iptables is a command line tool which allow system administrators to configure Linux packet filtering ruleset.
Using iptables, you are able to tweak packet filtering, Network Address Translation (NAT) and packet mangling which in the end are going to allow you to secure your server, share your Internet connection and log unwanted traffic.
iptables is not really what we could call an easy to get with tool, but once you know the basis, it won’t be that scary :).
This tutorial will provide a sample script you can use to share your Internet access and will give an overview on how to use iptables
Most people will be freaked out when you pronounce the name iptables because it is not much of an easy to understand software, man page is huge as well as iptables capabilities.
To be able to set up a home router, you don’t actually need to spend nights and nights going through iptables man page, a grasp of the basis is enough to get your firewall up and running.
This tutorial provides a sample script you should be able to use out of the box or at most, changing 2 parameters will be able to get you running.
To be able to understand what the firewall do, there is some basis you need to know. Here I’m going to go over what make iptables handle network packets.
2.1. Chain Rules
Iptables use a set of chain rules to check weather or not a packet should be accepted. By default, there is 3 chains:
- INPUT: packet is destinate to the machine running iptables
- FORWARD: packet needs to be forwarded to another machine
- OUTPUT: packet going out of the machine running iptables
So when a packet reaches the firewall, the first thing the kernel is going to do is to determine where the packet is going. According to the destination, the kernel will check the packet against the rules of the appropriate chain.
2.2. Actions (TARGET)
For each chain we define a list of rules and actions (called targets in iptables’jargon) to take when a packet match a rule. Main actions are:
- ACCEPT: accept the packet
- REJECT: discard the packet and inform the source
- DROP: discard the packet but don’t say anything to the source
As soon as a packet has matched a rule, the kernel will apply the action it is said to do and won’t go further. If the packet did not match any rules, the kernel will use the
default policy defined for that chain.
This beeing said, we can now get into the script.