History of iptables
The iptables tool was born around 1999 when Paul "Rusty" Russell, during a meeting in Canada introduced an idea to adopt a multiple table framework for security. This new idea would replace the previous, and far less flexible, ipnatctl. Russell's iptables was an instant success and was adopted as the defacto standard for security.
Command structure
The iptables command structure looks something like this:
iptables [-t table] -[AD] chain rule-specification [options]
It looks a bit confusing at first. Let's take a look at an full-blown command to make it easier to discern.
iptables -A INPUT -p tcp -j DROP
What the above iptables command does is this:
- The -A indicates this is a new chain and that the chain is called INPUT.
- The -p indicates what follows is the protocol (tcp or udp) this chain will watch for.
- The -j means if anything has matched so far, to take the action that follows. The DROP means the packet is to be dropped and will not make it to its destination.
The above is a bit of an over-simplification, but it makes iptables easily understood. But let's explain it all a bit further.
The iptables system works like this:
The administrator creates chains which form a table.
Each chain is defined as either an INPUT or OUTPUT chain. This means it either watches traffic going IN or OUT of the system. The administrator defines what protocol the chain is to watch for, and/or any of the following:
- The interface.
- The source address (where the network packet originated from).
- The source port.
- What to do with the matching packet.
The iptables tool can be used in various ways. The simplest (but less efficient) is to run (as root) individual iptables commands to add chains to a table. A more efficient way is to write all of your chains into a script so all the chains will be issued with a single command.
Final Thoughts
What you have just read is a very basic introduction to iptables. As with any means of security, iptables can quickly become quite complicated. But understanding the fundamentals is crucial to being able to grasp iptables on any level. And once you have a solid understanding of iptables, you can create Linux security as solid as you can imagine.
No comments:
Post a Comment