iptables uses a set of rules for three types of data movement through the network interface. These movements are called CHAINS and are described as;
INPUT - rules to determine which inbound traffic will be accepted or denied
OUTPUT - rules to determine which outbound traffic will be accepted or denied
FORWARD - rules to determine which forwarded traffic will be accepted or denied
All three chain names are in uppercase.
Follow the steps below for the most common ways to use iptables. Before you begin this tutorial, have a web server running on port 80; it is also a good idea to start with an empty set of rules. Open a command line terminal and type;
1. View Iptables Rules
List the rules currently in use; with an empty rule set the listing looks like this:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
List the rules together with their rule numbers
iptables -L --line-numbers
2. Append Rules
The decision on what to do with a packet is most often expressed with the targets DROP and ACCEPT, which are written in uppercase.
Add rule at the end of the rules list for an INPUT chain to allow users to SSH to the server
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Add a simple rule to allow your web server to be accessed HTTP via port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Add a rule to reject any other incoming request
iptables -A INPUT -j DROP
Now list the rules with their line numbers.
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
3    DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
3. Insert a rule
Each time a new rule is appended, it goes to the bottom of the rule list, and the rules are evaluated in the order they are listed. If we appended another ACCEPT rule to our current rules it would never take effect, because rule #3 already drops every incoming packet before the new rule is reached.
The insert option (-I) places the new rule in front of the rule whose number is given after the chain name.
Insert a rule before the DROP rule to allow HTTPS.
iptables -I INPUT 3 -p tcp --dport 443 -j ACCEPT
Allow the loopback interface so programs on the same server can talk to each other.
iptables -I INPUT 1 -i lo -j ACCEPT
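The ordering problem described in step 3 can be checked mechanically. The script below is an added example, not part of the tutorial: it runs a small awk check over iptables-save text (a constructed sample in which an HTTP rule was mistakenly appended after the catch-all DROP) and reports every rule that can never match because an unconditional DROP or REJECT sits in front of it in the same chain. It does not need root and does not touch the live rule set.

```shell
#!/bin/sh
# Added example: find INPUT rules that are shadowed by an earlier catch-all rule.
# Constructed sample in iptables-save format (iptables-save writes numeric ports,
# so "ssh" appears as 22). The HTTP rule was appended AFTER "-A INPUT -j DROP",
# which is exactly the mistake step 3 warns about.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# The same rule set after inserting the HTTP rule in front of the DROP with -I.
GOOD_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
COMMIT'

# shadowed_rules CHAIN: read iptables-save text on stdin and print each rule of
# CHAIN that follows an unconditional DROP/REJECT, with its position in the chain.
shadowed_rules() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++
            if (blocked) print "rule " n " unreachable: " $0
            # A rule whose third word is already -j has no match criteria, e.g.
            # "-A INPUT -j DROP" or "-A INPUT -j REJECT --reject-with ...",
            # so nothing appended after it in this chain is ever evaluated.
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) blocked = 1
        }'
}

# count_shadowed CHAIN RULETEXT: number of unreachable rules in CHAIN.
count_shadowed() {
    printf '%s\n' "$2" | shadowed_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report the problem in the bad sample.
printf '%s\n' "$BAD_RULES" | shadowed_rules INPUT
```

To check a live system, feed it the real output instead of the sample: `iptables-save | shadowed_rules INPUT`.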
4. Delete a rule
Delete using a rule number.
Delete rule #3, which allows HTTP connections.
iptables -D INPUT 3
5. Default Policy
The policy shown in parentheses after each chain name is the default action for packets that match none of the chain's rules. Here the INPUT chain has been listed with its default policy set to DROP:
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
4    DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Set the default policy of the INPUT chain to ACCEPT:
iptables -P INPUT ACCEPT
6. Saving the Rules
Changes made at the command line are lost when iptables or the server restarts. The rules can, however, be saved to a file and loaded at startup.
Save the configured rules to a file in the /tmp folder.
iptables-save > /tmp/examples.1.iptables
On Red Hat and CentOS systems the rules are stored in the file /etc/sysconfig/iptables, which you can edit directly and then restart iptables.
To manually load rules from an iptables file, clear the existing rules and then run iptables-restore. Make sure you have created the rule file as described above.
iptables-restore < /tmp/examples.1.iptables
Notes & Exercise
1. These are common rules to allow access to the web server from any other connected PC. They assume the default CentOS rules are in place, where rule number 5 is a REJECT rule.
iptables -I INPUT 5 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
Describe the options being used in the 2 rules above.
2. Consider the default policy for each chain being ACCEPT; in CentOS Linux the default rule set includes these rules
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
The REJECT target's --reject-with option may take any one of the following types;
icmp-port-unreachable (ICMP type 3; this is the default)
Describe what happens with this rule when a user accesses the server using a web browser.