How to manage iptables on Ubuntu
By this point you should know what iptables is, but we’re going to explain it anyway.
iptables is a flexible firewall utility that uses chains of rules to block or allow traffic. It is usually installed by default on any Linux distribution. Just like any other firewall, iptables doesn’t block any traffic until you specify rules. iptables is a front-end tool that talks to the packet filter in the kernel, which is what actually decides which packets to accept or drop.
By default iptables has three chains (INPUT, FORWARD and OUTPUT), but you can add more.
For now we’re going to work only with the INPUT and OUTPUT chains, since it’s more likely that you’re here to learn the basics.
The first command we’re going to learn is iptables -L. This command lists all the rules in our chains.
root@clickit:/home/ubuntu# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
NOTE: the rules are read from top to bottom, so if a packet matches a rule at the top and another at the bottom, the one nearest the top is the one that applies.
As you can see in the INPUT chain, the default action (the policy) is to ACCEPT all traffic. Now, for example, I want to accept connections that arrive on port 22 (which normally is SSH), so to open this port and close the others we can do this:
$ iptables -I INPUT -p tcp --dport 22 -j ACCEPT
$ iptables -A INPUT -j DROP
I’m going to explain what I did here:
The first command: -I INPUT inserts the rule at the top of the INPUT chain, -p tcp --dport 22 matches TCP packets destined for port 22, and -j ACCEPT accepts them.
The second command: -A INPUT appends the rule at the bottom of the INPUT chain, and with no match options it applies to every packet; -j DROP silently discards them.
You may be wondering why I put the second rule. This is because we want to drop all packets that weren’t matched by the rules above it, so in this case we have:
root@clickit:/home/ubuntu# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
root@clickit:/home/ubuntu# iptables -A INPUT -j DROP
root@clickit:/home/ubuntu# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Now, what most guides don’t tell you is that if you drop all the other packets, you won’t be able to receive the replies to connections that you started yourself. To demonstrate this, try to ping google.com… You can’t!
To solve this we just have to add one simple rule:
$ iptables -I INPUT 2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Now, don’t get scared by this rule, it’s easier than you think. Here is what it does, so you can make combinations to your liking: -I INPUT 2 inserts it as rule number 2 in the INPUT chain (after the SSH rule and before the DROP), -m conntrack loads the connection-tracking match, --ctstate RELATED,ESTABLISHED matches packets that belong to a connection the server already knows about (or one related to it), and -j ACCEPT accepts them.
Now, with this you will be able to send and receive packets for connections that start from your server.
You can follow the same logic for other rules, here are some examples:
For web servers:
$ iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ iptables -A INPUT -p tcp --dport 443 -j ACCEPT
For FTP:
$ iptables -A INPUT -p tcp --dport 21 -j ACCEPT
For SMTP:
$ iptables -A INPUT -p tcp --dport 25 -j ACCEPT
Now you may have a lot of rules, and may be wondering how to delete a rule that you don’t want to be in there anymore.
root@clickit:/home/ubuntu# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
DROP all -- anywhere anywhere
For example, I no longer want to accept HTTP traffic, which is port 80. All I have to do is locate the row number of the rule, which in this case is the second one. So I will delete it like this:
root@vps-2786:/home/ubuntu# iptables -D INPUT 2
root@vps-2786:/home/ubuntu# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere
Now rule number 2 is gone.
To delete ALL the rules in ALL the chains, iptables gives us a magnificent command (great for extreme situations), but you have to use it carefully:
$ iptables -F
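To see the effect of rule ordering (the top-to-bottom note, the conntrack rule inserted at position 2, deletion by number and the flush) without touching a live firewall, here is an added illustration that is not part of the original post and not real iptables code: a small Python model of an INPUT chain with iptables’ first-match semantics. It replays the post’s commands on constructed sample packets (an incoming SSH connection, an incoming HTTP connection, and the ESTABLISHED replies to a ping and a DNS lookup the server started) and returns the verdict for each. It also shows one caveat worth checking on a real box: a rule appended with -A after the final DROP lands below it and never matches, so to get the order shown in the listing above the HTTP rule has to be inserted with -I INPUT 2. The Rule, Chain and packet names are this example’s own; iptables -L --line-numbers shows the real rule numbers used by -D.

```python
"""Toy model of an iptables filter chain with first-match semantics.

Added example, not the post's own code and not real iptables: it only models the
behaviour the post describes (-I/-A/-D/-F on INPUT, -p/--dport matching, the
conntrack ctstate match, and the chain's default policy).
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    target: str                       # ACCEPT or DROP
    proto: Optional[str] = None       # "tcp", "udp", "icmp"; None means "all"
    dport: Optional[int] = None       # --dport (tcp/udp only)
    ctstates: Optional[set] = None    # -m conntrack --ctstate, e.g. {"RELATED", "ESTABLISHED"}

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.ctstates is not None and pkt["ctstate"] not in self.ctstates:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def insert(self, rule: Rule, position: int = 1) -> None:
        """iptables -I CHAIN [position] ...: 1-based, defaults to the top."""
        self.rules.insert(position - 1, rule)

    def append(self, rule: Rule) -> None:
        """iptables -A CHAIN ...: goes to the bottom of the chain."""
        self.rules.append(rule)

    def delete(self, number: int) -> None:
        """iptables -D CHAIN number: 1-based, as shown by -L --line-numbers."""
        del self.rules[number - 1]

    def flush(self) -> None:
        """iptables -F: removes every rule; the chain policy stays as it was."""
        self.rules.clear()

    def verdict(self, pkt: dict) -> str:
        # The first matching rule wins; the policy applies only if nothing matched.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


# Constructed sample packets (not captured traffic).
PACKETS = {
    "ssh": {"proto": "tcp", "dport": 22, "ctstate": "NEW"},          # incoming SSH
    "http": {"proto": "tcp", "dport": 80, "ctstate": "NEW"},         # incoming HTTP
    "ping_reply": {"proto": "icmp", "ctstate": "ESTABLISHED"},       # reply to our ping
    "dns_reply": {"proto": "udp", "dport": 40123, "ctstate": "ESTABLISHED"},  # reply to our lookup
}


def build_input_chain(with_conntrack: bool) -> Chain:
    """Replays the post's INPUT commands, optionally adding the conntrack rule."""
    chain = Chain(policy="ACCEPT")
    chain.insert(Rule("ACCEPT", proto="tcp", dport=22))  # -I INPUT -p tcp --dport 22 -j ACCEPT
    chain.append(Rule("DROP"))                            # -A INPUT -j DROP
    if with_conntrack:
        # -I INPUT 2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        chain.insert(Rule("ACCEPT", ctstates={"RELATED", "ESTABLISHED"}), position=2)
    return chain


def verdicts(chain: Chain) -> dict:
    return {name: chain.verdict(pkt) for name, pkt in PACKETS.items()}


def http_appended_after_drop() -> str:
    """-A INPUT -p tcp --dport 80 after the DROP: the rule sits below DROP and is dead."""
    chain = build_input_chain(with_conntrack=False)
    chain.append(Rule("ACCEPT", proto="tcp", dport=80))
    return chain.verdict(PACKETS["http"])


def delete_and_flush_demo() -> tuple:
    """HTTP inserted as rule 2, deleted with -D INPUT 2, then everything flushed."""
    chain = build_input_chain(with_conntrack=False)
    chain.insert(Rule("ACCEPT", proto="tcp", dport=80), position=2)
    before = chain.verdict(PACKETS["http"])
    chain.delete(2)       # iptables -D INPUT 2
    after = chain.verdict(PACKETS["http"])
    chain.flush()         # iptables -F: back to the ACCEPT policy for everything
    return before, after, chain.verdict(PACKETS["http"]), len(chain.rules)


if __name__ == "__main__":
    print("without conntrack:", verdicts(build_input_chain(False)))
    print("with conntrack:   ", verdicts(build_input_chain(True)))
    print("HTTP appended after DROP:", http_appended_after_drop())
    print("delete/flush:", delete_and_flush_demo())
```

Without the conntrack rule the ping and DNS replies are dropped, which is exactly the "can't ping google.com" symptom; with it inserted at position 2 they are accepted while a new inbound HTTP connection is still dropped. The flush result also shows why -F needs care: once the rules are gone, the verdict for everything falls back to the chain policy, which is ACCEPT here.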
By now you should be able to manage your iptables firewall and there are countless ways to use it, it just depends on what you need and what you want to achieve.
Here at ClickIT, we are experts providing Managed services with DevOps solutions such as Ansible, Chef and AWS OpsWorks. Our Agile Team also includes leading IT experts in application migration in the cloud, web security, web development, IT automation, clustering, scalability and near-shore support. Contact Us Now!