2024-05-19 14:38:10 -06:00

## Comprehensive Guide to iptables Administration
### Table of Contents
1. Introduction to iptables
2. Understanding Chains and Tables
   - PREROUTING
   - INPUT
   - FORWARD
   - OUTPUT
   - POSTROUTING
3. Comparison with Cisco Technologies
4. Practical Examples
   - Viewing iptables Rules
   - Basic Configuration
   - Advanced Port Forwarding for LXC Containers
5. Persisting iptables Rules
6. Summary
### 1. Introduction to iptables
`iptables` is a command-line firewall utility in Linux that allows for packet filtering, network address translation (NAT), and other packet manipulation. It uses a set of rules organized into different chains and tables to control the flow of traffic through a Linux system.
### 2. Understanding Chains and Tables
#### Chains
- **PREROUTING**: Processes packets as they arrive at the network interface before routing decisions.
- **INPUT**: Handles packets destined for the local system.
- **FORWARD**: Manages packets that are routed through the system.
- **OUTPUT**: Deals with packets generated by the local system.
- **POSTROUTING**: Alters packets just before they leave the interface after routing decisions.
#### Tables
- **filter**: Default table for filtering packets.
- **nat**: Used for network address translation.
- **mangle**: Used for specialized packet alteration.
- **raw**: Used to configure exemptions from connection tracking before the other tables see the packet.
- **security**: Used for Mandatory Access Control (MAC) rules.
### 3. Comparison with Cisco Technologies
- **PREROUTING**: Similar to ingress ACLs, where packets are inspected and potentially modified before being routed.
- **INPUT**: Comparable to inbound ACLs on Cisco devices for traffic directed to the device itself.
- **FORWARD**: Equivalent to ACLs applied to routed interfaces, controlling forwarded traffic.
- **OUTPUT**: Similar to outbound ACLs, applied to traffic generated by the device.
- **POSTROUTING**: Like egress ACLs or NAT rules, applied after routing decisions have been made.
### 4. Practical Examples
#### Viewing iptables Rules
To view the current `iptables` rules (the `filter` table by default; `-t nat` selects the `nat` table):
```bash
sudo iptables -L
sudo iptables -t nat -L
```
#### Basic Configuration
1. **Allow SSH traffic to the local system (INPUT chain)**:
```bash
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```
2. **Allow outgoing HTTP requests from the local system (OUTPUT chain)**:
```bash
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
```
#### Advanced Port Forwarding for LXC Containers
**Scenario**: Forward traffic from `192.168.1.10:81` to `10.0.0.1:80` and `192.168.1.10:82` to `10.0.0.2:80`.
```mermaid
graph TD;
A[External Network] --> |Access Apache services on 192.168.1.10:81 and :82| B(LXC Host 192.168.1.10)
B --> |DNAT :81 to 10.0.0.1:80| D[LXC Container 1 - Apache2 at 10.0.0.1:80]
B --> |DNAT :82 to 10.0.0.2:80| E[LXC Container 2 - Apache2 at 10.0.0.2:80]
```
1. **PREROUTING Chain**:
- Rewrite the destination of packets arriving for `192.168.1.10:81` to `10.0.0.1:80`.
- Rewrite the destination of packets arriving for `192.168.1.10:82` to `10.0.0.2:80`.
```bash
sudo iptables -t nat -A PREROUTING -d 192.168.1.10 -p tcp --dport 81 -j DNAT --to-destination 10.0.0.1:80
sudo iptables -t nat -A PREROUTING -d 192.168.1.10 -p tcp --dport 82 -j DNAT --to-destination 10.0.0.2:80
```
2. **FORWARD Chain**:
- Allow forwarding for packets to `10.0.0.1:80`.
- Allow forwarding for packets to `10.0.0.2:80`.
- These rules match only the client-to-container direction; if the FORWARD policy is DROP, a rule accepting `ESTABLISHED,RELATED` traffic in the reverse direction is also needed so the replies get through.
```bash
sudo iptables -A FORWARD -p tcp -d 10.0.0.1 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
```
3. **POSTROUTING Chain**:
- Enable masquerading for packets leaving through `br0` (the host's bridge interface in this scenario).
```bash
sudo iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
```
### 5. Persisting iptables Rules
To ensure `iptables` rules persist across reboots, save them using `iptables-save` and restore them using `iptables-restore` (the `/etc/iptables` directory must already exist):
```bash
# Run the redirection under sudo as well; otherwise the shell opens the file as the unprivileged user
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
```
Create a systemd service to restore these rules at startup:
```bash
# Create a systemd service file
sudo nano /etc/systemd/system/iptables-restore.service
```
Add the following content to the service file:
```ini
[Unit]
Description=Restore iptables rules
After=network.target

[Service]
Type=oneshot
# systemd does not run ExecStart through a shell, so "< file" would be passed as
# literal arguments; iptables-restore accepts the rules file as its argument instead
ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```
Enable and start the service:
```bash
# Make systemd pick up the new unit file, then enable and start it
sudo systemctl daemon-reload
sudo systemctl enable iptables-restore.service
sudo systemctl start iptables-restore.service
```
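As an added check that is not part of the original guide, the Python script below parses an `iptables-save` dump such as `rules.v4` and compares it with the port forwards intended in section 4: it flags DNAT rules that were never planned and intended targets that have no FORWARD accept rule, which is worth doing before the restore service is enabled. The sample dump and the expected-forward map are constructed for this example.

```python
import re

# Constructed sample in iptables-save format (not a real capture): the two DNAT
# rules from the scenario, a FORWARD accept for only one container, and a DNAT
# nobody planned for.
SAMPLE_RULES_V4 = """\
*nat
-A PREROUTING -d 192.168.1.10/32 -p tcp -m tcp --dport 81 -j DNAT --to-destination 10.0.0.1:80
-A PREROUTING -d 192.168.1.10/32 -p tcp -m tcp --dport 82 -j DNAT --to-destination 10.0.0.2:80
-A PREROUTING -d 192.168.1.10/32 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.0.0.9:22
-A POSTROUTING -o br0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 10.0.0.1/32 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
# Forwards the administrator intends: host port -> container target (assumed).
EXPECTED_DNAT = {81: "10.0.0.1:80", 82: "10.0.0.2:80"}

def parse_rules(text):
    """Return {table: [rule without the leading '-A ', ...]} from a save dump."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith("*"):  # '*nat' opens a table block
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A ") and current:
            tables[current].append(line[3:])
    return tables

def dnat_map(tables):
    """Map host dport -> DNAT target for every PREROUTING DNAT rule."""
    found = {}
    for rule in tables.get("nat", []):
        m = re.search(r"^PREROUTING .*--dport (\d+) .*-j DNAT --to-destination (\S+)", rule)
        if m:
            found[int(m.group(1))] = m.group(2)
    return found

def audit(text, expected=EXPECTED_DNAT):
    """Return (DNATs not in the plan, planned targets lacking a FORWARD accept)."""
    tables = parse_rules(text)
    unexpected = {p: t for p, t in dnat_map(tables).items() if expected.get(p) != t}
    missing = []
    for target in expected.values():
        ip, port = target.split(":")
        pat = rf"^FORWARD .*-d {re.escape(ip)}(/32)? .*--dport {port} .*-j ACCEPT"
        if not any(re.search(pat, r) for r in tables.get("filter", [])):
            missing.append(target)
    return unexpected, missing
```

Run `audit(open("/etc/iptables/rules.v4").read())` on a real dump; an empty pair means the saved rules match the plan.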
### 6. Summary
This guide provided an overview of `iptables` chains and tables, compared them to similar Cisco technologies, and presented practical examples for configuring and managing `iptables` rules. By understanding and using these concepts, you can effectively control and manipulate network traffic in a Linux environment, leveraging your existing networking knowledge to achieve advanced configurations.