iptables Firewalling and Packet-Filtering
Quick Start Guide

Iptables is a powerful packet-filtering tool available on ImageStream routers with ImageStream Linux version 4.0 or later. This document will provide examples on how to use Iptables to add basic firewalling, port forwarding and network address translation (NAT) capabilities to your ImageStream router. More in-depth information is available in the iptables HOWTO linked to the Other On-line Resources page on this site.

Iptables Basics

Iptables is a utility used to set up, maintain, and inspect the packet filtering rules in ImageStream Linux. Iptables handles packets in one of two ways: chains and tables. A chain is a set of rules that tells iptables how to manipulate a packet that matches a given rule. Even with no user-defined iptables statements on your router, each packet passing through the router will flow through at least one of the three predefined chains in the operating system:
                       _____
                      /     \
 IN -->[Routing ]--->|FORWARD|-------> OUT
       [Decision]     \_____/        ^ 
            |                        |
            v                       ____  
           ___                     /    \ 
          /   \                   |OUTPUT|
         |INPUT|                   \____/ 
          \___/                      ^    
            |                        |
             ----> Local Process ----


When packets enter the router, iptables makes a "Routing Decision." The router will decide if the packet needs to be forwarded, or if it is destined for a local interface on the router. If the router needs to forward the packet, iptables will add it to the FORWARD chain. If the packet is destined for a local interface on the router, iptables will add it to the INPUT chain. If a local process on the router generates a packet, it will pass through the OUTPUT chain. By default, each of the chains will accept any packet.

Iptables Firewall Setup

This section will provide an example of a basic firewall setup using Iptables. We will start with defining a new "firewall" chain.
iptables -N FIREWALL
This creates a new chain named FIREWALL. Next, we will add some rules to this firewall chain.
iptables -A FIREWALL -i eth1 -s 192.168.0.0/16 -j DROP
This adds a new rule to the firewall chain. The "-A" option (add) tells Iptables to add this rule to the FIREWALL chain. The "-i" (interface) option tells Iptables to apply this rule only to incoming packets on the eth1 interface. The "-s" option ensures that only packets with a source address of 192.168.0.0/16 (Class B) will match this rule. The "-j" option tells iptables what to do if the packet matches the rule. In this example, iptables will drop the packet. Taken as a whole, this command will drop all incoming packets on eth1 with a source IP address of 192.168.0.0/16.

Other valid commands and options are listed in the iptables HOWTO linked to the Other On-line Resources page on this site. Here are several common example chain commands:
iptables -A FIREWALL -s 128.211.243.16 -d 128.211.245.156 -j ACCEPT
This command will accept all traffic from 128.211.243.16 to 128.211.245.156.
iptables -A FIREWALL -i eth1 -d 128.211.245.156 -p tcp --dport 21 \
-j DROP
This command will drop all incoming traffic on eth1 for the ftp port (port 21) where the destination is 128.211.245.156.

You can add any number of rules to a chain. After all of the processing rules have been added to the FIREWALL chain, we need to send incoming packets (packets passing through the INPUT or FORWARD chains, as described above) to our user-defined FIREWALL chain.
iptables -A INPUT -j FIREWALL
iptables -A FORWARD -j FIREWALL
These two commands cause all packets in the INPUT and FORWARD chains to also pass through the FIREWALL chain. Below is a complete example of a simple firewall. In this example, the incoming interface is eth1 and eth0 is being firewalled.
# begin example

# setup the firewall chain

iptables -N FIREWALL

# add rules to the chain

iptables -A FIREWALL -i eth1 -s 192.168.0.0/16 -j DROP

iptables -A FIREWALL -i eth1 -s 205.159.243.0/24 -d 128.211.245.156 \
-j ACCEPT

iptables -A FIREWALL -i eth1 -s 216.117.0.0/16 -p tcp --dport 21 \
-j ACCEPT

iptables -A FIREWALL -i eth1 -d 128.211.245.156 -p tcp --dport 21 \
-j DROP

# insert the FIREWALL chain into the INPUT and FORWARD chains

iptables -A INPUT -j FIREWALL

iptables -A FORWARD -j FIREWALL
# end example
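
The following is an added example, not part of the original guide or ImageStream's software: a small Python model that evaluates the four FIREWALL rules above against constructed packets, to show that the first matching rule decides and that a packet matching no rule falls back to the default ACCEPT policy. It assumes the jump to FIREWALL is the only rule in INPUT and FORWARD, as in the example; the sample source addresses and helper names are made up for illustration.

```python
import ipaddress
import shlex

# The four FIREWALL rules from the complete example, in the order they were appended.
RULES = """\
-A FIREWALL -i eth1 -s 192.168.0.0/16 -j DROP
-A FIREWALL -i eth1 -s 205.159.243.0/24 -d 128.211.245.156 -j ACCEPT
-A FIREWALL -i eth1 -s 216.117.0.0/16 -p tcp --dport 21 -j ACCEPT
-A FIREWALL -i eth1 -d 128.211.245.156 -p tcp --dport 21 -j DROP
"""

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into match fields plus a target."""
    tok = shlex.split(line)
    opts = dict(zip(tok[0::2], tok[1::2]))  # every option used here takes one value
    net = lambda key: ipaddress.ip_network(opts[key]) if key in opts else None
    return {"iface": opts.get("-i"), "src": net("-s"), "dst": net("-d"),
            "proto": opts.get("-p"), "target": opts["-j"],
            "dport": int(opts["--dport"]) if "--dport" in opts else None}

def matches(rule, pkt):
    """A rule matches only when every field it specifies agrees with the packet."""
    return (rule["iface"] in (None, pkt["iface"])
            and (rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(pkt["dst"]) in rule["dst"])
            and rule["proto"] in (None, pkt["proto"])
            and rule["dport"] in (None, pkt["dport"]))

def verdict(pkt, chain, policy="ACCEPT"):
    """Return (target, rule number); the first match wins, else the policy applies."""
    for number, rule in enumerate(chain, 1):
        if matches(rule, pkt):
            return rule["target"], number
    return policy, None

CHAIN = [parse_rule(line) for line in RULES.splitlines()]

def packet(src, dport, dst="128.211.245.156"):
    """Constructed sample packet: TCP, arriving on eth1."""
    return {"iface": "eth1", "src": src, "dst": dst, "proto": "tcp", "dport": dport}

if __name__ == "__main__":
    for pkt in (packet("192.168.4.9", 80),     # private source: rule 1 drops it
                packet("216.117.8.1", 21),     # rule 3 accepts before rule 4 can drop
                packet("203.0.113.7", 21),     # FTP from elsewhere: rule 4 drops it
                packet("203.0.113.7", 23)):    # no rule matches: policy decides
        print(pkt["src"], pkt["dport"], verdict(pkt, CHAIN))
```

Passing policy="DROP" to verdict() shows how the last packet would fare on a default-deny chain, and reordering CHAIN shows how moving the port 21 DROP rule ahead of the 216.117.0.0/16 ACCEPT rule changes the outcome.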

Iptables - Tables

There are three available tables within iptables: filter, nat and mangle. You can add chains to each table by invoking the "-t" (table) option in iptables. This option specifies the packet-matching table on which the command should operate.

The "filter" table is the default table. It contains the built-in chains discussed above: INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally generated packets).

The second, and frequently used, table is the "nat" (network address translation) table. This table is consulted when the router encounters a packet creating a new connection. The nat table consists of three built-in chains: PREROUTING (Destination NAT, for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (Source NAT, for altering packets as they are about to go out).

The third table, "mangle," is used for specialized packet alteration. It has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing).

Iptables NAT and Port forwarding

The Network Address Translation table is most frequently used for firewalls. You create NAT rules that tell the kernel what connections to change, and how to change them. To do this, we tell iptables to alter the NAT table by specifying the "-t nat" option.

There are two types of Network Address Translation that Iptables supports: source NAT and destination NAT. Source NAT is used to change the apparent source of a packet.

Source NAT is done in the POSTROUTING chain, just before a packet is finally sent out. This is an important detail, since it means that anything else on the router itself (routing, packet filtering) will see the packet unchanged. It also means that the "-o" (outgoing interface) option can be used. This can be used to put an entire network behind a single outbound machine.

Destination NAT is done in the PREROUTING chain, just as the packet comes in; this means that anything else on the Linux box itself (routing, packet filtering) will see the packet going to its "real" destination. It also means that the "-i" (incoming interface) option can be used. Destination NAT is sometimes called port forwarding, and can also be used to redirect packets.

Iptables NAT examples

Below is a source NAT example where all traffic from 192.168.0.0/24 that is outgoing on eth1 will get its source changed to 1.2.3.4. This example would allow all of the machines in the 192.168.0.0 network to talk to the 1.2.3.0 network.
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 \
-j SNAT --to 1.2.3.4
Source NAT is specified using `-j SNAT', and the `--to-source' option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).
## Change source addresses to 1.2.3.4.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6

## Change source addresses to 1.2.3.4, ports 1-1023
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT \
--to 1.2.3.4:1-1023
Destination NAT is specified using `-j DNAT', and the `--to-destination' option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).
## Change destination address of 1.2.3.4 to 192.168.1.1
iptables -t nat -A PREROUTING -i eth0 -j DNAT -d 1.2.3.4 --to 192.168.1.1

## Change destination addresses to 5.6.7.8
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8

## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10

## Change destination addresses of web traffic to 5.6.7.8, port 8080.
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 \
-j DNAT --to 5.6.7.8:8080
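
The following is an added example, not part of the original guide: a simplified Python model of the hook order described earlier (DNAT in PREROUTING, then routing and the filter FORWARD chain, then SNAT in POSTROUTING), showing which addresses a FORWARD filter rule actually sees. It combines the page's DNAT rule for 1.2.3.4 with its SNAT rule on eth0; the interface roles, the routing table, the DROP policy and the sample packets are assumptions made for illustration.

```python
# Simplified single-pass model of the hook order described above:
# nat PREROUTING (DNAT) -> routing -> filter FORWARD -> nat POSTROUTING (SNAT).
# Interface roles are assumptions: eth0 faces outside, eth1 holds 192.168.1.0/24.

def prerouting(pkt):
    # iptables -t nat -A PREROUTING -i eth0 -j DNAT -d 1.2.3.4 --to 192.168.1.1
    if pkt["in"] == "eth0" and pkt["dst"] == "1.2.3.4":
        return {**pkt, "dst": "192.168.1.1"}
    return pkt

def route(pkt):
    # Hypothetical routing table: the inside network is on eth1, the rest on eth0.
    out = "eth1" if pkt["dst"].startswith("192.168.1.") else "eth0"
    return {**pkt, "out": out}

def forward(pkt, rules, policy="DROP"):
    # First matching filter rule wins. The DROP policy is an assumption made
    # here so that an unmatched packet is visible; the router default is ACCEPT.
    for match, target in rules:
        if all(pkt[field] == value for field, value in match.items()):
            return target
    return policy

def postrouting(pkt):
    # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
    if pkt["out"] == "eth0":
        return {**pkt, "src": "1.2.3.4"}
    return pkt

def traverse(pkt, rules):
    """Return (verdict, (src, dst) seen by FORWARD, (src, dst) sent out or None)."""
    pkt = route(prerouting(pkt))
    seen = (pkt["src"], pkt["dst"])
    if forward(pkt, rules) != "ACCEPT":
        return "DROP", seen, None
    pkt = postrouting(pkt)
    return "ACCEPT", seen, (pkt["src"], pkt["dst"])

# Constructed packets: one arriving from outside, one leaving the inside host.
INBOUND = {"in": "eth0", "src": "203.0.113.7", "dst": "1.2.3.4"}
OUTBOUND = {"in": "eth1", "src": "192.168.1.1", "dst": "203.0.113.7"}

if __name__ == "__main__":
    print(traverse(INBOUND, [({"dst": "1.2.3.4"}, "ACCEPT")]))       # never matches
    print(traverse(INBOUND, [({"dst": "192.168.1.1"}, "ACCEPT")]))   # matches
    print(traverse(OUTBOUND, [({"src": "192.168.1.1"}, "ACCEPT")]))  # SNAT after filter
```

A FORWARD rule written against the public address 1.2.3.4 never matches in either direction: inbound packets have already been rewritten to 192.168.1.1, and outbound packets still carry their inside source address when they are filtered.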

Redirection

There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.
## Send incoming port-80 web traffic to our squid (transparent) proxy
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
        -j REDIRECT --to-port 3128
(Note that squid needs to be configured to know it's a transparent proxy!)

Below is a destination NAT example that will send all incoming ftp connections (port 21) to a machine at 1.2.3.4
iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth1 -j DNAT \
--to 1.2.3.4