Packet Filtering with iptables

iptables is the ubiquitous userspace program for configuring packet filtering in the Linux kernel. It is driven by a set of rules, each of which is attached to a chain and specifies a set of matching parameters and a target; the target decides what happens to a packet that matches. For example, the following rule accepts all inbound TCP packets on the SSH port (the port name is resolved through the /etc/services file).


# iptables -A INPUT -p tcp --dport ssh -j ACCEPT

Note that INPUT is one of the three built-in chains defined by iptables, the others being OUTPUT and FORWARD. The ACCEPT target lets the packet through, while the DROP target silently discards it. iptables supports filtering by protocol, IP address, port number, network interface, and more. In addition, the conntrack kernel module provides stateful connection tracking, which the rules below use through the state match.

Setting up iptables

We begin by deleting all the rules and setting the default policies to drop packets.


# iptables -F
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP

We then create a user-defined chain for logging dropped packets. The limit match rate-limits the LOG target so that a port scan cannot fill up the log files; packets beyond the limit are still dropped, just not logged.


# iptables -N LOGDROP
# iptables -F LOGDROP
# iptables -A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG --log-prefix "Dropping packet: "
# iptables -A LOGDROP -j DROP

Next, we append basic rules to the INPUT, FORWARD, and OUTPUT chains.


# iptables -A INPUT -m state --state INVALID -j LOGDROP
# iptables -A INPUT -p icmp -j LOGDROP
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -j LOGDROP


# iptables -A FORWARD -m state --state INVALID -j LOGDROP
# iptables -A FORWARD -o lo -j ACCEPT
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -j LOGDROP


# iptables -A OUTPUT -m state --state INVALID -j LOGDROP
# iptables -A OUTPUT -p icmp -j LOGDROP
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A OUTPUT -p udp -d 192.168.0.1 --dport domain -j ACCEPT
# iptables -A OUTPUT -p tcp --dport www -j ACCEPT
# iptables -A OUTPUT -p tcp --dport https -j ACCEPT
# iptables -A OUTPUT -p tcp --dport imaps -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 465 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport ssh -j ACCEPT
# iptables -A OUTPUT -p tcp --dport ftp -j ACCEPT
# iptables -A OUTPUT -p tcp --dport ftp-data -j ACCEPT
# iptables -A OUTPUT -p tcp --dport xmpp-client -j ACCEPT
# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A OUTPUT -j LOGDROP

Finally, we save the rules so that they persist across reboots.


# iptables-save > /etc/iptables/iptables.rules
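As an added example (not the page's own commands): the same policy written in the iptables-restore format that iptables-save produces, so that `iptables-restore < file` loads the whole table in one atomic commit instead of rule by rule, which avoids cutting off a remote session between the DROP policy and the ESTABLISHED rule. It goes beyond the page's order by accepting loopback before the ICMP drop, uses port numbers as iptables-save would write them, and the RESOLVER variable and check_rules function are assumed names.

```shell
#!/bin/sh
# Emit the host firewall policy in iptables-restore format.
# RESOLVER defaults to the page's DNS server; the name itself is assumed.
RESOLVER=${RESOLVER:-192.168.0.1}

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG --log-prefix "Dropping packet: "
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j LOGDROP
-A INPUT -p icmp -j LOGDROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -m state --state INVALID -j LOGDROP
-A FORWARD -o lo -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOGDROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state INVALID -j LOGDROP
-A OUTPUT -p icmp -j LOGDROP
-A OUTPUT -p udp -d $RESOLVER --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 20,21,22,80,443,465,993,5222 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j LOGDROP
COMMIT
EOF
}

# Sanity checks that need no root: the loopback ACCEPT must come before the
# catch-all LOGDROP in INPUT, and the table must end with COMMIT.
check_rules() {
    rules=$(gen_rules)
    lo_line=$(printf '%s\n' "$rules" | grep -n '^-A INPUT -i lo -j ACCEPT$' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n '^-A INPUT -j LOGDROP$' | cut -d: -f1)
    [ -n "$lo_line" ] && [ -n "$drop_line" ] && [ "$lo_line" -lt "$drop_line" ] || return 1
    printf '%s\n' "$rules" | tail -n 1 | grep -q '^COMMIT$'
}
```

Write the output to /etc/iptables/iptables.rules and load it with iptables-restore; ports are written numerically because iptables-save does the same.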

Configuring for pacman

pacman needs outbound domain, ftp, and ftp-data, as well as the ip_conntrack_ftp kernel module, which lets conntrack recognize FTP data connections as RELATED to the control connection.


# nano /etc/rc.conf


...
MODULES=(... ip_conntrack_ftp ...)
...

This entry was posted in linux.

2 Responses to Packet Filtering with iptables

    • phua says:

      iptables is not a userspace firewall, but a userspace program to configure packet-filtering in the kernel; and stateful connection tracking with conntrack has been there for a long time. You can check the current ruleset with “iptables -vL”, which is exactly what “shorewall show” is doing. Neither iptables nor Shorewall need to be constantly running; they are just tools to configure the packet-filtering program.

      As for the syntactic sugar, you can write iptables.rules that look just like your Shorewall example: -A OUTPUT -p tcp -m multiport --dports 21,22,80,443 -j ACCEPT.

      iptables has a bad reputation, but it’s really quite simple to use. Shorewall is just a thin “front-end” for iptables, but with useful pre-configured filters.
