IPCHAINS 101

IPCHAINS 101

The ipchains program was written by Paul Russell and it is included in most Linux distributions. There is an IPCHAINS-HowTo available at this site, and the online documentation is extensive. This section provides a general overview of the syntax and semantics of ipchains.

The ipchains program is very powerful, and surprisingly simple once you get the basics down. The general format is:

ipchains <command> <chain> [<options>]

The complete syntax for ipchains is a little more complex, but this is sufficient for our needs. The online help enumerates the complete syntax including a useful command like:

ipchains -L

that lists the currently loaded ipchains configuration.

Linux keeps a set of tables for ipchains that it uses when routing packets to non-local destinations as well as routing incoming packets destined for other computers. The ipchains program changes these tables. Typically this is done when the system boots or as part of a script associated with a particular network adapter, such as a modem adapter discussed in the next article.

The three commands that we look at are -F, -P, and -A. The -F command flushes a chain so it starts fresh. The -P command sets up the default handling, while the -A command adds conditions or rules to a chain.

As yet we have not defined what a chain is. With ipchains, three chains are predefined: input, output, and forward. The following two commands are normally used to set up a chain:

ipchains -F input
ipchains -P input REJECT

This causes any rules for the input chain to be discarded and sets up the default condition so incoming packets are rejected. It is easier to discuss how chains work using an example, so we'll assume that the following command is next:

ipchains -A input -i eth0 -s 10.1.0.0/16 -d 0.0.0.0/0 -j ACCEPT

This is used to accept packets that meet the criteria specified in this command. In particular, the -i option is followed by the interface name, eth0. The -s and -d options are followed by source and destination values. If a packet is received on eth0 and it is from the specified source and going to the specified destination then it will be accepted by the router.

The source and destination values are IP address and mask bit pairs. In this case, the source will match any IP address of the form 10.1.x.x. The destination matches anything. Therefore, the rule accepts any packet with an address like 10.1.54.103 going anywhere. If a source or destination criteria is not specified then 0.0.0.0/0 is used.

The output chain controls what packets can be sent. A packet may be accepted by the input chain but rejected by the output chain. Likewise, the forward chain controls what packets will be routed.

In general, the input chain controls incoming packet filtering. The packet is either destined for the router or for another computer. In the latter case, the packet is processed by the forward chain. Packets that make it through this chain will then be processed by the output chain.

Additional -A, or add, commands can be used with the same chain name. The rules can also be used to reject packets as well. For example:

ipchains -A input -i eth0 -s 10.2.0.0/16 -d 0.0.0.0/0 -j REJECT

will reject packets with a source address like 10.2.x.x to any destination. This is actually redundant for the current set of rules since anything that does not match the first example rule for 10.1.x.x will be rejected. Including a rule like:

ipchains -A input -i eth0 -s 10.2.0.0/16 -d 10.1.0.0/16 -j ACCEPT

will accept a packet if it is from a source address like 10.2.x.x and destined for an IP address of the form 10.1.x.x. Note that rules are order dependent in a first-come-first-used basis so this rule should be added before the rule that rejects a more general condition.

We have used the -j option in a simplistic fashion to designate whether a packet will be accepted or rejected. This option is actually called a jump and can be used to link to user-defined chains, as well as using ACCEPT and REJECT. User-defined chains are manipulated in the same fashion as the standard chains. Only the names have been changed. User-defined chains are typically used to manage more complicated routing configurations. The bottom line is that the rules are followed until the packet is ACCEPTed or REJECTed.

Other argument values for the -j option when used with the forward chain. These include DENY and MASQ. DENY is similar to REJECT in that it terminates checking of the chain. MASQ indicates that a packet should be masqueraded using the built-in NAT support. In this case, the accepted packet will be modified so its IP address and port address are changed as described with NAT earlier. The reverse translation for response packets is done automatically. Selective use of MASQ allows a Linux router to forward some packets NAT-fashion and others with no translation. This is handy for small companies that have been assigned more than one IP address and use them for PCs on the local network.

For simple router support when an ISP provides a single IP address, MASQ is typically used. User-defined chains are usually unnecessary.

The ipchains program can also delete a rule using the -D command. A rule must match exactly with a command's argument to be deleted.

The ipchains commands are normally included in a script that runs when Linux boots or when a particular network adapter is started. The following section addresses masquerading of special protocols.

One last item for ipchains is to enable forwarding using the following command:

echo "1" > /proc/sys/net/ipv4/ip_forward

This creates a single byte file containing the number "1". Note: Linux distributions based on Red Hat Linux can normally specify this feature by adding the following to /etc/sysconfig/network:

FORWARD_IPV4=true