
10 iptables features you must know

Photo By Lewis Kang’ethe Ngugi, unsplash.com/@ngeshlew

Any firewall has many functions you probably don't know about. They are useful not only for network engineers but for any IT engineer. Let's start!

1. Filtering

This is the main function of a firewall and what firewalls were created for: you can block some traffic and let the rest through. The main Linux firewall is iptables (or its modern replacement, nftables), which is part of the netfilter project.

There are many criteria for creating filtering rules. You can filter by source IP address, destination IP address, source port, destination port, protocol, and so on.

Here is an example:

# iptables -A OUTPUT -p udp -m udp -d 8.8.8.8 --dport 53 -j DROP

The rule above blocks outgoing DNS queries to Google's public resolver. Note that --dport must come after -p udp (or -m udp), because iptables parses options left to right and only knows --dport once the protocol match is loaded.

2. Rules order

This is the most important feature, because if you are not aware of it you will make mistakes. Every firewall applies rules from top to bottom, and the first matching rule wins. Keep that in mind. Here is an example of the wrong order:

# iptables -A FORWARD -s 192.168.0.0/24 -j DROP
# iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT

The first rule blocks traffic from the 192.168.0.0/24 network, then the rule below allows traffic from the 192.168.0.0/16 network. As you can see, the 192.168.0.0/16 network is wider than 192.168.0.0/24 and includes the latter. This means that the first rule has no effect. To fix this, you should change the order of the rules, as follows:

# iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
# iptables -A FORWARD -s 192.168.0.0/24 -j DROP
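To make first-match evaluation concrete, here is an added example (not code from the article) that models the two FORWARD chains above as Python data and walks them top down the way iptables does; it also flags rules that can never fire because an earlier rule already covers their whole source network. The chain policy is assumed to be ACCEPT.

```python
import ipaddress

# Constructed rule lists mirroring the two FORWARD chains on the page.
# Each rule is (source network as in -s, target as in -j).
RULES_AS_WRITTEN = [("192.168.0.0/24", "DROP"), ("192.168.0.0/16", "ACCEPT")]
RULES_REORDERED = [("192.168.0.0/16", "ACCEPT"), ("192.168.0.0/24", "DROP")]


def first_match(rules, src_ip, policy="ACCEPT"):
    """Return the target of the first rule whose -s network contains src_ip.

    iptables walks a chain from the top and stops at the first match; when
    nothing matches, the chain policy applies (assumed ACCEPT here).
    """
    addr = ipaddress.ip_address(src_ip)
    for net, target in rules:
        if addr in ipaddress.ip_network(net):
            return target
    return policy


def shadowed_rules(rules):
    """Return the indices of rules that can never match.

    A rule is shadowed when an earlier rule's -s network is a superset of
    its own network: every packet it could match was already decided above.
    """
    nets = [ipaddress.ip_network(net) for net, _ in rules]
    return [i for i, net in enumerate(nets)
            if any(net.subnet_of(nets[j]) for j in range(i))]


if __name__ == "__main__":
    for name, rules in (("as written", RULES_AS_WRITTEN),
                        ("reordered", RULES_REORDERED)):
        print(name,
              "192.168.0.10 ->", first_match(rules, "192.168.0.10"),
              "192.168.7.10 ->", first_match(rules, "192.168.7.10"),
              "shadowed rule indices:", shadowed_rules(rules))
```

Running it shows which of the two orders lets the DROP rule fire at all, so you can check that the order you chose matches what you actually want for the /24.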

3. DNAT & SNAT

This is another important job done by a firewall. If you use the internet at home, you probably want all of your devices to be online, but you have only one public ("white") IP address. The firewall inside your router solves this with source network address translation (SNAT): every outgoing IP packet is rewritten to carry the same public source address, and the firewall remembers where the reply traffic should go (this is connection tracking).

Example:

# iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -j SNAT --to-source xxx.xxx.xxx.xxx

where 10.0.0.0/16 is your local network and --to-source xxx.xxx.xxx.xxx specifies your external IP address.

The opposite is DNAT, which is less widely used: it replaces the destination IP address. Use it when one of your home devices, sitting behind the firewall, should be reachable from the internet.

Example:

# iptables -t nat -A PREROUTING -i wlan0 -d xxx.xxx.xxx.xxx -j DNAT --to-destination 10.0.0.7

where -d xxx.xxx.xxx.xxx is your external IP address and 10.0.0.7 is the IP address of the device you want to make public.

Just keep in mind that SNAT and DNAT are opposites, and so is their configuration: POSTROUTING vs PREROUTING, --to-source xxx.xxx.xxx.xxx vs --to-destination 10.0.0.7, and so on.

4. Shaping and QoS

Yes, a firewall like iptables can be used for traffic shaping and QoS (Quality of Service), in combination with tc.

Here is a simple example that shapes bandwidth for port 80 (HTTP traffic):

# tc qdisc add dev enp0s3 root handle 1: htb (1)
# tc class add dev enp0s3 parent 1: classid 1:10 htb rate 1mbit (2)
# iptables -t mangle -A POSTROUTING -p tcp -m tcp --dport 80 -j CLASSIFY --set-class 1:10 (3)

Line 1 creates the root queueing discipline; line 2 creates an HTB class with a 1 mbit token bucket, attached directly to the root qdisc 1: (a class cannot hang off a parent class that does not exist yet). Adjust the rule to your needs: whether you match on --dport or --sport depends on the direction of the traffic.

Line 3 classifies traffic into the class with major number 1 and minor number 10. The CLASSIFY target may be used only in the POSTROUTING chain of the mangle table. If you need to classify somewhere else, use MARK instead of line 3:

# iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j MARK --set-mark 0x01
# iptables -t mangle -A POSTROUTING -m mark --mark 0x1 -j CLASSIFY --set-class 1:10

An example of QoS (prioritizing traffic): how to minimize latency for ssh traffic, which actually already has ToS (Type of Service) set:

# iptables -t mangle -A POSTROUTING -p tcp -m tos --tos 0x10 -m tcp --dport 22 -j CLASSIFY --set-class 1:0

5. Brute force protection

It is a best practice to limit connection attempts to ssh or any other service to prevent brute forcing. I am sure you have heard of the fail2ban Python script. The script adds to iptables the addresses that made unsuccessful attempts. There is a more efficient solution!

In such a case the firewall itself will help you out! In iptables there are special modules for this: limit, hashlimit and recent.

Example:

# iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set (1)
# iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 6 --hitcount 4 -j DROP (2)

In the example, iptables adds the source IP address of every new ssh connection to a list (1); then anyone attempting to guess the ssh password more than 4 times within 6 seconds is banned (2). It works purely on timestamps, because iptables knows nothing about the ssh protocol. Access from the banned address is restored once the timestamps age out of the window (6 seconds in this example).
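To see how the two recent rules above behave over time, here is an added example (not code from the article) that models the xt_recent list: rule 1 (--set) stamps every NEW packet, rule 2 (--update --seconds 6 --hitcount 4) drops once enough stamps fall inside the window. The per-address stamp limit is an assumption taken from the kernel's default ip_pkt_list_tot of 20.

```python
from collections import defaultdict

WINDOW_SECONDS = 6   # --seconds 6
HITCOUNT = 4         # --hitcount 4
MAX_STAMPS = 20      # assumed default ip_pkt_list_tot of xt_recent


class RecentList:
    """Constructed model of one xt_recent list for the two rules on the page."""

    def __init__(self):
        self.stamps = defaultdict(list)   # source address -> list of timestamps

    def new_connection(self, src, now):
        """Return the verdict for a NEW tcp/22 packet from src at time now."""
        stamps = self.stamps[src]
        # Rule 1: -m recent --set has no -j target, so it always records the
        # packet's timestamp and the packet falls through to rule 2.
        stamps.append(now)
        del stamps[:-MAX_STAMPS]          # the kernel keeps a bounded ring
        # Rule 2: count stamps inside the window, including this packet.
        # Stamps older than now - WINDOW_SECONDS are ignored.
        hits = sum(1 for t in stamps if t >= now - WINDOW_SECONDS)
        if hits >= HITCOUNT:
            # --update refreshes the entry on match; rule 1 already stamped
            # this packet, so a persistent attacker stays banned.
            return "DROP"
        return "ACCEPT"


def run_scenario(attempts):
    """attempts: list of (src, seconds). Returns the verdict per attempt."""
    recent = RecentList()
    return [recent.new_connection(src, t) for src, t in attempts]


if __name__ == "__main__":
    # Constructed scenario: one source hammers ssh once a second, another
    # source connects once, then the first source returns after a pause.
    scenario = [("203.0.113.5", t) for t in range(0, 5)]
    scenario += [("198.51.100.9", 3), ("203.0.113.5", 11)]
    for (src, t), verdict in zip(scenario, run_scenario(scenario)):
        print(f"t={t:>2}s {src:<13} {verdict}")
```

Because every new attempt adds a fresh stamp, an attacker who keeps trying during the ban never gets out of the window; the ban only lifts after a pause long enough for the old stamps to expire.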

6. DROP vs REJECT

These two actions look similar, but they are different.

The difference is that:

  • REJECT discards the packet and sends an error reply (by default an ICMP message) back to the sender.
  • DROP just throws the packet away and forgets about it.

If you are using a firewall just to protect your home network, it doesn't matter which action you use. However, in complex networks with complex firewall settings, using DROP might have unexpected effects.

Example of DROP action:

# iptables -A INPUT -p icmp -j DROP

and try to ping the machine:

denis@linux:~$ ping example.com
PING 8.47.17.77 (8.47.17.77) 56(84) bytes of data.
--- example.com ping statistics ---
40 packets transmitted, 0 received, 100% packet loss, time 39921ms

Example of REJECT action:

# iptables -A INPUT -p icmp -j REJECT

and ping the machine:

denis@linux:~$ ping example.com
PING 8.47.17.77 (8.47.17.77) 56(84) bytes of data.
From 8.47.17.77 (8.47.17.77) icmp_seq=1 Destination Port Unreachable
From 8.47.17.77 (8.47.17.77) icmp_seq=2 Destination Port Unreachable
From 8.47.17.77 (8.47.17.77) icmp_seq=3 Destination Port Unreachable
From 8.47.17.77 (8.47.17.77) icmp_seq=4 Destination Port Unreachable
From 8.47.17.77 (8.47.17.77) icmp_seq=5 Destination Port Unreachable
--- example.com ping statistics ---
6 packets transmitted, 0 received, +5 errors, 100% packet loss, time 5000ms

I suppose comments are unnecessary.

7. Working with large IP address sets

For efficient work with a large number of addresses and networks, where matching against each one in turn would be slow, there is a special module: ipset. It keeps the addresses in a hash set optimized for network lookups, and a single rule matches against the whole set.

Example:

# ipset -N ddos nethash
# ipset -A ddos 157.240.0.0/16
# iptables -I INPUT -m set --match-set ddos src -j DROP

Here is the ssh brute force rule from point 5 rewritten using ipset:

# ipset -N ssh nethash timeout 3600
# iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 6 --hitcount 4 -j SET --add-set ssh src
# iptables -A INPUT -m set --match-set ssh src -j DROP

A banned IP address can be removed from the set manually:

# ipset del ssh 116.203.xxx.xxx

or you can wait until the entry expires (1 hour).

8. Routing

Sometimes it is necessary to send traffic along a different route instead of the default one.

This is also possible with iptables, in conjunction with the ip utility from the iproute2 package.

Mark the entire connection in iptables with the CONNMARK target, then let it go out via a specific network interface defined in a dedicated routing table:

Example:

# iptables -t mangle -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j CONNMARK --set-mark 0x2
# iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
# ip route add default via 172.31.1.1 dev eth0 table 120
# ip rule add fwmark 0x2/0x2 lookup 120

9. Forwarding traffic

Imagine your web site has been migrated and you changed the DNS A record. The record has a TTL, and until it expires some clients go to the new site while others still go to the old one. Using iptables on the old server, all clients can be forced to the new version of the site instead of the old one.

Take a look:

# iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination xxx.xxx.xxx.xxx:443
# iptables -t nat -A POSTROUTING -j MASQUERADE

With iptables you don't need the redir utility.

10. DDoS protection

There are many kinds of DDoS. In some cases a single iptables rule is enough, for example for SYN flood protection, to drop packets from an attacker:

# ipset -N ddos nethash timeout 3600
# iptables -t mangle -A PREROUTING -p tcp --syn -m hashlimit --hashlimit-above 200/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name ddos-banned -j SET --add-set ddos src
# iptables -A INPUT -m set --match-set ddos src -j DROP

Here the IP addresses that match the criteria are put into the ipset for 3600 seconds. Specifying the PREROUTING chain is very important, because it is the first chain in the iptables packet flow.

Of course, DDoS protection is not limited to this rule. You can add other TCP flags (RST, ACK, FIN) to the filter criteria or combine them.

It is also possible to protect your server from an HTTP flood: just modify the rule from point 7 (using the connlimit module) or this rule. It depends on which level of TCP you want to protect.

Conclusion

Sometimes iptables can replace well-known and familiar tools, and do so more efficiently: iptables is implemented in the Linux kernel and does not need many resources. iptables is highly efficient at dropping packets at the TCP stage, whereas scripts like fail2ban scan logs, analyze them, and only then decide whether to ban.

This article does not fully cover the capabilities of iptables, which is powerful and flexible; I just wanted to show some examples of using iptables in everyday tasks without installing additional utilities. Note that nowadays iptables is considered legacy and you should migrate to nftables.

10 iptables features you must know was originally published in FAUN Publication on Medium, where people are continuing the conversation by highlighting and responding to this story.