Iptables is a very flexible firewall that is built in by default on most Linux distributions. This guide covers iptables basics: commands you can use in everyday scenarios. Specifically, we will be talking about using the INPUT chain to filter incoming connections.
Checking Current iptables Status
With the following command, you can list your firewall’s current policy. It is most likely set to the default ACCEPT policy.
sudo iptables -L -v
Example:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
The INPUT chain controls packets arriving at your server. The FORWARD chain filters packets that are routed through the server to another destination. The OUTPUT chain filters outgoing packets.
Defining Rules
Using the following command structure, we can add rules to a chain. Not every option needs to be specified when adding a new rule. -A stands for Append and adds the new rule at the end of the chain; -I can be used if you need to Insert it at a given position instead.
sudo iptables -A <chain> -i <interface> -p <protocol (tcp/udp)> -s <source> --dport <port> -j <target>
Enable localhost Traffic
Let’s start with enabling localhost traffic by using the following command.
sudo iptables -A INPUT -i lo -j ACCEPT
Here you can see we used the -i option to specify our loopback adapter used in localhost communication.
Enable Connection on HTTP, SSH, and SSL Port
We usually want our regular connections like HTTP (port 80), HTTPS (port 443) and SSH (default port 22) to remain usable, so we add them to our INPUT chain. Notice that we use -p to specify the protocol and --dport for the corresponding port. If you're using a non-default SSH port, change 22 to the one you are using.
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Filter Packets Based on Source
If you want to accept or reject packets based on the originating IP, you can specify it with the -s option. For example, the following command will drop packets from the IP 192.168.1.3.
sudo iptables -A INPUT -s 192.168.1.3 -j DROP
You can also specify a range using CIDR notation.
sudo iptables -A INPUT -s 192.168.1.1/24 -j DROP
Limit the Incoming TCP Connections/Mitigating DDoS
Lately, SYN flood attacks have become a common problem. They abuse the TCP handshake to burn a server's bandwidth and resources, and are a common way to DDoS it. We can mitigate that with the following rule, which drops new SYN packets once they arrive faster than the limit (the plain limit match can only match packets within the rate, so hashlimit is used here).
sudo iptables -A INPUT -p tcp --syn -m hashlimit --hashlimit-above 1/s --hashlimit-burst 3 --hashlimit-name synflood -j DROP
This lets new connections through until the limit is reached; SYN packets above the rate are dropped:
- --hashlimit-above 1/s: maximum average rate of SYN packets, in packets per second, before the rule starts matching
- --hashlimit-burst 3: maximum initial number of packets allowed before the limit applies
iptables evaluates rules in order, so place this rule before the ACCEPT rules for your services; otherwise those rules match first and the limit never applies to them.
We also want to drop invalid packets, non-initial fragments and impossible TCP flag combinations with these commands:
sudo iptables -A INPUT -m state --state INVALID -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
sudo iptables -A INPUT -f -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Dropping all Other Traffic
Finally, we can drop all other traffic we don’t need to prevent unauthorized access.
sudo iptables -A INPUT -j DROP
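The rules above only do what the text says when they are applied in the right order, and the post never accepts replies to connections the server itself opens (DNS lookups, package updates), which the final DROP would otherwise kill. The following POSIX shell function, added here and not part of the original post, emits the whole INPUT ruleset in iptables-restore format in a working order, and goes beyond the post's global SYN limit by limiting per source address. It assumes the state and hashlimit matches are available on the kernel and that the hashlimit table name synflood is unused.

```shell
#!/bin/sh
# Emits an iptables-restore ruleset from a list of allowed TCP ports, in the
# order the rules above need to be applied to behave as described.
# Nothing is applied here; typical use:  build_ruleset 22 80 443 | sudo iptables-restore
build_ruleset() {
  for port in "$@"; do
    case $port in
      ''|*[!0-9]*) echo "build_ruleset: bad port '$port'" >&2; return 1 ;;
    esac
  done
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
  # Replies to connections this host opened (DNS, apt, ...) must be accepted
  # before the final DROP, otherwise outbound traffic breaks.
  printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
  # Bogus flag combinations and non-initial fragments, as in the section above.
  printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
  printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
  printf '%s\n' '-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP'
  printf '%s\n' '-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP'
  printf '%s\n' '-A INPUT -f -j DROP'
  # The SYN limiter goes before any per-port ACCEPT, or those rules match first.
  # Per source (srcip) rather than global, so one flooder does not starve
  # everyone else; the post's 1/s with a burst of 3 is tight for a busy web server.
  printf '%s\n' '-A INPUT -p tcp --syn -m hashlimit --hashlimit-above 1/s --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name synflood -j DROP'
  for port in "$@"; do
    printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
  done
  # Explicit final DROP as above; the policy stays ACCEPT so a later -F
  # does not lock you out of the box.
  printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}
```

Review the output with `build_ruleset 22 80 443` before piping it into iptables-restore, ideally from a console session rather than over SSH.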
Deleting Rules
If you need to remove rules and start from scratch, you can use the flush command. It deletes every rule in every chain (the chain policies are left as they are).
sudo iptables -F
If you need to delete a specific rule, you first want to check which line it corresponds to.
sudo iptables -L --line-numbers
You will get a list of rules with their corresponding number.
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 192.168.0.4 anywhere
2 ACCEPT tcp -- anywhere anywhere tcp dpt:https
3 ACCEPT tcp -- anywhere anywhere tcp dpt:http
4 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
To delete the rule we specify the number in our command.
sudo iptables -D INPUT 2
Saving Changes
The iptables rules that we have created are held in the kernel only. That means that when we reboot, all changes will be gone. To keep them on Ubuntu/Debian machines, install the iptables-persistent package and write the current rules to the file it restores at boot (iptables-save alone only prints the rules to standard output).
sudo /sbin/iptables-save | sudo tee /etc/iptables/rules.v4
CentOS/RHEL command:
/sbin/service iptables save
iptables is a flexible tool so feel free to explore different commands to match your specific needs. If you have any questions about iptables basics, feel free to ask us in the comments below.
Good luck!