Dissecting an iptables Rule

IPTables is a tool for firewall / fine-grained packet manipulation on Linux systems. After reading this great tutorial, I decided to try something more interesting (root is required):

iptables -A FORWARD -p tcp --syn -s --dport ! 80 -m connlimit --connlimit-above 5 -j DROP

Let’s take this word-by-word and explain what this rule means:

  • -A
    This is the action we want to perform. It may be -A for append (add), -D for delete, -L for list, and some other ones I’ll let the man-page explain.
  • FORWARD
    This is the chain we want to perform the action upon. What’s a chain? It’s a path packets travel inside your computer / router. There are at least two: INPUT for packets entering, OUTPUT for packets going out. The FORWARD chain is present if you use NAT / Port Forwarding.
  • -p tcp
    This is the protocol we filter packets by. Most of the time, it will be TCP. However, there are other protocols, like UDP.
  • --syn
    This means we want to catch packets with the SYN/ACK flag. In more accessible language, these packets are used to initiate connections. So you may block them to secure your system!
  • -s
    This tells iptables to act upon packets with the source (-s) or destination (-d) specified. For ways to specify entire blocks / ranges of addresses, see the man-page.
  • --dport ! 80
    This instructs the program to set up this rule for packets traveling on all ports, except 80 (which is for WWW). A nice way to use !-s like in C, huh?
  • -m connlimit --connlimit-above 5
    We tell iptables to match (-m) packets using the connlimit module. Further, we use a switch particular to connlimit, instructing it to match all packets beyond the limit of 5 connections.
  • -j DROP
    This tells iptables what to do with the packets we spent so much valuable time collecting. Amongst the possible actions are ACCEPT to pass the packets along and DROP to get rid of them silently. There are others, check the man-page.

So what have we achieved? For all ports except 80, we limit the number of connections to 5. Peer-to-peer network users won’t be too happy :evil: Web browsing will continue to be fast, as we don’t touch any port-80 packet. Pretty nice for a one-line command, isn’t it?

But the fun isn’t over yet! Here’s how to list the rules:

  • iptables -L
    The Keep-It-Simple-Stupid (minimal) version.
  • iptables -L -v
    You also get to know how many packets / bytes each rule has matched.
  • iptables -L -v --line-number
    Each rule is preceded by its number (you’ll see why this matters in a moment).
    There’s something funny about how these long switches are implemented, because even this works:
    iptables -L -v --lin
    (--lin instead of the awkward --line-number)
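To make the word-by-word dissection above mechanical, here is a small Python dissector (an added example, not code from the post) that splits a rule into (option, negated, value) triples, accepts both the post's `--dport ! 80` negation and the `! --dport 80` form the iptables man page documents today (the former is deprecated), and resolves abbreviated long options by unique prefix, which is the getopt_long behaviour behind `--lin`: the full option is `--line-numbers`, so the post's `--line-number` is itself an abbreviation. The option table is a hand-picked subset and the 192.0.2.0/24 source network is a constructed stand-in for the address the post leaves out after `-s`.

```python
import shlex

# Options this dissector knows, with value counts (assumption: subset of the real set).
LONG_OPTS = {"--syn": 0, "--dport": 1, "--sport": 1, "--connlimit-above": 1,
             "--line-numbers": 0, "--verbose": 0, "--source": 1, "--destination": 1}
SHORT_OPTS = {"-A": 1, "-I": 1, "-p": 1, "-s": 1, "-d": 1, "-m": 1, "-j": 1}
# The post's rule, with a constructed source network (192.0.2.0/24, an RFC 5737
# documentation range) standing in for the address the post leaves out after -s.
POST_RULE = ("iptables -A FORWARD -p tcp --syn -s 192.0.2.0/24 --dport ! 80 "
             "-m connlimit --connlimit-above 5 -j DROP")

def resolve_long(opt):
    """Expand an abbreviated long option by unique prefix, as getopt_long does;
    this is why the post's --lin and --line-number both mean --line-numbers."""
    if opt in LONG_OPTS:
        return opt
    hits = [o for o in LONG_OPTS if o.startswith(opt)]
    if len(hits) != 1:
        raise ValueError(f"{opt}: {'ambiguous' if hits else 'unknown'} option")
    return hits[0]

def dissect(rule):
    """Split an iptables rule into (option, negated, value) triples, accepting the
    old intrapositioned negation (--dport ! 80) and the modern form (! --dport 80)."""
    argv = shlex.split(rule)
    argv = argv[1:] if argv[:1] == ["iptables"] else argv
    parts, negate, i = [], False, 0
    while i < len(argv):
        tok = argv[i]
        if tok == "!":                       # modern form: "!" precedes the option
            negate, i = True, i + 1
            continue
        if tok.startswith("--"):
            opt = resolve_long(tok)
            nvals = LONG_OPTS[opt]
        elif tok in SHORT_OPTS:
            opt, nvals = tok, SHORT_OPTS[tok]
        else:
            raise ValueError(f"unexpected token {tok!r}")
        value = None
        if nvals:
            if i + 1 < len(argv) and argv[i + 1] == "!":   # old form: --dport ! 80
                negate, i = True, i + 1
            if i + 1 >= len(argv) or argv[i + 1].startswith("-"):
                raise ValueError(f"{tok} needs a value")
            value, i = argv[i + 1], i + 1
        parts.append((opt, negate, value))
        negate, i = False, i + 1
    return parts
```

Calling `dissect(POST_RULE)` yields one triple per switch in the same order the post walks through them, with `--dport` flagged as negated.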

If you don’t specify a chain after the command, it lists the rules for all chains. Now, how to delete a rule? Simple:

  • iptables -D FORWARD 9
    Means delete (-D) rule #9 on the FORWARD chain. See where the line-numbers come in?
  • iptables -F INPUT
    Flush (-F) the INPUT chain. Delete all rules pertaining to it.
  • (see the man-page for more)

If this is not enough to get you up and running with IPTables, the man-page is always your friend. And so is Google (not always, but this time it is (-; )
