Iptables: Middleware for Network Management

Some companies don’t allow their employees to use social media at work, and some countries don’t allow their citizens to access news outside of controlled outlets. How do these institutions control access to information that seems so available in other contexts? Through iptables.

When you enter facebook.com in the address bar of your browser (or open the native app on your phone), the information exchanged between your device and the servers at Facebook is broken up into tagged chunks of data called packets. Iptables contain chains of rules, and each rule contains a policy for how to handle the network packets sent to and from your computer.

For example, a company that wants to block incoming Facebook data can set up a custom rule that sends all packets from Facebook to the garbage instead of delivering them to the browser.

If a packet matches none of the rules in a chain, the chain's default policy decides what happens to it, which is usually to drop it.
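The chain-of-rules model described above, as an added example that is not part of the original post: a small POSIX shell script that emits the iptables commands for "drop anything unmatched on INPUT, and send one site's packets to the garbage", plus an audit that reads an iptables -S dump and checks that those two things are actually in place. BLOCKED_NET is a placeholder from the RFC 5737 documentation range, not a real Facebook address; the other flags (-P, -A, -m conntrack, --dport) are standard iptables options.

```shell
#!/bin/sh
# Added example, not from the original post. With DRY_RUN=1 (the default) the
# commands are only printed, so this runs without root; DRY_RUN=0 applies them.
DRY_RUN="${DRY_RUN:-1}"
# Placeholder network (RFC 5737 documentation range), not a real site's range.
BLOCKED_NET="${BLOCKED_NET:-203.0.113.0/24}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Rules in a chain are evaluated top to bottom and the first match wins; a
# packet that matches nothing falls through to the chain's default policy (-P).
apply_rules() {
    run -P INPUT DROP                            # unmatched inbound: garbage
    run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT                 # keep local services working
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -p tcp --dport 22 -j ACCEPT     # keep SSH reachable
    run -A OUTPUT -d "$BLOCKED_NET" -j DROP      # nothing goes to the site
    run -A INPUT -s "$BLOCKED_NET" -j DROP       # nothing from it is delivered
}

# Audit: read `iptables -S` output on stdin; print "ok" if INPUT defaults to
# DROP and BLOCKED_NET is dropped on OUTPUT, otherwise list what is missing
# and print "fail" as the last line.
audit_rules() {
    dump=$(cat)
    status=ok
    echo "$dump" | grep -q '^-P INPUT DROP$' \
        || { status=fail; echo "INPUT default policy is not DROP"; }
    echo "$dump" | grep -q "^-A OUTPUT -d $BLOCKED_NET -j DROP$" \
        || { status=fail; echo "no OUTPUT rule dropping $BLOCKED_NET"; }
    echo "$status"
}

# Stand-alone run: print the rule set without touching the firewall.
apply_rules
```

The audit only needs a saved iptables -S dump, so it can be run against a host whose rules someone else configured.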

Iptables are useful in many scenarios:

  • to build your own firewalls,
  • to restrict access to specific sites (like Facebook),
  • to load balance incoming web traffic,
  • to block a DoS attack, or
  • to simulate a network or service failure in order to test the resilience of your system (my team uses this strategy for some game-day activities).

Administrator (root) privileges are required, but you can use iptables on Linux, or pfctl on macOS, to inspect or change your firewall rules.

While I am neither a system administrator, nor particularly interested in bespoke network management, I do occasionally install software that will help me focus by blocking my access to distracting sites — it is always good to know some of the magic going on under the hood.

Resources