This article shows how to configure a basic firewall with iptables. With iptables you can explicitly allow or deny access to selected services running on your server, and allow or block traffic from selected IP addresses.
# What is iptables?
The iptables program lets you view and modify the packet-filtering rules built into the Linux kernel (the netfilter framework). You can grant or deny access to specific network services such as SSH and HTTP, and you can permit or block specific IP addresses from connecting to the server.
To do this you define a set of rules, which are grouped into chains. By default the filter table used by iptables has three chains:
(i) INPUT (for incoming packets)
(ii) FORWARD (for forwarding packets)
(iii) OUTPUT (for outgoing packets)
This article covers only the INPUT chain, which is where you selectively accept or block packets arriving at the server.
Most major Linux distributions ship iptables by default, including Debian, Ubuntu, CentOS and Fedora. Recent releases front it with nftables (the iptables-nft command) or with firewalld; the commands in this article still work there, but make sure only one tool is managing the rules, otherwise they overwrite each other's changes.
# How to add rules?
A fresh installation has no rules defined. To verify this, list the current rules with the iptables -L command, which produces the following output:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
You can see that every chain is empty and that each has the policy ACCEPT, so all traffic is currently allowed. To add some basic rules, run the following commands as root:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 7822 -j ACCEPT
iptables -A INPUT -j DROP
In all of the commands above, -A instructs iptables to append the rule to the end of the specified chain (here, the INPUT chain). Each command does the following:
• The first command accepts all packets on the local loopback interface. Many programs talk to local services over the loopback interface, so it should always be accepted.
• The second command uses the -m option to load the state module, which classifies each packet by the state of its connection: NEW, ESTABLISHED, RELATED or INVALID. The rule accepts incoming packets that belong to a connection that is already established (for example, replies to connections the server itself opened) or that are related to one. Note that the state list is comma-separated with no space after the comma; iptables rejects RELATED, ESTABLISHED with a space.
• The third command accepts incoming TCP connections on port 7822. This article assumes that sshd has been moved to port 7822; if your server runs SSH on the standard port, use 22 here instead.
• The last command drops every incoming packet that did not match one of the preceding rules. DROP discards the packet silently, unlike REJECT, which would send an error back to the sender.
Now, if you type the iptables -L command, you will get the following output:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:7822
DROP       all  --  anywhere             anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
You can test the configuration by connecting to the server over SSH; the connection should succeed. Connections on any other port, for example HTTP on port 80, are now dropped: because the rule uses DROP rather than REJECT, the client receives no reply and eventually times out. If you apply these rules over an SSH session, make sure the rule for your SSH port is in place before the DROP rule, otherwise you will lock yourself out of the server.
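The same four rules as a script that can be re-run without piling up duplicate rules, written here as an added example (this is not code from the original article). It assumes sshd listens on port 7822 as the article does (override with SSH_PORT=22 for a stock sshd), that IPTABLES may be pointed at another binary such as iptables-legacy, and it uses its own DRY_RUN convention to print the commands instead of executing them:

```shell
#!/bin/sh
# Added example, not code from the original article: the article's four
# INPUT rules as a re-runnable script. Assumptions: sshd listens on 7822
# (override with SSH_PORT=22); IPTABLES may point to another binary such as
# iptables-legacy; DRY_RUN=1 prints each command instead of executing it.
IPTABLES=${IPTABLES:-iptables}
SSH_PORT=${SSH_PORT:-7822}

# Runs the command given as arguments, or prints it when DRY_RUN is set.
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_baseline() {
  # Flush INPUT first: re-running a script full of -A commands would
  # otherwise append a second copy of every rule. As long as the INPUT
  # policy is ACCEPT (as in this article) the flush cannot lock out the
  # SSH session that is running the script.
  run "$IPTABLES" -F INPUT
  # 1. Loopback traffic is used by many local services; always allow it.
  run "$IPTABLES" -A INPUT -i lo -j ACCEPT
  # 2. Replies to connections this host opened, and related traffic.
  #    conntrack/--ctstate is the current spelling of -m state --state;
  #    the state list is comma-separated with no space after the comma.
  run "$IPTABLES" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # 3. Inbound SSH. This rule must come before the catch-all DROP, or the
  #    next SSH connection, including your own, will time out.
  run "$IPTABLES" -A INPUT -p tcp -m tcp --dport "$SSH_PORT" -j ACCEPT
  # 4. Catch-all: anything not accepted above is silently dropped.
  #    Keep this rule last; new service rules go in front of it.
  run "$IPTABLES" -A INPUT -j DROP
}

# Shows the resulting chain with rule numbers, packet counters and
# numeric addresses (no reverse DNS lookups).
show_input() {
  "$IPTABLES" -L INPUT -n -v --line-numbers
}

# Live use (as root):        apply_baseline && show_input
# Preview without changes:   DRY_RUN=1 apply_baseline
```

Run it once with DRY_RUN=1 from the console and read the five printed commands before running it for real over SSH; the order they print in is the order the kernel evaluates them.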
# Inserting the rules
The rule set defined above is minimal. If SSH is the only incoming service you need, you are done; most likely, though, you will need to open access to more services as you configure your server.
If you add a rule with the -A option as shown above, it becomes the last rule in the chain, after the DROP rule. iptables evaluates the rules in order and stops at the first match, so a packet reaches the DROP rule and is discarded before the new rule is ever consulted. We therefore need a way to insert new rules earlier in the chain.
The -I option inserts a new rule at a given position in the chain. Let's insert a rule that allows incoming TCP connections on port 80 (HTTP). It must come before the DROP rule, which is currently the fourth rule in the chain:
iptables -I INPUT 4 -p tcp -m tcp --dport 80 -j ACCEPT
This command inserts the HTTP rule as the fourth rule and pushes the DROP rule down to fifth place. Typing the iptables -L command now gives the following output:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:7822
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
DROP       all  --  anywhere             anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Note: To see the rule numbers of all the rules in a chain, type the following command (add -n to print numeric addresses and ports instead of resolving names, which is also much faster when DNS is slow):
iptables -L --line-numbers
# To Block an IP Address
The rules explained above control access by service (SSH, HTTP, etc.). In the same way, you can write rules that permit or block specific IP addresses.
For example, suppose the server's log files show repeated SSH login attempts from one IP address. To block all further SSH connections from that address, type the following command:
iptables -I INPUT rulenum -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 7822 -j DROP
In this command, replace rulenum with the position at which to insert the rule and xxx.xxx.xxx.xxx with the IP address to block. The DROP must sit before the ACCEPT rule for port 7822 (rule 3 in the listing above); inserted after it, it would never be reached, because the ACCEPT matches first.
To block all traffic from an IP address regardless of the service requested, type the following command:
iptables -I INPUT rulenum -s xxx.xxx.xxx.xxx -j DROP
Using 1 as rulenum places the DROP ahead of the RELATED,ESTABLISHED rule, so the address's existing connections are cut off as well, not only new ones.
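The log-reading step is the part people usually script, and it is also where a mistake becomes dangerous, since the address comes from attacker-controlled log lines and ends up in a root command. The following is an added example, not code from the original article: it counts failed sshd password attempts per source address in a constructed sample of /var/log/auth.log lines, validates each address before use, and blocks offenders with the -I INPUT 1 form from above. It assumes sshd's standard "Failed password for ... from <ip> port ..." message, lets IPTABLES point at another binary, and uses its own DRY_RUN convention to print the command instead of executing it:

```shell
#!/bin/sh
# Added example, not code from the original article: finds source addresses
# with repeated failed SSH logins in sshd log lines and blocks them with the
# -I INPUT 1 rule described above. Assumptions: sshd's standard "Failed
# password for ... from <ip> port ..." message format; IPTABLES may point to
# another binary; DRY_RUN=1 prints the command instead of executing it.
IPTABLES=${IPTABLES:-iptables}

run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed sample of /var/log/auth.log lines (not real traffic):
# 203.0.113.5 fails four times, 198.51.100.7 fails once and then succeeds.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 host sshd[2211]: Failed password for root from 203.0.113.5 port 50212 ssh2
Mar  3 10:01:15 host sshd[2211]: Failed password for root from 203.0.113.5 port 50212 ssh2
Mar  3 10:01:19 host sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 50230 ssh2
Mar  3 10:01:25 host sshd[2215]: Failed password for invalid user test from 203.0.113.5 port 50244 ssh2
Mar  3 10:02:01 host sshd[2220]: Failed password for alice from 198.51.100.7 port 41002 ssh2
Mar  3 10:02:40 host sshd[2222]: Accepted publickey for alice from 198.51.100.7 port 41010 ssh2'

# Reads sshd log lines on stdin and prints, sorted, every source address
# with at least $1 failed password attempts.
offenders() {
  awk -v min="$1" '
    /Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= min) print ip }
  ' | sort
}

# Accepts only a dotted-quad IPv4 address with octets 0-255. Log-derived
# strings are attacker-controlled input; never splice them into a root
# command without validating them first.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  ( IFS=.; set -- $1; for o in "$@"; do [ "$o" -le 255 ] || exit 1; done )
}

# Drops all traffic from $1. Position 1 puts the rule ahead of the
# RELATED,ESTABLISHED accept, so the address's open connections are cut
# too; add "-p tcp --dport 7822" to limit the block to SSH instead.
block_ip() {
  if ! is_ipv4 "$1"; then
    printf 'refusing to block malformed address: %s\n' "$1" >&2
    return 1
  fi
  run "$IPTABLES" -I INPUT 1 -s "$1" -j DROP
}

# Live use (as root), blocking every address with three or more failures:
#   offenders 3 < /var/log/auth.log | while read -r ip; do block_ip "$ip"; done
```

The validation step is not pedantry: a log line is text the remote side influenced, and a script that passes whatever follows "from" straight to iptables is one crafted username away from running an unintended rule. Rules added this way are also lost on reboot, like any other, and addresses accumulate in the chain, so review and save them as described in the sections below.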
# Deleting Rules
To delete a rule, use the -D option together with the rule's number, which you can look up with --line-numbers as shown above. For example, to delete the fifth rule from the INPUT chain (the DROP rule in the listing above), use the following command:
iptables -D INPUT 5
Rule numbers shift after a deletion, so list the chain again before deleting another rule by number. You can also give the complete rule specification after -D instead of a number, which deletes the first rule that matches it exactly.
To delete all the rules at once, type the following command:
# Saving Rules
The rules you have defined live only in the running kernel, so they are lost when the server reboots. To keep them across restarts you need to save them; how to do this depends on the Linux distribution you are running.
For Debian and Ubuntu
Perform the following steps to save the iptables rules on a server running Debian or Ubuntu:
1. In the command prompt, type the following command :
apt-get install iptables-persistent
2. During package installation, at the Save current IPv4 rules? prompt, press Enter.
3. At the Save current IPv6 rules? prompt, press Tab and then Enter.
Note: The prompts in steps 2 and 3 appear only during the initial installation of the package. After that, whenever you change the iptables rules, save them with the following command so they are reloaded at boot:
iptables-save > /etc/iptables/rules.v4
This file holds IPv4 rules only. ip6tables keeps a separate rule set, saved to rules.v6 in the same directory; if you leave it at its default ACCEPT policy, the services you just restricted remain reachable over IPv6 on a dual-stack host.
For CentOS and Fedora
To save the iptables rules on a server running CentOS or Fedora, enter the following command. It relies on the iptables init service: on CentOS 6 that service is present by default, but CentOS 7 and later and current Fedora releases use firewalld by default, so there the iptables-services package must be installed (and firewalld disabled) for this to work.
/sbin/service iptables save
For more information about iptables, type the following command: