Firewall tutorial for iptables

The most widely used firewall on Linux is probably iptables. More often than not it is turned off, because users find it difficult to configure.

iptables applies a set of rules to three kinds of traffic passing through the host's network interfaces. Each kind has its own list of rules, called a CHAIN (these are the built-in chains of the filter table). They are:

INPUT - rules for traffic addressed to this host: decide which inbound packets are accepted or dropped
OUTPUT - rules for traffic originating from this host: decide which outbound packets are accepted or dropped
FORWARD - rules for traffic that passes through this host on its way to another machine (routing): decide which packets are forwarded or dropped

All three chain names are in uppercase.

Follow the steps below for the most common ways to use iptables. Before you begin, have a web server listening on port 80, and start with an empty set of rules. Open a terminal (as root) and type:

Note: flushing is safe at this point because the default policy of every chain is ACCEPT (see step 1). If the INPUT policy were DROP, flushing over SSH would remove the rule that lets your own session in and lock you out; in that case set the policy back to ACCEPT first.

iptables -F

1. View Iptables Rules

List the rules currently in use (only the filter table is shown; add -n to skip DNS lookups and -v to see packet counters and the interface each rule applies to)
iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

List the rules with their rule numbers
iptables -L --line-numbers

2. Append Rules

What to do with a matching packet is given by the target named after -j. The most common targets are ACCEPT, DROP (discard the packet silently) and REJECT (discard it and send an error back to the sender). Target names are in uppercase.

Append a rule at the end of the INPUT chain to allow users to SSH to the server (the service name ssh is resolved to port 22 via /etc/services)
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

Add a simple rule to allow your web server to be accessed HTTP via port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Add a rule to drop any other incoming packet
iptables -A INPUT -j DROP

Now list the rules with their line numbers (iptables -L --line-numbers):

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
2    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
3    DROP       all  --  anywhere             anywhere           

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

3. Insert a rule

Each time a new rule is appended, it goes to the bottom of the chain. Rules are evaluated in the order they are listed, and the first match decides. E.g. if we append another ACCEPT rule to the current chain, it will never match, because rule #3 already drops every packet that reaches it.

The insert option (-I) places the rule at the given position in the chain, i.e. before the rule that currently has that number. With no number it inserts at position 1.

Insert a rule before the DROP rule (currently #3) to allow HTTPS.
iptables -I INPUT 3 -p tcp --dport 443 -j ACCEPT

Allow the loopback interface so that programs on the same server can talk to each other. This goes at position 1, so every other rule moves down by one.
iptables -I INPUT 1 -i lo -j ACCEPT

4. Delete a rule

Delete using a rule number. After the two inserts above the INPUT chain reads: 1 loopback, 2 ssh, 3 http, 4 https, 5 DROP. Always list with --line-numbers first, because the numbers shift after every insert or delete.

Delete rule #3, which allows HTTP connections.
iptables -D INPUT 3

Use a web browser to access the web server behind the firewall. It will fail with a message like "This page can't be displayed", once the browser gives up waiting: the firewall now silently drops every packet that no earlier rule accepts, so the client sees a timeout rather than an immediate refusal (a REJECT target would return an error at once).

5. Default Policy

As seen in step 1, the default policy is ACCEPT for all 3 chains. The policy is what happens to a packet that reaches the end of a chain without matching any rule, and it can be made strict by setting it to DROP.

Change the default policy of the INPUT chain to DROP every packet unless a listed rule allows it. Do this only after the rules that allow your own access (loopback and SSH) are in place, otherwise you lock yourself out of a remote server. Note that the rule set built so far has no rule for replies to connections the server itself opens (DNS lookups, package updates); with policy DROP those replies are discarded, and the state match shown in the Notes below (-m state --state ESTABLISHED,RELATED) is the usual fix. The explicit DROP rule at the end of the chain becomes redundant once the policy is DROP.
iptables -P INPUT DROP

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
3    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
4    DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Change the default policy for INPUT back to ACCEPT (the explicit DROP rule at the end of the chain still protects the server)
iptables -P INPUT ACCEPT


6. Saving the Rules

Changes made at the command line are lost when the iptables service restarts or the server reboots. The rules can however be saved to a file and loaded again during startup.

Save the configured rules to a file in the /tmp folder (iptables-save writes every table in the format that iptables-restore reads):
iptables-save > /tmp/examples.1.iptables

On Red Hat and CentOS 6 systems, the iptables service loads its rules from /etc/sysconfig/iptables; running "service iptables save" writes the current rules there, or you can edit that file directly and restart the iptables service. On Debian and Ubuntu the iptables-persistent package loads /etc/iptables/rules.v4 at boot.

To load rules manually from a saved file, run iptables-restore. Flushing first is optional: unless you pass --noflush, iptables-restore replaces each table contained in the file. Make sure you have created the rule file as described above.
iptables -F
iptables -L
iptables-restore < /tmp/examples.1.iptables
iptables -L
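The steps above build the final rule set by hand, one command at a time, which is error prone when the INPUT policy is about to become DROP. The script below is an added example, not code from the original tutorial: it writes the same rule set (loopback, SSH, HTTP, HTTPS, policy DROP) in iptables-restore format, adds the connection-tracking rule the hand-built chain lacks, and applies it with an automatic rollback so a mistake over SSH does not lock you out. The -m conntrack --ctstate match is the newer spelling of the -m state --state match used in the Notes. The file name /tmp/examples.2.iptables and the 60-second confirmation window are assumptions chosen for the example.

```shell
#!/usr/bin/env bash
# Added example: generate and safely apply the tutorial's rule set.
set -eu

# build_ruleset PORT...  Prints a filter-table rule set in iptables-restore
# format. Order matters (first match wins): loopback and established
# connections are accepted first, then one ACCEPT per listed TCP port, and
# the INPUT policy DROP catches everything else. FORWARD is DROP because the
# server does not route; OUTPUT stays ACCEPT as in the tutorial.
build_ruleset() {
    local port
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "build_ruleset: bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "build_ruleset: port out of range '$port'" >&2; return 1
        fi
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened (DNS, updates) and related
    # traffic such as ICMP errors; the hand-built chain in the tutorial
    # drops these once the policy is DROP.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# apply_with_rollback FILE [SECONDS]  Loads FILE with iptables-restore, then
# restores the previous rules after SECONDS unless the operator confirms by
# removing the marker file. If the new rules cut your SSH session, you only
# have to wait for the rollback. Needs root and iptables.
apply_with_rollback() {
    local file=$1 delay=${2:-60} backup marker
    backup=$(mktemp) && marker=$(mktemp)
    iptables-save > "$backup"
    iptables-restore < "$file"
    (
        sleep "$delay"
        if [ -e "$marker" ]; then
            iptables-restore < "$backup"
            echo "no confirmation within ${delay}s, previous rules restored" >&2
            rm -f "$marker"
        fi
        rm -f "$backup"
    ) &
    echo "Rules applied. Run 'rm $marker' within ${delay}s to keep them."
}

# Demo: print the rule set for SSH, HTTP and HTTPS. To load it as root:
#   build_ruleset 22 80 443 > /tmp/examples.2.iptables
#   apply_with_rollback /tmp/examples.2.iptables 60
build_ruleset 22 80 443
```

Loading the file with iptables-restore replaces the whole filter table atomically, so there is no window in which only half of the rules are active, which is the other advantage over typing the rules one by one.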

Notes & Exercise

1. These are common rules to allow web server access from any other connected PC. They assume the default CentOS 6 rule set is in place, in which rule number 5 of the INPUT chain is the REJECT rule (rules 1 to 4 accept ESTABLISHED,RELATED traffic, ICMP, loopback and new SSH connections).

iptables -I INPUT 5 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT  -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

Describe the options being used in the 2 rules above.

Caveat on the second rule: in the OUTPUT chain, --dport 80 matches packets this server sends to port 80, i.e. connections it opens as a client to other web servers, not the replies of the local web server, whose source port is 80. Since the OUTPUT chain keeps policy ACCEPT and has no REJECT rule, the rule is also redundant.

2. Although the default policy of each chain is ACCEPT, CentOS Linux ends the INPUT and FORWARD chains with these rules:
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

The --reject-with option of the REJECT target can take any one of the following types (all are ICMP type 3, destination unreachable, with different codes):
icmp-net-unreachable
icmp-host-unreachable
icmp-port-unreachable (the default)
icmp-proto-unreachable
icmp-net-prohibited
icmp-host-prohibited or
icmp-admin-prohibited (*)

(*) Using icmp-admin-prohibited with kernels that do not support it results in a plain DROP instead of REJECT. For rules that match only TCP, the option tcp-reset can be used instead; it answers with a TCP RST, so the client's connection is closed immediately rather than receiving an ICMP error.

Describe what happens with this rule when a user accesses the server with a web browser.
