Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

IPTables and SPI Technology Overview


IPTables and SPI Technology Overview

By ghostghost | 7167 Reads |
0     0

IPTables, simply put, is just an IP Filtering Technology put in place to work hand-in-hand with the netfilter Firewall in Linux. In other words, it control netfilter from the command line, as a tool named "iptables".

IPTables rely run on an SPI (Stateful Packet Inspection) engine which allows it to carefully filter incoming/outgoing traffic. It can also even check TCP/IP flags for more control of data flow.

This whole technology is ideal in:

  • Preventing DDoS attacks
  • Blocking Certain IP ranges
  • Blocking some/all traffic

[We will define 3 more terms, then move on to applying some sample commands, and seeing how it would work in the real world of data communications.]

IPchains are made up of 3 structures:

–> TABLES –> CHAINS –> TARGETS

[TABLES]

This is where the packets gets processed. And, the tables structure is composed of three (3) main functions: FILTER, NAT, and MANGLE. Filter deals with standard processing of packets, and remains the default one. Then, we have the NAT which basically works with data routing and addressing. It also tracks connections. Mangle, on the other hand, has the ability to modify packet headers.

[CHAINS]

They lean heavily on tables, since they work hand-in-hand with the values stored in the tables. You can view chains as lists of rules stored in tables associated to "hook points" on the system. Hook points are simply places where you can intercept packets and modify them accordingly. The combination works are follows for tables/chains values:

  • FILTER: Input, Output, Forward
  • NAT: Prerouting, Postrouting, Output
  • MANGLE: Prerouting, Postrouting, Input, Output, Forward

The chains become more handy when they perform tasks, as shown below, ie:

  • [PREROUTING] Immediately after being received by an interface.
  • [POSTROUTING] Right before leaving an interface.
  • [INPUT] Right before being handed to a local process.
  • [OUTPUT] Right after being created by a local process.
  • [FORWARD] For any packets coming in one interface and leaving out another.

In other words, if you want to process packets as they leave your system, but without doing any NAT or MANGLE(ing), you'll look to the OUTPUT chain within the FILTER table. If you want to process packets coming from the outside destined for your local machine, you'll want to use the same FILTER table, but the INPUT chain.

[TARGETS] This is what you might call the heart of it all, since it looks up rules and then determines what to do with the packets. You get two outcomes from the target, either an ALLOW or a DENY. A deny implies that the packet(s) will the dropped, and allow means the packet(s) will be passed through.

Now, packets are set to pass through by default, unless authoritately told NOT to by IPTables, through netfilter.

Now, to some more practical stuff. I'll wrap this up with some sample commands… you can use the man table for IPtables, or use google for whatever need you have.

// Allowing Outgoing Pings

iptables -A OUTPUT -o eth0 -p icmp –icmp-type echo-request -j ACCEPT iptables -A INPUT -i eth0 -p icmp –icmp-type echo-reply -j ACCEPT

// "Passing Ports" Into A NAT'd Network (try to figure out what IP is telling whichever to do what) iptables -t nat -A PREROUTING -i eth0 -p tcp -d 1.2.3.4 –dport 25 -j DNAT –to 192.168.0.2:25 iptables -A FORWARD -i eth0 -o eth1 -p tcp –dport 25 -d 192.168.0.2 -j ACCEPT

This article is only a gentle introduction to IPtables… I cannot cover it in one article. It takes a full written book to thoroughly cover the topic. Practice with IPtables, and you'll learn best like that. Also, use the man pages available for you as referrence guides. Here's a great one:

http://www.linuxguruz.com/iptables/howto/maniptables.html

And for some sample IPtables scripts, look at:

http://www.pcc-services.com/iptables.html

	<netfish>=<netfish>=<netfish>=<netfish>=<netfish>=<netfish>

Comments
ghost's avatar
ghost 17 years ago

very nicely written. good to see some non-web-hacking oriented articles.

ghost's avatar
ghost 17 years ago

Agreed. I learned IPTables the hard way and after MANY hours of use. This article would've jumpstarted that significantly! So, when are you writing the other chapters in the book? ;)

ghost's avatar
ghost 17 years ago

nice article, i learnt alot about linux IP/TCP filtering