5.3 IP-Tables

Iptables rules for a small network

Now we want to discuss a small network scenario. Suppose our intranet has the subnet IP number 172.16.1.0 with subnet mask 255.255.255.0, which is equal to 24 ones from the left side. The users in the subnet are allowed to access WWW servers on the Internet with their WWW browsers, but no other traffic is allowed. Remember,WWWservers listen usually on port 80 of the TCP protocol for connection requests. A screening router with Linux operating system (kernel 2.4) and installed iptables is physically between the Internet and the local intranet.

The screening router has two network interfaces, one is connected with the Internet and the other with the intranet.

The netfilter kernel module has to be configured to fulfill the above policy for the intranet.

At first the kernel module that provides support for netfilter has to be loaded in the kernel:

Now the commands to build the chains for the filter table, that fulfill the above policy:

$ modprobe ip tables
$ iptables -F OUTPUT
$ iptables -P OUTPUT DROP
$ iptables -F INPUT
$ iptables -P INPUT DROP
$ iptables -F FORWARD
$ iptables -P FORWRAD DROP
$ iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d 172.16.1.0/24 --syn -j DROP
$ iptables -A FORWARD -m tcp -p tcp -s 172.16.1.0/24 -d 0/0 --dport 80 -j ACCEPT
$ iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d 172.16.1.0/24 -j ACCEPT

The table filter has not to be specified, because filter is the default table. With the first six commands all three chains in the filter table are cleaned and the default policy of the chains is set to DROP.