Overview
This guide explains iptables and helps you set it up. After following this tutorial you should be able to perform a basic iptables setup and use this Linux firewall tool to improve the security of your server.
This article covers the following subjects:
- Basic explanation
- Basic commands
- How to secure your own connection to the server
- How to allow/open a specific port on the server
Basic explanation of iptables
Iptables is a rule-based firewall tool for Linux that is installed on most Linux systems by default. By default iptables runs without any rules, so all traffic is allowed. Iptables is generally split up into three sections: the INPUT chain, the FORWARD chain and the OUTPUT chain. Rules are applied to these chains, and the chain names must be written in capital letters when used in a command. Each chain has a default policy, which is either ACCEPT or DROP.
- INPUT – All packets destined for the host computer.
- OUTPUT – All packets originating from the host computer.
- FORWARD – All packets that are passing through. This chain is used when the server is used as a router.
There are two ways to set up a firewall chain. The default policy of INPUT can be left at ACCEPT, in which case you add rules to the INPUT chain that block certain packets. The other option is to set the default policy of INPUT to DROP, so that all packets for the INPUT chain are dropped unless a rule allows them; you then add rules to allow the packets you need.
When creating iptables rules, two options are most commonly used to add a rule: -A and -I. The -A option stands for Append and adds the rule to the bottom of the rule list. The -I option stands for Insert and adds the rule at position one by default; with Insert you can also give a rule number at which the rule should be placed. The position matters because iptables evaluates the rules of a chain from top to bottom and the first matching rule decides what happens to the packet.
Basic commands
The following command can be used to show a list of all rules. The -L option is used to list the rules.
sudo iptables -L
Below you will find an example of the output:
root@worldstream:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
It is also possible to show the list of current rules with line numbers. The below command can be used for this:
sudo iptables -L --line-numbers
The command below deletes a specific rule from a chain using its line number. The -D option stands for delete, and the number at the end is the rule number you wish to remove:
sudo iptables -D INPUT 2
The following command will change the FORWARD policy to DROP. In this command the -P option is used to change the policy:
sudo iptables -P FORWARD DROP
If you wish to remove all rules currently active in iptables, use the following command. The -F option means "flush all rules". Note that flushing does not reset the default policies: if the INPUT policy is DROP, flushing the rules removes your ACCEPT rules and leaves all incoming traffic blocked, including your own SSH session.
sudo iptables -F
How to secure your own connection to the server
If you want to make sure that you are always able to reach your server, you will have to insert a rule in iptables that allows your connection. The only thing you need for this is your own public IP address, the address you use at home or at work. The command below makes sure that connections from your IP are allowed:
sudo iptables -I INPUT -p tcp -s [Your public IP address] --dport 22 -j ACCEPT
The above command uses SSH port 22. Note that if SSH listens on a different port, the command needs to be adjusted accordingly.
How to allow/open a specific port on the server
With the following commands you are able to allow certain services. Below http (port 80), https (port 443) and SSH (port 22) will be allowed:
sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
Save and restore iptables rules
The following section covers how to save and restore your iptables rules. Rules added to iptables are kept in memory only and are lost on reboot. How you save your iptables rules depends on the distribution you are using.
CentOS/ RHEL 6.x
The following command saves the current iptables rules to /etc/sysconfig/iptables. When the server is rebooted, the saved rules are applied automatically:
service iptables save
The command below restores the rules manually. This can be useful while you are setting up iptables:
sudo iptables-restore < /etc/sysconfig/iptables
Ubuntu 14.x/ 16.x
In order to save your rules of iptables in Ubuntu 14.x and 16.x the following command can be used:
sudo iptables-save > /etc/iptables/rules.v4
After a reboot you are then able to use the following command to restore your iptables rules:
sudo iptables-restore < /etc/iptables/rules.v4
You can also automate the restore process at reboot by installing an additional package for iptables. This package will make sure that all saved rules are automatically loaded on boot. The following command can be used to install this package/service:
sudo apt-get install iptables-persistent
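To tie the sections above together, here is an added example (not part of the original article) that generates a complete default-DROP ruleset in the iptables-save format used by the save and restore commands, and checks it for the two rules you cannot do without before loading it. Loading such a file with iptables-restore applies the whole set at once, so there is no moment between setting the DROP policy and adding the SSH rule in which you could lock yourself out. The admin IP 203.0.113.10 is an assumed placeholder; replace it with your own public IP.

```shell
#!/bin/sh
# Added example: build and check an iptables-restore ruleset.
ADMIN_IP="203.0.113.10"   # assumed placeholder (documentation range), use your own public IP
SSH_PORT="22"             # adjust if SSH listens elsewhere

# Print a ruleset to stdout. Redirect it to /etc/iptables/rules.v4 (Ubuntu)
# or /etc/sysconfig/iptables (CentOS/RHEL 6) to have it applied on boot.
# Lines starting with '#' are ignored by iptables-restore.
build_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic and replies to connections the server itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH only from the admin address (the rule from "secure your own connection")
-A INPUT -p tcp -s ${ADMIN_IP} --dport ${SSH_PORT} -j ACCEPT
# public services from "allow/open a specific port"
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Return 0 if the ruleset is safe to load, 1 otherwise. A ruleset that sets
# INPUT to DROP must also carry an SSH ACCEPT and a loopback ACCEPT rule,
# otherwise loading it cuts off your own session and local services.
check_ruleset() {
    ruleset="$1"
    if printf '%s\n' "$ruleset" | grep -q '^:INPUT DROP'; then
        printf '%s\n' "$ruleset" | grep -q -- "--dport ${SSH_PORT} -j ACCEPT" || return 1
        printf '%s\n' "$ruleset" | grep -q -- '-i lo -j ACCEPT' || return 1
    fi
    return 0
}

# Typical use (requires root):
#   build_ruleset > /tmp/rules.v4
#   check_ruleset "$(cat /tmp/rules.v4)" && sudo iptables-restore < /tmp/rules.v4
```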
On Ubuntu 18.x a different tool, ufw, is used as the default firewall.