Iptables questions

Is anyone able to assist with explaining (or providing a link towards explaining) how to read iptables’ tables?
I am trying to understand the interactions regarding tables, chains, and rules - but I’m having problems understanding the readout from the “iptables -S” command.

I’m personally interested in what the “-P”, “-N”, and “-A” signify.


I’m also curious as to what the “LIBVIRT_INP”, “LIBVIRT_FWI”, and “LIBVIRT_FWX” chains are all about…

I am referencing the man pages, and checking online:
(https://www.tutorialspoint.com/unix_commands/iptables.htm;
https://www.linuxtopia.org/Linux_Firewall_iptables/f30.html)…
…but I may be missing/overlooking something.

While explanation would be helpful, if one could offer an article for instruction, that would be awesome.

Equipment: using a Rocky Linux VM in VirtualBox. Host system is Windows 10, version 10.0.19043 Build 19043, upon a Xeon E3 system, with 32GB RAM

First, forget iptables and learn nftables. That is what Rocky really has. You can see real rules with:
nft list ruleset
See Using nftables in Red Hat Enterprise Linux 8
and Chapter 52. Getting started with nftables Red Hat Enterprise Linux 8 | Red Hat Customer Portal

That said,
-P sets default policy for main chain
-N adds new custom chain
-A appends new rule to a chain

Libvirtd can add rules to control access to VMs. It now uses custom chains in order to keep the ruleset more manageable.

1 Like
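The three line types jlehtone lists are easiest to see on a real readout. The script below is an added example, not code from this thread or from libvirt: it takes `iptables -S` output, separates the -P / -N / -A lines, and follows the -j jumps so you can see which chains a packet passes through and in what order. The RULESET string is a constructed sample modelled on what libvirtd installs for its default NAT network on virbr0; the chain names follow libvirt's convention, but the exact rules on a real host will differ, so replace it with `RULESET=$(sudo iptables -S)` to run it against your own VM.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): decode the -P, -N and -A lines that
# `iptables -S` prints and follow -j jumps between chains.
# RULESET is a CONSTRUCTED sample resembling libvirt's default-network rules.
# On a real host use:  RULESET=$(sudo iptables -S)
set -eu

RULESET='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N LIBVIRT_INP
-N LIBVIRT_OUT
-N LIBVIRT_FWO
-N LIBVIRT_FWI
-N LIBVIRT_FWX
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT'

# "-P CHAIN POLICY": the verdict a packet gets if it reaches the end of a
# built-in chain without matching a terminal rule.
default_policy() {
  printf '%s\n' "$RULESET" | awk -v c="$1" '$1 == "-P" && $2 == c { print $3 }'
}

# "-N CHAIN": user-defined chains. They have no policy; a packet that falls
# off the end returns to the chain that jumped in.
custom_chains() {
  printf '%s\n' "$RULESET" | awk '$1 == "-N" { print $2 }'
}

# "-A CHAIN rule...": rules appended to CHAIN, in evaluation order, with the
# leading "-A CHAIN" stripped.
rules_in_chain() {
  printf '%s\n' "$RULESET" \
    | awk -v c="$1" '$1 == "-A" && $2 == c { print substr($0, length($1) + length($2) + 3) }'
}

# Targets of "-j" in CHAIN that are chains rather than terminal verdicts.
jumps_from() {
  printf '%s\n' "$RULESET" | awk -v c="$1" '
    $1 == "-A" && $2 == c {
      for (i = 3; i < NF; i++)
        if ($i == "-j") {
          t = $(i + 1)
          if (t != "ACCEPT" && t != "DROP" && t != "REJECT" && t != "RETURN") print t
        }
    }'
}

# Print CHAIN, then (indented) every chain it jumps into, recursively.
trace_chain() {
  local chain=$1 depth=${2:-0} target
  printf '%*s%s\n' $((depth * 2)) '' "$chain"
  for target in $(jumps_from "$chain"); do
    trace_chain "$target" $((depth + 1))
  done
}

# Demo output when run directly.
echo "== default policies =="
for c in INPUT FORWARD OUTPUT; do echo "$c $(default_policy "$c")"; done
echo "== chains consulted for forwarded traffic =="
trace_chain FORWARD
echo "== rules in LIBVIRT_FWI =="
rules_in_chain LIBVIRT_FWI
```

Reading the trace for FORWARD shows why the LIBVIRT_FW* chains exist: libvirt hooks its own chains into the built-in chains once, then keeps all per-bridge rules inside them. Under `nft list ruleset` the same three ideas appear as the `policy accept;` line inside a base chain (the -P), a `chain LIBVIRT_INP { ... }` block without a `type ... hook` line (the -N), and the rule lines inside each chain block (the -A).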

@Priest_Apostate, I am in total agreement with jlehtone.
iptables is the older technology, it is difficult to understand and know how to manage; however, when I switched to firewalld things got significantly easier for me to adapt to firewall management.

nftables and firewalld are co-existent. They are really one and the same.

1 Like

I have to disagree a tiny bit. FirewallD is a front-end that hides technical details and presents to user “zone-based” abstraction.

In EL7 the firewalld.service did use iptables back-end to communicate with kernel.
In EL8 the firewalld.service does use nftables back-end to communicate with kernel.
A mutually exclusive alternative to firewalld.service in EL8 is nftables.service that uses nftables back-end to communicate with kernel.

Yes, managing firewall via FirewallD and Libvirt is probably more humane than at lower level, providing that the two get along. The FirewallD in EL8.5 does (finally) support filtering forwarded traffic (unlike in 8.4 and before). I wonder whether the libvirt is “on same page”?

2 Likes

@jlehtone, thanks. That is what I meant to say. I am glad you cleared it up.

Regards.

Thanks for the explanation, and documentation, everyone!
I’ll admit that it is a relief to move away from iptables, and that I wasn’t the only person who found it less than user-friendly!

1 Like