This article shows how to set up a basic firewall with iptables. With iptables you can allow or deny access to specific services on the server, and allow or block traffic from specific IP addresses.

About iptables

The iptables command displays and modifies the packet-filtering rules built into the Linux kernel (netfilter). With it you can allow or block access to particular network services (such as SSH or HTTP) and allow or block connections from particular IP addresses.

Rules are grouped into chains, and a packet is checked against the rules of a chain in order: the first rule that matches decides what happens to it. The default filter table has three built-in chains: INPUT (packets addressed to the server), FORWARD (packets routed through the server), and OUTPUT (packets the server sends). Each chain also has a default policy, which applies when no rule matches. In this article we work only with the INPUT chain, to selectively accept and drop packets arriving at the server.

Most popular Linux distributions, including Debian, Ubuntu, CentOS, and Fedora, ship the iptables program by default. On current releases the iptables command is often a compatibility front end that stores its rules in nftables; iptables -V reports which variant you have ("nf_tables" or "legacy"). The commands in this article work the same way with either.

Adding rules

On a new server no rules are defined and every chain has the policy ACCEPT, so all traffic is allowed. You can verify this yourself by typing the following command (add -n to skip DNS lookups, and -v --line-numbers to see packet counters and rule numbers):

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

As you can see, all three chains are empty and their policy is ACCEPT. So let's add some basic rules. At the command prompt (as root), type the following commands in this order:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7822 -j ACCEPT
iptables -A INPUT -j DROP

In all of these commands, the -A option tells iptables to append the rule to the end of the specified chain (in this case, the INPUT chain). Because the first matching rule wins, the order of the rules is significant. Let's step through each command:

  • The first command accepts all packets arriving on the loopback interface (lo). Many programs talk to local services over 127.0.0.1, so it is important to accept packets on it.
  • The second command uses the -m option to load the state match. Connection tracking classifies each packet as NEW, ESTABLISHED, RELATED, or INVALID; this rule accepts packets that belong to a connection that is already open (ESTABLISHED) or is associated with one (RELATED, for example the data channel of an FTP session). Replies to connections the server itself opens are accepted by this rule, so no separate rule is needed for them. On current kernels -m conntrack --ctstate is the preferred equivalent, but -m state is still accepted.
  • The third command accepts new TCP connections to port 7822, the SSH port used in this article (the standard SSH port is 22; use whichever port your sshd listens on). If you get this port wrong, the session you are logged in on keeps working because of the second rule, but you will not be able to open a new one.
  • The last command drops every packet not matched by the preceding rules. DROP discards the packet silently, so the client sees a timeout; the REJECT target would instead answer with an ICMP error or TCP reset. Because the chain's policy is still ACCEPT, this rule is what actually closes the server, and any rule appended after it is never reached.

Now if you type the iptables -L command, you should see the following output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:7822
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

To test the configuration, try connecting to the server using SSH from a new session. It should allow you to connect. Connections on any other port (such as an HTTP connection on port 80) are dropped: the connection attempt times out rather than being refused.
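The following script, added here as an example and not part of the original article, applies the same baseline INPUT rules but with a safety net: it snapshots the current ruleset, applies the new rules, and restores the snapshot automatically unless you confirm from a fresh SSH session within a timeout. It assumes an empty INPUT chain as in the article, that sshd listens on 7822 (override with SSH_PORT), and uses the conntrack match instead of -m state; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): apply the baseline INPUT
# rules with an automatic rollback, so a mistake (wrong SSH port, typo in the
# DROP rule) cannot lock you out of the server.
set -eu

SSH_PORT="${SSH_PORT:-7822}"          # assumption: sshd listens on 7822
GUARD_SECONDS="${GUARD_SECONDS:-90}"  # how long you have to confirm

# Print the baseline rules, one iptables command per line.  Order matters:
# loopback and tracked traffic first, then the service ports, DROP last.
# Extra arguments are additional TCP ports to allow (for example 80 443).
baseline_rules() {
    ssh_port="$1"; shift
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -p tcp -m tcp --dport $ssh_port -j ACCEPT"
    for p in "$@"; do
        echo "iptables -A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    echo "iptables -A INPUT -j DROP"
}

# Snapshot the live ruleset, apply the new one, and arm a timer that restores
# the snapshot.  The timer is cancelled only when the admin types "keep"; if
# the rules cut the admin off, the timer puts the old rules back.
apply_with_guard() {
    snapshot="$(mktemp)"
    iptables-save > "$snapshot"
    baseline_rules "$SSH_PORT" "$@" | sh -e
    ( sleep "$GUARD_SECONDS" && iptables-restore < "$snapshot" \
        && echo "Rollback: rules restored from $snapshot" >&2 ) &
    guard_pid=$!
    echo "Rules applied. Open a NEW SSH session on port $SSH_PORT now."
    printf 'Type "keep" within %ss to cancel the rollback: ' "$GUARD_SECONDS"
    read -r answer || answer=""
    if [ "$answer" = "keep" ]; then
        kill "$guard_pid" 2>/dev/null || true
        rm -f "$snapshot"
        iptables -L INPUT -n -v --line-numbers
    else
        echo "Not confirmed; rollback stays armed for $GUARD_SECONDS seconds." >&2
    fi
}

# Usage: sudo ./baseline.sh apply [extra TCP ports...]
# Without "apply" the file only defines the functions.
case "${1:-}" in
    apply) shift; apply_with_guard "$@" ;;
esac
```

Run it as root with the apply argument and confirm from a second terminal; if that second login fails, do nothing and the old rules return by themselves.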

Inserting rules

The rule set we defined above is deliberately minimal. If SSH is the only incoming connection you want to permit, you are done. As you set up your server, though, you will probably need to open access to other services.

If we simply add a rule with the -A option, as above, it is appended after the DROP rule. Because iptables processes rules in order and stops at the first match, a packet is dropped before the new rule is ever evaluated. We therefore need a way to place new rules earlier in the chain.

The -I option inserts a new rule at a given position in the chain (position 1 is the top; without a number, -I inserts at the top). Let's insert a rule that allows incoming TCP connections on port 80 (HTTP). We want the rule to come just before the DROP rule, which is currently rule 4 in the chain (confirm the number with iptables -L INPUT --line-numbers before inserting):

iptables -I INPUT 4 -p tcp -m tcp --dport 80 -j ACCEPT

This inserts our HTTP rule as rule 4 and pushes the DROP rule down to rule 5. Now if you type the iptables -L command, you should see the following output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:7822
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Blocking an IP address

The rules above define access by service (SSH, HTTP, etc.). However, you can also set rules that permit or block specific IP addresses.

For example, suppose you find in your server log files that there are repeated SSH login attempts from a particular IP address. To block all subsequent SSH connections from that address, type the following command. Replace rulenum with the position in the chain and xxx.xxx.xxx.xxx with the IP address to block. The position matters: the DROP rule must come before the rule that accepts port 7822 (rule 3 in our chain), so use 3 or lower; inserted after it, the rule is never reached because SSH packets have already been accepted. Inserting at 3 (just after the RELATED,ESTABLISHED rule) blocks new connections from that address while leaving sessions that are already open untouched; inserting at 1 also cuts those sessions:

iptables -I INPUT rulenum -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 7822 -j DROP

To block all traffic from an IP address regardless of the service requested, type the following command. The same rule about position applies: it must precede every ACCEPT rule for the services you want closed to that address:

iptables -I INPUT rulenum -s xxx.xxx.xxx.xxx -j DROP
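Hard-coded rule numbers go stale as the chain changes, so both the port-opening insert above and the IP-blocking inserts here are better driven by the current listing. The script below is an added example, not part of the original article: it reads the rule positions from iptables -S INPUT, places a new service ACCEPT directly before the catch-all DROP, places a block rule directly after the RELATED,ESTABLISHED rule, and validates the address before calling iptables. The function names, the INPUT_LISTING override and the SAMPLE_LISTING (a constructed copy of the chain built earlier in the article) are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): insert allow and block rules
# at the right position in INPUT without hard-coding rule numbers.
# "iptables -S INPUT" prints the policy (-P ...) first, then one "-A" line per
# rule in chain order, so the n-th "-A" line is rule number n.
set -eu

# Constructed sample of "iptables -S INPUT" matching the article's chain after
# the HTTP rule was inserted.  Used by "demo" and by the tests.
SAMPLE_LISTING='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7822 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP'

# Print the number of the first rule whose text contains the pattern,
# reading an "iptables -S INPUT" listing from stdin.  Prints 0 if absent.
rule_number() {
    awk -v pat="$1" '
        /^-A / { n++; if (index($0, pat) > 0) { print n; found = 1; exit } }
        END { if (!found) print 0 }'
}

# Current listing; set INPUT_LISTING to use a captured copy instead of iptables.
listing() {
    if [ -n "${INPUT_LISTING:-}" ]; then printf '%s\n' "$INPUT_LISTING"
    else iptables -S INPUT; fi
}

# Position for a new service ACCEPT: the catch-all DROP rule's own number,
# so the insert lands directly before it and pushes it down by one.
allow_position() {
    n="$(listing | rule_number '-A INPUT -j DROP')"
    [ "$n" -gt 0 ] || { echo "no catch-all DROP rule in INPUT" >&2; return 1; }
    echo "$n"
}

# Position for a block rule: directly after the RELATED,ESTABLISHED accept,
# so new connections from the address die before any service rule while
# sessions already open elsewhere keep working.  Falls back to 1.
block_position() {
    n="$(listing | rule_number 'RELATED,ESTABLISHED')"
    echo $((n + 1))
}

# Accept a.b.c.d or a.b.c.d/nn with every octet <= 255 and prefix <= 32.
valid_ipv4() {
    printf '%s' "$1" | awk -F/ '
        { ok = 1
          if (NF > 2) ok = 0
          else if (NF == 2 && ($2 !~ /^[0-9]+$/ || $2 > 32)) ok = 0
          n = split($1, o, ".")
          if (n != 4) ok = 0
          for (i = 1; i <= 4 && ok; i++)
              if (o[i] !~ /^[0-9]+$/ || o[i] > 255) ok = 0 }
        END { exit ok ? 0 : 1 }'
}

allow_port() {   # allow_port 443
    iptables -I INPUT "$(allow_position)" -p tcp -m tcp --dport "$1" -j ACCEPT
}

block_ip() {     # block_ip 203.0.113.7 [port]
    valid_ipv4 "$1" || { echo "bad IPv4 address: $1" >&2; return 1; }
    pos="$(block_position)"
    if [ -n "${2:-}" ]; then
        iptables -I INPUT "$pos" -s "$1" -p tcp -m tcp --dport "$2" -j DROP
    else
        iptables -I INPUT "$pos" -s "$1" -j DROP
    fi
}

# Usage: ./rules.sh demo | allow PORT | block ADDRESS [PORT]
case "${1:-}" in
    demo)  INPUT_LISTING="$SAMPLE_LISTING"
           echo "new ACCEPT goes at rule $(allow_position); block goes at rule $(block_position)" ;;
    allow) shift; allow_port "$1" ;;
    block) shift; block_ip "$@" ;;
esac
```

The demo argument needs no root and shows the computed positions for the sample chain (5 and 3); allow and block run iptables and must be executed as root.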

Deleting rules

To delete a rule, use the -D option. You need to know the number of the rule you want to delete (just as you must know the number when you insert a rule), so list the chain with --line-numbers first. Rule numbers shift when you delete: after rule 5 is removed, the former rule 6 becomes rule 5, so re-check the numbers before deleting another. (You can also pass -D the full rule specification you used when adding it, instead of a number.) The following command deletes the fifth rule from the INPUT chain:

iptables -D INPUT 5

If you want to delete all of the rules at once, type the following command. It flushes the rules but leaves the chain policies as they are, so with the policy ACCEPT used in this article the server is fully open again afterwards; if you ever set the INPUT policy to DROP, flushing locks everything out, including you:

iptables -F

Saving rules

The rules you define live only in kernel memory, so if you reboot the server now they are gone. To keep rules across restarts, you must save them. The steps depend on the Linux distribution you are running.

Debian and Ubuntu

To save the iptables rules on a server running Debian or Ubuntu, follow these steps:

  1. At the command prompt, type the following command:
    apt-get install iptables-persistent
  2. During package installation, at the Save current IPv4 rules? prompt, press Enter to accept Yes. The current rules are written to /etc/iptables/rules.v4 and loaded again at boot.
  3. At the Save current IPv6 rules? prompt, press Tab to select No, and then press Enter. Be aware that the rules in this article apply to IPv4 only. If the server has an IPv6 address, ip6tables still has no rules and accepts everything, so the same services remain reachable over IPv6 regardless of the IPv4 rules. Create matching ip6tables rules (allowing ICMPv6, which IPv6 needs in order to function) and save them to /etc/iptables/rules.v6 as well. Whenever you change rules later, save them again with the netfilter-persistent service the package installs; otherwise the next reboot restores the old copy.

CentOS and Fedora

To save the iptables rules on a server running CentOS 6, type the following command. CentOS 7 and later and current Fedora releases ship firewalld, which manages the rules itself and will overwrite rules you add by hand; to use plain iptables on those systems, install the iptables-services package, stop and disable firewalld, enable the iptables service, and then run the same save command, which writes the rules to /etc/sysconfig/iptables (ip6tables rules go to /etc/sysconfig/ip6tables via the ip6tables service):

/sbin/service iptables save