Iptables Basic Introduction

iptables is the firewall of Linux systems: the userspace tool that configures the kernel's netfilter packet filter. It is quite easy to install and easier to manage than most people would think. Lately I became the sysadmin of a Linux-based root server and wanted to secure it as much as possible. So I went for my first exercise with iptables and found that it is quite easy to manage as long as you know some important things.

1.) The Chains
iptables is organised in tables (the default is the "filter" table, which is all this post uses), and each table holds chains of rules. The filter table has three built-in chains: INPUT (packets addressed to this host), FORWARD (packets routed through this host) and OUTPUT (packets this host sends itself). Chain names are case sensitive and always written in upper case on the command line.

2.) Position Counts
The position of a rule in a chain is VITAL!
A packet is compared against the rules of a chain from top to bottom, and the first matching rule with a terminating target (ACCEPT or DROP) decides its fate. Normally you start with the INPUT chain and write in which services are allowed to reach your server, e.g. Apache (web server), SSH, etc. Then you set a big DROP. Everything after this DROP, even if it says ACCEPT, does not count: the packet has already been dropped. Watch your chain and the position of the rules!

3.) Established Sessions
If your server itself asks for a service or website, it may call out to port 80 on the other host. The answer, however, does not come back to port 80: the other server replies from port 80 to the random high port your server used as its source port, so the reply arrives on INPUT with a destination port that none of your service rules match, and the final DROP throws it away. The same goes for DNS answers, package updates and so on. If you put in a global ACCEPT on INPUT for all ESTABLISHED or RELATED connections (i.e. connections that are already running, replies to things we sent out ourselves, and helper traffic such as FTP data connections or ICMP errors that belong to an existing connection), this does not happen and your stuff runs without problems. You NEED to do that, and the rule must sit above the DROP.

Show the current iptables rules:
iptables -L

Show the current rules with more details (packet and byte counters per rule; add -n to skip the slow reverse DNS lookups and --line-numbers to see each rule's position in the chain):
iptables -L -v

Allow incoming traffic on the web port for the web server:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

This tells iptables to Append this rule to the end of the INPUT chain.
The pRotocol is tcp. The dEstination port is 80.
jUmp to the ACCEPT target and let the packet pass.

Allow incoming traffic for SSH:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allow everything on the loopback interface (local services talking to each other over 127.0.0.1, e.g. a web application and its database):
iptables -A INPUT  -i lo -j ACCEPT
-i means the input interface the packet arrived on

Allow established sessions (see 3.!):
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
If that gives an error because the conntrack match module is not available, use the older state match, which does the same thing:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Drop everything else (this is a rule at the end of the chain; the chain policy itself stays ACCEPT):
iptables -A INPUT -j DROP

After the last line, nothing except the Apache and SSH server (plus loopback and the replies covered by 3.) is reachable anymore. Note that another -A would now append after the DROP, and that rule would never match.
To insert a new ACCEPT rule before the DROP, use
iptables -I INPUT 1 -p tcp --dport 21 -j ACCEPT
INsert the new rule at position 1, the top of the chain: TCP on port 21, the FTP control port (Telnet would be port 23), and ACCEPT every connection to it. Any position above the DROP works; 1 is simply the safe choice. Check the result with the --line-numbers option of iptables -L.
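As an added example (this is my own code, not code from the post or the Ubuntu wiki), here is the whole INPUT chain from sections 2. and 3. written as one iptables-restore file, together with two small awk checks for the two mistakes the post warns about: a rule that ends up below the catch-all DROP (section 2.) and a missing or misplaced ESTABLISHED,RELATED rule (section 3.). The rule order, the port list and the port 21 rule used for the "-I versus -A" demonstration are assumptions for the example; the script only writes text to stdout and never touches the running firewall.

```shell
#!/bin/sh
# Added example (not from the post or the Ubuntu wiki): build the INPUT chain
# as an iptables-restore file and lint it. Ports and rule order are assumptions
# for the example; nothing here changes the live firewall.

# Emit the ruleset in iptables-restore format (filter table only).
# Order matters: loopback, conntrack, the services, then the catch-all DROP.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Same ruleset with a rule appended below the DROP, which is exactly what
# "iptables -A INPUT ..." does once the DROP is in place. That rule never matches.
gen_rules_shadowed() {
    gen_rules | awk '/^COMMIT$/ { print "-A INPUT -p tcp --dport 21 -j ACCEPT" } { print }'
}

# Text equivalent of "iptables -I INPUT <pos> ...": put $1 (the rule without
# the leading "-A INPUT") directly above the catch-all DROP. Ruleset on stdin.
insert_before_drop() {
    awk -v rule="$1" '/^-A INPUT -j DROP$/ { print "-A INPUT " rule } { print }'
}

# Lint 1 (section 2, position counts): print every INPUT rule that follows the
# unconditional DROP and exit 1 if there is any. Ruleset on stdin.
lint_shadowed() {
    awk '
        /^-A INPUT -j DROP$/    { dropped = 1; next }
        dropped && /^-A INPUT / { print "unreachable: " $0; bad = 1 }
        END                     { if (bad) exit 1; exit 0 }
    '
}

# Lint 2 (section 3, established sessions): the ESTABLISHED,RELATED ACCEPT must
# exist and sit above the DROP. Both the conntrack and the legacy state match
# are accepted. Exit 1 otherwise. Ruleset on stdin.
lint_conntrack() {
    awk '
        /^-A INPUT -m (conntrack --ctstate|state --state) ESTABLISHED,RELATED -j ACCEPT$/ { seen = 1 }
        /^-A INPUT -j DROP$/ { if (!seen) { print "DROP reached before the ESTABLISHED,RELATED rule"; bad = 1 } }
        END { if (bad || !seen) exit 1; exit 0 }
    '
}

# Demo: the generated ruleset passes, the appended rule is caught, and inserting
# above the DROP (what -I does) is fine again.
gen_rules | lint_shadowed && gen_rules | lint_conntrack && echo "generated ruleset: OK"
gen_rules_shadowed | lint_shadowed || echo "shadowed ruleset: rejected (use -I, not -A)"
gen_rules | insert_before_drop '-p tcp --dport 21 -j ACCEPT' | lint_shadowed && echo "inserted ruleset: OK"
```

To use the generated file for real, write it to the location the post uses (gen_rules > /etc/iptables.rules) and load it with iptables-restore as described below; recent iptables versions also accept iptables-restore --test to parse the file without committing it. Running the two lint functions over the output of iptables-save before every restore is a cheap way to catch a rule that was appended after the DROP on a live host.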

To save the current rules enter:
iptables-save > /etc/iptables.rules
This writes the live rules to the named file. Rules set with iptables live only in kernel memory and are gone after a reboot unless you save and reload them (see the appendix).

To load the saved rules enter:
iptables-restore < /etc/iptables.rules

Delete all rules and therefore disable the firewall temporarily:
iptables -F
Caveat: -F only flushes the rules in the chains, it does not touch the chain policies. With the setup above (policy ACCEPT plus an explicit DROP rule at the end) flushing re-opens the host. If you have instead changed the INPUT policy to DROP, flushing over SSH locks you out, so set the policy back to ACCEPT first.

Everything taken from: https://help.ubuntu.com/community/IptablesHowTo

Appendix for Ubuntu:
Autoloading and saving iptables. Note that ip6tables is a separate firewall with its own rule set; the INPUT chain built above only covers IPv4, so if the server has an IPv6 address, build and save matching ip6tables rules too.

Autoloading: Create an executable (chmod +x) file in /etc/network/if-pre-up.d, e.g. iptablesload, so the rules are in place before the interface comes up:
#!/bin/sh
iptables-restore < /etc/iptables.rules
ip6tables-restore < /etc/ip6tables.rules
exit 0

Autosaving: Create an executable (chmod +x) file in /etc/network/if-post-down.d, e.g. iptablessave. It saves the live rules when the interface goes down (-c keeps the packet and byte counters) and, if a separate /etc/iptables.downrules exists, loads that rule set for the time the interface is down:
#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
    iptables-restore < /etc/iptables.downrules
fi
ip6tables-save -c > /etc/ip6tables.rules
if [ -f /etc/ip6tables.downrules ]; then
    ip6tables-restore < /etc/ip6tables.downrules
fi
exit 0
