iptablesis auser-spaceutility program that allows asystem administratorto configure theIP packet filter rulesof theLinux kernelfirewall,implemented as differentNetfiltermodules. The filters are organized in a set of tables, which contain chains of rules for how to treat network traffic packets. Different kernel modules and programs are currently used for different protocols;iptablesapplies to IPv4,ip6tablesto IPv6,arptablestoARP,andebtablestoEthernet frames.

iptables
Original author(s)Rusty Russell
Developer(s)Netfilter Core Team
Initial release2001
Stable release
1.8.11[1]Edit this on Wikidata / 8 November 2024;20 days ago(8 November 2024)
Repository
Written inC
Operating systemLinux
PlatformNetfilter
TypePacket filtering
LicenseGPL
Websitewww.netfilter.org

iptables requires elevated privileges to operate and must be executed by userroot,otherwise it fails to function. On most Linux systems, iptables is installed as/usr/sbin/iptablesand documented in itsman pages,which can be opened usingman iptableswhen installed. It may also be found in/sbin/iptables,but since iptables is more like a service rather than an "essential binary", the preferred location remains/usr/sbin.

The termiptablesis also commonly used to inclusively refer to the kernel-level components.x_tablesis the name of the kernel module carrying the shared code portion used by all four modules that also provides the API used for extensions; subsequently,Xtablesis more or less used to refer to the entire firewall (v4, v6, arp, and eb) architecture.

iptables supersededipchains;and the successor of iptables isnftables,which was released on 19 January 2014[2]and was merged into theLinux kernel mainlinein kernel version 3.13.

Overview

edit

iptables allows thesystem administratorto definetablescontainingchainsofrulesfor the treatment of packets. Each table is associated with adifferent kind of packet processing.Packets are processed by sequentially traversing the rules in chains. A rule in a chain can cause a goto or jump to another chain, and this can be repeated to whatever level of nesting is desired. (A jump is like a “call”, i.e. the point that was jumped from is remembered.) Every network packet arriving at or leaving from the computer traverses at least one chain.

Packet flow paths. Packets start at a given box and will flow along a certain path, depending on the circumstances.

The origin of the packet determines which chain it traverses initially. There are fivepredefined chains(mapping to the five available Netfilter hooks), though a table may not have all chains. Predefined chains have apolicy,for example DROP, which is applied to the packet if it reaches the end of the chain. The system administrator can create as many other chains as desired. These chains have no policy; if a packet reaches the end of the chain it is returned to the chain which called it. A chain may be empty.

  • PREROUTING:Packets will enter this chain before a routing decision is made.
  • INPUT:Packet is going to be locally delivered. It does not have anything to do with processes having an opened socket; local delivery is controlled by the "local-delivery" routing table:ip route show table local.
  • FORWARD:All packets that have been routed and were not for local delivery will traverse this chain.
  • OUTPUT:Packets sent from the machine itself will be visiting this chain.
  • POSTROUTING:Routing decision has been made. Packets enter this chain just before handing them off to the hardware.

A chain does not exist by itself; it belongs to atable.There are three tables:nat,filter,andmangle.Unless preceded by the option-t,aniptablescommand concerns thefiltertable by default. For example, the commandiptables -L -v -n,which shows some chains and their rules, is equivalent toiptables -t filter -L -v -n.To show chains of tablenat,use the commandiptables -t nat -L -v -n

Each rule in a chain contains the specification of which packets it matches. It may also contain atarget(used for extensions) orverdict(one of the built-in decisions). As a packet traverses a chain, each rule in turn is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target/verdict, which may result in the packet being allowed to continue along the chain or may not. Matches make up the large part of rulesets, as they contain the conditions packets are tested for. These can happen for about any layer in theOSImodel, as with e.g. the--mac-sourceand-p tcp --dportparameters, and there are also protocol-independent matches, such as-m time.

The packet continues to traverse the chain until either

  1. a rule matches the packet and decides the ultimate fate of the packet, for example by calling one of theACCEPTorDROP,or a module returning such an ultimate fate; or
  2. a rule calls theRETURNverdict, in which case processing returns to the calling chain; or
  3. the end of the chain is reached; traversal either continues in the parent chain (as ifRETURNwas used), or the base chain policy, which is an ultimate fate, is used.

Targets also return a verdict likeACCEPT(NATmodules will do this) orDROP(e.g. theREJECTmodule), but may also implyCONTINUE(e.g. theLOGmodule;CONTINUEis an internal name) to continue with the next rule as if no target/verdict was specified at all.

Userspace utilities

edit

Front-ends

edit

There are numerous third-party software applications for iptables that try to facilitate setting up rules. Front-ends intextualor graphical fashion allow users to click-generate simple rulesets; scripts usually refer toshell scripts(but other scripting languages are possible too) that call iptables or (the faster)iptables-restorewith a set of predefined rules, or rules expanded from a template with the help of a simple configuration file. Linux distributions commonly employ the latter scheme of using templates. Such a template-based approach is practically a limited form of a rule generator, and such generators also exist in standalone fashion, for example, as PHP web pages.

Such front-ends, generators and scripts are often limited by their built-in template systems and where the templates offer substitution spots for user-defined rules. Also, the generated rules are generally not optimized for the particular firewalling effect the user wishes, as doing so will likely increase the maintenance cost for the developer. Users who reasonably understand iptables and want their ruleset optimized are advised to construct their own ruleset.

Other notable tools

edit
  • FireHOL– a shell script wrapping iptables with an easy-to-understand plain-text configuration file
  • NuFW– an authenticating firewall extension to Netfilter
  • Shorewall– a gateway/firewall configuration tool, making it possible to use easier rules and have them mapped to iptables

See also

edit

References

edit
  1. ^"[ANNOUNCE] iptables 1.8.11 release".8 November 2024.Retrieved10 November2024.
  2. ^"Linux 3.13, Section 1.2. nftables, the successor of iptables".kernelnewbies.org.19 January 2014.Retrieved20 January2014.

Literature

edit
edit