. It discusses Netfilter hooks and stages, stateless and stateful firewall rules using iptables, logging rules, the tables (filter, nat, mangle, raw) and built-in chains, creating custom chains, using ipsets for constant-time lookups, and useful iptables commands. It also briefly mentions using libnetfilter_queue to divert traffic to userspace applications and provides references for further reading on Linux firewalls and Netfilter.

Software
1 of 13
Downloaded 81 times
1
2
Most read
3
4
5
Most read
6
Most read
7
8
9
10
11
12
13
Understanding iptables Linux firewall basics
Netfilter hooks stages Socket App NIC INPUT PRE_ROUTING POST_ROUTING OUTPUT FORWARD
Stateless firewall iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Stateful firewall iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
Logging iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j LOG --log-prefix “In Http:”
Tables overview Filter is a default table. So, if you don’t define you own table, you’ll be using filter table. Each table has a number of predefined chains inside. You can create your own chain. Filter Input Forward Output Nat Output Prerouting Postrouting Mangle Input Prerouting Postrouting Output Forward Raw Output Prerouting
Tables in shell iptables -t mangle -A POSTROUTING -o $NETCARD -p tcp -m connbytes --connbytes 10000000: --connbytes-mode bytes --connbytes-dir both -j CONNMARK --set-mark 999 iptables -t mangle -A INPUT -i eth0 -p tcp --dport 80 -m string --string ”get /admin http/” --icase --algo bm -m conntrack --ctstate ESTABLISHED -j DROP iptables -t filter -A input -p tcp --dport 22 -m time --datestart “” --datestop “” --utc --j DROP
Custom chains Create a new chain iptables -N LOGDROP Add chain rules iptables -A LOGDROP -j LOG --log-level 4 --log-prefix 'SourceDrop ' iptables -A LOGDROP -j DROP Add chain rules to iptables rules iptables -A INPUT -s 10.0.0.0/8 -j LOGDROP
Netfilter in user land libnetfilter_queue is used to divert traffic to user application Packets are not duplicated User application has to inject a packet back Useful for debugging rules
ip sets Constant time hash lookup modprobe ip_set ipset -N droplist nethash ipset -add droplist 192.168.1.0/24 iptables -A INPUT -m set --set droplistsrc -j DROP
Useful commands Drop all rules iptables -F Quickly restore rules iptables-restore <rules list file>
References Designing and Implementing Linux Firewalls with QoS using netfilter, iproute2, NAT and L7-filter Netfilter & Iptables Elements Linux Firewall Tutorial: IPTables Tables, Chains, Rules Fundamentals Understanding Linux Network Internals iptables book Iptables targets and jumps Security in Linux
My blog Learning Network Programming

More Related Content

PDF
LinuxCon 2015 Linux Kernel Networking Walkthrough
Thomas Graf
 
PDF
Container Performance Analysis
Brendan Gregg
 
PDF
netfilter and iptables
Kernel TLV
 
PPTX
Linux Network Stack
Adrien Mahieux
 
PDF
Linux Networking Explained
Thomas Graf
 
PDF
CCNA CheatSheet
Eng. Emad Al-Atoum
 
PDF
IntelON 2021 Processor Benchmarking
Brendan Gregg
 
PDF
Uboot startup sequence
Houcheng Lin
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
Thomas Graf
 
Container Performance Analysis
Brendan Gregg
 
netfilter and iptables
Kernel TLV
 
Linux Network Stack
Adrien Mahieux
 
Linux Networking Explained
Thomas Graf
 
CCNA CheatSheet
Eng. Emad Al-Atoum
 
IntelON 2021 Processor Benchmarking
Brendan Gregg
 
Uboot startup sequence
Houcheng Lin
 

What's hot (20)

PDF
QEMU Disk IO Which performs Better: Native or threads?
Pradeep Kumar
 
ODP
nftables - the evolution of Linux Firewall
Marian Marinov
 
PDF
Linux Kernel vs DPDK: HTTP Performance Showdown
ScyllaDB
 
PDF
OVS and DPDK - T.F. Herbert, K. Traynor, M. Gray
harryvanhaaren
 
PDF
Velocity 2015 linux perf tools
Brendan Gregg
 
PDF
The linux networking architecture
hugo lu
 
PPTX
The TCP/IP Stack in the Linux Kernel
Divye Kapoor
 
PDF
Linux Performance Analysis: New Tools and Old Secrets
Brendan Gregg
 
PDF
Linux Linux Traffic Control
SUSE Labs Taipei
 
PDF
Linux Performance Analysis and Tools
Brendan Gregg
 
PPTX
Présentation NAC-NAP PPT HARIFI Madiha
Harifi Madiha
 
PDF
LCU14 302- How to port OP-TEE to another platform
Linaro
 
PPTX
JUNOS - Monitoring and Troubleshooting
Zenith Networks
 
PDF
DevConf 2014 Kernel Networking Walkthrough
Thomas Graf
 
PDF
YOW2020 Linux Systems Performance
Brendan Gregg
 
PPTX
Broken Linux Performance Tools 2016
Brendan Gregg
 
PPTX
用Raspberry Pi 學Linux I2C Driver
艾鍗科技
 
PPTX
CloudStack Networking
CloudStack - Open Source Cloud Computing Project
 
PDF
LISA2019 Linux Systems Performance
Brendan Gregg
 
PDF
Using eBPF for High-Performance Networking in Cilium
ScyllaDB
 
QEMU Disk IO Which performs Better: Native or threads?
Pradeep Kumar
 
nftables - the evolution of Linux Firewall
Marian Marinov
 
Linux Kernel vs DPDK: HTTP Performance Showdown
ScyllaDB
 
OVS and DPDK - T.F. Herbert, K. Traynor, M. Gray
harryvanhaaren
 
Velocity 2015 linux perf tools
Brendan Gregg
 
The linux networking architecture
hugo lu
 
The TCP/IP Stack in the Linux Kernel
Divye Kapoor
 
Linux Performance Analysis: New Tools and Old Secrets
Brendan Gregg
 
Linux Linux Traffic Control
SUSE Labs Taipei
 
Linux Performance Analysis and Tools
Brendan Gregg
 
Présentation NAC-NAP PPT HARIFI Madiha
Harifi Madiha
 
LCU14 302- How to port OP-TEE to another platform
Linaro
 
JUNOS - Monitoring and Troubleshooting
Zenith Networks
 
DevConf 2014 Kernel Networking Walkthrough
Thomas Graf
 
YOW2020 Linux Systems Performance
Brendan Gregg
 
Broken Linux Performance Tools 2016
Brendan Gregg
 
用Raspberry Pi 學Linux I2C Driver
艾鍗科技
 
CloudStack Networking
CloudStack - Open Source Cloud Computing Project
 
LISA2019 Linux Systems Performance
Brendan Gregg
 
Using eBPF for High-Performance Networking in Cilium
ScyllaDB
 
Ad

Viewers also liked (19)

PPTX
Vagrant
Denys Haryachyy
 
PPTX
Git basics
Denys Haryachyy
 
PPTX
Understanding DPDK algorithmics
Denys Haryachyy
 
PPTX
History of the personal computer
Denys Haryachyy
 
PPTX
C++ 11
Denys Haryachyy
 
PPTX
Secure communication
Denys Haryachyy
 
PPTX
Understanding DPDK
Denys Haryachyy
 
PPTX
Network sockets
Denys Haryachyy
 
PPTX
DPDK KNI interface
Denys Haryachyy
 
PDF
Iptables presentation
Emin Abdul Azeez
 
PPT
Iptables in linux
Mandeep Singh
 
PDF
netfilter programming
Gopi Krishnan S
 
PPT
IPTABLES
Tan Huynh Cong
 
PDF
Iptables Configuration
stom123
 
PDF
DPDK Summit - 08 Sept 2014 - Intel - Networking Workloads on Intel Architecture
Jim St. Leger
 
PDF
DPDK Summit 2015 - Intel - Keith Wiles
Jim St. Leger
 
PDF
Intel DPDK Step by Step instructions
Hisaki Ohara
 
KEY
Fosscon 2012 firewall workshop
jvehent
 
PDF
How to Become a Thought Leader in Your Niche
Leslie Samuel
 
Vagrant
Denys Haryachyy
 
Git basics
Denys Haryachyy
 
Understanding DPDK algorithmics
Denys Haryachyy
 
History of the personal computer
Denys Haryachyy
 
C++ 11
Denys Haryachyy
 
Secure communication
Denys Haryachyy
 
Understanding DPDK
Denys Haryachyy
 
Network sockets
Denys Haryachyy
 
DPDK KNI interface
Denys Haryachyy
 
Iptables presentation
Emin Abdul Azeez
 
Iptables in linux
Mandeep Singh
 
netfilter programming
Gopi Krishnan S
 
IPTABLES
Tan Huynh Cong
 
Iptables Configuration
stom123
 
DPDK Summit - 08 Sept 2014 - Intel - Networking Workloads on Intel Architecture
Jim St. Leger
 
DPDK Summit 2015 - Intel - Keith Wiles
Jim St. Leger
 
Intel DPDK Step by Step instructions
Hisaki Ohara
 
Fosscon 2012 firewall workshop
jvehent
 
How to Become a Thought Leader in Your Niche
Leslie Samuel
 
Ad

Similar to Understanding iptables (20)

PDF
[2019.01.12] hst iptables 101 to 301
Chia-Hao Tsai
 
PDF
Iptables fundamentals
ram_b17
 
PPTX
Firewall
khalid abdelazim
 
PPTX
Linux Firewall (Netfilter )and tools .pptx
Romal-Yorish
 
PDF
Firewall Facts
DAVID RAUDALES
 
PPT
I ptable
Sandeep Gupta
 
PPT
Iptables
leminhvuong
 
PPTX
Firewalls rules using iptables in linux
aamir lucky
 
PDF
Linux iptables Pocket Reference 1st Edition Gregor N. Purdy download pdf
sariyealpire
 
PPTX
Iptables the Linux Firewall
Syed fawad Gillani
 
PDF
Chapter 6 firewall
newbie2019
 
PDF
Linux firewall
chanmyaeag
 
DOCX
Creating a firewall in UBUNTU
Mumbai University
 
PDF
IP Tables Primer - Part 1
n|u - The Open Security Community
 
PDF
IPTables Primer - Part 1
Nishanth Kumar Pathi
 
PPTX
IP Tables And Filtering
SuperstarRr
 
PDF
Packet Filtering Using Iptables
Ahmed Mekkawy
 
PPT
Linux Firewall - NullCon Chennai Presentation
Vinoth Sivasubramanan
 
PDF
iptable casestudy by sans.pdf
Admin621695
 
ODP
Firewalld : A New Interface to Your Netfilter Stack
Mahmoud Shiri Varamini
 
[2019.01.12] hst iptables 101 to 301
Chia-Hao Tsai
 
Iptables fundamentals
ram_b17
 
Firewall
khalid abdelazim
 
Linux Firewall (Netfilter )and tools .pptx
Romal-Yorish
 
Firewall Facts
DAVID RAUDALES
 
I ptable
Sandeep Gupta
 
Iptables
leminhvuong
 
Firewalls rules using iptables in linux
aamir lucky
 
Linux iptables Pocket Reference 1st Edition Gregor N. Purdy download pdf
sariyealpire
 
Iptables the Linux Firewall
Syed fawad Gillani
 
Chapter 6 firewall
newbie2019
 
Linux firewall
chanmyaeag
 
Creating a firewall in UBUNTU
Mumbai University
 
IP Tables Primer - Part 1
n|u - The Open Security Community
 
IPTables Primer - Part 1
Nishanth Kumar Pathi
 
IP Tables And Filtering
SuperstarRr
 
Packet Filtering Using Iptables
Ahmed Mekkawy
 
Linux Firewall - NullCon Chennai Presentation
Vinoth Sivasubramanan
 
iptable casestudy by sans.pdf
Admin621695
 
Firewalld : A New Interface to Your Netfilter Stack
Mahmoud Shiri Varamini
 

Recently uploaded (20)

PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PPTX
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PPTX
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PPTX
ManageIQ - Sprint 268 Review - Slide Deck
ManageIQ
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
Introduction Database Management System for Course Database
ReinertYosua
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
ManageIQ - Sprint 268 Review - Slide Deck
ManageIQ
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 

Understanding iptables

  • 3. Stateless firewall iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  • 4. Stateful firewall iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
  • 5. Logging iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j LOG --log-prefix “In Http:”
  • 6. Tables overview Filter is a default table. So, if you don’t define you own table, you’ll be using filter table. Each table has a number of predefined chains inside. You can create your own chain. Filter Input Forward Output Nat Output Prerouting Postrouting Mangle Input Prerouting Postrouting Output Forward Raw Output Prerouting
  • 7. Tables in shell iptables -t mangle -A POSTROUTING -o $NETCARD -p tcp -m connbytes --connbytes 10000000: --connbytes-mode bytes --connbytes-dir both -j CONNMARK --set-mark 999 iptables -t mangle -A INPUT -i eth0 -p tcp --dport 80 -m string --string ”get /admin http/” --icase --algo bm -m conntrack --ctstate ESTABLISHED -j DROP iptables -t filter -A input -p tcp --dport 22 -m time --datestart “” --datestop “” --utc --j DROP
  • 8. Custom chains Create a new chain iptables -N LOGDROP Add chain rules iptables -A LOGDROP -j LOG --log-level 4 --log-prefix 'SourceDrop ' iptables -A LOGDROP -j DROP Add chain rules to iptables rules iptables -A INPUT -s 10.0.0.0/8 -j LOGDROP
  • 9. Netfilter in user land libnetfilter_queue is used to divert traffic to user application Packets are not duplicated User application has to inject a packet back Useful for debugging rules
  • 10. ip sets Constant time hash lookup modprobe ip_set ipset -N droplist nethash ipset -add droplist 192.168.1.0/24 iptables -A INPUT -m set --set droplistsrc -j DROP
  • 11. Useful commands Drop all rules iptables -F Quickly restore rules iptables-restore <rules list file>
  • 12. References Designing and Implementing Linux Firewalls with QoS using netfilter, iproute2, NAT and L7-filter Netfilter & Iptables Elements Linux Firewall Tutorial: IPTables Tables, Chains, Rules Fundamentals Understanding Linux Network Internals iptables book Iptables targets and jumps Security in Linux