If you own a Linux server, you know how important securing it is. A server is available to the whole world, when it's connected to the internet, and soon bad guys will try to break in. Without a firewall anybody can connect to your server and send messages to it. IPTables solves just that. It allows you to block traffic both incoming and outgoing.
In iptables we have so called chains. We have 3 main chains:
Today we'll look at mostly INPUT because that's how bad guys can reach our server.
In forward you can, well forward traffic from one port to another, or to another address.
In output you can restrict the traffic that leaves your computer, but i don't want to do that.
In input we can restrict the traffic reaching our machine.
Now that you know the chains, we can start setting default actions.
Basically there's two ways to restrict the INPUT chain
I will choose the second option, because it offers more security, basically nothing reaches my machine without me knowing about it.
Important: Do this step only after you've added the rules you want. Dropping every incoming connection can result in losing access to your server.
So to set the default action to block connections execute:
iptables -P INPUT DROP
where
-P defines that we want to set the default actionINPUT is the chain to modifyDROP is the default action.Actions tell how a connection should be treated.
Note: Actions are case sensitive!
Here are some of the actions that we'll work with:
| Action Keyword | Description |
|---|---|
| ACCEPT | Accept the current connection |
| DROP | Drop the packet and tell the sender that we dropped it. |
| REJECT | Reject the packet and don't respond to the sender |
| LOG | Log a connection's information to syslog |
Now we know some of the basics, we can start adding rules. To add rules use the -A flag with the rule to add.
The first rule i recommend is to leave the loopback interface alone, the loopback connections originate from your machine, so you don't have to filter them, but you have the option to do so.
Leave the Loopback interface alone: iptables -A -i lo -j ACCEPT
where
-i specifies and interfacelo is the loopback interface-j specifies the action to execute.Another common rule is to accept established state connections, this rule is really important, and most things won't work if you leave this one out. To explain this please imagine, that you
To avoid this execute: iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
where
-m enables a modulestate is the module to inspect the connection state withRELATED and ESTABLISHED are the states we will accept as input.We have one more common rule, it's blocking pings coming in too fast. This is used to prevent ping based DDoS attacks, and is recommended to add to you INPUT chain.
iptables -i eth0 -p icmp -m icmp -m limit --icmp-type 8 --limit 1/second -j ACCEPT
where
-i is used to specify an interface for this ruleeth0 is in my case the network interface card, facing the internet-p is used to specify a protocol for this rule (it can be icmp, udp or tcp)icmp module is used to filter icmp specific datalimit module is used to limit the number of connections--icmp-type is used to specify the icmp message type, 8 is ECHO aka Ping--limit is limiting the number of connections to 1 connection per secondAt this point you have the recommended default rules added to your INPUT chain, the rules from here are dependent on your machine. I will provide some examples to create your own rules for your own server. My interface facing the internet is eth0
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
where
--dport is the destination port (the port of your server the client connects to)iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT HTTP
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT HTTPS
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i eth0 --dport 21 -j LOG --log-prefix "Got FTP Incoming" --log-level 6
where
--log-prefix Specifies the prefix of the message added to syslog--log-level Specifies the severity of the messageRemember the command to set the default action for a chain? We need to execute that now, because we have rules, for the filtering to take effect. Also IPTables doesn't need to be restarted every time you make a change unlike a web server for example.
Important: Your rules only last until the next reboot, that's why we have to save them!
iptables-save > /root/iptables-rules to export the current rules into a file
To load back the rules after a reboot you need to execute:
iptables-restore < /root/iptables-rules
To list your rules type: iptables -L, this will give you a user friendly representation of your current rules.
To get the commands of your rules use iptables -S, this will give you the commands executed to add the rules
To remove a rule, first you need the command of the rule you added, you can get this with the previous -S option.
After you got the command, for example -A INPUT -p tcp --dport 21 -j ACCEPT you can delete it using:
iptables -D -p tcp --dport 21 -j ACCEPT, in other words just change -A to -D to remove that rule
IPTables is a very powerful firewall for server machines, it can do a lot more like pre- and postrouting, but to keep it simple I just showcased the basic usage. If you didn't understand something or I missed something, or you just have a question, then feel free to comment on this post! Now go and secure that server!