Sunday, September 20, 2015

How to configure an iptables firewall on Linux?


Hopefully you all know what a firewall is. In this article, I am going to explain how to configure a firewall on a Linux system. There are GUIs available for configuring firewalls, but in this article I prefer to explain how to do it with a command line utility.

There is a command line utility called iptables, which can be used to configure firewalls on Linux. It mostly comes pre-installed with Linux distributions. If not, you can install the iptables package:

# sudo apt-get install iptables

iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables can be maintained, each serving a different purpose. When an IP packet comes into the system, goes out of the system, or gets forwarded, iptables checks it against a set of predefined rules and takes the action the first matching rule specifies.

iptables mainly uses three different chains:

INPUT – This chain is used for all incoming packets. When a user attempts an ssh to your system, the INPUT chain is checked for matching rules.

OUTPUT – This chain is meant for outgoing IP packets. When your system sends an IP packet to another IP address, this chain is checked for matching rules.

FORWARD – This chain is mainly used on routers. When an IP packet is not delivered locally but is destined for some other IP address, this chain is checked for matching rules.

Before configuring the firewall on your system, check the default policy of each chain. By default, all IP packets are accepted.

# sudo iptables -L | grep policy
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
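The listing above is what you check by eye. As an added example (not part of the original post), here is a small POSIX sh helper that parses `iptables -L` output and reports which built-in chains still have an ACCEPT default policy. The listing it runs against is a constructed sample in the same format as the output shown above; on a live system you would pass in `"$(iptables -L)"` instead, which needs root.

```shell
#!/bin/sh
# Added example, not from the original post: audit the default chain policies.
# The functions take the listing as an argument so they can be tested against
# captured output instead of a live kernel.

# Constructed sample of `iptables -L` output (FORWARD already set to DROP).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# chain_policy LISTING CHAIN
#   Prints the default policy (ACCEPT/DROP) of CHAIN, or "unknown" if the chain
#   does not appear in the listing.
chain_policy() {
    listing=$1
    chain=$2
    policy=$(printf '%s\n' "$listing" | sed -n "s/^Chain $chain (policy \([A-Z]*\)).*/\1/p")
    if [ -z "$policy" ]; then
        echo unknown
    else
        echo "$policy"
    fi
}

# open_chains LISTING
#   Prints, one per line, the built-in chains whose default policy is ACCEPT.
#   Exit status is 1 when at least one chain is wide open, 0 otherwise, so the
#   function can be used directly in a cron job or an `if`.
open_chains() {
    listing=$1
    found=0
    for chain in INPUT FORWARD OUTPUT; do
        if [ "$(chain_policy "$listing" "$chain")" = ACCEPT ]; then
            echo "$chain"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Run against the constructed sample; on a real host use: open_chains "$(iptables -L)"
open_chains "$SAMPLE_LISTING" || echo "the chain(s) above accept everything by default"
```

The sed expression only matches the `Chain NAME (policy X)` header lines, so user-defined chains (which have no policy and print `(N references)` instead) are reported as "unknown" rather than being mistaken for open ones.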

Rules are appended to the end of a chain with the -A option. You can also use iptables -I [chain] [number] to insert a rule at a specific position in the chain; since the first matching rule wins, the position matters.

There are three main connection-specific responses (targets): accept, drop and reject.

ACCEPT – Allow the connection.

DROP – Drop the connection silently, without sending an error back.

REJECT – Refuse the connection and send an error back to the sender.

Specifying IP Address

You can specify rules to accept, drop or reject connections from a specific IP address.

# iptables -A INPUT -s -j DROP

This will drop connections from IP address

# iptables -A INPUT -s -j ACCEPT

This will accept connections from IP address

# iptables -A INPUT -s -j REJECT

This will reject connections from IP address

# iptables -A INPUT -s -j DROP

This will drop connections from the IP address range to

Specifying Port 

You can also specify the port on which connections are accepted, rejected or dropped.

# iptables -A INPUT -p tcp --dport ssh -s -j DROP

This will drop all TCP connections from IP address that are destined for the ssh port of your system.

# iptables -A INPUT -p udp --dport ssh -j REJECT

This will reject all UDP packets destined for port 22/udp (the port named ssh in /etc/services) of your system.

Specifying Connection State 

You can also match on the connection state in a rule.

# iptables -A INPUT -p tcp --dport ssh -s -m state --state NEW,ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -p tcp --sport 22 -d -m state --state NEW -j REJECT

# iptables -A OUTPUT -p tcp --sport 22 -d -m state --state ESTABLISHED -j ACCEPT

These three commands specify that all new and already established TCP connections from IP address destined for your ssh port are accepted. New ssh connections from your source port 22 to are rejected. But if an ssh connection is already established to from your source port 22, your system is permitted to send back its replies. Note that -m state is the older name of the -m conntrack match (--ctstate instead of --state); both still work on current kernels.
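To show how the address, port and state matches from the three sections above fit together in one ruleset, here is an added example (not from the original post) that builds a minimal stateful INPUT policy for a single host: loopback and replies to existing connections are always allowed, new SSH connections are accepted only from an administrative network, and the chain's default policy is switched to DROP only after the allow rules are in place. The network 203.0.113.0/24 is a constructed placeholder from the documentation range, not a value from the post; setting IPT=echo prints the commands instead of applying them, which is also how the script demonstrates itself, since applying them needs root.

```shell
#!/bin/sh
# Added example, not from the original post. Set IPT=echo for a dry run that
# prints the commands; the real thing needs root and a netfilter kernel.
# 203.0.113.0/24 is a constructed placeholder for the admin network.

IPT="${IPT:-iptables}"

# reset_firewall: flush rules WITHOUT locking yourself out. Running `iptables -F`
# while the INPUT policy is DROP leaves a box that accepts nothing at all, so the
# policies are put back to ACCEPT first.
reset_firewall() {
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X
}

# apply_input_rules ADMIN_NET
#   1. loopback and replies to existing connections are always allowed
#   2. new SSH connections are accepted only from ADMIN_NET
#   3. new SSH from anywhere else is rejected (the client sees an error)
#   4. everything else falls through to the DROP default policy set last
apply_input_rules() {
    admin_net=$1
    reset_firewall
    $IPT -A INPUT -i lo -j ACCEPT
    # conntrack is the current name of the state match; -m state --state also works
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -p tcp --dport 22 -s "$admin_net" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j REJECT
    # Only now switch the default to DROP: the allow rules above are already in place.
    $IPT -P INPUT DROP
}

# persist_rules FILE: iptables-save only prints the ruleset to stdout, so it has
# to be redirected to the file that iptables-persistent restores at boot
# (/etc/iptables/rules.v4 on Debian/Ubuntu).
persist_rules() {
    ${IPTABLES_SAVE:-iptables-save} > "$1"
}

# Dry run for the reader: prints every command that would be executed, in order.
(IPT=echo; apply_input_rules 203.0.113.0/24)
```

The ordering is the point: the rules that keep an existing remote session alive come first, the DROP policy comes last, and the reset never flushes while a DROP policy is active. When you are satisfied, run `persist_rules /etc/iptables/rules.v4` (or the distribution's own save command from the section below) so the ruleset survives a reboot.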

Save your changes 

iptables rules live only in the kernel's memory, so they must be saved; otherwise they are lost the next time the system reboots or the service restarts.

# sudo /sbin/iptables-save > /etc/iptables/rules.v4

For saving rules in Ubuntu. Note that iptables-save by itself only prints the current ruleset to standard output, so it has to be redirected to a file; /etc/iptables/rules.v4 is the file the iptables-persistent package restores at boot.

# /sbin/service iptables save

For RedHat/CentOS. Or

# /etc/init.d/iptables save

You can also use iptables -F to flush (clear) all currently configured rules. Note that -F removes the rules but leaves the default policies untouched: if you have set a chain's policy to DROP, flushing leaves the system accepting nothing at all, so set the policies back to ACCEPT first when working over a remote session.

So, these were some basic rules for configuring a firewall on your Linux system. You can always refer to the iptables man page for more information!
