2024-05-19 14:38:10 -06:00

Comprehensive Guide to iptables Administration

Table of Contents

  1. Introduction to iptables
  2. Understanding Chains and Tables
    • PREROUTING
    • INPUT
    • FORWARD
    • OUTPUT
    • POSTROUTING
  3. Comparison with Cisco Technologies
  4. Practical Examples
    • Viewing iptables Rules
    • Basic Configuration
    • Advanced Port Forwarding for LXC Containers
  5. Persisting iptables Rules
  6. Summary

1. Introduction to iptables

iptables is a command-line firewall utility in Linux that allows for packet filtering, network address translation (NAT), and other packet manipulation. It uses a set of rules organized into different chains and tables to control the flow of traffic through a Linux system.

2. Understanding Chains and Tables

Chains

  • PREROUTING: Processes packets as they arrive at the network interface before routing decisions.
  • INPUT: Handles packets destined for the local system.
  • FORWARD: Manages packets that are routed through the system.
  • OUTPUT: Deals with packets generated by the local system.
  • POSTROUTING: Alters packets just before they leave the interface after routing decisions.

Tables

  • filter: Default table for filtering packets.
  • nat: Used for network address translation.
  • mangle: Used for specialized packet alteration.
  • raw: Used for configuration exemptions from connection tracking.
  • security: Used for Mandatory Access Control (MAC) rules.

3. Comparison with Cisco Technologies

  • PREROUTING: Similar to ingress ACLs, where packets are inspected and potentially modified before being routed.
  • INPUT: Comparable to inbound ACLs on Cisco devices for traffic directed to the device itself.
  • FORWARD: Equivalent to ACLs applied to routed interfaces, controlling forwarded traffic.
  • OUTPUT: Similar to outbound ACLs, applied to traffic generated by the device.
  • POSTROUTING: Like egress ACLs or NAT rules, applied after routing decisions have been made.

4. Practical Examples

Viewing iptables Rules

To view the current iptables rules (the filter table by default, then the nat table):

sudo iptables -L -n -v --line-numbers
sudo iptables -t nat -L -n -v --line-numbers

-n prints addresses and ports numerically instead of resolving them (which is slow and leaks lookups), -v shows the matched interfaces and packet counters, and --line-numbers gives the rule positions that -I and -D take.

Basic Configuration

  1. Allow SSH traffic to the local system (INPUT chain):

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

  2. Allow outgoing HTTP requests from the local system (OUTPUT chain):

sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

Both are ACCEPT rules, so they restrict nothing on their own: they only take effect once the chain's default policy is DROP (iptables -P INPUT DROP); under the default policy of ACCEPT they add nothing to what is already permitted.
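
The following is an added example, not code from the original guide: a minimal stateful INPUT policy built around the SSH rule above, showing the default-DROP policy and the ESTABLISHED,RELATED rule that make such allow rules meaningful. IPT, SSH_PORT and the function names are this example's own assumptions; IPT left unset applies the rules with iptables, while IPT="echo iptables" prints the commands instead (a dry run that needs no root).

```shell
#!/bin/sh
# Added example, not part of the original guide: a minimal stateful INPUT
# policy around the page's "allow SSH" rule. IPT and SSH_PORT are this
# example's own knobs. Leave IPT unset to apply the rules with iptables, or
# set IPT="echo iptables" to print the commands (a dry run that needs no root).
set -eu

SSH_PORT="${SSH_PORT:-22}"

fw_baseline() {
    ipt="${IPT:-iptables}"
    # Start from a known state for the INPUT chain and set default policies.
    $ipt -F INPUT
    $ipt -P INPUT DROP        # nothing reaches the host unless a rule allows it
    $ipt -P FORWARD DROP      # not a router unless the FORWARD chain says so
    $ipt -P OUTPUT ACCEPT
    # Loopback first, then replies belonging to connections this host already
    # tracks, then packets conntrack cannot associate with anything.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # The page's SSH rule, now meaningful because the default policy is DROP.
    $ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # Echo requests so the host stays reachable for diagnostics.
    $ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

# Dry-run helper: how many INPUT rules the baseline adds (no root needed).
fw_baseline_rule_count() {
    ( IPT="echo iptables"; fw_baseline ) | grep -c -- '-A INPUT'
}

case "${1:-}" in
    apply)   fw_baseline ;;
    dry-run) IPT="echo iptables"; fw_baseline ;;
esac
```

Run it as `sh baseline.sh dry-run` to review the generated commands, then `sudo sh baseline.sh apply`. Rule order matters: the ESTABLISHED,RELATED rule sits before the SSH rule so that the bulk of traffic is accepted on the first match, and the SSH rule matches only NEW connections because replies are already covered.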

Advanced Port Forwarding for LXC Containers

Scenario: Forward traffic from 192.168.1.10:81 to 10.0.0.1:80 and 192.168.1.10:82 to 10.0.0.2:80.

Traffic flow (Mermaid diagram source):

graph TD;
    A[External Network] --> |Access Apache Services| B(LXC Host)
    B --> |Forward to 192.168.1.10:81| C(LXC Container 192.168.1.10)
    B --> |Forward to 192.168.1.10:82| C
    C --> |Forward to 10.0.0.1:80| D[Apache2 Instance 1 10.0.0.1:80]
    C --> |Forward to 10.0.0.2:80| E[Apache2 Instance 2 10.0.0.2:80]

  1. PREROUTING chain (nat table):
    • Redirect packets from 192.168.1.10:81 to 10.0.0.1:80.
    • Redirect packets from 192.168.1.10:82 to 10.0.0.2:80.

sudo iptables -t nat -A PREROUTING -d 192.168.1.10 -p tcp --dport 81 -j DNAT --to-destination 10.0.0.1:80
sudo iptables -t nat -A PREROUTING -d 192.168.1.10 -p tcp --dport 82 -j DNAT --to-destination 10.0.0.2:80

  2. FORWARD chain (filter table):
    • Allow forwarding for packets to 10.0.0.1:80.
    • Allow forwarding for packets to 10.0.0.2:80.

sudo iptables -A FORWARD -p tcp -d 10.0.0.1 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

The conntrack match replaces the older state match, which current iptables keeps only as a compatibility alias. The kernel forwards nothing until routing is enabled with sysctl -w net.ipv4.ip_forward=1, and if the FORWARD policy is DROP, the replies from 10.0.0.1 and 10.0.0.2 need their own ESTABLISHED,RELATED rule, because the two rules above match only packets addressed to the containers.

  3. POSTROUTING chain (nat table):
    • Enable masquerading for outgoing packets.

sudo iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
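
The three chains above, as an added example that is not code from the original guide: the two-container scenario generalised to a list of HOSTPORT:CONTAINER_IP:CONTAINER_PORT mappings, together with the pieces the individual rules leave implicit (IP forwarding, one return-traffic rule for the FORWARD chain, and masquerading limited to the container subnet). HOST_IP, EXT_IF and the two port mappings come from the page; CONTAINER_NET, IPT and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: the two-container scenario
# generalised to a list of HOSTPORT:CONTAINER_IP:CONTAINER_PORT mappings,
# plus the pieces the single rules leave implicit. HOST_IP, EXT_IF and the
# port mappings come from the page; CONTAINER_NET, IPT and the function names
# are this example's assumptions. Set IPT="echo iptables" for a root-free dry run.
set -eu

HOST_IP="${HOST_IP:-192.168.1.10}"
EXT_IF="${EXT_IF:-br0}"
CONTAINER_NET="${CONTAINER_NET:-10.0.0.0/24}"   # assumed subnet of the containers
MAPPINGS="${MAPPINGS:-81:10.0.0.1:80 82:10.0.0.2:80}"

lxc_forwarding() {
    ipt="${IPT:-iptables}"
    # The kernel silently drops forwarded packets until routing is enabled.
    # (${IPT:+echo} turns this into a printed command in dry-run mode.)
    ${IPT:+echo} sysctl -w net.ipv4.ip_forward=1
    for m in $MAPPINGS; do
        hport=${m%%:*}
        rest=${m#*:}
        cip=${rest%%:*}
        cport=${rest#*:}
        # nat/PREROUTING: rewrite the destination before the routing decision.
        $ipt -t nat -A PREROUTING -d "$HOST_IP" -p tcp --dport "$hport" \
            -j DNAT --to-destination "$cip:$cport"
        # filter/FORWARD: only new connections to the published service may cross.
        $ipt -A FORWARD -p tcp -d "$cip" --dport "$cport" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Replies for every tracked connection in one rule, so a FORWARD policy of
    # DROP still lets the containers answer.
    $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Masquerade only traffic from the container subnet, not everything leaving EXT_IF.
    $ipt -t nat -A POSTROUTING -s "$CONTAINER_NET" -o "$EXT_IF" -j MASQUERADE
}

# Dry-run helper: number of DNAT rules the mapping list produces.
lxc_forwarding_dnat_count() {
    ( IPT="echo iptables"; lxc_forwarding ) | grep -c -- '-j DNAT'
}

case "${1:-}" in
    apply)   lxc_forwarding ;;
    dry-run) IPT="echo iptables"; lxc_forwarding ;;
esac
```

Adding a third container is a matter of appending another mapping to MAPPINGS; the FORWARD rules stay per service while the return-traffic rule is shared. Restricting MASQUERADE with -s keeps the host from rewriting the source of unrelated traffic that happens to leave br0.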

5. Persisting iptables Rules

To ensure iptables rules persist across reboots, save them using iptables-save and restore them using iptables-restore. The output redirection must also run as root: sudo elevates only iptables-save, while the shell that opens the output file stays unprivileged and cannot write to /etc/iptables.

sudo mkdir -p /etc/iptables
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Create a systemd service to restore these rules at startup:

# Create a systemd service file
sudo nano /etc/systemd/system/iptables-restore.service

Add the following content to the service file. systemd does not run ExecStart through a shell, so a "<" redirection would be passed to iptables-restore as a literal argument; the file is given as an argument instead, which iptables-restore accepts. The unit is also ordered before network-pre.target so that the rules are loaded before interfaces come up, rather than after network.target, which would leave a window with the network up and no firewall:

[Unit]
Description=Restore iptables rules
# Load the rules before the network is configured.
DefaultDependencies=no
Wants=network-pre.target
Before=network-pre.target
After=local-fs.target

[Service]
Type=oneshot
# No shell here: pass the file as an argument, not via "<".
ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Reload systemd so it picks up the new unit, then enable and start the service:

sudo systemctl daemon-reload
sudo systemctl enable iptables-restore.service
sudo systemctl start iptables-restore.service
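
A saved ruleset is restored verbatim at every boot, so it is worth auditing the file before enabling the service. The following is an added example, not part of the original guide: a read-only awk audit of an iptables-save dump that flags filter chains left at policy ACCEPT and DNAT targets with no matching FORWARD rule (the two problems the sections above make easy to introduce). The dump embedded in sample_dump is constructed for this example; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an iptables-save dump
# before it is restored at boot. Reads the dump on stdin and prints one finding
# per line. In use: audit_ruleset < /etc/iptables/rules.v4
set -eu

audit_ruleset() {
    awk '
        /^\*/ { table = substr($0, 2); next }            # *filter, *nat, ...
        /^:/ {                                           # :CHAIN POLICY [pkts:bytes]
            chain = substr($1, 2); policy = $2
            if (table == "filter" && (chain == "INPUT" || chain == "FORWARD") && policy == "ACCEPT")
                print "policy: filter/" chain " defaults to ACCEPT"
            next
        }
        # Remember every DNAT target (ip:port) in nat/PREROUTING.
        table == "nat" && /^-A PREROUTING/ && /-j DNAT/ {
            for (i = 1; i <= NF; i++) if ($i == "--to-destination") dnat[$(i + 1)] = 1
        }
        # Remember every destination that filter/FORWARD explicitly handles.
        table == "filter" && /^-A FORWARD/ {
            for (i = 1; i <= NF; i++) if ($i == "-d") { ip = $(i + 1); sub(/\/32$/, "", ip); fwd[ip] = 1 }
        }
        END {
            for (d in dnat) {
                split(d, p, ":")
                if (!(p[1] in fwd)) print "dnat: " d " has no FORWARD rule"
            }
        }
    '
}

# Constructed sample dump: INPUT is locked down, FORWARD is not, and the second
# DNAT target never got its FORWARD rule.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.0.0.1/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.1.10/32 -p tcp -m tcp --dport 81 -j DNAT --to-destination 10.0.0.1:80
-A PREROUTING -d 192.168.1.10/32 -p tcp -m tcp --dport 82 -j DNAT --to-destination 10.0.0.2:80
-A POSTROUTING -o br0 -j MASQUERADE
COMMIT
EOF
}

# Number of findings the audit produces for the sample dump.
audit_sample_finding_count() {
    sample_dump | audit_ruleset | awk 'END { print NR }'
}

sample_dump | audit_ruleset
```

The check deliberately treats an ACCEPT policy in the nat table as normal, since nat chains only rewrite addresses; it is the filter table's INPUT and FORWARD defaults that decide what the host lets through. Pair it with the restore service by running it against /etc/iptables/rules.v4 after every iptables-save.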

6. Summary

This guide provided an overview of iptables chains and tables, compared them to similar Cisco technologies, and presented practical examples for configuring and managing iptables rules. By understanding and using these concepts, you can effectively control and manipulate network traffic in a Linux environment, leveraging your existing networking knowledge to achieve advanced configurations.