Thank you for visiting the Rackspace Community
The The Community is live! Post new content or topics so our teams can assist.

Please contact your support team if you have a question or need assistance for any Rackspace products, services, or articles.

Introduction to iptables

Introduction

I am going to use this article to explain how to use IPtables a simple firewall. The scope of this article will be to learn basic knowledge enough to open up holes in your firewall to necessary ports.

The Base Ruleset

  • List of the Current rules
$ sudo iptables --list

Your output is going to look like the following if you haven't made any changes:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Reading the Ruleset

In a default install you will see three predefined Chains that will take care of the three major activities: Incoming Traffic, Forwarded Traffic and Outgoing Traffic. The "policy" is probably the most important thing to take away from the above table. The policy is the default ruleset for that particular Chain, with a standard install all policies will be "Accept".

Policies

The available policies and other options are extensive, if you would like to know more about them check out the 'man page' for IPtables. In the scope of this article I will only cover the following three policies which are the most common:

  • Accept - This is used to explicitly pass through as long as no target rules apply.
  • Reject - This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating TARGET, ending rule traversal.
  • Drop - This policy will halt a connection to a host without any communication unless there is a target rule that applies.

Available Options

IPtables MAN page: http://linux.die.net/man/8/iptables

The options that are recognized by iptables can be divided into several different groups.

COMMANDS

These options specify the specific action to perform. Only one of them can be specified on the command line 
unless otherwise specified below. For all the long versions of the command and option names, you need to 
use only enough letters to ensure that iptables can differentiate it from all other options.

-A, --append chain rule-specification
    Append one or more rules to the end of the selected chain. When the source and/or destination names 
    resolve to more than one address, a rule will be added for each possible address combination. 

-D, --delete chain rule-specification

-D, --delete chain rulenum
    Delete one or more rules from the selected chain. There are two versions of this command: the rule 
    can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match. 

-I, --insert chain [rulenum] rule-specification
    Insert one or more rules in the selected chain as the given rule number. So, if the rule number 
    is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule 
    number is specified. 

-R, --replace chain rulenum rule-specification
    Replace a rule in the selected chain. If the source and/or destination names resolve to multiple 
    addresses, the command will fail. Rules are numbered starting at 1. 

-L, --list [chain]
    List all rules in the selected chain. If no chain is selected, all chains are listed. As every 
    other iptables command, it applies to the specified table (filter is the default), so NAT rules 
    get listed by

    # iptables -t nat -n -L

    Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. 
    It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically 
    listed and zeroed. The exact output is affected by the other arguments given. The exact rules are 
    suppressed until you use

    # iptables -L -v

-F, --flush [chain]
    Flush the selected chain (all the chains in the table if none is given). This is equivalent to 
    deleting all the rules one by one. 
-Z, --zero [chain]
    Zero the packet and byte counters in all chains. It is legal to specify the -L, --list (list) option 
    as well, to see the counters immediately before they are cleared. (See above.) 
-N, --new-chain chain
    Create a new user-defined chain by the given name. There must be no target of that name already. 
-X, --delete-chain [chain]
    Delete the optional user-defined chain specified. There must be no references to the chain. If 
    there are, you must delete or replace the referring rules before the chain can be deleted. The 
    chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete 
    every non-builtin chain in the table. 
-P, --policy chain target
    Set the policy for the chain to the given target. See the section TARGETS for the legal targets. 
    Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined 
    chains can be policy targets. 
-E, --rename-chain old-chain new-chain
    Rename the user specified chain to the user supplied name. This is cosmetic, and has no effect 
    on the structure of the table. 
-h
    Help. Give a (currently very brief) description of the command syntax.

PARAMETERS

The following parameters make up a rule specification (as used in the add, delete, insert, replace and 
append commands).
-p, --protocol [!] protocol
    The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, 
    icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. 
    A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the 
    test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken 
    as default when this option is omitted. 
-s, --source [!] address[/mask]
    Source specification. Address can be either a network name, a hostname (please note that specifying 
    any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address 
    (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, 
    specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent 
    to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. 
    The flag --src is an alias for this option. 
-d, --destination [!] address[/mask]
    Destination specification. See the description of the -s (source) flag for a detailed description 
    of the syntax. The flag --dst is an alias for this option. 
-j, --jump target
    This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be 
    a user-defined chain (other than the one this rule is in), one of the special builtin targets which 
    decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is 
    omitted in a rule (and -g is not used), then matching the rule will have no effect on the packet's 
    fate, but the counters on the rule will be incremented. 
-g, --goto chain
    This specifies that the processing should continue in a user specified chain. Unlike the --jump 
    option return will not continue processing in this chain but instead in the chain that called us 
    via --jump. 
-i, --in-interface [!] name
    Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD 
    and PREROUTING chains). When the "!" argument is used before the interface name, the sense is 
    inverted. If the interface name ends in a "+", then any interface which begins with this name will 
    match. If this option is omitted, any interface name will match. 
-o, --out-interface [!] name
    Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, 
    OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense 
    is inverted. If the interface name ends in a "+", then any interface which begins with this name 
    will match. If this option is omitted, any interface name will match. 
[!] -f, --fragment
    This means that the rule only refers to second and further fragments of fragmented packets. Since 
    there is no way to tell the source or destination ports of such a packet (or ICMP type), such a 
    packet will not match any rules which specify them. When the "!" argument precedes the "-f" flag, the 
    rule will only match head fragments, or unfragmented packets. 
-c, --set-counters PKTS BYTES
    This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, 
    APPEND, REPLACE operations). 

OTHER OPTIONS

The following additional options can be specified:
-v, --verbose
    Verbose output. This option makes the list command show the interface name, the rule options (if any), 
    and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 
    1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending, 
    insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed. 
-n, --numeric
    Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program 
    will try to display them as host names, network names, or services (whenever applicable). 
-x, --exact
    Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded 
    number in K's (multiples of 1000) M's (multiples of 1000K) or G's (multiples of 1000M). This option is 
    only relevant for the -L command. 
--line-numbers
    When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position 
    in the chain. 
--modprobe=command
    When adding or inserting rules into a chain, use command to load any necessary modules (targets, match 
    extensions, etc).

Simple Firewall

Simple Rules

Allow connections that are already connected to your server.

$ sudo iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow connections to SSH

Ok, in this case we can make a few different choices, the choices can be applied to other ports or situations to make customizations.

In this command, we will allow connections for all tcp connections attempts at SSH connections.

$ sudo iptables -I INPUT 1 -p tcp  --dport 22 -j ACCEPT 

In this command, we will allow connections only coming from a certain IP subnet using CIDR notation. In this example we are going to lockdown to any IP address lying in the range of 192.168.1.0 - 192.168.1.255

$ sudo iptables -I INPUT 1 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT

Allowing connections to HTTP/HTTPS

The following iptables rules will allow connections from both port 80 (HTTP) and port 443 (HTTPS) from any connections.

$ sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT

Allowing connections to FTP

The following iptables rules will allow connections for FTP servers on port 21.

$ sudo iptables -I INPUT 1 -p tcp --dport 21 -j ACCEPT

List of common Ports

Using what you've learned from the above use the following list of common ports from the link to create rules for any running server you have.

Changing the Default Policy

The only real policy change that we are going to make is going to effect incoming traffic, as a general rule we are going to Drop all connections, and only allow those we have deemed legit.

$ sudo iptables -P INPUT DROP
  • This rule should be run only after you have setup your access rules to allow you to ssh in.

Save Save Save your Ruleset

If your server reboots for any reason or you restart IPTables you will loose your changes. The rules that you input by hand are stored in volatile memory. Make sure that you save IPtables rules for any change you want to make permanent you will need one of the following commands:

  • for CentOS and Fedora
# /etc/init.d/iptables save
  • for Ubuntu
# iptables-save > /etc/iptables.rules
  • for all other Distros
# iptables-save > /etc/sysconfig/iptables

The above commands will create a file /etc/sysconfig/iptables that will be a flat file with human readable syntax that can be edited by hand if necessary. All edits to this file will be live whenever iptables is restarted.

Summary

Hopefully from this article you can create a simple firewall to protect your server from basic attacks. Keep in mind that IPTables is a very powerful tool that would take a book to fully go through all of its abilities. My next networking article will go through a few simple networking tricks like port forwarding and NATing. If you need help creating more rules here is a link to an Easy Firewall Generator for IPTables.