The networking layer must decide what to do with each packet. A packet can be delivered to a local recipient, forwarded to a remote recipient, or dropped. This decision is configurable, so that a host need not rely on default delivery, forwarding and discard rules that could be abused.
The packet filter framework defines several points where a packet can be classified and a decision taken based on that classification. Each point is identified by a chain, and chains are grouped into tables.
The filter table is for normal packets:
INPUT - chain for incoming packets
OUTPUT - chain for outgoing packets
FORWARD - chain for packets that pass through
The nat table is for packets that open new connections:
PREROUTING
OUTPUT
POSTROUTING
The mangle table is for packets that need special modifications:
PREROUTING
INPUT
OUTPUT
FORWARD
POSTROUTING
Each chain contains a sequence of rules. A rule can classify packets using information from the packet header (source and destination address, protocol, ...) or from packet processing (source and destination interface, ...). Modules that classify packets can be added; available modules include file conditions, connection marks, connection rates, connection state, security context, random and others.
The action of the first matching rule is used. An action is either the name of a user-defined chain or one of ACCEPT, DROP, QUEUE, RETURN. ACCEPT means process the packet, DROP means discard it, QUEUE means hand it to a user-space application to decide, RETURN means stop traversing this chain and continue in the calling chain. Modules that process packets can be added; available modules include marking, address translation and redirection, logging, routing and others.
> cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_FROM_LOCAL - [0:0]
:INPUT_FROM_WORLD - [0:0]
:FORWARD_FROM_LOCAL - [0:0]
:FORWARD_FROM_WORLD - [0:0]
# Sort traffic
-A INPUT -i lo -j INPUT_FROM_LOCAL
-A INPUT -i eth0 -j INPUT_FROM_LOCAL
-A INPUT -i tun0 -j INPUT_FROM_LOCAL
-A INPUT -i tun1 -j INPUT_FROM_LOCAL
-A INPUT -j INPUT_FROM_WORLD
-A FORWARD -i lo -j FORWARD_FROM_LOCAL
-A FORWARD -i eth0 -j FORWARD_FROM_LOCAL
-A FORWARD -i tun0 -j FORWARD_FROM_LOCAL
-A FORWARD -i tun1 -j FORWARD_FROM_LOCAL
-A FORWARD -j FORWARD_FROM_WORLD
# Input from local machines
-A INPUT_FROM_LOCAL -j ACCEPT
# Input from world machines
-A INPUT_FROM_WORLD -p tcp --dport ssh -j ACCEPT
-A INPUT_FROM_WORLD -p tcp --dport http -j ACCEPT
-A INPUT_FROM_WORLD -p tcp --dport smtp -j ACCEPT
-A INPUT_FROM_WORLD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT_FROM_WORLD -j REJECT
# Forward from local machines
-A FORWARD_FROM_LOCAL -j ACCEPT
# Forward from world machines
-A FORWARD_FROM_WORLD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD_FROM_WORLD -j REJECT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.168.0.128/25 -p tcp --dport http -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.168.0.128/25 -p tcp --dport smtp -j REDIRECT --to-ports 25
-A POSTROUTING -o ppp0 -s 192.168.0.128/25 -j MASQUERADE
COMMIT
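To see how first-match traversal, jumps into user-defined chains and the chain policy interact, here is an added toy model of the INPUT path of the filter table above (example code written for this page, not part of the original or of iptables itself). The packet dictionaries are constructed inputs, "state" stands in for the conntrack state match, and REJECT is treated like DROP as a terminating verdict; the last function shows why the closing REJECT in INPUT_FROM_WORLD matters when the INPUT policy is ACCEPT.

```python
# Added example (not from the page): toy model of netfilter chain traversal.
# Rules mirror the filter table's INPUT path; packets are constructed inputs.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "QUEUE", "RETURN"}
LOCAL_IFACES = ("lo", "eth0", "tun0", "tun1")

def rule(target, iface=None, proto=None, dport=None, states=None):
    """Match conditions (None = wildcard) plus a target: verdict or chain name."""
    return {"iface": iface, "proto": proto, "dport": dport,
            "states": states, "target": target}

def matches(r, pkt):
    return (all(r[k] is None or r[k] == pkt[k] for k in ("iface", "proto", "dport"))
            and (r["states"] is None or pkt["state"] in r["states"]))

def traverse(chains, policy, chain, pkt):
    """First match decides; a user chain that yields no verdict resumes in its caller."""
    for r in chains[chain]:
        if not matches(r, pkt):
            continue
        target = r["target"]
        if target == "RETURN":
            return policy.get(chain)          # policy for built-in, None for user chain
        if target in BUILTIN_TARGETS:
            return target
        decision = traverse(chains, policy, target, pkt)   # -j USER_CHAIN
        if decision is not None:
            return decision
    return policy.get(chain)                  # end of chain: implicit RETURN

FILTER = {
    "INPUT": [rule("INPUT_FROM_LOCAL", iface=i) for i in LOCAL_IFACES]
             + [rule("INPUT_FROM_WORLD")],
    "INPUT_FROM_LOCAL": [rule("ACCEPT")],
    "INPUT_FROM_WORLD": [rule("ACCEPT", proto="tcp", dport=22),   # ssh
                         rule("ACCEPT", proto="tcp", dport=80),   # http
                         rule("ACCEPT", proto="tcp", dport=25),   # smtp
                         rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
                         rule("REJECT")],
}
POLICY = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}

def packet(iface, proto="tcp", dport=None, state="NEW"):
    return {"iface": iface, "proto": proto, "dport": dport, "state": state}

def without_final_reject():
    """Same ruleset minus the closing REJECT: unmatched world traffic then falls
    through to the INPUT policy, which this file leaves at ACCEPT."""
    return {**FILTER, "INPUT_FROM_WORLD": FILTER["INPUT_FROM_WORLD"][:-1]}
```

Run traverse(FILTER, POLICY, "INPUT", packet("ppp0", dport=23)) to get REJECT, and the same packet against without_final_reject() to get ACCEPT from the policy alone.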
Use iptables -L -v to list the current rules.