Links to official and recommended documentation exist on the Netfilter Web site.
This is not a new subject, resources are limitless.
Most basic commands are fairly intuitive and can easily be reference to the manpage.
netfilter, which is the kernel level technology that enables the packet filtering, is quite advanced. There are additional tables that can mangle packets, translate packets, and otherwise affect routing. The iptables
utility is the userland tool for interacting with netfilter. If you wish to learn about advanced functionality, I suggest you reference the aforementioned documentation. For an introduction to the basic functionality, please read further.
To list all existing rules:
iptables -L -n
-n
prevents iptables from resolving ips, which produces faster output.
The default table is the filter
table, which is what is used to apply basic firewall rules to the three chains. The three default chains in the filter
table are INPUT
, OUTPUT
, and FORWARD
.
The chains are largely self explanatory. The INPUT chain affects packets coming in, the OUTPUT chain affects locally generated packets, and finally FORWARD for any packets that route through the system.
Among the targets you can specify, you can DROP
packets, meaning simply ignore and not respond. You can REJECT
packets, where an icmp response would be sent to the source of the denial. Finally, you can ACCEPT
them, which allows the packets to continue routing.
Often with an external facing firewall the default choice will be DROP
as opposed to REJECT
, as it reduces the visible footprint of your network on the Internet. For example, an IP that otherwise limits services to a specific host would have less visibility with DROP
.
Note, -A
means append to the end of the chain. If you wish to insert to the top, you can use -I
. All rules are processed from the top down. -D
for deletion.
To DROP
an incoming packet coming from the 192.168.235.235
:
iptables -A INPUT -s 192.168.235.235 -j DROP
This jumps to the DROP
target for all protocols coming from that IP.
To accept:
iptables -A INPUT -s 192.168.235.235 -j ACCEPT
To prevent access to that IP from your local server or network:
iptables -A OUTPUT -d 192.168.235.235 -j DROP
You can specify the -p
protocol, the -s
source of the packet, the -d
destination for the packet, the destination port --dport
, the source port --sport
, and many other flags that will affect how the packets are treated by the rule.
If your default INPUT
policy were DROP
and you wanted to allow everyone at the 192.168.123.0/24
subnet to access SSH on your server, here is an example:
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 22 -j ACCEPT
That's right, you can use CIDR notation too!
Generally speaking, the best default policy is DROP
for all chains. Every chain has a default policy, which is specified by the -P
flag. Even if you have your policy set to default DROP
, it is still advised to have the final entry in a chain to be a DROP
as well.
For example, to change the policy to DROP
for the INPUT, FORWARD, and OUTPUT chains:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Be careful, if you specify the default policy of DROP for INPUT on a remote system without first allowing yourself SSH access, you could prevent yourself from accessing the system. If on a remote system, you could specify a temporary crontab to flush all rules every 5 minutes as a failsafe.
To delete all rules and allow all traffic:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -X
iptables -F
Note, -X
removes all created chains. -F
flushes all rules.
There are native tools to save and restore the rules. Particularly, iptables-save
and iptables-restore
. Most modern Linux distributions have save
and restore
functions within an iptables init file provided with the system.
There are other firewall best practices, such as dropping malformed packets and other type of undesirable traffic. This is one advantage of using a front end utility such as Shorewall, as it will implement many of these polices by default. Nevertheless, I agree with your approach and prefer to maintain my own rules directly as well, and these same best practices can be implemented without a front end.