How to build a Linux Firewall with iptables

How to manage IPtables on ubuntu

By this point you should know what is iptables, but we’re going to explain it anyway.

Iptables is a flexible firewall utility that uses chains to block or allow traffic. Iptables are usually installed by default on any linux operating system. Just like any other firewall, iptables doesn’t block any traffic if you don’t specify the rules. Iptables is a front-end tool that talks to the kernel and decides which packages to filter.

By default Iptables has 3 Rules (but can add more)

• INPUT – This chain is used for incoming packets to your server. Use this to open or close incoming ports (such as 80,25, and 110 etc) and ip addresses / subnet (such as 50.32.1.0/24).
• OUTPUT – This chain is used when packets are generating from your server. Use this open or close outgoing ports and ip addresses / subnets.
• FORWARD – This chain is used when packets are being sent through another interface. Usually used when you setup Linux as router. For example, eth0 connected to ADSL/Cable modem and eth1 is connected to local LAN. Use FORWARD chain to send and receive traffic from LAN to the Internet.

For now we’re going to work only with INPUT and OUTPUT chains, since is more likely that you’re here to learn the basics.

The first command we’re going to learn is iptables -L. This command works to list all the rules in our chains.

root@clickit:/home/ubuntu# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

NOTE: the rules are being read from top to bottom, so if a rule matches at the top and the bottom too, the one it’ll take will be the nearest to the top.

As you can see in the INPUT chain, the default action is to ACCEPT all the traffic. Now for example, I want to accept connections that arrive to port 22 (which normally is SSH), so to open this port and close the others we can do this:

$ iptables -I INPUT -p tcp --dport 22 -j ACCEPT
$ iptables -A INPUT -j DROP

I’m going to explain what I did here:

The first command:

• iptables :call iptables binary
• -I :Add a rule at the top
• INPUT :Chain where the rule is going to be applied
• -p tcp :Protocol of the packet
• –dport 22 :Destination port, in this case is 22
• -j ACCEPT :Action to perform, it can be ACCEPT,DROP, or REJECT

The second command:

• iptables :call iptables binary
• -A :Append a rule at the bottom
• INPUT :Chain where the rule is going to be applied
• -j DROP :Action to perform

You may be wondering why I put the second rule. Well this is because we want to drop all packets that we didn’t define on top, so in this case we have

root@clickit:/home/ubuntu# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
root@clickit:/home/ubuntu# iptables -A INPUT -j DROP
root@clickit:/home/ubuntu# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now what most guides don’t tell you is that if you block all the other packets, you won’t be able to receive connections that you started, and to demonstrate this, try to ping google.com… You can’t!

To solve this we just have to add a simple rule

$ iptables -I INPUT 2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Now, don’t get scared by this rule, it’s easier than you think and here you’re going to see what it does so you can make combinations to your liking

• iptables :call iptables binary
• -I INPUT 2 :Add the rule at the below THE SECOND RULE
• -m conntrack :use a module called conntrack (connection tracking)
• –ctstate RELATED,ESTABLISHED :match a state of the connection, in this case is established connections of your server or related
• -j ACCEPT :Action to perform

Now, with this you will be able to send and receive packets that start from your server.

You can follow the same logic for other rules, here are some examples:

For web servers:

$ iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ iptables -A INPUT -p tcp --dport 443 -j ACCEPT

For FTP:

$ iptables -A INPUT -p tcp --dport 21 -j ACCEPT

For SMTP

$ iptables -A INPUT -p tcp --dport 25 -j ACCEPT

Now you may have a lot of rules, and may be wondering how to delete a rule that you don’t want to be in there anymore.

root@clickit:/home/ubuntu# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
DROP       all  --  anywhere             anywhere

For example I don’t want to accept traffic from http, which is port 80. so all I have to do is locate the row number of the rule, in this case is the second. So I will delete it like this:

root@vps-2786:/home/ubuntu# iptables -D INPUT 2
root@vps-2786:/home/ubuntu# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Now the rule number 2 has gone.

To Delete ALL the rules in ALL the chains, iptables gives us a magnific command (great for extreme situations), but you have to use it carefully.

$ iptables -F

By now you should be able to manage your iptables firewall and there are countless ways to use it, it just depends on what you need and what you want to achieve.

Here at ClickIT, we are experts providing Managed services with DevOps solutions such as Ansible, Chef and AWS Opswork. Our Agile Team also includes leading IT experts in application migration in the cloud, web security, web development, IT automation, clustering, scalability and near-shore support. Contact Us Now!”