Firewall & iptables

In Linux, iptables is the kernel-level firewall feature.

iptables works by allowing you to create rules that can be applied to every packet that tries to enter (INPUT), leave (OUTPUT), or cross through your system (FORWARD).

Although allowing or blocking packets trying to enter your system is the primary feature of iptables, you can also create rules for iptables that let you do the following:

  • Block packets leaving your system effectively to prevent a process on your system from reaching a remote host, range of addresses, or selected services.
  • Forward packets from one network interface on your system to another, effectively allowing your computer to act as a router between two networks.
  • Port forward a packet intended for a selected port to be rerouted to another port on your local system, or to a remote system, so that other locations can handle the request from the packet.
  • Change information in a packet header (called mangling) to redirect the packet or somehow mark it for more processing.
  • Allow multiple computers on a private network (such as the computers, televisions, or other devices on your home network) to communicate with the Internet over a single public IP address. (This is referred to as IP masquerading.)

A firewall is either network-based or host-based
A firewall is either a hardware or a software firewall
A firewall is either a network-layer filter or an application-layer filter

On a Linux system, the firewall is a host-based, network-layer, software firewall managed
by the iptables utility and related kernel-level components.

For recent RHEL and Fedora releases, the iptables firewall backend was replaced with nftables.

Underlying the Cockpit and firewalld services is the iptables facility. If the system has no Cockpit or firewalld, or firewalld is disabled, we can still use the iptables service directly: we can set iptables firewall rules manually and run the iptables service without the firewalld service.

Understanding the iptables utility

Tables
filter – nat – mangle – raw – security

Chains
INPUT – FORWARD – OUTPUT – PREROUTING – POSTROUTING

Policies

Rules

-A, --append         append a rule at the end of the chain
-C, --check          check whether a rule exists in the chain
-D, --delete         delete a rule (by rule specification, or by rule number counting from 1)
-I, --insert         insert a rule at a numbered location in the chain
-R, --replace        replace a rule in the chain
-P, --policy         set the policy for the chain to the given target
-L, --list           list all rules (in the selected chain, or in every chain)
--line-numbers       add line numbers to the beginning of each rule
-i, --in-interface   input interface
-o, --out-interface  output interface
--dport              match packets of the given protocol coming into (destined for) the designated port#
--sport              match packets of the given protocol sent from (sourced at) the designated port#

Example

iptables -A INPUT -s 10.140.67.22 -p tcp --dport 22 -j DROP
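The single DROP rule above only makes sense inside a complete INPUT policy, so here is an added example (not from the original page) that combines the options listed in the table into a small host-based ruleset. It keeps the page's host 10.140.67.22, assumes a constructed admin network 192.0.2.0/24 as the only source allowed to reach SSH, and separates generating the rules from applying them so the set can be reviewed before it touches the kernel. Applying it requires root and the iptables binary; generating and counting the rules does not.

```shell
#!/bin/sh
# Added example: minimal host-based INPUT policy built from the iptables
# options described above. ADMIN_NET is a constructed placeholder; the
# blocked host comes from the page's own example.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"       # assumption: where SSH logins originate
BLOCKED_HOST="${BLOCKED_HOST:-10.140.67.22}" # host from the page's example

# build_ruleset prints the commands one per line. Order matters: iptables
# stops at the first matching rule, so the specific DROP precedes the ACCEPT.
build_ruleset() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s ${BLOCKED_HOST} -p tcp --dport 22 -j DROP
iptables -A INPUT -s ${ADMIN_NET} -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh-denied: "
EOF
}

# rule_count returns how many -A (append) rules the generated set contains;
# the -P policy lines are not counted.
rule_count() {
    build_ruleset | grep -c -- ' -A '
}

# ensure_rule appends a rule only when -C reports it is missing, so
# re-running a script does not leave duplicate rules in the chain.
ensure_rule() {
    chain=$1
    shift
    iptables -C "$chain" "$@" 2>/dev/null || iptables -A "$chain" "$@"
}

# apply_ruleset flushes INPUT, loads the generated rules, then lists the
# result with line numbers so individual rules can later be deleted by number.
apply_ruleset() {
    iptables -F INPUT
    build_ruleset | sh -e
    iptables -L INPUT -n --line-numbers
}

case "${1:-}" in
    apply) apply_ruleset ;;   # run as root: ./hostfw.sh apply
    *)     build_ruleset ;;   # default: print the rules for review
esac
```

Run the script with no argument to review the generated commands, and with `apply` as root to load them. The trailing LOG rule records SSH attempts that neither the DROP nor the ACCEPT matched, which is the cheapest way to see who is probing port 22 once the default INPUT policy is DROP; the conntrack rule keeps the reply traffic of outbound connections working even though new inbound connections are refused.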
