Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




Debian GNU/Linux Reference Guide
Prev Home Next

10.12.1 Netfilter configuration

The netfilter/iptables project is a firewalling subsystem for Linux 2.4 and after. See Netfilter, where many network configuration issues are explained. Basics of netfilter

Netfilter process packets use five built-in chains: PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING.

     IN ------> PRE ---> ------> FORWARD -----> ----> POST -----> OUT
     interface  ROUTING  \       filter       /       ROUTING     interface
                DNAT     |       tracking     ^       SNAT
                REDIRECT |                    |       MASQUERADE
                         v                    |
                       INPUT                OUTPUT
                         | filter             ^ filter,DNAT 
                         v                    |
                         \--> Local Process --/
                              user-space programs Netfilter table

Packets are processed at each built-in chain using the following tables.

  • filter (packet filter, default)

    • INPUT (for packets coming into the box itself)

    • FORWARD (for packets being routed through the box)

    • OUTPUT (for locally generated packets).

  • nat (network address translation )

    • PREROUTING (for altering packets as soon as they come in)

    • OUTPUT (for altering locally generated packets before routing)

    • POSTROUTING (for altering packets as they are about to go out)

  • mangle (network address mangling, good only after 2.4.18)

    • all five built-in chains. Netfilter target

Firewall rules have several targets:

  • four basic targets:

    • ACCEPT means to let the packet through.

    • DROP means to drop the packet.

    • QUEUE means to pass the packet to userspace (if supported by the kernel).

    • RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain.

  • extended targets:

    • LOG turns on kernel logging.

    • REJECT sends back an error packet and drops the packet.

    • SNAT alters the source address of the packet and is used only in the POSTROUTING chain. (nat table only)

           --to-source ipaddr[-ipaddr][:port-port]
    • MASQUERADE is the same as SNAT but for dynamically assigned IP (dialup) connections. (nat table only)

           --to-ports port[-port]
    • DNAT alters the destination address of the packet and is used in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. (nat table only)

           --to-destination ipaddr[-ipaddr][:port-port]
    • REDIRECT alters the destination IP address to send the packet to the machine itself.

           --to-ports port[-port] Netfilter commands

The basic commands of iptables are:

     iptables -N chain                   # create a chain
     iptables -A chain \                 # add rule to chain
              -t table \                 # use table (filter, nat, mangle)
              -p protocol \              # tcp, udp, icmp, or all,
              -s source-address[/mask] \
              --sport port[:port] \      # source port if -p is tcp or udp
              -d destination-address[/mask] \
              --dport port[:port] \      # dest. port if -p is tcp or udp
              -j target \                # what to do if match
              -i in-interface-name \     # for INPUT,  FORWARD, PREROUTING
              -o out-interface-name      # for FORWARD, OUTPUT, POSTROUTING Network Address Translation

Machines on a LAN can access Internet resources through a gateway that translates IP address on the LAN to IP addresses usable on the Internet.

     # apt-get install ipmasq

Apply example rules to strengthen the ipmasq protection. See /usr/share/doc/ipmasq/examples/stronger/README. For Debian kernel-image-2.4 under woody, make sure to load the proper modules. Sarge version of ipmasq fixed this issue. See Network function, Section 7.2.3 for configuration instructions.

For Debian kernel-image-2.2, edit Z92timeouts.rul in /etc/masq/rules as follows to ensure a longer connection to remote sites (good for large emails, etc.):

     # tcp, tcp-fin, udp
     # 2hr, 10 sec, 160 sec - default
     # 1 day, 10 min, 10 min - longer example
     $IPCHAINS -M -S 86400 600 600

Also, if the network is accessed through a PCMCIA NIC, ipmasq needs to be started either from /etc/pcmcia/network.opts (read: /usr/share/doc/ipmasq/ipmasq.txt.gz) or from /etc/network/interfaces (read: Network configuration and PCMCIA, Section 10.8.5 and Triggering network configuration, Section 10.8). Redirect SMTP connection (2.4)

Suppose you have a notebook PC which is configured to use other LAN environments and you want to use your mail user agent on the notebook PC without reconfiguring it.

Adding the following rules through the iptables command to the gateway machine will redirect the SMTP connection to the gateway machine.

     # iptables -t nat -A PREROUTING -s -j REDIRECT \
                -p tcp --dport smtp --to-port 25 # smtp=25, INPUT is open

For a more thorough redirect rule set consider installing the ipmasq package and adding M30redirect.def to the /etc/ipmasq/rules/ directory.

Debian GNU/Linux Reference Guide
Prev Home Next

  Published under the terms of the GNU General Public License Design by Interspire