Scenario / Questions
I have to setup a firewall on a Linux server (all my previous experience is with Windows). My rules are meant to be pretty simple – forbid all, allow some ports with all, allow some ports for specific IP subnets, while the network is small but complex (each host has IPs in at least 2 192.168… nets, everyone can interconnect many different ways). I think using iptables wrappers can overcomplicate the system logically introducing many unnecessary entities and it would be better to keep it simple and use iptables directly.
Can you recommend a good quick intro on how to write iptables rules?
Find below all possible solutions or suggestions for the above questions..
Links to official and recommended documentation exist on the Netfilter Web site.
This is not a new subject, resources are limitless.
Most basic commands are fairly intuitive and can easily be reference to the manpage.
netfilter, which is the kernel level technology that enables the packet filtering, is quite advanced. There are additional tables that can mangle packets, translate packets, and otherwise affect routing. The
iptables utility is the userland tool for interacting with netfilter. If you wish to learn about advanced functionality, I suggest you reference the aforementioned documentation. For an introduction to the basic functionality, please read further.
To list all existing rules:
iptables -L -n
-n prevents iptables from resolving ips, which produces faster output.
The default table is the
filter table, which is what is used to apply basic firewall rules to the three chains. The three default chains in the
filter table are
The chains are largely self explanatory. The INPUT chain affects packets coming in, the OUTPUT chain affects locally generated packets, and finally FORWARD for any packets that route through the system.
Among the targets you can specify, you can
DROP packets, meaning simply ignore and not respond. You can
REJECT packets, where an icmp response would be sent to the source of the denial. Finally, you can
ACCEPT them, which allows the packets to continue routing.
Often with an external facing firewall the default choice will be
DROP as opposed to
REJECT, as it reduces the visible footprint of your network on the Internet. For example, an IP that otherwise limits services to a specific host would have less visibility with
-A means append to the end of the chain. If you wish to insert to the top, you can use
-I. All rules are processed from the top down.
-D for deletion.
DROP an incoming packet coming from the
iptables -A INPUT -s 192.168.235.235 -j DROP
This jumps to the
DROP target for all protocols coming from that IP.
iptables -A INPUT -s 192.168.235.235 -j ACCEPT
To prevent access to that IP from your local server or network:
iptables -A OUTPUT -d 192.168.235.235 -j DROP
You can specify the
-p protocol, the
-s source of the packet, the
-d destination for the packet, the destination port
--dport, the source port
--sport, and many other flags that will affect how the packets are treated by the rule.
If your default
INPUT policy were
DROP and you wanted to allow everyone at the
192.168.123.0/24 subnet to access SSH on your server, here is an example:
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 22 -j ACCEPT
That’s right, you can use CIDR notation too!
Generally speaking, the best default policy is
DROP for all chains. Every chain has a default policy, which is specified by the
-P flag. Even if you have your policy set to default
DROP, it is still advised to have the final entry in a chain to be a
DROP as well.
For example, to change the policy to
DROP for the INPUT, FORWARD, and OUTPUT chains:
iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP
Be careful, if you specify the default policy of DROP for INPUT on a remote system without first allowing yourself SSH access, you could prevent yourself from accessing the system. If on a remote system, you could specify a temporary crontab to flush all rules every 5 minutes as a failsafe.
To delete all rules and allow all traffic:
iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -X iptables -F
-X removes all created chains.
-F flushes all rules.
There are native tools to save and restore the rules. Particularly,
iptables-restore. Most modern Linux distributions have
restore functions within an iptables init file provided with the system.
There are other firewall best practices, such as dropping malformed packets and other type of undesirable traffic. This is one advantage of using a front end utility such as Shorewall, as it will implement many of these polices by default. Nevertheless, I agree with your approach and prefer to maintain my own rules directly as well, and these same best practices can be implemented without a front end.
I found https://help.ubuntu.com/community/IptablesHowTo helpful recently. I don’t think anything in there is especially Ubuntu-specific.
Disclaimer: This has been sourced from a third party syndicated feed through internet. We are not responsibility or liability for its dependability, trustworthiness, reliability and data of the text. We reserves the sole right to alter, delete or remove (without notice) the content in its absolute discretion for any reason whatsoever.