FreeKB - iptables Getting Started with iptables in Linux
Getting Started with iptables in Linux

Both firewalld and iptables are common Linux firewalls. This tutorial is for iptables. If firewalld is enabled on your system, stop, mask, and disable firewalld, so that firewalld is permanently disabled, even after a reboot.

Use apt-get or yum to install iptables. On Red Hat based systems the package that provides the iptables service is iptables-services. On Debian based systems there is no iptables-services package; the package is named iptables, and iptables-persistent loads the saved rules at boot.

apt-get install iptables iptables-persistent
yum install iptables-services

 

The ps command can be used to determine if your system is using init or systemd. If PID 1 is init, then you will use the service command. If PID 1 is systemd, then you will use the systemctl command.

If your system is using systemd, use the systemctl command to start and enable iptables.

systemctl enable iptables
systemctl start iptables
systemctl status iptables

 

If your system is using init, use the chkconfig command to enable iptables at boot, and the service command to start it and check its status.

chkconfig iptables on
service iptables start
service iptables status

 

The file that contains the configuration for iptables is located at /etc/sysconfig/iptables on Red Hat based systems. On Debian based systems with iptables-persistent, the equivalent file is /etc/iptables/rules.v4.

/etc/sysconfig/iptables

 


CHAINS

iptables uses chains to allow or deny certain types of requests. Each chain also has a default policy (ACCEPT or DROP) that applies to any packet matching none of the rules in the chain. The default chains are:

  • INPUT = Inbound packets addressed to the host
  • OUTPUT = Outbound packets created by the host
  • FORWARD = Packets neither addressed to the host nor created by the host. FORWARD is used when the host forwards or routes a packet to its destination

 


FLUSHING RULES

Typically, after a clean install of iptables, iptables will already have default rules in place. The -F or --flush option can be used to flush all of the rules. Flushing removes the rules but leaves each chain's policy unchanged, so with the default ACCEPT policy the host accepts all traffic until rules are added again.

iptables --flush

 


LISTING RULES

The iptables command with the -L or --list option can be used to display the rules. If you flushed all the rules, only the chain headers and their policies are shown.

iptables -L -v
. . .
Chain INPUT (policy ACCEPT)
pkts bytes target  prot  opt  in out source   destination

Chain FORWARD (policy ACCEPT)
pkts bytes target  prot  opt  in out source   destination

Chain OUTPUT (policy ACCEPT)
pkts bytes target  prot  opt  in out source   destination

 


ADDING RULES

  • The -I or --insert option can be used to add a rule at the beginning of a chain.
  • The -A or --append option can be used to add a rule at the end of a chain.

This is important, because the order in which the rules are listed matters. iptables reads the rules from the top down: the first rule listed is checked, then the second rule, and so on, and the first rule that matches a packet decides what happens to it (ACCEPT, DROP and REJECT end the walk through the chain). Typically, the first rule that is added is to allow traffic directed to the lo interface, which is the loopback interface, localhost, or 127.0.0.1.

iptables -I INPUT -i lo -j ACCEPT

 

Often, the second rule that is added is to allow SSH connections. Notice now that the -A (append) option is used, not the -I (insert) option, so that the SSH rule is appended after the lo rule. The --source option limits SSH to the 192.168.0.0/24 network; change it to match the network you administer the system from.

iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED --source 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

 

Optionally, if you want to be able to ping the system, a rule is added to allow ICMP echo requests. Again the -A (append) option is used, not the -I (insert) option, so that the ICMP rule is appended after the SSH rule.

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

 


DELETING RULES

The -D or --delete option is used to delete a rule. In this example, the rule to allow ICMP echo requests is deleted.

iptables -D INPUT -p icmp --icmp-type echo-request -j ACCEPT

 


DROP

The end of a chain should have a DROP rule, so that any connection not matching a rule in the chain is dropped. However, the OUTPUT chain may not need the drop rule, as this can cause issues with some protocols. Once the DROP rule is in place, any rule later added with -A lands after it and can never match, so add further rules with -I, or delete the DROP rule with -D and append it again after the new rule.

iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
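The two ordering pitfalls above (a rule appended after the final DROP, and a chain with an ACCEPT policy and no DROP) can be checked before the rules go live. The following is an added example, not part of this FreeKB page or of iptables itself: it replays -A and -I the way iptables orders them and lints the result; the constructed sample is the tutorial's INPUT commands with one HTTP rule mistakenly appended after the DROP.

```python
import re
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}             # targets that end the chain walk
_POLICY = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)")  # ":INPUT ACCEPT [0:0]" lines from iptables-save

def build_chains(text):
    """Replay rules the way iptables does: -A appends, -I (without a rule number) inserts at the head.
    Accepts lines as typed ("iptables -A ...") or in iptables-save form; a chain's policy defaults to ACCEPT.
    Returns ({chain: policy}, {chain: [(match_args, target), ...]}) in the order the kernel walks them."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if pol := _POLICY.match(line.strip()):
            policies[pol.group(1)] = pol.group(2)
            continue
        argv = shlex.split(line.strip().removeprefix("iptables"))
        if len(argv) < 2 or argv[0] not in ("-A", "-I"):
            continue  # *filter, COMMIT, comments and blank lines carry no rule
        j = argv.index("-j") if "-j" in argv else len(argv)
        rule = (argv[2:j], argv[j + 1] if j + 1 < len(argv) else None)
        rules = chains.setdefault(argv[1], [])
        rules.insert(len(rules) if argv[0] == "-A" else 0, rule)  # -A at the end, -I at the top
    return policies, chains

def lint(text):
    """Report rules that can never match, and filter chains left open to unmatched traffic."""
    policies, chains = build_chains(text)
    findings = []
    for chain in sorted(set(chains) | {"INPUT", "FORWARD"}):
        closed = False  # set once an unconditional ACCEPT/DROP/REJECT has been passed
        for n, (matches, target) in enumerate(chains.get(chain, []), 1):
            if closed:
                findings.append(f"{chain}: rule {n} is unreachable, it follows an unconditional terminal rule")
            elif not matches and target in TERMINAL:
                closed = True
        if chain in ("INPUT", "FORWARD") and not closed and policies.get(chain, "ACCEPT") == "ACCEPT":
            findings.append(f"{chain}: policy ACCEPT and no final DROP, unmatched traffic is accepted")
    return findings

# Constructed sample: the tutorial's INPUT commands, plus an HTTP rule mistakenly appended after the DROP.
SAMPLE = """\
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED --source 192.168.0.0/24 -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -j DROP
iptables -A INPUT -p tcp --dport http -j ACCEPT
"""
```

Running lint(SAMPLE) reports the HTTP rule as unreachable (it is rule 5 because the lo rule was inserted at the top) and FORWARD as open; feeding it the output of iptables-save works the same way.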

 


SAVE CHANGES

Rules added with the iptables command live only in the running kernel and are lost on reboot or when the iptables service is restarted. The following command will save the changes made to iptables.

iptables-save > /etc/sysconfig/iptables

 


RESTORE IPTABLES

The iptables-restore command can be used to restore iptables from the /etc/sysconfig/iptables file.

iptables-restore < /etc/sysconfig/iptables

 


COMMON RULES

25, 110, 143, 587, 993, 995 / Email

-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

 

53 / DNS

-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT

 

67 / DHCP

-A INPUT -p udp --dport 67 -j ACCEPT

 

80 / HTTP and 443 / HTTPS

-A INPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --dport https -j ACCEPT

 

123 / NTP client (the host queries a remote time server on port 123 and receives the reply from port 123)

-A OUTPUT -p udp --dport 123 -j ACCEPT
-A INPUT -p udp --sport 123 -j ACCEPT

123 / NTP server (the host answers queries arriving on port 123)

-A INPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p udp --sport 123 -j ACCEPT

 

137, 138, 139, 445 / Samba, NetBIOS

-A INPUT -p udp --dport 137 -j ACCEPT
-A INPUT -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

 

3128 / Proxy

-A INPUT -p tcp --dport 3128 -j ACCEPT

