Linux iptables Configuration Tutorial

Iptables is an extremely flexible command-line firewall utility built for Linux operating systems. It uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list that matches it. If it doesn’t find one, it falls back to the chain’s default action (the policy). Securing any server requires a firewall configuration, and iptables belongs in every system admin’s toolbox.

Installation/Update

iptables almost always comes pre-installed on any Linux distribution. To install or update it, just install the iptables package (Debian/Ubuntu shown here):
sudo apt-get install iptables

Listing the Current Rules

$ sudo iptables --list

Your output is going to look like the following if you haven’t made any changes:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

If you already have a firewall ruleset and want to start over, flush the current iptables rules:
$ sudo iptables -F

Reading the Ruleset

In a default install you will see three predefined chains that handle the three major activities: incoming traffic, forwarded traffic and outgoing traffic. The “policy” is probably the most important thing to take away from the above output: it is the default action for that particular chain, applied to any packet that no rule matches. With a standard install all policies are ACCEPT.

Policies

The available policies and other options are extensive; if you would like to know more about them, check the iptables man page. Within the scope of this article I will only cover the following three, which are the most common:

Accept – Lets the packet through. As a chain policy it applies whenever no rule in the chain matches the packet.

Reject – Sends an error packet back in response to the matched packet; otherwise it is equivalent to DROP, so it is a terminating target that ends rule traversal. (REJECT is used as a rule target; the built-in chain policy set with -P must be ACCEPT or DROP.)

Drop – Silently discards the packet, halting the connection without any response to the remote host, unless a rule with a different target matches first.

Available Options

The options that are recognized by iptables can be divided into several different groups:

Commands – These options specify a specific action to perform.
Parameters – Parameters set rule specifications for the commands used.
Other Options – Other options can be specified, as necessary, for commands used.

Simple Firewall

The following exercise configures a simple firewall for your server, allowing only the basic services: incoming SSH, FTP and HTTP.

Allow traffic belonging to connections that are already established with your server (and connections related to them):
$ sudo iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow connections to SSH

Here we can make a few different choices, and the same choices can be applied to other ports or situations to customize the ruleset.
This first command allows all TCP connection attempts to SSH (port 22):

$ sudo iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT

This command instead allows connections only from a certain IP subnet, given in CIDR notation. In this example we lock SSH down to any IP address in the range 192.168.1.0 – 192.168.1.255:

$ sudo iptables -I INPUT 1 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT

Allowing connections to HTTP/HTTPS

The following iptables rules allow connections to port 80 (HTTP) and port 443 (HTTPS) from any source:

$ sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT

Allowing connections to FTP

The following iptables rule allows connections to an FTP server on port 21:

$ sudo iptables -I INPUT 1 -p tcp --dport 21 -j ACCEPT

List of common Ports

Using what you’ve learned above, use the following list of common ports from the link to create rules for any server you have running.

Changing the Default Policy

The only real policy change we are going to make affects incoming traffic: as a general rule we are going to DROP all connections and only allow those we have deemed legitimate.

$ sudo iptables -P INPUT DROP

This command should be run only after you have set up your access rules to allow yourself to SSH in; otherwise you will lock yourself out of the server.
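The whole exercise above, from the ESTABLISHED,RELATED rule through the DROP policy, collected into one script as an added example (this is not the tutorial’s own script). It writes the rules in iptables-save syntax and loads them with iptables-restore, which applies the ruleset atomically and makes the evaluation order explicit instead of depending on repeated -I INPUT 1 inserts. Assumed values: the admin subnet 192.168.1.0/24 from the SSH example, the interface name eth0, and a loopback rule that the tutorial does not mention but which any DROP policy needs.

```shell
#!/bin/sh
# Added example, not from the tutorial: the "Simple Firewall" exercise as one
# iptables-restore ruleset generated by a function, so it can be reviewed
# before it is applied. Assumptions: admin subnet 192.168.1.0/24, interface
# eth0, and that apply_rules is run as root on the server itself.

ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # assumption: where your SSH clients sit
WAN_IF="${WAN_IF:-eth0}"                   # assumption: the public interface

# Emit the ruleset in iptables-save syntax. Rules are evaluated top to bottom,
# so the order written here is the order iptables will use.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback must always be allowed or local services break
-A INPUT -i lo -j ACCEPT
# replies to connections the server already has (the tutorial's first rule)
-A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH only from the admin subnet
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -m state --state NEW -j ACCEPT
# web
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# FTP control channel; the data channel is only classified as RELATED once
# the nf_conntrack_ftp kernel module is loaded (modprobe nf_conntrack_ftp)
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Number of ACCEPT rules in the generated ruleset, for a quick sanity check.
count_accepts() {
    build_rules | grep -c -- '-j ACCEPT'
}

# Parse-check the ruleset without loading it, then load it and show the
# resulting INPUT chain with rule numbers and hit counters. Requires root.
apply_rules() {
    build_rules | iptables-restore --test || {
        echo "ruleset failed to parse, nothing applied" >&2
        return 1
    }
    build_rules | iptables-restore
    iptables -L INPUT -n -v --line-numbers
}

# Only apply when explicitly asked, so sourcing the file for review is harmless.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Save this as firewall.sh, review the output of `sh firewall.sh` (which only defines the functions), then run `sh firewall.sh apply` as root from a console session or an SSH session coming from ADMIN_NET, so the established-connection rule keeps your session alive while the DROP policy takes effect.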

Save Save Save your Ruleset

If your server reboots for any reason or you restart iptables, you will lose your changes: the rules you enter by hand are stored only in volatile memory. To make any change permanent you will need to save the iptables rules with one of the following commands:

for CentOS and Fedora

# /etc/init.d/iptables save

for Ubuntu

# iptables-save > /etc/iptables.rules

for all other Distros

# iptables-save > /etc/sysconfig/iptables

The above commands write the ruleset to a flat file (/etc/sysconfig/iptables or /etc/iptables.rules, depending on the command you used) with human-readable syntax that can be edited by hand if necessary. Edits to this file take effect whenever the ruleset is reloaded from it, for example when the iptables service restarts on CentOS/Fedora or when iptables-restore is run against the file.
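A check that pairs with the saved file, added here as an example (it is not part of the tutorial): compare the ruleset currently running with the one persisted on disk, so hand edits that were never saved, or saved rules that were never reloaded, show up before the next reboot surprises you. It assumes the file path from the tutorial (/etc/sysconfig/iptables by default) and that iptables-save can be run as root; the two sample rulesets embedded below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the tutorial: detect drift between the running
# iptables ruleset and the persisted file. Assumes the saved-file path used
# in the tutorial and root privileges for iptables-save.

# iptables-save output contains lines that legitimately differ on every run:
# "# Generated by ..." / "# Completed on ..." timestamps and the packet/byte
# counters "[pkts:bytes]" after each policy line. Strip them so only the
# rules themselves are compared.
normalize_rules() {
    sed -e '/^# Generated by/d' \
        -e '/^# Completed on/d' \
        -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# Compare two rulesets given as strings; returns 0 when they match after
# normalization, 1 otherwise.
rulesets_match() {
    a="$(printf '%s\n' "$1" | normalize_rules)"
    b="$(printf '%s\n' "$2" | normalize_rules)"
    [ "$a" = "$b" ]
}

# Live check: running ruleset versus the persisted file. Requires root.
# Exit status 0 = in sync, 1 = drift, 2 = could not read the running rules.
check_persisted() {
    saved_file="${1:-/etc/sysconfig/iptables}"
    running="$(iptables-save)" || return 2
    if rulesets_match "$running" "$(cat "$saved_file")"; then
        echo "running ruleset matches $saved_file"
    else
        echo "DRIFT: running ruleset differs from $saved_file" >&2
        printf '%s\n' "$running" | normalize_rules | diff -u "$saved_file" - || true
        return 1
    fi
}

# Constructed samples: the same rules saved yesterday and running today, so
# only timestamps and counters differ.
SAMPLE_SAVED='# Generated by iptables-save v1.4.21 on Sun Dec 31 09:00:00 2023
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sun Dec 31 09:00:00 2023'

SAMPLE_RUNNING='# Generated by iptables-save v1.4.21 on Mon Jan  1 10:00:00 2024
*filter
:INPUT DROP [1234:56789]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4321:98765]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 10:00:00 2024'

# Self-test on the constructed samples; run check_persisted on a real host.
if [ "${1:-}" = "selftest" ]; then
    rulesets_match "$SAMPLE_RUNNING" "$SAMPLE_SAVED" && echo "samples match"
fi
```

Run `sh rules-drift.sh selftest` to exercise the comparison on the embedded samples, and `check_persisted /etc/iptables.rules` (or with no argument for the /etc/sysconfig path) as root to check a live server; a cron job that runs it and mails on a non-zero exit status is a cheap way to catch unsaved firewall changes.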


– masterkenneth
