If you own a Linux server, you know how important securing it is. A server is available to the whole world, when it's connected to the internet, and soon bad guys will try to break in. Without a firewall anybody can connect to your server and send messages to it. IPTables solves just that. It allows you to block traffic both incoming and outgoing.
IPTables Settings
In iptables we have so called chains. We have 3 main chains:
- Input
- Output
- Forward
Today we'll look at mostly INPUT because that's how bad guys can reach our server.
In forward
you can, well forward traffic from one port to another, or to another address.
In output
you can restrict the traffic that leaves your computer, but i don't want to do that.
In input
we can restrict the traffic reaching our machine.
Set the default option
Now that you know the chains, we can start setting default actions.
Basically there's two ways to restrict the INPUT chain
- Specify the connections to be blocked and accept everything else
- Specify the connections to be accepted and block everything else
I will choose the second option, because it offers more security, basically nothing reaches my machine without me knowing about it.
Important: Do this step only after you've added the rules you want. Dropping every incoming connection can result in losing access to your server.
So to set the default action to block connections execute:
iptables -P INPUT DROP
where
-P
defines that we want to set the default actionINPUT
is the chain to modifyDROP
is the default action.
Actions
Actions tell how a connection should be treated.
Note: Actions are case sensitive!
Here are some of the actions that we'll work with:
Action Keyword | Description |
---|---|
ACCEPT | Accept the current connection |
DROP | Drop the packet and tell the sender that we dropped it. |
REJECT | Reject the packet and don't respond to the sender |
LOG | Log a connection's information to syslog |
Adding rules
Now we know some of the basics, we can start adding rules. To add rules use the -A
flag with the rule to add.
The first rule i recommend is to leave the loopback interface alone, the loopback connections originate from your machine, so you don't have to filter them, but you have the option to do so.
Leave the Loopback interface alone: iptables -A -i lo -j ACCEPT
where
-i
specifies and interfacelo
is the loopback interface-j
specifies the action to execute.
Another common rule is to accept established state connections, this rule is really important, and most things won't work if you leave this one out. To explain this please imagine, that you
- Connect to a server (this is output traffic)
- The server accept's your connection, and sends you a message (this is INPUT traffic)
- IPTables sees that a server tries to send traffic to your machine to a random port, but there is no rule for that random port, so it DROPs the connection.
To avoid this execute: iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
where
-m
enables a modulestate
is the module to inspect the connection state withRELATED
andESTABLISHED
are the states we will accept as input.
We have one more common rule, it's blocking pings coming in too fast. This is used to prevent ping based DDoS attacks, and is recommended to add to you INPUT chain.
iptables -i eth0 -p icmp -m icmp -m limit --icmp-type 8 --limit 1/second -j ACCEPT
where
-i
is used to specify an interface for this ruleeth0
is in my case the network interface card, facing the internet-p
is used to specify a protocol for this rule (it can beicmp
,udp
ortcp
)icmp
module is used to filter icmp specific datalimit
module is used to limit the number of connections--icmp-type
is used to specify the icmp message type, 8 is ECHO aka Ping--limit
is limiting the number of connections to 1 connection per second
Examples
At this point you have the recommended default rules added to your INPUT chain, the rules from here are dependent on your machine. I will provide some examples to create your own rules for your own server. My interface facing the internet is eth0
Allow SSH Traffic
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
where
--dport
is the destination port (the port of your server the client connects to)
Allow Web Traffic
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
HTTP
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
HTTPS
Allow Incoming OpenVPN connections
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
Log a specified connection
iptables -A INPUT -i eth0 --dport 21 -j LOG --log-prefix "Got FTP Incoming" --log-level 6
where
--log-prefix
Specifies the prefix of the message added to syslog--log-level
Specifies the severity of the message
There's more
Remember the command to set the default action for a chain? We need to execute that now, because we have rules, for the filtering to take effect. Also IPTables doesn't need to be restarted every time you make a change unlike a web server for example.
Saving and Loading your rules
Important: Your rules only last until the next reboot, that's why we have to save them!
iptables-save > /root/iptables-rules
to export the current rules into a file
To load back the rules after a reboot you need to execute:
iptables-restore < /root/iptables-rules
Listing and removing rules
Listing
To list your rules type: iptables -L
, this will give you a user friendly representation of your current rules.
To get the commands of your rules use iptables -S
, this will give you the commands executed to add the rules
Removing
To remove a rule, first you need the command of the rule you added, you can get this with the previous -S
option.
After you got the command, for example -A INPUT -p tcp --dport 21 -j ACCEPT
you can delete it using:
iptables -D -p tcp --dport 21 -j ACCEPT
, in other words just change -A
to -D
to remove that rule
Summary
IPTables is a very powerful firewall for server machines, it can do a lot more like pre- and postrouting, but to keep it simple I just showcased the basic usage. If you didn't understand something or I missed something, or you just have a question, then feel free to comment on this post! Now go and secure that server!
I love Iptables . It's certainly very powerful. If you know a little bit about it, you can really secure yourself. Good work, my friend.
my contribution to iptables can be found here https://steemit.com/iptables/@djsmoke/besser-filtern-mit-ip-tables
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit