IPTABLES Firewall: An In-depth Walkthrough for Beginners
IPTABLES firewall by default to block and unblock ports. This powerful firewall normally keeps most Linux ports closed on virtual servers and dedicated servers. If you plan to run a service or program on Linux, you must first open the required ports of this program in the IPTABLES firewall.
What Does Firewall Do Exactly?
Firewall plays an important role in the security of Linux and network systems. This option acts as a security gateway between internal and external networks, managing and controlling incoming and outgoing traffic based on set rules. This set of firewall rules only allows secure and legal communications to enter and exit, and blocks traffic that is not defined.
Firewalls Usually Use One Of The Following Three Methods
-
Packet
Packets are small packets of information that makeup information on the Internet and the network. In fact, files are broken into these small packets. With this method, each packet does not pass through a filter, and only authorized packets pass through the filter.
-
Proxy
The information first goes to the firewall and then to the destination system.
-
Stateful Inspection
With this method, which is newer than the previous two methods, only a part of each package is checked by the Firewall, and that part is usually the key part of the package.
Start IPTABLES Command
The first step in working with this command is to enable the related service, which is done with the following command:
service iptables startNote: Before running the IPTABLES service, we must disable the ip6tables service. To do this, we enter the following commands in the command line.
service ip6tables stopchkconfig ip6tables offNote: In order for this service to be activated by default when the system boots, the run level status must be set to ON.
chkconfig –level 345 iptables onHow To Unblock An Specific Port In IPTABLES?
For example to open port 80 in the firewall, use the following command:
iptables -A INPUT -p tcp -m tcp –sport 80 -j ACCEPTiptables -A OUTPUT -p tcp -m tcp -dport 80 -j ACCEPTNote: -P is equivalent to Protocol and sport is equivalent to the source port and dport is equivalent to the destination port.
To make things easier, you can manually edit IPTABLES file with Linux editors such as vi, nano, and…, and manually enter the IP and ports you want to open.
The mentioned file is saved in this path:
/etc/sysconfig/iptables
With the vi command, we open it first.
vi /etc/sysconfig/iptables
After adding the desired IP and ports, we save the file with the following command.
wq:In the end, the firewall service should be restarted. To restart the firewall, use the following command.
service iptables restartHow To Block An Specific Port In Linux Firewall
It should be done exactly like the last process and just we have to change the ACCEPT word with DROP.
For example to block port 80 in the firewall, use the following command:
iptables -A INPUT -p tcp -m tcp –sport 80 -j DROPiptables -A OUTPUT -p tcp -m tcp -dport 80 -j DROPIPTABLES Command Structure
The grammar of this command is divided into two parts: the chain and target.
iptables -A chain –j targetThe chain is the main part and the -A (append) parameter adds a rule. The chain can be equivalent to input, output, and forward, which are permanent parameters.
The local -j (jump) parameter in the set of rules determines where the jump is performed. Its values include accept, drop, and reject, respectively. You can also add new and custom chains with the -n parameter.
How To Save And Restore Rules
Firewall rules are valid as long as the computer is on and are automatically reset by restarting the system. Use the following command to run these rules automatically after restarting:
/sbin/ service iptables saveNote: Other Rules are stored in /etc/sysconfig/iptables
Note: Especially on Linux VPS service, you need to activate and use a firewall because the remote service (SSH) of this service is always active and you may receive many attacks.
Some Scenarios of IPTABLES Command
Clear all current settings
iptables –FMake public settings and block all access
iptables –P INPUT DROPiptables –P FORWARD DROPiptables –P OUTPUT DROPBlocking a specific IP
iptables –A INPUT -s xxx.xxx.xxx.xxx –j DROPOpen the SSH port for all incoming communications
iptables -A INPUT -i eth0 –p tcp portdport 22 –m state atestate NEW, ESTABLISHED -j ACCEPT
iptables –A OUTPUT –o eth0 –p tcp portsport 22 –m state atestate ESTABLISHED -j ACCEPTOpen the ssh port for a particular IP or IP range
iptables –A INPUT -i eth0 –p tcp –s xxx.xxx.xxx.xxx/24 portdport 22 –m state atestate NEW, ESTABLISHED – j ACCEPTiptables –A INPUT -i eth0 –p tcp –s xxx.xxx.xxx.xxx portdport 22 –m state —state NEW, ESTABLISHED –jACCEPTiptables –A OUTPUT –o eth0 –p tcp portsport 22 –m state atestate ESTABLISHED -j ACCEPTOpen the HTTP port
iptables -A INPUT -i eth0 –p tcp portdport 80 –m state atestate NEW, ESTABLISHED -j ACCEPTiptables –A OUTPUT –o eth0 –p tcp portsport 80 –m state atestate ESTABLISHED -j ACCEPTOpen the https port
iptables -A INPUT -i eth0 –p tcp portdport 443 –m state atestate NEW, ESTABLISHED -j ACCEPTiptables –A OUTPUT –o eth0 –p tcp portsport 443 –m state —state ESTABLISHED -j ACCEPTOpen several ports at once
iptables –A INPUT ethi –p tcp –m multiport —dports 22,80,443 –m state —state NEW, ESTABLISHED -j ACCEPTiptables –A OUTPUT –o eth0 –p tcp –m multiport portssports 22,80,443 –m state —state ESTABLISHED –j ACCEPTOpen port for ssh output connection
iptables –A OUTPUT –o eth0 –p tcp portdport 22 –m state —state NEW, ESTABLISHED -j ACCEPTiptables -A INPUT eth0 –p tcp portsport 22 –m state atestate ESTABLISHED -j ACCEPTOpen ssh output port only for a specific network
iptables –A OUTPUT –o eth0 –p tcp –d 192.168.101.0/24 portdport 22 –m state —state NEW, ESTABLISHED –j ACCEPTiptables -A INPUT eth0 –p tcp portsport 22 –m state atestate ESTABLISHED -j ACCEPTOpen the https port for output communications
iptables –A OUTPUT –o eth0 –p tcp portdport 443 –m state atestate NEW, ESTABLISHED -j ACCEPTiptables –A INPUT-eth0 –p tcp portsport 443 –m state atestate ESTABLISHED -j ACCEPTEnable ping from the inside to outside
iptables –A OUTPUT –p icmp —icmp – type echo – request –j ACCEPTiptables –A INPUT –p icmp —icmp – type echo – reply –j ACCEPTEnable ping from the outside to inside
iptables –A INPUT –p icmp —icmp – type echo – request –j ACCEPTiptables –A OUTPUT –p icmp —icmp – type echo – reply –j ACCEPTEnable loopback access
iptables –A INPUT -i lo –j ACCEPTiptables –A OUTPUT –o lo –j ACCEPTEnable access to the external eth1 network from the eth0 internal network
iptables –A FORWARD eth0 –o eth1 –j ACCEPTOpen DNS port output access
iptables –A OUTPUT –p udp –o eth0 —dport 53 -j ACCEPTiptables –A INPUT –p udp –i eth0 portsport 53 -j ACCEPTSave IPTABLES changes
service iptables saveUse the following command to block port 80 for all but one IP (eg 1.2.3.4) in incoming
/sbin/iptables -A INPUT -p tcp -i eth1 -s ! 1.2.3.4 --dport 80 -j DROP
Conclusion
You can block and unblock ports in IPTABLES using the ACCEPT and DROP parameters. Also, we mentioned some examples of other scenarios of this firewall.
I hope you have enjoyed this post and found it useful.
Please do not hesitate to share your opinions with us.
This article is worthy of recognition and comment. I found this material attention-grabbing and engrossing. This is well-scripted and highly informative. These views appeal to me. This is how real writing is done. Thank you.