Iptables is well known as one of the most powerful ways to secure and lock down nearly any Linux machine. But it can be challenging to understand just how to configure iptables on Linux. With a learning curve that can intimidate most people just getting started with Linux, it can be a very time-consuming quest for information when it comes to learning the basics of iptables, or just “getting it working”.
If you're like me you don't need to know, or don't want to know, everything there is about setting up your Linux firewall. Many times you just want to block one IP address, or a block of IPs, and don't want to spend 3 hours digging through web pages or man pages to find a simple solution to a simple (or so you thought!) problem.
Before we begin you will need to understand a bit more about what iptables and ipchains are. Iptables functions as a “software firewall”, meaning you can specifically allow or disallow an IP, a domain, or a block of IPs, as well as specifically allow or disallow access to specific ports (www, telnet, ftp, ssh). Normally the best practice is to disallow access to everything, and then specifically allow access to what you want to offer people access to.
For example, on your web server you may offer WWW access to everyone, and allow FTP access only to a specific set of IP addresses. This would mean everyone could access your website, while only you or your web developers could access the server through FTP. Pretty cool huh?
Let's start getting into some examples that will help you set up your firewall, plus a few of the basic need-to-know settings. By default iptables is installed on nearly every flavor of Linux, so I will not go over the details of installing it on a server.
--append or -A            Append a rule to a chain
--delete or -D            Delete a rule from a chain
--list or -L [chain]      List the rules in a chain, or in all chains
--flush or -F [chain]     Delete all rules in a chain, or in all chains
First, we set the default policies for the three main chains: deny incoming packets by default, and allow outgoing and forwarded (e.g. NAT) packets by default.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
With our focus on security first, we want to deny access to everything and then open only what is needed.
This is done by setting the default policy of the INPUT chain (incoming packets) to DROP. This means every packet processed by the chain will be dropped unless a rule explicitly allows it.
The OUTPUT and FORWARD chains are set to ACCEPT, as this traffic originates from our internal network. This assumes you want to allow all the computers on your internal network access to everything on the outside world.
Now how do you set up access from the outside world (inbound requests) to your internal machine's ports, like WWW and SSH?
iptables -A INPUT -i $WAN_IFACE -p tcp --destination-port 22 -j ACCEPT   # allow SSH from the outside
iptables -A INPUT -i $WAN_IFACE -p tcp --destination-port 80 -j ACCEPT   # allow WWW from the outside
(Note: $WAN_IFACE is your interface, eth0, eth1, eth2, whichever is your network card to the outside world.)
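As an added example, not code from the original post: the same policies and port rules written out as an iptables-restore file by a small POSIX shell script, so the ruleset can be reviewed and then loaded atomically. It goes beyond the post in two places, both labelled as assumptions in the code: it accepts loopback traffic and replies to the server's own outbound connections (with the INPUT policy at DROP and only ports 22 and 80 open, DNS answers and package downloads would otherwise be dropped), and it uses --dport, the short form of --destination-port.

```shell
#!/bin/sh
# Added example (not from the original post): emit the post's ruleset in
# iptables-restore format so it can be reviewed and loaded in one step.

# gen_rules <wan_iface> [tcp_port ...]  -> prints an iptables-restore file
gen_rules() {
    wan="$1"; shift
    echo '*filter'
    # Default policies from the post: drop inbound, accept outbound/forward.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Assumed additions (not in the post): local traffic, and replies to
    # connections this machine opened itself, which INPUT DROP would block.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # One ACCEPT per published service port on the WAN interface.
    for port in "$@"; do
        echo "-A INPUT -i $wan -p tcp --dport $port -j ACCEPT"
    done
    echo 'COMMIT'
}

# count_accepts <wan_iface> [tcp_port ...] -> number of ACCEPT rules emitted
count_accepts() {
    gen_rules "$@" | grep -c -- '-j ACCEPT'
}

# apply_rules <wan_iface> [tcp_port ...] : load the ruleset (needs root).
# `iptables-restore --test` checks the file without touching the kernel.
apply_rules() {
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore not found" >&2; return 1
    fi
    gen_rules "$@" | iptables-restore --test || return 1
    gen_rules "$@" | iptables-restore
}

# Usage: sh firewall.sh eth0 22 80        (print the ruleset for review)
#        sh firewall.sh apply eth0 22 80  (validate, then load it)
if [ $# -gt 0 ]; then
    if [ "$1" = "apply" ]; then shift; apply_rules "$@"; else gen_rules "$@"; fi
fi
```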
And there you have it. You now have a secured machine that will only allow access to your computer through WWW and SSH. In a real-world situation you would most likely want to open up email, instant messaging client ports, or any other programs that need to communicate with your computer from the outside world.