15

I have to setup a firewall on a Linux server (all my previous experience is with Windows). My rules are meant to be pretty simple - forbid all, allow some ports with all, allow some ports for specific IP subnets, while the network is small but complex (each host has IPs in at least 2 192.168... nets, everyone can interconnect many different ways). I think using iptables wrappers can overcomplicate the system logically introducing many unnecessary entities and it would be better to keep it simple and use iptables directly.

Can you recommend a good quick intro on how to write iptables rules?

Ivan
  • 3,288
  • 19
  • 48
  • 70

3 Answers3

26

Links to official and recommended documentation exist on the Netfilter Web site.

This is not a new subject, resources are limitless.

Most basic commands are fairly intuitive and can easily be reference to the manpage.

netfilter, which is the kernel level technology that enables the packet filtering, is quite advanced. There are additional tables that can mangle packets, translate packets, and otherwise affect routing. The iptables utility is the userland tool for interacting with netfilter. If you wish to learn about advanced functionality, I suggest you reference the aforementioned documentation. For an introduction to the basic functionality, please read further.

To list all existing rules:

iptables -L -n

-n prevents iptables from resolving ips, which produces faster output.

The default table is the filter table, which is what is used to apply basic firewall rules to the three chains. The three default chains in the filter table are INPUT, OUTPUT, and FORWARD.

The chains are largely self explanatory. The INPUT chain affects packets coming in, the OUTPUT chain affects locally generated packets, and finally FORWARD for any packets that route through the system.

Among the targets you can specify, you can DROP packets, meaning simply ignore and not respond. You can REJECT packets, where an icmp response would be sent to the source of the denial. Finally, you can ACCEPT them, which allows the packets to continue routing.

Often with an external facing firewall the default choice will be DROP as opposed to REJECT, as it reduces the visible footprint of your network on the Internet. For example, an IP that otherwise limits services to a specific host would have less visibility with DROP.

Note, -A means append to the end of the chain. If you wish to insert to the top, you can use -I. All rules are processed from the top down. -D for deletion.

To DROP an incoming packet coming from the 192.168.235.235:

iptables -A INPUT -s 192.168.235.235 -j DROP

This jumps to the DROP target for all protocols coming from that IP.

To accept:

iptables -A INPUT -s 192.168.235.235 -j ACCEPT

To prevent access to that IP from your local server or network:

iptables -A OUTPUT -d 192.168.235.235 -j DROP

You can specify the -p protocol, the -s source of the packet, the -d destination for the packet, the destination port --dport, the source port --sport, and many other flags that will affect how the packets are treated by the rule.

If your default INPUT policy were DROP and you wanted to allow everyone at the 192.168.123.0/24 subnet to access SSH on your server, here is an example:

iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 22 -j ACCEPT

That's right, you can use CIDR notation too!

Generally speaking, the best default policy is DROP for all chains. Every chain has a default policy, which is specified by the -P flag. Even if you have your policy set to default DROP, it is still advised to have the final entry in a chain to be a DROP as well.

For example, to change the policy to DROP for the INPUT, FORWARD, and OUTPUT chains:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Be careful, if you specify the default policy of DROP for INPUT on a remote system without first allowing yourself SSH access, you could prevent yourself from accessing the system. If on a remote system, you could specify a temporary crontab to flush all rules every 5 minutes as a failsafe.

To delete all rules and allow all traffic:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -X
iptables -F

Note, -X removes all created chains. -F flushes all rules.

There are native tools to save and restore the rules. Particularly, iptables-save and iptables-restore. Most modern Linux distributions have save and restore functions within an iptables init file provided with the system.

There are other firewall best practices, such as dropping malformed packets and other type of undesirable traffic. This is one advantage of using a front end utility such as Shorewall, as it will implement many of these polices by default. Nevertheless, I agree with your approach and prefer to maintain my own rules directly as well, and these same best practices can be implemented without a front end.

Warner
  • 23,440
  • 2
  • 57
  • 69
  • 2
    Just came across this answer while looking for some random iptables stuff here (I search SF/SO before Google anymore!), and this very detailed answer seems to deserve more vote-up love, so I gave it some! – Andrew Barber Dec 14 '10 at 18:11
  • +1 nice answer. I would mention [Debian WIKI](http://wiki.debian.org/iptables) as well. – michal.kreuzman Jun 18 '12 at 16:53
2

Iptables Tutorial

halp
  • 2,098
  • 1
  • 19
  • 13
1

I found https://help.ubuntu.com/community/IptablesHowTo helpful recently. I don't think anything in there is especially Ubuntu-specific.

gbroiles
  • 1,344
  • 8
  • 8
  • I use Arch on my laptop, but an Ubuntu Lucid Server is exactly what the task to set up is. So this can come in hand if not obsolete (it addresses Ubuntu 8.04 as far as I can see). – Ivan Jul 09 '10 at 13:14