I hope you all know what a firewall is. In this article, I am going to explain how to configure a firewall on a Linux system. There are GUIs available to configure firewalls, but in this article I prefer to explain how to configure a firewall using a command line utility.
There is a command line utility called iptables, which can be used to configure firewalls in Linux. This utility mostly comes pre-installed with Linux distributions. If not, you can install the iptables package:
# sudo apt-get install iptables
iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several tables can also be maintained for different uses. When an IP packet comes into the system, goes out of the system or gets forwarded, iptables checks a set of predefined rules and takes action.
iptables mainly uses three different chains:
INPUT – This chain is used for all incoming packets. When a user attempts an ssh connection to your system, the INPUT chain is checked for matching rules.
OUTPUT – This chain is meant for outgoing IP packets. When your system sends an IP packet to another IP address, this chain is checked for matching rules.
FORWARD – This chain is mainly used on routers. When an IP packet is not delivered locally but is destined for some other IP address, this chain is checked for matching rules.
Before configuring the firewall on your system, check the default policy of each chain. By default, all IP packets are accepted.
# sudo iptables -L | grep policy
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
Rules are appended to an iptables chain using the -A option. You can also use iptables -I [chain] [number] to specify the position in the chain at which the rule should be inserted. Rules are checked in order and the first matching rule decides what happens to the packet, so the position of a rule matters.
There can be three main types of connection specific responses – accept, drop and reject.
ACCEPT – It allows the connection.
DROP – It drops the connection silently, without sending an error.
REJECT – It does not accept the connection, and sends back an error.
Specifying IP Address
You can specify rules to accept, drop or reject a connection from a specific IP address.
# iptables -A INPUT -s 10.10.10.10 -j DROP
This will drop connections from IP address 10.10.10.10.
# iptables -A INPUT -s 10.10.10.10 -j ACCEPT
This will accept connections from IP address 10.10.10.10.
# iptables -A INPUT -s 10.10.10.10 -j REJECT
This will reject connections from IP address 10.10.10.10.
# iptables -A INPUT -m iprange --src-range 10.10.10.10-10.10.10.20 -j DROP
This will drop connections from the IP address range 10.10.10.10 to 10.10.10.20. The iprange match is needed here: -s takes a single address or a CIDR prefix, and 10.10.10.10/20 would mean the whole 10.10.0.0/20 network (10.10.0.0 to 10.10.15.255), not this range.
Specifying Port
You can also specify a port to accept, reject or drop connections to or from.
# iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP
This will drop all tcp connections from IP address 10.10.10.10 which are destined for the ssh port of your system.
# iptables -A INPUT -p udp --dport ssh -j REJECT
This will reject all udp packets destined for the ssh port of your system.
Specifying Connection State
You can specify connection state in a rule.
# iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state NEW -j REJECT
# iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT
These three commands specify that new and already established tcp connections from IP address 10.10.10.10 destined to your ssh port are accepted. Your system is not allowed to open new connections to 10.10.10.10 from source port 22. But if an ssh connection to 10.10.10.10 is already established, your system is permitted to send replies back from source port 22.
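The following POSIX shell script is an added example, not code from the original article: it combines the options from the IP address, port and connection state sections above into one ordered INPUT rule set, and goes a little beyond the text by setting a DROP default policy, accepting loopback traffic and accepting ESTABLISHED,RELATED packets by state. The management network 10.10.0.0/20, the blocked host 10.10.10.10, the file name firewall.sh and the function names are constructed for this example. The script prints the iptables commands rather than running them, so the set can be reviewed and order-checked without root; only the apply argument executes them.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds an ordered INPUT
# rule set from the options introduced above (-P, -F, -A, -I, -s, -p/--dport,
# -m state, ACCEPT/DROP/REJECT). The network, host and function names are
# constructed for this example.

MGMT_NET="10.10.0.0/20"      # assumed: management network allowed to ssh in
BLOCKED_HOST="10.10.10.10"   # assumed: single host that must never connect

# Print the rule commands in the order they must be applied. Printing rather
# than executing lets the set be reviewed (and tested) without root.
firewall_rules() {
    # 1. Clean slate, then default policies. A chain policy applies only
    #    when no rule matches, so it is the last word, not the first.
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # 2. Loopback traffic is always local; accept it before anything else.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # 3. Packets belonging to connections already accepted (or started by
    #    this host) are allowed by state, so later rules only see NEW ones.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 4. Per-host DROP placed before the subnet ACCEPT: the first matching
    #    rule decides, so a DROP appended after the ACCEPT would be dead.
    echo "iptables -A INPUT -s $BLOCKED_HOST -j DROP"
    # 5. New ssh connections only from the management network.
    echo "iptables -A INPUT -p tcp --dport 22 -s $MGMT_NET -m state --state NEW -j ACCEPT"
    # 6. Explicit REJECT for everything else so clients fail fast instead of
    #    timing out against the DROP policy.
    echo "iptables -A INPUT -j REJECT"
}

# Emergency block: -I with position 1 puts the rule at the top of the chain,
# ahead of the ESTABLISHED,RELATED accept, so even an existing connection
# from that host stops immediately.
block_host_now() {
    echo "iptables -I INPUT 1 -s $1 -j DROP"
}

# 1-based position of the first rule whose text matches the pattern in $1.
rule_index() {
    firewall_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Check to run before applying: the per-host DROP must sit above the subnet
# ACCEPT, otherwise it can never match.
check_order() {
    block=$(rule_index "-s $BLOCKED_HOST -j DROP")
    allow=$(rule_index "--dport 22 -s $MGMT_NET")
    [ -n "$block" ] && [ -n "$allow" ] && [ "$block" -lt "$allow" ]
}

# Apply for real (requires root). Refuses to run if the order check fails.
apply_firewall() {
    if ! check_order; then
        echo "rule order check failed, not applying" >&2
        return 1
    fi
    firewall_rules | sh
}

# Usage: sh firewall.sh            -> print the rule set for review
#        sudo sh firewall.sh apply -> apply it
case "${1:-show}" in
    apply) apply_firewall ;;
    *)     firewall_rules ;;
esac
```

Run it without arguments first and read the output top to bottom: the order is the point. The ESTABLISHED,RELATED rule near the top is what makes the single NEW rule for ssh sufficient, and the host DROP must stay above the subnet ACCEPT because the first match wins. Apply it from a console rather than over ssh, since the INPUT policy becomes DROP before the ssh allow rule is added.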
Save your changes
iptables rules must be saved, so that the next time the service restarts, the rules are not lost.
# sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
For saving rules in Ubuntu. iptables-save by itself only prints the current rules to standard output, so redirect them to a file that is loaded at boot with iptables-restore (/etc/iptables/rules.v4 is the file the iptables-persistent package restores).
# /sbin/service iptables save
For RedHat/CentOS. Or
# /etc/init.d/iptables save
You can also use iptables -F to clear the currently configured rules. Note that -F flushes the rules but leaves the chain policies unchanged, so if a chain's default policy is DROP, flushing it blocks everything rather than opening it up.
So, these were some basic rules to configure a firewall on your Linux system. You can always refer to the man page of iptables for more information!