Introduction to iptables
This article explains how to use IP tables for a simple firewall and
describes the process of opening up holes in your firewall to necessary
ports. An IP table is a firewall and networking tool available to
all Linux distros and operates by analyzing packets at the kernel level
as they are received.
For a comprehensive list of IP tables commands, parameters, and other
options, see the MAN page and the
IP tables how-to.
Base ruleset
The command to list current rules is:
sudo iptables --list
Default output is:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Reading the ruleset
In a default install, you see three predefined Chains, a list of rules, that
takes care of the three major activities: incoming traffic (INPUT),
forwarded traffic (FORWARD), and outgoing traffic (OUTPUT). The most important
thing to take away from the table above is that the default ruleset for that all
policies is set to ACCEPT.
Policies
Available policies and other options are extensive. If you want to know
more about them check out the man page
for IPtables. This article covers only the most common policies:
-
Accept explicitly passes traffic through as long as no other target rules
apply. -
Reject sends back an error packet in response to the matched
packet. Otherwise,, it is equivalent to DROP so it is a terminating
TARGET, ending rule traversal. -
Drop halts a connection to a host without any communication unless
there a target rule applies.
Available options
IPtables MAN page: https://linux.die.net/man/8/iptables
The options recognized by iptables
come in the following groups:
- Commands specify an action to perform.
- Parameters set rule specifications for the commands used.
- Other Options which you specify, as necessary, for commands used.
Simple firewall commands
Allow connections that are already connected to your server.
sudo iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow connections on ServiceNet. Required by other Rackspace Cloud products such as Cloud Backup and Cloud Monitoring.
sudo iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow connections to SSH. You can also use this command to make customizations.
The following command allows all TCP connections attempts to the SSH port 22
.
sudo iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
Allow connections only coming from a certain IP subnet by using
CIDR (Classless
Inter Domain Routing) notation. In this example, we lockdown to any IP address
lying in the range of 192.168.1.0 - 192.168.1.255.
sudo iptables -I INPUT 1 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
Allow connections to HTTP 80
or HTTPS 443
from any connection.
sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
Allow connections for FTP servers on port 21
.
sudo iptables -I INPUT 1 -p tcp --dport 21 -j ACCEPT
Changing default policy to deny all connections, only allowed connections would
be accepted.
sudo iptables -P INPUT DROP
IMPORTANT: Run this rule after you have set up your access rules to
allow incoming SSH connections.
List of common ports
Using the preceding commands, mix and match options from the following list of
common ports
to create rules for any running server you have.
Save your ruleset
If the server reboots for any reason or you restart IPTables, changes will be
lost since modifications are stored in volatile memory. The following commands
create a plain text file, /etc/sysconfig/iptables, with human-readable syntax.
All edits to this file are live whenever iptables restart.
-
For CentOS and Fedora
/etc/init.d/iptables save
-
For the Ubuntu operating system
iptables-save > /etc/iptables.rules
-
For all other distributions
iptables-save > /etc/sysconfig/iptables
Summary
This article shows you how to create a simple firewall to protect your
server from basic attacks. Keep in mind that IPTables is a powerful tool
that would need a book to fully explore. If you need help creating more rules,
see Easy Firewall Generator for IPTables.
References and useful links
Updated about 1 year ago