Friday 18 March 2016

Working with IPTables on CentOS 7

With the release of CentOS 7, iptables has been dropped by default and in its place is firewalld. If (like me) you prefer iptables, you can restore it by doing the following:

Stop and mask (disable) the firewalld service:

systemctl stop firewalld
systemctl mask firewalld

then install, enable and start iptables:

yum install iptables-services
systemctl enable iptables
systemctl start iptables

Once your rules are in place, save them to /etc/sysconfig/iptables so the iptables service reloads them at boot:

service iptables save

To view iptables rules we use the -L switch along with the -t switch to specify the table name - typically:

sudo iptables -L -t nat
sudo iptables -L -t filter
sudo iptables -L -t mangle
sudo iptables -L -t raw
sudo iptables -L -t security

In practice you are likely to make use of the filter and nat tables predominantly.

IPTables is broken down into tables (as seen above, e.g. 'nat', 'filter' etc.) and then into chains (e.g. 'INPUT', 'OUTPUT', 'FORWARD').


FILTER - This table handles the basic traffic into and out of the firewall host. It is comprised of three chains: INPUT (for ingress traffic to the host), OUTPUT (for egress traffic from the host) and FORWARD (for traffic passing through the host from one NIC to another).

NAT - This table (as the name suggests) performs NAT on traffic and is comprised of three chains. PREROUTING is where NAT is performed before the packet is routed, also known as (D)estination NAT; a typical example is where you want to NAT some internet IPs to local IPs on your LAN. POSTROUTING is where NAT is performed after routing, also called (S)ource NAT (the more common NAT method), and is commonly used when you wish to give internal users on a LAN access to the internet. Finally, the OUTPUT chain deals with NAT of traffic generated on the local host itself.

MANGLE - This table is specifically for packet alteration - for example setting QoS bits on TCP / UDP traffic.

RAW - A much less commonly used table; it is specifically for configuring exemptions from connection tracking.

The following command appends (-A) a new rule to the end of the 'INPUT' chain in the 'filter' table, matching traffic arriving on eth0 for TCP/80 whose connection state is either 'NEW' or 'ESTABLISHED', and finally jumps to the ACCEPT target to permit it:

iptables -t filter -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

Or, say we want to insert the same rule higher up the chain (above a deny-all rule, for example) - we can do this with the -I switch, giving the position it should occupy (1 = top of the chain):

iptables -t filter -I INPUT 1 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
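As an added example (not from the original post), here is the same stateful INPUT policy written as an iptables-restore file rather than a series of -A / -I commands. iptables-restore loads the whole table atomically and applies rules in file order, so "insert above the deny" simply means writing the ACCEPT line before the LOG line and the DROP policy. The interface name eth0 and the ports 22 and 80 are assumptions; the rule_position helper is also mine, added so the ordering can be checked before anything is loaded.

```shell
#!/bin/sh
# Added example, not part of the original post: a stateful INPUT policy in
# iptables-restore syntax. Rules apply in file order, so the "insert above the
# deny" problem solved with -I in the post becomes "write the ACCEPT earlier".
# Assumptions: eth0 faces the untrusted network; SSH on 22/tcp, HTTP on 80/tcp.

WAN_IF="${WAN_IF:-eth0}"   # assumed interface name

# Print the filter table. Lines starting with '#' are ignored by iptables-restore.
filter_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first, or local services that talk to 127.0.0.1 break
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (the state match used in the post)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets that claim to belong to a connection conntrack has never seen
-A INPUT -m state --state INVALID -j DROP
# services this host offers; NEW is enough because ESTABLISHED is matched above
-A INPUT -i ${WAN_IF} -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport 80 -m state --state NEW -j ACCEPT
# rate-limited log of what the DROP policy is about to discard (lands in /var/log/messages)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# 1-based position of the first INPUT rule matching a pattern, i.e. the number
# 'iptables -L INPUT --line-numbers' would show after loading; prints 0 when absent.
rule_position() {
    pos=$(filter_ruleset | grep '^-A INPUT' | grep -n -- "$1" | head -n1 | cut -d: -f1)
    echo "${pos:-0}"
}

# No argument: print the ruleset for review. 'apply': load it and persist it.
case "${1:-}" in
    apply) filter_ruleset | iptables-restore && service iptables save ;;
    *)     filter_ruleset ;;
esac
```

Run it with no arguments to print the ruleset for review, or with `apply` as root to load it (iptables-restore only replaces the tables named in the file) and save it to /etc/sysconfig/iptables. Afterwards `iptables -L INPUT -n -v --line-numbers` shows each rule's position and packet counters, which is the quickest way to confirm a rule sits where you expect and is actually being hit.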

SNAT Example

iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -s -o eth0 -j ACCEPT

Port Forwarding Example
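As an added example (not from the original post), the following iptables-restore file completes the SNAT example above and adds the port-forwarding (DNAT in PREROUTING) case that the NAT section describes. The post leaves the -s value blank, so the LAN subnet 192.168.1.0/24, the interfaces eth0 (internet) and eth1 (LAN), and the internal web server 192.168.1.10 are all assumptions; the chain_rules helper is mine, added so each chain can be reviewed before loading.

```shell
#!/bin/sh
# Added example, not part of the original post: the NAT and filter tables for a
# CentOS 7 gateway in iptables-restore syntax, covering both cases the NAT
# section describes: SNAT (MASQUERADE) for LAN clients reaching the internet,
# and DNAT (port forwarding) of an internet-facing port to a LAN host.
# Assumptions (the post leaves -s blank): eth0 faces the internet, eth1 the LAN,
# the LAN is 192.168.1.0/24 and a web server sits at 192.168.1.10.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # assumed LAN subnet
DNAT_TARGET="${DNAT_TARGET:-192.168.1.10}"  # assumed internal web server

gateway_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT happens before routing: rewrite WAN:80 -> ${DNAT_TARGET}:80
-A PREROUTING -i ${WAN_IF} -p tcp --dport 80 -j DNAT --to-destination ${DNAT_TARGET}:80
# SNAT happens after routing: hide the LAN behind whatever address ${WAN_IF} has
-A POSTROUTING -o ${WAN_IF} -s ${LAN_NET} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the gateway itself: loopback, replies, and SSH from the LAN side only
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${LAN_IF} -p tcp --dport 22 -m state --state NEW -j ACCEPT
# NAT only rewrites addresses; FORWARD still decides whether the packet passes.
# Order matters: replies first, then only the forwarded port, not the whole host.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${DNAT_TARGET} -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
COMMIT
EOF
}

# Print the rules of one chain from the generated file (e.g. chain_rules nat PREROUTING)
# so the ruleset can be reviewed table by table before it is loaded.
chain_rules() {
    gateway_ruleset | awk -v t="*$1" -v c="-A $2 " '
        $0 == t    { in_table = 1; next }
        /^COMMIT$/ { in_table = 0 }
        in_table && index($0, c) == 1 { print }'
}

# Forwarding is off by default on CentOS 7; without it the FORWARD chain never sees traffic.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gateway_ruleset | iptables-restore && service iptables save
}

# No argument: print the ruleset for review. 'apply': enable forwarding, load and persist.
case "${1:-}" in
    apply) apply_ruleset ;;
    *)     gateway_ruleset ;;
esac
```

The FORWARD rule for the forwarded port is deliberately narrower than the DNAT rule: the nat table only rewrites the destination, and it is the filter table that limits outside access to TCP/80 on that one host rather than everything behind the gateway. To make the forwarding sysctl survive a reboot, put `net.ipv4.ip_forward = 1` in a file under /etc/sysctl.d/ as well.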

OpenVPN Example

