iptables basics

Take a look at this tutorial for a more complete basic guide.

NAT with iptables

Which interface do you use to connect to the internet? Probably ppp0 if you connect over ADSL, but it may be eth0 if you connect over Ethernet with DHCP.

So, following this NAT HOWTO section, you just need to execute, as root:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# echo 1 > /proc/sys/net/ipv4/ip_forward

Then set the other computers in your network to use yours as their default router.

Adding a new entry to a chain

Iptables works with chains. The most obvious ones are INPUT, OUTPUT and FORWARD, whose names are self-explanatory. You can create your own chains if you want. To see all the rules in the chains, use the -L flag:

# iptables -L

You might want to pass a chain name and other parameters to filter its output. In our example we have:

ACCEPT     all  --  localhost            localhost
ACCEPT     tcp  --  anywhere             sshserver           tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh

That is, allow local connections and ssh connections to the ssh server, and drop any other ssh connection. This machine acts as a gateway to another network.

Imagine you want to include a new rule in the OUTPUT chain. Let's say you want the computer to access address 172.16.98.232. All you have to do is:

# iptables -I OUTPUT -d 172.16.98.232 -j ACCEPT

This inserts a new first entry in the chain:

ACCEPT     all  --  anywhere             172.16.98.232
ACCEPT     all  --  localhost            localhost
ACCEPT     tcp  --  anywhere             sshserver           tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh

Instead of -I you might want to use one of the other, mutually exclusive, options: -A and -D. -A appends the entry at the end of the chain, which doesn't make sense in our case, because rules are checked in order: the DROP rule would match first, so for ssh traffic the ACCEPT appended after it would never be reached. See:

ACCEPT     all  --  localhost            localhost
ACCEPT     tcp  --  anywhere             sshserver           tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             172.16.98.232

The -D flag deletes the rule and we get back to the original setup:

# iptables -D OUTPUT -d 172.16.98.232 -j ACCEPT
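To make the ordering point concrete, here is an added check (not part of the original page) that reads an iptables -L style listing and reports ACCEPT rules that an earlier DROP rule in the same chain would match first. The function name shadowed_accepts is hypothetical; the two listings fed to it are the OUTPUT chain listings shown above (after -I and after -A), and only awk is needed, no root.

```sh
#!/bin/sh
# shadowed_accepts (hypothetical helper, not from the page): reads
# "iptables -L" style lines on stdin and reports every ACCEPT rule that an
# earlier DROP rule would match first, i.e. an allow that can never fire for
# that traffic. Header lines ("Chain ...", "target prot ...") are ignored.
shadowed_accepts() {
  awk '
    # one field overlaps another if equal or if either side is a wildcard
    function overlaps(a, b) {
      return (a == b || a == "all" || a == "anywhere" || a == "" ||
              b == "all" || b == "anywhere" || b == "")
    }
    $1 == "ACCEPT" || $1 == "DROP" {
      n++
      target[n] = $1; proto[n] = $2; src[n] = $4; dst[n] = $5
      # destination port, if the rule carries one ("tcp dpt:ssh")
      port[n] = (match($0, /dpt:[^ ]+/)) ? substr($0, RSTART + 4, RLENGTH - 4) : ""
      if ($1 != "ACCEPT") next
      # rules are evaluated top to bottom: any earlier overlapping DROP wins
      for (i = 1; i < n; i++)
        if (target[i] == "DROP" && overlaps(proto[i], proto[n]) &&
            overlaps(src[i], src[n]) && overlaps(dst[i], dst[n]) &&
            overlaps(port[i], port[n])) {
          printf "rule %d (ACCEPT to %s) is shadowed by rule %d (DROP)\n", n, dst[n], i
          break
        }
    }'
}

# Constructed input: the two OUTPUT chain listings shown on this page.
INSERTED='ACCEPT     all  --  anywhere             172.16.98.232
ACCEPT     all  --  localhost            localhost
ACCEPT     tcp  --  anywhere             sshserver           tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh'
APPENDED='ACCEPT     all  --  localhost            localhost
ACCEPT     tcp  --  anywhere             sshserver           tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             172.16.98.232'

printf '%s\n' "$INSERTED" | shadowed_accepts   # prints nothing: -I put the ACCEPT first
printf '%s\n' "$APPENDED" | shadowed_accepts   # prints: rule 4 (ACCEPT to 172.16.98.232) is shadowed by rule 3 (DROP)
```

The comparison is string-based: "anywhere", "all" and a missing port count as wildcards, but hostnames are not resolved and subnets are not expanded, so two different spellings of the same host are treated as disjoint.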

A small table summarises the -I, -A and -D options:

Option   Meaning
-I       Inserts the rule as the first entry of a chain
-A       Appends the rule as the last entry of a chain
-D       Deletes the rule from a chain

Example of allowing incoming ssh connections (TCP port 22) from the machine with IP 192.168.0.34:

# iptables -I INPUT -s 192.168.0.34 -p tcp --dport 22 -j ACCEPT

Insert rules in a persistent file

Just execute the command:

# iptables-save > /etc/iptables.rules

(The file path may differ depending on your Linux distribution. Note that this only writes a snapshot of the current rules; for them to be applied again after a reboot, the file has to be loaded at boot time with iptables-restore.)