Iptables are the Firewall of many Unix based Systems. Its quite easy to install and more easy to manage than most ppl would think of. Lately I became the SysAdmin of an Linux based Root Server and wanted to secure it as much as possible. So I went for my first exercise with Iptables and found that they are quite to manage as long as you know some important things.<\/p>\n
1.) The Chains
\nThe Iptables are in fact tables. There are three possible \"Chains\": Input, Forward and Output.<\/p>\n
2.) Position Counts
\nThe Position of an Rule in these tables is VITAL!
\nI.e. normally you start with the Input Table and write in which Services are allowed to access your server. I.e. Apache (Webserver), SSH, etc. Then you set an big DROP. Everything after this Drop, even if it says Accept - does not count: The Packet gets dropped. Watch out for your chain and the position of the rules!<\/p>\n
3.) Established Sessions
\nIf you server asks for an service or website, it maybe would call over Port 80. But the answer from the other server could come on an different port. The Iptables would then drop this answer as it does not know what to do with that. If you set in an Global Allow on Input for all Established or Related Connection (i.e. already running connections, things we sent out ourselves and such..) this will not happen and your stuff will run without problems. You NEED to do that.<\/p>\n
Show current Iptables and rules:
\niptables -L<\/p>\n
Show current Iptables and rules with more details:
\niptables -L -v<\/p>\n
Allow incoming traffic on Webport for Webserver:
\niptables -A INPUT -p tcp --dport 80 -j ACCEPT<\/p>\n
This does say the iptables to Append this rule to the Input Table
\nThe pRotocol is tcp. The dEstinationport is 80.
\njUmp to Accept and let the Packet pass<\/p>\n
Allow incoming traffic for SSH:
\niptables -A INPUT -p tcp --dport 22 -j ACCEPT<\/p>\n
Allow everything on the Loopback Interface:
\niptables -A INPUT\u00a0 -i lo -j ACCEPT
\n-i means the interface<\/p>\n
Allow Established Sessions (see 3.!)
\niptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
\nif error:
\niptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<\/p>\n
Drop everything else:
\niptables -A INPUT -j DROP<\/p>\n
After the last line, everything except the Apache and SSH Server will not be accessible anymore.
\nTo insert an new Accept Rule before the drop, use
\niptables -I INPUT 1 -p tcp --dport 21 -j ACCEPT
\nINsert on place 1 the new Rule with TCP on Telnet Port and Accept everything connection.<\/p>\n
To save iptables enter:
\niptables-save > \/etc\/iptables.rules
\nYou write the iptables to the named file<\/p>\n
To load the iptables enter:
\niptables-restore < \/etc\/iptables.rules<\/p>\n
Delete all rules and therefor disable the firewall temporarily:
\niptables -F<\/p>\n
Everything taken from: https:\/\/help.ubuntu.com\/community\/IptablesHowTo<\/p>\n
Appendix for Ubuntu:
\nAutoloading and Saving Iptables?<\/p>\n
Autoloading: Create in \/etc\/network\/if-pre-up.d an chmod+x file i.e. iptablesload:
\n#!\/bin\/sh
\niptables-restore < \/etc\/iptables.rules\nip6tables-restore < \/etc\/ip6tables.rules\nexit 0\n\nAutosaving: Create in \/etc\/network\/if-post-down.d an chmod+x file i.e. iptablessave:\n#!\/bin\/sh\niptables-save -c > \/etc\/iptables.rules
\nif [ -f \/etc\/iptables.downrules ]; then
\n iptables-restore < \/etc\/iptables.downrules\nfi\nip6tables-save -c > \/etc\/ip6tables.rules
\nif [ -f \/etc\/ip6tables.downrules ]; then
\n ip6tables-restore < \/etc\/ip6tables.downrules\nfi\nexit 0\n\n<\/p>\n