Introduction to iptables
On Linux systems, iptables is one commonly used interface to the Netfilter subsystem in the Linux kernel. Netfilter is the code that actually performs packet inspection and filtering, and it can be configured in several different ways. Although newer interfaces, such as nftables, are now available, the iptables interface is still widely used. By convention, iptables is always written in lowercase to match the name of the corresponding iptables command (remember that commands are case-sensitive in Linux).
Firewalls and the OSI Model
In the context of networking, we frequently use the 7-layer Open Systems Interconnection (OSI) model to explain concepts and define protocols. Whenever we are routing network packets between network segments, we focus on layer 3, or the Network Layer (Figure 1). Since a firewall is often deployed on a system that is also responsible for routing packets (a router), it is tempting to think of the firewall as part of layer 3.
While it is true that the routing of packets (also known as datagrams) happens at layer 3, firewalls are not limited to working only at this layer. As shown in Figure 2, a comprehensive firewall system may also be aware of protocols at other layers. In particular, many firewalls have capabilities for working with Application, Transport, and Data Link Layer protocols, in addition to the Network Layer protocols.
By having code that can process both higher and lower layer protocols, a network firewall can perform Deep Packet Inspection (DPI). DPI permits the firewall to make decisions based on the application protocol and payload actually carried in a packet, not only on the service for which the packet is nominally destined. Without DPI, a firewall is limited to the layer 3 source and destination addresses, the layer 4 protocol (TCP, UDP, ICMP), and the layer 4 source and destination ports. Many firewall decisions can be made based only on these address and port properties. However, an attacker can spoof a source address, or carry an unrelated protocol over a port the firewall has to leave open (such as TCP port 443), and pass straight through a simple packet filter. DPI improves overall security by allowing the firewall to make decisions based on the content of the packet and not just its address information, although it cannot see inside encrypted payloads unless the traffic is deliberately intercepted and decrypted.
Functions of a Firewall
In many contexts, the firewall is viewed as part of the router that connects the Local Area Network (LAN) to the Internet. However, a firewall can also be deployed on a host that is not a router. In fact, it is good security practice to run a firewall on every host in a network, including servers, workstations, laptops, and mobile devices.
The reason to deploy a firewall on every device is to protect each host from unauthorized connections, including connections from other hosts on the same LAN, which an edge firewall never sees. At the edge of the network, the router firewall commonly blocks connections to services that should not be public. A firewall on each host allows connections to be restricted with finer-grained controls. For example, connections to a given service on a host can be restricted to certain IP addresses, controlling which devices on the LAN can access that service.
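The following shell script is an added example and is not part of the original lesson. It builds exactly the kind of per-host policy described above, a default-deny INPUT chain that admits SSH only from one LAN prefix, in the file format read by iptables-restore. The LAN prefix 192.168.1.0/24 and port 22 are assumptions for the example; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original lesson: build a host firewall in the
# format read by iptables-restore. The LAN prefix and SSH port are
# assumptions for the example; substitute your own.

# host_ruleset LAN_CIDR [SSH_PORT]
# Print a complete *filter table that drops inbound traffic by default and
# allows SSH only from the given LAN prefix.
host_ruleset() {
    lan="$1"
    ssh_port="${2:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic never leaves the host; many local services depend on it.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host accepted or initiated (connection tracking).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no known connection (e.g. stray or forged segments).
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP is needed for path MTU discovery and basic diagnostics such as ping.
-A INPUT -p icmp -j ACCEPT
# SSH, but only for new connections arriving from the LAN prefix.
-A INPUT -p tcp -s ${lan} --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# Anything not accepted above falls through to the INPUT policy: DROP.
COMMIT
EOF
}

# count_accept_rules LAN_CIDR [SSH_PORT]: number of ACCEPT rules in the
# generated ruleset, a quick sanity check that nothing unexpected crept in.
count_accept_rules() {
    host_ruleset "$@" | grep -c -- '-j ACCEPT$'
}

# Review the output first; apply with:
#   host_ruleset 192.168.1.0/24 22 | sudo iptables-restore
host_ruleset 192.168.1.0/24 22
```

Two caveats. Policies and rules loaded this way do not survive a reboot unless the distribution's persistence mechanism (for example the iptables-persistent package, or a systemd unit that runs iptables-restore) is used. And this file configures IPv4 only: a dual-stack host needs a separate file for ip6tables-restore with an IPv6 prefix and `-p icmpv6` instead of `-p icmp`, because ICMPv6 carries neighbor discovery and dropping it breaks IPv6 entirely.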
On the other hand, a firewall like Netfilter can also be used on the network router as part of routing and Network Address Translation (NAT) for IPv4. In that role it rewrites packet headers and works with the kernel's routing code to forward packets between networks. In fact, any Linux computer can function as a network router. Many consumer and business “router” appliances are just small computers with Linux kernels using Netfilter as part of the routing solution.
Firewalls may also be used to implement more advanced network and traffic management techniques. Apart from NAT, one common use of a firewall is to implement Quality of Service (QoS), which allows some kinds of network traffic to be prioritized over other kinds of traffic. For example, QoS makes it possible to ensure that a real-time video call is not affected by a simultaneous large file download.
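The following script is an added example, not part of the original lesson, showing the router role described above in iptables-restore format: source NAT (masquerading) for a LAN, a FORWARD chain that only lets replies back in from the WAN, and an optional destination NAT that publishes an internal web server on TCP/443. The interface names eth1 (LAN) and eth0 (WAN), the prefix 192.168.1.0/24 and the server address 192.168.1.10 are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original lesson: a minimal IPv4 NAT router in
# iptables-restore format. Interface names, the LAN prefix and the internal
# web server address are assumptions for the example.

# router_ruleset LAN_IF WAN_IF LAN_CIDR [WEB_HOST]
# Print the nat and filter tables for a router that masquerades LAN traffic
# toward the WAN and, if WEB_HOST is given, forwards TCP/443 from the WAN to it.
router_ruleset() {
    lan_if="$1"; wan_if="$2"; lan="$3"; web="$4"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source NAT: LAN packets leaving the WAN side get the router's own (possibly
# dynamic) WAN address; connection tracking reverses the mapping for replies.
-A POSTROUTING -s ${lan} -o ${wan_if} -j MASQUERADE
EOF
    # Destination NAT (a port forward) happens in PREROUTING, before routing.
    if [ -n "$web" ]; then
        printf '%s\n' "-A PREROUTING -i $wan_if -p tcp --dport 443 -j DNAT --to-destination $web:443"
    fi
    cat <<EOF
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Administer the router from the LAN side only.
-A INPUT -i ${lan_if} -p tcp --dport 22 -j ACCEPT
# Forwarding policy: LAN hosts may initiate toward the WAN; from the WAN only
# replies to existing connections are forwarded back in.
-A FORWARD -i ${lan_if} -o ${wan_if} -s ${lan} -j ACCEPT
-A FORWARD -i ${wan_if} -o ${lan_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # FORWARD sees the packet after DNAT, so match the rewritten destination.
    if [ -n "$web" ]; then
        printf '%s\n' "-A FORWARD -i $wan_if -o $lan_if -d $web -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
    fi
    echo COMMIT
}

# Forwarding must also be enabled in the kernel, or the FORWARD chain never
# sees a packet:  sysctl -w net.ipv4.ip_forward=1  (persist it in /etc/sysctl.d).
# Apply with:  router_ruleset eth1 eth0 192.168.1.0/24 192.168.1.10 | sudo iptables-restore
router_ruleset eth1 eth0 192.168.1.0/24 192.168.1.10
```

MASQUERADE is the right target when the WAN address is assigned dynamically; with a fixed address, SNAT --to-source is cheaper because the kernel does not have to look the address up per connection. Note that the FORWARD policy is DROP, so every path through the router has to be allowed explicitly.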
With each additional capability, the complexity of the firewall implementation and its configuration increases. Firewall rules can become lengthy and difficult to understand. For this reason, several interfaces have been created for firewall configuration. The Linux iptables command is one such interface; ip6tables is the corresponding interface for IPv6. The two are configured separately, so a dual-stack host protected only by iptables rules still has its IPv6 side wide open.
iptables
As depicted in Figure 3, the Linux Netfilter firewall is fairly complex. It is capable of filtering incoming and outgoing traffic to and from the host on which the firewall is running. In addition, Netfilter also supports rules for routing packets between networks, allowing any Linux system to function as a router.
An important distinction needs to be made between Netfilter and iptables/ip6tables. The Netfilter code is part of the Linux kernel and is therefore a facility of the operating system. The iptables and ip6tables commands are userspace interfaces for configuring Netfilter. These interfaces are part of the operating environment, since they are outside the kernel. iptables and ip6tables are two of several ways of configuring Netfilter; other userspace interfaces exist, such as nftables.
Configuring iptables
Both iptables and ip6tables are command-line interfaces to Netfilter. A number of other firewall tools are built on top of iptables and ip6tables in an effort to simplify configuration. Examples include firewalld, ufw, Shorewall, and Firestarter (the last of which is no longer maintained). Each of these tools has its own configuration system and syntax, separate from iptables.
In these lessons, I will focus on writing iptables and ip6tables rules by hand instead of using one of these frontends. Writing the rules manually makes it easier to understand exactly what the firewall is doing, and therefore less likely that an unintended port or service will be exposed to the public. In addition, the iptables command is available on virtually every Linux distribution, either installed by default or as a standard package, which makes it a near-universal way to configure the firewall; on recent distributions it is often the iptables-nft compatibility layer rather than the legacy implementation, but the command syntax is the same. The availability of other tools varies by distribution, depending on what the distribution maintainers have packaged.
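Writing rules by hand only keeps the firewall understandable if what is loaded in the kernel still matches what was written. The script below is an added example, not part of the original lesson: it normalizes iptables-save output (dropping comments and packet/byte counters) and compares a saved baseline with the live ruleset. The two sample rulesets are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original lesson: check that the rules loaded in
# the kernel still match the ruleset you wrote by hand. The sample rulesets
# below are constructed for the example.

# normalize_rules: read iptables-save output on stdin and print it without
# comment lines and without the packet/byte counters that iptables-save
# attaches to chain policies (":INPUT DROP [12:345]") and, with -c, to rules.
# Rule order matters for a firewall, so the lines are deliberately NOT sorted.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/ \[[0-9][0-9]*:[0-9][0-9]*\]$//' \
        -e 's/^\[[0-9][0-9]*:[0-9][0-9]*\] //'
}

# rules_match FILE_A FILE_B: exit 0 when both rulesets agree after normalization.
rules_match() {
    [ "$(normalize_rules < "$1")" = "$(normalize_rules < "$2")" ]
}

# rules_status FILE_A FILE_B: print "match" or "drift".
rules_status() {
    if rules_match "$1" "$2"; then echo match; else echo drift; fi
}

# check_live BASELINE: compare the running firewall with a saved baseline.
# Needs root, since iptables-save reads the kernel tables. Prints a unified
# diff and returns 1 on drift.
check_live() {
    tmp="$(mktemp -d)"
    iptables-save > "$tmp/live"
    normalize_rules < "$1" > "$tmp/expected"
    normalize_rules < "$tmp/live" > "$tmp/actual"
    if cmp -s "$tmp/expected" "$tmp/actual"; then
        echo "firewall matches $1"; rc=0
    else
        echo "firewall has drifted from $1:"; diff -u "$tmp/expected" "$tmp/actual"; rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Constructed samples. The baseline is what iptables-save printed right after
# the hand-written rules were loaded (note the canonical "-m tcp" it inserts).
sample_dir="$(mktemp -d)"
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/baseline.v4" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
# The same rules captured later: live counters plus iptables-save's comments.
cat > "$sample_dir/live_ok.v4" <<'EOF'
# Generated by iptables-save v1.8.7 on Mon Jan  9 10:00:00 2023
*filter
:INPUT DROP [1234:56789]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4321:987654]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jan  9 10:00:00 2023
EOF
# Someone opened an extra port by hand: this must be reported as drift.
{
    head -n 8 "$sample_dir/live_ok.v4"
    echo '-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT'
    tail -n 2 "$sample_dir/live_ok.v4"
} > "$sample_dir/live_drift.v4"

echo "live_ok:    $(rules_status "$sample_dir/baseline.v4" "$sample_dir/live_ok.v4")"
echo "live_drift: $(rules_status "$sample_dir/baseline.v4" "$sample_dir/live_drift.v4")"
# On a real host: check_live /etc/iptables/rules.v4
```

Take the baseline from iptables-save immediately after loading your hand-written file rather than from the file itself: iptables-save prints rules in its own canonical form (for instance it inserts `-m tcp` before `--dport`), so a textual comparison against the original file would report drift where there is none.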
nftables
The developers of the Netfilter project have created nftables, which is intended to be a replacement for iptables, ip6tables, and a few other userspace tools (such as ebtables for configuring a layer-2 firewall). As of early 2023, nftables is usable as a replacement for the older iptables interface.
That said, nftables has a completely different configuration syntax from iptables, and this new syntax isn't easier to use than the iptables syntax it is intended to replace. For example, to set default policies for incoming, forwarded, and outgoing packets with nftables, a ruleset file for nft -f looks like this (the same form in which nft list ruleset prints it):
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        counter packets 0 bytes 0
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter packets 0 bytes 0
    }
    chain output {
        type filter hook output priority 0; policy accept;
        counter packets 0 bytes 0
    }
}
The corresponding iptables configuration, in the format written by iptables-save and read by iptables-restore, is:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
Partly for this reason, not all Linux distributions have moved to nftables as a replacement for the older, time-tested iptables interface. Even distributions that use nftables by default continue to ship the iptables command, at least as of early 2023, usually as the iptables-nft compatibility layer, which accepts the familiar syntax and installs the rules through the nftables kernel API. Running iptables -V shows which variant is installed: it reports (nf_tables) or (legacy). Avoid mixing the two on one system, since legacy and nf_tables rules live in separate tables that the kernel evaluates one after the other, which makes the effective policy hard to read. Over time, it is possible that the additional configuration flexibility of nftables will result in the deprecation of the older interfaces.