IptablesHowTo

Revision 4 as of 2005-09-08 06:15:43


THIS IS NOT COMPLETE AND SHOULD BE COMPLETED BY SOMEONE WHO KNOWS MORE THAN ME! THANKS

Basic Iptables How to for Ubuntu Server Edition

Iptables is a firewall, installed by default on the Ubuntu Server (and maybe the regular setup? Someone else know?)

There is a wealth of information available about iptables, but much of it is fairly complex, and if you want to do a few basic things, this How To is for you.

Basic Commands

Typing

# iptables -L

lists your current rules in iptables. If you have just set up your server, you will have no rules, and you should see

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Allowing Established Sessions

We can allow established sessions to receive traffic:

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allowing Incoming Traffic on Specific Ports

You could start by blocking traffic, but you might be working over SSH, where you would need to allow SSH before blocking everything else.

To allow incoming traffic on port 22 (traditionally used by SSH), you could tell iptables to allow all TCP traffic on port 22 of your network adapter.

# iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT

Specifically, this appends (-A) to the INPUT chain a rule saying that for any TCP traffic (-p tcp) arriving on the interface (-i) eth0 with the destination port (--dport) for ssh, iptables should jump (-j) to, i.e. perform the action, ACCEPT.

Let's check the rules (only the first few lines are shown; you will see more):

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED  
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 

Now, let's allow all web traffic

# iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT

Checking our rules, we have

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED  
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 

We have specifically allowed tcp traffic to the ssh and web ports, but as we have not blocked anything, all traffic can still come in.

Blocking Traffic

Once a decision is made about a packet, no more rules affect it. As our rules allowing ssh and web traffic come first, as long as our rule to block all traffic comes after them, we can still accept the traffic we want. All we need to do is put the rule to block all traffic at the end. The -A command tells iptables to append the rule at the end, so we'll use that again.

# iptables -A INPUT -j DROP
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED  
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
DROP       all  --  anywhere             anywhere 

Because we didn't specify an interface or a protocol, any traffic for any port on any interface is blocked, except for web and ssh (and, because of the first rule, packets belonging to sessions that are already established).

Editing iptables

The only problem with our setup so far is that even the loopback interface (lo) is blocked. We could have written the drop rule for just eth0 by specifying -i eth0, but we could also add a rule for the loopback. If we append this rule, it will come too late - after all the traffic has already been dropped. We need to insert (-I) this rule as the fourth rule in the chain.

# iptables -I INPUT 4 -i lo -j ACCEPT
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED  
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere

The last two lines look nearly the same, so we will list iptables in greater detail.

# iptables -L -v

Saving iptables

If you were to reboot your machine right now, your iptables configuration would disappear. Rather than type this each time you reboot, however, you can save the configuration and have it start up automatically. To save the configuration, you can use iptables-save and iptables-restore.
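As an added example (not from the original wiki page), the ruleset built above written in the format iptables-save emits and iptables-restore reads, with a small check that the loopback ACCEPT really sits before the catch-all DROP before anything is loaded. The path /etc/iptables.rules is an assumption; the check and load functions are illustrative, not part of iptables itself.

```shell
#!/bin/sh
# Added example for the Ubuntu IptablesHowTo page; not the page's own script.

# Emit the INPUT chain from this page as iptables-restore text. The -A lines
# are evaluated top to bottom, so their order here is the order iptables uses.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Return 0 if the loopback ACCEPT in file $1 comes before the catch-all DROP,
# 1 otherwise (the "appended too late" mistake described in Editing iptables).
check_order() {
    lo_line=$(grep -n -- '^-A INPUT -i lo -j ACCEPT$' "$1" | cut -d: -f1 | head -n 1)
    drop_line=$(grep -n -- '^-A INPUT -j DROP$' "$1" | cut -d: -f1 | head -n 1)
    [ -n "$lo_line" ] && [ -n "$drop_line" ] && [ "$lo_line" -lt "$drop_line" ]
}

# Build, check, then load the whole chain atomically (needs root).
# /etc/iptables.rules is an assumed location; choose one for your system.
apply_ruleset() {
    rules=/etc/iptables.rules
    build_ruleset > "$rules"
    check_order "$rules" || { echo "loopback rule is after DROP; not loading" >&2; return 1; }
    iptables-restore < "$rules"
    iptables-save > "$rules"   # re-save in exactly the form iptables emits
}

if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
fi
```

Run as `sh script.sh --apply` as root to load the rules; without --apply the script only defines the functions.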

Configuration on startup

This section is unwritten

Further Information

[http://iptables-tutorial.frozentux.net/iptables-tutorial.html Iptables Tutorial]

[http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html Iptables How To]

[http://www.netfilter.org/documentation/ Netfilter and Iptables Multilingual Documentation]

Credits

Thanks to Rusty Russell and his How-To, as much of this is based off that.