Iptables Tutorial: Ultimate Guide to Linux Firewall – phoenixNAP

All

modern operating systems come equipped with a firewall, a software application that regulates network traffic to a computer. Firewalls create a barrier between a trusted network (such as an office network) and an untrusted one (such as the Internet). Firewalls work by defining rules that govern what traffic is allowed and what is blocked. The utility firewall developed for Linux systems is iptables.

In this tutorial, you will learn how to install iptables, configure, and use iptables on Linux.

Prerequisites

  • A user account with sudo privileges
  • Accessing a terminal/command line window (Ctrl-Alt-T, Ctrl-Alt-F2)

How iptables work

Network traffic consists of packets. The data is broken down into smaller parts (called packets), sent over a network, and then put back together. Iptables identifies received packets and then uses a set of rules to decide what to do with them.

Iptables filters packets based on

:

  • Tables: Tables are files that join similar actions. A table consists of several chains.
  • Strings: A string is a chain of rules. When a packet is received, iptables finds the appropriate table and then executes it through the rule chain until it finds a match.
  • Rules: A rule is an instruction that tells the system what to do with a package. Rules can block one type of packet or forward another type of packet. The result, where a packet is sent, is called a target.
  • Goals: A destination is a decision of what to do with a package. Usually, this is accepting, deleting, or rejecting it (which sends an error to the sender).

Tables and strings

Linux firewall iptables has four default tables. We will list the four along with the strings that each table contains.

1

. Filter

The Filter table is the most commonly used. He acts as a goalkeeper, deciding who goes in and out of his net. It has the following default strings

:

  • Inbound: The rules in this chain control the packets received by the
  • server.

  • Outbound: This string handles packets for outbound traffic
  • .

  • Forward: This set of rules controls packets that are routed through the server

.

2. Network Address Translation

(NAT)

This table contains network address translation (NAT) rules for routing packets to networks that cannot be directly accessed. When the destination or source of the packet must be modified, the NAT table is used. It includes the following strings

: Pre-routing:

    This string assigns packets as soon as the server receives them. Output:

  • works the same as the output string described in the filter table
  • .

  • Post-routing: The rules in this chain allow changes to be made to packets after they leave the output chain

.

3

. Mangle

The Mangrove table adjusts the IP header properties of packets. The table has all of the following strings described above:

  • Prerouting
  • Postrouting
  • Output
  • Input
  • Forward

4.

Raw

The Raw table is used to exempt packets from connection tracing. The raw table has two of the strings we mentioned earlier:

  • Prerouting
  • Output

5. Security (optional)

Some versions of Linux also use a security table to manage special access rules. This table includes input, output, and forward strings, as does the filter table.

Destinations

A destination is what happens after a packet matches a rule criterion. Unfinished destinations continue to match packets to rules in a chain, even when the packet matches a rule.

With termination targets, a packet is evaluated immediately and not compared to another string. The termination targets in Linux iptables are:

  • OK – this rule accepts packets passing through the iptables firewall
  • .

  • Drop – the dropped packet is not compared to any other string. When Linux iptables interrupts an incoming connection to your server, the person trying to connect does not receive an error. It looks as if they are trying to connect to a non-existent machine.
  • Return: This rule sends the packet back to the source string so that you can compare it with other rules.
  • Reject: The iptables firewall rejects a packet and sends an error to the connecting device.

How to install and configure Linux Firewall iptables

Iptables

Ubuntu Iptables

are installed by default on most Linux systems. To confirm

that iptables is installed, use the following command: sudo apt-get install iptables

The sample output in Ubuntu confirms that the latest version of iptables is already present

:

If you want to keep the iptables firewall rules when you restart the system, install the persistent package:

sudo apt-get install iptables-persistent

Installing Iptables

CentOS

on CentOS 7, iptables was replaced by firewalld.

To install iptables, you must first stop the firewall. Enter the following commands:

sudo systemctl stop firewalld sudo systemctl disable firewalld sudo systemctl mask firewalld

The commands stop and prevent firewalld from starting at boot, and do not allow other services to start firewalld

.

Next, install and enable iptables. First,

install the iptables service package with the following command: sudo yum -y install iptables-services

This package preserves the rules after the system restarts. The following information confirms that the installation is complete

: Enter the following commands to enable and launch iptables on CentOS 7: sudo systemctl enable iptables sudo systemctl start iptables

The status command confirms the state of the application

: sudo status systemctl iptables

Basic syntax for

iptables commands and

options

In general, An iptables command looks like this

: sudo iptables [option] CHAIN_rule [-j target]

Here is a list of some common iptables options:

  • A -append – Add a rule to a string (at the end).
  • C -check – Look for a rule that matches the requirements of the
  • string. -D -delete – Delete specified rules from a string. -F –

  • flush – Delete all rules.
  • -I -insert – Add a rule to a string at a given position
  • . -L -list – Displays all the rules in a chain. -N -new-chain – Create a new chain. –

  • v -verbose – Displays more information when using a list option
  • . –

  • X -delete-chain – Delete the provided string
  • .

Iptables is case sensitive, so make sure you’re using the right options.

Configure iptables on Linux

By default, these commands affect the filter table. If you need to specify a different table, use the -t option, followed by the table name.

Check the current status of iptables

To view the current set of rules on your server, enter the following in the terminal window:

sudo

iptables

-L

The system displays the status of your strings. The output will list three strings:

Chain INPUT (policy ACCEPT) Chain FORWARD (policy ACCEPT) Chain OUTPUT (policy ACCEPT)

Enable loopback

traffic

It is safe to allow traffic from your own system (the localhost). Append the input string by entering the following:

sudo iptables -A INPUT -i lo -j ACCEPT

This command configures the firewall to accept traffic for the localhost (lo) (-i) interface. Now anything that originates from your system will pass through your firewall. You must set this rule to allow applications to communicate with the localhost interface.

Allow

traffic on specific ports

These rules allow traffic on different ports that you specify using the commands listed below. A port is a communication endpoint specified for a specific type of data.

To allow HTTP web traffic, type the following command: sudo iptables -A INPUT -p tcp -dport 80 -j ACCEPT To allow

only incoming Secure Shell (SSH)

traffic, type the following: sudo iptables -A INPUT -p tcp -dport 22 -j ACCEPT

To allow HTTPS Internet traffic, type the

following

command

: sudo iptables -A INPUT -p tcp -dport 443 -j ACCEPT

The options work as follows:

  • -p – Check the specified protocol (tcp).
  • dport – Specify the destination port
  • . –

  • j jump – Perform the specified action

.

Control

traffic by IP address Use the following command to ACCEPT traffic from a specific IP address. sudo iptables -A INPUT -s 192.168.0.27 -j OK Replace the IP address

in the command with the IP address you want to allow

. You can also DELETE traffic from an IP address: sudo iptables -A INPUT -s 192.168.0.27 -j DROP

You can

REJECT traffic from a range of IP addresses, but the command is more complex

: sudo iptables -A INPUT -m iprange -src-range 192.168.0.1-192.168.0.255 -j REJECT

The iptables options we use in the examples work as follows:

  • m – Matches the specified option
  • . –

  • iprange – Tell the system to expect a range of IP addresses instead of just one
  • . –

  • src-range – Identifies the IP address range.

Removing

unwanted traffic

If you define dport firewall rules iptables, you must prevent unauthorized access by deleting any traffic coming through other ports: sudo iptables

-A INPUT -j DROP

The -A option adds a new rule to the chain. If any connection arrives through ports other than those you defined, it will be deleted.

Delete a rule

You can use the -F option to clear all iptables firewall rules. A more accurate method is to remove the line number from a rule.

First, list all the rules by entering the following

: sudo iptables -L -line-numbers Locate the line of the firewall rule you want to delete

and run this command:

sudo iptables -D INPUT <Number>

Replace <Number> with the actual rule line number you want to delete

.

Save changes

Iptables does not maintain rules created when the system is restarted. As long as you configure iptables on Linux, any changes you make will be applied only until the first reboot.

To save the rules on Debian-based systems, type: sudo /sbin/iptables-save To save the rules on

Red-Hat-based systems, type:

sudo /sbin/service iptables save

The next time the system starts, iptables will automatically reload the firewall rules

.

Conclusion

After reading this Linux iptables tutorial, you should have a better understanding of how iptables work and how to install the

iptables tool. Now you can also configure basic iptables firewall rules for your Linux system.

Feel free to experiment, as you can always remove rules you don’t need, or empty all the rules and start over.

Contact US