Engineering LibreTexts

12-D.13: Access Control Lists / iptables

Page ID: 43067

ACL

An access-control list (ACL) is a set of rules defined for controlling network traffic and reducing exposure to network attacks. ACLs filter traffic entering or leaving a network interface according to those rules.

ACL features

1. The rules are evaluated in order: matching starts with the first line, then the second, then the third, and so on.
2. A packet is compared against the rules only until one matches. Once a rule matches, no further comparison takes place and that rule's action is performed.
3. There is an implicit deny at the end of every ACL: if no rule matches, the packet is discarded.

Once the access-list is built, it must be applied to an interface in the inbound or outbound direction:

• Inbound access lists – When an access list is applied to the inbound packets of an interface, the packets are first processed according to the access list and then routed to the outbound interface.
• Outbound access lists – When an access list is applied to the outbound packets of an interface, the packet is first routed and then processed by the access list at the outbound interface.

Types of ACL

There are two main types of access-list:

1. Standard access-list – These access-lists match on the source IP address only. They permit or deny the entire protocol suite and do not distinguish between kinds of IP traffic such as TCP, UDP or HTTPS. By using the numbers 1-99 or 1300-1999, a router understands the list as a standard ACL and treats the specified address as a source IP address.
2. Extended access-list – These ACLs use both the source and the destination IP address. In this type of ACL we can also specify which kind of IP traffic should be allowed or denied. These use the ranges 100-199 and 2000-2699.

There are also two categories of access-list:

1. Numbered access-list – Individual rules cannot be deleted from these access-lists once created, i.e., removing a single rule from a numbered access-list is not permitted. If we try to delete a rule, the whole access-list is deleted. Numbered access-lists can be used with both standard and extended access-lists.
2. Named access-list – In this type of access-list, a name is assigned to identify the access-list. Unlike numbered access-lists, a named access-list allows individual rules to be deleted. Like numbered access-lists, these can be used with both standard and extended access-lists.

Rules for ACL

1. A standard access-list is generally applied close to the destination (but not always).
2. An extended access-list is generally applied close to the source (but not always).
3. Only one ACL can be assigned per interface, per protocol, per direction, i.e., only one inbound and one outbound ACL is permitted per interface.
4. A rule cannot be removed from a numbered access-list; attempting to remove one removes the whole ACL. With a named access-list a specific rule can be deleted.
5. Every new rule added to an access-list is placed at the bottom of the list, so analyze the whole scenario carefully before implementing the access-lists.
6. As there is an implicit deny at the end of every access-list, the list should contain at least one permit statement, otherwise all traffic will be denied.
7. Standard access-lists and extended access-lists cannot have the same name.
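The features and rules above (first match wins, implicit deny, new rules appended at the bottom) can be checked mechanically. The following POSIX-shell model is an added example, not part of the original page and not a vendor CLI: it evaluates a source address against a standard access-list written as one "<permit|deny> <CIDR prefix|any>" rule per line, and it reports rules that can never match because an earlier, broader rule already covers them. The rule syntax and ACL_EXAMPLE are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: a small POSIX-shell model of how a
# standard access-list is evaluated. It shows first-match processing, the
# implicit deny at the end of the list, and the trap of appending a rule at the
# bottom where an earlier, broader rule already shadows it. The rule syntax
# ("<permit|deny> <CIDR prefix|any>", one rule per line) and ACL_EXAMPLE are
# constructed for this example; they are not a vendor CLI.

# Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
ip_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Does address $1 fall inside prefix $2? "any" matches every address.
in_prefix() {
    [ "$2" = any ] && return 0
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Does prefix $1 contain every address of prefix $2?
covers() {
    [ "$1" = any ] && return 0
    [ "$2" = any ] && return 1
    [ "${1#*/}" -le "${2#*/}" ] && in_prefix "${2%/*}" "$1"
}

# Evaluate source address $1 against ACL $2: the first matching rule decides,
# and a packet that matches nothing hits the implicit deny.
acl_eval() {
    result=$(printf '%s\n' "$2" | while read -r action prefix; do
        [ -z "$action" ] && continue
        if in_prefix "$1" "$prefix"; then
            echo "$action"
            break
        fi
    done)
    echo "${result:-deny (implicit)}"
}

# Report every rule that can never match because an earlier rule already
# covers its whole prefix (rule 5 above: new rules land at the bottom).
acl_shadowed() {
    n=0
    printf '%s\n' "$1" | while read -r action prefix; do
        [ -z "$action" ] && continue
        n=$((n + 1))
        i=0
        printf '%s\n' "$1" | while read -r a2 p2; do
            [ -z "$a2" ] && continue
            i=$((i + 1))
            [ "$i" -ge "$n" ] && break
            if covers "$p2" "$prefix"; then
                echo "rule $n ($action $prefix) is shadowed by rule $i ($a2 $p2)"
                break
            fi
        done
    done
}

# Constructed ACL: rule 4 was appended later to re-admit one subnet, but
# rule 3 already denies all of 10.0.0.0/8, so rule 4 never matches.
ACL_EXAMPLE='deny 10.1.1.5/32
permit 10.1.1.0/24
deny 10.0.0.0/8
permit 10.0.7.0/24'

for src in 10.1.1.5 10.1.1.9 10.0.7.3 192.168.1.1; do
    echo "$src -> $(acl_eval "$src" "$ACL_EXAMPLE")"
done
acl_shadowed "$ACL_EXAMPLE"
```

Running the script shows 10.0.7.3 being denied by rule 3 even though rule 4 would permit it, and 192.168.1.1 falling through to the implicit deny; the shadow report is the check to run before appending a rule to a list that is already in service.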

Advantages of ACL

• Improves network performance.
• Provides security, as the administrator can configure the access-list according to need and stop unwanted packets from entering the network.
• Provides control over the traffic, as it can permit or deny according to the needs of the network.

iptables

iptables is used to inspect, modify, forward, redirect, and/or drop IP packets. The code for filtering IP packets is built into the kernel and is organized into a collection of tables, each with a specific purpose. The tables are made up of a set of predefined chains, and the chains contain rules which are traversed in order. Each rule consists of a predicate of potential matches and a corresponding action (called a target) which is executed if the predicate is true, i.e., the conditions are matched. If the IP packet reaches the end of a built-in chain, including an empty chain, then the chain's policy target determines the final destination of the IP packet. iptables is the user utility which allows you to work with these chains and rules. Most new users find the complexities of Linux IP routing quite daunting, but, in practice, the most common use cases (NAT and/or a basic Internet firewall) are considerably less complex.

Tables

iptables contains five tables:

• raw – used only for configuring packets so that they are exempt from connection tracking.
• filter – the default table, and where all the actions typically associated with a firewall take place.
• nat – used for network address translation (e.g., port forwarding).
• mangle – used for specialized packet alterations.
• security – used for Mandatory Access Control networking rules (e.g., SELinux).

In the most common use cases you will only use two of these: filter and nat. The other tables are aimed at complex configurations involving multiple routers and routing decisions and are in any case beyond the scope of these introductory remarks.

Chains

Tables consist of chains, which are lists of rules that are followed in order. The default table, filter, contains three built-in chains: INPUT, OUTPUT and FORWARD, which are activated at different points of the packet filtering process.

See iptables(8) for a description of the built-in chains in the other tables.

By default, none of the chains contain any rules. It is up to you to append rules to the chains that you want to use. Chains do have a default policy, which is generally set to ACCEPT, but can be reset to DROP if you want to be sure that nothing slips through your ruleset. The default policy applies only at the end of a chain, so a packet has to pass through all existing rules in the chain before the default policy is applied.

User-defined chains can be added to make rulesets more efficient or more easily modifiable.
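The tables, built-in chains, default policies and rule order described above are easiest to see together in iptables-restore(8) format. The script below is an added example and not code from the original page: it generates a filter-table ruleset with a DROP policy on INPUT and FORWARD, one user-defined chain, and a dry-run wrapper that only loads the rules when explicitly asked. The chain name SERVICES, the port list and the APPLY_RULESET variable are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original page: build a minimal filter-table
# ruleset in iptables-restore(8) format so that the table, its built-in
# chains, their default policies and the rule order are visible in one place.
# The chain name SERVICES, the default port list and the APPLY_RULESET
# variable are assumptions chosen for this example.

# Print the ruleset. $1: comma-separated TCP ports to accept (default 22).
# Rules are matched top to bottom; anything that reaches the end of INPUT,
# including packets that RETURN from SERVICES, is handled by the DROP policy.
filter_ruleset() {
    ports=${1:-22}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SERVICES - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -j SERVICES
-A SERVICES -p tcp -m multiport --dports $ports -j ACCEPT
-A SERVICES -j RETURN
COMMIT
EOF
}

# Dry run by default: print the ruleset. Only when APPLY_RULESET=yes is set
# does the script parse-check the rules and then load them (needs root).
apply_ruleset() {
    if [ "${APPLY_RULESET:-no}" = yes ]; then
        filter_ruleset "$1" | iptables-restore --test &&
            filter_ruleset "$1" | iptables-restore
    else
        echo "dry run: set APPLY_RULESET=yes to load the rules" >&2
        filter_ruleset "$1"
    fi
}

apply_ruleset "${1:-22,443}"
```

Keeping the whole ruleset in one file makes the default policy explicit (the `:INPUT DROP` line) and makes it obvious that a new service has to be added to the SERVICES chain rather than appended after the jump, where the DROP policy would already have taken effect.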

iptables LOGGING

To enable logging in iptables:

pbmac@pbmac-server $ iptables -A INPUT -j LOG

Define the source IP or range for which log entries will be created:

pbmac@pbmac-server $ iptables -A INPUT -s 192.168.10.0/24 -j LOG

To define the level of the log messages generated by iptables, use --log-level followed by the level number:

pbmac@pbmac-server $ iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-level 4

Add a prefix to the generated log messages, so that they are easy to search for in a large log file:

pbmac@pbmac-server $ iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-prefix '** SUSPECT **'

After enabling iptables logging, check the following log files to view the messages generated by iptables. Depending on your operating system, iptables logs to either /var/log/kern.log or /var/log/messages.
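Two practical points follow from the commands above. The LOG target is non-terminating: it records the packet and lets it continue down the chain, so a LOG rule is normally paired with the ACCEPT or DROP rule that actually decides the packet's fate, and rate-limited with the limit match so that a flood cannot fill the log. The script below is an added example, not from the original page: it prints such a LOG-then-DROP pair (with a trailing space in the prefix, so the prefix does not run into the "IN=" field) and summarises kernel log lines by source address. The subnet, the limit values and the SAMPLE_LOG lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: pair a LOG rule with the DROP
# rule that follows it, then summarise the resulting kernel log lines.
# The subnet, the rate limit and SAMPLE_LOG are constructed for this example.

# Print the two rules as iptables commands (printed, not executed here).
# LOG alone does not stop a packet; the DROP rule after it does. The
# trailing space in --log-prefix keeps the prefix separate from "IN=".
log_and_drop_rules() {
    net=${1:-192.168.10.0/24}
    printf '%s\n' \
        "iptables -A INPUT -s $net -m limit --limit 5/min -j LOG --log-prefix '** SUSPECT ** ' --log-level 4" \
        "iptables -A INPUT -s $net -j DROP"
}

# Constructed sample of what /var/log/kern.log might contain (fields abbreviated).
SAMPLE_LOG='Mar  3 10:15:01 pbmac-server kernel: [1001.1] ** SUSPECT ** IN=eth0 OUT= SRC=192.168.10.5 DST=192.168.10.1 PROTO=TCP SPT=51000 DPT=22
Mar  3 10:15:02 pbmac-server kernel: [1002.2] ** SUSPECT ** IN=eth0 OUT= SRC=192.168.10.5 DST=192.168.10.1 PROTO=TCP SPT=51001 DPT=23
Mar  3 10:15:03 pbmac-server kernel: [1003.3] ** SUSPECT ** IN=eth0 OUT= SRC=192.168.10.77 DST=192.168.10.1 PROTO=UDP SPT=5353 DPT=5353
Mar  3 10:15:04 pbmac-server kernel: [1004.4] unrelated kernel message SRC=10.0.0.9'

# Count logged packets per source address, keeping only lines that carry
# the prefix ($1, default '** SUSPECT **'). Reads the log on stdin and
# prints "<count> <source>" lines, highest count first.
summarize_iptables_log() {
    prefix=$1
    [ -n "$prefix" ] || prefix='** SUSPECT **'
    grep -F "$prefix" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { src = substr($i, 5); count[src]++ }
    } END { for (s in count) print count[s], s }' | sort -rn
}

log_and_drop_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_iptables_log
```

On a live system the summary would be fed from the log file named in the text, for example `summarize_iptables_log < /var/log/kern.log`; the unrelated kernel line in the sample shows why filtering on the prefix matters before extracting fields.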

Adapted from:
"Access-Lists (ACL)" by saurabhsharma56, Geeks for Geeks, is licensed under CC BY-SA 4.0
"Iptables How To" by Gunnar Hjalmarsson, Ubuntu Community Wiki, is licensed under CC BY-SA 4.0
"iptables" by Multiple Contributors, Arch Linux Wiki, is in the Public Domain, CC0
