Most distros and different versions of Linux use the IPTABLES firewall by default to block and unblock ports. This powerful firewall normally keeps most Linux ports closed on virtual servers and dedicated servers. If you plan to run a service or program on Linux, you must first open the required ports of this program in the IPTABLES firewall.
What Does Firewall Do Exactly?
Firewall plays an important role in the security of Linux and network systems. This option acts as a security gateway between internal and external networks, managing and controlling incoming and outgoing traffic based on set rules. This set of firewall rules only allows secure and legal communications to enter and exit, and blocks traffic that is not defined.
Firewalls Usually Use One Of The Following Three Methods
Packets are small packets of information that makeup information on the Internet and the network. In fact, files are broken into these small packets. With this method, each packet does not pass through a filter, and only authorized packets pass through the filter.
The information first goes to the firewall and then to the destination system.
With this method, which is newer than the previous two methods, only a part of each package is checked by the Firewall, and that part is usually the key part of the package.
Start IPTABLES Command
The first step in working with this command is to enable the related service, which is done with the following command:
service iptables start
Note: Before running the IPTABLES service, we must disable the ip6tables service. To do this, we enter the following commands in the command line.
service ip6tables stop chkconfig ip6tables off
Note: In order for this service to be activated by default when the system boots, the run level status must be set to ON.
chkconfig –level 345 iptables on
How To Unblock An Specific Port In IPTABLES?
For example to open port 80 in the firewall, use the following command:
iptables -A INPUT -p tcp -m tcp –sport 80 -j ACCEPT iptables -A OUTPUT -p tcp -m tcp -dport 80 -j ACCEPT
Note: -P is equivalent to Protocol and sport is equivalent to the source port and dport is equivalent to the destination port.
To make things easier, you can manually edit IPTABLES file with Linux editors such as vi, nano, and…, and manually enter the IP and ports you want to open.
The mentioned file is saved in this path.
With the vi command, we open it first.
After adding the desired IP and ports, we save the file with the following command.
In the end, the firewall service should be restarted. To restart the firewall, use the following command.
service iptables restart
How To Block An Specific Port In Linux Firewall
It should be done exactly like the last process and just we have to change the ACCEPT word with DROP.
For example to block port 80 in the firewall, use the following command:
iptables -A INPUT -p tcp -m tcp –sport 80 -j DROP iptables -A OUTPUT -p tcp -m tcp -dport 80 -j DROP
IPTABLES Command Structure
The grammar of this command is divided into two parts: the chain and target.
iptables -A chain –j target
The chain is the main part and the -A (append) parameter adds a rule. The chain can be equivalent to input, output, and forward, which are permanent parameters.
The local -j (jump) parameter in the set of rules determines where the jump is performed. Its values include accept, drop, and reject, respectively. You can also add new and custom chains with the -n parameter.
How To Save And Restore Rules
Firewall rules are valid as long as the computer is on and are automatically reset by restarting the system. Use the following command to run these rules automatically after restarting:
/sbin/ service iptables save
Note: Other Rules are stored in /etc/sysconfig/iptables
Note: Especially on Linux VPS service, you need to activate and use a firewall because the remote service (SSH) of this service is always active and you may receive many attacks.
Some Scenarios of IPTABLES Command
Clear all current settings
Make public settings and block all access
iptables –P INPUT DROP iptables –P FORWARD DROP iptables –P OUTPUT DROP
Blocking a specific IP
iptables –A INPUT -s xxx.xxx.xxx.xxx –j DROP
Open the SSH port for all incoming communications
iptables -A INPUT -i eth0 –p tcp portdport 22 –m state atestate NEW, ESTABLISHED -j ACCEPT iptables –A OUTPUT –o eth0 –p tcp portsport 22 –m state atestate ESTABLISHED -j ACCEPT
Open the ssh port for a particular IP or IP range
iptables –A INPUT -i eth0 –p tcp –s xxx.xxx.xxx.xxx/24 portdport 22 –m state atestate NEW, ESTABLISHED – j ACCEPT iptables –A INPUT -i eth0 –p tcp –s xxx.xxx.xxx.xxx portdport 22 –m state —state NEW, ESTABLISHED –jACCEPT iptables –A OUTPUT –o eth0 –p tcp portsport 22 –m state atestate ESTABLISHED -j ACCEPT
Open the HTTP port
iptables -A INPUT -i eth0 –p tcp portdport 80 –m state atestate NEW, ESTABLISHED -j ACCEPT iptables –A OUTPUT –o eth0 –p tcp portsport 80 –m state atestate ESTABLISHED -j ACCEPT
Open the https port
iptables -A INPUT -i eth0 –p tcp portdport 443 –m state atestate NEW, ESTABLISHED -j ACCEPT iptables –A OUTPUT –o eth0 –p tcp portsport 443 –m state —state ESTABLISHED -j ACCEPT
Open several ports at once
iptables –A INPUT ethi –p tcp –m multiport —dports 22,80,443 –m state —state NEW, ESTABLISHED -j ACCEPT iptables –A OUTPUT –o eth0 –p tcp –m multiport portssports 22,80,443 –m state —state ESTABLISHED –j ACCEPT
Open port for ssh output connection
iptables –A OUTPUT –o eth0 –p tcp portdport 22 –m state —state NEW, ESTABLISHED -j ACCEPT iptables -A INPUT eth0 –p tcp portsport 22 –m state atestate ESTABLISHED -j ACCEPT
Open ssh output port only for a specific network
iptables –A OUTPUT –o eth0 –p tcp –d 192.168.101.0/24 portdport 22 –m state —state NEW, ESTABLISHED –j ACCEPT iptables -A INPUT eth0 –p tcp portsport 22 –m state atestate ESTABLISHED -j ACCEPT
Open the https port for output communications
iptables –A OUTPUT –o eth0 –p tcp portdport 443 –m state atestate NEW, ESTABLISHED -j ACCEPT iptables –A INPUT-eth0 –p tcp portsport 443 –m state atestate ESTABLISHED -j ACCEPT
Enable ping from the inside to outside
iptables –A OUTPUT –p icmp —icmp – type echo – request –j ACCEPT iptables –A INPUT –p icmp —icmp – type echo – reply –j ACCEPT
Enable ping from the outside to inside
iptables –A INPUT –p icmp —icmp – type echo – request –j ACCEPT iptables –A OUTPUT –p icmp —icmp – type echo – reply –j ACCEPT
Enable loopback access
iptables –A INPUT -i lo –j ACCEPT iptables –A OUTPUT –o lo –j ACCEPT
Enable access to the external eth1 network from the eth0 internal network
iptables –A FORWARD eth0 –o eth1 –j ACCEPT
Open DNS port output access
iptables –A OUTPUT –p udp –o eth0 —dport 53 -j ACCEPT iptables –A INPUT –p udp –i eth0 portsport 53 -j ACCEPT
Save IPTABLES changes
service iptables save
Use the following command to block port 80 for all but one IP (eg 126.96.36.199) in incoming
/sbin/iptables -A INPUT -p tcp -i eth1 -s ! 188.8.131.52 --dport 80 -j DROP
You can block and unblock ports in IPTABLES using the ACCEPT and DROP parameters. Also, we mentioned some examples of other scenarios of this firewall.
I hope you have enjoyed this post and found it useful.
Please do not hesitate to share your opinions with us.