How To Use IPTABLES Firewall?

Linux Tutorials

July 11, 2020 by Harry

iptables

Most distros and different versions of Linux use the IPTABLES firewall by default to block and unblock ports. This powerful firewall normally keeps most Linux ports closed on virtual servers and dedicated servers. If you plan to run a service or program on Linux, you must first open the required ports of this program in the IPTABLES firewall.

What Does Firewall Do Exactly?

Firewall plays an important role in the security of Linux and network systems. This option acts as a security gateway between internal and external networks, managing and controlling incoming and outgoing traffic based on set rules. This set of firewall rules only allows secure and legal communications to enter and exit, and blocks traffic that is not defined.

use IPTABLES commands

Firewalls Usually Use One Of The Following Three Methods

  • Packet

Packets are small packets of information that makeup information on the Internet and the network. In fact, files are broken into these small packets. With this method, each packet does not pass through a filter, and only authorized packets pass through the filter.

  • Proxy

The information first goes to the firewall and then to the destination system.

  • Stateful Inspection

With this method, which is newer than the previous two methods, only a part of each package is checked by the Firewall, and that part is usually the key part of the package.

Start IPTABLES Command

The first step in working with this command is to enable the related service, which is done with the following command:

service iptables start

Note: Before running the IPTABLES service, we must disable the ip6tables service. To do this, we enter the following commands in the command line.

service ip6tables stop

chkconfig ip6tables off

Note: In order for this service to be activated by default when the system boots, the run level status must be set to ON.

chkconfig –level 345 iptables on

How To Unblock An Specific Port In IPTABLES?

For example to open port 80 in the firewall, use the following command:

iptables -A INPUT -p tcp -m tcp –sport 80 -j ACCEPT

iptables -A OUTPUT -p tcp -m tcp -dport 80 -j ACCEPT

Note: -P is equivalent to Protocol and sport is equivalent to the source port and dport is equivalent to the destination port.

To make things easier, you can manually edit IPTABLES file with Linux editors such as vi, nano, and…, and manually enter the IP and ports you want to open.

The mentioned file is saved in this path.

/etc/sysconfig/iptables

With the vi command, we open it first.

vi /etc/sysconfig/iptables

After adding the desired IP and ports, we save the file with the following command.

wq:

In the end, the firewall service should be restarted. To restart the firewall, use the following command.

service iptables restart

How To Block An Specific Port In Linux Firewall

It should be done exactly like the last process and just we have to change the ACCEPT word with DROP.

For example to block port 80 in the firewall, use the following command:

iptables -A INPUT -p tcp -m tcp –sport 80 -j DROP

iptables -A OUTPUT -p tcp -m tcp -dport 80 -j DROP

IPTABLES Command Structure

The grammar of this command is divided into two parts: the chain and target.

iptables -A chain –j target

The chain is the main part and the -A (append) parameter adds a rule. The chain can be equivalent to input, output, and forward, which are permanent parameters.

The local -j (jump) parameter in the set of rules determines where the jump is performed. Its values include accept, drop, and reject, respectively. You can also add new and custom chains with the -n parameter.

How To Save And Restore Rules

Firewall rules are valid as long as the computer is on and are automatically reset by restarting the system. Use the following command to run these rules automatically after restarting:

/sbin/ service iptables save

Note: Other Rules are stored in /etc/sysconfig/iptables

Note: Especially on Linux VPS service, you need to activate and use a firewall because the remote service (SSH) of this service is always active and you may receive many attacks.

Some Scenarios of IPTABLES Command

Clear all current settings

iptables –F

Make public settings and block all access

iptables –P INPUT DROP
iptables –P FORWARD DROP

iptables –P OUTPUT DROP

Blocking a specific IP

iptables –A INPUT -s xxx.xxx.xxx.xxx –j DROP

Open the SSH port for all incoming communications

iptables -A INPUT -i eth0 –p tcp portdport 22 –m state atestate NEW, ESTABLISHED -j ACCEPT
iptables –A OUTPUT –o eth0 –p tcp portsport 22 –m state atestate ESTABLISHED -j ACCEPT

Open the ssh port for a particular IP or IP range

iptables –A INPUT -i eth0 –p tcp –s xxx.xxx.xxx.xxx/24 portdport 22 –m state atestate NEW, ESTABLISHED – j ACCEPT
iptables –A INPUT -i eth0 –p tcp –s xxx.xxx.xxx.xxx portdport 22 –m state —state NEW, ESTABLISHED –jACCEPT

iptables –A OUTPUT –o eth0 –p tcp portsport 22 –m state atestate ESTABLISHED -j ACCEPT

Open the HTTP port

iptables -A INPUT -i eth0 –p tcp portdport 80 –m state atestate NEW, ESTABLISHED -j ACCEPT
iptables –A OUTPUT –o eth0 –p tcp portsport 80 –m state atestate ESTABLISHED -j ACCEPT

Open the https port

iptables -A INPUT -i eth0 –p tcp portdport 443 –m state atestate NEW, ESTABLISHED -j ACCEPT
iptables –A OUTPUT –o eth0 –p tcp portsport 443 –m state —state ESTABLISHED -j ACCEPT

Open several ports at once

iptables –A INPUT ethi –p tcp –m multiport —dports 22,80,443 –m state —state NEW, ESTABLISHED -j ACCEPT
iptables –A OUTPUT –o eth0 –p tcp –m multiport portssports 22,80,443 –m state —state ESTABLISHED –j ACCEPT

Open port for ssh output connection

iptables –A OUTPUT –o eth0 –p tcp portdport 22 –m state —state NEW, ESTABLISHED -j ACCEPT
iptables -A INPUT eth0 –p tcp portsport 22 –m state atestate ESTABLISHED -j ACCEPT

Open ssh output port only for a specific network

iptables –A OUTPUT –o eth0 –p tcp –d 192.168.101.0/24 portdport 22 –m state —state NEW, ESTABLISHED –j ACCEPT
iptables -A INPUT eth0 –p tcp portsport 22 –m state atestate ESTABLISHED -j ACCEPT

Open the https port for output communications

iptables –A OUTPUT –o eth0 –p tcp portdport 443 –m state atestate NEW, ESTABLISHED -j ACCEPT
iptables –A INPUT-eth0 –p tcp portsport 443 –m state atestate ESTABLISHED -j ACCEPT

Enable ping from the inside to outside

iptables –A OUTPUT –p icmp —icmp – type echo – request –j ACCEPT
iptables –A INPUT –p icmp —icmp – type echo – reply –j ACCEPT

Enable ping from the outside to inside

iptables –A INPUT –p icmp —icmp – type echo – request –j ACCEPT
iptables –A OUTPUT –p icmp —icmp – type echo – reply –j ACCEPT

Enable loopback access

iptables –A INPUT -i lo –j ACCEPT
iptables –A OUTPUT –o lo –j ACCEPT

Enable access to the external eth1 network from the eth0 internal network

iptables –A FORWARD eth0 –o eth1 –j ACCEPT

Open DNS port output access

iptables –A OUTPUT –p udp –o eth0 —dport 53 -j ACCEPT
iptables –A INPUT –p udp –i eth0 portsport 53 -j ACCEPT

Save IPTABLES changes

service iptables save

Use the following command to block port 80 for all but one IP (eg 1.2.3.4) in incoming

/sbin/iptables -A INPUT -p tcp -i eth1 -s ! 1.2.3.4 --dport 80 -j DROP

How to use IPTABLES rules

Conclusion

You can block and unblock ports in IPTABLES using the ACCEPT and DROP parameters. Also, we mentioned some examples of other scenarios of this firewall.

I hope you have enjoyed this post and found it useful.
Please do not hesitate to share your opinions with us.

Helpful

About the Author Harry

I like to learn and to teach to make things easier

Leave a Reply

Your email address will not be published. Required fields are marked *