This article explains how to use IP tables for a simple firewall and
describes the process of opening up holes in your firewall to necessary
ports. An IP table is a firewall and networking tool available to
all Linux distros and operates by analyzing packets at the kernel level
as they are received.
The command to list current rules is:
sudo iptables --list
Default output is:
Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
In a default install, you see three predefined Chains, a list of rules, that
takes care of the three major activities: incoming traffic (INPUT),
forwarded traffic (FORWARD), and outgoing traffic (OUTPUT). The most important
thing to take away from the table above is that the default ruleset for that all
policies is set to ACCEPT.
Available policies and other options are extensive. If you want to know
more about them check out the man page
for IPtables. This article covers only the most common policies:
Accept explicitly passes traffic through as long as no other target rules
Reject sends back an error packet in response to the matched
packet. Otherwise,, it is equivalent to DROP so it is a terminating
TARGET, ending rule traversal.
Drop halts a connection to a host without any communication unless
there a target rule applies.
IPtables MAN page: https://linux.die.net/man/8/iptables
The options recognized by
iptables come in the following groups:
- Commands specify an action to perform.
- Parameters set rule specifications for the commands used.
- Other Options which you specify, as necessary, for commands used.
Allow connections that are already connected to your server.
sudo iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow connections on ServiceNet. Required by other Rackspace Cloud products such as Cloud Backup and Cloud Monitoring.
sudo iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow connections to SSH. You can also use this command to make customizations.
The following command allows all TCP connections attempts to the SSH port
sudo iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
Allow connections only coming from a certain IP subnet by using
Inter Domain Routing) notation. In this example, we lockdown to any IP address
lying in the range of 192.168.1.0 - 192.168.1.255.
sudo iptables -I INPUT 1 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
Allow connections to HTTP
80 or HTTPS
443 from any connection.
sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
Allow connections for FTP servers on port
sudo iptables -I INPUT 1 -p tcp --dport 21 -j ACCEPT
Changing default policy to deny all connections, only allowed connections would
sudo iptables -P INPUT DROP
IMPORTANT: Run this rule after you have set up your access rules to
allow incoming SSH connections.
Using the preceding commands, mix and match options from the following list of
to create rules for any running server you have.
If the server reboots for any reason or you restart IPTables, changes will be
lost since modifications are stored in volatile memory. The following commands
create a plain text file, /etc/sysconfig/iptables, with human-readable syntax.
All edits to this file are live whenever iptables restart.
For CentOS and Fedora
For the Ubuntu operating system
iptables-save > /etc/iptables.rules
For all other distributions
iptables-save > /etc/sysconfig/iptables
This article shows you how to create a simple firewall to protect your
server from basic attacks. Keep in mind that IPTables is a powerful tool
that would need a book to fully explore. If you need help creating more rules,
see Easy Firewall Generator for IPTables.
Updated 3 months ago