This article guides on how to configure a basic firewall using iptables. By using an iptables program, you can explicitly grant or deny access to selected services that run on your server as well as on selected IP addresses.<\/p>\n
The iptables program allows you to view and modify the Linux kernel’s built-in network packet filtering capabilities. You have the opportunity to grant and deny access to specific network services such as SSH, HTTP, etc. Also, you can permit or block specific IP addresses from connecting to the server.<\/p>\n
To perform all these actions, first, you need to define a set of rules that are grouped into chains. By default iptables uses three chains :<\/p>\n
(i) INPUT (for incoming packets)<\/strong><\/p>\n (ii) FORWARD (for forwarding packets)<\/strong><\/p>\n (iii) OUTPUT (for outgoing packets)<\/strong><\/p>\n This article will cover only the INPUT chain to selectively block and accept an incoming packet to the server. iptables does not have any rules defined and to verify this, you can type the following command :<\/p>\n <\/p>\n You can see that there are no targets and no destinations defined. So, to add some basic rules, type the following commands:<\/p>\n -A<\/strong> in all the above comments, instructs iptables to append the rule to the end of the specified chain (here, the INPUT chain). Let’s see what each command specifies :<\/p>\n \u2022 The first command is used to permit all packets for the local loopback interface. The loopback interface is used by many programs, so it is a good option to accept packets on it.<\/p>\n \u2022 The second command is used because it uses -m<\/strong> option to load the state module. This module can determine and monitor a packet’s state, which can be NEW<\/strong>, ESTABLISHED<\/strong>, or RELATED<\/strong>. Using this rule, we accept incoming packets that belong to a connection that has already been established.<\/p>\n \u2022 The third command is used to accept incoming TCP connection on port 7288 (SSH).<\/p>\n \u2022 The last command is used to drop (reject) incoming packets that do not match any of the preceding rules.<\/p>\n Now, if you type the iptables -L<\/strong> command, you will get the following output :<\/p>\n You can test the configuration by connecting to the server using SSH. It will allow you to connect. Connections that are on any other ports like HTTP connection on port 80 will get rejected.<\/p>\n The set of rules that are defined above are limited. If you want to allow only SSH as the incoming connection then you are all set. But, most likely, you will need to add access to services as you configure your server.<\/p>\n If we add a rule using -A<\/strong> option as shown above, then it will be the last rule in the chain, right after the DROP<\/strong> rule. This is because iptables works through the sequence of rules. That means it will never get to the new rule as the packet have already been dropped. Thus, we need to have a way to insert new rules into the chain.<\/p>\n The -I<\/strong> option allows us to insert a new rule anywhere in the chain. Let’s see how to insert a rule that allows incoming TCP connections on port 80(HTTP). So we will want a rule to come just before the DROP<\/strong> rule which is currently the fourth rule in the chain :<\/p>\n This command will insert our HTTP rule in the fourth line and will push the DROP<\/strong> rule down to the fifth line. Now after typing the iptables -L<\/strong> command, you will get the following output :<\/p>\n Note:<\/strong> To check the line numbers for all of the rules in a chain, type the following command :<\/p>\n The rules explained above define access by service (SSH, HTTP, etc.). Similarly, you can also set the rules that permit or block specific IP addresses. In this command, replace rulenum<\/span> with the rule number and also replace xxx.xxx.xxx.xxx<\/span> with the IP address to block.<\/p>\n To block all the traffic<\/strong> from an IP address regardless of the service that has been requested, type the following command :<\/p>\n To delete the rule, you need to use the -D option. Also, you need to know the number of the rule that you want to delete. For example to delete the fourth rule from the INPUT chain, use the following command :<\/p>\n To delete all the rules at once, type the following command :<\/p>\n Once you reboot the server now, all the rules that you have defined will be erased. So, to maintain rules across system restarts, you need to save them. The steps to do this depend on the Linux distribution that you are running.<\/p>\n Perform the following steps to save the iptables rules on a server running Debian or Ubuntu :<\/p>\n 1. In the command prompt, type the following command :<\/p>\n apt-get install iptables-persistent<\/p>\n 2. During the process of package installation, at the Save current IPv4 rules?<\/strong> prompt, press on Enter<\/strong>.<\/p>\n 3. At the prompt for the Save current IPv6 rules?<\/strong>, press Tab, and then press Enter<\/strong>.<\/p>\n Note:<\/strong> Above steps 2 and 3 will only appear once during initial package installation. So, if you make any changes to iptables rules, then type the following command to save them :<\/p>\n Enter the following command, to save the iptables rules on a server running CentOS or Fedora.<\/p>\n To know more information about iptables type the following command :<\/p>\n Also Read :<\/strong><\/p>\n<\/div>\n
\nMost of the major Linux distributors are already incorporated with iptables program by default, including Debian, Ubuntu, CentOS and Fedora.<\/p>\n# How to add rules?<\/h2>\n
Chain INPUT (policy ACCEPT)\r\ntarget prot opt source destination\r\n\r\nChain FORWARD (policy ACCEPT)\r\ntarget prot opt source destination\r\n\r\nChain OUTPUT (policy ACCEPT)\r\ntarget prot opt source destination<\/pre>\n
Chain INPUT (policy ACCEPT)\r\ntarget prot opt source destination\r\nACCEPT all -- anywhere anywhere\r\nACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED\r\nACCEPT tcp -- anywhere anywhere tcp dpt:7822\r\nDROP all -- anywhere anywhere\r\n\r\nChain FORWARD (policy ACCEPT)\r\ntarget prot opt source destination\r\n\r\nChain OUTPUT (policy ACCEPT)\r\ntarget prot opt source destination<\/pre>\n
# Inserting the rules<\/h2>\n
Chain INPUT (policy ACCEPT)\r\ntarget prot opt source destination\r\nACCEPT all -- anywhere anywhere\r\nACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED\r\nACCEPT tcp -- anywhere anywhere tcp dpt:7822\r\nACCEPT tcp -- anywhere anywhere tcp dpt:http\r\nDROP all -- anywhere anywhere\r\n\r\nChain FORWARD (policy ACCEPT)\r\ntarget prot opt source destination\r\n\r\nChain OUTPUT (policy ACCEPT)\r\ntarget prot opt source destination<\/pre>\n
# To Block an IP Address<\/h2>\n
\nFor example, if you find server log files that there are repeated SSH login attempts from a particular IP address in the server log files. So, to block all subsequent SSH connections from the IP address, you need to type the following command:<\/p>\n# Deleting Rules<\/h2>\n
# Saving Rules<\/h2>\n
For Debian and Ubuntu<\/h3>\n
For CentOS and Fedora<\/h3>\n