Version 1.0 -- 2006-01-02 by Shashin T. Thakur
This tutorial is a concise document for people who are new to iptables. It is an edited version of the original from www.netfilter.org. This is a small reference document which I have created for my own purposes and which I would like to share with all members of the open-source community. Your suggestions and feedback are very important to improve it.
 
Hope this is helpful for you.

 
IPTABLES

A packet filter is a piece of software which looks at the header of packets as they pass through and decides the fate of the entire packet. It might decide to DROP the packet (i.e., discard the packet as if it had never been received), ACCEPT the packet (i.e., let the packet go through), or do something more complicated. In Linux this is done in the kernel.
It is done for three purposes: monitoring, security, and control.
  
 
 

In iptables there are 3 main types of traversal.
For example, A, B and C are three systems, where B is the system running iptables:

1.  A<-->B<-->C   Forwarded packet from A to C via B.
2.  B--->C        Locally generated packet sent from B to C.
3.  A--->B        Local packet received at B from A.


There are three main tables in iptables.
1. Mangle (alter packets)
2. Filter
3. NAT
1. Mangle has the following built-in chains (called sub-tables below).
    1. PREROUTING: altering packets before the routing decision.
    2. OUTPUT: altering locally generated packets before the routing decision.
         Note: MANGLE is never used for NAT or masquerading.

2. Filter has the following built-in chains.
    1. FORWARD: for packets that are neither from nor to the firewall itself.
    2. INPUT: for packets destined to the firewall itself.
    3. OUTPUT: for locally generated packets.
3. NAT has the following built-in chains.
    1. PREROUTING: altering packets as they come into the firewall.
    2. POSTROUTING: altering packets as they leave the firewall.
    3. OUTPUT: altering locally generated packets.

Packet meant for a different destination (forwarded packet):

1. On the wire
2. Comes in on the interface
3. MANGLE PREROUTING: changing TOS
4. NAT PREROUTING: DNAT
5. Routing decision
6. FILTER FORWARD: all forwarded packets are filtered here.
7. NAT POSTROUTING: SNAT
8. Goes out on the interface
9. Out on the wire


Packet meant for this system (incoming packets):

1. On the wire
2. Comes in on the interface
3. MANGLE PREROUTING: changing TOS
4. NAT PREROUTING: DNAT
5. Routing decision
6. FILTER INPUT: filtering of all incoming traffic.
7. Local process or server

Packet meant for another system (outgoing packets):

1. Local process or server
2. MANGLE OUTPUT: TOS
3. NAT OUTPUT
4. FILTER OUTPUT: where the outgoing traffic of the local host is filtered.
5. Routing decision
6. NAT POSTROUTING: SNAT (filtering here is not recommended)
7. Interface
8. Internet


Usage of the Three Tables
  1. Mangle
  2. NAT table
  3. Filter
CONNECTION STATE:
There are 4 states of connection. The fields of a connection tracking entry are read as follows:
tcp: protocol name; 6: protocol number in normal decimal encoding; 117: lifetime of the entry in seconds, which counts down.
SYN_SENT: only a TCP SYN packet has been sent so far. The rest of the entry is the source and destination IP addresses and ports.
On 128 MB RAM, 8192 connections can be maintained.
See also: IPsysctl.

------------------------------------------------------------------------------------------------------------
Syntax of iptables commands

-t : table name
-j : target (the action taken on a match)

---------------------------------------------------------------------------------------------------------------------
Commands to add, delete and replace rules.
1. -A  Append: iptables -A INPUT ... (appends the rule at the end of the chain)

   eg. /sbin/iptables -A PREROUTING -s 0/0 -d 0/0 -j ACCEPT -t mangle
       Accepts packets from any source to any destination in the mangle PREROUTING chain

2. -D Delete:
   eg.   /sbin/iptables -D PREROUTING -s 10.10.10.0/255.255.255.0 -d 0/0 -j ACCEPT -t mangle
         Deletes the rule created above from the mangle PREROUTING chain.
3. -R Replace:
   eg.    iptables -R PREROUTING 1 -s 10.10.10.3/255.255.255.255 -d 0/0 -t mangle
          Replaces rule number 1 created above with one matching source 10.10.10.3/255.255.255.255


4. -I Insert:
   eg:  1. iptables -I PREROUTING 4 -s 10.10.10.13/255.255.255.255 -d 0/0 -t mangle
           Inserted at the given rule number.
        2. iptables -I PREROUTING -s 10.10.10.16/255.255.255.255 -d 0/0 -t mangle
           (inserted above all other rules in the chain, i.e. as rule 1)
           If the rule number given is larger than the number of rules currently in the chain, this message appears: iptables: Index of insertion too big.
 
5. -L List:   eg. 1) iptables -L -t mangle   (lists all chains of the mangle table)
                  2) iptables -L PREROUTING -t mangle (lists only the PREROUTING chain).
6. -F Flush:  eg. iptables -F -t mangle (flushes all chains of the mangle table)
7. -Z Zero:   eg. iptables -L PREROUTING -t mangle -Z (lists the chain and resets its packet counters to zero)
8. -N New chain:
         1. iptables -N shashin -t mangle (creates the chain shashin)
         2. iptables -I PREROUTING -s 10.10.10.2/255.255.255.255 -d 0/0 -j shashin -t mangle (links PREROUTING to the chain shashin)
         3. iptables -I shashin -s 10.10.10.0/255.255.255.0 -d 192.168.1.254/255.255.255.255 -j ACCEPT -t mangle
             (creates a rule in the chain shashin)

9. -X Delete chain:
          1. iptables -X shashin1 -t mangle (deletes the chain shashin1; a chain must be empty, and no longer referenced by any jump, before it can be deleted)

10. -E Rename chain: iptables -E shashin shashin2 -t mangle
                      The corresponding target is renamed automatically wherever it is referenced in other chains.

---------------------------------------------------------------------------------------------------------------------
List options:
1. -n : numeric (no DNS or port-name lookups)
2. -v : verbose
3. -x : exact (full counter values instead of rounded K/M/G values)
4. --line-numbers : shows the rule numbers.
eg.
bash# iptables -L PREROUTING -t mangle -nvx --line-numbers
Chain PREROUTING (policy ACCEPT 2179 packets, 172919 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        1603    75092 shashin2   all  --  *      *       10.10.10.2           0.0.0.0/0
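The chain lifecycle from the -N, -I, -X and -L sections above, as an added example that is not from the original tutorial: it creates and links a user-defined chain, counts its rules from a --line-numbers listing, and removes it in the order -X requires. The chain name, addresses and the IPT/TABLE variables are sample values chosen here.

```shell
#!/bin/sh
# Added example, not from the original tutorial: create, link, populate and
# cleanly remove a user-defined chain in the mangle table, in the order the
# -N / -I / -X notes above require. IPT defaults to iptables (needs root);
# set IPT=echo to print the commands instead of applying them. The chain
# name, source and destination addresses below are just sample values.
set -eu
IPT=${IPT:-iptables}
TABLE=mangle

# Create chain $1 and jump to it from PREROUTING for packets from source $2.
setup_chain() {
    chain=$1; src=$2
    $IPT -t $TABLE -N "$chain"
    # The jump is inserted at the top of PREROUTING; -I without a number means position 1.
    $IPT -t $TABLE -I PREROUTING -s "$src" -j "$chain"
    # Rules inside the new chain: the chain's own name is the chain argument.
    $IPT -t $TABLE -A "$chain" -s "$src" -d 192.168.1.254 -j ACCEPT
    $IPT -t $TABLE -A "$chain" -j RETURN   # anything else goes back to PREROUTING
}

# Remove the chain: delete the jump (-D takes the same spec as the -I), flush the
# chain, then -X it. -X fails while the chain still has rules or is still referenced.
teardown_chain() {
    chain=$1; src=$2
    $IPT -t $TABLE -D PREROUTING -s "$src" -j "$chain"
    $IPT -t $TABLE -F "$chain"
    $IPT -t $TABLE -X "$chain"
}

# Count rule lines in a numbered listing (iptables -L ... -nvx --line-numbers)
# read on stdin; the "Chain ..." line and the column-header line are skipped.
count_listed_rules() {
    awk 'NR > 2 && $1 ~ /^[0-9]+$/ { n++ } END { print n + 0 }'
}

# Number of rules currently in chain $1.
rule_count() {
    $IPT -t $TABLE -L "$1" -nvx --line-numbers | count_listed_rules
}

if [ "${1:-}" = "demo" ]; then
    setup_chain shashin 10.10.10.2
    echo "rules in shashin: $(rule_count shashin)"
    teardown_chain shashin 10.10.10.2
fi
```

Run it as root with the argument demo to apply and remove the chain, or with IPT=echo to see the exact commands first.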
---------------------------------------------------------------------------------------------------------------------
Insert/append/delete option

1. -c, --set-counters : sets the initial packet and byte counters of the rule, here to 20 packets and 400 bytes
iptables -I PREROUTING -s 10.10.10.0/255.255.255.0 -d 192.168.1.254/255.255.255.255 --set-counters 20 400 -j ACCEPT -t mangle
bash# iptables -L PREROUTING -t mangle -nvx
Chain PREROUTING (policy ACCEPT 288 packets, 34205 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      20      400 ACCEPT     all  --  *      *       10.10.10.0/24        192.168.1.254
 
Generic matches
1. -p: protocol
            eg:  iptables -A PREROUTING -p icmp -j DROP -t mangle   (drops all ICMP)
2. -s: source
            eg:  iptables -I PREROUTING -p icmp -s 10.10.10.3/255.255.255.255 -d 0/0 -j DROP -t mangle
                    (drops ICMP packets from source 10.10.10.3)

3. -d: destination
            eg:  /sbin/iptables -I PREROUTING -p icmp -s 0/0 -d 192.168.1.254/255.255.255.255 -j DROP -t mangle
                     (drops ICMP packets to destination 192.168.1.254)
4. -i: in-interface
            eg:  /sbin/iptables -A PREROUTING -p icmp -i eth0 -j DROP -t mangle
                 (drops all ICMP packets arriving on eth0)

5. -o: out-interface
            eg:  /sbin/iptables -I POSTROUTING -p icmp -o eth1 -j DROP -t nat
                 (drops all ICMP packets going out through eth1)
6. -f: fragment
            eg:
                /sbin/iptables -I POSTROUTING -p icmp -o eth1 -f -j DROP -t nat
                 (drops the second and further fragments of fragmented ICMP packets; -f does not match the first fragment)

Implicit matches with a protocol

1. TCP
   (1) --sport: source port
       eg:    /sbin/iptables -I POSTROUTING -p tcp -d 192.168.1.254 --sport 23 -j DROP -t nat

   (2) --dport: destination port
        eg:   /sbin/iptables -I POSTROUTING -p tcp -s 10.10.10.2 -d 192.168.1.254 --dport 23 -j DROP -t nat
                    (drops all outgoing traffic with destination IP 192.168.1.254 and destination port 23)
   (3) --tcp-flags: takes two lists, the flags to examine (mask) and the flags that must be set (comp), from SYN, ACK, FIN, RST, URG, PSH, ALL, NONE
        eg:  iptables -I POSTROUTING -p tcp -s 10.10.10.2 -d 192.168.1.254 --dport 23 --tcp-flags SYN,ACK SYN -j DROP -t nat
             (examines the SYN and ACK flags and drops the packet to 192.168.1.254 when SYN is set and ACK is clear, i.e. a new connection attempt)

2. UDP
  (1) --sport: source port
  (2) --dport: destination port
3. ICMP
   (1) --icmp-type: ICMP type

Other matches

(1) --mac-source: source MAC address
(2) --limit: rate limit
(3) --limit-burst: maximum initial burst
(4) Multiport match (-m multiport)
    (1) --source-ports 80,90,100
    (2) --destination-ports 80,90,100
    (3) --ports 22,23,25
(5) --mark: packet mark
(6) --uid-owner: user id
(7) --gid-owner: group id
(8) --pid-owner: process id
(9) --sid-owner: session id
State and other matches
(1) --state: the connection state the packet must be in to match
(2) --tos: type of service match
(3) --ttl: TTL value to match

TARGETS/JUMPS
1) -j ACCEPT : the packet is accepted and allowed to continue its traversal.
2) -j DROP   : the packet is refused further processing and dropped silently.
3) -j QUEUE  : the packet is queued to a userspace program.
4) -j RETURN : if the packet is traversing a user-defined chain, it returns to the calling chain.
5) -j LOG    : logs the packet via the kernel log (visible in dmesg); options: --log-level, --log-prefix, --log-tcp-sequence, --log-tcp-options, --log-ip-options
6) -j REJECT : drops the packet and sends back an error (the method is chosen with --reject-with)
7) MIRROR target
8) SNAT target: for source NAT.
9) DNAT target: for destination NAT.
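The connection-state, limit and LOG/DROP pieces above put together into one policy, as an added example that is not from the original tutorial. It assumes (nothing on the page says so) that eth0 is the untrusted interface and that only TCP ports 22 and 80 should accept new connections; IPT, WAN_IF and OPEN_TCP_PORTS are variables introduced here.

```shell
#!/bin/sh
# Added example, not from the original tutorial: a minimal stateful policy for
# the filter table that combines the state match, the limit/limit-burst match
# and the LOG and DROP targets listed above. Assumptions (not from the page):
# eth0 faces the untrusted network and only TCP ports 22 and 80 should accept
# new connections. IPT defaults to iptables (needs root); set IPT=echo to print
# the rules instead of applying them.
set -eu
IPT=${IPT:-iptables}
WAN_IF=${WAN_IF:-eth0}
OPEN_TCP_PORTS=${OPEN_TCP_PORTS:-"22 80"}

apply_policy() {
    # Filtering belongs in the filter table (the default when -t is omitted),
    # not in mangle or nat as in several of the tutorial's DROP examples.
    $IPT -F
    $IPT -P INPUT DROP        # default deny for everything not matched below
    $IPT -P FORWARD DROP      # this host does not route for others
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT

    # Connection tracking: replies to connections already tracked are let in,
    # packets that belong to no tracked connection (INVALID) are dropped.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Only the listed services may receive NEW connections from the WAN side.
    for port in $OPEN_TCP_PORTS; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Everything else is logged at a bounded rate, so a flood cannot fill the
    # log, and then dropped. The prefix makes the entries easy to grep in dmesg.
    $IPT -A INPUT -m limit --limit 5/min --limit-burst 10 \
         -j LOG --log-prefix "IPT-INPUT-DROP: " --log-level 4
    $IPT -A INPUT -j DROP
}

# Dry run: print the rules apply_policy would install, without touching the kernel.
dry_run() {
    ( IPT=echo; apply_policy )
}

# Number of -A rules the policy installs (7 with the defaults above).
policy_rule_count() {
    dry_run | grep -c -e '^-A '
}
```

Call dry_run first when working over a remote session, since the default-deny policy takes effect before the ESTABLISHED rule is added.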