Iptables Tables
The iptables firewall is used to manage packet filtering and NAT rules. iptables
comes with all Linux distributions. Understanding how to set up and configure
iptables will help you manage your Linux firewall effectively.
The iptables tool is used to manage the Linux firewall rules. At first look,
iptables might look complex (or even confusing). But once you understand
the basics of how iptables works and how it is structured, reading and writing
iptables firewall rules will be easy.
This article is part of an ongoing iptables tutorial series. This is the 1st article
in that series.
This article explains how iptables is structured and covers the
fundamentals of iptables tables, chains and rules.
At a high level, iptables might contain multiple tables. Tables might contain
multiple chains. Chains can be built-in or user-defined. Chains might contain
multiple rules. Rules are defined for the packets.
So the structure is: iptables -> Tables -> Chains -> Rules. This is shown in
the following diagram.
1. Filter Table
Filter is the default table for iptables. So, if you don't define your own table, you'll
be using the filter table. The iptables filter table has the following built-in chains.
INPUT chain
OUTPUT chain
FORWARD chain
2. NAT table
The iptables NAT table has the following built-in chains.
PREROUTING chain
POSTROUTING chain
OUTPUT chain
3. Mangle table
The iptables Mangle table is for specialized packet alteration. This alters QoS
bits in the TCP header. The Mangle table has the following built-in chains.
PREROUTING chain
OUTPUT chain
FORWARD chain
INPUT chain
POSTROUTING chain
4. Raw table
The iptables Raw table is for configuration exemptions. The Raw table has the
following built-in chains.
PREROUTING chain
OUTPUT chain
Target Values
Following are the possible special values that you can specify in the target.
ACCEPT The firewall lets the packet through, and no further rules in this
table are checked for it.
DROP The firewall silently discards the packet, sending nothing back.
QUEUE The firewall hands the packet to a userspace program for a decision.
RETURN The firewall stops executing the remaining rules in the
current chain for this packet. Control returns to the calling
chain (for a built-in chain, the chain policy decides the packet's fate).
If you run iptables --list (or service iptables status), you'll see all the available
firewall rules on your system. The following iptables example shows that there
are no firewall rules defined on this system. As you can see, it displays the
default filter table, with the default INPUT chain, FORWARD chain, and OUTPUT
chain.
# iptables -t filter --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Note: If you don't specify the -t option, it will display the default filter table.
So, both of the following commands are the same.
# iptables -t filter --list
(or)
# iptables --list
The following iptables example shows that there are some rules defined in the
INPUT, FORWARD, and OUTPUT chains of the filter table.
# iptables --list
Chain INPUT (policy ACCEPT)
num  target               prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

[The FORWARD and OUTPUT chain listings, and rules 1-4 of the chain below
(one of them an "icmp type" match), did not survive extraction.]

Chain RH-Firewall-1-INPUT
num  target     prot opt source               destination
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
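As an added example (not code from the original article), the following POSIX shell script reads a listing in the iptables --list --line-numbers format shown above and answers the questions a firewall review asks of each chain: what its policy is, how many rules it holds, where a packet ends up when it matches none of the earlier rules (following the jump from INPUT into the user-defined RH-Firewall-1-INPUT chain), and which destination ports are accepted. The embedded listing is a constructed sample modelled on the chains and rules on this page, and the function names and the catch-all assumption in effective_terminal are choices made for this example. It needs only sh and awk, so it runs without root; to audit a real host, replace the sample with the output of iptables -t filter -L -n --line-numbers.

```sh
#!/bin/sh
# Added example, not part of the original article: summarise an
# `iptables --list --line-numbers` style listing chain by chain, without
# needing root or a live firewall. SAMPLE_LISTING is a constructed sample
# modelled on the article's listing (filter table: the built-in INPUT, FORWARD
# and OUTPUT chains plus the user-defined RH-Firewall-1-INPUT chain).

SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target               prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target               prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target               prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# One line per chain: NAME policy=<built-in policy or "-"> rules=<count> last=<target of final rule or "-">
# A user-defined chain has no policy: when its rules run out (or a RETURN fires),
# control goes back to the chain that jumped to it.
summarize_chains() {
    printf '%s\n' "$SAMPLE_LISTING" | awk '
        /^Chain / {
            chain = $2; pol = "-"
            if ($3 == "(policy") { pol = $4; sub(/\)$/, "", pol) }
            policy[chain] = pol; count[chain] = 0; order[++n] = chain
            next
        }
        NF == 0 || /^num / || /^target / { next }          # blank lines and column headers
        $1 ~ /^[0-9]+$/ { count[chain]++; last[chain] = $2; next }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                l = (c in last) ? last[c] : "-"
                printf "%s policy=%s rules=%d last=%s\n", c, policy[c], count[c], l
            }
        }'
}

# chain_field CHAIN KEY -> the KEY value (policy, rules or last) for CHAIN; empty if CHAIN is unknown
chain_field() {
    summarize_chains | awk -v c="$1" -v k="$2" '
        $1 == c { for (i = 2; i <= NF; i++) { split($i, kv, "="); if (kv[1] == k) print kv[2] } }'
}

# effective_terminal CHAIN -> what happens to a packet that matches none of the
# chain's earlier rules: the final rule's target, following jumps into
# user-defined chains, or the built-in policy when the chain has no rules.
# Simplification (constructed for this example): the final rule is assumed to be
# a catch-all such as the "all -- 0.0.0.0/0 0.0.0.0/0" rules above.
effective_terminal() {
    pol=$(chain_field "$1" policy)
    last=$(chain_field "$1" last)
    if [ -z "$last" ] || [ "$last" = "-" ]; then
        echo "$pol"
    elif [ -n "$(chain_field "$last" policy)" ]; then    # final target names another chain: follow it
        effective_terminal "$last"
    else
        echo "$last"
    fi
}

# accepted_ports CHAIN -> "proto dpt:N" for every ACCEPT rule in CHAIN that names a destination port
accepted_ports() {
    printf '%s\n' "$SAMPLE_LISTING" | awk -v c="$1" '
        /^Chain / { cur = $2; next }
        cur == c && $1 ~ /^[0-9]+$/ && $2 == "ACCEPT" {
            for (i = 3; i <= NF; i++) if ($i ~ /^dpt:/) print $3, $i
        }'
}

echo "== chains =="
summarize_chains
for c in INPUT FORWARD OUTPUT; do
    echo "$c: unmatched traffic ends in $(effective_terminal "$c")"
done
echo "== ports accepted via RH-Firewall-1-INPUT =="
accepted_ports RH-Firewall-1-INPUT
```

The point of effective_terminal is that a chain's own policy can be misleading: INPUT has policy ACCEPT, yet every packet is handed to RH-Firewall-1-INPUT whose final rule is REJECT, so unmatched inbound traffic is refused. FORWARD and OUTPUT, with no rules, really do fall through to ACCEPT, which is what a reviewer would want flagged.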
The rules in the iptables list command output contain the following fields: