4 Specifications
SuSE Live CD for Firewall
iptables
A typical iptables filter rule is very simple in theory. It normally consists of
four parts:
1. a basic operation with which the rule is inserted. This is typically run
with the command /sbin/iptables -A.
2. the identification of the packet
3. a description of the packet to treat
4. a description of what should happen to the packet once it is found
Inserting Rules
There is a range of options available for manipulating filter rules. The basic
commands are:
adding new rules to a chain: iptables -A
inserting a rule at a specific point in a chain: iptables -I
replacing a rule at a specific point in a chain: iptables -R
deleting a rule within a chain: iptables -D
In these commands, a “chain” must be specified in each case. These will
be explained in the next section. The syntax would then be, for example,
/sbin/iptables -A INPUT ...
Be very careful with all options except “-A”. It is very easy to get into
unexpected difficulties. If you want to delete all rules except the default
policy, use iptables -F.
The Course of a Packet
With iptables the user has three different filter tables available: filter, nat,
and mangle. Each of these tables describes different “chains.” A “chain”
is described by a list of filter rules. Each of these rules says: “if a packet
header matches my description, here are my instructions for this packet.” If
the packet header does not match, the next rule is queried. If all rules have
been queried and there are no matches, the “default policy” is applied.
The filter table contains three chains: INPUT, OUTPUT, and FORWARD. The
nat table likewise contains three chains:
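As an added illustration (not code from the SuSE manual or from netfilter), this Python model walks a packet down one chain exactly as described above: rules are tried in order, the first match decides, and the default policy applies when nothing matches. It also models the -A, -I, -D and -F operations from “Inserting Rules”, and demo() shows why a rule appended with -A can be ineffective where the same rule inserted with -I at position 1 is not; the Packet, Rule and Chain classes and all addresses are constructed for the example.

```python
# Toy model of one iptables chain as the manual describes it: rules are checked in order,
# the first match decides, otherwise the default policy applies. Constructed example only.
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str               # source address (exact match only in this model)
    dport: int = None      # destination port, None for icmp

@dataclass
class Rule:
    target: str            # verdict, like -j ACCEPT / -j DROP
    proto: str = None      # like -p
    src: str = None        # like -s
    dport: int = None      # like --dport
    def matches(self, pkt):
        # Criteria left as None are wildcards; every criterion that is given must match.
        wanted = ((self.proto, pkt.proto), (self.src, pkt.src), (self.dport, pkt.dport))
        return all(want is None or want == have for want, have in wanted)

@dataclass
class Chain:
    policy: str            # default policy, like iptables -P INPUT DROP
    rules: list = field(default_factory=list)
    def append(self, rule):            # iptables -A
        self.rules.append(rule)
    def insert(self, rulenum, rule):   # iptables -I; rule numbers start at 1
        self.rules.insert(rulenum - 1, rule)
    def delete(self, rulenum):         # iptables -D <chain> <rulenum>
        del self.rules[rulenum - 1]
    def flush(self):                   # iptables -F: the rules go, the policy stays
        self.rules.clear()
    def verdict(self, pkt):
        for rule in self.rules:        # first matching rule wins
            if rule.matches(pkt):
                return rule.target
        return self.policy             # nothing matched: default policy

def demo():
    # Appended behind the ACCEPT rule, a host block never sees that host's port-22
    # packets; inserted at position 1 it is checked first. Addresses are constructed.
    ssh, ping = Packet("tcp", "10.0.0.5", 22), Packet("icmp", "10.0.0.5")
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", proto="tcp", dport=22))
    chain.append(Rule("DROP", src="10.0.0.5"))          # -A
    after_append = (chain.verdict(ssh), chain.verdict(ping))
    chain.delete(2)
    chain.insert(1, Rule("DROP", src="10.0.0.5"))       # -I 1
    after_insert = (chain.verdict(ssh), chain.verdict(ping))
    chain.flush()
    return after_append, after_insert, chain.verdict(ssh)
```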
SuSE Linux – Firewall on CD2