# Linux iptables preview (try making a nat)

For example, `iptables -t nat`. The `-t` (`--table`) option, as described in the iptables manpage, selects one of these tables:

- filter: This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
- nat: This table is consulted when a packet that creates a new connection is encountered. It consists of four built-ins: PREROUTING (for altering packets as soon as they come in), INPUT (for altering packets destined for local sockets), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.
- mangle: This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
- raw: This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) and OUTPUT (for packets generated by local processes).
- security: This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux Security Modules such as SELinux.
The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box).

# What kind of tables are in iptables

According to the [archlinux wiki](https://wiki.archlinux.org/title/Iptables), iptables contains five tables:

- raw is used only for configuring packets so that they are exempt from connection tracking.
- filter is the default table, and is where all the actions typically associated with a firewall take place.
- nat is used for network address translation (e.g. port forwarding).
- mangle is used for specialized packet alterations.
- security is used for Mandatory Access Control networking rules (e.g. SELinux; [see this article](https://lwn.net/Articles/267140/) for more details).

In most common use cases, you will only use two of these: filter and nat. The other tables are aimed at complex configurations involving multiple routers and routing decisions and are in any case beyond the scope of these introductory remarks.

# Tables & chain details

All chain information can be listed, one table at a time, with:

```sh
sudo iptables -t filter -L
sudo iptables -t nat -L
sudo iptables -t mangle -L
sudo iptables -t raw -L
sudo iptables -t security -L
```

Add `-n` to skip reverse DNS lookups (otherwise `0.0.0.0/0` is printed as `anywhere` and listing can be slow), and `-v` to also show the `-i`/`-o` interface matches and packet counters, which `-L` alone hides.

This is the list of built-in chains for each table:

## table `raw`
- PREROUTING
- OUTPUT

## table `nat`
- PREROUTING
- INPUT
- OUTPUT
- POSTROUTING

## table `mangle`
- PREROUTING
- INPUT
- FORWARD
- OUTPUT
- POSTROUTING

## table `filter`
- INPUT
- FORWARD
- OUTPUT

## table `security`
- INPUT
- FORWARD
- OUTPUT

We will focus on the `nat` section.
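The following script is an added example, not part of the original notes: a NAT gateway built from the `nat` and `filter` tables above (MASQUERADE in POSTROUTING, a DNAT port forward in PREROUTING, and conntrack-state rules in a user-defined chain that FORWARD jumps to). The interface names (`eth0` WAN, `eth1` LAN), the `192.168.1.0/24` network, the forwarded port `8080` and the internal host `192.168.1.10:80` are all assumed for illustration. Every rule is added through a `-C` check first, so re-running the script does not stack duplicate rules.

```shell
#!/bin/sh
# Added example (not from the original notes): an idempotent NAT gateway script.
# Assumed layout, all hypothetical: eth0 is the WAN (upstream) interface, eth1 the
# LAN interface with 192.168.1.0/24 behind it, and TCP port 8080 on the WAN side
# is forwarded to the internal host 192.168.1.10:80.
# IPT and SYSCTL can be overridden, e.g. IPT="sudo iptables" or IPT=iptables-legacy.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# ensure_rule TABLE CHAIN RULE...: "-C" exits 0 when an identical rule is already
# in the chain, so the rule is appended at most once however often this runs.
# Unconditional "-A" on every boot is what stacks up identical MASQUERADE rules
# in "iptables -t nat -L POSTROUTING".
ensure_rule() {
    table=$1
    chain=$2
    shift 2
    $IPT -t "$table" -C "$chain" "$@" 2>/dev/null && return 0
    $IPT -t "$table" -A "$chain" "$@"
}

# ensure_chain TABLE CHAIN: create a user-defined chain unless it already exists
# ("-N" fails on an existing chain, "-L" fails on a missing one).
ensure_chain() {
    $IPT -t "$1" -n -L "$2" >/dev/null 2>&1 || $IPT -t "$1" -N "$2"
}

# setup_nat_gateway WAN_IF LAN_IF LAN_NET FWD_PORT FWD_HOST:FWD_INTERNAL_PORT
setup_nat_gateway() {
    wan=$1; lan=$2; lan_net=$3; fwd_port=$4; fwd_to=$5
    fwd_host=${fwd_to%:*}
    fwd_dport=${fwd_to##*:}

    # Without routing enabled, packets never reach FORWARD and NAT rules do nothing.
    $SYSCTL -w net.ipv4.ip_forward=1 >/dev/null

    # nat/POSTROUTING: rewrite the source address of LAN traffic leaving via WAN.
    # Restricting to -s/-o avoids masquerading traffic you never meant to NAT.
    ensure_rule nat POSTROUTING -s "$lan_net" -o "$wan" -j MASQUERADE

    # nat/PREROUTING: port forward. DNAT happens before the routing decision, so
    # the rewritten packet is then routed towards the LAN host.
    ensure_rule nat PREROUTING -i "$wan" -p tcp --dport "$fwd_port" \
        -j DNAT --to-destination "$fwd_to"

    # filter/FORWARD: NAT only rewrites addresses; the filter table still decides
    # whether forwarded packets pass. Keep those decisions in a user-defined chain
    # that FORWARD jumps to, and match on conntrack state so only LAN-initiated
    # connections (NEW) and their replies (ESTABLISHED,RELATED) get through.
    ensure_chain filter NAT_FWD
    ensure_rule filter FORWARD -j NAT_FWD
    ensure_rule filter NAT_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ensure_rule filter NAT_FWD -m conntrack --ctstate INVALID -j DROP
    ensure_rule filter NAT_FWD -i "$lan" -o "$wan" -s "$lan_net" \
        -m conntrack --ctstate NEW -j ACCEPT
    # The published service: after DNAT the packet already carries the internal
    # address and port, so that is what FORWARD sees.
    ensure_rule filter NAT_FWD -i "$wan" -o "$lan" -p tcp -d "$fwd_host" \
        --dport "$fwd_dport" -m conntrack --ctstate NEW -j ACCEPT

    # Everything else that would be forwarded is dropped. Set last so the ACCEPT
    # rules exist before the policy tightens.
    $IPT -t filter -P FORWARD DROP
}

# Touch the live ruleset only when asked explicitly ("sh nat-gateway.sh apply"),
# so sourcing the file for its functions changes nothing.
if [ "${1:-}" = apply ]; then
    setup_nat_gateway eth0 eth1 192.168.1.0/24 8080 192.168.1.10:80
fi
```

Run it as root with `sh nat-gateway.sh apply`; a second run adds nothing, which you can confirm with `iptables -t nat -L POSTROUTING -n -v --line-numbers`. The rules live only in the kernel, so persist them afterwards (see the "make changes permanent" section below).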
# connection states

In iptables, every packet is classified by connection tracking into one of 4 states:

- NEW
- ESTABLISHED
- RELATED
- INVALID

This connection tracking is done by a framework within the kernel called conntrack. Rules match on the state with `-m conntrack --ctstate ...` (the older `-m state --state ...` form is an alias).

# command lists

Some useful iptables commands:

- `iptables --list-rules` (short form `-S`): show all rules in `iptables-save` syntax, including the `-i`/`-o` interface matches that `-L` hides
- `iptables --table nat --list --line-numbers`: useful if you want to delete a specific rule, e.g. a duplicated rule
- `sudo iptables --table nat -D POSTROUTING 2`: delete rule number 2 from the nat POSTROUTING chain. Rule numbers shift after every deletion, so when removing several rules delete the highest number first, or delete by rule spec instead (`iptables -t nat -D POSTROUTING -j MASQUERADE` removes the first rule matching that spec)

## create your own chain

- `iptables -N chain_name` (long form `--new-chain`)
- `iptables -A chain_name -p icmp -j ACCEPT` (example; target names are case-sensitive, `-j accept` is rejected)

A user-defined chain only sees traffic once a built-in chain jumps to it, e.g. `iptables -A INPUT -j chain_name`.

## make changes permanent

`sudo iptables-save > /etc/iptables/rules.v4`

The redirection is performed by your unprivileged shell, not by sudo, so this fails unless `/etc/iptables` is writable by your user; use `sudo sh -c 'iptables-save > /etc/iptables/rules.v4'` or `iptables-save | sudo tee /etc/iptables/rules.v4` instead. `/etc/iptables/rules.v4` is the file the iptables-persistent package (Debian/Ubuntu) restores at boot; on other distributions check where the boot scripts expect it.

## tables explanation

```
> sudo iptables --table nat --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  anywhere             anywhere
MASQUERADE all  --  anywhere             anywhere
MASQUERADE all  --  anywhere             anywhere
MASQUERADE all  --  anywhere             anywhere
```

The four identical MASQUERADE rules are the typical result of a script running `-A` on every boot; only the first one ever matches, but the extra copies should be deleted.

- target: what to do with the packet
- prot: abbreviation of protocol (`all`, `tcp`, `udp`, `icmp`, ...)
- opt: abbreviation of options; it only reflects the fragment match (`-f` shows as `f`, `! -f` as `!f`) and is `--` for almost every rule
- source: `anywhere` (`0.0.0.0/0` when listing with `-n`) or an explicit host or network such as `192.168.1.0/24`
- destination: same as source, can be a network

## show rules from X table

For example:

- the `nat` table contains `PREROUTING`, `INPUT`, `OUTPUT`, `POSTROUTING`
- the `filter` table contains the main chains used by iptables for packet filtering: `INPUT`, `FORWARD`, `OUTPUT`

More detail on each table:

| Table | Purpose | Chains it uses |
| ---------- | ------------------------------------ | ------------------------------------- |
| `filter` | Default, handles packet filtering | `INPUT`, `OUTPUT`, `FORWARD` |
| `nat` | Network Address Translation | `PREROUTING`, `INPUT`, `OUTPUT`, `POSTROUTING` |
| `mangle` | Packet modification (TTL, TOS, etc.) | All five chains |
| `raw` | Pre-connection tracking processing | `PREROUTING`, `OUTPUT` |
| `security` | SELinux/LSM-based packet filtering | `INPUT`, `OUTPUT`, `FORWARD` |
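As an added example (not from the original notes) for the duplicate-rule cleanup discussed in the command list and in the nat listing above: a small filter that reads `iptables -t TABLE -S` (`--list-rules`) output and prints one `-D` command per surplus copy of a rule. `-S` is used instead of `-L --line-numbers` because it prints the full rule spec (including `-i`/`-o`, which `-L` hides without `-v`) and because deleting by spec avoids the renumbering that happens after each `-D N`. The sample ruleset embedded below is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original notes): find rules that are present more
# than once in a chain and print the iptables -D commands that remove the
# surplus copies. Input is the output of "iptables -t TABLE -S" (--list-rules),
# which prints the complete rule spec; "iptables -L" hides interface matches
# (-i/-o) unless -v is given, so two rules can look identical there and not be.

# dedupe_commands TABLE: read "iptables -S" output on stdin; for the second and
# every later copy of an identical "-A CHAIN spec" line print
# "iptables -t TABLE -D CHAIN spec". -D with a spec removes the first matching
# rule, so running N-1 of these leaves exactly one copy and there is no
# line-number renumbering to worry about.
dedupe_commands() {
    table=$1
    awk -v table="$table" '
        /^-A / {
            line = $0
            sub(/ -c [0-9]+ [0-9]+/, "", line)   # drop counters from "-S -v" output
            if (++count[line] > 1) {
                spec = line
                sub(/^-A /, "", spec)
                print "iptables -t " table " -D " spec
            }
        }'
}

# Constructed sample (not captured from a real host): the same MASQUERADE rule
# appended three times, which is what "iptables -t nat -L POSTROUTING" shows
# after a script has run "-A" on every boot. Live use, as root:
#   iptables -t nat -S | dedupe_commands nat          # review the commands
#   iptables -t nat -S | dedupe_commands nat | sh     # apply them
SAMPLE_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.5
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE'

printf '%s\n' "$SAMPLE_RULES" | dedupe_commands nat
```

For the sample the script prints `iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE` twice and nothing for the SNAT rule or the `10.0.0.0/8` MASQUERADE, which differ in their spec. Counters from `-S -v` are stripped before comparison so that otherwise identical rules with different hit counts are still recognised as duplicates.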