iptables example rulesets and utility programs
Example rulesets have been moved to their own page to reduce the length of this page.
History of netfilter features sorted by kernel version - very incomplete, I would welcome any additions.
Programs
Ruleset manipulation
-
confread, which allows you to make a more english-like configuration file (example)
-
view, which displays a summary of the iptables rules from an iptables-restore file, or if run as root with no arguments, the current table
-
mkscript, which converts these rulesets to shell scripts
-
patch, which takes two rulesets and outputs a script to move from one to the other (needs IPTables.pm)
-
fwsnort converts snort rules to an iptables ruleset
Ruleset debugging
-
trace - allows you to see what actions are taken on a packet as it goes through iptables. Use -v to see each rule that is checked.
This script uses IPTables.pm. There is no relation between this and the TRACE target
-
TRACE target - add this to the raw table (like
iptables -t raw -A PREROUTING -j TRACE) and the packets will be traced in the system log.
This has recently been added to the linux kernel. For older kernels, you will need to patch your kernel and iptables binaries with patch-o-matic and recompile them. See the README for a quick howto -
nfsim - full kernel-level simulation of netfilter code. More useful for debugging the kernel modules, but you can debug or test a ruleset with it
Log analysis
-
adcfw-log - firewall log analyzer/summarizer with several types of reports
-
IptablesWeb - Inspect iptables logs using a web browser, PHP, and MySQL
-
fire-log, which either displays a summary of firewall logs or runs a continuous summary (which I usually leave in a spare screen window). Config file
Active response
-
psad - detection of port scans
-
fwknop - single-packet knocking with an encrypted authentication
(this differs from the simple recent-module based knocking below because it requires a client, but is more secure)
Administration tools
-
ulogd - if you are using the LOG target for more than just debugging, ULOG is better for several reasons: it doesn't fill up dmesg, logs to a separate file or even database, and can log in tcpdump format
-
conntrack - Kernel 2.6.14 and later lets you manipulate the conntrack table from userspace. This program can list, add, remove, or clear entries from the conntrack table
-
ctview - a perl ncurses-based frontend to the conntrack tool above. Entries with an endpoint on the local system are resolved to the owning pid, uid, and command. You can also delete any entry by using 'd' when it is selected
Frontends
If you don't want to learn iptables, you can use one of several frontends to it. I haven't personally used any of them, but other people like them. There are many more on google; there are just the ones I have looked at.
-
KIptablesGenerator - a graphical frontend to iptables that generates a script and lets
you configure allowed ports and NAT
-
ipkungfu - generates an iptables ruleset from a set of config files in /etc/ipkungfu/.
Allows both simple and complex configuration including NAT and logging, or custom rules if needed
Information
Tutorials
-
Iptables Tutorial by Oskar Andreasson (local mirror) is a very nice starting place for iptables, but may be a bit long
-
netfilter.org howtos - Some of the external links on that page are outdated, but overall it is a good collection of information
Papers
Diagrams
Rulesets
These rulesets are in iptables-save format. I have written some simple documentation of the iptables-save format. I use this format for several reasons: it ensures there are no other rules in iptables, it loads faster, it avoids the possibility of a race condition that most iptables scripts have (although the race window would be about 1ms for most rulesets).
There are several ways to use these rulesets.
-
Use the scripts as an init script without any modifications
-
Use mkscript to convert the iptables-save file into a shell script and add the script to your init scripts
-
Save the ruleset as-is to /etc/iptables.conf and use this init script
-
Add
pre-up iptables-restore < /etc/iptables.conf to the internet-facing interface in /etc/network/interfaces (Debian-based Distributions only)
For the best security, a firewall should be applied before the internet-facing interface is brought up. If you have a dynamic IP and need to use it in your ruleset, consider loading a simple deny-all firewall (remember to allow DHCP) before bringing up the interface, then switching to the real firewall after the you get an IP.
Related scripts
- sysctl settings that may be useful if you are running a firewall.
References
The iptables 1.3.6 manpage, which has a full syntax description and covers all the modules.
Netfilter, the official iptables/netfilter website.
Ask in the freenode IRC channel #iptables for more information, or for any other reason. I'm usually in there as danieldg. If you have any other examples, send them to me and I'll put them up on this page.
Last modified Fri Mar 7 15:56:48 2008. ©2005-2007 Daniel De Graaf
