Please contact your support team if you have a question or need assistance for any Rackspace products, services, or articles.
I am going to use this article to explain how to use IPtables a simple firewall. The scope of this article will be to learn basic knowledge enough to open up holes in your firewall to necessary ports.
$ sudo iptables --list
Your output is going to look like the following if you haven't made any changes:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
In a default install you will see three predefined Chains that will take care of the three major activities: Incoming Traffic, Forwarded Traffic and Outgoing Traffic. The "policy" is probably the most important thing to take away from the above table. The policy is the default ruleset for that particular Chain, with a standard install all policies will be "Accept".
The available policies and other options are extensive, if you would like to know more about them check out the 'man page' for IPtables. In the scope of this article I will only cover the following three policies which are the most common:
IPtables MAN page: http://linux.die.net/man/8/iptables
The options that are recognized by iptables can be divided into several different groups.
These options specify the specific action to perform. Only one of them can be specified on the command line
unless otherwise specified below. For all the long versions of the command and option names, you need to
use only enough letters to ensure that iptables can differentiate it from all other options.
-A, --append chain rule-specification
Append one or more rules to the end of the selected chain. When the source and/or destination names
resolve to more than one address, a rule will be added for each possible address combination.
-D, --delete chain rule-specification
-D, --delete chain rulenum
Delete one or more rules from the selected chain. There are two versions of this command: the rule
can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.
-I, --insert chain [rulenum] rule-specification
Insert one or more rules in the selected chain as the given rule number. So, if the rule number
is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule
number is specified.
-R, --replace chain rulenum rule-specification
Replace a rule in the selected chain. If the source and/or destination names resolve to multiple
addresses, the command will fail. Rules are numbered starting at 1.
-L, --list [chain]
List all rules in the selected chain. If no chain is selected, all chains are listed. As every
other iptables command, it applies to the specified table (filter is the default), so NAT rules
get listed by
# iptables -t nat -n -L
Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups.
It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically
listed and zeroed. The exact output is affected by the other arguments given. The exact rules are
suppressed until you use
# iptables -L -v
-F, --flush [chain]
Flush the selected chain (all the chains in the table if none is given). This is equivalent to
deleting all the rules one by one.
-Z, --zero [chain]
Zero the packet and byte counters in all chains. It is legal to specify the -L, --list (list) option
as well, to see the counters immediately before they are cleared. (See above.)
-N, --new-chain chain
Create a new user-defined chain by the given name. There must be no target of that name already.
-X, --delete-chain [chain]
Delete the optional user-defined chain specified. There must be no references to the chain. If
there are, you must delete or replace the referring rules before the chain can be deleted. The
chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete
every non-builtin chain in the table.
-P, --policy chain target
Set the policy for the chain to the given target. See the section TARGETS for the legal targets.
Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined
chains can be policy targets.
-E, --rename-chain old-chain new-chain
Rename the user specified chain to the user supplied name. This is cosmetic, and has no effect
on the structure of the table.
Help. Give a (currently very brief) description of the command syntax.
The following parameters make up a rule specification (as used in the add, delete, insert, replace and
-p, --protocol [!] protocol
The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp,
icmp, or all, or it can be a numeric value, representing one of these protocols or a different one.
A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the
test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken
as default when this option is omitted.
-s, --source [!] address[/mask]
Source specification. Address can be either a network name, a hostname (please note that specifying
any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address
(with /mask), or a plain IP address. The mask can be either a network mask or a plain number,
specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent
to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address.
The flag --src is an alias for this option.
-d, --destination [!] address[/mask]
Destination specification. See the description of the -s (source) flag for a detailed description
of the syntax. The flag --dst is an alias for this option.
-j, --jump target
This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be
a user-defined chain (other than the one this rule is in), one of the special builtin targets which
decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is
omitted in a rule (and -g is not used), then matching the rule will have no effect on the packet's
fate, but the counters on the rule will be incremented.
-g, --goto chain
This specifies that the processing should continue in a user specified chain. Unlike the --jump
option return will not continue processing in this chain but instead in the chain that called us
-i, --in-interface [!] name
Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD
and PREROUTING chains). When the "!" argument is used before the interface name, the sense is
inverted. If the interface name ends in a "+", then any interface which begins with this name will
match. If this option is omitted, any interface name will match.
-o, --out-interface [!] name
Name of an interface via which a packet is going to be sent (for packets entering the FORWARD,
OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense
is inverted. If the interface name ends in a "+", then any interface which begins with this name
will match. If this option is omitted, any interface name will match.
[!] -f, --fragment
This means that the rule only refers to second and further fragments of fragmented packets. Since
there is no way to tell the source or destination ports of such a packet (or ICMP type), such a
packet will not match any rules which specify them. When the "!" argument precedes the "-f" flag, the
rule will only match head fragments, or unfragmented packets.
-c, --set-counters PKTS BYTES
This enables the administrator to initialize the packet and byte counters of a rule (during INSERT,
APPEND, REPLACE operations).
The following additional options can be specified:
Verbose output. This option makes the list command show the interface name, the rule options (if any),
and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000,
1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending,
insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed.
Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program
will try to display them as host names, network names, or services (whenever applicable).
Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded
number in K's (multiples of 1000) M's (multiples of 1000K) or G's (multiples of 1000M). This option is
only relevant for the -L command.
When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position
in the chain.
When adding or inserting rules into a chain, use command to load any necessary modules (targets, match
$ sudo iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Ok, in this case we can make a few different choices, the choices can be applied to other ports or situations to make customizations.
In this command, we will allow connections for all tcp connections attempts at SSH connections.
$ sudo iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
In this command, we will allow connections only coming from a certain IP subnet using CIDR notation. In this example we are going to lockdown to any IP address lying in the range of 192.168.1.0 - 192.168.1.255
$ sudo iptables -I INPUT 1 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
The following iptables rules will allow connections from both port 80 (HTTP) and port 443 (HTTPS) from any connections.
$ sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
The following iptables rules will allow connections for FTP servers on port 21.
$ sudo iptables -I INPUT 1 -p tcp --dport 21 -j ACCEPT
Using what you've learned from the above use the following list of common ports from the link to create rules for any running server you have.
The only real policy change that we are going to make is going to effect incoming traffic, as a general rule we are going to Drop all connections, and only allow those we have deemed legit.
$ sudo iptables -P INPUT DROP
If your server reboots for any reason or you restart IPTables you will loose your changes. The rules that you input by hand are stored in volatile memory. Make sure that you save IPtables rules for any change you want to make permanent you will need one of the following commands:
# /etc/init.d/iptables save
# iptables-save > /etc/iptables.rules
# iptables-save > /etc/sysconfig/iptables
The above commands will create a file /etc/sysconfig/iptables that will be a flat file with human readable syntax that can be edited by hand if necessary. All edits to this file will be live whenever iptables is restarted.
Hopefully from this article you can create a simple firewall to protect your server from basic attacks. Keep in mind that IPTables is a very powerful tool that would take a book to fully go through all of its abilities. My next networking article will go through a few simple networking tricks like port forwarding and NATing. If you need help creating more rules here is a link to an Easy Firewall Generator for IPTables.