April 21, 2015

Firewalls: Basics of Iptables

^ Ad space to help offset hosting costs :D

Get started learning about Iptables chains, how to add/update/delete firewall rules, and start with a good basic set of rules for any server.# Firewalls

IPtables is a default firewall you'll find in most places. Here we'll discuss how to view, add and delete rules.

The situation

sudo iptables -L -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination   

Default policy ACCEPT, no rules in each of the three chains.

Mostly we take action on INPUT chains, which monitors incoming packets of data.

Basics

We'll setup a set of rules that will become the basic rules you can use on any server to start.

First: Loopback/localhost data:

Allow data between items on the localhost network (loopback interface).

sudo iptables -A INPUT -i lo -j ACCEPT

  • Append to INPUT chain
  • interface loopback
  • jump to ACCEPT target [packets get SENT somewhere]

Second, advanced but necessary:

sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Allow/keep current related/established rules, such as our SSH connection.

  • Append to INPUT chain
  • Use module conntrack
  • Check for state related, established
  • jumpt to accept

What's this affecting?

netstat -a:

Find items on the top:

Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp        0    324 172.30.0.86:ssh         cpe-173-174-200-3:61248 ESTABLISHED
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
udp        0      0 *:bootpc                *:*                                
udp        0      0 *:40118                 *:*                                
udp6       0      0 [::]:46591              [::]:*

The Usual Suspects: SSH & Web Traffic

Allow future SSH connections & HTTP (port 80) traffic:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  • Append to INPUT chain
  • Protocol TCP
  • Destination port 22 and 80
  • Jump to ACCEPT

Drop everything else

sudo iptables -A INPUT -j DROP
  • Append to INPUT chain
  • Drop all the things

See DROPing vs REJECTing traffic. Now investigate:

sudo iptables -L -v

HTTPS (Insert over Append)

We need to insert a rule instead of append one to allow other connections, such as https traffic:

sudo iptables -I INPUT 5 -p tcp --dport 443 -j ACCEPT
  • Insert to INPUT chain, 5th position
  • Protocol TCP
  • Destination port 443
  • Jump to ACCEPT

Delete

These are equivalent in our example:

# Delete rule in third position in list, starting with 1 (not zero)
sudo iptables -D INPUT 3

# Or delete the rule by matching the parameters
sudo iptables -D INPUT -p tcp --dport 22 -j ACCEPT

Find Rules by Command

We can delete rules by find the command originally used to create them.

To show all the current rules as valid Iptables command, run: sudo iptables -S

Copy one of them, perhaps this one: -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

And then tweak it to delete -D rather than append or insert. We'll end up with a command like, which will delete this rule allowing port 22 traffic:

sudo iptables -D INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Current

Firewalls: Basics of Iptables

All Topics