This chapter and the upcoming three chapters will discuss at length how to
build your own rules. A rule could be described as the directions the firewall
will adhere to when blocking or permitting different connections and packets
in a specific chain. Each line you write that's inserted in a chain should be
considered a rule. We will also discuss the basic matches that are available,
and how to use them, as well as the different targets and how we can construct
new targets of our own (i.e.,new sub chains).
This chapter will deal with the raw basics of how a rule is created and how you
write it and enter it so that it will be accepted by the userspace program
iptables, the different tables, as well as the commands that
you can issue to iptables. After that we will in the next chapter look at all
the matches that are available to iptables, and then get
more into detail of each type of target and jump.
As we have already explained, each rule is a line that the kernel looks at to
find out what to do with a packet. If all the criteria - or matches - are met,
we perform the target - or jump - instruction. Normally we would write our
rules in a syntax that looks something like this:
iptables [-t table] command [match] [target/jump]
There is nothing that says that the target instruction has to be the last
function in the line. However, you would usually adhere to this syntax to get
the best readability. Anyway, most of the rules you'll see are written in this
way. Hence, if you read someone else's script, you'll most likely recognize the
syntax and easily understand the rule.
If you want to use a table other than the standard table, you could insert
the table specification at the point at which [table] is specified. However,
it is not necessary to state explicitly what table to use, since by default
iptables uses the filter table on
which to implement all commands. Neither do you have to specify the table at
just this point in the rule. It could be set pretty much anywhere along the
line. However, it is more or less standard to put the table specification at
One thing to think about though: The command should always come first, or
alternatively directly after the table specification. We use 'command' to tell
the program what to do, for example to insert a rule or to add a rule to the
end of the chain, or to delete a rule. We shall take a further look at this
The match is the part of the rule that we send to the kernel that details the
specific character of the packet, what makes it different from all other
packets. Here we could specify what IP address the packet comes from, from
which network interface, the intended IP address, port, protocol or whatever.
There is a heap of different matches that we can use that we will look closer
at further on in this chapter.
Finally we have the target of the packet. If all the matches are met for a
packet, we tell the kernel what to do with it. We could, for example, tell the
kernel to send the packet to another chain that we've created ourselves, and
which is part of this particular table. We could tell the kernel to drop the
packet dead and do no further processing, or we could tell the kernel to send
a specified reply to the sender. As with the rest of the content in this
section, we'll look closer at it further on in the chapter.