IPTables and SPI Technology Overview
IPTables, simply put, is an IP filtering technology that works hand-in-hand with the netfilter firewall framework in the Linux kernel. In other words, it is the command-line tool, named "iptables", that controls netfilter.
IPTables relies on an SPI (Stateful Packet Inspection) engine, which lets it filter incoming and outgoing traffic according to the state of the connection a packet belongs to, not just the packet on its own. It can also inspect TCP header flags for finer control of data flow.
This whole technology is ideal in:
- Preventing DDoS attacks
- Blocking certain IP ranges
- Blocking some/all traffic
[We will define three more terms, then move on to some sample commands and see how they would work in the real world of data communications.]
IPchains are made up of 3 structures:
TABLES -> CHAINS -> TARGETS
[TABLES] This is where packets get processed. The table structure is composed of three main tables: FILTER, NAT, and MANGLE. Filter handles the standard processing of packets and is the default table. NAT works with routing and addressing of packets, and it also tracks connections. Mangle, on the other hand, has the ability to modify packet headers.
[CHAINS] Chains lean heavily on tables, since they work hand-in-hand with the values stored in them. You can view chains as lists of rules, stored in tables, that are associated with "hook points" on the system. Hook points are simply places in the packet path where you can intercept packets and modify them. The tables and their built-in chains combine as follows:
- FILTER: Input, Output, Forward
- NAT: Prerouting, Postrouting, Output
- MANGLE: Prerouting, Postrouting, Input, Output, Forward
Each built-in chain is consulted at a specific point in a packet's path through the system:
- [PREROUTING] Immediately after being received by an interface.
- [POSTROUTING] Right before leaving an interface.
- [INPUT] Right before being handed to a local process.
- [OUTPUT] Right after being created by a local process.
- [FORWARD] For any packets coming in one interface and leaving out another.
In other words, if you want to process packets as they leave your system, without doing any NAT or mangling, you'll look to the OUTPUT chain within the FILTER table. If you want to process packets coming from the outside destined for your local machine, you'll use the same FILTER table, but the INPUT chain.
[TARGETS] This is what you might call the heart of it all, since the target is what a matching rule does with the packet. You get two outcomes from a target: either an ALLOW or a DENY. Deny implies that the packet(s) will be dropped, and allow means the packet(s) will be passed through.
Packets are allowed through by default, unless IPTables, through netfilter, explicitly says otherwise.
Now, on to some more practical stuff. I'll wrap this up with some sample commands; you can use the man page for iptables, or search the web for whatever need you have.
// Allowing Outgoing Pings
iptables -A OUTPUT -o eth0 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
// "Passing Ports" Into A NAT'd Network (try to figure out what IP is telling whichever to do what)
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 18.104.22.168 --dport 25 -j DNAT --to 192.168.0.2:25
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 25 -d 192.168.0.2 -j ACCEPT
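The sample commands above, extended into a complete stateful rule set as an added example (this is not code from the original article): default-deny policies on the filter chains, conntrack state matching for the SPI behaviour described earlier, the outgoing-ping rule, and the DNAT port forward with its matching FORWARD rule. The interfaces eth0/eth1 and the internal host 192.168.0.2 follow the article; the public address 203.0.113.10 is an assumed documentation address.

```shell
#!/bin/sh
# Added example, not from the original article. Emits a minimal stateful
# rule set in iptables-restore format; PUBLIC_IP is an assumed address.
WAN=eth0
LAN=eth1
PUBLIC_IP=203.0.113.10
MAIL_HOST=192.168.0.2

# filter table: default DROP on every chain, then let the SPI engine
# (conntrack) pass packets of connections it already knows about.
filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $WAN -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN -o $LAN -p tcp -d $MAIL_HOST --dport 25 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# nat table: PREROUTING rewrites the public destination before the routing
# decision, so the FORWARD rule above already sees $MAIL_HOST.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp -d $PUBLIC_IP --dport 25 -j DNAT --to-destination $MAIL_HOST:25
COMMIT
EOF
}

ruleset() { nat_rules; filter_rules; }

# Sanity check: number of rules that delegate the decision to conntrack state.
count_stateful() { ruleset | grep -c -- '--ctstate'; }

# "apply" loads the rules (root only); otherwise print them for review,
# e.g. to feed into "iptables-restore --test" before committing anything.
if [ "$1" = "apply" ] && [ "$(id -u)" = "0" ]; then
    ruleset | iptables-restore
else
    ruleset
fi
```

Because replies are matched by connection state, no inbound port has to be opened for the echo-reply or for the mail server's responses; the ESTABLISHED,RELATED rules cover them.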
This article is only a gentle introduction to IPtables; I cannot cover it all in one article. It takes a full book to cover the topic thoroughly. Practice with IPtables, and you'll learn best that way. Also, use the man pages available to you as reference guides. Here's a great one:
And for some sample IPtables scripts, look at: